Skip to content

feat: live tail (SSE), incident memory, demo mode, Cisco/Nokia coverage, confidence scores (v0.5.0)#14

Merged
gesh75 merged 1 commit into
mainfrom
claude/product-analysis-improvements-9oobad
Jul 13, 2026
Merged

feat: live tail (SSE), incident memory, demo mode, Cisco/Nokia coverage, confidence scores (v0.5.0)#14
gesh75 merged 1 commit into
mainfrom
claude/product-analysis-improvements-9oobad

Conversation

@gesh75

@gesh75 gesh75 commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Why

Fresh Exa research on what makes 2026 NOC tooling sticky pointed at two things netlog-ai lacked: real-time-first viewing (the closest purpose-built competitor leads with "events pushed via SSE the moment they arrive — no polling") and incident-history recall. This wave closes both, plus the remaining backlog items from the full product review.

🔴 Live tail (roadmap item, done)

  • GET /api/tail/<source_id> — Server-Sent Events stream of classified events from any syslog listener source. Zero new dependencies (no websocket stack), server-side ?min_severity= filter, keepalive frames for proxies, query-token auth (EventSource can't set headers).
  • Cursor-based fetch_new() on the syslog source: monotonic ingest counter → duplicate-free, ring-buffer-wraparound-safe incremental reads.
  • Live Tail panel in the Logs tab: source picker, severity floor, start/stop, rolling 200-event severity-tinted view.

↻ Incident memory

  • AI_LOG_ANALYZER_INCIDENT_STORE journals every run's action items to a bounded local JSONL (corrupt-file tolerant, atomic rewrites).
  • Action items now carry recurrence"↻ seen 3× before (last 2026-07-05)" badges in the UI. A first-ever BGP flap and the fourth one this month finally read differently.
  • GET /api/incidents/similar?q=fan failures spine-02 — token-overlap search over the journal.

🎬 Demo mode

  • ai-log-analyzer demo — deterministic synthetic incident storyline (6 devices, 4 vendor dialects: flapping interface → BGP collapse → NX-OS service crash + PSU failure → SSH brute force → SR Linux churn → one never-seen message shape) through the full pipeline, zero setup, zero LLM key. Every analysis surface lights up.
  • demo --serve starts the UI with a UDP feeder replaying the storyline — the Live Tail panel streams it in real time.

🔎 Vendor coverage + confidence

  • Cisco IOS-XE, NX-OS, Nokia SR Linux classifier patterns (%LINK-3-UPDOWN, %ETHPORT-5-IF_DOWN, %SYSMGR-2-SERVICE_CRASHED, %VPC-2-*, %DUAL-5-NBRCHANGE, %HSRP-5-STATECHANGE, %ENVMON, %SEC_LOGIN-4/5, %SYS-5-CONFIG_I, SR Linux bgp_mgr/oper-state transitions) — mapped onto the existing canonical descriptions so stability flap-pairing, recovery filtering, and the KB work unchanged.
  • Every classified event now carries a confidence score (1.0 custom rule / 0.9 KB / 0.6 severity-promoted / 0.3 unmatched).
  • Bonus perf fix: the literal-gate extractor now handles sre's common-prefix hoisting (%a|%b% + branch), taking always-scanned unguarded patterns from 2 to 0.

Tests

338 → 369 passed (2 skipped), ruff clean. New: SSE end-to-end (UDP → listener → classified SSE frame), cursor semantics, tail auth, 14 vendor-pattern cases, confidence tiers, recurrence across runs, similarity search, journal corruption tolerance, demo determinism + surface coverage + CLI smoke.

Version

0.4.0 → 0.5.0.

🤖 Generated with Claude Code

https://claude.ai/code/session_015XM7j9iDXYwSvjnxZYjzaq


Generated by Claude Code

…ns, confidence (v0.5.0)

Research-driven wave — competitive study showed SSE-first live viewing and
incident-history recall are what make NOC tools sticky:

- Live tail: GET /api/tail/<source> streams classified events from syslog
  listener sources via Server-Sent Events (zero deps, no polling,
  min_severity filter, keepalives, query-token auth) + Live Tail UI panel.
  Cursor-based fetch_new() on the syslog source: monotonic ingest counter,
  duplicate-free, ring-wraparound safe.
- Incident memory (memory.py, AI_LOG_ANALYZER_INCIDENT_STORE): bounded local
  JSONL journal; action items gain 'seen Nx before (last date)' recurrence
  badges; /api/incidents/similar?q= token-overlap search.
- Demo mode: ai-log-analyzer demo — deterministic 6-device 4-dialect
  synthetic incident storyline through the full pipeline; --serve starts the
  UI with a UDP feeder so Live Tail streams the story live.
- Vendor coverage: IOS-XE, NX-OS, SR Linux patterns mapped onto canonical
  descriptions so stability pairing + KB work unchanged.
- Per-event confidence (1.0 custom / 0.9 KB / 0.6 promoted / 0.3 unmatched).
- Literal-gate extractor now handles sre common-prefix hoisting: unguarded
  patterns 2 -> 0.

Suite 338 -> 369 tests. Version 0.4.0 -> 0.5.0.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015XM7j9iDXYwSvjnxZYjzaq
@gesh75
gesh75 marked this pull request as ready for review July 13, 2026 19:55
@gesh75
gesh75 merged commit e7ea9d3 into main Jul 13, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants