feat: live tail (SSE), incident memory, demo mode, Cisco/Nokia coverage, confidence scores (v0.5.0)#14
Merged
Conversation
…ns, confidence (v0.5.0) Research-driven wave — competitive study showed SSE-first live viewing and incident-history recall are what make NOC tools sticky: - Live tail: GET /api/tail/<source> streams classified events from syslog listener sources via Server-Sent Events (zero deps, no polling, min_severity filter, keepalives, query-token auth) + Live Tail UI panel. Cursor-based fetch_new() on the syslog source: monotonic ingest counter, duplicate-free, ring-wraparound safe. - Incident memory (memory.py, AI_LOG_ANALYZER_INCIDENT_STORE): bounded local JSONL journal; action items gain 'seen Nx before (last date)' recurrence badges; /api/incidents/similar?q= token-overlap search. - Demo mode: ai-log-analyzer demo — deterministic 6-device 4-dialect synthetic incident storyline through the full pipeline; --serve starts the UI with a UDP feeder so Live Tail streams the story live. - Vendor coverage: IOS-XE, NX-OS, SR Linux patterns mapped onto canonical descriptions so stability pairing + KB work unchanged. - Per-event confidence (1.0 custom / 0.9 KB / 0.6 promoted / 0.3 unmatched). - Literal-gate extractor now handles sre common-prefix hoisting: unguarded patterns 2 -> 0. Suite 338 -> 369 tests. Version 0.4.0 -> 0.5.0. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_015XM7j9iDXYwSvjnxZYjzaq
gesh75
marked this pull request as ready for review
July 13, 2026 19:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Fresh Exa research on what makes 2026 NOC tooling sticky pointed at two things netlog-ai lacked: real-time-first viewing (the closest purpose-built competitor leads with "events pushed via SSE the moment they arrive — no polling") and incident-history recall. This wave closes both, plus the remaining backlog items from the full product review.
🔴 Live tail (roadmap item, done)
GET /api/tail/<source_id>— Server-Sent Events stream of classified events from any syslog listener source. Zero new dependencies (no websocket stack), server-side?min_severity=filter, keepalive frames for proxies, query-token auth (EventSource can't set headers).fetch_new()on the syslog source: monotonic ingest counter → duplicate-free, ring-buffer-wraparound-safe incremental reads.↻ Incident memory
AI_LOG_ANALYZER_INCIDENT_STOREjournals every run's action items to a bounded local JSONL (corrupt-file tolerant, atomic rewrites).recurrence— "↻ seen 3× before (last 2026-07-05)" badges in the UI. A first-ever BGP flap and the fourth one this month finally read differently.GET /api/incidents/similar?q=fan failures spine-02— token-overlap search over the journal.🎬 Demo mode
ai-log-analyzer demo— deterministic synthetic incident storyline (6 devices, 4 vendor dialects: flapping interface → BGP collapse → NX-OS service crash + PSU failure → SSH brute force → SR Linux churn → one never-seen message shape) through the full pipeline, zero setup, zero LLM key. Every analysis surface lights up.demo --servestarts the UI with a UDP feeder replaying the storyline — the Live Tail panel streams it in real time.🔎 Vendor coverage + confidence
%LINK-3-UPDOWN,%ETHPORT-5-IF_DOWN,%SYSMGR-2-SERVICE_CRASHED,%VPC-2-*,%DUAL-5-NBRCHANGE,%HSRP-5-STATECHANGE,%ENVMON,%SEC_LOGIN-4/5,%SYS-5-CONFIG_I, SR Linuxbgp_mgr/oper-state transitions) — mapped onto the existing canonical descriptions so stability flap-pairing, recovery filtering, and the KB work unchanged.confidencescore (1.0 custom rule / 0.9 KB / 0.6 severity-promoted / 0.3 unmatched).%a|%b→%+ branch), taking always-scanned unguarded patterns from 2 to 0.Tests
338 → 369 passed (2 skipped), ruff clean. New: SSE end-to-end (UDP → listener → classified SSE frame), cursor semantics, tail auth, 14 vendor-pattern cases, confidence tiers, recurrence across runs, similarity search, journal corruption tolerance, demo determinism + surface coverage + CLI smoke.
Version
0.4.0 → 0.5.0.
🤖 Generated with Claude Code
https://claude.ai/code/session_015XM7j9iDXYwSvjnxZYjzaq
Generated by Claude Code