lessence 0.3.1

Extract the essence of your logs — compress repetitive lines while preserving all unique information
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207

// Timestamp Format Definitions and Pattern Structures
// Constitutional requirement: All 30+ timestamp formats without shortcuts

use super::{FormatFamily, PatternPriority};
use regex::Regex;

/// Individual timestamp pattern with metadata
#[derive(Debug, Clone)]
pub struct TimestampPattern {
    pub regex: Regex,
    pub format_type: TimestampFormat,
    pub priority: PatternPriority,
    pub source: PatternSource,
}

/// Comprehensive timestamp format classification
/// Constitutional requirement: Support ALL formats from both implementations
#[allow(dead_code)]
#[derive(Debug, Clone, PartialEq)]
pub enum TimestampFormat {
    // ISO8601 family
    ISO8601Full,
    ISO8601NoZ,
    ISO8601Date,
    ISO8601Time,
    ISO8601Enhanced,
    WeekDate,
    OrdinalDate,

    // RFC family
    RFC3339,
    RFC3339NoZ,
    RFC2822,

    // Application family
    JavaSimpleDate,
    KubernetesLog,
    DockerLog,
    ElasticsearchLog,
    Log4j,
    Splunk,

    // Database family
    MySQLTimestamp,
    PostgreSQLTimestamp,
    Oracle,

    // Regional family
    USDate,
    USDateDash,
    EuropeanDate,
    EuropeanDateDot,

    // Web server family
    ApacheCommon,
    ApacheError,
    NginxAccess,

    // Unix family
    UnixTimestamp,
    UnixTimestampMs,
    UnixTimestampNs,
    UnixBracketed,
    UnixPrefixed,

    // Legacy family
    SyslogBSD,
    SyslogRFC5424,
    SyslogWithYear,
    IBMFormat,
    CompactFormat,

    // Time-only
    TimeOnly,

    // Duration
    Duration,

    // Additional formats found in essence/processor.rs
    WindowsEvent,
    WindowsIIS,
    GitCommit,
    Aws,
    Gcp,
    Azure,
    Ansic,
    RFC822,
}

impl TimestampFormat {
    /// Get format family for priority assignment
    pub fn format_family(&self) -> FormatFamily {
        match self {
            TimestampFormat::ISO8601Full
            | TimestampFormat::ISO8601NoZ
            | TimestampFormat::ISO8601Date
            | TimestampFormat::ISO8601Time
            | TimestampFormat::ISO8601Enhanced
            | TimestampFormat::WeekDate
            | TimestampFormat::OrdinalDate
            | TimestampFormat::RFC3339
            | TimestampFormat::RFC3339NoZ
            | TimestampFormat::RFC2822
            | TimestampFormat::RFC822 => FormatFamily::Structured,

            TimestampFormat::JavaSimpleDate
            | TimestampFormat::KubernetesLog
            | TimestampFormat::DockerLog
            | TimestampFormat::ElasticsearchLog
            | TimestampFormat::Log4j
            | TimestampFormat::Splunk
            | TimestampFormat::ApacheCommon
            | TimestampFormat::ApacheError
            | TimestampFormat::NginxAccess
            | TimestampFormat::Aws
            | TimestampFormat::Gcp
            | TimestampFormat::Azure => FormatFamily::Application,

            TimestampFormat::USDate
            | TimestampFormat::USDateDash
            | TimestampFormat::EuropeanDate
            | TimestampFormat::EuropeanDateDot
            | TimestampFormat::WindowsEvent
            | TimestampFormat::WindowsIIS => FormatFamily::Regional,

            TimestampFormat::MySQLTimestamp
            | TimestampFormat::PostgreSQLTimestamp
            | TimestampFormat::Oracle => FormatFamily::Database,

            TimestampFormat::SyslogBSD
            | TimestampFormat::SyslogRFC5424
            | TimestampFormat::SyslogWithYear
            | TimestampFormat::IBMFormat
            | TimestampFormat::CompactFormat
            | TimestampFormat::GitCommit
            | TimestampFormat::Ansic => FormatFamily::Legacy,

            TimestampFormat::UnixTimestamp
            | TimestampFormat::UnixTimestampMs
            | TimestampFormat::UnixTimestampNs
            | TimestampFormat::UnixBracketed
            | TimestampFormat::UnixPrefixed => FormatFamily::Unix,

            TimestampFormat::TimeOnly | TimestampFormat::Duration => FormatFamily::Legacy,
        }
    }

    /// Calculate specificity score for priority ordering
    pub fn specificity_score(&self) -> u32 {
        match self {
            // Most specific: Full ISO dates with timezone and nanoseconds
            TimestampFormat::ISO8601Enhanced
            | TimestampFormat::KubernetesLog
            | TimestampFormat::DockerLog => 100,

            // High specificity: Structured formats with timezone
            TimestampFormat::ISO8601Full
            | TimestampFormat::RFC3339
            | TimestampFormat::WeekDate
            | TimestampFormat::OrdinalDate => 90,

            // Medium-high: Structured without timezone
            TimestampFormat::ISO8601NoZ
            | TimestampFormat::RFC3339NoZ
            | TimestampFormat::RFC2822 => 80,

            // Medium: Application-specific formats
            TimestampFormat::ApacheCommon
            | TimestampFormat::ApacheError
            | TimestampFormat::JavaSimpleDate
            | TimestampFormat::Log4j
            | TimestampFormat::ElasticsearchLog => 70,

            // Medium-low: Regional and database formats
            TimestampFormat::USDate
            | TimestampFormat::EuropeanDate
            | TimestampFormat::MySQLTimestamp
            | TimestampFormat::PostgreSQLTimestamp
            | TimestampFormat::Oracle => 60,

            // Low: Legacy and simple formats
            TimestampFormat::SyslogBSD
            | TimestampFormat::SyslogRFC5424
            | TimestampFormat::CompactFormat
            | TimestampFormat::IBMFormat => 50,

            // Very low: Unix timestamps (high false positive risk)
            TimestampFormat::UnixTimestamp
            | TimestampFormat::UnixTimestampMs
            | TimestampFormat::UnixTimestampNs => 10,

            // Lowest: Prefixed unix (more specific but still risky)
            TimestampFormat::UnixBracketed | TimestampFormat::UnixPrefixed => 20,

            // Default for remaining formats
            _ => 40,
        }
    }
}

/// Pattern source tracking for maintenance and debugging
#[derive(Debug, Clone, PartialEq)]
pub enum PatternSource {
    OriginalTimestamp,
    OriginalEssence,
    Merged,
}