turbolog 0.2.1

Ultralight log anomaly detection — no API key, no Python, pipe-friendly CLI with local LLM explain
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179

//! Persistent anomaly history backed by SQLite.
//!
//! DB location (in priority order):
//!   $XDG_DATA_HOME/turbolog/history.db
//!   ~/.local/share/turbolog/history.db
//!
//! If the DB cannot be opened (read-only FS, permission error, etc.)
//! callers receive `None` — history is fully optional.

use std::path::PathBuf;

use anyhow::Result;
use rusqlite::{params, Connection};

pub struct HistoryQuery {
    /// Look back this many seconds (None = all time).
    pub since_secs: Option<i64>,
    /// Substring filter on the template column.
    pub template: Option<String>,
    /// Maximum rows to return.
    pub limit: usize,
}

pub struct HistoryEntry {
    pub timestamp: i64,
    pub template: String,
    pub line: String,
    pub score: f32,
    pub explanation: Option<String>,
}

pub struct HistoryStore {
    conn: Connection,
}

impl HistoryStore {
    pub fn open() -> Result<Self> {
        let path = db_path();
        if let Some(parent) = path.parent() {
            std::fs::create_dir_all(parent)?;
        }
        let conn = Connection::open(&path)?;
        conn.execute_batch(
            "CREATE TABLE IF NOT EXISTS anomalies (
                id          INTEGER PRIMARY KEY AUTOINCREMENT,
                timestamp   INTEGER NOT NULL,
                template    TEXT    NOT NULL,
                line        TEXT    NOT NULL,
                score       REAL    NOT NULL,
                explanation TEXT
            );
            CREATE INDEX IF NOT EXISTS idx_template  ON anomalies(template);
            CREATE INDEX IF NOT EXISTS idx_timestamp ON anomalies(timestamp);",
        )?;
        Ok(Self { conn })
    }

    /// Persist a detected anomaly. `explanation` may be None if --explain is off.
    pub fn insert(
        &self,
        template: &str,
        line: &str,
        score: f32,
        explanation: Option<&str>,
    ) -> Result<()> {
        let ts = now_secs();
        self.conn.execute(
            "INSERT INTO anomalies (timestamp, template, line, score, explanation)
             VALUES (?1, ?2, ?3, ?4, ?5)",
            params![ts, template, line, score as f64, explanation],
        )?;
        Ok(())
    }

    /// Query anomaly history with optional filters.
    pub fn query(&self, q: &HistoryQuery) -> Result<Vec<HistoryEntry>> {
        let cutoff = q.since_secs.map(|s| now_secs() - s).unwrap_or(0);
        let limit = q.limit as i64;

        let mut entries: Vec<HistoryEntry> = Vec::new();

        if let Some(ref tmpl) = q.template {
            let pattern = format!("%{tmpl}%");
            let mut stmt = self.conn.prepare(
                "SELECT timestamp, template, line, score, explanation
                 FROM anomalies WHERE timestamp >= ?1 AND template LIKE ?2
                 ORDER BY timestamp DESC LIMIT ?3",
            )?;
            let mut rows = stmt.query(params![cutoff, pattern, limit])?;
            while let Some(row) = rows.next()? {
                entries.push(map_history_row(row)?);
            }
        } else {
            let mut stmt = self.conn.prepare(
                "SELECT timestamp, template, line, score, explanation
                 FROM anomalies WHERE timestamp >= ?1
                 ORDER BY timestamp DESC LIMIT ?2",
            )?;
            let mut rows = stmt.query(params![cutoff, limit])?;
            while let Some(row) = rows.next()? {
                entries.push(map_history_row(row)?);
            }
        }

        Ok(entries)
    }

    /// Returns a one-line context string for the given template, e.g.
    /// "seen 3× in the last 7 days (last: 2h ago)" — or None if no prior history.
    pub fn context_for(&self, template: &str) -> Option<String> {
        let cutoff = now_secs() - 7 * 86_400;
        let count: i64 = self
            .conn
            .query_row(
                "SELECT COUNT(*) FROM anomalies WHERE template = ?1 AND timestamp >= ?2",
                params![template, cutoff],
                |row| row.get(0),
            )
            .unwrap_or(0);

        if count == 0 {
            return None;
        }

        let last_ts: i64 = self
            .conn
            .query_row(
                "SELECT MAX(timestamp) FROM anomalies WHERE template = ?1",
                params![template],
                |row| row.get(0),
            )
            .unwrap_or(0);

        let age = format_age(now_secs() - last_ts);
        Some(format!(
            "This log pattern has occurred {count}× in the last 7 days (last seen: {age})"
        ))
    }
}

fn map_history_row(row: &rusqlite::Row<'_>) -> rusqlite::Result<HistoryEntry> {
    Ok(HistoryEntry {
        timestamp: row.get(0)?,
        template: row.get(1)?,
        line: row.get(2)?,
        score: row.get::<_, f64>(3)? as f32,
        explanation: row.get(4)?,
    })
}

fn now_secs() -> i64 {
    std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .map(|d| d.as_secs() as i64)
        .unwrap_or(0)
}

fn format_age(secs: i64) -> String {
    let secs = secs.max(0);
    if secs < 60 {
        format!("{secs}s ago")
    } else if secs < 3_600 {
        format!("{}m ago", secs / 60)
    } else if secs < 86_400 {
        format!("{}h ago", secs / 3_600)
    } else {
        format!("{}d ago", secs / 86_400)
    }
}

fn db_path() -> PathBuf {
    let base = std::env::var("XDG_DATA_HOME")
        .map(PathBuf::from)
        .unwrap_or_else(|_| {
            PathBuf::from(std::env::var("HOME").unwrap_or_else(|_| ".".to_string()))
                .join(".local/share")
        });
    base.join("turbolog/history.db")
}