penghuo
commented
2 years ago @rishabhmaurya Nice doc!
One question, How do we propose to query the TSDB?
Taken examples from PromQL, let's say http_requets_total metrics has 4 dimensions (job, group, stage, method),
1.we want to select particular timeseries from http_requets_total metrics. e.g. http_requests_total{job="prometheus",group="canary"}.
2.we want to aggregate on sum by (job, group) (http_requests_total).
Correct me if i am wrong, my understanding is TSID will help only when we do exactly selection and rollup aggregation.
- search for exactly match of all the dimensions
http_requests_total{job="prometheus",group="canary",stage=prod, methdo='GET'}. - sum(http_requests_total, 7 days)
rishabhmaurya
downsrob
muralikpbhat
gashutos
Is your feature request related to a problem? Please describe. Dedicated architecture for TimeSeries in OpenSearch to offer low cost and better performance for such use cases.
Describe the solution you'd like
TSDB Design Proposal
This document proposes an alternate approach to store and query TimeSeries data in OpenSearch. It presents definition and representation of TimeSeries data, an approach using existing OpenSearch and Lucene architecture to store and query TS data. It compares storage, cost and query performance against existing approach OpenSearch users would take to store and query TS data. Later it proposes even efficient approach to store and perform range queries over TS data with certain limitations. This document doesn’t covers the performance benchmark numbers and prototype details, but it captures the high level picture of performance and cost benefits of the newer over traditional approach.
TimeSeries data definition
In TS data, the data points (or measurements/collection metrics) are associated with a timestamp and set of dimensions, which are emitted periodically. E.g. Weather data, measurements from sensor/IOT devices, stocks/finance data, host metrics etc. In host metrics data, dimensions could be - hostname, region, AZ, IP. Datapoint will contain collection of metrics such as CPU, memory, Error Count associated with a timestamp.
Representation:
Dimensions: Set of dimensions D = {D1, D2, .. Dn} where Di is the ith dimension. N is the number of dimensions associated with any data point. N here has very strict constraint and should be under 10 in most of the cases.
Metrics: set of metrics M = {M1, M2 .. } each metric is a tuple of <metric_name, metric_type>, metric_type could be one of {sum, avg, min, max, count}.
Datapoint consists of: TimeSeries TS - its a representation of values of all dimensions associated with a datapoint.
TSi is the timeseries associated with ith datapoint TSi = {DV1, DV2 .. DVn} where DVj is the dimension value of Dj. DVj is always a low cardinality field. The number of unique values have limits here to be fit for TimeSeries data. Pi, the ith datapoint = {MV1, MV2, ..} where MVj is the metric value of jth metric in metric collection M of ith datapoint. Ti is the timestamp associated with the ith datapoint
so document is a tuple of <TSi, Ti, Pi>
Traditional approach
Traditional approach in OpenSearch is based on creating DataStreams and indexing documents with mandatory
@timestampfield, mapped as a date. Dimension field defined above, Di , can be mapped as numeric, keyword, IP or a similar type. Metric field Mi will b mapped as a numeric field.DataStreams have hidden backing index, which are associated with a time range, and depending on timestamp, the document is routed to the right backing index. IndexManagement policy can be defined which will automatically create a new backing index when desired.
Indexing on data streams is similar to any other index. Doc will be stored as it is in segment with all the fields and in order the documents are ingested unless index sort order is specified by the user.
Query types in TS data
Queries over TS data will be of nature -
QTs-Ts (Filter(D={DV1, DV2 .. DVn}), M={M1, M2})
QTs-Ts (Filter(D={DV1, DV2}), Agg(D={D3}), M={M1, M2}) Ts is the start time and Te is the end time. Filter represents filter query and Agg represents aggregation on certain field. Each query will output an aggregated result of metrics M requested in the query. for e.g. min, max, avg on metric field.
Performance on each segment Query is a combination of AND conjunctions on all dimensions, range query on timestamp and metric aggregation on metrics requested. Assuming there is no sort order and given dimensional value is a low cardinality field, the filter query could potentially match a very high percentage of documents. Scanning through each of them, to look up metric field or aggregate on another dimension, in a non-ordered way, would require tremendous amount of disk IO to fetch documents. Placing similar documents together has 2 benefits - speeding up query, better compression.
Proposal
Tenets for TS data:
All these tenets aims toward better query performance and lower the cost to store and query time series data.
Proposal 1
Creating TimeSeries and TimeSeriesID
Instead of storing all Dimensional values in separate fields, they can combined into a single field of type byteref. Each of these timeseries can be referred using an ID - TSID, generated by encoding their byteref representation.
TSID = encode(byteref(D1V1, DiVk .. DnVm))
Instead of indexing all dimensions, just TSID can be indexed, which can be decoded later if needed at query time.
Note: Number of TSIDs will not grow much in a segment as dimension values in time series data are limited and doesn’t explode. So TSID still remains a low cardinality field.
Index Sorting
Index sort order would be - (TSID, timesstamp)
When index is refreshed and segments are persisted on disk, it would order docs on the basis of above sort order. In this case, all similar timeseries will be kept together, and docs with same timeseries will be ordered on the basis of timestamp.
TSIDs are encoded such that the - if TSIDi < TSIDj then byteref(TSIDi ) < byteref(TSIDj). So all timeseries are lexicographically sorted, based on their dimensional value, inside a segment.
Queries like QTs-Ts (Filter(D={DV1, DV2 .. DVn}), M={M1, M2}) which are filtering on Timeseries and is a range query on timestamps, can be very efficiently executed by iterating over the docs in docvalues in an ordered way and skipping over large batches of the irrelevant docs (skipping the batches of TSIDs). Also, by not indexing each dimensions, instead just indexing the TSID, will avoid AND conjunctions on dimension values.
Shard Routing Strategy
Strategy should aim toward storing similar timeseries together for better query performance and compression results. The shards can be routed greedily based on the dimension value, to keep similar timeseries together, at the same time keeping the shards sizes uniform across index.
Rollups
Aged data will be rolledup with courser granularity of timestamps, so ranges of timestamps can be merged by merging each of the summary metrics associated with the datapoints. This will be similar to rollups in index management. The configuration here would be even simpler by just defining the timeranges and their granularity.
Even faster range queries and efficient storage
Idea is to store timestamps against each timeseries in an ordered tree which could efficiently execute range queries without scanning over all matching timestamps in linear time. Also, when storing such trees on disk, it should efficiently retrieve internal nodes minimizing the need to read/load the full file in-memory.
Proposal 2: Extending Points and BKD in Lucene
This is similar to Proposal 1, but instead of using Index Sort to perform fast range queries on timestamps, we will be exploring the use of single dimensional BKD trees in lucene for range queries. Today, the internal nodes of BKD doesn’t store any information other than file pointer, split dimension, split value which are required to traverse to the right leaf nodes while querying. This proposal is centered around additionally storing the aggregated summaries in the internal nodes.
Assumptions:
Changes:
Changes in BKD:
Timeseries related changes: Timeseries will also be stored in a sorted order as SortedDocValues. So while filter queries on timeseries, they can be retrieved in an ordered way. A new query type will be introduced which can output the aggregation summaries on metrics given a timeseries and range of timestamps.
Lucene changes:
Changes pertaining to BKD with summaries can be found here - https://github.com/rishabhmaurya/lucene/pull/1
Performance
This approach wil change the time complexity of tree traversal from O(N) to O(logN) where N is the number of hits for a given timeseries queries. Also, it would save visiting doc values to compute aggregation summaries but instead use the precomputed aggregation summaries.
Cons
All assumptions made are cons here, the question is if its fine to live with these assumptions for timeseries use-cases.
PTRangeOrDocValues query
This can be an additional feature for power users who are fine to bear the cost associated with storing timeseries data using both approaches. PTRangeOrDocValues can be helpful for those users to estimate the cost of running queries using both models and choose the optimal one.
These powers users will also not loose the features flexibility offered by approach 1 and not by approach 2, but will not be as optimal in terms of performance when compared to approach 1.
Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.
Additional context Add any other context or screenshots about the feature request here.