Correct Log type detection prompt for complex syslogs

x-pack/plugins/integration_assistant/common/constants.ts

@@ -39,8 +39,9 @@ export enum GenerationErrorCode {
 
 // Size limits
 export const FRONTEND_SAMPLE_ROWS = 100;
-export const LOG_FORMAT_DETECTION_SAMPLE_ROWS = 5;
+export const LOG_FORMAT_DETECTION_SAMPLE_ROWS = 30;
 export const CATEGORIZATION_INITIAL_BATCH_SIZE = 60;
 export const CATEROGIZATION_REVIEW_BATCH_SIZE = 40;
 export const CATEGORIZATION_REVIEW_MAX_CYCLES = 5;
 export const CATEGORIZATION_RECURSION_LIMIT = 50;
+export const ANALYZE_LOGS_RECURSION_LIMIT = 50;

x-pack/plugins/integration_assistant/server/graphs/log_type_detection/prompts.ts

@@ -32,6 +32,10 @@ Follow these steps to do this:
 
 You ALWAYS follow these guidelines when writing your response:
 <guidelines>
+- Do not consider a free-form text with characters like \`:\` \`=\` as structured syslogs.
+- Only a message body with characters \`:\` or \`=\` as delimeters to key-value pairs is considered "structured".
+- If you can not 100% determine the key-value pairs and a delimeter , classify the syslogs as "unstrtuctured".
+- Make sure to verify that the "structured" syslogs have key-value pairs in the message body.
 - Do not respond with anything except the updated current mapping JSON object enclosed with 3 backticks (\`). See example response below.
 </guidelines>
 

x-pack/plugins/integration_assistant/server/graphs/unstructured/prompts.ts

@@ -40,6 +40,7 @@ export const GROK_MAIN_PROMPT = ChatPromptTemplate.fromMessages([
  <guidelines>
  - Make sure to map the remaining message part to \'message\' in grok pattern.
  - Make sure to add \`{packageName}.{dataStreamName}\` as a prefix to each field in the pattern. Refer to example response.
+ - Make sure to escape using double-slash (\`\\\\\`)
  - Do not respond with anything except the processor as a JSON object enclosed with 3 backticks (\`), see example response above. Use strict JSON response format.
  </guidelines>
 
@@ -91,6 +92,7 @@ Follow these steps to help improve the grok patterns and apply it step by step:
  <guidelines>
  - Make sure to map the remaining message part to \'message\' in grok pattern.
  - Make sure to add \`{packageName}.{dataStreamName}\` as a prefix to each field in the pattern. Refer to example response.
+ - Make sure to escape using double-slash (\`\\\\\`)
  - Do not respond with anything except the processor as a JSON object enclosed with 3 backticks (\`), see example response above. Use strict JSON response format.
  </guidelines>
 

x-pack/plugins/integration_assistant/server/routes/analyze_logs_routes.ts

@@ -18,7 +18,7 @@ import { buildRouteValidationWithZod } from '../util/route_validation';
 import { withAvailability } from './with_availability';
 import { isErrorThatHandlesItsOwnResponse, UnsupportedLogFormatError } from '../lib/errors';
 import { handleCustomErrors } from './routes_util';
-import { GenerationErrorCode } from '../../common/constants';
+import { ANALYZE_LOGS_RECURSION_LIMIT, GenerationErrorCode } from '../../common/constants';
 
 export function registerAnalyzeLogsRoutes(
   router: IRouter<IntegrationAssistantRouteHandlerContext>
@@ -77,6 +77,7 @@ export function registerAnalyzeLogsRoutes(
             streaming: false,
           });
           const options = {
+            recursionLimit: ANALYZE_LOGS_RECURSION_LIMIT,
             callbacks: [
               new APMTracer({ projectName: langSmithOptions?.projectName ?? 'default' }, logger),
               ...getLangSmithTracer({ ...langSmithOptions, logger }),