tellaro-query-language 0.1.6__py3-none-any.whl → 0.1.8__py3-none-any.whl

{tellaro_query_language-0.1.6.dist-info → tellaro_query_language-0.1.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: tellaro-query-language
-Version: 0.1.6
+Version: 0.1.8
 Summary: A flexible, human-friendly query language for searching and filtering structured data
 Home-page: https://github.com/tellaro/tellaro-query-language
 License: MIT

{tellaro_query_language-0.1.6.dist-info → tellaro_query_language-0.1.8.dist-info}/RECORD

@@ -4,12 +4,12 @@ tql/cache/__init__.py,sha256=GIzIEMZUZEYJj72sAhuVLEG-OJEKUG2srUWNM3Ix-T8,213
 tql/cache/base.py,sha256=0b-8uyh3JltayGmXQI45snTqsM5sQu9u0KcNvZIRa-I,687
 tql/cache/memory.py,sha256=ibcmQSAxNvqCy6DksbU7gLu6UArYp1u3fW-oLubxtV0,2056
 tql/cache/redis.py,sha256=ZU_IsVDvpSYpNvPfnZ4iulJDODpEGx3c4dkXLzPzPVc,2309
-tql/core.py,sha256=zAkTStN_3logY9ARABDZNsQJfXV5rITiiTKoX5bo274,40859
+tql/core.py,sha256=zIihZijiwqejG78EIRikTtaDvzMgcy2cwBCL3-HwZy8,40797
 tql/core_components/README.md,sha256=Rm7w4UHdQ0vPBEFybE5b62IOvSA5Nzq2GRvtBHOapmc,3068
 tql/core_components/__init__.py,sha256=v8BBybPlqV7dkVY9mw1mblvqyAFJZ7Pf_bEc-jAL7FI,643
 tql/core_components/file_operations.py,sha256=Jr0kkxz_OP2KHOAsIr7KMtYe_lbu8LuBUySt2LQbjJw,3925
-tql/core_components/opensearch_operations.py,sha256=x0GPdQfMX-NYCzzAlJCbtzYFa6HmaKxGEVl2JdAhKJY,35447
-tql/core_components/stats_operations.py,sha256=9WSEMdAvtZA6deckGwyetPAtnDODFqlnrhvlBbNkBcs,7469
+tql/core_components/opensearch_operations.py,sha256=HIiSosL2uek88H6aPkX_QDnlgV8bT1fbotG652Z2vdE,37900
+tql/core_components/stats_operations.py,sha256=zAfDhVOFFPMrRIMw6Qtjxbobbdi7ao_HuHBCcVc3BGY,7579
 tql/core_components/validation_operations.py,sha256=_VPXh0HABBjsXF99jFT7B6-5QAPsADOCy6poinGrxeE,22454
 tql/evaluator.py,sha256=YdgS1vuxUEPAHhUsZey-Y4NydeS8CTYOy_O8R5_K8cE,15421
 tql/evaluator_components/README.md,sha256=c59yf2au34yPhrru7JWgGop_ORteB6w5vfMhsac8j3k,3882
@@ -36,21 +36,21 @@ tql/opensearch_components/field_mapping.py,sha256=N4r7VkzNeXjIhNDt2cfnd1LbkvaS_9
 tql/opensearch_components/lucene_converter.py,sha256=ZbupWZ2smGhWfE9cSIrNo7MZVY35l2t86HYM-bd7nKw,12436
 tql/opensearch_components/query_converter.py,sha256=9Nkhehb8X7jIQcyRaHCa5WCKWtovdRGKuSdDsBulrG0,36722
 tql/opensearch_mappings.py,sha256=zJCCdMrxK7mswrkxd5LiOhunQ9GIJNZdhktVoGXgVgk,11529
-tql/opensearch_stats.py,sha256=svcE23lD1gDe1iYGlC388WE8X3x9C8tjfBylUVy2Uqo,17216
+tql/opensearch_stats.py,sha256=h-hA2EZ-sc4S1zxr7jaInmonfrgTXoGBbb9sOYurdFE,17823
 tql/parser.py,sha256=dnjgc-sDVihe-VIVPT_SRULeng4OWaLtkbM23dluT6M,75532
 tql/parser_components/README.md,sha256=lvQX72ckq2zyotGs8QIHHCIFqaA7bOHwkP44wU8Zoiw,2322
 tql/parser_components/__init__.py,sha256=zBwHBMPJyHSBbaOojf6qTrJYjJg5A6tPUE8nHFdRiQs,521
 tql/parser_components/ast_builder.py,sha256=-pbcYhZNoRm0AnjmJRAAlXLCAwHfauchTpX_6KO0plE,6793
 tql/parser_components/error_analyzer.py,sha256=qlCD9vKyW73aeKQYI33P1OjIWSJ3LPd08wuN9cis2fU,4012
 tql/parser_components/field_extractor.py,sha256=TumeuUo2c5gPYVbTPsmU43C3TJFC8chAAWERu5v_Q3c,4182
-tql/parser_components/grammar.py,sha256=WtmgANV49Jx1uHNBeiyElpXqKy3feQOWj9aYdxGn3Ww,19182
+tql/parser_components/grammar.py,sha256=lSvjABvEBaH29-ad-_UGD4WmofdNwC_pO2OKQJ_It-U,19309
 tql/post_processor.py,sha256=-vA2wgbuLij2FVnj5I9HDHtw5bKj9Cu3EE9mtoeSWk8,28859
 tql/scripts.py,sha256=VOr5vCjIvKlW36kwvJx7JGFIRM16IJZlbJcWlBexBtk,3728
-tql/stats_evaluator.py,sha256=GtmygLdPPMhAMR5bN1h69cQsNBYqg-jQl6bN5rwEx6Q,15692
+tql/stats_evaluator.py,sha256=lOEbICFuP0krZZqEjREz37xlpm35_P6eRgkHVgJLNI4,15703
 tql/stats_transformer.py,sha256=MT-4rDWZSySgn4Fuq9H0c-mvwFYLM6FqWpPv2rHX-rE,7588
 tql/validators.py,sha256=e9MlX-zQ_O3M8YP8vXyMjKU8iiJMTh6mMK0iv0_4gTY,3771
-tellaro_query_language-0.1.6.dist-info/LICENSE,sha256=zRhQ85LnW55fWgAjQctckwQ67DX5Jmt64lq343ThZFU,1063
-tellaro_query_language-0.1.6.dist-info/METADATA,sha256=5IbaJTGKJLQvYnXR-670n5rRISPIOmfekhqDie1V1MQ,15109
-tellaro_query_language-0.1.6.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-tellaro_query_language-0.1.6.dist-info/entry_points.txt,sha256=H43APfGBMsZkKsUCnFTaqprQPW-Kce2yz2qsBL3dZrw,164
-tellaro_query_language-0.1.6.dist-info/RECORD,,
+tellaro_query_language-0.1.8.dist-info/LICENSE,sha256=zRhQ85LnW55fWgAjQctckwQ67DX5Jmt64lq343ThZFU,1063
+tellaro_query_language-0.1.8.dist-info/METADATA,sha256=7dSseBpILkxyeAW0B7QQ3psZORRfkM0Cai7l5uiQGCU,15109
+tellaro_query_language-0.1.8.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+tellaro_query_language-0.1.8.dist-info/entry_points.txt,sha256=H43APfGBMsZkKsUCnFTaqprQPW-Kce2yz2qsBL3dZrw,164
+tellaro_query_language-0.1.8.dist-info/RECORD,,

tql/core.py

@@ -167,7 +167,7 @@ class TQL:
             return f"NOT {operand}"
         return str(ast)
 
-    def query(
+    def query(  # noqa: C901
         self, data: Union[List[Dict], str], query: str, size: int = 10, save_enrichment: bool = False
     ) -> Dict[str, Any]:  # noqa: C901
         """Execute a TQL query against data and return results in execute_opensearch format.
@@ -470,8 +470,7 @@ class TQL:
             size: Number of results to return (default: 500)
             from_: Starting offset for pagination (default: 0)
             timestamp_field: Field name for timestamp filtering (default: "@timestamp")
-            time_range: Optional time range dict with 'gte' and/or 'lte' keys.
-                       If None, defaults to 'gte': 'now-15m', 'lte': 'now'
+            time_range: Optional time range dict with 'gte' and/or 'lte' keys
             scan_all: If True, use scroll API to retrieve all matching documents
             scroll_size: Size per scroll when scan_all=True (default: 1000)
             scroll_timeout: Scroll timeout when scan_all=True (default: "5m")

tql/core_components/opensearch_operations.py

@@ -311,10 +311,6 @@ class OpenSearchOperations:
         search_body = opensearch_query.copy()
 
         # Handle time range filtering
-        if time_range is None:
-            # Default time range: last 15 minutes
-            time_range = {"gte": "now-15m", "lte": "now"}
-
         # Add time range filter to the query
         if time_range:
             base_query = search_body.get("query", {})
@@ -441,49 +437,93 @@ class OpenSearchOperations:
                 fields = [agg.get("field") for agg in aggregations]
 
                 stats_results = {
-                    "type": "stats",
+                    "type": "stats_grouped",
                     "operation": operations[0] if len(operations) == 1 else operations,
                     "field": fields[0] if len(fields) == 1 else fields,
-                    "values": buckets,  # Array of buckets for grouped results
+                    "results": buckets,  # Array of buckets for grouped results
                     "group_by": group_by_fields,
                 }
             else:
                 # Simple aggregations without grouping
                 if aggregations:
-                    first_agg = aggregations[0]
-                    func = first_agg.get("function", "")
-                    field = first_agg.get("field", "*")
-
-                    # Get the aggregation result
-                    # The alias is typically func_field_0 for the first aggregation
-                    alias = first_agg.get("alias") or f"{func}_{field}_0"
-                    agg_result = aggs_response.get(alias, {})
-
-                    # Extract the value based on aggregation type
-                    if func == "count":
-                        value = agg_result.get("value", 0)
-                    elif func in ["sum", "min", "max", "avg", "average"]:
-                        value = agg_result.get("value", 0)
-                    elif func == "unique_count":
-                        value = agg_result.get("value", 0)
-                    elif func in ["percentile", "percentiles", "p", "pct"]:
-                        # Percentiles return a values dict
-                        values_dict = agg_result.get("values", {})
-                        # For a single percentile, extract the value
-                        if len(values_dict) == 1:
-                            value = list(values_dict.values())[0]
+                    if len(aggregations) == 1:
+                        # Single aggregation
+                        first_agg = aggregations[0]
+                        func = first_agg.get("function", "")
+                        field = first_agg.get("field", "*")
+
+                        # Get the aggregation result
+                        # The alias is typically func_field_0 for the first aggregation
+                        alias = first_agg.get("alias") or f"{func}_{field}_0"
+                        agg_result = aggs_response.get(alias, {})
+
+                        # Extract the value based on aggregation type
+                        if func == "count":
+                            value = agg_result.get("value", 0)
+                        elif func in ["sum", "min", "max", "avg", "average"]:
+                            value = agg_result.get("value", 0)
+                        elif func == "unique_count":
+                            value = agg_result.get("value", 0)
+                        elif func in ["percentile", "percentiles", "p", "pct"]:
+                            # Percentiles return a values dict
+                            values_dict = agg_result.get("values", {})
+                            # For a single percentile, extract the value
+                            if len(values_dict) == 1:
+                                value = list(values_dict.values())[0]
+                            else:
+                                value = values_dict
+                        elif func in ["values", "unique"]:
+                            # Extract buckets from terms aggregation
+                            buckets = agg_result.get("buckets", [])
+                            value = [bucket["key"] for bucket in buckets]
                         else:
-                            value = values_dict
+                            value = agg_result
+
+                        stats_results = {
+                            "type": "stats",
+                            "operation": func,
+                            "field": field,
+                            "values": value,
+                            "group_by": [],
+                        }
                     else:
-                        value = agg_result
-
-                    stats_results = {
-                        "type": "stats",
-                        "operation": func,
-                        "field": field,
-                        "values": value,
-                        "group_by": [],
-                    }
+                        # Multiple aggregations
+                        agg_results = {}
+                        for i, agg in enumerate(aggregations):
+                            func = agg.get("function", "")
+                            field = agg.get("field", "*")
+                            alias = agg.get("alias") or f"{func}_{field}_{i}"
+                            agg_result = aggs_response.get(alias, {})
+
+                            # Extract the value based on aggregation type
+                            if func == "count":
+                                value = agg_result.get("value", 0)
+                            elif func in ["sum", "min", "max", "avg", "average"]:
+                                value = agg_result.get("value", 0)
+                            elif func == "unique_count":
+                                value = agg_result.get("value", 0)
+                            elif func in ["percentile", "percentiles", "p", "pct"]:
+                                # Percentiles return a values dict
+                                values_dict = agg_result.get("values", {})
+                                # For a single percentile, extract the value
+                                if len(values_dict) == 1:
+                                    value = list(values_dict.values())[0]
+                                else:
+                                    value = values_dict
+                            elif func in ["values", "unique"]:
+                                # Extract buckets from terms aggregation
+                                buckets = agg_result.get("buckets", [])
+                                value = [bucket["key"] for bucket in buckets]
+                            else:
+                                value = agg_result
+
+                            key = agg.get("alias") or f"{func}_{field}"
+                            agg_results[key] = value
+
+                        stats_results = {
+                            "type": "stats",
+                            "results": agg_results,
+                        }
                 else:
                     stats_results = {"type": "stats", "operation": "unknown", "field": "*", "values": 0, "group_by": []}
 

tql/core_components/stats_operations.py

@@ -133,7 +133,8 @@ class StatsOperations:
         """
         # Parse the query
         try:
-            if not query.strip().startswith("| stats") and "|" not in query:
+            # Don't add prefix if query already starts with "stats"
+            if not query.strip().startswith("| stats") and not query.strip().startswith("stats") and "|" not in query:
                 query = "| stats " + query.strip()
 
             ast = self.parser.parse(query)

tql/opensearch_stats.py

@@ -33,6 +33,9 @@ class OpenSearchStatsTranslator:
         "pct_rank": "percentile_ranks",
         "pct_ranks": "percentile_ranks",
         "zscore": None,  # Requires post-processing
+        "values": "terms",  # Return unique values
+        "unique": "terms",  # Alias for values
+        "cardinality": "cardinality",  # Count of unique values
     }
 
     # Aggregations that require numeric fields
@@ -146,6 +149,9 @@ class OpenSearchStatsTranslator:
                     if not rank_values:
                         raise TQLError("percentile_rank requires at least one value")
                     aggs_dsl[alias] = {"percentile_ranks": {"field": field, "values": rank_values}}
+                elif func in ["values", "unique"]:
+                    # Terms aggregation to get unique values
+                    aggs_dsl[alias] = {"terms": {"field": field, "size": 10000}}  # Large size to get all values
                 else:
                     # Direct mapping
                     aggs_dsl[alias] = {os_agg_type: {"field": field}}
@@ -398,7 +404,7 @@ class OpenSearchStatsTranslator:
 
     def _extract_aggregation_value(  # noqa: C901
         self, agg_result: Dict[str, Any], function: str
-    ) -> Union[int, float, Dict[str, Any], None]:
+    ) -> Union[int, float, Dict[str, Any], List[Any], None]:
         """Extract value from OpenSearch aggregation result.
 
         Args:
@@ -447,5 +453,9 @@ class OpenSearchStatsTranslator:
                 for k, v in values.items():
                     result[f"rank_{k}"] = v
                 return result
+        elif function in ["values", "unique"]:
+            # Extract buckets from terms aggregation
+            buckets = agg_result.get("buckets", [])
+            return [bucket["key"] for bucket in buckets]
         else:
             return None

tql/parser_components/grammar.py

@@ -380,8 +380,9 @@ class TQLGrammar:
             caseless=True,
         )
 
-        # Special case for count(*)
+        # Special case for count(*) and count()
         self.count_all = CaselessKeyword("count") + Suppress("(") + Suppress("*") + Suppress(")")
+        self.count_empty = CaselessKeyword("count") + Suppress("(") + Suppress(")")
 
         # Aggregation function with field
         self.agg_function = (
@@ -395,6 +396,7 @@ class TQLGrammar:
                 + Suppress(")")
             )
             | self.count_all
+            | self.count_empty
         )
 
         # Support for aliasing: sum(revenue) as total_revenue

tql/stats_evaluator.py

@@ -198,7 +198,7 @@ class TQLStatsEvaluator:
 
     def _calculate_aggregation(  # noqa: C901
         self, records: List[Dict[str, Any]], agg_spec: Dict[str, Any]
-    ) -> Union[int, float, Dict[str, Any], None]:
+    ) -> Union[int, float, Dict[str, Any], List[Any], None]:
         """Calculate a single aggregation value.
 
         Args: