ClickHouse
diff --git a/‎docs/use-cases/observability/clickstack/deployment/hyperdx-clickhouse-cloud.md‎
Lines changed: 148 additions & 0 deletions b/‎docs/use-cases/observability/clickstack/deployment/hyperdx-clickhouse-cloud.md‎
Lines changed: 148 additions & 0 deletions
diff --git a/‎docs/use-cases/observability/clickstack/event_patterns.md‎
Lines changed: 40 additions & 0 deletions b/‎docs/use-cases/observability/clickstack/event_patterns.md‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎static/images/use-cases/observability/event_patterns.png‎
1.07 MB b/‎static/images/use-cases/observability/event_patterns.png‎
1.07 MB
diff --git a/‎static/images/use-cases/observability/event_patterns_highlight.png‎
1.1 MB b/‎static/images/use-cases/observability/event_patterns_highlight.png‎
1.1 MB
@@ -68,6 +68,154 @@ curl -O https://raw.githubusercontent.com/ClickHouse/clickhouse-docs/refs/heads/
 <details>
 <summary>otel-cloud-config.yaml</summary>
 ```yaml file=docs/use-cases/observability/clickstack/deployment/_snippets/otel-cloud-config.yaml
+receivers:
+  otlp/hyperdx:
+    protocols:
+      grpc:
+        include_metadata: true
+        endpoint: '0.0.0.0:4317'
+      http:
+        cors:
+          allowed_origins: ['*']
+          allowed_headers: ['*']
+        include_metadata: true
+        endpoint: '0.0.0.0:4318'
+processors:
+  transform:
+    log_statements:
+      - context: log
+        error_mode: ignore
+        statements:
+          # JSON parsing: Extends log attributes with the fields from structured log body content, either as an OTEL map or
+          # as a string containing JSON content.
+          - set(log.cache, ExtractPatterns(log.body, "(?P<0>(\\{.*\\}))")) where
+            IsString(log.body)
+          - merge_maps(log.attributes, ParseJSON(log.cache["0"]), "upsert")
+            where IsMap(log.cache)
+          - flatten(log.attributes) where IsMap(log.cache)
+          - merge_maps(log.attributes, log.body, "upsert") where IsMap(log.body)
+      - context: log
+        error_mode: ignore
+        conditions:
+          - severity_number == 0 and severity_text == ""
+        statements:
+          # Infer: extract the first log level keyword from the first 256 characters of the body
+          - set(log.cache["substr"], log.body.string) where Len(log.body.string)
+            < 256
+          - set(log.cache["substr"], Substring(log.body.string, 0, 256)) where
+            Len(log.body.string) >= 256
+          - set(log.cache, ExtractPatterns(log.cache["substr"],
+            "(?i)(?P<0>(alert|crit|emerg|fatal|error|err|warn|notice|debug|dbug|trace))"))
+          # Infer: detect FATAL
+          - set(log.severity_number, SEVERITY_NUMBER_FATAL) where
+            IsMatch(log.cache["0"], "(?i)(alert|crit|emerg|fatal)")
+          - set(log.severity_text, "fatal") where log.severity_number ==
+            SEVERITY_NUMBER_FATAL
+          # Infer: detect ERROR
+          - set(log.severity_number, SEVERITY_NUMBER_ERROR) where
+            IsMatch(log.cache["0"], "(?i)(error|err)")
+          - set(log.severity_text, "error") where log.severity_number ==
+            SEVERITY_NUMBER_ERROR
+          # Infer: detect WARN
+          - set(log.severity_number, SEVERITY_NUMBER_WARN) where
+            IsMatch(log.cache["0"], "(?i)(warn|notice)")
+          - set(log.severity_text, "warn") where log.severity_number ==
+            SEVERITY_NUMBER_WARN
+          # Infer: detect DEBUG
+          - set(log.severity_number, SEVERITY_NUMBER_DEBUG) where
+            IsMatch(log.cache["0"], "(?i)(debug|dbug)")
+          - set(log.severity_text, "debug") where log.severity_number ==
+            SEVERITY_NUMBER_DEBUG
+          # Infer: detect TRACE
+          - set(log.severity_number, SEVERITY_NUMBER_TRACE) where
+            IsMatch(log.cache["0"], "(?i)(trace)")
+          - set(log.severity_text, "trace") where log.severity_number ==
+            SEVERITY_NUMBER_TRACE
+          # Infer: else
+          - set(log.severity_text, "info") where log.severity_number == 0
+          - set(log.severity_number, SEVERITY_NUMBER_INFO) where log.severity_number == 0
+      - context: log
+        error_mode: ignore
+        statements:
+          # Normalize the severity_text case
+          - set(log.severity_text, ConvertCase(log.severity_text, "lower"))
+  resourcedetection:
+    detectors:
+      - env
+      - system
+      - docker
+    timeout: 5s
+    override: false
+  batch:
+  memory_limiter:
+    # 80% of maximum memory up to 2G, adjust for low memory environments
+    limit_mib: 1500
+    # 25% of limit up to 2G, adjust for low memory environments
+    spike_limit_mib: 512
+    check_interval: 5s
+connectors:
+  routing/logs:
+    default_pipelines: [logs/out-default]
+    error_mode: ignore
+    table:
+      - context: log
+        statement: route() where IsMatch(attributes["rr-web.event"], ".*")
+        pipelines: [logs/out-rrweb]
+exporters:
+  debug:
+    verbosity: detailed
+    sampling_initial: 5
+    sampling_thereafter: 200
+  clickhouse/rrweb:
+    database: ${env:CLICKHOUSE_DATABASE}
+    endpoint: ${env:CLICKHOUSE_ENDPOINT}
+    password: ${env:CLICKHOUSE_PASSWORD}
+    username: ${env:CLICKHOUSE_USER}
+    ttl: 720h
+    logs_table_name: hyperdx_sessions
+    timeout: 5s
+    retry_on_failure:
+      enabled: true
+      initial_interval: 5s
+      max_interval: 30s
+      max_elapsed_time: 300s
+  clickhouse:
+    database: ${env:CLICKHOUSE_DATABASE}
+    endpoint: ${env:CLICKHOUSE_ENDPOINT}
+    password: ${env:CLICKHOUSE_PASSWORD}
+    username: ${env:CLICKHOUSE_USER}
+    ttl: 720h
+    timeout: 5s
+    retry_on_failure:
+      enabled: true
+      initial_interval: 5s
+      max_interval: 30s
+      max_elapsed_time: 300s
+extensions:
+  health_check:
+    endpoint: :13133
+service:
+  pipelines:
+    traces:
+      receivers: [otlp/hyperdx]
+      processors: [memory_limiter, batch]
+      exporters: [clickhouse]
+    metrics:
+      receivers: [otlp/hyperdx]
+      processors: [memory_limiter, batch]
+      exporters: [clickhouse]
+    logs/in:
+      receivers: [otlp/hyperdx]
+      exporters: [routing/logs]
+    logs/out-default:
+      receivers: [routing/logs]
+      processors: [memory_limiter, transform, batch]
+      exporters: [clickhouse]
+    logs/out-rrweb:
+      receivers: [routing/logs]
+      processors: [memory_limiter, batch]
+      exporters: [clickhouse/rrweb]
+
 ```
 </details>
 
 
@@ -0,0 +1,40 @@
+---
+slug: /use-cases/observability/clickstack/event_patterns
+title: 'Event Patterns with ClickStack'
+sidebar_label: 'Event Patterns'
+pagination_prev: null
+pagination_next: null
+description: 'Event Patterns with ClickStack'
+---
+
+import Image from '@theme/IdealImage';
+import event_patterns from '@site/static/images/use-cases/observability/event_patterns.png';
+import event_patterns_highlight from '@site/static/images/use-cases/observability/event_patterns_highlight.png';
+
+Event patterns in ClickStack allow you to quickly make sense of large volumes of logs or traces by automatically clustering similar messages together, so instead of digging through millions of individual events, you only need to review a small number of meaningful groups.
+
+<Image img={event_patterns} alt="Event patterns" size="lg"/>
+
+This makes it much easier to spot which errors or warnings are new, which are recurring, and which are driving sudden spikes in log volume. Because the patterns are generated dynamically, you don't need to define regular expressions or maintain parsing rules - ClickStack adapts to your events automatically, regardless of format.
+
+Beyond incident response, this high-level view also helps you identify noisy log sources that can be trimmed to reduce cost, discover the different types of logs a service produces, and more quickly answer whether the system is already emitting the signals you care about.
+
+
+## Accessing event patterns {#accessing-event-patterns}
+
+Event patterns are available directly through the **Search** panel in ClickStack.  
+
+From the top-left **Analysis Mode** selector, choose **Event Patterns** to switch from the standard results table to a clustered view of similar events.  
+
+<Image img={event_patterns_highlight} alt="Event patterns" size="lg"/>
+
+
+This provides an alternative to the default **Results Table** which allows users to scroll through every individual log or trace.
+
+## Recommendations {#recommendations}
+
+Event patterns are most effective when applied to **narrowed subsets** of your data. For example, filtering down to a single service before enabling event patterns will usually surface more relevant and interesting messages than applying patterns across thousands of services at once.  
+
+They are also particularly powerful for summarizing error messages, where repeated errors with varying IDs or payloads are grouped into concise clusters.  
+
+For a live example, see how event patterns are used in the [Remote Demo Dataset](/use-cases/observability/clickstack/getting-started/remote-demo-data#identify-error-patterns).