Flink Windows Boundaries, Watermark, Event Timestamp & Processing Time - apache-flink

Problem Definition & Establishing Concepts
Let’s say we have a TumblingEventTimeWindow with size 5 minutes. And we have events containing 2 basic pieces of information:
number
event timestamp
In this example, we kick off our Flink topology at 12:00 PM worker machines’ wall clock time (of course workers can have out of sync clocks but that’s out of the scope of this question). This topology contains one processing operator whose responsibility is to sum up the values of events belonging to each window and a KAFKA Sink which is irrelevant with regard to this question.
This window has a BoundedOutOfOrdernessTimestampExtractor with allowed latency of one minute.
Watermark: To my understanding, watermark in Flink and Spark Structured Stream is defined as (max-event-timestamp-seen-so-far - allowed-lateness). Any event whose event timestamp is less than or equal to this watermark will be discarded and ignored in result computations.
Part 1 (Determining Boundaries Of The Window)
Happy (Real-Time) Path
In this scenario several events arrive at the Flink Operator with different event timestamps spanning 12:01 - 12:09. Also, the event timestamps are relatively aligned with our processing time (shown in the X axis below). Since we're dealing with EVENT_TIME characteristic, whether or not an even belongs to a particular event should be determined via its event timestamp.
Old Data Rushing In
In that flow I have assumed the boundaries of the two tumbling windows are 12:00 -- 12:05 and 12:05 -- 12:10 just because we have kicked off the execution of the topology at 12:00. If that assumption is correct (I hope not), then what happens in case of a back-filling situation in which several old events coming in with much older event timestamps and we have kicked off the topology at 12:00 again? (old enough that our lateness allowance does not cover them). Something like the following:
If it goes like that, then our events won't be captured in any window of course, so again, I'm hoping that's not the behavior :)
The other option would be to determine windows' boundaries via the event timestamp of the arriving events. If that's the case, how would that work? The smallest event timestamp noticed becomes the beginning of the first window and from there based on the size (in this case 5 minutes), the consequent boundaries are determined? Cause that approach will have flaws and loopholes too. Can you please explain how does this work and how the boundaries of windows are determined?
Backfilling Events Rushing In
The answer to the previous question will address this as well, but I think it would be helpful to explicitly mention it here. Let's say I have this TumblingEventTimeWindow of size 5 minutes. Then at 12:00 I kick off a backfilling job which rushes in many events to the Flink operator whose timestamps cover the range 10:02 - 10:59; but since this is a backfilling job, the whole execution takes about 3 minutes to finish.
Will the job allocate 12 separate windows and populate them correctly based on the events' event timestamps? What would be the boundaries of those 12 windows? And will I end up with 12 output events each of which having the summed up value of each allocated window?
Part 2 (Unit/Integration Testing Of Such Stateful Operators)
I also have some concerns regarding automated testing of such logic and operators. Best way to manipulate processing time, trigger certain behaviors in such a way that shape desired windows' boundaries for testing purposes. Specially since the stuff that I've read so far on leveraging Test Harnesses seem a bit confusing and can cause some cluttered code potentially which is not that easy to read:
Unit Test Stateful Operators
Lateness Testing of Window in Flink
References
Most of what I've learned in this area and the source of some of my confusion can be found in the following places:
Timestmap Extractors & Watermark Emitters
Event Time Processing & Watermarking
Handling Late Data & Watermarking in Spark
The images in that section of Spark doc were super helpful and educative. But at the same time the way windows' boundaries are aligned with those processing times and not event timestamps, caused some confusion for me.
Also, in that visualization, it seems like the watermark is computed once every 5 minutes since that's the sliding specification of the window. Is that the determining factor for how often the watermark should be computed? How does this work in Flink with regard to different windows (e.g. Tumbling, Sliding, Session and more)?!
HUGE thanks in advance for your help and if you know about any better references with regard to these concepts and their internals working, please let me know.
UPDATES AFTER #snntrable Answer Below
If you run a Job with event time semantics, the processing time at the window operators is completely irrelevant
That is correct and I understand that part. Once you're dealing with EVENT_TIME characteristics, you're pretty much divorced from processing time in your semantics/logic. The reason I brought up the processing time was my confusion with regard to the following key question which still is a mystery to me:
How does the windows' boundaries are computed?!
Also, thanks a lot for clarifying the distinction between out-of-orderness and lateness. The code I was dealing with totally threw me off by having a misnomer (the constructor argument to a class inheriting from BoundedOutOfOrdernessTimestampExtractor was named maxLatency) :/
With that in mind, let me see if I can get this correct with regard to how watermark is computed and when an event will be discarded (or side-outputted):
Out of Orderness Assigner
current-watermark = max-event-time-seen-so-far - max-out-of-orderness-allowed
Allowed Lateness
current-watermark = max-event-time-seen-so-far - allowed-lateness
Regular Flow
current-watermark = max-event-time-seen-so-far
And in any of these cases, whatever event whose event timestamp is less than or equal to the current-watermark, will be discarded (side-outputted), correct?!
And this brings up a new question. When would you wanna use out of orderness as opposed to lateness? Since the current watermark computation (mathematically) can be identical in these cases. And what happens when you use both (does that even make sense)?!
Back To Windows' Boundaries
This is still the main mystery to me. Given all the discussion above, let'e revisit the concrete example I provided and see how the windows' boundaries are determined here. Let's say we have the following scenario (events are in the shape of (value, timestamp)):
Operator kicked off at 12:00 PM (that's the processing time)
Events arriving at the operator in the following order
(1, 8:29)
(5, 8:26)
(3, 9:48)
(7, 9:46)
We have a TumblingEventTimeWindow with size 5 minutes
The window is applied to a DataStream with BoundedOutOfOrdernessTimestampExtractor which has 2 minute maxOutOfOrderness
Also, the window is configured with allowedLateness of 1 minute
NOTE: If you cannot have both out of orderness and lateness or does not make sense, please only consider the out of orderness in the example above.
Finally, can you please layout the windows which will have some events allocated to them and, please specify the boundaries of those windows (beginning and end timestamps of the window). I'm assuming the boundaries are determined by events' timestamps as well but it's a bit tricky to figure them out in concrete examples like this one.
Again, HUGE thanks in advance and truly appreciate your help :)

Original Answer
Watermark: To my understanding, watermark in Flink and Spark Structured Stream is defined as (max-event-timestamp-seen-so-far - allowed-lateness). Any event whose event timestamp is less than or equal to this watermark will be discarded and ignored in result computations.
This is not correct and might be the source of the confusion. Out-of-Orderness and Lateness are different concepts in Flink. With the BoundedOutOfOrdernessTimestampExtractor the watermark is max-event-timestamp-seen-so-far - max-out-of-orderness. More about Allowed Lateness in the Flink Documentation [1].
If you run a Job with event time semantics, the processing time at the window operators is completely irrelevant:
events will be assigned to their windows based on their event time timestamp
time windows will be triggered once the watermarks reaches their maximum timestamp (window end time -1).
events with a timestamp older than current watermark - allowed lateness are discarded or sent to the late data side output [1]
This means, if you start a job at 12:00pm (processing time) and start ingesting data from the past, the watermark will also be (even further) in the past. So, the configured allowedLateness is irrelevant, because the data is not late with respect to even time.
On the other hand, if you first ingest some data from 12:00pm and afterwards data from 10:00pm, the watermark will have already advanced to ~12:00pm before you ingest the old data. In this case the data from 10:00pm will be "late". If it is later than the configured allowedLateness (default=0) it is discarded (default) or sent to a side output (if configured) [1].
Follow Up Answers
The timeline for an event time window is the following:
first element with timestamp within the a window arrives -> state for this window (& key) is created
watermark >= window_endtime - 1 arrives -> window is fired (results are emitted), but state is not discarded
watermark >= window_endtime + allowed_latenes arrives -> state is discarded
Between 2. and 3. events for this window are late, but within the allowed lateness. The events are added to the existing state and - per default - the window is fired on each record emitting a refined result.
After 3. events for this window will be discarded (or sent to the late output sink).
So, yes, it makes sense to configure both. The out of orderness determines, when the window is fired for the first time, while the allowed lateness determines how long the state is kept around to potentially update the results.
Regarding the boundaries: tumbling event time windows have a fixed length, are aligned across keys and start at the unix epoch. Empty windows, don't exist. For your example this means:
(1, 8:29) is added to window (8:25 - 8:29:59:999)
(5, 8:26) is added to window (8:25 - 8:29:59:999)
(3, 9:48) is added to window (9:45 - 9:49:59:999)
(8:25 - 8:29:59:999) is fired because the watermark has advanced to 9:48-0:02=9:46, which is larger than the last timestamp of the window. The window state is also discarded, because the watermark has advanced to 9:46, which is also larger than the end time of the window + the allowed lateness (1 minute)
(7, 9:46) is added to window is added to window (9:45 - 9:49:59:999)
Hope this helps.
Konstantin
[1] https://ci.apache.org/projects/flink/flink-docs-release-1.8/dev/stream/operators/windows.html#allowed-lateness

Related

When does a Flink window get emitted?

"For example, with an event-time-based windowing strategy that creates non-overlapping (or tumbling) windows every 5 minutes and has an allowed lateness of 1 min, Flink will create a new window for the interval between 12:00 and 12:05 when the first element with a timestamp that falls into this interval arrives, and it will remove it when the watermark passes the 12:06 timestamp."
When the watermark passes the 12:06 timestamp -- is that when the window function processes the watermark itself, i.e. when the source watermark passes through the window operator, or when the window operator processes the next record after the watermark?
The time flow in case of event time processing in Flink is always based on Watermarks not the events themselves.
This means that if You have some window with let's say 10 elements, if You have a watermarking strategy that periodically generates increasing watermarks (say You increase them by few seconds every time), the window will still get closed and emitted at some point even if You never receive any other events.

How can I get the moving sum of streaming events?

I have a source that emits integer events.
For each new integer, I would like to sum it with all the integers that got streamed in the previous hour and emit that value to the next step.
What is the idiomatic way of calculating and then emitting the sum of the current event's integer combined with integers from all the events in the preceding hour? I can think of two options, but feel I am missing something:
Use a sliding window of size one hour that slides by one millisecond. This would ensure there is always a window that spans from the latest event back one hour exactly.
Create my own process function that keeps track of the previous integers that are less than or equal to one hour old. Use this state to do my calculations.
You can do that with Flink SQL using an over window. Something like this:
SELECT
SUM(*) OVER last_hour AS rolling_sum
FROM Events
WINDOW last_hour AS (
ORDER BY eventTime
RANGE BETWEEN INTERVAL '1' HOUR PRECEDING AND CURRENT ROW
)
See OVER Aggregation from the Flink SQL docs for more info. You could also use the Table API, see Over Windows.

Does Flink's windowing operation process elements at the end of window or does it do a rolling processing?

I am having some trouble understanding the way windowing is implemented internally in Flink and could not find any article which explain this in depth. In my mind, there are two ways this can be done. Consider a simple window wordcount code as below
env.socketTextStream("localhost", 9999)
.flatMap(new Splitter())
.groupBy(0)
.window(Time.of(500, TimeUnit.SECONDS)).sum(1)
Method 1: Store all events for 500 seconds and at the end of the window, process all of them by applying the sum operation on the stored events.
Method 2: We use a counter to store a rolling sum for every window. As each event in a window comes, we do not store the individual events but keep adding 1 to previously stored counter and output the result at the end of the window.
Could someone kindly help to understand which of the above methods (or maybe a different approach) is used by Flink in reality. The reason is, there are pros and cons to both approach and is important to understand in order configure the resources for the cluster correctly.
eg: The Method 1 seems very close to batch processing and might potentially have issues related to spike in processing at every 500 sec interval while sitting idle otherwise etc while Method2 would need to maintain a common counter between all task managers.
sum is a reducing function as mentioned here(https://nightlies.apache.org/flink/flink-docs-master/docs/dev/datastream/operators/windows/#reducefunction). Internally, Flink will apply reduce function to each input element, and simply save the reduced result in ReduceState.
For other windows functions, like windows.apply(WindowFunction). There is no aggregation so all input elements will be saved in the ListState.
This document(https://nightlies.apache.org/flink/flink-docs-master/docs/dev/datastream/operators/windows/#window-functions) about windows stream mentions about how the internal elements are handled in Flink.

numLateRecordsDropped: What does it mean for operators

There are multiple tasks here. One of the tasks is BookingInfoWithFraudAndDefaultAndMainSP -> TSAndWMBookingWithSPObjects. Lets call it task-1. At task-1, I assign a timestamp and generate watermark, I am using BoundedOutOfOrdernessTimestampExtractor with maxOutOfOrderness equal to 2min.
The next operator is where I window the data and do some aggregations on top it which are then sinked to Kafka. Lets call this chained task of Aggregating and Sinking, Task-2.
numLateRecordsDropped: Looking at this metric which tells the The number of records this operator/task has dropped due to arriving late.
Question: When I window elements, i have assigned 0 allowed Lateness. So it could have dropped some elements. But when I look at the metrics, since window is not an operator, there is no metric which can tell how many elements are being dropped by windows.
When I look at task-2 metrics, it shows a count for numLateRecordsDropped. What does it mean. How can Window aggregation task drop records. Or since it is aggregating windows, the count basically is the number of records dropped by windows.
The Window operator is the only place where Flink uses numLateRecordsDropped (and furthermore, the window aggregation function runs in the window operator), so yes, the count is the number of records dropped by the window.

What‘s the practical use of DataStream#assignAscendingTimestamps

The javadoc for the DataStream#assignAscendingTimestamps
* Assigns timestamps to the elements in the data stream and periodically creates
* watermarks to signal event time progress.
*
* This method is a shortcut for data streams where the element timestamp are known
* to be monotonously ascending within each parallel stream.
* In that case, the system can generate watermarks automatically and perfectly
* by tracking the ascending timestamps.
This method assumes that the the element timestamp are known to be monotonously ascending within each parallel stream. But in practice, almost no stream can give such guarantee that event timestamps are in ascending order.
I would like to conclude that this method should never be used,but I would ask if I have missed something(eg, when to use it)
generally I agree, it can be rarely used in practice. An exception is the following: If Kafka is used as a source with LogAppendTime, timestamp are in order per-partition. You can then use per-partition watermarking in Flink [1] with the AscendingTimestampExtractor and will have pretty optimal watermarking.
Cheers,
Konstantin
[1] https://ci.apache.org/projects/flink/flink-docs-release-1.8/dev/connectors/kafka.html#kafka-consumers-and-timestamp-extractionwatermark-emission
After reading the source code DataStream#assignAscendingTimestamps, it is using AscendingTimestampExtractor to extract the timestamp.
AscendingTimestampExtractor will keep the largest event timestamp seen so far. If the event time is out of order, it will print a log to warn that monotonously ascending timestamps is violated.
So, I think this class may be handy in practice for the case that doesn't allow laziness(the watermark may keep growing).

Resources