Design a Log-Processing System (Technical Screen)

Context

You are designing a real-time log-processing system from scratch. Logs are emitted by many services as structured events (e.g., JSON) with fields like timestamp, level, component, host, request_id, and message. The system must ingest high throughput, index/store logs for retrieval, and support analytical queries with low latency.

Assume:

• Real-time queries over the last 24 hours should return in under 1 second p95 for typical filters.
• Sustained ingest could reach 100k events/second (bursty), with occasional out-of-order and duplicate events.
• Message pattern filters can be substring or regex.

Requirements

Design a system that provides:

1. Filtering logs by fields (e.g., level, component, message pattern).
2. Returning the count of error logs over a time window.
3. Building an hourly histogram for a specified log predicate.

Specify:

• Ingestion API (schema, transport, idempotency, batching, auth).
• Storage/index choices (hot vs cold tiers, indexes, compression).
• Query interfaces (APIs, semantics, examples).
• Aggregation strategies (on-write rollups vs on-read, caching).
• Handling of late/out-of-order events and deduplication.
• Scalability/partitioning (topics, shards, sort/partition keys).
• Retention policies and tiering.
• Correctness/performance trade-offs.
• Complexity estimates for common queries.