Method and system for implementing efficient classification and exploration of data

US 10,127,301 B2
Filed: 09/24/2015
Issued: 11/13/2018
Est. Priority Date: 09/26/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a plurality of log records from a processing system, the plurality of log records comprising one or more first log records and one or more second log records;

comparing the one or more first log records to the one or more second log records to determine how similar the one or more first log records are to the one or more second log records, the one or more first log records compared to the one or more second log records by independently tokenizing the one or more first log records into a first plurality of tokens and the one or more second log records into a second plurality of tokens, where a similarity value is generated that corresponds to a degree of overlap, in terms of both token content and position, between the first plurality of tokens and the second plurality of tokens;

classifying the one or more first log records and the one or more second log records into a group based at least in part on the similarity value;

storing, for the group, a signature comprising one or more overlapping portions that are shared by both the one or more first log records and the one or more second log records, and one or more variable portions that differ between the one or more first log records and the one or more second log records;

detecting a problem on the processing system based at least in part on how the one or more first log records and the one or more second log records were classified; and

performing at least one operation responsive to detecting the problem on the processing system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system, method, and computer program product for analyzing sets of data in an efficient manner, such that analytics can be effectively performed over that data. Classification operations can be performed to generate groups of similar log records. This permits classification of the log records in a cohesive and informative manner.

12 Citations

View as Search Results

33 Claims

1. A method comprising:
- receiving a plurality of log records from a processing system, the plurality of log records comprising one or more first log records and one or more second log records;
  
  comparing the one or more first log records to the one or more second log records to determine how similar the one or more first log records are to the one or more second log records, the one or more first log records compared to the one or more second log records by independently tokenizing the one or more first log records into a first plurality of tokens and the one or more second log records into a second plurality of tokens, where a similarity value is generated that corresponds to a degree of overlap, in terms of both token content and position, between the first plurality of tokens and the second plurality of tokens;
  
  classifying the one or more first log records and the one or more second log records into a group based at least in part on the similarity value;
  
  storing, for the group, a signature comprising one or more overlapping portions that are shared by both the one or more first log records and the one or more second log records, and one or more variable portions that differ between the one or more first log records and the one or more second log records;
  
  detecting a problem on the processing system based at least in part on how the one or more first log records and the one or more second log records were classified; and
  
  performing at least one operation responsive to detecting the problem on the processing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - storing a group identifier for the group;
      
      storing a sample log record for the group; and
      
      storing at least one of a count of the log records associated with the group, a group signature for the group, or member information for the group.
  - 3. The method of claim 1, wherein the similarity value is calculated as a function of a hamming distance.
  - 4. The method of claim 1, further comprising:
    - counting numbers of tokens in the one or more first log records and the one or more second log records; and
      
      identifying subsets using the numbers of tokens that have been counted for the one or more first log records and the one or more second log records, wherein the one or more first log records are compared to the one or more second log records within a given subset.
  - 5. The method of claim 1, wherein the one or more first log records and the one or more second log records are processed as a batched group of records.
  - 6. The method of claim 1, wherein the plurality of log records from the processing system are processed online, the method further comprising:
    - receiving an individual log record;
      
      comparing the individual log record to a sample log record from the group to determine a degree of overlap between the individual log record and the sample log record from the group;
      
      classifying the individual log record into a new group if the degree of overlap is less than a threshold level; and
      
      classifying the individual log record into the group if the degree of overlap is greater than the threshold level.
  - 7. The method of claim 1, further comprising combining multiple groups of log records together, wherein variable parts of signatures associated with the multiple groups of log records are collapsed to identify equivalent group signatures.
  - 8. The method of claim 1, wherein multiple processing entities operate in parallel on the one or more first log records and the one or more second log records.
  - 9. The method of claim 8, wherein the multiple processing entities perform at least one of tokenizing the one or more first and second records in parallel, classifying the one or more first and second records in parallel, or merging multiple groups together in parallel.
  - 10. The method of claim 1, further comprising identification of sequences of groups within the plurality of log records from the processing system.
  - 11. The method of claim 1, wherein the at least one operation comprises at least one of notifying an administrator of an anomaly, providing a suggestion on how to address the problem, or providing a forecast of future usage associated with the problem.

12. A non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a method comprising:
- receiving a plurality of log records from a processing system, the plurality of log records comprising one or more first log records and one or more second log records;
  
  comparing the one or more first log records to the one or more second log records to determine how similar the one or more first log records are to the one or more second log records, the one or more first log records compared to the one or more second log records by independently tokenizing the one or more first log records into a first plurality of tokens and the one or more second log records into a second plurality of tokens, where a similarity value is generated that corresponds to a degree of overlap, in terms of both token content and position, between the first plurality of tokens and the second plurality of tokens;
  
  classifying the one or more first log records and the one or more second log records into a group based at least in part on the similarity value;
  
  storing, for the group, a signature comprising one or more overlapping portions that are shared by both the one or more first log records and the one or more second log records, and one or more variable portions that differ between the one or more first log records and the one or more second log records;
  
  detecting a problem on the processing system based at least in part on how the one or more first log records and the one or more second log records were classified; and
  
  performing at least one operation responsive to detecting the problem on the processing system.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The non-transitory computer readable medium of claim 12, wherein the method further comprises:
    - storing a group identifier for the group;
      
      storing a sample log record for the group; and
      
      storing at least one of a count of the log records associated with the group, a group signature for the group, or member information for the group.
  - 14. The non-transitory computer readable medium of claim 12, wherein the similarity value is calculated as a function of a hamming distance.
  - 15. The non-transitory computer readable medium of claim 12, wherein the method further comprises:
    - counting numbers of tokens in the one or more first log records and the one or more second log records; and
      
      identifying subsets using the numbers of tokens that have been counted for the one or more first log records and the one or more second log records, wherein the one or more first log records are compared to the one or more second log records within a given subset.
  - 16. The non-transitory computer readable medium of claim 12, wherein the one or more first log records and the one or more second log records are processed as a batched group of records.
  - 17. The non-transitory computer readable medium of claim 12, wherein the plurality of log records from the processing system are processed online, the method further comprising:
    - receiving an individual log record;
      
      comparing the individual log record to a sample log record from the group to determine a degree of overlap between the individual log record and the sample log record from the group;
      
      classifying the individual log record into a new group if the degree of overlap is less than a threshold level; and
      
      classifying the individual log record into the group if the degree of overlap is greater than the threshold level.
  - 18. The non-transitory computer readable medium of claim 12, wherein the method further comprises combining multiple groups of log records together, wherein variable parts of signatures associated with the multiple groups of log records are collapsed to identify equivalent group signatures.
  - 19. The non-transitory computer readable medium of claim 12, wherein multiple processing entities operate in parallel on the one or more first log records and the one or more second log records.
  - 20. The non-transitory computer readable medium of claim 19, wherein the multiple processing entities perform at least one of tokenizing the one or more first and second records in parallel, classifying the one or more first and second records in parallel, or merging multiple groups together in parallel.
  - 21. The non-transitory computer readable medium of claim 12, wherein the method further comprises identification of sequences of groups within the plurality of log records from the processing system.
  - 22. The non-transitory computer readable medium of claim 12, wherein the at least one operation comprises at least one of notifying an administrator of an anomaly, providing a suggestion on how to address the problem, or providing a forecast of future usage associated with the problem.

23. A system, comprising:
- a processor;
  
  a memory having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute operations comprising;
  
  receiving a plurality of log records from a processing system, the plurality of log records comprising one or more first log records and one or more second log records;
  
  comparing the one or more first log records to the one or more second log records to determine how similar the one or more first log records are to the one or more second log records, the one or more first log records compared to the one or more second log records by independently tokenizing the one or more first log records into a first plurality of tokens and the one or more second log records into a second plurality of tokens, where a similarity value is generated that corresponds to a degree of overlap, in terms of both token content and position, between the first plurality of tokens and the second plurality of tokens;
  
  classifying the one or more first log records and the one or more second log records into a group based at least in part on the similarity value;
  
  storing, for the group, a signature comprising one or more overlapping portions that are shared by both the one or more first log records and the one or more second log records, and one or more variable portions that differ between the one or more first log records and the one or more second log records;
  
  detecting a problem on the processing system based at least in part on how the one or more first log records and the one or more second log records were classified; and
  
  performing at least one operation responsive to detecting the problem on the processing system.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The system of claim 23, the sequence of instructions further implementing operations to:
    - store a group identifier for the group;
      
      store a sample log record for the group; and
      
      store at least one of a count of the log records associated with the group, a group signature for the group, or member information for the group.
  - 25. The system of claim 23, wherein the similarity value is calculated as a function of a hamming distance.
  - 26. The system of claim 23, the sequence of instructions further implementing operations to:
    - count numbers of tokens in the one or more first log records and the one or more second log records; and
      
      identify subsets using the numbers of tokens that have been counted for the one or more first log records and the one or more second log records, wherein the one or more first log records are compared to the one or more second log records within a given subset.
  - 27. The system of claim 23, wherein the one or more first log records and the one or more second log records are processed as a batched group of records.
  - 28. The system of claim 23, wherein the plurality of log records from the processing system are processed online, the sequence of instructions further implementing operations to:
    - receive an individual log record;
      
      compare the individual log record to a sample log record from the group to determine a degree of overlap between the individual log record and the sample log record from the group;
      
      classify the individual log record into a new group if the degree of overlap is less than a threshold level; and
      
      classify the individual log record into the group if the degree of overlap is greater than the threshold level.
  - 29. The system of claim 23, the sequence of instructions further implementing operations to combine multiple groups of log records together, wherein variable parts of signatures associated with the multiple groups of log records are collapsed to identify equivalent group signatures.
  - 30. The system of claim 23, wherein multiple processing entities operate in parallel on the one or more first log records and the one or more second log records.
  - 31. The system of claim 30, wherein the multiple processing entities perform at least one of tokenizing the one or more first and second records in parallel, classifying the one or more first and second records in parallel, or merging multiple groups together in parallel.
  - 32. The system of claim 23, the sequence of instructions further implementing operations to identify of sequences of groups within the plurality of log records from the processing system.
  - 33. The system of claim 23, wherein the at least one operation comprises at least one of notifying an administrator of an anomaly, providing a suggestion on how to address the problem, or providing a forecast of future usage associated with the problem.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Morfonios, Konstantinos, Beg, Mirza Mohsin, Yoon, Jae Young
Primary Examiner(s)
Chau, Dung K

Application Number

US14/863,994
Publication Number

US 20160092552A1
Time in Patent Office

1,146 Days
Field of Search

707737, 707749, 707999006
US Class Current
CPC Class Codes

G06F 11/008   Reliability or availability...

G06F 11/0754   by exceeding limits

G06F 11/0766   Error or fault reporting or...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/14   Error detection or correcti...

G06F 11/3072   where the reporting involve...

G06F 16/13   File access structures, e.g...

G06F 16/1734   Details of monitoring file ...

G06F 16/23   Updating

G06F 16/285   Clustering or classification

G06F 16/355   Class or cluster creation o...

Method and system for implementing efficient classification and exploration of data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for implementing efficient classification and exploration of data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links