SYSTEM EVENT LOGS

US 20110185234A1
Filed: 01/28/2010
Published: 07/28/2011
Est. Priority Date: 01/28/2010
Status: Active Grant

First Claim

Patent Images

1. An automated method, comprising:

receiving event messages associated with one or more computer system event logs, each event message including event text;

determining a set of message clusters, each cluster in the set identifying a template text that represents one or more event messages across the one or more event logs; and

assigning each received event message to a message cluster of the set, according to a measure of similarity between the respective event text of the event message and the template text of the message cluster.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated method of processing computer system event logs comprises receiving event messages associated with one or more system event logs, each event message including event text, determining a set of message clusters, each comprising a template text, representative of the event messages across the one or more event logs, and assigning each event message to a message cluster of the set, according to a measure of similarity between the respective event text of the event message and the template text of the message cluster.

128 Citations

18 Claims

1. An automated method, comprising:
- receiving event messages associated with one or more computer system event logs, each event message including event text;
  
  determining a set of message clusters, each cluster in the set identifying a template text that represents one or more event messages across the one or more event logs; and
  
  assigning each received event message to a message cluster of the set, according to a measure of similarity between the respective event text of the event message and the template text of the message cluster.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The automated system of claim 1, comprising receiving computer system behaviour information over one or more periods of time, and determining which message clusters coincide with particular kinds of system behaviour.
  - 3. The automated system of claim 2, comprising using the determination of which message clusters coincide with particular kinds of system behaviour to diagnose current, or identify potential future, performance problems in the computer system.
  - 4. The automated method of claim 1, wherein determining the set of message clusters includes comparing the event text of each received event message with the template text of the message clusters according to a pre-determined cluster sequence.
  - 5. The automated method of claim 4, wherein the pre-determined cluster sequence is determined to be an order in which the message clusters are generated.
  - 6. The automated method of claim 5, including assigning an event message to a message cluster according to a first comparison in the sequence that produces a measure of similarity that exceeds a pre-determined similarity threshold, or, if there is no comparison that exceeds the pre-determined threshold, creating at the end of the sequence a new message cluster comprising a template text using the event text.
  - 7. The automated method of claim 4, wherein the comparing applies a word order sensitive cosine similarly measure.
  - 8. The automated method of claim 1, including periodically splitting message clusters on the basis of pre-determined splitting criteria.
  - 9. The automated method of claim 8, wherein the pre-determined splitting criteria includes there being greater than a minimum number of event messages assigned to a message cluster and there being a non-zero word position entropy, of a variable event text word position across all event messages assigned to the message cluster, below a pre-determined entropy threshold.
  - 10. The automated method of claim 9, wherein a message cluster that is split becomes a root cluster and a cluster that is split therefrom becomes a branch cluster of the root cluster, and at least a first branch cluster is generated having a template text including, in a respective variable event text word position thereof, the variable word value that is responsible for the word position entropy being below the pre-determined entropy threshold.
  - 11. The automated method of claim 1, further comprising determining a plurality of atoms, each comprising one or more message clusters which relate to the same system process or failure.
  - 12. The automated method of claim 11, comprising identifying message clusters that tend to occur together within pre-determined time windows.
  - 13. The automated method of claim 12, comprising identifying as an atom a pattern of clusters that tends to occur repeatedly across each of a plurality of time windows.
  - 14. The automated method of claim 13, comprising minimising a cost function using an iterative process to identify atoms.
  - 15. The automated method of claim 11, comprising receiving computer system behaviour information over one or more periods of time, and determining which atoms coincide with particular kinds of system behaviour.
  - 16. The automated system of claim 15, comprising using the determination of which atoms coincide with particular kinds of system behaviour to diagnose current, or identify potential future, performance problems in the computer system.

17. A computer implemented method of diagnosing a computer system problem, comprising:
- receiving computer system behaviour information over one or more periods of time, the system behaviour information indicating a system problem;
  
  receiving event messages associated with one or more system event logs over the same period(s) of time, each event message including event text;
  
  determining a set of message clusters, each comprising a template text, representative of the event messages across the one or more event logs;
  
  assigning each event message to a message cluster of the set, according to a measure of similarity between the respective event text of the event message and the template text of the message cluster;
  
  determining which event clusters coincide with the system problem; and
  
  using the determination of which message clusters coincide with the system problem to diagnose a source of the system problem.

18. A program product containing instructions that, when executed on a computer, perform a method of diagnosing a computer system problem, comprising:
- receiving computer system behaviour information over one or more periods of time, the system behaviour information indicating a system problem;
  
  receiving event messages associated with one or more system event logs over the same period(s) of time, each event message including event text;
  
  determining a set of message clusters, each comprising a template text, representative of the event messages across the one or more event logs;
  
  assigning each event message to a message cluster of the set, according to a measure of similarity between the respective event text of the event message and the template text of the message cluster;
  
  determining which event clusters coincide with the system problem; and
  
  using the determination of which message clusters coincide with the system problem to diagnose a source of the system problem.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Barash, Gilad, Mordechai, Eli, Cohen, Ira, Aharon, Michal

Granted Patent

US 8,209,567 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/37
CPC Class Codes

G06F 11/3452   Performance evaluation by s...

G06F 11/3476   Data logging G06F11/14, G06...

G06F 16/285   Clustering or classification

G06F 2201/81   Threshold

G06F 2201/86   Event-based monitoring

SYSTEM EVENT LOGS

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM EVENT LOGS

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links