METHOD AND SYSTEM FOR CLUSTERING AND PRIORITIZING EVENT MESSAGES

US 20150370799A1
Filed: 06/30/2014
Published: 12/24/2015
Est. Priority Date: 06/24/2014
Status: Abandoned Application

First Claim

Patent Images

1. An event-message clustering system comprising:

one or more processors;

one or more memories; and

computer instructions, stored in one or more of the one or more memories that, when executed by one or more of the one or more processors, control the event-message clustering system toreceive event messages, andprocess each of the received event messages bydetermining a cluster to which to assign the event message,extracting data values from the event message,computing a significance value for the event message,generating an event record corresponding to the event message that includes the extracted data values, andstoring the event record within, or associated with, the selected cluster in a physical data-storage device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The current document is directed to methods and systems for processing, classifying, and efficiently storing large volumes of event messages generated in modern computing systems. In a disclosed implementation, received event messages are assigned to clusters based on metrics computed for the event messages. In addition, a significance value is determined for each received event message. When the significance value exceeds a threshold value, one or more actions are taken, including marking an event record corresponding to the event message, storing an event record corresponding to the event message in a significant-event log, and generating a notice or alarm.

31 Citations

View as Search Results

23 Claims

1. An event-message clustering system comprising:
- one or more processors;
  
  one or more memories; and
  
  computer instructions, stored in one or more of the one or more memories that, when executed by one or more of the one or more processors, control the event-message clustering system toreceive event messages, andprocess each of the received event messages bydetermining a cluster to which to assign the event message,extracting data values from the event message,computing a significance value for the event message,generating an event record corresponding to the event message that includes the extracted data values, andstoring the event record within, or associated with, the selected cluster in a physical data-storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The event-message clustering system of claim 1 wherein the significance value computed for an event message is a numeric value that reflects one or more of:
    - a dissimilarity of the event-message type that includes the received event message to other event-message types;
      
      a frequency that event messages of the event-message type that includes the received event message are received; and
      
      a temporal proximity of event messages of the event-message type that includes the received event message to critical events.
  - 3. The event-message clustering system of claim 2 wherein the dissimilarity of the event-message type that includes the received event message to other event-message types is computed from one or more of:
    - a distance separating a point in feature-vector space corresponding to the type of the received event message from another point in feature-vector space;
      
      a ratio of densities of points in feature-vector space;
      
      a difference between a pair-wise similarity computed for a group of event messages that includes the received event message and a pair-wise similarity computed for the group without the received event message; and
      
      a difference between a pair-wise similarity computed for a group of event-message types that include the type of the received event message and a pair-wise similarity computed for the group without the type of the received event message.
  - 4. The event-message clustering system of claim 3 wherein, in computing the distance separating the point in feature-vector space corresponding to the type of the received event message from another point in feature-vector space, the other point in feature-vector space corresponds to one of;
    - a centroid of a cluster of event-message types;
      
      a feature vector associated with a cluster; and
      
      a k^th-nearest-neighbor event message.
  - 5. The event-message clustering system of claim 3 wherein the ratio of densities of points in feature-vector space is the ratio of an average density of points in feature-vector space to a density of points in feature-vector-space neighborhood of the point in feature-vector space corresponding to the type of the received event message.
  - 6. The event-message clustering system of claim 2 wherein the frequency that event messages of the event-message type that includes the received event message are received is computed by:
    - accessing a number of event records within the stored event records, each stored event record including a time indication; and
      
      determining, from the accessed number of event records, an average number of event messages of the event-message type that includes the received event message that are received for each interval of time.
  - 7. The event-message clustering system of claim 2 wherein the temporal proximity of event messages of the event-message type that includes the received event message to critical events is computed by:
    - accessing a number of event records within the stored event records, each stored event record including a time indication, within temporal neighborhoods about time points of critical system events; and
      
      determining, from the accessed number of event records, an average number of event messages of the event-message type that includes the received event message that are received within the temporal neighborhoods.
  - 8. The event-message clustering system of claim 7 further including one or more of:
    - determining, from the accessed number of event records, an average highest number of event messages of the event-message type that includes the received event message that are received that occur within the temporal neighborhoods.
  - 9. The event-message clustering system of claim 1 wherein, following computation of a significance value for the event message, the event-message clustering system:
    - compares the computed significance value to a threshold value; and
      
      when the computed significance value is greater than the threshold value,generates an event record corresponding to the event message,places an indication in the event record to indicate that the event record corresponds to a significant event, andstores the event record within, or associated with, the selected cluster in a physical data-storage device.
  - 10. The event-message clustering system of claim 1 wherein, following computation of a significance value for the event message, the event-message clustering system:
    - compares the computed significance value to a threshold value; and
      
      when the computed significance value is greater than the threshold value,generates an event record corresponding to the event message, andstores the event record within an event log for significant event messages.
  - 11. The event-message clustering system of claim 1 wherein, following computation of a significance value for the event message, the event-message clustering system:
    - compares the computed significance value to a threshold value; and
      
      when the computed significance value is greater than the threshold value,generates one or more of a notice and alarm, andtransmits the generated notice or alarm to one or more of an automated system-administration subsystem and human system administrator.

12. A method that processes event messages, carried out within an event-message clustering system, the event-message clustering system having one or more processors, one or more memories, and computer instructions, stored in one or more of the one or more memories that, when executed by one or more of the one or more processors, control the event-message clustering system to receive event messages and process each of the received event messages, the method comprising:
- receiving event messages, andprocessing each of the received event messages bydetermining a cluster to which to assign the event message,extracting data values from the event message,computing a significance value for the event message,generating an event record corresponding to the event message that includes the extracted data values, andstoring the event record within, or associated with, the selected cluster in a physical data-storage device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12 wherein the significance value computed for an event message is a numeric value that reflects one or more of:
    - a dissimilarity of the event-message type that includes the received event message to other event-message types;
      
      a frequency that event messages of the event-message type that includes the received event message are received; and
      
      a temporal proximity of event messages of the event-message type that includes the received event message to critical events.
  - 14. The method of claim 13 wherein the dissimilarity of the event-message type that includes the received event message to other event-message types is computed from one or more of:
    - a distance separating a point in feature-vector space corresponding to the type of the received event message from another point in feature-vector space;
      
      a ratio of densities of points in feature-vector space;
      
      a difference between a pair-wise similarity computed for a group of event messages that includes the received event message and a pair-wise similarity computed for the group without the received event message; and
      
      a difference between a pair-wise similarity computed for a group of event-message types that include the type of the received event message and a pair-wise similarity computed for the group without the type of the received event message.
  - 15. The method of claim 14 wherein, in computing the distance separating the point in feature-vector space corresponding to the type of the received event message from another point in feature-vector space, the other point in feature-vector space corresponds to one of:
    - a centroid of a cluster of event-message types;
      
      a feature vector associated with a cluster; and
      
      a k^th-nearest-neighbor event message.
  - 16. The method of claim 14 wherein the ratio of densities of points in feature-vector space is the ratio of an average density of points in feature-vector space to a density of points in feature-vector-space neighborhood of the point in feature-vector space corresponding to the type of the received event message.
  - 17. The method of claim 13 wherein the frequency that event messages of the event-message type that includes the received event message are received is computed by:
    - accessing a number of event records within the stored event records, each stored event record including a time indication; and
      
      determining, from the accessed number of event records, an average number of event messages of the event-message type that includes the received event message that are received for each interval of time.
  - 18. The method of claim 13 wherein the temporal proximity of event messages of the event-message type that includes the received event message to critical events is computed by:
    - accessing a number of event records within the stored event records, each stored event record including a time indication, within temporal neighborhoods about time points of critical system events; and
      
      determining, from the accessed number of event records, an average number of event messages of the event-message type that includes the received event message that are received within the temporal neighborhoods.
  - 19. The method of claim 18 further including one or more of:
    - determining, from the accessed number of event records, an average highest number of event messages of the event-message type that includes the received event message that are received that occur within the temporal neighborhoods.
  - 20. The method of claim 12 further including, following computation of a significance value for the event message:
    - comparing the computed significance value to a threshold value; and
      
      when the computed significance value is greater than the threshold value,generating an event record corresponding to the event message,placing an indication in the event record to indicate that the event record corresponds to a significant event, andstoring the event record within, or associated with, the selected cluster in a physical data-storage device.
  - 21. The method of claim 12 further including, following computation of a significance value for the event message:
    - comparing the computed significance value to a threshold value; and
      
      when the computed significance value is greater than the threshold value,generating an event record corresponding to the event message, andstoring the event record within an event log for significant event messages.
  - 22. The method of claim 12 further including, following computation of a significance value for the event message:
    - comparing the computed significance value to a threshold value; and
      
      when the computed significance value is greater than the threshold value,generating one or more of a notice and alarm, andtransmitting the generated notice or alarm to one or more of an automated system-administration subsystem and human system administrator.

23. Computer instructions stored in a physical device that, when executed on one or more processors of an event-message clustering system that additionally includes one or more memories, control the event-message clustering system to:
- receive event messages; and
  
  process each of the received event messages bydetermining a cluster to which to assign the event message,extracting data values from the event message,computing a significance value for the event message,generating an event record corresponding to the event message that includes the extracted data values, andstoring the event record within, or associated with, the selected cluster in a physical data-storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Kushmerick, Nicholas, Lin, Junyuan

Application Number

US14/319,057
Publication Number

US 20150370799A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/285   Clustering or classification

H04L 41/046   comprising network manageme...

H04L 41/069   using logs of notifications...

H04L 41/40   using virtualisation of net...

H04L 43/16   Threshold monitoring

METHOD AND SYSTEM FOR CLUSTERING AND PRIORITIZING EVENT MESSAGES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR CLUSTERING AND PRIORITIZING EVENT MESSAGES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links