Message clustering of system event logs
First Claim
1. An automated method, comprising:
- receiving event messages associated with one or more computer system event logs, each event message including event text;
- determining a set of message clusters, each cluster in the set identifying a template text that represents one or more event messages across the one or more event logs;
- assigning each received event message to a message cluster of the set according to a measure of similarity between the respective event text of the event message and the template text of the message cluster; and
- periodically splitting message clusters on the basis of pre-determined splitting criteria, wherein the pre-determined splitting criteria includes greater than a minimum number of event messages being assigned to a message cluster.
Abstract
An automated method of processing computer system event logs comprises receiving event messages associated with one or more system event logs, each event message including event text, determining a set of message clusters, each comprising a template text, representative of the event messages across the one or more event logs, and assigning each event message to a message cluster of the set, according to a measure of similarity between the respective event text of the event message and the template text of the message cluster.
18 Claims
17. A computer implemented method of diagnosing a computer system problem, comprising:
- receiving computer system behaviour information over one or more periods of time, the system behaviour information indicating a system problem;
- receiving event messages associated with one or more system event logs over the one or more periods of time, each event message including event text;
- determining a set of message clusters, each comprising a template text, representative of the event messages across the one or more event logs;
- assigning each event message to a message cluster of the set of message clusters according to a measure of similarity between the respective event text of the event message and the template text of the message cluster;
- determining which event messages coincide with the system problem; and
- using the determination of which event messages coincide with the system problem to diagnose a source of the system problem, wherein determining the set of message clusters includes a degree of variability of word positions within the event messages of each message cluster and words within each position being below a pre-determined threshold.
18. A computer implemented method of diagnosing a computer system problem, comprising:
- receiving computer system behaviour information over one or more periods of time, the system behaviour information indicating a system problem;
- receiving event messages associated with one or more system event logs over the one or more periods of time, each event message including event text;
- determining a set of message clusters, each comprising a template text, representative of the event messages across the one or more event logs;
- assigning each event message to a message cluster of the set of message clusters according to a measure of similarity between the respective event text of the event message and the template text of the message cluster;
- determining which event messages coincide with the system problem; and
- using the determination of which event messages coincide with the system problem to diagnose a source of the system problem, wherein assigning each event message to a message cluster of the set of message clusters includes comparing each event message to the message clusters in an order in which the message clusters are created and assigning each event message to a first message cluster in which a threshold of the measure of similarity is exceeded.
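The first-match assignment of claim 18 and the size-gated periodic split of claim 1, sketched as an added example that is not the patent's or the assignee's implementation. The positional word-match similarity, the threshold values, the rule for choosing the split position and the sample log lines are all assumptions constructed for illustration.

```python
from collections import namedtuple
SIM_THRESHOLD = 0.6   # assumed value: similarity must exceed this to join a cluster
MIN_SPLIT_SIZE = 3    # assumed value: only clusters with more messages are split
MAX_BRANCH = 2        # assumed value: split on a position with <= this many words
Cluster = namedtuple("Cluster", "template messages pinned")  # pinned: must-match positions

def similarity(words, c):
    """Assumed measure: share of word positions equal to the template text."""
    if len(words) != len(c.template) or any(words[i] != c.template[i] for i in c.pinned):
        return 0.0
    return sum(w == t for w, t in zip(words, c.template)) / max(len(words), 1)

def assign(clusters, text):
    """Try clusters in creation order; the first one over the threshold wins."""
    words = text.split()
    for c in clusters:
        if similarity(words, c) > SIM_THRESHOLD:
            c.messages.append(words)
            break
    else:
        clusters.append(Cluster(words, [words], frozenset()))

def split_pass(clusters):
    """Periodic step: split large clusters on a low-variability word position."""
    out = []
    for c in clusters:
        cand = [i for i in range(len(c.template)) if i not in c.pinned
                and 2 <= len({m[i] for m in c.messages}) <= MAX_BRANCH]
        if len(c.messages) <= MIN_SPLIT_SIZE or not cand:
            out.append(c)
            continue
        groups = {}
        for m in c.messages:
            groups.setdefault(m[cand[0]], []).append(m)
        out += [Cluster(g[0], g, c.pinned | {cand[0]}) for g in groups.values()]
    return out

def cluster_logs(lines):
    clusters = []
    for line in lines:
        assign(clusters, line)
    return split_pass(clusters)

LOGS = """sshd login failed for user alice from 10.0.0.5
sshd login failed for user bob from 10.0.0.9
sshd login accepted for user carol from 10.0.0.7
sshd login failed for user dave from 10.0.0.5
disk sda1 usage at 91 percent
disk sdb1 usage at 95 percent""".splitlines()  # constructed sample lines
```

Calling `cluster_logs(LOGS)` first groups all four sshd lines together, then the split pass separates the failed and accepted logins because that word position holds only two distinct values; the split position is pinned so later messages cannot fall back into the wrong child cluster.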
Specification