Method, apparatus and computer program for analysing events in a computer system
Abstract
A method, an apparatus and a computer program for analyzing events in a computer system. The method comprises receiving an event and splitting the event into a meta part and a content part. The meta part is compared by matching it with meta parts from previous events. When the meta part is determined to be new, the meta part and the content part are stored. When the meta part is determined not to be new, the content part is compared by matching it with previous content parts that have the same meta part. When the content part is determined to be new, the content part is stored, thereby enabling analyzing events in a computer system and presenting events as new.
20 Claims
1. A method for analysing events in a computer system, the method comprising:
- receiving an event;
- splitting the event into a meta part and a content part, the meta part comprising non-content of the event including at least one of: non-letter/number character, colon (:), semicolon (;), space ( ), comma (,), tab ( ), and a cryptographic hash;
- comparing the meta part by matching the meta part with meta parts from previous events for determining that the meta part is new, and wherein when the meta part is determined new; storing the meta part and the content part;
- wherein when the meta part is determined not new, comparing the content part by matching with previous content parts with the same meta part for determining that the content part is new,
- comparing the content part with other content parts with the same meta part as said content part,
- determining existence of at least one parameter of said content part being different from a number of corresponding parameters of said other content parts, and when a difference is determined for the at least one parameter determine a parameter variation between content parts which are otherwise the same,
- labelling the at least one parameter of said content part as a dynamic parameter,
- determining that said content part is new when said content part has at least one new parameter different from said at least one dynamic parameter, and
- when the content part is determined new, storing the content part, thereby enabling analysing events in a computer system and presenting events as new.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. An apparatus for analysing events in a computer system, comprising a processor and a memory, said memory containing instructions executable by said processor, whereby:
- the apparatus is arranged to receive an event;
- the apparatus is arranged to split the event into a meta part and a content part, the meta part comprising non-content of the event including at least one of: non-letter/number character, colon (:), semicolon (;), space ( ), comma (,), tab ( ), and a cryptographic hash;
- the apparatus is arranged to compare the meta part by matching the meta part with meta parts from previous events to determine that the meta part is new, and wherein when the meta part is determined new; the apparatus is arranged to store the meta part and the content part;
- wherein when the meta part is determined not new, the apparatus is arranged to compare the content part by matching with previous content parts with the same meta part to determine that the content part is new, the apparatus being arranged to compare the content part with other content parts with the same meta part as said content part;
- the apparatus being arranged to determine existence of at least one parameter of said content part being different from a number of corresponding parameters of said other content parts, and when a difference is determined for the at least one parameter determine a parameter variation between content parts which are otherwise the same;
- the apparatus being arranged to label the at least one parameter of said content part as a dynamic parameter;
- the apparatus is arranged to determine that said content part is new when said content part has at least one new parameter different from said at least one dynamic parameter; and
- wherein when the content part is determined new; the apparatus is arranged to store the content part, thereby enabling to analyse events in a computer system and to present events as new.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
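
One way to read the method of claims 1 and 11 as log-novelty detection, added here as an illustration and not taken from the patent or any implementation of it. Assumptions: content is the runs of letters and digits, the meta part is the remaining separator skeleton with a placeholder per token, and a parameter is labelled dynamic once it has shown three distinct values in otherwise identical content parts; `split_event`, `EventStore`, `classify` and the sample events are hypothetical.

```python
import re
TOKEN = re.compile(r"[A-Za-z0-9]+")   # assumption: content = letter/number runs
SLOT = "\x00"                          # assumption: marks where a token was removed

def split_event(event):
    """Return (meta, content): separator skeleton and the tuple of tokens."""
    return TOKEN.sub(SLOT, event), tuple(TOKEN.findall(event))

class EventStore:
    def __init__(self, threshold=3):
        self.threshold = threshold   # assumption: distinct values before a slot is dynamic
        self.contents = {}           # meta -> stored content parts
        self.dynamic = {}            # meta -> token positions labelled dynamic

    def observe(self, event):
        meta, content = split_event(event)
        if meta not in self.contents:            # new meta: store both parts
            self.contents[meta] = [content]
            self.dynamic[meta] = set()
            return "new-meta"
        dyn = self.dynamic[meta]
        variants = {}                            # position -> values in otherwise-equal parts
        for prev in self.contents[meta]:
            diff = [i for i, (a, b) in enumerate(zip(content, prev))
                    if a != b and i not in dyn]
            if not diff:                         # differs only in dynamic parameters
                return "known"
            if len(diff) == 1:                   # otherwise the same: one varying parameter
                variants.setdefault(diff[0], set()).add(prev[diff[0]])
        newly = {p for p, seen in variants.items() if len(seen) + 1 >= self.threshold}
        if newly:                                # label the parameter, do not report as new
            dyn.update(newly)
            return "known"
        self.contents[meta].append(content)      # new parameter outside the dynamic ones
        return "new-content"

# Constructed sample events (not from the patent).
EVENTS = [
    "sshd: session opened for user alice",
    "sshd: session opened for user bob",
    "sshd: session opened for user carol",
    "sshd: session opened for user dave",
    "sshd: session closed for user dave",
    "sshd: session closed for user erin",
    "sshd[42]: session opened for user alice",
]
def classify(events, threshold=3):
    store = EventStore(threshold)
    return [store.observe(e) for e in events]
```

Once a position is labelled dynamic, every later value there is treated as known, so a field that matters for detection (a username, for example) needs its own check outside this novelty filter.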
Specification