JP2009205372A - Information processor, information processing method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce a load in rule creation for extracting a business event from a system log. <P>SOLUTION: An identifier extraction part 0109 investigates relation between a value of a column selected by a user 0102 among columns included in a sample log 0103 and a value of the other column, and presents a candidate of a column used as an identifier when analyzing the sample log as an event identifier list 0110, the user selects the column used as the identifier as an identifier column based on the identifier list, an event correlation diagram generation part 0111 analyzes the sample log based on a value of the identifier column, derives a transition pattern between events, generates an event correlation diagram showing the transition pattern, and presents it to the user, the user derives correspondence relation between the business event and a log event from the event correlation diagram, and an extraction rule generation part 0113 generates an extraction rule from the correspondence relation between the business event and the log event. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an analysis system that performs business analysis based on, for example, log events obtained from a business system.

In conventional business analysis, it is necessary to incorporate a mechanism for acquiring data for business analysis into the business system in advance, or an event with a business meaning (business event) is associated based on the log of the existing business system It was necessary to create rules for collecting and converting / converting information (for example, Patent Document 1 and Patent Document 2).
JP 2006-004346 A JP 2006-338305 A

  However, the task of associating existing business system logs with business events and creating business event extraction rules is performed manually, so the burden of rule creation is high, and only a limited number of engineers can perform it. There is.

  One of the main objects of the present invention is to solve the above-mentioned problems, and by supporting the creation of rules for extracting business events from the logs of existing systems, the load of rule creation is reduced, The main purpose is to enable many engineers to create business event extraction rules.

An information processing apparatus according to the present invention includes:
A record reading unit for sequentially reading records including a plurality of columns from the storage device;
An input unit for inputting event type value column specifying information for specifying an event type value column in which an event type value representing an event type among the plurality of columns is described;
The record read by the record reading unit is input, an event type value column is selected from a plurality of columns of the input record, and attribute values representing event attributes are described in columns other than the event type value column. The attribute type column and the event type value described in the event type value column and the attribute value described in each attribute value column are compared and the event type value and attribute value are Investigate the combination, update the number of types of combination of event type value and attribute value for the attribute value column corresponding to each time a new type appears in the combination of event type value and attribute value, And a calculation processing unit that counts the number of types of combinations of event type values and attribute values for each attribute value column.

  According to the present invention, since the number of combination types is counted for each attribute value column, it is possible to present column candidates to be used as identifiers when analyzing the system log, reflecting the result of counting the number of combination types. As a result, it is possible to accurately derive transitions between events by system log analysis, and to reduce the load in creating rules for extracting business events.

Embodiment 1 FIG.
FIG. 1 is a diagram illustrating a system configuration example according to the present embodiment.
In FIG. 1, a business event extraction rule creation support device (0101) is a mechanism for generating a business event extraction rule (0104) from a specified sample log (0103) in accordance with an instruction from a user (0102).
The business event extraction rule creation support device (0101) is an example of an information processing device.

The record reading unit (0114) sequentially reads the records of the sample log (0103) from the storage device (0201). Hereinafter, the record of the sample log (0103) is also referred to as a log record.
Although details will be described later, the sample log (0103) is, for example, information shown in FIG.

The format extraction unit (0105) is a mechanism that automatically creates and outputs a format list (0106) for the records read by the record reading unit (0114).
Although details will be described later, the format list (0106) is, for example, information shown in FIG.

The event type extraction unit (0107) is a mechanism that automatically creates and outputs an event type list (0108) according to the format specified by the sample log (0103) and the user (0102).
Although details will be described later, the event type list (0108) is information shown in FIG.

The identifier extraction unit (0109) is a mechanism that automatically generates and outputs an event identifier list (0110) in accordance with the sample log (0103), the format, and the event type specified by the user (0102).
Although details will be described later, the event identifier list (0110) is information shown in FIG. 9, for example.
The identifier extraction unit (0109) is an example of a calculation processing unit.

The event correlation diagram generation unit (0111) follows the event log specified by the sample log (0103), format, event type, and user (0102) and event correlation diagram information (0112) (hereinafter also simply referred to as an event correlation diagram). ) Is created and output.
Although details will be described later, the event correlation diagram (0112) is, for example, information shown in FIG.
The event correlation diagram generation unit (0111) is an example of an event correlation analysis unit.

The extraction rule generation unit (0113) obtains the business event extraction rule (0104) from the sample log (0103), format, event type, event identifier, and correspondence table between the business event specified by the user (0102) and the event log. It is a mechanism that generates automatically.
Although details will be described later, the business event extraction rule (0104) is, for example, information shown in FIG.

Each information such as the format list (0106) and the event type list (0108) is displayed on the display device (0202), and the user (0102) can select various information displayed using the input device (0203). Instruct the business event extraction rule creation support device (0101) to make corrections.
In the business event extraction rule creation support device (0101), the input unit (0115) receives an instruction from the user (0102).

  The business event extraction rule creation support apparatus (0101) according to the present embodiment mainly performs the following operations in order to reduce the load in creating rules for extracting business events from the system log.

The format extraction unit (0105) analyzes the record read by the record reading unit (0114), extracts the format existing in the sample log (0103), and extracts the format via the display device (0202). Is displayed to the user (0102).
The user (0102) notifies the format selection result via the input device (0203) and the input unit (0115).
In addition, the event type extraction unit (0107) extracts the values described in each column of the record that matches the format selected by the user, and extracts the values extracted for each column via the display device (0202). An event type list (0108) to be shown is presented to the user (0102).
The user (0102) selects any column and notifies the selection result via the input device (0203) and the input unit (0115).

The identifier extraction unit (0109) uses the value described in the column selected by the user among the columns included in the record that matches the format specified by the user (0102) and the value described in the other columns. The relationship is investigated, and column candidates used as identifiers when analyzing the sample log (0103) are presented to the user as an event identifier list (0110) via the display device (0202).
Based on the event identifier list (0110), the user selects a column to be used as an identifier as an identifier column, and notifies the identifier column via the input device (0203) and the input unit (0115).
The event correlation diagram generation unit (0111) analyzes the sample log (0103) with reference to the value of the identifier column, derives a transition pattern between events, generates an event correlation diagram (0112) indicating the transition pattern, It is presented to the user via the display device (0202).
Further, the user derives the correspondence between the business event and the log event from the event correlation diagram, and notifies the correspondence via the input device (0203) and the input unit (0115).
The extraction rule generation unit (0113) generates a business event extraction rule (0104) from the correspondence between the business event and the log event.

  FIG. 2 is a flowchart showing the overall processing flow of the business event extraction rule creation support apparatus (0101) according to the first embodiment.

First, in step S0101, the user (0102) designates the sample log (0103) and executes the business event extraction rule creation support device (0101).
In step S0102, the record reading unit (0114) sequentially reads the log records of the sample log (0103), and the format extracting unit (0105) reads the format list (0106) for the log records read by the record reading unit (0114). Automatically create and output (record reading step).
In step S0103, the user (0102) selects a format from the format list, inputs information indicating the selected format using the input device (0203), and the input unit (0115) receives the information.

Next, in step S0104, the event type extraction unit (0107) automatically creates an event type list (0108) according to the format specified by the sample log (0103) and the user (0102), and displays it on the display device (0108). 0202).
Next, in step S0105, the user (0102) selects from the event type list (0108) a column number from which the event type is extracted and a plurality of values to be extracted as events, and information indicating the selected contents (event type value) Column designation information) is input using the input device (0203), and the input unit (0115) receives the information (input step).
Although details will be described later, a plurality of columns are specified for each record of the sample log (0103), and the user selects a column in which an event type value indicating the type of event is described. This column designated by the user is called an event type value column. Also, columns other than the event type value column are columns in which attribute values of events are described and are also referred to as attribute value columns.

In step S0106, the identifier extraction unit (0109) automatically generates an event identifier list (0110) according to the sample log (0103), the format, and the event type value column specified by the user (0102). And output to the display device (0202) (calculation processing step).
Next, in step S0107, the user (0102) selects the column number of the identifier used for associating the events from the event identifier list (0110), and inputs information indicating the selected column number to the input device (0203). ) And the input unit (0115) receives the information (input step).

  Next, in step S0108, the event correlation diagram generation unit (0111) displays the event correlation diagram (0112) according to the sample log (0103), the format, the event type value column, and the event identifier specified by the user (0102). Create and output to the display device (0202) (event correlation analysis step).

Next, in step S0109, the user (0102) refers to the event correlation diagram (0112) and the business process, examines the correspondence between the business event and the log event generation order, and inputs a correspondence table.
Next, in step S0110, the extraction rule generation unit (0113) determines the business from the sample log (0103), format, event type, event identifier, and correspondence table between the business event specified by the user (0102) and the event log. An event extraction rule (0104) is automatically generated.

  Next, the detailed operation of each step will be described using each table example and flowcharts (FIGS. 3 to 17).

FIG. 3 shows a business process (0204) and a sample log (0103) used as an example.
FIG. 3A shows an example of a business process in a call center.
In addition, the sample log (0103) in FIG. 3B shows a history of processing when the business process of the call center is performed.
The sample log (0103) in FIG. 3B has a plurality of columns, and each column is separated from other columns by a comma (,), a hyphen (-), or a colon (:).

  The detailed operation of step S0102 will be described using the flowchart of FIG. 4 and the format list example of FIG.

First, in step S0201, the record reading unit (0114) reads a sample log.
In step S0202, it is confirmed whether there is a log record that has not been read. If it exists, the process proceeds to S0203, and if not, the process proceeds to S0209.
If there is a log record that has not been read in step S0202, the record reading unit (0114) reads one line of the log record in step S0203.

Next, in step S0204, the format extraction unit (0105) divides the log record into words such as time, character string, number, and symbol.
Next, in step S0205, the format extraction unit (0105) creates a format from the lexical arrangement. The created format is, for example, described in the format column of the format list example in FIG.
Next, in step S0206, the format extraction unit (0105) checks whether the created format is in the format list. If not, the process proceeds to step S0207. If there is, the process proceeds to step S0208.

If the created format is not in the format list, in step S0207, the format extraction unit (0105) adds the format and the number of columns to the format list.
Here, the number of columns is the number of lexical words extracted by the format, and for example, is described in the column number column of the format list example of FIG.
For example, in the record on the first line in FIG. 3B, “2007/03/02 09:30:30”, “Ringing”, “803”, “xxxxxxxx”, “2”, “2271”, “024046” ”,“ TD ”,“ 2 ”,“ DOW ”,“ 5 ”, which corresponds to the format of the first line in the format list of FIG. 5 and has 11 columns.

Next, in step S0208, the format extraction unit (0105) increments the number of formats corresponding to the format list by 1, and returns to step S0202.
Note that a counter that counts the number of appearances of the format may be prepared inside or outside the format extraction unit (0105), and the format extraction unit (0105) may increase this counter to count the number of times.

If NO in step S0202, the format extraction unit (0105) sorts the format list in descending order of the number of appearances and the number of columns in step S0209, and the format number, the number of times, the number of columns, and the format are indicated. The format list is output to the display device (0202).
The format list is stored in a storage device (not shown) such as a main memory, a cache memory, and a register.

  An example of the format list generated based on the sample log (0103) shown in FIG. 3 is as shown in the format list example of FIG.

  Next, the detailed operation of step S0104 will be described using the flowchart of FIG. 6 and the event type list example of FIG.

First, in step S0301, the format extraction unit (0105) reads the format specified by the user (0102) in step S0103. For example, the format is number 1 in FIG.
Next, in step S0302, the record reading unit (0114) reads the sample log.
Next, in step S0303, if the record reading unit (0114) confirms whether there is a log record that has not been read, the process proceeds to step S0304, and if not, the process proceeds to step S0312.
If there is a record that has not been read, the record reading unit (0114) reads one line of the log record in step S0304.
The sample log read here is the same as that read in the flow of FIG. Also, in the sample log reading process in the subsequent flowcharts, the same sample log as that read in the flow of FIG. 2 is read.

Next, in step S0305, the event type extraction unit (0107) checks whether the log record matches the format specified by the user (0102). If the log record matches, the process proceeds to step S0306. Returns to step S0303.
If there is a match in step S0305, the event type extraction unit (0107) extracts data for each column in step S0306.
In step S0307, the event type extraction unit (0107) checks whether there is a column that has not been processed, and if there is, proceeds to step S0308, otherwise returns to step S0303.
In step S0308, the event type extraction unit (0107) selects a column and a value.

Next, in step S0309, the event type extraction unit (0107) checks whether there is a value in the corresponding column of the event type list (whether “Ringing” or the like is already described in the event type list). , The process proceeds to step S0310. If there is, the process proceeds to step S0311.
If there is no value in the corresponding column of the event type list in step S0309, the event type extraction unit (0107) adds a value (such as “Ringing”) to the event type list and increases the number of types by 1 in step S0310. Let
If there is a value in the corresponding column of the event type list in step S0309, in step S0311, the event type extraction unit (0107) increments the number of times corresponding to the column and value in the event type list by one, and step S0307 Return to.
Note that a counter that counts the number of times may be prepared inside or outside of the event type extraction unit (0107), and the event type extraction unit (0107) may increase the counter to count the number of times.

Next, in step S0312, the event type extraction unit (0107) sorts the event type list in ascending order of the column (number), sorts the values in descending order of the number of times, column (number), type (number), and value. The list of (list) is output to the display device (0202).
The event type list is stored in a storage device such as a main memory, a cache memory, and a register (not shown).

  An example of the event type list generated based on the sample log (0103) shown in FIG. 3 is as shown in the event type list example of FIG.

In the above example, the case where one format is used is used, but a plurality of formats may be selectable. In this case, the steps from S0305 to S0311 are performed for each selected format, and the change can be made by adding a format number to the top of the event type list output in step S0312.
Details of this point will be described later.

  Next, the detailed operation of step S0106 will be described using the flowchart of FIG. 8 and the event identifier list example of FIG.

First, in step S0401, the identifier extraction unit (0109) reads the format specified by the user (0102) in step S0103. For example, the format is number 1 in FIG.
Next, in step S0402, the identifier extraction unit (0109) reads the column number and event list specified by the user (0102) in step S0105.
Here, the column number designated by the user (0102) in step S0105 is the column number of the event type value column. The event attribute value column is also referred to as an event column. Further, the identifier extraction unit (0109) treats columns other than the event type value column as attribute value columns indicating event attribute values. Further, the user selects a specific event type value from a plurality of event type values described in the event type value column. A set of event type values selected by the user is called an event list.
Next, in step S0403, the identifier extraction unit (0109) changes the format based on the column number and the event list.
For example, when the format number in FIG. 5 is 1, the column number in FIG. 7 is 2, and the event type value is selected as (Ringing, Dialing, Established, Released, NotReady, Ready), it is converted into the following format: .
“% Time%, (Ring | Dialing | Established | Released | NotReady | Ready)-% numerical value%,% character string%,% numerical value%,% numerical value%,% numerical value%,% numerical value%,% character string%,% numerical value%,% Character string%,% numerical value% "
Note that “Ringing”, “Dialing”, “Established”, “Released”, “NotReady”, and “Ready” are the event list.
In FIG. 7, the event type values included in the event list are underlined to facilitate understanding.
Note that the user does not have to select the event list. That is, it is not necessary to select only the event type value column and select individual values described in the event type value column.

Next, in step S0404, the record reading unit (0114) reads the sample log.
In step S0405, the record reading unit (0114) proceeds to step S0406 if there is a log record that has not been read, and proceeds to step S0414 if there is no log record.
If there is an unread log record, the record reading unit (0114) reads one line of the log record in step S0406.
Next, in step S0407, the identifier extraction unit (0109) checks whether or not the read log record matches the format changed in step S0403. If there is a match, the process proceeds to step S0408, and if not, the process proceeds to step S0405. Return.

If the format matches, in step S0408, the identifier extraction unit (0109) extracts the event column value and increments the number of events corresponding to the value by one.
In step S0409, the identifier extraction unit (0109) extracts data for each attribute value column.
In step S0410, the identifier extraction unit (0109) checks whether there is an attribute value column that has not been processed, and if there is, proceeds to step S0411, and if not, returns to step S0405.
If there is an attribute value column that has not been processed, the identifier extraction unit (0109) selects an attribute value column and a value in step S0411.
Next, in step S0412, the identifier extraction unit (0109) checks whether there is a value corresponding to the event type value and attribute value column. If not, the process proceeds to step S0413. If there is, the process returns to step S0410.
If there is no value corresponding to the event type value and attribute value column in step S0412, in step S0413, the identifier extraction unit (0109) adds a value to the type corresponding to the event type value and attribute value column, and sets the number of types. Increase by one.
Next, in step S0414, the identifier extraction unit (0109) calculates the number of types / the number of events for each event type value and attribute value column.
In step S0415, the identifier extraction unit (0109) sorts the calculated values in descending order of the average value and outputs an event identifier list.
The event identifier list is stored in a storage device (not shown) such as a main memory, a cache memory, and a register.

  An example of the event type list generated based on the sample log (0103) shown in FIG. 3 is the example of the event identifier list of FIG.

In the processing flow of FIG. 8, the identifier extraction unit (0109) selects a record that matches the format (S0407), and counts the number of event type values that have appeared in the selected records (S0408). At this time, the number of occurrences of the event type value is counted in units of event type values (for “Ringing”, “Dialing”, “Established”, “Released”, “NotReady”, and “Ready”).
In addition, the identifier extraction unit (0109) sets, for each selected record, the event type value and each attribute value described in each attribute value column (such as “205” and “206” for the column 3, “xxxxxxxxxxxx” for the column 4). ”,“ Yyyyyyyyy ”, etc.) and the combination of the event type value and the attribute value is investigated for each attribute value column, and it corresponds to the time when a new type appears in the combination of the event type value and the attribute value. The number of types of combinations of event type values and attribute values is updated for the attribute value column, and the number of types of combinations of event type values and attribute values in a plurality of input records is counted for each attribute value column (S0409 to S0413). ). At this time, the number of combination types is counted for each attribute value column in units of event type values (for “Ringing”, “Dialing”, “Established”, “Released”, “NotReady”, and “Ready”).
Then, the identifier extraction unit (0109) calculates, for each attribute value column, the ratio of the number of combination types to the number of appearances of event type values in units of event type values. The calculated ratio is referred to as the kind number ratio.

For example, in the sample log of FIG. 3B, the record in the first line has the format “% time%, (Ringing | Dialing | Established | Released | NotReady | Ready) −% numerical value%,% character string%. ,% Numerical value%,% numerical value%,% numerical value%,% character string%,% numerical value%,% character string%,% numerical value% ”are selected (S0407).
Then, the number of occurrences of “Ringing”, which is the event type value included in this record, is increased by 1 (S0408).
FIG. 16 shows an example of a count result of the number of appearances of event type values.
As shown in FIG. 16, the number of appearances is counted in event type value units.

In addition, the identifier extraction unit (0109) has attribute values described in the attribute value column “803”, “xxxxxxxx”, “2”, “2271”, “024046”, “TD”, “2”, “ “DOW” and “5” are sequentially extracted (S0409 to S0411), and a combination of the event attribute value and each attribute value (a combination of “Ringing” and “803”, a combination of “Ringing” and “xxxxxxxx”, etc.) Is already appearing in another record and it is determined whether it is already registered in the event identifier list (S0412).
If the combination appears for the first time (NO in S0412), it is a new combination type, so that combination is registered in the event identifier list and the number of types is incremented by 1 (S0413). For example, when the combination of “Ringing” and the attribute value of column 3 appears for the first time as a combination of “Ringing” and “803”, the number of types is increased by one for column 3, and “Ringing” is added to other records. ”And“ 505 ”when the combination appears for the first time, the number of types for the column 3 is further increased by one. Similarly, when a combination of “Ringing” and “xxxxxxxx” appears for the first time as a combination of attribute values of “Ringing” and column 4, the number of types is increased by one for column 4, and “Ringing” is added to other records. ”And“ yyyyyyyyyy ”appear for the first time, the number of types is further increased by one for the column 4.
FIG. 17 shows an example of the counting result of the number of types of combinations of event type values and attribute values.
As shown in FIG. 17, the number of types of combinations is counted for each attribute value column in units of event type values.

Then, the identifier extraction unit (0109) calculates the type ratio by the number of types / the number of events for each event type value and for each attribute value column.
In the example of FIGS. 16 and 17, for example, the type number ratio of 0.4 is calculated by dividing column number 3 and the number of types of “Ringing”: 40 by the number of occurrences of “Ringing”: 100.
Thereafter, the identifier extraction unit (0109) sorts the calculated average values in descending order and outputs an event identifier list to the display device (0202) as shown in FIG.
The event identifier list is an example of attribute value column ratio information.

The event identifier list indicates how valid each column value is as an identifier for each event. An identifier for uniquely identifying each event to be associated with each process (a value corresponding to a reception number or order number, assuming that column 4 corresponds to a telephone number and is unique here) is required.
Here, if “value type of x column / number of occurrences of event = 1.0” for each event, the attribute values appearing in the x column are different from each other, and the attribute value of the x column is used as a reference. By tracing log data in chronological order, transitions between events can be identified completely uniquely.
However, due to loops (changes, resubmissions, etc.), it is not completely 1.0. For example, if “Ringing” occurs 100 times and the number of types of column 4 at the time of “Ringing” is 90, the value is 0.9. It is assumed that the closer this value is to 1.0, the more appropriate the identifier, and the uniqueness by one or more combinations.
For this reason, as shown in FIG. 9, the identifier extraction unit (0109) displays the event identifier list arranged higher in the attribute value column with the higher average value of the calculated values on the display device (0202), and the user (0102). ) Selects the highest attribute value column in the event identifier list.

In this embodiment, the case where one event column is used is used. However, a plurality of event columns may be selected. In that case, in step S0408, the extraction of the value of the event column can be dealt with by changing the extraction of values from a plurality of event columns and managing the concatenated values as event types.
For example, in a format in which “telephone operation”, “mail operation”, “Web operation”, etc. are described in column 1 and “event 1”, “event 2”, etc. are described in column 2, the user (0102) ) Specifies these columns 1 and 2 as event columns (inputs information specifying event columns from the input device (0203)), and the identifier extraction unit (0109) specifies the columns 1 and columns specified as event columns. A specific event can be specified by combining two event type values.
In this case, for example, the combined “value of column 1_value of column 2” is handled as the event type value. Then, for each attribute value column, the number of combinations of “value of column 1_value of column 2” and attribute value is counted.
The subsequent processing is as described above.

  Next, the detailed operation of step S0108 will be described using the flowchart of FIG. 10 and the event correlation diagram example of FIG.

First, in step S0501, the event correlation diagram generation unit (0111) reads the format specified by the user (0102).
In step S0502, the event correlation diagram generation unit (0111) reads the column number and event list specified by the user (0102).
In step S0503, the event correlation diagram generation unit (0111) changes the format based on the column number and the event list.
For example, when the format number of FIG. 5 is 1, the column number of FIG. 7 is 2, and the value is selected as (Ringing, Dialing, Established, Released, NotReady, Ready), the format is converted as follows.
“% Time%, (Ring | Dialing | Established | Released | NotReady | Ready)-% numerical value%,% character string%,% numerical value%,% numerical value%,% numerical value%,% numerical value%,% character string%,% numerical value%,% Character string%,% numerical value% "

Next, the event correlation diagram generation unit (0111) reads the identifier column designated by the user (0102) in step S0504. This identifier column is a column designated in step S0107 in FIG. 2, and as described above, it is usually the highest column in the event identifier list (FIG. 9).
The identifier column designated by the user (0102) is also referred to as a designated attribute value column.

Next, in step S0505, the record reading unit (0114) reads the sample log.
Next, in step S0506, the record reading unit (0114) proceeds to step S0507 if it is confirmed that there is a log record that has not been read, and proceeds to step S0513 if there is no log record.
If there is an unread log record, in step S0507, the record reading unit (0114) reads one line of the log record.

Next, in step S0508, the event correlation diagram generation unit (0111) checks whether the read log record matches the format changed in step S0503. If it matches, the process proceeds to step S0509. Return to step.
When the format matches, the event correlation diagram generation unit (0111) takes out the values of the identifier column and the event column in step S0509.
Next, in step S0510, the event correlation diagram generation unit (0111) checks whether there is a previous event corresponding to the identifier. If there is, the process proceeds to step S0511, and if not, the process proceeds to step S0512.
Here, the previous event is the same as the attribute value described in the identifier column (designated attribute value column) of the newly input new input record (that is, the log record currently being processed in step S0509). The attribute value is indicated in the record located at the end of the input records (that is, the log records that have already been processed in step S0509) described in the identifier column (specified attribute value column). Event type value (such as “Ringing”).
For example, when the identifier column is column 4 and “xxxxxxxxxxxx” is described in column 4 of the newly input new input record, “xxxxxxxxxxxx” is described in column 4 among the already input records. The event type value of the last record is the previous event.

Next, in step S0511, the event correlation diagram generation unit (0111) increments the number of times corresponding to the combination of the previous event and the current event by one.
The current event is an event type value indicated in the new input record.

For example, when column 4 is an identifier column, event type values are detected in the order of Ringing → Establish → Release for attribute value “xxxxxxxx”, and events in the order of Ringing → Release for attribute value “yyyyyyyyy”. When the type value is detected and the event type value is detected in the order of Dialing → Establish → Release with respect to the attribute value “zzzzzzzzz”, the count is performed as follows.
Ringing, Establish, 1
Ringing, Release, 1
Dialing, Establish, 1
Establish, Release, 2

Next, in step S0512, the event correlation diagram generation unit (0111) stores the current event in the previous event corresponding to the identifier, and returns to step S0506.
That is, the previous event type value and the current event type value are linked in accordance with the record input order.

When all the log records are read and the processing of S0507 to S0512 is performed on all the log records (NO in S0506), the event correlation diagram generation unit (0111) responds to each event in step S0513. Generate a node to do.
Next, the event correlation diagram generation unit (0111) generates an edge corresponding to the combination of the previous event and the current event in step S0514.
At this time, the line thickness is changed according to the number of times corresponding to the previous event and the current event group.
That is, the event correlation diagram generation unit (0111) analyzes the linked event type values to derive a plurality of event transition patterns, and the previous event (transition source event type value) representing the transition source event for each event transition pattern. And the number of appearances of the combination of the current event (transition destination event type value) representing the transition destination event. Then, each event transition pattern is indicated by a node and an edge, and an event correlation diagram (0112) is generated in which the number of appearances of the combination of the previous event and the current event is represented as a line thickness in each event transition pattern.
Finally, in step S0515, the event correlation diagram generation unit (0111) arranges the layout and outputs the event correlation diagram to the display device (0202).
In addition, the event correlation diagram is stored in a storage device such as a main memory, a cache memory, and a register (not shown).

  An example of an event correlation diagram generated based on the sample log (0103) shown in FIG. 3B is as shown in the event correlation diagram of FIG.

In this embodiment, the case where one identifier column is used is used. However, a plurality of identifier columns may be selected.
In that case, in step S0509, the extraction of the value of the identifier column can be dealt with by changing the extraction of values from a plurality of identifier columns and managing the concatenated values as identifiers.
For example, the user (0102) specifies columns 3 and 4 in FIG. 7 as identifier columns (inputs information specifying the identifier column from the input device (0203)), and the event correlation diagram generation unit (0111) Investigate the values in columns 3 and 4 of the input record, and the entered record where the same value as the value of column 3 in the new input record is described in column 3 and the same value as the value of column 4 is described in column 4 Among them, the event type value of the last record is set as the previous event.
Then, the previous event and the current event searched in this way are connected.
The subsequent processing is as described above.

  In this embodiment, the line thickness is changed according to the number of times corresponding to the previous event and the current event group. However, not only the thickness but also the line type and color can be changed. good. Also, other values such as a time distance may be used instead of the number of times.

  In this embodiment, only the node is generated in step S0513, but the thickness, type, color, etc. may be changed depending on the number of times and the type of event.

In step S0109 of FIG. 2, the user (0102) refers to the event correlation diagram as shown in FIG. 11 output in step S0108 and the business process (0204) of FIG. Consider order mapping.
Here, the correspondence is as shown in the correspondence image of the occurrence order of the business event and the log event in FIG.
The user (0102) inputs a correspondence table of the order of occurrence of business events and log events.

The example based on the business process (0204) and the sample log (0103) shown in FIG. 3 is an example of a correspondence table between the business event and the log event occurrence order shown in FIG.
This association is also performed by the user (0102).

Next, in S0110 of FIG. 2, from the correspondence table between the sample log (0103), the format, the event type value, the event identifier (identifier column attribute value), and the business event specified by the user (0102) and the event log. The extraction rule generation unit (0113) generates a business event extraction rule (0104).
An example based on the business process (0204) and the sample log (0103) shown in FIG. 3 is the business event extraction rule example of FIG.

With the configuration and operation as described above, the log of the existing system is automatically analyzed, the log format candidates, the log event type candidates, and the log event identifier candidates are sequentially presented, and the user selects them. As a result, it is possible to obtain a correlation between log events that is highly related to the business process.
In addition, because it is possible to generate semi-automatic extraction rules for automatically extracting business events from the log by associating the order of occurrence of log events with business events, business events are extracted from the existing system log. By supporting the creation of rules for this purpose, the load of rule creation can be reduced, and many engineers can create business event extraction rules.

  Further, in this embodiment, the event correlation diagram is automatically generated by the event correlation diagram generation unit, but a diagram like the event tree example shown in FIG. 15 is generated from the event occurrence order for each extracted event identifier. It may be a method.

  In the above description, the case where the sample log (0103) including a plurality of formats is used has been described. However, if there is one format, S0102 and S0103 in FIG. The processing relating to the format selection such as S401 in FIG. 8 can be omitted.

Embodiment 2. FIG.
In the first embodiment, the identifier extraction unit (0109) outputs the event identifier list illustrated in FIG. 9 to the display device (0202), and the user (0102) displays any column indicated in the event identifier list as an identifier column. The event correlation diagram generation unit (0111) analyzes the sample log (0103) with reference to the identifier column designated by the user (0102) to generate an event correlation diagram.
Instead, the identifier extraction unit (0109) does not output the event identifier list to the display device (0202), and the event correlation diagram generation unit (0111) designates the identifier column by itself without designation from the user (0102). An event correlation diagram may be generated.

  As described above, the closer the number ratio calculated by the number of types divided by the number of events is, the more appropriate the identifier column is. Therefore, in this embodiment, the event correlation diagram generation unit (0111) The column having the largest average number ratio is selected as the identifier column, and the event log is generated by analyzing the sample log (0103) based on the selected identifier column.

Note that the present embodiment is different from the first embodiment only in that the event identifier list is not output to the display device (0202) and the event correlation diagram generation unit (0111) specifies the identifier column by itself. This process is the same as in the first embodiment.
The configuration of the business event extraction rule creation support apparatus (0101) according to the present embodiment is also as shown in FIG.

Embodiment 3 FIG.
In Embodiment 1, the identifier extraction unit (0109) calculates the type number ratio by the number of types / the number of events for each column, and generates an event identifier list indicating the type number ratio.
Instead of this, the identifier extraction unit (0109) may generate an event identifier list indicating the number of types of combination itself, not the number of types ratio.

For example, after the identifier extraction unit (0109) performs the processing up to step 0413 in FIG. 8 and counts the number of types for each event type value and for each column as shown in FIG. 16, the number of types in step S0414 / Without calculating the number of events, the event identifier list is sorted by the average value or the total value of the number of types, and an event identifier list indicating the number of types for each column is generated as shown in FIG. Alternatively, the data may be output to the display device (0202).
Also in this case, the highest column is considered to be the most appropriate column as an identifier because it has the largest number of types.

It is also possible to indicate in the event identifier list the value of the total number of combination types for each attribute value column / the total number of occurrences of event type values.
For example, the total number of appearances for each event type value shown in FIG. 16 is 620 as shown in FIG. 19 (100 + 100 + 200 + 200 + 10 + 10 = 620).
In addition, the sum of the number of types of combinations shown in FIG. 17 for each attribute value column is, as shown in FIG. 20, column 3: 204, column 4: 466, column 5:62, and these are divided by 620 shown in FIG. Then, column 3: 0.33, column 4: 0.75, column 5: 0.10, and the columns may be sorted in descending order of this ratio to form an event identifier list (FIG. 20 shows the state after sorting). ing).

In the present embodiment, only the points described above are different from those in the first embodiment, and other processes are the same as those in the first embodiment.
The configuration of the business event extraction rule creation support apparatus (0101) according to the present embodiment is also as shown in FIG.

  As in the second embodiment, the event correlation diagram generation unit (0111) selects the column with the largest average number of types as the identifier column without outputting the event identifier list to the display device (0202). Then, the event log may be generated by analyzing the sample log (0103) based on the selected identifier column.

Embodiment 4 FIG.
In Embodiment 1, the case where one format is used has been described, but a plurality of formats may be used.

Specifically, the processing from step S0305 to step S0311 in FIG. 6 is performed for each selected format, and it is possible to cope with the change by adding a format number to the top of the event type list output in step S0312. is there.
In this case, the user selects an event type value column for each format.

Further, the processing after S0407 in FIG. 8 is performed for each format, and the format number is added to the head of the event type list output in S0415.
For example, as shown in FIG. 21, a column indicating the format number is provided in the event identifier list, and the event identifier list is output for each format.
In the example of FIG. 21, the upper event identifier list is an event identifier list for format 1, and the lower event identifier list is an event identifier list for format 5.
The identifier extraction unit (0109) outputs a plurality of event identifier lists for each format to the display device (0202), and causes the user (0102) to select an identifier column for each format.
Here, the user (0102) needs to select a column in which a common attribute value (for example, telephone number) is described for each format. For example, if the value described in the column 4 of the format 1 is a telephone number and the user selects the column 4 of the format 1 as an identifier column, the column in which the telephone number is described for the format 5 is also an identifier. Must be selected as a column.
For this reason, a column exemplifying attribute values may be added to each event identifier list of FIG. 21 so that the user can easily determine the columns in which common attribute values are described. In this case, for example, the attribute values described in the column 4 such as “xxxxxxxx”, “yyyyyyyyy”, etc. are exemplified with respect to the column 4 of the upper event identifier list. Similarly, the attribute values are exemplified for the other column and lower event identifier lists.

Further, using the example of FIG. 21, in step S0503 in FIG. 10, the format is changed for each of format 1 and format 5, and in step S0508, the format of the read record is changed to format 1 after change. Or, if it matches the format 5 after the change, it becomes YES.
In step S0510, the previous event having the same attribute value in the identifier column is searched, and both the identifier column of format 1 and the identifier column of format 5 are to be searched.
For example, when the identifier column of the format 1 is the column 4 and the identifier column of the format 5 is the column 3, the attribute value of the identifier column of the record currently being processed (new input record) is “xxxxxxxxxxxx” If so, it is a record of format 1 and “xxxxxxxxxxxx” is indicated in column 4 or a record of format 5 and “xxxxxxxxxxxx” is indicated in column 3 and is the last record. Are subject to consolidation.

In the first embodiment, only the same format is to be linked. For this reason, the set of the previous event and the current event is limited to “Receiving”, “Established”, and the like, for example.
In this embodiment, since different formats are also subject to concatenation, as a set of the previous event and the current event, for example, a set of “Established” (format 1) and “button 1 pressed” (format 5) or “screen 2” A set of “display” (format 5) and “Released” (format 1) is extracted.
When the entire flow of FIG. 10 is completed, for example, an event correlation diagram (0302) as shown in FIG. 22 is generated.
In the event correlation diagram (0302) of FIG. 22, transitions between events of format 1 and events of format 5 are shown.

In the above description, as shown in FIG. 21, an example in which an event identifier list of a plurality of formats is output to the display device (0202) and the user (0102) specifies an identifier column for each format has been described. As in the second embodiment, the event correlation diagram generation unit (0111) selects the identifier column for each format without outputting the event identifier list to the display device (0202), and uses the selected identifier column as a reference. The event log may be generated by analyzing the sample log (0103).
Also in this case, the event correlation diagram generation unit (0111) needs to select a column in which a common attribute value (for example, telephone number) is described for each format.

  Here, the main features of the business event extraction rule creation support device described in the first to fourth embodiments will be restated.

In the first to fourth embodiments, in an analysis system that performs business analysis based on log events obtained from the business system,
Format extractor that automatically extracts formats from logs,
An event type extraction unit that automatically extracts an event type from the information and the format;
An event identifier extraction unit that automatically extracts an event identifier from the information and the event type;
An event correlation diagram generator for automatically extracting an event correlation diagram from the information and the event identifier;
An extraction rule generation unit that automatically generates a business event extraction rule from the correspondence between the information and the business event and the log event occurrence order;
The business event extraction rule creation support apparatus having the above has been described.

  Further, in the first to fourth embodiments, the business event extraction rule creation support device has been described that can cope with the case where the relationship between events cannot be associated with only one column by specifying a plurality of event identifiers.

  Further, in the first to fourth embodiments, the business event extraction rule creation support device has been described that can cope with a case where an event cannot be specified by only one column by specifying a plurality of event types.

  In the first to fourth embodiments, the business event extraction rule creation support device has been described that can cope with a case where an event cannot be specified by only one log record by specifying a plurality of formats.

Finally, a hardware configuration example of the business event extraction rule creation support apparatus (0101) shown in the first to fourth embodiments will be described.
FIG. 23 is a diagram illustrating an example of hardware resources of the business event extraction rule creation support apparatus (0101) illustrated in the first to fourth embodiments.
The configuration in FIG. 23 is merely an example of the hardware configuration of the business event extraction rule creation support apparatus (0101), and the hardware configuration of the business event extraction rule creation support apparatus (0101) is described in FIG. It is not limited to this configuration, and other configurations may be used.

In FIG. 23, the business event extraction rule creation support device (0101) includes a CPU 911 (also called a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program. .
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Further, instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
A communication board 915, a keyboard 902, a mouse 903, a scanner device 907, an FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

  The communication board 915 is connected to the network. For example, the communication board 915 may be connected to a LAN (local area network), the Internet, a WAN (wide area network), or the like.

The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.

The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When starting up the business event extraction rule creation support device (0101), the BIOS program in the ROM 913 and the boot program in the magnetic disk device 920 are executed, and the operating system 921 is started up by the BIOS program and the boot program.

  The program group 923 stores a program for executing the function described as “˜unit” in the description of the first to fourth embodiments. The program is read and executed by the CPU 911.

In the file group 924, in the description of the first to fourth embodiments, “determination of”, “extraction of”, “calculation of”, “comparison of”, “contrast of”, “change of” ”,“ Update of ”,“ setting of ”,“ counting of ”,“ concatenation of ”,“ registration of ”,“ selection of ”, etc. Data, signal values, variable values, and parameters are stored as items of “˜file” and “˜database”.
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, arrows in the flowcharts described in the first to fourth embodiments mainly indicate input / output of data and signals, and the data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, DVDs, and the like. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “to part” in the description of the first to fourth embodiments may be “to circuit”, “to device”, “to device”, and “to step”, It may be “˜procedure” or “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, only hardware such as elements, devices, substrates, wirings, etc., or a combination of software and hardware, and further a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” in the first to fourth embodiments. Alternatively, the computer executes the procedure and method of “to unit” in the first to fourth embodiments.

  As described above, the business event extraction rule creation support device (0101) shown in the first to fourth embodiments outputs a CPU as a processing device, a memory as a storage device, a magnetic disk, etc., a keyboard as an input device, a mouse, a communication board, etc. The computer includes a display device, a communication board, and the like, and implements the functions indicated as “to unit” using the processing device, the storage device, the input device, and the output device as described above.

FIG. 3 is a diagram illustrating a configuration example of a business event extraction rule creation support device according to the first embodiment. FIG. 3 is a flowchart showing an example of a business event extraction rule creation support method according to the first embodiment. The figure which shows the example of the business event and sample log which concern on Embodiment 1. FIG. FIG. 3 is a flowchart showing an example of a format extraction flow according to the first embodiment. FIG. 6 is a diagram showing an example of a format list according to the first embodiment. FIG. 3 is a flowchart showing an example of an event type extraction flow according to the first embodiment. FIG. 6 is a diagram showing an example of an event type list according to the first embodiment. FIG. 4 is a flowchart showing an example of an event identifier extraction flow according to the first embodiment. FIG. 6 shows an example of an event identifier list according to the first embodiment. FIG. 3 is a flowchart showing an example of an event correlation diagram generation flow according to the first embodiment. FIG. 4 shows an example of an event correlation diagram according to the first embodiment. The figure which shows the example of a response | compatibility image of the generation | occurrence | production order of the business event which concerns on Embodiment 1, and a log event. The figure which shows the example of a correspondence table of the business event which concerns on Embodiment 1, and a log event generation order. FIG. 5 is a diagram showing an example of a business event extraction rule according to the first embodiment. FIG. 3 shows an example of an event tree according to the first embodiment. FIG. 6 is a diagram showing an example of a result of counting the number of event appearances according to the first embodiment. FIG. 6 is a diagram showing an example of a counting result of the number of combination types according to the first embodiment. FIG. 10 shows an example of an event identifier list according to the third embodiment. FIG. 10 is a diagram showing an example of the total number of event appearances according to the third embodiment. FIG. 10 shows an example of an event identifier list according to the third embodiment. FIG. 10 shows an example of an event identifier list according to the fourth embodiment. An example of an event correlation diagram according to the fourth embodiment is shown. The figure which shows the structural example of the business event extraction rule creation assistance apparatus which concerns on Embodiment 1-4.

Explanation of symbols

  0101 business event extraction rule creation support device, 0102 user 0103 sample log, 0104 business event extraction rule, 0105 format extraction unit, 0106 format list, 0107 event type extraction unit, 0108 event type list, 0109 identifier extraction unit, 0110 event identifier list , 0111 event correlation diagram generation unit, 0112 event correlation diagram, 0113 extraction rule generation unit, 0114 record reading unit, 0115 input unit, 0201 storage device, 0202 display device, 0203 input device.

Claims (23)

A record reading unit for sequentially reading records including a plurality of columns from the storage device;
An input unit for inputting event type value column specifying information for specifying an event type value column in which an event type value representing an event type among the plurality of columns is described;
The record read by the record reading unit is input, an event type value column is selected from a plurality of columns of the input record, and attribute values representing event attributes are described in columns other than the event type value column. The attribute type column and the event type value described in the event type value column and the attribute value described in each attribute value column are compared and the event type value and attribute value are Investigate the combination, update the number of types of combination of event type value and attribute value for the attribute value column corresponding to each time a new type appears in the combination of event type value and attribute value, And a calculation processing unit that counts the number of types of combinations of event type values and attribute values for each attribute value column. Management apparatus. The calculation processing unit
Count the number of occurrences of event type values in multiple records entered,
The information processing apparatus according to claim 1, wherein a ratio of the number of types of combinations to the number of appearances of event type values is calculated as a type number ratio for each attribute value column. The calculation processing unit
Count the number of combination types for each attribute value column in units of event type values, count the number of occurrences of event type values in units of event type values,
The information processing apparatus according to claim 2, wherein the type number ratio is calculated for each attribute value column in units of event type values. The calculation processing unit
Compare the types ratio,
Generate attribute value column ratio information that shows each attribute value column along with its type ratio in descending order of type ratio,
The information processing apparatus according to claim 2, wherein the attribute value column ratio information is output to a display device. The input unit is
After the attribute value column ratio information is output from the calculation processing unit to the display device, input attribute value column designation information for designating a specific attribute value column as a designated attribute value column from among a plurality of attribute value columns. ,
The information processing apparatus further includes:
A record read by the record reading unit is input, and an attribute value described in a specified attribute value column of the input record is examined, and a plurality of attribute values common to the specified attribute value column are described. 5. The information processing apparatus according to claim 4, further comprising: an event correlation analysis unit that connects event type values of records in accordance with an input order of records and analyzes correlation between events based on the connected event type values. . The input unit is
Enter attribute value column specification information specifying two or more attribute value columns as the specified attribute value column,
The event correlation analysis unit
The record read by the record reading unit is input, the attribute value described in each specified attribute value column of the input record is examined, and a common attribute value is described in the same specified attribute value column 6. The information processing apparatus according to claim 5, wherein event type values of a plurality of records are linked in accordance with an input order of records, and correlation between events is analyzed based on the linked event type values. The information processing apparatus further includes:
A specific attribute value column is designated as a designated attribute value column from among a plurality of attribute value columns based on the type number ratio calculated by the calculation processing unit,
A record read by the record reading unit is input, and an attribute value described in a specified attribute value column of the input record is examined, and a plurality of attribute values common to the specified attribute value column are described. 4. The information processing according to claim 2, further comprising an event correlation analysis unit that connects event type values of records according to an input order of records and analyzes correlation between events based on the connected event type values. apparatus. The event correlation analysis unit
Specify two or more attribute value columns as the specified attribute value column,
The event correlation analysis unit
The record read by the record reading unit is input, the attribute value described in each specified attribute value column of the input record is examined, and a common attribute value is described in the same specified attribute value column The information processing apparatus according to claim 7, wherein event type values of a plurality of records are linked in accordance with an input order of records, and correlation between events is analyzed based on the linked event type values. The event correlation analysis unit
The target format is a specific format, the record read from the record reading unit is input, the format of the input record is inspected, and the record that matches the target format is extracted.
Investigate the attribute value described in the specified attribute value column of the extracted record, concatenate the event type values of multiple records in which the common attribute value is described in the specified attribute value column according to the record input order, The information processing apparatus according to claim 5, wherein a correlation between events is analyzed based on the connected event type value. The event correlation analysis unit
The record that is located at the end of the already entered records in which the attribute value that is common to the attribute value described in the specified attribute value column of the newly input record is described in the specified attribute value column. Search as records,
Concatenates the event type value of the new input record with the event type value of the last record, investigates the combination of the event type value in the new input record and the last record, and counts the number of occurrences of each combination of event type values The information processing apparatus according to claim 5, wherein the information processing apparatus is an information processing apparatus. The event correlation analysis unit
Analyzing concatenated event type values to derive multiple event transition patterns,
The information processing apparatus according to claim 10, wherein the number of appearances of a combination of a transition source event type value representing a transition source event and a transition destination event type value representing a transition destination event is extracted for each event transition pattern. The event correlation analysis unit
In addition to showing multiple event transition patterns, event correlation diagram information indicating the number of occurrences of the combination of the transition source event type value and the transition destination event type value in each event transition pattern is generated in association with each event transition pattern ,
The information processing apparatus according to claim 11, wherein the generated event correlation diagram information is output to a display device. The input unit is
Enter event type value column designation information that designates two or more columns as the event type value column,
The calculation processing unit
The record read by the record reading unit is input, and each event type value column is selected from a plurality of columns of the input record, and each column other than the event type value column is set as an attribute value column. Combine event type values described in the column, compare the combined event type value with each attribute value described in each attribute value column, and combine the event type value and attribute after each attribute value column. Investigate the combination with the value, and for each attribute value column corresponding to the combination of the event type value and the attribute value after the combination, the number of combination types of the event type value and the attribute value after the combination is calculated. It is characterized by counting the number of combination types of event type values and attribute values after combining in multiple input records for each attribute value column. The information processing apparatus according to claim 1. The calculation processing unit
The target format is a specific format, the record read from the record reading unit is input, the format of the input record is inspected, and the record that matches the target format is extracted.
The information processing apparatus according to claim 1, wherein the number of types of combinations of event type values and attribute values in a plurality of extracted records is counted for each attribute value column. The calculation processing unit
Specify two or more specific formats as target formats, and extract matching records for each target format.
The information processing apparatus according to claim 14, wherein the number of types of combinations of event type values and attribute values in a plurality of extracted records is counted for each attribute value column for each target format. The calculation processing unit
For each target format, count the number of occurrences of the event type value in the extracted records,
16. The information processing apparatus according to claim 15, wherein, for each target format, a ratio of the number of types of combinations to the number of appearances of event type values is calculated as a type number ratio for each attribute value column. The calculation processing unit
Count the number of combination types for each attribute value column in units of event type values, count the number of occurrences of event type values in units of event type values,
The information processing apparatus according to claim 16, wherein the type number ratio is calculated for each attribute value column in units of event type values. The calculation processing unit
For each target format, compare the types ratio,
For each target format, generate attribute value column ratio information indicating each attribute value column along with its type ratio in descending order of type number ratio,
The information processing apparatus according to claim 16 or 17, wherein attribute value column ratio information of each target format is output to a display apparatus. The input unit is
An attribute that designates a specific attribute value column as a designated attribute value column from among a plurality of attribute value columns for each target format after attribute value column ratio information of each target format is output from the calculation processing unit to the display device Enter value column specification information,
The information processing apparatus further includes:
The record read from the record reading unit is input, the format of the input record is inspected, the record that matches each target format is extracted, and the specified attribute value column of the record is determined according to the format of the extracted record Investigate the attribute value described in the specified specified attribute value column, and concatenate the event type values of multiple records in which the common attribute value is described in each specified attribute value column according to the record input order. The information processing apparatus according to claim 18, further comprising: an event correlation analysis unit that analyzes a correlation between events based on the connected event type value. The information processing apparatus further includes:
A specific attribute value column is designated as a designated attribute value column from a plurality of attribute value columns for each target format based on the type number ratio calculated by the calculation processing unit,
The record read from the record reading unit is input, the format of the input record is inspected, the record that matches each target format is extracted, and the specified attribute value column of the record is determined according to the format of the extracted record Investigate the attribute value described in the specified specified attribute value column, and concatenate the event type values of multiple records in which the common attribute value is described in each specified attribute value column according to the record input order. The information processing apparatus according to claim 16, further comprising an event correlation analysis unit that analyzes a correlation between events based on the connected event type value. The event correlation analysis unit
The record that is located at the end of the already entered records in which the attribute value that is common to the attribute value described in the specified attribute value column of the newly input record is described in the specified attribute value column. Search as records,
Concatenates the event type value of the new input record with the event type value of the last record, investigates the combination of the event type value in the new input record and the last record, and counts the number of occurrences of each combination of event type values The information processing apparatus according to claim 19 or 20, characterized in that: An information processing method using a computer,
A record reading step of sequentially reading records including a plurality of columns from the storage device;
An input step of inputting event type value column specifying information for specifying an event type value column in which an event type value representing an event type is described among the plurality of columns;
The record read in the record reading step is input, and the event type value column is selected from the plurality of columns of the input record, and the attribute value indicating the event attribute is described in columns other than the event type value column. The attribute type column and the event type value described in the event type value column and the attribute value described in each attribute value column are compared and the event type value and attribute value are Investigate the combination, update the number of types of combination of event type value and attribute value for the attribute value column corresponding to each time a new type appears in the combination of event type value and attribute value, And a calculation processing step for counting the number of combinations of event type values and attribute values for each attribute value column. Information processing method to be. A record read process for sequentially reading records including a plurality of columns from the storage device;
An input process for inputting event type value column specifying information for specifying an event type value column in which an event type value representing an event type among the plurality of columns is described;
The record read by the record reading process is input, the event type value column is selected from the plurality of columns of the input record, and attribute values representing the attribute of the event are described in columns other than the event type value column The attribute type column and the event type value described in the event type value column and the attribute value described in each attribute value column are compared and the event type value and attribute value are Investigate the combination, update the number of types of combination of event type value and attribute value for the attribute value column corresponding to each time a new type appears in the combination of event type value and attribute value, Let the computer execute a calculation process that counts the number of combinations of event type values and attribute values for each attribute value column. Program characterized.

Images