JP5618381B2 - Event log search method, apparatus and program thereof - Google Patents

Description

  The present invention relates to a technique for searching event logs in software.

  In recent years, a number of technologies utilizing event logs have been proposed as solutions for information processing systems such as business systems in enterprises that are realized by software running on computers. Normally, in order to complete a business case, it is necessary to sequentially execute various processes using the functions of the server and client of the information processing system. The event log is a record of the processing and operations performed in the process up to the completion of the matter, and the contents of the system status change (here, these are collectively referred to simply as events) along with the processing time (time stamp). Is. The event log of each case is stored in the storage device. For example, checks whether there are cases in which illegal processing or necessary processing has been missed in business audits, and what types of cases are causing errors. Used for analysis for improvement.

  In inspection and analysis using event logs, a technique is required for assigning conditions to a set of event logs and searching for event logs that match the conditions. A general event log search technique extracts an event log in which an event described as a condition appears, as in a Web search for extracting a document including a search keyword. However, in the actual event log inspection and analysis, there are cases where it is desired to extract an event log in which two or more specific events appear in a specific order, that is, an event log including a specific event occurrence order. Technology needs to be established.

[Conventional technology]
As a search technique for a specific event occurrence order, there is a technique proposed in Non-Patent Document 1. In the technique proposed in Non-Patent Document 1, a condition indicating a specific event occurrence order is described by linear temporal logic, and it is determined whether each event log stored in the storage device satisfies the condition. The technique proposed in Non-Patent Document 1 will be described below.

When a set of event logs stored in the storage device is S and an event log for a matter is π∈S, the event log π is a sequence in which events generated in the process of the matter are arranged in ascending order of time stamps. Can be expressed as That is, _assuming that a set of all events included in the set S of event logs is A, and events that occur in the event log π are e ₁ , e ₂ ,..., E _{n in} ascending order of time stamps, π = e ₁ the e ₂ e ₃ ··· e _n. Here, e ₁ , e ₂ ,..., E _n ∈A. The length of the event log π is expressed as | π |.

  In linear temporal logic formulas described as search conditions, in addition to logical operators such as negation (¬), conjunction (∧), and disjunction (∨) in propositional logic, Next (○), Until (U), etc. Modality operators can be used. FIG. 1 shows the grammar of linear temporal logic written in BNF notation.

To determine whether the event log π satisfies the linear temporal logic formula F, Check (F, π, 0) is executed using the function Check (F, π, i). The Check (F, [pi, i) is a function that determines whether to satisfy a formula F at the i-th event e _i in the event log [pi. The output is true or false, meaning that the logical expression is satisfied or not satisfied, respectively. Check (F, π, 0) is recursively determined for the structure of logical expression F. FIG. 2 shows an outline of the determination process of Check (F, π, i), that is, the determination process of whether the event log π satisfies the linear temporal logic formula F.

  Such a determination method needs to determine event logs individually using the Check function. Therefore, there is a problem in that the amount of calculation for searching the log is proportional to the number of event logs included in the set S.

  Various proposals have been made in the model checking technology field as a technique for speeding up judgment based on temporal logic. In model checking, the behavior of a system is modeled by an automaton, and it is determined whether the behavior satisfies a specification described by a temporal logic expression. Since the amount of calculation required for determination increases in proportion to the number of states of the automaton, the automaton is expressed by a compact data structure called BDD (Binary Decision Diagram), and non-patent literature 2 that speeds up the inspection procedure, Non-Patent Document 3 and the like have been proposed in which a high speed is realized by using a SAT solver by reducing to the SAT problem. Such speed-up technology is based on the premise that the inspection object is an automaton.

  When a high-speed technique used in model checking or the like is applied to the search based on temporal logic of the event log, it is necessary to convert the set S of event logs into an automaton equivalent to it. If each event included in the set of events is expressed by alphabets (a, b, c, etc.), the event log can be expressed as a character string a, abb, ac, bc, etc. An automaton equivalent to the set S of event logs is an automaton that accepts only a character string included in S.

  Non-Patent Document 4 proposes SeqBDD (Sequence BDD) as a data structure that compactly represents a set of character strings of a finite length. SeqBDD is a kind of acyclic directed graph expressed by nodes and edges with directions connecting the nodes.

  There are two types of nodes: an intermediate node having an edge to another node and a sink node having no edge to another node. The intermediate node has a label, and here is an alphabetic character. There are always two edges from the intermediate node to the other nodes, which are referred to as 1 edge and 0 edge, respectively. Further, a node connected to the 1 edge side is called a 1 child node, and similarly a node connected to the 0 edge side is called a 0 child node.

  When one child node is an intermediate node, it indicates the character that appears next to the character indicated by the parent node in the character string. When the 0 child node is an intermediate node, it means that the character indicated by the parent node does not appear in the character string but the character of the 0 child node appears. The order is given to the characters, and there is no restriction on the label of the intermediate node and the intermediate node of its one child node. The labels of the intermediate node and the intermediate node of its 0 child node must follow the order and characters appear. For example, when there is an order of a → b and the label of the intermediate node is b, the label of the intermediate node of the 0 child node is not allowed to be a or b.

  The sink node has a label of 1 or 0 and is called 1 sync node and 0 sync node, respectively. In SeqBDD, there is only one 1 sync node and one 0 sync node. In SeqBDD, a route that passes through an intermediate node represents a character string. When the route reaches one sink node, it means that the character string indicated by the route is included in the set of character strings represented by SeqBDD. If the route reaches 0 sink node, it means that the character string indicated by the route is not included in the set of character strings represented by SeqBDD.

  FIG. 3 shows SeqBDD meaning a set of character strings {abc} composed only of character strings abc. FIG. 4 shows SeqBDD meaning a set of character strings {aaa, aba, bbc, bc} composed of character strings aaa, aba, bbc, bc. In FIG. 4, the edge from the intermediate node to the 0 sync node and the display of the 0 sync node are omitted for ease of explanation. In the following illustrations of SeqBDD, the same is used.

  Intuitively, the height of one edge from one sink node of the intermediate node of SeqBDD indicates the appearance position of the character of the label in the character string to be expressed (the higher one appears at the previous position in the character string). . On the other hand, the relationship between the intermediate node and the intermediate node of the 0 child node represents a variation of the appearing character at the same position in the character string. For example, the a node at the highest position in FIG. 4 means a character string in which the letter a appears at the beginning of the character string. The b node which is a 0 child node of the a node means a character string in which a does not appear at the head of the character string but b appears.

  SeqBDD is a data structure that has recently been applied in the data mining domain. It is mainly used to extract partial character strings that frequently appear from a set of character strings. When SeqBDD is used to search event logs based on temporal logic, it can be considered that a set of event logs is converted to SeqBDD equivalent to it. Since SeqDBB can be regarded as a kind of automaton, it is possible to speed up the search by applying a model checking technique acceleration technique to SeqBDD. However, in the event log search using such SeqBDD, the current technology has the following problems.

In general, in the description of event log search conditions, the event itself is not always described as an atom of a temporal logic formula. For example, it is assumed that an application GUI image is recorded as an event in the event log. Of course, there may be a case where an image itself (which is referred to as an image a) is given to an atom and searched by a temporal logic formula (true U a) such as “event log where an image a appears someday”. However, there is a case where it is desired to search for the appearance order from another viewpoint of “an image in which an error window appears” instead of the event itself. In this case, a function for mapping the event to the viewpoint established by the event is required. That is, the map function m can be expressed as m: A → 2 ^{P where} P is a set of viewpoints.

When a search using a temporal logic formula with the viewpoint as an atom is performed under such a map function m, the event log on the search target, that is, the event sequence on the event set A is a subset 2 ^{P of the} viewpoint. It must be converted to the upper column (here called the viewpoint column).

  For example, when “abc” exists as the event log, the map function m is m (a) = [α], m (b) = [α] for a subset of the viewpoint set P = [α, β]. , M (c) = [β] is considered (the map function m is a pair expression m: (a, [α]), (b, [α]), (c, [β]), etc. May be expressed.) At this time, the event log “abc” is converted into the viewpoint sequence “ααβ” (precisely [α] [α] [β] but abbreviated), and the temporal logic in which atoms are elements of the set P of viewpoints) Search by expression.

  It is desirable that such conversion of the event log into the viewpoint column can be realized on the SeqBDD representing the set S of event logs. A set {aa, aba, bbc, bc} of event logs (character strings) represented by SeqBDD in FIG. Is shown in FIG.

  In order to obtain SeqBDD in FIG. 5, it is conceivable to convert each event log once into a viewpoint column and construct SeqBDD from a set of viewpoint columns. However, with this method, the atoms change in the temporal logic formula of the search condition, that is, it is necessary to reconstruct the SeqBDD from the beginning each time the set of viewpoints P is changed or the mapping between events and viewpoints is changed. SeqBDD is constructed for each search, which contributes to a decrease in search response.

  If it is possible to directly convert SeqBDD representing a set of event logs into SeqBDD representing a set of viewpoint columns, it is possible to prevent a decrease in search response. In SeqBDD, an algorithm for performing various set operations and operations on SeqBDD has been proposed (refer to Table 3 of Non-Patent Document 5 for a brief summary). However, with a simple combination of these proposed operations, conversion from a set of event logs to a set of viewpoint columns that is desired to be realized in the present invention cannot be realized on SeqBDD.

  In the present invention, when searching for a set of event logs using a temporal logic formula with the viewpoint of the event as an atom, a search response is sent each time a set of viewpoints or a mapping between events and viewpoints is changed by changing the search condition. In order to solve the problem of lowering, the following features are provided.

As the first invention of the present invention,
A method for searching an event log including a specific event occurrence order from a set of event logs, an input device, a storage device storing a set of event logs expressed in SeqBDD format, an output device, and search control means And the event log adding means, the map function generating means, the viewpoint sequence set converting means, and the searching means, and the search control means describes a temporal logic describing a condition representing a specific event occurrence order from the input device. If the expression is input, retrieving the SeqBDD representing a set of event logs from the storage device, the mapping function generating unit in accordance with the control of the search control means, the event and time phase logical expressions appearing in the set of event log and creating a map function of a subset of the viewpoint appearing in atom, the viewpoint column set conversion means in accordance with the control of the search control means is taken out from the storage device event And converting the SeqBDD representing a set of equivalent aspect columns based SeqBDD representing a set of Torogu the map function, the search means in response to the control of the search control means, the input from SeqBDD representing a set of viewpoint column A step of extracting viewpoint columns satisfying the temporal logic formula, a step of the search control means converting the extracted viewpoint columns into an event log by an inverse function of a map function, and the search control means Determining whether an event log is included in SeqBDD representing a set of event logs extracted from the storage device, and outputting only the included event log to the output device.

As a second invention of the present invention,
In the step of converting SeqBDD representing a set of event logs taken out from the storage device in the first invention into SeqBDD representing a set of equivalent viewpoint columns based on a map function, a viewpoint according to the control of the search control means A first step in which the column set conversion means replaces the label of the intermediate node of SeqBDD representing the set of event logs from the event to the corresponding viewpoint from the map function, and the reference node that is the vertex node in SeqBDD converted from the label to the viewpoint A second step for determining whether the node is a sink node, a third step for determining whether there is a node having the same label among the comparison nodes that are intermediate nodes that can be reached only by 0 edge from the reference node when the node is not a sink node, and the reference node If there is no comparison node with the same label, the 0 child node and 1 child node of the reference node A fourth step that recursively repeats the second and subsequent steps as a node, and a fifth step in which, when there is a comparison node having the same label as the reference node, the 0 edge to the comparison node is replaced with a 0 sink node And a sixth step for obtaining a SeqBDD representing the union of the SeqBDD having the reference node as the vertex and the SeqBDD having the comparison node as the vertex, and an edge to the reference node with respect to the vertex node of the SeqBDD of the obtained union Executing the seventh step of re-sequencing and the eighth step of recursively repeating the second and subsequent steps, with the 0 child node and 1 child node of the vertex node of the SeqBDD of the obtained union as the reference nodes, respectively. It is characterized by.

As a third invention of the present invention,
A method of updating a memory device in the first or second invention, furthermore, by using the event log additional means, when the search control means, the event log to be searched from the input device is input, the storage device and creating and retrieving SeqBDD representing a set of event log, the event log additional means according to the control of the search control means, the SeqBDD representing a set of said input event logs only elements from the search control step event log addition means according to the control of the means to determine the SeqBDD representing the union of the SeqBDD representing a set of event log retrieved from SeqBDD a memory device representing a set of only the element input event logs that the created When the search control unit, characterized by comprising the steps of: storing SeqBDD representing the union which is the determined in the storage device.

As a fourth invention of the present invention,
A device for searching an event log including a specific event occurrence order from a set of event logs, an input device, a storage device for storing a set of event logs expressed in SeqBDD format, an output device, and an event log Map function generating means for creating a map function between an event appearing in the set and a subset of the viewpoint appearing in the atom of the temporal logic formula, and SeqBDD representing the set of event logs based on the map function m A viewpoint column set conversion means for converting to a SeqBDD representing a set of points, a search means for extracting a viewpoint sequence satisfying a temporal logic expression from a SeqBDD representing a set of viewpoint sequences, and a condition indicating a specific event occurrence order from the input device. when temporal logic expressions when describing is input, retrieves the SeqBDD representing a set of event logs from the storage device, and controls the mapping function generating means, appears in the set of event log To create a map function of a subset of the viewpoint appearing in vent and time phase formulas of atoms, by controlling the aspect column set conversion means, the SeqBDD representing a set of event log retrieved from the storage device to the mapping function based was converted to SeqBDD representing a set of equivalent aspect column, by controlling the retrieval means, from SeqBDD representing a set of viewpoint column to extract the viewpoint columns satisfy the temporal logic expressions when the input was the extracted The viewpoint column is converted into an event log by the inverse function of the map function, and it is determined whether the converted event log is included in SeqBDD representing a set of event logs extracted from the storage device, and only the included event log is output. And at least a search control means for outputting to.

As a fifth invention of the present invention,
In a fourth invention, further, the SeqBDD representing the union of the SeqBDD representing a set of event log create a SeqBDD representing a set of only event logs entered as elements, it is stored in this storage device When the event log to be searched is input from the input device, the search control means further retrieves SeqBDD representing a set of event logs from the storage device, and controls the event log addition means. Te, only event logs the input to create a SeqBDD representing a set of an element controls the event log additional means, removed from SeqBDD a memory device representing a set of only the element input event logs that the created It was sought SeqBDD representing the union of the SeqBDD representing a set of event logs, especially to store SeqBDD representing the union which is the determined in the storage device To.

As a sixth invention of the present invention,
It is a program for causing a computer to function as each means of the fourth or fifth invention .

  According to the present invention, it is possible to perform a set conversion from a set of event logs to a viewpoint column on SeqBDD, and a set of viewpoints and events that appear in atoms of a temporal logic expression described as a search condition Even if the viewpoint mapping is changed, the log can be searched at high speed.

Explanatory diagram showing the grammar of linear temporal logic written in BNF notation Flow chart showing an outline of a determination process of whether the event log π satisfies the linear temporal logic formula F Explanatory drawing which shows SeqBDD showing the set {abc} of character strings Explanatory drawing which shows SeqBDD showing the set {aaa, aba, bbc, bc} of character strings SeqBDDs representing the event log set {aaa, aba, bbc, bc} shown in FIG. 4 are expressed as m (a) = [α], m (b) = [α], m (c) = [β]. Explanatory drawing showing SeqBDD representing a set of viewpoint sequences {ααα, ααβ, αβ} converted based on the map function m The block diagram which shows an example of embodiment of the apparatus which implements the search method of the event log of this invention The flowchart which shows the update process of the set of event logs of this invention Flowchart showing event log search processing of the present invention Flow chart showing map function generation processing Flow chart showing the conversion process of SeqBDD The state of rewriting the label of each intermediate node of SeqBDD shown in FIG. 4 based on the map function m of m (a) = [α], m (b) = [α], m (c) = [β] Explanatory drawing showing FIG. 10 is a flowchart showing details of step S42 in FIG. Explanatory drawing which shows the result of having performed step S54 of FIG. 12 for the vertex node of SeqBDD shown in FIG. Explanatory drawing which shows SeqBDD which has the node 1 of SeqBDD shown in FIG. 13 as a vertex Explanatory drawing which shows SeqBDD which makes node 2 of SeqBDD shown in FIG. 13 a vertex Explanatory drawing which shows the result which calculated | required the union of SeqBDD shown in FIG.14 and FIG.15 Explanatory drawing which shows SeqBDD which makes node 2 'of SeqBDD shown in FIG. 16 a vertex Explanatory drawing which shows SeqBDD which makes node 3 'of SeqBDD shown in FIG. 16 a vertex Explanatory drawing which shows the result which calculated | required the union of SeqBDD shown in FIG.17 and FIG.18 Explanatory drawing which shows the state which replaced the edge to the node 2 'of SeqBDD shown in FIG. 16 to the vertex node of SeqBDD shown in FIG. Explanatory drawing which shows SeqBDD expressing the set which consists only of event log “aaa” Explanatory drawing which shows SeqBDD expressing the set which consists only of event log “aba” Explanatory drawing which shows the result which calculated | required the union of SeqBDD shown in FIG.21 and FIG.22.

  FIG. 6 shows an example of an embodiment of an apparatus for carrying out the method for retrieving an event log according to the present invention, here an example realized on a known computer. In the figure, 11 is an input device, and 12 is a storage device. , 13 is an output device, and 14 is a computer.

  The input device 11 includes a keyboard, a mouse, and the like, and is used by the user to input predetermined information to the computer 14, that is, an event log to be searched and a time phase logical expression to be a search condition. The storage device 12 records an event log input from the input device 11, and stores and holds a set of event logs in the format of SeqBDD. The output device 13 is composed of a display or the like, and is for displaying the progress of the procedure of FIG. 7 and FIG. 8 performed by the computer 14 and the result (extracted event log).

  The computer 14 constitutes a search control unit 15, an event log addition unit 16, a map function generation unit 17, a viewpoint sequence set conversion unit 18, and a search unit 19.

  The search control unit 15 controls each unit configured in the computer 14 and performs the procedures of FIGS. 7 and 8. Specifically, the procedure of FIG. 7 is performed when an event log to be searched is input from the input device 11, the event log input to the set of event logs in the storage device 12 is added, and the storage device 12. Update the set of event logs. The search control unit 15 performs the procedure of FIG. 8 when a time phase logical expression representing a search condition is input from the input device 11, and an event log satisfying the time phase logical expression from the set of event logs in the storage device 12. And the result is output to the output device 13.

  By performing the steps from S21 to S24 in FIG. 8, it is possible to extract a viewpoint column that satisfies the input temporal logic formula f. However, what is needed here is the original event log corresponding to the viewpoint column. In step S25, the viewpoint sequence obtained there is converted into an event log by the inverse function of the map function m. For example, it is assumed that the viewpoint sequence “ααα” is extracted from the set of viewpoint sequences indicated by SeqBDD in FIG. When the map function m is m (a) = [α], m (b) = [α], m (c) = [β], since α corresponds to the event a or b, the viewpoint sequence is performed in step S25. As event logs corresponding to “ααα”, “aaa”, “aab”, “aba”, “baa”, “bab”, “bba”, “bbb” can be obtained.

  Since the event logs obtained in this way include event logs that are not included in the original event log set, it is determined whether or not these event logs are included in the event log set in step S26. Only the event log to be output is output to the output device 13. In the case of this example, the SeqBDD of the set of event logs corresponding to the set of viewpoint columns in FIG. 5 is as shown in FIG. 4, and event logs “aaa” and “aba” are output as a result. Note that determining whether or not a character string is included in a set of character strings on SeqBDD is a well-known matter according to Non-Patent Document 4 and the like, and will not be described.

  The event log adding unit 16 performs steps S12 and S13 in the procedure of FIG. 7 performed by the search control unit 15, creates a SeqBDD representing a set having only the input event log as an element, and the storage device SeqBDD representing the union of SeqBDD representing the set of event logs stored in is obtained.

  That is, when an event log to be searched from the input device 11, here π, is input, the search control unit 15 extracts SeqBDD representing a set of event logs from the storage device 12 (S 11), and the event log adding unit 16. To create a SeqBDD representing a set having only the event log π input in the step of S12 as an element, and the event log adding unit 16 generates a set having only the created input event log π in the step of S13. The SeqBDD representing the union of the SeqBDD represented and the SeqBDD representing the set of event logs extracted from the storage device 12 is obtained, and then the SeqBDD representing the obtained union is stored in the storage device 12 (S14).

  The map function generation unit 17 performs the step of S22 in the procedure of FIG. 8 performed by the search control unit 15, specifically, the procedure of FIG. 9 to convert the event log set into the viewpoint sequence set. A map function m of events that appear in the set of event logs and a subset of viewpoints that appear in the atoms of the temporal logic formula is generated.

  In the procedure of FIG. 9, the set of events that appear in the event log set S in step S31 is A, and the atoms (viewpoints) that appear in the temporal logic formula f are extracted in step S32, and the set P and To do. Next, if the set A is an empty set in step S33, the process is terminated and the process returns to step S23 in the procedure of FIG. If the set A is not an empty set, one event is extracted from the set A in step S34 and represented by e. Next, in step S35, a pair (e, Q) of the extracted event and a set Q⊆P of viewpoints satisfied by the event is created. Further, the created pair (e, Q) is added to the map function m in step S36, the process returns to step S33, and steps S34 to S36 are repeated until the set A becomes an empty set.

  The viewpoint sequence set conversion unit 18 performs the step of S23 in the procedure of FIG. 8 performed by the search control unit 15, specifically the procedure of FIG. 10, and generates SeqBDD representing the set of event logs extracted from the storage device 12. Based on the map function m, it is converted into SeqBDD that represents a set of equivalent viewpoint columns.

  In the procedure of FIG. 10, in step S41, the label of each intermediate node of SeqBDD representing the event log set S is rewritten from the event to the viewpoint set based on the map function m. For example, when the map function m is given by m (a) = [α], m (b) = [α], m (c) = [β] for SeqBDD in FIG. 4, the label of the intermediate node of SeqBDD Rewriting a and b to α and rewriting the label c to β gives SeqBDD in FIG.

  The SeqBDD obtained in this way does not satisfy the SeqBDD condition, and normalization is required. For example, in the SeqBDD of FIG. 11, there are those in which the intermediate node and its 0 child node have the same viewpoint (node 1 and node 2 or node 3 and node 4 in FIG. 11). Therefore, in the subsequent step of S42, the procedure of FIG. 12 is performed on the vertex node (reference node) n of the SeqBDD obtained in the step of S41, and converted into normalized SeqBDD.

  In the procedure of FIG. 12, it is first checked in step S51 whether the given node n is a sink node. If it is a sink node, no further conversion is possible, so the procedure ends. If the node is not a sink node but an intermediate node, it is checked in step S52 whether there is a node n 'having the same label as the node n among the intermediate nodes (comparison nodes) that can be reached from the node n with only 0 edges.

  When there is no same label, the step of S53 is performed, and the procedure after S51 is recursively performed with the 0 child node and the 1 child node of the node n as the node n. If the same label exists, the following steps S54 to S57 are performed. For example, if the procedure of FIG. 12 is performed on the vertex node 1 of FIG. 11, the node 2 that is the 0 child node of the node 1 has the same α label, and therefore the steps from S54 to S57 are performed. .

  In step S54, first, the 0 edge to the node n 'is connected to the 0 sink node. FIG. 13 shows the result of performing this step on the vertex node 1 in FIG. Note that the 0 edge from node 1 to node 2 is deleted in FIG. The 0 edge to node 2 is connected to the 0 sink node, but is omitted from the notation.

  Next, in step S55, a union of SeqBDD having node n as a vertex node and SeqBDD having node n 'as a vertex is obtained. When this step is performed on SeqBDD in FIG. 13, a union of SeqBDD (FIG. 14) having node 1 as a vertex and SeqBDD (FIG. 15) having node 2 as a vertex is obtained. The resulting SeqBDD is shown in FIG. Since the method for obtaining the SeqBDD of the union is a well-known matter according to Non-Patent Document 1, etc., the description is omitted.

  In step S56, if there is an edge to node n, it is replaced with the vertex node of SeqBDD obtained in step S55. In the case of FIG. 16, since node n is the vertex node 1 and there is no edge to node 1, no particular processing is performed.

  Finally, in step S57, the procedure from S51 onward is recursively performed with the 0 child node and 1 child node of the vertex node of SeqBDD created in step S56 as node n. When the step of S57 is executed in SeqBDD of FIG. 16, the 0 sink node (not shown) which is the 0 child node of the vertex node 1 ′ and the node 2 ′ which is the 1 child node are respectively set as the node n and the steps after S51. Implement the procedure.

  When the procedure after S51 is performed on the 0 sync node, the process is terminated without performing any particular processing according to the determination of the sync node in the step of S51. On the other hand, for the node 2 ′, steps S51, S52, and S54 are executed. In step S55, SeqBDD (FIG. 17) having the node 2 ′ that is the node n as a vertex node and the node 3 that is the node n ′. A union with SeqBDD (FIG. 18) having 'as a vertex node is obtained (FIG. 19).

  In the step of S56, the edge (from the node 1 ′) to the node 2 ′ that is the node n in FIG. 16 is replaced with the vertex node 1 ″ of FIG. 19 obtained in S55 to obtain the SeqBDD of FIG. Thereafter, the procedure after S51 is recursively performed with the 0 child node and 1 child node of the node 1 ″ in FIG. 20 as the node n, respectively, but as a result, no particular change occurs, and finally the SeqBDD in FIG. Can be converted to

  In this way, the procedure of FIG. 12 and the viewpoint sequence set conversion unit 18 that performs the procedure can directly obtain SeqBDD that represents a set of equivalent viewpoint sequences from SeqBDD that represents a set of event logs. This eliminates the need to obtain an SeqBDD that represents a set of viewpoint columns by converting the event log into a viewpoint column each time a search condition is input, and can greatly improve the search response.

  The search unit 19 performs the step of S24 in the procedure of FIG. 8 and extracts viewpoint columns that satisfy the input temporal logic formula f for the SeqBDD obtained by the viewpoint column set conversion unit 18. SeqBDD is a kind of automaton, and the technique for extracting a character string that satisfies the temporal logic formula for a set of character strings accepted by the automaton is a well-known matter in Non-Patent Documents 2 and 3, and therefore will not be described. .

  In the above-described embodiment, the example in which the search control unit 15, the event log addition unit 16, the map function generation unit 17, the viewpoint sequence set conversion unit 18, and the search unit 19 are realized on the computer 14 is shown. It may be realized by wear. Each of these devices exists in a distributed manner on a plurality of pieces of hardware connected to each other via an appropriate communication path, and can be executed while communicating with each other.

  Here, as an embodiment of the present invention, an event log search method when the configuration of FIG. 6 is adopted will be described.

  For example, consider a case where no event log stored in the storage device 12 exists. Here, when the event log “aaa” is input from the input device 11, the search control unit 15 configured in the computer 14 performs the procedure of FIG. 7, and the event log adding unit 16 includes only the event log “aaa”. The SeqBDD of FIG. 21 representing the set is created and recorded in the storage device 12. Furthermore, when the event log “aba” is input from the input device 11, the procedure of FIG. 7 is performed in the same manner, and the SeqBDD of FIG. 21 stored in the storage device 12 and the set of only the event log “aba” are represented. The event log adding unit 16 obtains the union (FIG. 23) with SeqBDD in FIG. 22 and stores it in the storage device 12. Further, when the event log “bbc” or “bc” is input from the input device 11, the SeqBDD representing the set of event logs {aaa, aba, bbc, bc} stored in the storage device 12 as a result is as shown in FIG. .

  When SeqBDD stored in the storage device 12 is FIG. 4, a case is considered in which ◇ β (an event log in which β is established sometime) is input from the input device 11 as the time phase logical expression f. Here, β is established only at event c, and is not established at events a and b. At this time, the search control unit 15 configured in the computer 14 performs the procedure of FIG.

  First, in step S21, the SeqBDD of FIG. 4 stored in the storage device 12 is taken out. Next, in step S22, the map function generation unit 17 creates a map function m of an event and a set of viewpoints established by the event. Specifically, the procedure of FIG. 9 is performed. That is, the event set becomes A = {a, b, c} in step S31, and the viewpoint set P becomes P = [β] in step S32. In subsequent steps S33 to S36, events are taken one by one from the event set A, and a subset of viewpoints established by the event is obtained. Here, the subset of viewpoints established by event a and event b is an empty set, and the subset of viewpoints established by event c is [β]. If the empty set is expressed by α, the map function m can be expressed by (a, α), (b, α), (c, β).

  When the map function m is obtained, the search control unit 15 performs the subsequent step of S23 of FIG. 8, and the viewpoint sequence set conversion unit 18 performs the procedure of FIG. First, in step S41, the label of SeqBDD in FIG. 4 is changed from an event to a viewpoint based on the map function m. As a result, the obtained SeqBDD is shown in FIG. Further, the step of S42 is performed, and the SeqBDD of FIG. 11 is converted into the SeqBDD of FIG. 20 by the procedure of FIG. When the SeqBDD representing the set of viewpoint columns is obtained, the search control unit 15 performs the step S24 in the procedure of FIG. 8, and the search unit 19 selects a viewpoint column satisfying the temporal logic formula ◇ β with respect to the SeqBDD of FIG. Ask.

  As a result, viewpoint columns “ααβ” and “αβ” are extracted. The search control unit 15 executes the step of S25 on the viewpoint column extracted in this way, and converts the viewpoint column into an event log using an inverse function of the function m. As a result, event logs “aac”, “abc”, “bbc”, “ac”, “bc” can be obtained. Finally, in step S26, the search control unit 15 determines whether these event logs are included in the SeqBDD of FIG. 4 extracted from the storage device 12, and outputs only those included in the output device 13. In this case, event logs “bbc” and “bc” are output.

  11: input device, 12: storage device, 13: output device, 14: computer, 15: search control unit, 16: event log addition unit, 17: map function generation unit, 18: viewpoint sequence set conversion unit, 19: search Department.

W. M. P. van der Aalst, H. T. de Beer and B.F. van Dongen, "Process Mining and Verification of Properties: An Approach based on Temporal Logic", Lecture Notes in Computer Science, Vol.3760, pp.130-147, Springer, 2005 JR Burch, EM Clarke and KL McMillan, "Symbolic Model Checking: 1020 States and Beyond", Information and Computation, Logic in Computer Science, 1990. LICS '90, Proceedings., Fifth Annual IEEE Symposium one, pp.428-439, 4-7 Jun 1990 A. Biere, A. Cimatti, E. Clarke and Y. Zhu, "Symbolic Model Checking without BDDs", Lecture Notes in Computer Science, Vol.1579, pp.193-207, Springer, 1999 E. Loekito, J. Bailey and J. Pei, "A binary decision diagram based approach for mining frequent subsequences", Knowl. Inf. Syst., Vol.24, pp.235-268, Springer, 2009 Tsuji, "Recent developments of discrete structures and processing systems based on BDD / ZDD", IEICE Fundamentals Review, Vol.4, No.3, pp.224-230, IEICE, 2011

Claims (6)

A method for searching an event log including a specific event occurrence order from a set of event logs,
An input device, a storage device that stores a set of event logs expressed in the SeqBDD format, an output device, a search control unit, an event log addition unit, a map function generation unit, a viewpoint sequence set conversion unit, and a search With means,
When the search control means receives a temporal logic expression describing a condition representing a specific event occurrence order from the input device, a step of retrieving SeqBDD representing a set of event logs from the storage device;
Map function generation means in response to the control of the search control means, and creating a map function of a subset of terms of appearance in the event and time phase formulas of atoms occurring in the set of event log,
A step in which the viewpoint column set conversion means for converting the SeqBDD representing a set of equivalent aspect columns based SeqBDD representing a set of event log retrieved from the storage device to the mapping function in accordance with the control of the search control means,
Retrieval means under the control of the search control means, extracting a viewpoint columns satisfy the temporal logic expressions when the SeqBDD representing a set of viewpoint column is the input,
A search control means for converting the extracted viewpoint sequence into an event log by an inverse function of a map function;
The search control means includes a step of determining whether the converted event log is included in SeqBDD representing a set of event logs extracted from the storage device, and outputting only the included event log to the output device. Search method for event logs. In the step of converting SeqBDD representing a set of event logs retrieved from the storage device into SeqBDD representing a set of equivalent viewpoint columns based on a map function,
According to the control of the search control means, the viewpoint sequence set conversion means
A first step of replacing a label of an intermediate node of SeqBDD representing a set of event logs from an event to a corresponding viewpoint by a map function;
A second step of determining whether a reference node which is a vertex node in SeqBDD converted from a label as a viewpoint is a sink node;
A third step of determining whether there is a node with the same label among the comparison nodes, which are intermediate nodes that can be reached with only 0 edge from the reference node when they are not sink nodes;
A fourth step that recursively repeats the second and subsequent steps using a 0-node and a 1-child node of the reference node as reference nodes, respectively, when there is no comparison node having the same label as the reference node;
A fifth step of replacing the 0 edge to the comparison node with a 0 sink node when there is a comparison node having the same label as the reference node;
A sixth step of obtaining a SeqBDD representing a union of SeqBDD having a reference node as a vertex and a SeqBDD having a comparison node as a vertex;
A seventh step of replacing the edge to the reference node with respect to the vertex node of the SeqBDD of the obtained union;
The eighth step of recursively repeating the second step and subsequent steps is performed with the 0 child node and 1 child node of the vertex node of the SeqBDD of the obtained union as reference nodes, respectively. How to search the described event log. A method for updating a storage device in the event log search method according to claim 1, comprising:
Furthermore , using event log addition means,
When an event log to be searched is input from the input device, the search control means retrieves SeqBDD representing a set of event logs from the storage device;
A step of event log addition means according to the control of the search control means, to create a SeqBDD representing a set of only the element event log said inputted,
Event Log addition means according to the control of the search control means, the SeqBDD representing the union of the SeqBDD representing a set of event log retrieved from SeqBDD a memory device representing a set of only the element input event logs that the created Seeking steps,
Search control means, the search method of the event log according to Claim 1 or 2, characterized by comprising the steps of storing the SeqBDD representing the union which is the determined in the storage device. An apparatus for searching an event log including a specific event occurrence order from a set of event logs,
An input device;
A storage device for storing a set of event logs represented in SeqBDD format;
An output device;
A map function generating means for creating a map function between an event appearing in a set of event logs and a subset of viewpoints appearing in atoms of a temporal logic formula;
Viewpoint column set conversion means for converting SeqBDD representing a set of event logs into SeqBDD representing a set of equivalent viewpoint columns based on the map function m;
A search means for extracting a viewpoint column satisfying a temporal logic formula from SeqBDD representing a set of viewpoint columns;
When a temporal logic expression describing a condition representing a specific event occurrence order is input from the input device, SeqBDD representing a set of event logs is extracted from the storage device,
And it controls the mapping function generating means, to create a map function of a subset of terms of appearance in the event and time phase formulas of atoms occurring in the set of event log,
And it controls the viewpoint column set conversion means, to convert the SeqBDD representing a set of event log retrieved from the storage device SeqBDD representing a set of equivalent aspect columns based on the mapping function,
And it controls the retrieval means, from SeqBDD representing a set of viewpoint column to extract the viewpoint columns satisfy the temporal logic expressions when said input,
Converting the event log by inverse function of the mapping function aspects row in which the extracted,
Search control means for determining whether or not the converted event log is included in a SeqBDD representing a set of event logs extracted from the storage device, and outputting only the included event log to the output device. Event log search device. In addition ,
SeqBDD representing a set having only the input event log as an element is created, and an event log adding means for obtaining SeqBDD representing a union of this and a SeqBDD representing a set of event logs stored in the storage device is provided,
The search control means further includes:
When an event log to be searched is input from the input device, SeqBDD representing a set of event logs is extracted from the storage device,
Controlling the event log additional means, to create a SeqBDD representing a set of said input event logs only element,
Controlling the event log additional means to determine the SeqBDD representing the union of the SeqBDD representing a set of event log by extracting only the input event logs that the created from SeqBDD a storage device that represents the set of the elements,
Search device event log according to claim 4, characterized in that storing SeqBDD representing the union which is the determined in the storage device.   The program for functioning a computer as each means of the search apparatus of the event log of Claim 4 or 5.

Images