JP6572722B2 - Event occurrence notification program, event occurrence notification method, and event occurrence notification device - Google Patents

Description

  The present invention relates to an event occurrence notification program, an event occurrence notification method, and an event occurrence notification apparatus.

  When an event such as a failure occurs, the information processing system outputs a message (also referred to as an error message) indicating an error or a warning. When an error message is output from the information processing system, the system administrator specifies an event occurring in the information processing system based on the error message.

  For example, the system administrator searches the history of past error messages in accordance with the output error message, and identifies an event corresponding to the matched error message as an event occurring on the information processing system. The system administrator then deals with the information processing system according to the identified event.

  A technique for searching for past failure cases is described in Patent Document 1, for example.

JP 2014-134955 A

  However, when an event is specified according to the output error message, a plurality of events may be specified. That is, the same error message may correspond to a plurality of events, and it is not easy to specify an event based on the error message.

  Therefore, for example, a system administrator having know-how specifies an actually occurring event from a plurality of events specified based on an error message according to experience. For this reason, the system administrator needs to have know-how, and man-hours are required to identify the event.

  In one aspect, an object of the present invention is to provide an event occurrence notification program, an event occurrence notification method, and an event occurrence notification device that improve the accuracy of event identification.

  According to the first aspect, the log information of the messages output from the information processing system is acquired by the computer, and the output order and output of the plurality of messages output from the information processing system in response to the occurrence of the specific event Information indicating that the plurality of messages are output in the output order of the storage unit in which the time intervals are stored and the output time intervals within a predetermined time difference from the output time intervals is included in the log information. In response to the detection, notification is made that a specific event corresponding to a plurality of messages in the output order and output time interval included in the log information has occurred on the information processing system.

  In one aspect, event identification accuracy can be improved.

It is a figure explaining an example of the information processing system in this Embodiment. It is a figure which shows an example of message ms contained in the log information which the log collection agent 204 shown in FIG. 1 collected. It is a figure explaining the specific process of the event in a comparative example. It is a flowchart figure explaining the flow of a process of the event generation notification program of this Embodiment. It is a 1st figure which shows the specific example of the event by the event generation notification program in this Embodiment. It is a 2nd figure which shows the specific example of the event by the event generation notification program in this Embodiment. It is a hardware block diagram of the event generation notification apparatus 100 in this Embodiment. The block diagram of the software block of the event generation notification apparatus 100 shown in FIG. 7 and the block diagram of the software block of the information processing system 200 (FIG. 1) are shown. It is a figure explaining the outline | summary of the corresponding | compatible information database 122 demonstrated in FIG. 7, FIG. It is a figure which shows an example of the corresponding | compatible information database. It is a figure explaining the specific process of the event based on the message output from the some software in a comparative example. It is a flowchart explaining the event occurrence notification processing of the event occurrence notification program 121 in the present embodiment described in FIG. 7 and FIG. It is a figure which shows an example of the coefficient of each item of additional information. It is a flowchart figure explaining the process of process S22 of FIG. It is a figure explaining the outline | summary of a process of process S22 of FIG. It is a figure explaining the process of process S23 of FIG. It is a 1st figure explaining the Example of the identification process of the event in this Embodiment. It is a 2nd figure explaining the Example of the specific process of the event in this Embodiment. It is a 3rd figure explaining the Example of the identification process of the event in this Embodiment. It is a 4th figure explaining the Example of the identification process of the event in this Embodiment. It is a figure which shows an example of the generation probability of the event prescribed | regulated to the corresponding | compatible information database.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. However, the technical scope of the present invention is not limited to these embodiments, but extends to the matters described in the claims and equivalents thereof.

[Information processing system]
FIG. 1 is a diagram illustrating an example of an information processing system according to the present embodiment. An information processing system 200 illustrated in FIG. 1 is a system on which a vertically integrated product operates. The vertically integrated product indicates, for example, a system provided by optimally configuring and setting hardware and software. The software of the vertically integrated product includes software such as an operation system, middleware, virtual environment, and system management software.

  In the information processing system 200 shown in FIG. 1, screen output software 201 (also referred to as software A), business processing software 202 (also referred to as software B), business database system 203 (also referred to as software C), and log collection agent 204 operate. . Hereinafter, the screen output software 201, the business processing software 202, and the business database system 203 are also referred to as software.

  The business database system 203 stores data processed by the business processing software 202 according to the database, and performs access processing such as data reference, update, addition, and deletion. The business process software 202 reads data stored in the business database system 203 and executes predetermined processing, and updates the processed data to the business database system 203.

  Further, the business processing software 202 outputs a result of the predetermined processing to the screen output software 201. For example, the screen output software 201 outputs the result information output from the business processing software 202 to an output device such as a screen included in the information processing system 200.

  Each software (screen output software 201, business processing software 202, business database system 203) outputs a message according to the processing result. Therefore, when an event such as a failure or a warning occurs in each software, the software 201 to 203 outputs a message indicating an error or a warning.

  In addition, the log collection agent 204 collects messages output by the software 201 to 203. The log collection agent 204 stores the collected message as log information in a storage medium or the like. The system administrator monitors the state of the information processing system 200 based on the log information collected by the log collection agent 204. For example, when the log information includes a message indicating an error or a warning, the system administrator specifies an event occurring in the information processing system 200 based on the message, and performs a countermeasure corresponding to the event.

[message]
FIG. 2 is a diagram showing an example of the message ms included in the log information collected by the log collection agent 204 shown in FIG. A message ms illustrated in FIG. 2 is a message output from the business database system 203 (FIG. 1) of the information processing system 200. The message shown in FIG. 2 includes a message “<INFO><xxx>-a new connection accepted” and a message “<ERROR> insufficient memory”.

  As described in FIG. 1, the system administrator specifies an event occurring in the information processing system 200 based on the message ms included in the log information as illustrated in FIG. 2. For example, the system administrator holds a history of messages when an event such as a failure occurs. Then, the system administrator searches the message history according to, for example, the message ms indicating the error, warning, information, etc. included in the log information, so that the information processing system 200 is based on the past event that the message matches. Identify the event occurring in.

[Identification of event]
FIG. 3 is a diagram illustrating event identification processing in a comparative example. The message ms illustrated in FIG. 3 corresponds to, for example, the message ms illustrated in FIG. 2 and 3 illustrate a plurality of messages, but a single message may be used.

  As shown in FIG. 3, the messages when two different events occur may be the same. For example, when there are few variations of messages output from software, the same message may be output even for different events. Therefore, the message ms included in the log information may correspond to a plurality of events in the message history. According to the example of FIG. 3, the message ms included in the log information corresponds to two events (event A and event B).

  For example, the event A indicates the event “a large number of connections are occurring”, and indicates a case where a large number of connections exceeding the allowable amount occur in the business database system 203 (FIG. 1). On the other hand, the event B indicates the event “the maximum memory amount setting is small”, and indicates a case where the memory amount set in the business database system 203 (FIG. 1) is insufficient.

  The system administrator deals with the information processing system 200 according to the identified event. When a plurality of events are specified, the system administrator cannot specify an event occurring in the information processing system 200 with high accuracy based on the message ms, and cannot take appropriate measures.

  For example, when the event A has occurred, the system administrator suppresses the processing for the business database system 203 by the business processing software 202 in order to reduce the number of connections to the business database system 203. On the other hand, when the event B has occurred, the setting of the maximum memory amount is updated in order to increase the maximum memory amount of the business database system 203.

  As described above, the action taken by the system administrator for the information processing system 200 differs depending on the identified event. Therefore, it is desirable that an event can be appropriately specified based on the message ms.

[Outline of this embodiment]
In this Embodiment, a memory | storage part memorize | stores an output order and an output time interval about the some message output from the information processing system 200 according to generation | occurrence | production of a specific event. Further, the event occurrence notification program in the present embodiment acquires log information of messages output from the information processing system 200.

  The event occurrence notification program includes, in the log information, information indicating that a plurality of messages are output at an output time interval within a predetermined time difference from the output order and output time interval stored in the storage unit. Determine whether or not. In response to the detection that the event occurrence notification program is included in the log information, a specific event corresponding to a plurality of messages in the output order and output time interval included in the log information has occurred in the information processing system 200 To be notified.

  Even when a plurality of messages output according to an event are the same, the output order and output time interval of the messages are often different depending on the event. Therefore, the event occurrence notification program according to the present embodiment refers to the storage unit that stores the output order and the output time interval for each event in advance for a plurality of messages output according to the event.

  As a result, the event occurrence notification program is generated in the information processing system 200 based on the output time interval including the output order of the plurality of messages and the deviation width of the predetermined time difference in addition to the plurality of messages included in the log information. Specific events can be detected with high accuracy.

  Therefore, even if the system administrator does not have the know-how of the information processing system 200, it is possible to specify the event occurring on the information processing system 200 with high accuracy without cost. Become. In addition, since it is possible to easily identify an event, it is possible to quickly deal with the event.

  FIG. 4 is a flowchart for explaining the flow of processing of the event occurrence notification program according to the present embodiment.

  S11: The event occurrence notification program acquires log information of a message output from the information processing system 200. The log information indicates, for example, a set of messages of each software collected by the log collection agent 204 described with reference to FIG. The event occurrence notification program may acquire the log information one by one or may acquire the log information at predetermined intervals.

  S12: The event occurrence notification program refers to the correspondence information database 122 (corresponding to the storage unit), and outputs a plurality of messages at an output time interval within a predetermined time difference from the output order and the output time interval stored in the correspondence information database 122. Is detected to be included in the log information. The correspondence information database 122 stores an output order and output time intervals for a plurality of messages output from the information processing system 200 in response to occurrence of a specific event.

  The output order of a plurality of messages is the output order between the plurality of messages. The output time interval of a plurality of messages indicates an output time interval when some messages are repeatedly output, an output time interval between a plurality of messages, and the like. The output time interval may be an output time interval of some messages among the plurality of messages. The output time interval may include the number of outputs.

  The output time interval has a predetermined time difference. For example, the output time interval “10-second interval” has a predetermined time difference “2 seconds”. Accordingly, the message of the output time interval “10 seconds interval” includes, for example, messages of “8 seconds interval” to “12 seconds interval”. The system administrator sets a predetermined time difference between output time intervals based on, for example, actual measurement values.

  The message output time interval may vary slightly depending on the load state and timing of the information processing system 200 and the network. Therefore, even when the output time interval has a predetermined time difference, even when the output time is around, information indicating that a plurality of messages are output in the output order and the output time interval of the correspondence information database 122, Inclusion in the log information 123 can be appropriately detected.

  S13: The event occurrence notification program notifies that a specific event corresponding to a plurality of messages in the output order and output time interval included in the log information has occurred on the information processing system 200. Specifically, the event occurrence notification program detects and notifies an event defined on the correspondence information database 122 in response to a plurality of messages in the output order and output time interval included in the log information.

  As described above, the event occurrence notification program according to the present embodiment can identify events with higher accuracy by paying attention to the output order and output time intervals of a plurality of messages. As a result, the event occurrence notification program can efficiently identify an event and promptly take action when a message indicating an error, a warning, or the like is output from the information processing system 200.

  Next, a specific example of an event by the event occurrence notification program according to the present embodiment will be described with reference to FIGS.

  FIG. 5 is a first diagram illustrating a specific example of an event by the event occurrence notification program according to the present embodiment. The multiple messages ms-1 shown in FIG. 5 are the first message “<INFO> <xxx>-New connection accepted” and the second message “<ERROR> Memory shortage occurred”. including.

  According to the example of the message ms-1 in FIG. 5, after the first message is output at intervals of about 10 seconds, the second message is output. That is, the output order of the plurality of messages is the order of the first message and the second message. The output time interval of the first message is 8 seconds to 12 seconds.

  Similar to the example of FIG. 3, in the examples of FIGS. 5 and 6, the first and second messages correspond to two events (event A and event B). However, event A and event B differ in the output time interval of the first message.

  For example, the output time interval of the first message in event A indicates a 10 second interval, and the predetermined time difference is, for example, 2 seconds. On the other hand, the output time interval of the first message in event B shows unequal intervals. Therefore, the event occurrence notification program stores the event A having the same output order and output time interval as those shown in FIG. 5 among the messages A and B stored in the correspondence information database 122. It is specified as an event occurring in the processing system 200.

  FIG. 6 is a second diagram illustrating a specific example of an event by the event occurrence notification program according to the present embodiment. The plurality of messages ms-2 shown in FIG. 6 are similar to the example of FIG. 5, the first message “<INFO> <xxx>-New connection accepted” and the second message “< "ERROR> Insufficient memory occurred".

  On the other hand, according to the example of the message ms-2 in FIG. 6, after the first message is output three times at unequal intervals, the second message is output. That is, the output order of the plurality of messages is the order of the first message and the second message, and the output time intervals of the first message are unequal intervals.

  Therefore, the event occurrence notification program stores the event B having the same output order and output time interval as the messages shown in FIG. 6 among the messages A and B stored in the correspondence information database 122. It is specified as an event occurring in the processing system 200.

  As shown in FIGS. 5 and 6, even if the messages ms-1 and ms-2 output in accordance with the event are the same, the output order and output time interval of the messages ms-1 and ms-2 differ depending on the event. There is a case. The output order and output time interval of a plurality of messages represent the processing content and operation state of the software when the messages are output. Therefore, even if a plurality of messages are the same depending on the event, the output order and output time interval are often different.

  Therefore, the event occurrence notification program according to the present embodiment can specify events easily and with high accuracy by paying attention to not only messages but also message output order and output time interval.

  Next, a hardware configuration diagram of the event occurrence notification apparatus according to the present embodiment will be described with reference to FIG. 7, and a software block diagram of the event occurrence notification apparatus according to the present embodiment will be described with reference to FIG.

[Hardware configuration of event occurrence notification device]
FIG. 7 is a hardware configuration diagram of the event occurrence notification device 100 according to the present embodiment. The event occurrence notification device 100 includes, for example, a central processing unit (CPU) 101, a memory 102 including a main memory 110, an auxiliary storage device 111, and the like, and a communication interface unit 103. Each unit is connected to each other via a bus 104.

  The CPU 101 is connected to the memory 102 and the like via the bus 104 and controls the event occurrence notification device 100 as a whole. The communication interface unit 103 is connected to the information processing system 200 (FIG. 1) and transmits / receives data. A main memory 110 indicating a RAM (Random Access Memory: RAM) or the like stores data to be processed by the CPU 101.

  The auxiliary storage device 111 has an area (not shown) for storing an operating system program executed by the CPU 101 and an event occurrence notification program storage area 121. The auxiliary storage device 111 further includes a correspondence information database storage area 122 and a log information storage area 123. The auxiliary storage device 111 represents a hard disk drive (HDD), a nonvolatile semiconductor memory, or the like.

  The event occurrence notification program in the event occurrence notification program storage area 121 (hereinafter referred to as the event occurrence notification program 121) implements the event identification process and the identified event notification process in the present embodiment by the execution of the CPU 101. To do.

  The correspondence information database (hereinafter referred to as the correspondence information database 122) in the correspondence information database storage area 122 stores the output order and output time intervals for a plurality of messages output from the information processing system 200 in response to the occurrence of a specific event. To do. Details of the correspondence information database 122 will be described later with reference to FIGS.

  The log information (hereinafter referred to as log information 123) in the log information storage area 123 includes a message group output from the information processing system 200. The log information 123 includes, for example, messages collected by the log collection agent 204 illustrated in FIG.

[Software block diagram of event occurrence notification device]
FIG. 8 shows a block diagram of the software block of the event occurrence notifying device 100 shown in FIG. 7 and a block diagram of the software block of the information processing system 200 (FIG. 1). The information processing system 200 shown in FIG. 8 is as described in FIG. 8, the same components as those shown in FIG. 1 are denoted by the same symbols.

  The event occurrence notification program 121 illustrated in FIG. 7 includes an acquisition module 131 and a notification module 132. The acquisition module 131 acquires the message group collected by the log collection agent 204 of the information processing system 200 as log information 123.

  The notification module 132 refers to the correspondence information database 122. The notification module 132 includes, in the log information 123, information indicating that a plurality of messages are output at an output time interval within a predetermined time difference from the output order and the output time interval stored in the correspondence information database 122. Detect that. Further, the notification module 132 notifies that a specific event corresponding to a plurality of messages in the output order and output time interval included in the log information 123 has occurred on the information processing system 200.

  Next, an example of the correspondence information database 122 in the present embodiment will be described with reference to FIGS.

[Corresponding information database 122]
FIG. 9 is a diagram illustrating an overview of the correspondence information database 122 described with reference to FIGS. 7 and 8. Although FIG. 9 illustrates information on three events, the correspondence information database 122 may include information on many events.

  The correspondence information database 122 illustrated in FIG. 9 stores additional information for a plurality of messages output in response to occurrence of an event. The additional information in the present embodiment includes, for example, an output order of a plurality of messages, an output time interval, an output start time, an output condition (additional information), and the like. The additional information only needs to include at least the output order and the output time interval.

  The output order and the output time interval are as described above. The output start time is a time when output of a plurality of series of messages is started. Some events may occur at a predetermined time and have a characteristic in the message output start time. For this reason, in addition to the output order and the output time interval, it is possible to specify the event with higher accuracy by specifying the event based on whether or not the output start times match.

  The output condition is, for example, additional information included in the message. For example, depending on the message, additional information may include information on a user who has instructed processing, position (address) information that can identify a location where a failure has occurred, and the like. For this reason, in addition to the output order and the output time interval, it is possible to specify an event with higher accuracy by specifying an event based on whether or not the additional information matches.

  FIG. 10 is a diagram illustrating an example of the correspondence information database 122. The message of each event in FIG. 10 indicates, for example, a message output from each of the software A to C shown in FIG. However, it is not limited to this example. The message of each event may be a message output from one software (for example, only software A).

  According to the example of FIG. 10, when the event of the item “1” occurs, the message “No item” (0 search results) is output from the software A and the message “<error> network” is output from the software B. "The connection has been disconnected" is output. In addition, the messages “<INFO> <xxx>-New connection accepted” and “<Error> Memory shortage occurred” are output from software C.

  Further, the output order of messages when the event of the item “1” occurs is software C, software B, software A, and software C. The output time interval of software A and B indicates “no repeat”, and the output time interval of the message “<INFO> <xxx>-New connection accepted” of software C is “10 second interval”. It is. The item “1” indicates a case where an event “a large number of connections are occurring”, and the event of the item “1” is also referred to as an event A.

  Further, according to the example of FIG. 10, when the event of the item “2” occurs, the message output from the software A to C is the same as the item “1”. Further, the output order of the messages when the event of the item “2” occurs is software C, software B, and software A. The output time interval of software A and B indicates “no repeat”, and the output time interval of the message “<INFO> <xxx>-New connection accepted” of software C is “unequal interval”. is there. The item “2” indicates a case where the event “setting of the maximum memory amount is small”, and the event of the item “2” is also referred to as an event B.

  In addition, according to the example of FIG. 10, when the event of the item “3” occurs, the message from the software A “<Error> The connection with the network has been disconnected”, ““ No item ”(search result is 0 ) "Is output. Also, the message “<Error> Connection to network <zzzz> has been disconnected” is output from software B. In addition, the messages “<INFO> <xxx>-New connection accepted” and “<Error> Memory shortage occurred” are output from software C.

  Further, when the event of item “3” occurs, the output order of the messages is software C, software A, software B, and software C. Further, the output time intervals of the software A to C indicate “no repeat”. As described above, the additional information may include information indicating that the additional information is not output repeatedly, that is, output only once, as an output time interval. Further, the message B output condition (additional information) of the software B is information “zzz”.

  Item “3” indicates a case where an event “delay occurs in the network between software A and B”, and the event of item “3” is also referred to as event C.

  Further, according to the example of FIG. 10, when the event of the item “4” occurs, the message “No item” (0 search results) is output from the software A. In addition, the messages “<Warning> No response time has reached timeout limit” and “<Error> Disconnected from network” are output from software B. In addition, the messages “<INFO> <xxx>-New connection accepted” and “<Error> Memory shortage occurred” are output from software C.

  Further, when the event of the item “4” occurs, the output order of the messages is software C, software B, software A, and software C. Further, the output time intervals of the software A to C indicate “no repeat”. The message output start time indicates a period of 10 minutes from the time “15:00:00”. The item “4” indicates an event “high load (slow down) of the software C”, and the event of the item “4” is also referred to as an event D.

  Note that the correspondence information database 122 does not necessarily store the same message as the message included in the log information 123. The message stored in the correspondence information database 122 may be partial information of each message. Since it may be possible to determine that they are the same message based on some information, the correspondence information database 122 only needs to store some information indicating the same message.

  Here, before explaining the details of the processing of the event occurrence notification program 121 shown in FIG. 7 and FIG. 8, problems when a plurality of pieces of software operate on the information processing system 200 will be further described.

[Multiple software]
In the present embodiment, as shown in FIG. 1, a plurality of software 201 to 203 (also referred to as software A to C) may operate on the information processing system 200. In this case, when a failure or the like occurs on the information processing system 200, the log information 123 includes messages output from a plurality of software A to C.

  When multiple pieces of software operate in the information processing system 200, different events may occur for each piece of software. Or there may be multiple events. Therefore, when a plurality of pieces of software A to C operate in the information processing system 200, it is not easy to appropriately specify an event.

  FIG. 11 is a diagram illustrating an event specifying process based on messages output from a plurality of software in a comparative example. The log information 323 illustrated in FIG. 11 includes messages output from the software A to C.

  It is not easy for a system administrator to have all software know-how, and the administrator often differs depending on the software. Therefore, the system administrator in charge of each software identifies an event based on the message of each software.

  Specifically, the system administrator in charge of software A specifies event 1 to event 3 by searching the message history 300a of software A according to the message of software A. Similarly, the system administrator in charge of the software B specifies the event 1 by searching the message history 300b of the software B according to the message of the software B.

  Further, the system administrator in charge of the software C specifies the event 1 and the event 3 by searching the message history 300c of the software C according to the message of the software C.

  Thus, when an event is specified for each software, a different event may be specified depending on the software. In addition, as described above with reference to FIGS. 2 and 3, for each software, a plurality of events (for example, events 1 to 3) may be specified based on a message (software A message).

  Therefore, when an event actually occurring on the information processing system 200 is specified, a system administrator having a plurality of software know-how determines the event based on each event specified for each software. However, determination processing by a system administrator who is familiar with a plurality of software is expensive. As described above, it is difficult to specify an event when a plurality of pieces of software operate on the information processing system 200.

  The processing of the event occurrence notification program 121 in this embodiment is also effective when a plurality of software operates in the information processing system 200 and the log information 123 includes a message output from the plurality of software.

  A failure state in the information processing system 200 may occur in conjunction with a plurality of software. The output order and output time interval of a plurality of messages represent processing contents and operation states of a plurality of software when the messages are output. Therefore, depending on the event, even if a plurality of messages are the same, the output order and output time interval of a series of messages by a plurality of software are often different.

  Therefore, the event occurrence notification program 121 according to the present embodiment further identifies one or more events based on the output order and output time interval between the messages output from different software. Thereby, the event occurrence notification program 121 can easily identify one or more events occurring in the information processing system 200 when the log information 123 includes messages output from the plurality of software A to C. It can be specified with high accuracy.

  Hereinafter, in the present embodiment, a case where a plurality of software A to C operate in the information processing system 200 is illustrated.

  Next, details of the processing of the event occurrence notification program 121 shown in FIGS. 7 and 8 will be described with reference to FIGS. An embodiment of processing of the event occurrence notification program 121 will be described with reference to FIGS.

[Processing of Event Occurrence Notification Program 121]
FIG. 12 is a flowchart for explaining the event occurrence notification process of the event occurrence notification program 121 in the present embodiment described with reference to FIGS.

  S21: The acquisition module 131 acquires the message group collected by the log collection agent 204 as log information 123 (FIG. 7). The acquisition module 131 may acquire the messages collected by the log collection agent 204 one by one or at predetermined intervals.

  Further, for example, the acquisition module 131 instructs the notification module 132 to perform the processing after step S22 in response to detection that the log information 123 includes a message indicating an error, a warning, predetermined information, or the like.

  S22: The notification module 132, in response to the instruction, among a plurality of messages defined in the correspondence information database 122, a plurality of messages that match in the log information 123 at a degree equal to or greater than a predetermined value (second reference value). Is detected. Details of the process of step S22 will be described later according to the flowchart of FIG.

  S23: The notification module 132 determines whether at least the output order and the output time interval of the additional information of the plurality of messages in the correspondence information database 122 detected in step S22 match the plurality of messages in the log information 123. . As described above, the output time interval has a predetermined time difference.

  The plurality of messages in the log information 123 have time information such as time stamps, for example. Therefore, the notification module 132 can acquire the output order of messages, the output time interval, and the output start time based on the time information of each message. Further, the notification module 132 can acquire message output conditions based on information included in each message.

  S24: When the output order and the output time interval match (Yes in S23), a plurality of messages are output at an output time interval within a predetermined time difference from the output order and output time interval stored in the correspondence information database 122. Is included in the log information 123. Therefore, the notification module 132 identifies an event corresponding to the information in the correspondence information database 122 detected as being included in the log information 123 as an event occurring on the information processing system 200.

  For example, the notification module 132 notifies the specified event to a display device (not shown in FIG. 7) of the event occurrence notification device 100 (FIG. 7). Alternatively, the notification module 132 may notify the specified event to the information processing system 200 or a terminal device of a system administrator.

  S25: When the output order and the output time interval do not match (No in S23), the notification module 132 notifies the display device or the like that an event not defined in the correspondence information database 122 has occurred. Then, for example, the notification module 132 newly registers additional information about a plurality of messages in the correspondence information database 122 in association with an event identified by a system administrator or the like based on the message.

  That is, the notification module 132 outputs the plurality of messages when the output order and the output time interval are not stored in the storage unit for the plurality of messages output from the information processing system in response to the occurrence of another specific event. The order and the output time interval are stored in the storage unit. Therefore, the notification module 132 registers and updates additional information of a plurality of messages in the correspondence information database 122 when a new event is detected.

  Thus, when the same event reoccurs as the new event, the notification module 132 can appropriately identify the new event by referring to the updated correspondence information database 122. In this way, by sequentially updating and holding the correspondence information database 122 during the operation process of the information processing system 200, even when a new event occurs, the event can be identified constantly with high accuracy. .

  As shown in the flowchart of FIG. 12, the notification module 132 calculates the degree to which the log information 123 includes information indicating that a plurality of messages in the correspondence information database 122 (storage unit) have been output. Then, the notification module 132 outputs a plurality of messages included in the log information 123 at an output time interval in which the output order and output time interval of the plurality of messages in the storage unit whose degree exceeds the second reference value are within a predetermined time difference. When they match, it is detected that they are included in the log information 123.

  That is, the notification module 132 determines the output order and the output time interval for a plurality of messages in the correspondence information database 122 that match a plurality of messages included in the log information 123 by a predetermined degree or more. As a result, the notification module 132 displays a plurality of messages in the output order and the output time interval of the correspondence information database 122 even if some omissions or differences occur in the messages in the log information 123. 123 can be appropriately determined.

  Thereby, the notification module 132 can appropriately detect a plurality of messages in the output order and the output time interval included in the log information 123 among the information in the correspondence information database 122. Therefore, the notification module 132 can identify an event occurring in the information processing system 200 with high accuracy.

  In addition, the storage unit (corresponding information database 122) in the present embodiment further stores either the output start time of a plurality of messages or additional information added to the plurality of messages. In addition to the output order and output time interval of the storage unit, the notification module 132 includes, in the log information, information indicating that a plurality of messages matching either the output start time or the additional information are output. It is detected that

  In this way, the notification module 132 identifies an event by paying attention to the output start time, additional information (corresponding to the output condition), etc. in addition to the output order and the output time interval. As a result, the notification module 132 can identify an event occurring in the information processing system 200 with high accuracy from a plurality of events having the same message. Further, the notification module 132 can specify the event occurring in the information processing system 200 with high accuracy when an event characterized by the output start time or additional information occurs.

(S23: first coefficient of each item of additional information)
Note that the notification module 132 may apply a weighting factor to each item included in the additional information in step S23. That is, each of the items of output order and output time interval, output start time, and / or additional information each have a first coefficient.

  Then, when the log information 123 includes information indicating that a plurality of messages in the storage unit have been output, the notification module 132 adds the first coefficient corresponding to the item according to the item match. Calculate the total value. The notification module 132 detects that it is included in the log information 123 when the total value exceeds the first reference value. The storage unit corresponds to the correspondence information database 122.

  As a result, the event occurrence notification program 121 occurs in the information processing system 200 based on the degree of match of the additional information among the plurality of events whose information indicating that a plurality of messages are output is included in the log information 123. Event can be identified with higher accuracy. In addition, when a plurality of events are specified, the event occurrence notification program 121 can determine the rank of the occurrence probability of the events among the plurality of events based on the degree of coincidence of the additional information.

  FIG. 13 is a diagram illustrating an example of the coefficient of each item of the additional information. According to the example of FIG. 13, the coefficient for the message output order and the output time interval is the value “1.0”. The coefficient for the message output start time is the value “0.5”, and the coefficient for the message output condition is the value “0.3”.

  The first reference value in the present embodiment is the value “1.0”. For example, the system administrator sets the total value of the coefficients when the output order and the output time interval coincide with each other as the first reference value. Therefore, the total value of the coefficients does not reach the first reference value even when the output order and the output time interval do not match or when other items match.

  Thus, the notification module 132 compares the total value of the coefficients of each item with the reference value. Thereby, the notification module 132, when the output order and the output time interval (including a predetermined time difference) match, a plurality of messages having the same output order and output time interval of the log information 123 are stored in the correspondence information database 122. It can be detected appropriately.

  In addition to the output order and the output time interval, when the output start times coincide, the total value of the weight coefficients is the value “1.5 (= 1.0 + 0.5)”. On the other hand, when the output conditions match in addition to the output order and the output time interval, the total value of the weighting coefficients is the value “1.3 (= 1.0 + 0.3)”. Therefore, the notification module 132 can identify an event having a higher probability of actually occurring among a plurality of events according to the degree of matching of the items of additional information.

  Next, the details of the process of step S22 in the flowchart shown in FIG. 12 will be described with reference to FIG.

[Step S22 in FIG. 12]
FIG. 14 is a flowchart for explaining the process in step S22 of FIG. As described above, in step S22, the notification module 132 includes a plurality of messages that match at a degree equal to or greater than a predetermined value (second reference value) in the log information 123 among a plurality of messages defined in the correspondence information database 122. Detect messages.

  S31: The notification module 132 collates a plurality of messages defined in the correspondence information database 122 with messages in the log information 123.

  S 32: The notification module 132 calculates the degree of match between the plurality of messages stored in the correspondence information database 122 and the messages in the log information 123. As described above, some of the plurality of messages may be missing or different depending on the environment and the contents of the event. Therefore, the notification module 132 calculates the degree of coincidence with the messages in the log information 123 for a plurality of messages defined in the correspondence information database 122.

  S33: The notification module 132 extracts a plurality of messages for which the degree of match calculated in step S32 exceeds the second reference value. Accordingly, the notification module 132 can appropriately detect a plurality of messages that match at a predetermined degree or more from the correspondence information database 122 even when all of the plurality of messages do not match. The second reference value in the present embodiment is, for example, 60%.

(S33: Second coefficient for each software)
Note that the notification module 132 may calculate the matching degree of the message by applying a coefficient set for each software in step S33. That is, each software has a second coefficient. Then, the notification module 132 applies the second coefficient corresponding to the output software of the message to the message included in the log information 123 among the messages included in the plurality of messages in the storage unit, and determines the degree. calculate. The storage unit corresponds to the correspondence information database 122.

  For example, the system administrator sets the second coefficient for each software based on the degree of difference in message depending on the event. For example, in the present embodiment, the message of the software B is largely different depending on the event. That is, if the messages of software B match, there is a high possibility that an event corresponding to the message has occurred. Therefore, the system administrator sets the coefficient of software B to a larger value than that of software A and C.

  In the present embodiment, the coefficient of software A is “20%”, the coefficient of software B is “50%”, and the coefficient of software C is “20%”. The notification module 132 then follows the expression “{(Software A message match × 20%) + (Software B message match × 50%) + (Software C message match × 30%)}”. The degree of match is calculated.

  As a result, the notification module 132 can increase the matching degree when messages output from software having different messages according to the event match. That is, the notification module 132 can calculate a higher degree of matching when the messages of the software B match.

  As described above, the notification module 132 indicates that the log information 123 includes information indicating that a plurality of messages defined in the correspondence information database 122 are output when the degree of match exceeds a predetermined reference value. Properly detect. Therefore, the notification module 132 can identify the event with higher accuracy by applying the second coefficient that is different for each software.

(Outline of the process of step S22 in FIG. 12)
FIG. 15 is a diagram for explaining the outline of the process in step S22 of FIG. FIG. 15 is a diagram schematically illustrating information in the correspondence information database 122 illustrated in FIG. Among the ellipses indicating each message defined in the correspondence information database 122 shown in FIG. 15, the ellipses indicated by diagonal lines indicate messages included in the log information 123, and the ellipses indicated by white lines are messages not included in the log information 123. Indicates.

  FIG. 15 illustrates a case where the software A outputs the message “No item” (search result is 0), and the software B outputs the message “connection to the network is disconnected”. Software C also outputs the messages “<INFO> <xxx>-New connection accepted” and “<Error> Memory shortage occurred”.

  When these messages are collated with the correspondence information database 122 shown in FIG. 10, they match all of the plurality of messages of items “1” and “2”. Therefore, the notification module 132 calculates the value “100% (= 20 + 50 + 30)” as the degree of matching between the message of the items “1” and “2” and the message in the log information 123.

  On the other hand, among the plurality of messages in the item “3”, the messages of software B and C match, and only a part of the messages of software A match. Therefore, the notification module 132 calculates the value “80% (= 50 + 30)” as the degree of matching between the message of the item “3” and the message in the log information 123.

  Of the plurality of messages in the item “4”, the messages of software A and C match, and the messages of software B only partially match. Therefore, the notification module 132 calculates the value “50% (= 20 + 30)” as the degree of matching between the message of the item “4” and the message in the log information 123.

  Similarly, among the plurality of messages in the item “5” (not shown in FIG. 10), for example, only the message of the software C matches. Therefore, the notification module 132 calculates the value “30%” as the degree of match between the message of the item “5” and the message in the log information 123.

  As described above, the second reference value in the present embodiment is, for example, 60%. Accordingly, the notification module 132 includes items “1” to “3” that match the second reference value “60%” or more in the log information 123 among the items defined in the correspondence information database 122. Detect multiple messages.

  On the other hand, if the second coefficient is not applied to each software message, the matching degree of the plurality of messages of items “3” and “4” is, for example, the value “66%”. Therefore, the notification module 132 detects a plurality of messages of items “1” to “4”.

  Thus, the notification module 132, by calculating the matching degree by applying different coefficients for each software, information indicating that a plurality of messages in the corresponding information database 122 is output, in the log information 123 Can be detected with higher accuracy. Thereby, the notification module 132 can identify an event more appropriately.

  In addition, the notification module 132 detects a plurality of messages whose items have a degree of match exceeding the second reference value, so that even if the log information 123 has some messages missing or different, the log information A plurality of messages included in 123 can be appropriately detected.

(Outline of processing in step S23 in FIG. 12)
FIG. 16 is a diagram illustrating the process in step S23 of FIG. FIG. 16 schematically shows the information in the correspondence information database 122 shown in FIG. As described above, in step S23, the notification module 132 determines whether at least the output order and the output time interval of the additional information of the plurality of messages in the correspondence information database 122 match the plurality of messages in the log information 123. To do.

  According to the example of FIG. 16, the output order and output time interval of the plurality of messages of the item “1” match the output order and output time intervals of the plurality of messages in the log information 123. Further, the additional information of the item “1” does not include the output start time and the output condition. Therefore, the total value of the coefficients is the value “1.0”.

  Further, according to the example of FIG. 16, the output order and output time interval of the item “2” do not match the output order and output time intervals of the plurality of messages in the log information 123. In addition, since the additional information of the item “2” does not include the output start time or the output condition, the total value of the coefficient is “0”.

  On the other hand, although the output order and output time interval of the item “3” do not match the output order and output time interval of the plurality of messages in the log information 123, the output conditions match. Accordingly, the total value of the coefficients of the item “3” is the value “0.3”.

  Therefore, the notification module 132 detects the item “1” in which the total value of the coefficients is “1.0” or more among the items “1” to “3” of the correspondence information database 122. That is, the notification module 132 detects the item “1” having the same output order and output time interval among the items “1” to “3” of the correspondence information database 122.

  Thus, the notification module 132, an output order and output time interval and a predetermined output time intervals within the time difference between the items of the corresponding information database 122 "1", information indicating that the plurality of messages is output, the log It is detected that it is included in the information 123. Then, the notification module 132 identifies the event A corresponding to the item “1” as an event occurring on the information processing system 200 (S24 in FIG. 12).

  Thus, an event occurrence notification program 121 in the present embodiment, based on the output order and the output time interval of the plurality of message output from the information processing system 200, appropriately, occurring in the information processing system 200 Event can be identified.

  When the total value of the coefficients of any item is less than the value “1.0”, the notification module 132 adds and stores additional information of a plurality of messages in the correspondence information database 122. Thereby, the notification module 132 can appropriately update the additional information of the plurality of messages regarding the new event in the correspondence information database 122.

  Next, Examples 1 to 4 of the event specifying process according to the present embodiment will be described with reference to FIGS.

Example 1
FIG. 17 is a first diagram illustrating an example of the event specifying process according to the present embodiment. FIG. 17 shows an example of a plurality of messages ms-11 included in the log information 123.

  According to the embodiment shown in FIG. 17, for example, the software C receives a message “<INFO> <xxx> -new connection accepted” at an interval of about 10 seconds in response to accepting a large number of connections. Output. When software A instructs software B to perform a search process, software B accesses software C to execute the search process instructed by software A.

  However, the software C cannot respond to the software B even after a predetermined time has elapsed because it is performing a process for accepting a large number of connections. Therefore, the software B outputs a message “connection to the network has been disconnected” and notifies the software A of an error. Software A then outputs the message “No item” (0 search results) when an error is returned. Further, the software C outputs a message “<error> memory shortage has occurred” due to the processing stagnation.

  Accordingly, the log information 123 illustrated in FIG. 17 includes a message “new connection accepted” by the software C at intervals of about 10 seconds. Further, the log information 123 indicates that the message “<Error> Memory shortage has occurred” by the software B at the time “14:10:09” and the message ““ by the software A at the time “14:10:10”. It has “No item” (0 search results). The log information 123 includes a message “<error> memory shortage has occurred” by software C at time “14:10:11”.

  When collated with the correspondence information database 122 shown in FIG. 10, the messages of the plurality of software items “1” to “3” match with a degree of match of 60% (second reference value) or more. Therefore, the notification module 132 collates the additional information of the items “1” to “3” with the additional information of the plurality of messages illustrated in FIG.

  As described above, the notification module 132 according to the present embodiment sets an item that matches a predetermined value or more as a target for comparing additional information. Thus, if, in the log information in FIG. 17, even when the missing and differences of some messages are present, the target item comparing additional information, it is possible to appropriately detect.

  According to the log information 123 shown in FIG. 17, the message output order is software C (part), software B, software A, software C (part). The output time interval of the message of the software C is about 10 seconds and is within the allowable deviation range.

  Therefore, the output order and the output time interval of the log information 123 shown in FIG. 17 coincides with the output order and the output time interval of the item "1" in the corresponding information database 122 shown in FIG. 10, the total value of the coefficients of the additional information Becomes the value “1.0”. In contrast, the output order and output time interval of the other items “2” and “3” do not match the output order and output time interval of the log information 123 shown in FIG. Therefore, the total value of the coefficients of the additional information of the other items “2” to “4” is less than the value “1.0”.

  Thereby, the notification module 132 specifies the event A of the item “1” as an event occurring on the information processing system 200. In other words, the event occurrence notification program 121 specifies that a large number of connections in the software C have occurred on the information processing system 200.

(Example 2)
FIG. 18 is a second diagram for explaining an example of the event specifying process in the present embodiment. FIG. 18 shows an example of a plurality of messages ms-12 included in the log information 123.

  According to the embodiment shown in FIG. 18, for example, the software C accepts a message “<INFO> <xxx> —new connection at unequal intervals in response to accepting a connection three times at unequal intervals. Is output. Similarly to the example of FIG. 17, when software A instructs software B to perform a search process, software B accesses software C to execute the search process instructed by software A.

  However, according to the embodiment of FIG. 18, the maximum memory amount set in the software C is small. As a result, the software C cannot accept a new connection by the software B due to a shortage of memory, and outputs the message “<error> memory shortage has occurred”.

  When the software B does not receive a response from the software C even after a predetermined time has elapsed, the software B outputs a message “connection to the network is disconnected” and notifies the software A of an error. When the error is notified from the software B, the software A outputs the message “No item” (0 search results).

  Therefore, the log information 123 shown in FIG. 18 includes a message “<INFO> <xxx>-New connection accepted” by software C and a message “<< Error> Insufficient memory ”. Further, the log information 123 indicates that the message “<Error> Memory shortage has occurred” by the software B at the time “14:10:09” and the message ““ by the software A at the time “14:10:10”. It has “No item” (0 search results).

  If corresponding information database 122 and collates shown in FIG. 10, in the same manner as the example of FIG. 17, items of "1" to "3", the software message coincides with 60% degree of matching. Accordingly, the notification module 132 extracts a plurality of messages of items “1” to “3” in the correspondence information database 122 in the same manner as in the embodiment of FIG.

  According to the log information 123 shown in FIG. 18, the output order of messages is the order of software C, software B, and software A, and the messages of software C are at unequal intervals. Therefore, the output order and the output time interval of the log information 123 shown in FIG. 17 coincides with the output order and the output time interval of the item "2" in the corresponding information database 122 shown in FIG. 10, the total value of the coefficients of the additional information Is the value “1.0”. On the other hand, the total value of the coefficients of the additional information of the other items “1” and “3” is less than the value “1.0”.

  Therefore, the notification module 132 identifies the event B of the item “2” as an event occurring on the information processing system 200. That is, the event occurrence notification program 121 specifies that the setting value of the maximum memory amount in the software C is insufficient on the information processing system 200.

  In addition, when the number of connectables corresponding to the maximum memory size can be detected, the output time interval is further 3 times for the output of the message "<INFO> <xxx>-New connection accepted". You may have the information to that effect. Thereby, the notification module 132 can specify an event with higher accuracy based on the message and the additional information.

(Example 3)
FIG. 19 is a third diagram for explaining an example of the event specifying process in the present embodiment. FIG. 19 shows an example of a plurality of messages ms-13 included in the log information 123.

  According to the embodiment shown in FIG. 19, there is a network delay between software A and software B. This causes a timeout of the connection, for example, software A, the message "<error> connection to the network has been disconnected", and outputs a message "" No item "(search result is 0)." .

  For example, the software B accesses the software C for search processing, receives a normal response, and tries to respond to the software A. However, since the communication between the software B and software A is the delay status, software B can not send a notification to the software A, and outputs a message "connection to the network <zzz> is cut." The software C notifies the software B of the processing result instructed by the software B, and then outputs a message “<error> memory shortage has occurred” in accordance with, for example, processing stagnation.

  Accordingly, the log information 123 illustrated in FIG. 19 includes the message “<Error> Connection to the network has been disconnected” at time “14:09:59” and time “14:10:00” by software A. Message “No item” (0 search results). In addition, the log information 123 includes a message “Software B disconnects from the network <zzz>” at time “14:10:05” and a message “Software C” at time “14:11:00”. <Error> A memory shortage has occurred.

  When collating with the correspondence information database 122 shown in FIG. 10, the messages of the items “1” to “3” match with a degree of match of 60% or more. Therefore, the notification module 132 extracts a plurality of messages of items “1” to “3” in the correspondence information database 122.

  According to the log information 123 shown in FIG. 19, the output order of the messages, the software C (part), software A, software B, and in that order software C (part), a message of each software, once It is output and does not have an output time interval. Further, the information “zzz” in the message “The connection with the network <zzz> has been disconnected” of the software B indicates an output condition (additional information).

  Accordingly, the output order, output time interval, and output condition of the log information 123 shown in FIG. 19 match the additional information of the item “3” in the correspondence information database 122 shown in FIG. 10, and the total value of the coefficients of the additional information is The value is “1.3”. On the other hand, the total value of the coefficients of the additional information of the other items “1” and “2” is less than the value “1.0”.

  Therefore, the notification module 132 specifies the event C of the item “3” as an event occurring on the information processing system 200. Thus, the event occurrence notification program 121 specifies that a network delay has occurred between the software A and the software B.

  If, the output order and the output time interval of the message shown in FIG. 19 is, if it matches the output order and the output time interval of the item "1" to "3", the notification module 132, the item "1" to "3" Corresponding events A to C are specified as events occurring in the information processing system 200. Therefore, when the additional information includes the output condition in addition to the output order and the output time interval, the notification module 132 can specify the event occurring in the information processing system 200 with higher accuracy.

(Example 4)
FIG. 20 is a fourth diagram illustrating an example of the event specifying process according to the present embodiment. FIG. 20 shows an example of a plurality of messages ms-14 included in the log information 123.

  According to the embodiment shown in FIG. 20, for example, the software C is in a high-load state due to accepting a large number of connections, and the processing is slowed down. When software A instructs software B to perform a search process, software B accesses software C to execute the search process instructed by software A. However, the software C cannot respond to the software B even if a certain time elapses because the processing is slowed down.

  Therefore, software B, the message "<Warning> no answer time has reached the time-out limit", and outputs a message "connection to the network is disconnected", and notifies the error to the software A. Software A then outputs the message “No item” (0 search results) when an error is returned. Further, the software C outputs a message “<error> memory shortage has occurred” after a predetermined period of time has passed since the process has been slowed down.

  Therefore, the log information 123 shown in FIG. 20 includes the message “<warning> no response time reached time-out limit” at time “15:10:04” and time “15:10:05” by software B. Has the message "Connection to the network has been lost". In addition, the log information 123, to the time "15:10:06", the message "" No item "(search result is 0)" by software A, to the time "15:11:00", the message by the software C “<Error> Insufficient memory occurred”.

  When collating with the correspondence information database 122 shown in FIG. 10, only the messages of each software item “4” match with a matching degree of 60% or more. Specifically, the degree of matching of items “1” and “2” indicates the value “50%”, and the degree of matching of item “3” indicates the value “30%”. Therefore, the notification module 132 extracts a plurality of messages of the item “4” in the correspondence information database 122. In this way, by setting the coefficient according to the software from which the message is output, the event can be specified with higher accuracy.

  Further, according to the log information 123 shown in FIG. 20, the output order of the messages is software C (part), software B, software A, software C (part), and each software message is 1 It is output only once and does not have an output time interval. The output start time “15:09:00” of the software C satisfies the output start time indicating a period of 10 minutes from the time “15:00:00”.

  Therefore, the output order and the output time interval, the output start time of the log information 123 shown in FIG. 20 coincides with the additional information item "4" in the corresponding information database 122 shown in FIG. 10, the total value of the coefficients of the additional information Becomes the value “1.5”. As a result, the notification module 132 identifies the event D of the item “4” as an event occurring on the information processing system 200. Therefore, the event occurrence notification program 121 specifies that the software C has entered a high load state due to accepting a large number of connections and the processing is slowing down.

[Judgment of occurrence probability]
Note that the notification module 132 according to the present embodiment may determine, for example, the probability of occurrence of a plurality of events defined in the correspondence information database 122 and output it to a display device or the like. As a result, the system administrator can determine the execution order of countermeasures for events based on the occurrence probability of events.

  FIG. 21 is a diagram illustrating an example of the occurrence probability of an event defined in the correspondence information database 122. The notification module 132 determines the occurrence probability of an event based on, for example, the degree of match of a plurality of messages, the total value of coefficients corresponding to the match of additional information, and the like.

  According to the example of FIG. 21, the matching degree of the plurality of messages corresponding to the event A among the events A to D is the largest. Further, the output order and output time interval of the event A coincide with a plurality of messages in the log information 123. Moreover, matching of the plurality of messages corresponding to the event B is larger next to event A, the even output order and the output time interval of the event B, consistent with the plurality of messages in the log information 123. On the other hand, the degree of match of the plurality of messages corresponding to event C and event D is lower than that of event A and event B, and the output order and output time interval do not match.

  Accordingly, the notification module 132 sets the occurrence probabilities in the order of event A (100%) and event B (80%), for example. Then, the notification module 132 sets the occurrence probability of the event C and the event D to a small value (20%) with respect to the event A and the event B.

  Thereby, the system administrator can confirm the information processing system 200 according to the rank of the occurrence probability of the event, and can efficiently determine the priority of confirmation. Further, the system administrator can efficiently identify an event when a large number of events have occurred on the information processing system 200.

[Other embodiments]
In the above-described embodiment, the case where a single event is specified based on a plurality of messages and additional information is illustrated. However, it is not limited to this example. In the information processing system 200, a plurality of events may actually occur. Accordingly, the notification module 132 may identify a plurality of events based on the plurality of messages and the additional information.

  The correspondence information database 122 in the present embodiment stores a plurality of messages and additional information when an event such as an error or a warning occurs. However, it is not limited to this example, and the correspondence information database 122 may further store a normal message, additional information, and the like.

  The above embodiment is summarized as follows.

(Appendix 1)
On the computer,
Obtain log information of messages output from the information processing system,
An output time interval within a predetermined time difference from the output order and the output time interval of the storage unit in which the output order and output time interval are stored for a plurality of messages output from the information processing system in response to the occurrence of a specific event In response to the detection that the information indicating that the plurality of messages are output is included in the log information, the specific information corresponding to the plurality of messages in the output order and the output time interval included in the log information. Notifying that an event has occurred on the information processing system;
An event occurrence notification program characterized by causing

(Appendix 2)
In Appendix 1,
The information processing system executes a plurality of software,
The log information includes messages output from the plurality of software.
Event occurrence notification program.

(Appendix 3)
In Appendix 1 or 2,
The storage unit further stores one of output start times of the plurality of messages and additional information added to the plurality of messages,
In the notification, in addition to the output order and the output time interval in the storage unit, information indicating that the plurality of messages in which either the output start time or the additional information matches is output, Detect that it is included in log information,
Event occurrence notification program.

(Appendix 4)
In Appendix 3,
The items of the output order and the output time interval, the output start time, and / or the additional information each have a first coefficient,
The notification is
When information indicating that a plurality of messages in the storage unit has been output is included in the log information, a total value is calculated by adding a first coefficient corresponding to the item according to the match of the item. ,
When the total value exceeds a first reference value, it is detected that it is included in the log information.
Event occurrence notification program.

(Appendix 5)
In any one of supplementary notes 1 to 4,
The notification is
Calculating the degree to which the log information includes information indicating that the plurality of messages in the storage unit have been output,
When the output order and output time interval of the plurality of messages in the storage unit whose degree exceeds the second reference value match the plurality of messages included in the log information at an output time interval within the predetermined time difference. To detect that it is included in the log information,
Event occurrence notification program.

(Appendix 6)
In Appendix 5,
The log information includes messages output from a plurality of software,
Each of the plurality of software has a second coefficient;
The notification applies the second coefficient corresponding to the output software of the message to the message included in the log information among the messages included in the plurality of messages of the storage unit, and the degree To calculate,
Event occurrence notification program.

(Appendix 7)
In any one of supplementary notes 1 to 6,
In the case where the output order and output time interval are not stored in the storage unit for the plurality of messages output from the information processing system in response to the occurrence of a specific event, the notification is output order and output for the plurality of messages. Storing the time interval in the storage unit;
Event occurrence notification program.

(Appendix 8)
Obtain log information of messages output from the information processing system,
An output time interval within a predetermined time difference from the output order and the output time interval of the storage unit in which the output order and output time interval are stored for a plurality of messages output from the information processing system in response to the occurrence of a specific event In response to the detection that the information indicating that the plurality of messages are output is included in the log information, the specific information corresponding to the plurality of messages in the output order and the output time interval included in the log information. Notifying that an event has occurred on the information processing system;
Event occurrence notification method.

(Appendix 9)
In Appendix 8,
The information processing system executes a plurality of software,
The log information includes messages output from the plurality of software.
Event occurrence notification method.

(Appendix 10)
In Appendix 8 or 9,
The storage unit further stores one of output start times of the plurality of messages and additional information added to the plurality of messages,
In the notification, in addition to the output order and the output time interval in the storage unit, information indicating that the plurality of messages in which either the output start time or the additional information matches is output, Detect that it is included in log information,
Event occurrence notification method.

(Appendix 11)
In Appendix 10,
The items of the output order and the output time interval, the output start time, and / or the additional information each have a first coefficient,
The notification is
When information indicating that a plurality of messages in the storage unit has been output is included in the log information, a total value is calculated by adding a first coefficient corresponding to the item according to the match of the item. ,
When the total value exceeds a first reference value, it is detected that it is included in the log information.
Event occurrence notification method.

(Appendix 12)
In any one of appendices 8 to 11,
In the case where the output order and output time interval are not stored in the storage unit for the plurality of messages output from the information processing system in response to the occurrence of a specific event, the notification is output order and output for the plurality of messages. Storing the time interval in the storage unit;
Event occurrence notification method.

(Appendix 13)
A storage unit for storing an output order and an output time interval for a plurality of messages output from the information processing system in response to occurrence of a specific event;
An acquisition unit for acquiring log information of a message output from the information processing system;
For detecting that the log information includes information indicating that the plurality of messages are output at an output time interval within a predetermined time difference from the output order and the output time interval stored in the storage unit. In response, a control unit that notifies that a specific event corresponding to a plurality of messages in the output order and output time interval included in the log information has occurred on the information processing system;
An event occurrence notification device characterized by comprising:

(Appendix 14)
In Appendix 13,
The information processing system executes a plurality of software,
The log information includes messages output from the plurality of software.
Event occurrence notification device.

(Appendix 15)
In Appendix 13 or 14,
The storage unit further stores one of output start times of the plurality of messages and additional information added to the plurality of messages,
In the control unit, in addition to the output order and the output time interval in the storage unit, information indicating that the plurality of messages in which any of the output start time and the additional information match is output, Detecting that it is included in the log information;
Event occurrence notification device.

(Appendix 16)
In Appendix 15,
The items of the output order and the output time interval, the output start time, and / or the additional information each have a first coefficient,
The controller is
When information indicating that a plurality of messages in the storage unit has been output is included in the log information, a total value is calculated by adding a first coefficient corresponding to the item according to the match of the item. ,
When the total value exceeds a first reference value, it is detected that it is included in the log information.
Event occurrence notification device.

(Appendix 17)
In any of Supplementary Notes 13 to 16,
When the output order and the output time interval are not stored in the storage unit for the plurality of messages output from the information processing system in response to the occurrence of a specific event, the control unit Storing an output time interval in the storage unit;
Event occurrence notification device.

100: event occurrence notification device, 200: information processing system, 121: event occurrence notification program, 131: acquisition module, 132: notification module, 122: correspondence information database, 123: log information

Claims (7)

On the computer,
Obtain log information of messages output from the information processing system,
A combination of the output order of each message type for a plurality of messages output from the information processing system in response to the occurrence of a specific event and the output time interval of the same type of message included in the plurality of messages is stored. A first combination of the output order and a time interval that is within a predetermined time difference with respect to the output time interval ;
In response to detecting that a plurality of messages corresponding to the identified first combination are included in the log information, notifying that the specific event has occurred on the information processing system;
An event occurrence notification program characterized by causing processing to be executed. In claim 1,
The information processing system executes a plurality of software,
The log information includes messages output from the plurality of software.
Event occurrence notification program. In claim 1 or 2,
The storage unit further stores one of output start times of the plurality of messages and additional information added to the plurality of messages,
In the notification, in addition to the output order and the output time interval in the storage unit, information indicating that the plurality of messages in which either the output start time or the additional information matches is output, Detect that it is included in log information,
Event occurrence notification program. In any one of Claims 1 thru | or 3,
In the case where the output order and the output time interval are not stored in the storage unit for the plurality of messages output from the information processing system in response to the occurrence of the specific event, the notification includes the output order and the plurality of messages. Storing an output time interval in the storage unit;
Event occurrence notification program. In claim 1 ,
The notification is
When it is determined that a plurality of messages corresponding to the identified first combination are included in the log information, the fact that the specific event has occurred on the information processing system is notified.
Event occurrence notification program. Obtain log information of messages output from the information processing system,
A combination of the output order of each message type for a plurality of messages output from the information processing system in response to the occurrence of a specific event and the output time interval of the same type of message included in the plurality of messages is stored. A first combination of the output order and a time interval that is within a predetermined time difference with respect to the output time interval ;
In response to detecting that a plurality of messages corresponding to the identified first combination are included in the log information, notifying that the specific event has occurred on the information processing system;
An event occurrence notification method, characterized by causing a computer to execute processing. Stores a combination of the output order of each message type for a plurality of messages output from the information processing system in response to the occurrence of a specific event, and the output time interval of the same type of message included in the plurality of messages A storage unit;
An acquisition unit for acquiring log information of a message output from the information processing system;
Referring to the storage unit, a first combination of the output order and a time interval that is within a predetermined time difference with respect to the output time interval is specified, and a plurality of messages corresponding to the specified first combination are stored in the log A control unit for notifying that the specific event has occurred on the information processing system in response to detection of being included in the information;
An event occurrence notification device characterized by comprising:

Images