WO2016075915A1 - Système d'analyse de journal, procédé d'analyse de journal, support d'enregistrement de programme - Google Patents

Système d'analyse de journal, procédé d'analyse de journal, support d'enregistrement de programme Download PDF

Info

Publication number
WO2016075915A1
WO2016075915A1 PCT/JP2015/005570 JP2015005570W WO2016075915A1 WO 2016075915 A1 WO2016075915 A1 WO 2016075915A1 JP 2015005570 W JP2015005570 W JP 2015005570W WO 2016075915 A1 WO2016075915 A1 WO 2016075915A1
Authority
WO
WIPO (PCT)
Prior art keywords
log
pattern
appearance
reference pattern
information
Prior art date
Application number
PCT/JP2015/005570
Other languages
English (en)
Japanese (ja)
Inventor
遼介 外川
Original Assignee
日本電気株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電気株式会社 filed Critical 日本電気株式会社
Priority to JP2016558878A priority Critical patent/JP6665784B2/ja
Publication of WO2016075915A1 publication Critical patent/WO2016075915A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment

Definitions

  • the present invention relates to a log analysis system, a log analysis method, and a log analysis program for analyzing a log output from an information processing system.
  • the operation manager of an information processing system such as a computer system monitors the log output by the computer system, checks the normality of the system, and analyzes abnormalities such as failures. It is important to monitor and analyze the log based on the relevance of a plurality of messages included in the log.
  • Patent Document 1 discloses a message analysis system that detects the occurrence of a failure based on messages collected from a plurality of computer systems and analyzes the detected failure.
  • the message analysis system disclosed in Patent Document 1 accumulates time elements of messages generated corresponding to cases, and aggregates cases using received message times and accumulated time elements.
  • the message analysis system aggregates and analyzes a plurality of messages for each case.
  • Patent Document 2 discloses a log monitoring system that detects a specific event by analyzing log information output from application software executed by a computer based on a predefined condition.
  • the log monitoring system of Patent Document 2 classifies each log information in a preset time zone unit based on the log onset time included in the accumulated log information.
  • the log monitoring system compares the messages included in each log information within the same time zone, and measures the number of log information including the same message as an expression frequency condition. Then, when the number of occurrences of log information per unit time matches the expression number condition, the log monitoring system generates notification condition information candidates that are referred to by the event detection device that performs the notification process of the log information.
  • the following technology discloses a technology for automatically generating analysis rules for comprehensive analysis of a huge log.
  • Patent Document 3 discloses an information processing apparatus that supports increasing the filter accuracy of a failure message.
  • the information processing apparatus of Patent Literature 3 extracts only relevant messages from a plurality of messages transmitted from a device at the time of failure, and groups the plurality of extracted messages.
  • the information processing apparatus determines a relationship between messages by paying attention to a co-occurrence relationship between an arbitrary message and a message output before and after the message is transmitted.
  • the information processing apparatus groups messages when the value of the index indicating the strength of the co-occurrence relationship is equal to or greater than a certain value.
  • Patent Document 4 discloses a notification device that detects an abnormality of a message that occurs in a distributed system composed of a plurality of information processing devices.
  • the notification device of Patent Document 4 records a message that occurred on an arbitrary day of the week and time zone, and the number of occurrences of the message, and groups the messages as a series of messages up to a separately defined maximum length value. To do.
  • the notification device groups a plurality of normal messages transmitted from the analysis target device as a series of related messages.
  • the message analysis system of Patent Document 1 can analyze a message received in real time by matching processing with examples defined in various formats.
  • the message analysis system has a problem that undefined cases cannot be analyzed in real time. This is because the message analysis system performs message analysis based on predefined cases.
  • conditions necessary for updating a known event and detecting a new event can be generated by analyzing log information including the same message in the same time zone.
  • the log monitoring system has a problem in that conditions necessary for updating a known event and detecting a new event cannot be generated unless the same message is detected.
  • the information processing apparatus of Patent Document 3 defines the relationship between messages using the co-occurrence probability of consecutive messages and the score calculated using the co-occurrence probability. Therefore, for example, when the types of messages for which the relationship must be defined increases as the number of logs increases, the combinations of messages to be considered also increase. As a result, the information processing apparatus has a problem that it takes time to obtain an appropriate solution because the amount of calculation increases when the number of message combinations themselves increases.
  • the notification device of Patent Document 4 defines the number of types of a series of consecutive messages with a maximum length, but does not specifically disclose a standard for defining the maximum length.
  • the notification device has a problem that even unrelated messages are grouped because all messages appearing in an arbitrary time zone are targeted for grouping.
  • the present invention provides a log analysis system capable of reducing the time for extracting a combination of log messages output continuously within a predetermined time when analyzing a log message output from an information processing system. With the goal.
  • the log analysis system includes reference pattern generation means for generating a reference pattern for each combination of log messages that appear synchronously based on appearance information of log messages, and appearance information of log messages included in the reference patterns.
  • Reference pattern combining means for comparing the reference patterns and combining the reference patterns based on the comparison result is provided.
  • a reference pattern is generated for each combination of log messages that appear synchronously, and the log message appearance information included in the reference pattern is generated between the reference patterns.
  • the reference patterns are combined based on the comparison result.
  • a process for generating a reference pattern for each combination of log messages that appear synchronously based on the appearance information of log messages, and the appearance information of the log message included in the reference pattern between the reference patterns executes the process of combining the reference patterns based on the comparison result.
  • FIG. 1 is a block diagram showing a configuration of a log analysis system 1 according to the first embodiment of the present invention.
  • the direction of the arrow shown in all the block diagrams after FIG. 1 shows an example, and does not limit the direction of the signal between blocks.
  • the log analysis system 1 includes a log collection unit 11, a log aggregation unit 12, a reference pattern generation unit 13, a reference pattern combination unit 14, and a pattern storage unit 15. Prepare.
  • the log collection unit 11 collects log files of the analysis target system 10.
  • the log collection unit 11 may receive a log file from the analysis target system 10 or may read the log file from a storage unit (not shown).
  • the log collection unit 11 may accept an input of a log file from the operation manager.
  • FIG. 2 shows an example of log files (log files 101 to 103) collected by the log analysis system 1.
  • a log file is a set of log messages (also called log records), and is composed of at least one log message as shown in FIG.
  • the log message includes a plurality of log elements such as a log ID (Identifier) that is an identifier for identifying each log message, the time when the log message is output, the message body, the log level, and the like.
  • a log ID Identifier
  • the log ID is also referred to as a log identifier, and may be simply referred to as ID below.
  • the log collection unit 11 generates an integrated log in which the log messages stored in all the log files are rearranged in time series based on the collected at least one log file.
  • the log collecting unit 11 transmits the generated integrated log to the log totaling unit 12.
  • FIG. 3 shows an example (integrated log 104) of the integrated log generated by the log collecting means 11.
  • the unified log is a set of log messages and is composed of at least one log message as shown in FIG.
  • the integrated log is a combination of log messages that originally constituted different log files.
  • the integrated log may be a set of information obtained by combining an identifier for identifying a log file and a line number of the log message in the log file.
  • the log collection unit 11 may receive, from the operation manager, specification of the range of log messages to be collected, such as specification of the log file itself to be collected and specification of the date and time of the log message recorded in the log file.
  • the log collection unit 11 reads a file (not shown) in which information necessary for analyzing a log message is defined, and the log analysis system 1 easily analyzes the format of the acquired log file according to the information defined by the file. May be converted to
  • the log totaling unit 12 calculates the appearance information of each log message based on the information received from the log collecting unit 11 and a separately defined time width.
  • the time width indicates the range of the appearance time of the log message to be counted by the log counting means 12.
  • the time width may be defined by the user, or may be recorded in advance in a file (not shown).
  • FIG. 4 is a diagram showing an example of appearance information (appearance information 105).
  • the appearance information is composed of a pair of at least one appearance time and the number of appearances corresponding to the log ID of the log message. Note that the appearance information may include the total number of appearances.
  • the appearance information 105 of FIG. 4 a plurality of appearance times are recorded for each log ID, and the number of appearances corresponding to each of the plurality of appearance times is recorded.
  • the log totaling means 12 reads the integrated log for each time width, and totals the type and number of IDs included in the corresponding portion of the integrated log within the read time width as the number of appearances.
  • the log totaling means 12 selects one arbitrary time from the time divided by the time width and registers it as the appearance time of the ID.
  • the log totaling unit 12 may register the median value, the minimum value, and the maximum value of the divided times as the appearance time.
  • the log totaling unit 12 transmits the calculated appearance information to the reference pattern generating unit 13.
  • the reference pattern generation unit 13 compares at least one piece of appearance information received from the log totaling unit 12 and combines the pieces of appearance information having the same ID. Then, the reference pattern generation unit 13 transmits the combined ID combination and its appearance information to the reference pattern combination unit 14. That is, the reference pattern generation unit 13 generates a reference pattern for each combination of log messages that appear synchronously based on the log message appearance information.
  • the reference pattern generation unit 13 may receive, for example, designation of a determination criterion related to the identity of appearance information from the operation manager. Further, the reference pattern generation unit 13 may read a file (not shown) in which information necessary for determining the identity of appearance information is defined, and compare the appearance information of the input ID based on the file.
  • the reference pattern combining unit 14 compares the appearance information regarding the ID received from the reference pattern generating unit 13 or a combination of a plurality of IDs.
  • the reference pattern combining unit 14 combines a single ID or a combination of a plurality of IDs that satisfy a separately defined condition. That is, the reference pattern combining unit 14 compares the appearance information of the log message included in the reference pattern between the reference patterns, and combines the reference patterns based on the comparison result.
  • the reference pattern combining unit 14 outputs the set of combined results to the pattern storage unit 15 as a “pattern (combination)”. This set of patterns (combinations) is also called a “pattern set”.
  • FIG. 5 shows a combination information table 106 in which patterns (combinations) are summarized in a table format.
  • the pattern (combination) includes a single ID or a combination of a plurality of IDs and appearance information corresponding to them.
  • the appearance information is composed of the appearance time and the number of appearances.
  • the pattern storage unit 15 stores the pattern (combination) output from the reference pattern combination unit 14.
  • FIG. 6 is a flowchart regarding an outline of the operation of the log analysis system 1 according to the present embodiment.
  • the log analysis system 1 according to the present embodiment performs three processes: an appearance information aggregation process, a reference pattern generation process, and a reference pattern combination process.
  • the appearance information totaling process in step S1 is a process in which the log collecting unit 11 reads the log file and the log totaling unit 12 totals the appearance information for each ID.
  • the reference pattern generation process in step S2 is a process in which the reference pattern generation unit 13 combines at least one log message that appears synchronously as a reference pattern based on the appearance information for each ID. Note that “at least one log message appearing synchronously” means “at least one log message output continuously within a certain period of time”.
  • the reference pattern combining process in step S3 is a process in which the reference pattern combining unit 14 combines a combination of IDs based on the reference pattern set to generate a pattern (combination).
  • the operation of the log analysis system 1 according to the first exemplary embodiment will be described in detail by dividing it into three parts, that is, an appearance information aggregation process, a reference pattern generation process, and a reference pattern combination process.
  • the appearance information totaling process is a process in which the log collecting unit 11 reads a log file and the log totaling unit 12 totals appearance information for each ID.
  • FIG. 7 is a flowchart regarding the appearance information tabulation process.
  • the log collection unit 11 reads the log file output from the analysis target system 10 (step S101).
  • the log collecting unit 11 generates an integrated log by combining all acquired log files (step S102).
  • the log collection unit 11 rearranges the log messages of the integrated log in chronological order based on the time information of each log message (step S103).
  • the log totaling means 12 reads the log message of the integrated log based on the defined time width (step S104).
  • the log totaling unit 12 reads a log message in a section from “2014/07 / 01_12: 00: 01” to “2014/07 / 01_12: 00: 10: 00”.
  • the log totaling unit 12 totals the number of appearances of the same ID from the set of read log messages, and records a set of time information and the number of appearances as appearance information for each ID (step S105).
  • the log message with ID “1001” is “10 times” and the log message with ID “2034” Appears “3 times”.
  • the log totaling unit 12 adds the appearance time “2014/07/01 — 12:00:01” and the number of appearances “10” to the appearance information of the ID “1001”.
  • the log totaling unit 12 adds the appearance time “2014/07/01 — 12:00:01” and the appearance count “3” to the appearance information of the ID “2034”.
  • the log totaling unit 12 determines whether or not the last log message of the integrated log has been reached (step S106).
  • the log totaling unit 12 outputs appearance information for each ID to the reference pattern generating unit 12 (step S107).
  • step S106 when the last log message of the integrated log has not been reached (No in step S106), the process returns to step S104.
  • the log totaling unit 12 repeats the processes in steps S104 and S105 until the last log message of the integrated log is reached.
  • the log can be entered by the user so that the reading of the log message can be completed at an arbitrary time, or the time for completing the reading from the definition information (not shown) can be obtained.
  • the counting means 12 may be configured.
  • the reference pattern generation process is a process in which the reference pattern generation unit 13 combines log messages that appear synchronously as reference patterns based on the appearance information for each ID.
  • FIG. 8 is a flowchart regarding reference pattern generation processing. Note that the operation related to log message combination described with reference to FIG. 8 is an example, and any method may be used as long as IDs generated at the same time can be compared and linked.
  • the reference pattern generation unit 13 reads the appearance information for each ID output by the log aggregation unit 12 (step S201).
  • the reference pattern generation unit 13 calculates the total number of appearances (hereinafter referred to as the appearance frequency) for each appearance time of each ID (step S202). ).
  • the reference pattern generation unit 13 rearranges the appearance information constituting the combination candidate set in ascending order of appearance frequency (step S203).
  • the reference pattern generation unit 13 selects an ID as a comparison source (hereinafter referred to as a comparison source ID) from the combination candidate set (step S204).
  • a comparison source ID an ID as a comparison source
  • the reference pattern generation unit 13 selects the ID of the appearance information having the lowest appearance frequency from the combination candidate set as the comparison source ID, and uses the selected comparison source ID as the appearance information of another ID (comparison target ID).
  • the selection may be based on another criterion.
  • the reference pattern generation unit 13 determines whether or not the appearance frequency of the selected comparison source ID is the maximum among the appearance information constituting the combination candidate set (step S205).
  • step S205 When the appearance frequency of the selected comparison source ID is not the maximum (No in step S205), the reference pattern generation unit 13 verifies whether there is an ID having the same appearance information as the selected comparison source ID (step S205). S206). On the other hand, if the appearance frequency of the selected comparison source ID is maximum (Yes in step S205), the process proceeds to step S209.
  • step S206 If there is an ID having the same appearance information as the selected comparison source ID (hereinafter referred to as a comparison target ID) (Yes in step S206), the reference pattern generation unit 13 combines the comparison source ID and the comparison target ID, Are generated (step S207). On the other hand, if there is no ID having the same appearance information as the comparison source ID in step S206 (No in step S206), the process returns to step S204 to acquire another ID as the comparison source ID.
  • step S204 to step S206 is repeated until there is no comparison target ID having the same appearance information as the selected comparison source ID.
  • step S207 a supplementary explanation will be given regarding step S207.
  • step S207 it is assumed that the appearance time of a certain comparison source ID “2048” is as follows. “2014/07 / 01_9: 00: 01, 2014/07 / 01_10: 00: 01, 2014/07 / 01_11: 00: 01, 2014/07 / 01_12: 00: 01, 2014/07 / 01_13: 00: 01 2014/07 / 01_14: 00: 01, 2014/07 / 01_15: 00: 01, 2014/07 / 01_16: 00: 01, 2014/07 / 01_17: 00: 01, 2014/07 / 01_18: 00: 01 " It is assumed that the number of appearances corresponding to each appearance time of the comparison source ID “2048” is “2, 2, 2, 2, 2, 2, 2, 2, 2”.
  • the appearance times of the comparison target ID “2049” are the following 10 types.
  • the number of appearances corresponding to each appearance time of the comparison target ID “2049” is assumed to be “2, 2, 2, 2, 2, 2, 2, 2, 2”.
  • the total number of appearances (appearance frequency) of the comparison source ID “2048” and the comparison target ID “2049” is both “20”, and the appearance time is also the same. Therefore, the comparison source ID “2048” and the comparison target ID “2049” are to be combined.
  • the IDs are regarded as having the same appearance information. May be.
  • the appearance time of a certain comparison source ID “3018” is as follows. "2014/07 / 01_9: 00: 01, 2014/07 / 01_12: 00: 01, 2014/07 / 01_15: 00: 01, 2014/07 / 01_18: 00: 01”
  • the number of appearances corresponding to each appearance time of the comparison source ID “3018” is assumed to be “3, 3, 3, 3”.
  • the appearance time of the comparison target ID “4024” is as follows. “2014/07/01 — 9:00:01, 2014/07/01 — 12:00:01, 2014/07/01 —12: 01: 01, 2014/07/01 —15: 00: 01, 2014/07/01 —18: 00: 01 , 2014/07 / 01_18: 01: 01 "
  • the number of appearances corresponding to each appearance time of the comparison target ID “4024” is assumed to be “3, 2, 1, 3, 1, 2”.
  • the total value (appearance frequency) of the number of appearances of the comparison source ID “3018” and the comparison target ID “4024” is both “12” times.
  • the comparison target ID “4024” there is a difference in appearance time “2014/07 / 01_12: 01: 01, 2014/07 / 01_18: 01: 01” which was not in the comparison source ID “3018”.
  • the difference in appearance time is the appearance time “2014/07 / 01_12: 00: 01, 2014/07 / 01_18: 00: 01 of the comparison source ID“ 3018 ”. It is the time adjacent to. In this case, the difference time belongs to the adjacent time, and the comparison source ID “3018” and the comparison target ID “4024” are to be combined.
  • a threshold may be set for the appearance frequency and the degree of coincidence of the appearance information, and IDs that satisfy the set threshold condition may be combined.
  • the reference pattern generation unit 13 combines the comparison source ID and the comparison target ID in Step S207, and then updates the appearance information of the combination candidate set (Step S208). .
  • the reference pattern generation unit 13 adds the combination of the generated ID combination and the ID appearance information to the combination candidate set.
  • the reference pattern generation unit 13 deletes the comparison source ID and the comparison target ID from the combination candidate set.
  • step S203 to step S208 is repeated until the combination candidate (appearance information) having the maximum appearance frequency is reached in the combination candidate set.
  • the reference pattern generation unit 13 uses the set obtained by rearranging the appearance information constituting the candidate combination set in ascending order of appearance frequency.
  • the pattern set is output to the reference pattern combining unit 14 (step S209). Note that that the appearance frequency of the selected comparison source ID is maximum means that the combination candidate (appearance information) having the maximum appearance frequency in the combination candidate set has been reached.
  • the reference pattern combination process is a process in which the reference pattern combining unit 14 combines a combination of IDs based on a reference pattern set to generate a pattern (combination).
  • 9 and 10 are flowcharts relating to the reference pattern combining process.
  • the reference pattern set is a set of reference patterns, and is a pattern composed of a combination of an ID combination and appearance information of the combination in the same manner as a pattern (combination) set.
  • the reference pattern combining unit 14 reads the reference pattern set generated by the reference pattern generation unit 13 in the reference pattern generation process (step S301).
  • the reference pattern combining unit 14 selects a reference pattern with the lowest appearance frequency from the read reference pattern set (step S302).
  • the reference pattern selected here is called a comparison source pattern.
  • the reference pattern combining unit 14 selects a reference pattern from the reference pattern set in ascending order of appearance frequency.
  • the reference pattern combining unit 14 determines whether or not there is a comparison source pattern in the reference pattern set read in step S301 (step S303).
  • the reference pattern combining unit 14 selects a pattern having a frequency equal to or lower than the appearance frequency of the comparison source pattern as a comparison target pattern (hereinafter referred to as a comparison target pattern) from the reference pattern set (step). S304). This set of comparison target patterns is called a comparison target pattern set. On the other hand, if there is no comparison source pattern (No in step S303), the process proceeds to step S312 in FIG.
  • the reference pattern combining unit 14 determines whether or not there is a comparison target pattern in the reference pattern set read in step S301 (step S305).
  • step S305 When there is a comparison target pattern (Yes in step S305), the reference pattern combining unit 14 compares the appearance information of the comparison source pattern with the appearance information of the comparison target pattern included in the comparison target pattern set, and the similarity of the appearance information The degree is calculated (step S306). On the other hand, when there is no comparison target pattern (No in step S305), the process proceeds to step S308.
  • step S306 a supplementary explanation will be given for step S306.
  • the appearance times of the comparison source patterns “5025, 6036” are as follows. “2014/7 / 1_12: 00: 01, 2014/7 / 2_12: 00: 01, 2014/7 / 3_12: 00: 01, 2014/7 / 4_12: 00: 01, 2014/7 / 5_12: 00: 01 "
  • the number of appearances corresponding to each appearance time of the comparison source pattern “5025, 6036” is “2, 2, 2, 2, 2”.
  • the appearance times of the comparison target patterns “1001, 3009, 7049” are as follows. “2014/7 / 1_12: 00: 01, 2014/7 / 2_12: 00: 01, 2014/7 / 3_12: 00: 01, 2014/7 / 4_12: 00: 01, 2014/7 / 5_12: 00: 01 " Then, it is assumed that the number of appearances corresponding to each appearance time of the comparison target pattern “1001, 3009, 7049” is “2, 1, 1, 2, 2”.
  • the appearance information common to the two reference patterns has the appearance time “2014/7/1 — 12:00:01, 2014/7/2 — 12:00:01, 2014/7/3 — 12:00:01, 2014/7. / 4 — 12:00:01, 2014/7/5 — 12:00:01 ”, and the number of appearances is“ 2, 1, 1, 2, 2 ”.
  • the similarity between the comparison source pattern “5025, 6036” and the comparison target pattern “1001, 3009, 7049” is calculated to be “8/8”, that is, “1.0” from the ratio of the number of appearances.
  • the ratio of the number of appearances is a ratio between “appearance frequency of common appearance information” and “appearance frequency of appearance information to be compared”, and is calculated by the following formula 1.
  • (Appearance ratio) (Appearance frequency of common appearance information) / (Appearance frequency of comparison target appearance information) (1)
  • the ratio of the appearance frequency of the common part to the appearance frequency of the comparison target is used as the similarity index, but in addition, the ratio of the appearance frequency of the common part to the appearance frequency of the comparison source is used. May be.
  • the appearance frequency of the appearance information is used, but the number of appearance times may be used instead.
  • the reference pattern combining unit 14 selects, as a combination candidate pattern, a comparison target pattern in which the similarity calculated in the process of step S306 satisfies a threshold value defined separately (step S307). Then, the process returns to step S304.
  • the threshold condition may be satisfied when, for example, the above-described similarity exceeds a predetermined threshold or is equal to or higher than a predetermined threshold.
  • the reference pattern combining unit 14 repeats the processing of steps S304 to S307 until there is no comparison target pattern (No in step S305), and generates a set of combination candidate patterns.
  • step S307 a supplementary explanation will be given of step S307.
  • the similarity between the comparison source pattern “5025, 6036” and the comparison target pattern “1001, 3009, 7049” is “1.0”.
  • the predetermined threshold is “0.9”
  • the similarity is equal to or higher than the threshold
  • the comparison target patterns “1001, 3009, 7049” are the combination candidate patterns.
  • a single value may be applied as a threshold, or a threshold is individually set for each index. You may prepare.
  • the reference pattern combining unit 14 extracts all appearance information from the set of combination candidate patterns and generates candidate appearance information by combining all the extracted appearance information. (Step S308).
  • step S308 a supplementary explanation will be given regarding step S308.
  • a case where there are two types of combination candidate patterns “1001, 3009, 7049” and “2004, 4016” will be described as an example.
  • the appearance time of the combination candidate pattern “2004, 4016” is “2014/7 / 2_12: 00: 01, 2014/7 / 3_12: 00: 01”, and the number of appearances is “1, 1”.
  • the candidate appearance information has an appearance time “2014/7/1 — 12:00:01, 2014/7/2 — 12:00:01, 2014/7/3 — 12:00:01, 2014/7/4 — 12:00: 01, 2014/7/5 — 12:00:01 ”and the number of appearances is“ 2, 2, 2, 2, 2 ”.
  • the reference pattern combination unit 14 compares the appearance information of the comparison source pattern with the candidate appearance information of the combination candidate pattern, and calculates the similarity between the two in the same manner as the process of step S306 (step S309).
  • the reference pattern combining unit 14 determines whether or not the similarity calculated in step S309 is equal to or greater than a separately defined threshold (step S310). Note that the similarity between the appearance information of the comparison source pattern and the candidate appearance information of the combination candidate pattern may be determined based on whether the similarity satisfies a predetermined threshold condition.
  • the reference pattern combining unit 14 returns to the process of step S302 to acquire the next reference pattern as a new comparison source pattern.
  • the reference pattern combining unit 14 updates the reference pattern (Step S311). In updating the reference pattern, first, the reference pattern combining unit 14 generates a combined pattern obtained by combining the comparison source pattern and the combination candidate pattern, and adds the generated combined pattern to the reference pattern set. Second, the reference pattern combining unit 14 deletes the comparison source pattern and the combination candidate pattern from the reference pattern set. When the reference pattern is updated, the process returns to step S302.
  • the reference pattern combining unit 14 repeats the processing corresponding to Step S302 to Step S309 until the similarity between the appearance information of the comparison source pattern and the candidate appearance information of the combination candidate pattern is equal to or greater than the threshold value.
  • the reference pattern combining unit 14 rearranges the patterns of the reference pattern set in ascending order of appearance frequency (step S312).
  • the reference pattern combining unit 14 acquires reference patterns from the reference pattern set in ascending order of appearance frequency (step S313).
  • the reference pattern selected here corresponds to a reference pattern for comparison (hereinafter referred to as comparison pattern).
  • the reference pattern combining unit 14 determines whether or not there is a comparison source pattern in the reference pattern set (step S314).
  • step S314 If there is a comparison source pattern (Yes in step S314), the reference pattern combining unit 14 selects a pattern having a frequency equal to or lower than the appearance frequency of the comparison source pattern as a comparison target pattern (hereinafter referred to as a comparison target pattern) from the reference pattern set (step). S315). This set of comparison target patterns is called a comparison target pattern set. On the other hand, if there is no comparison source pattern (No in step S314), the process proceeds to step S320.
  • a comparison target pattern hereinafter referred to as a comparison target pattern
  • the reference pattern combining unit 14 determines whether or not there is a comparison target pattern in the reference pattern set (step S316).
  • the reference pattern combining unit 14 compares the appearance information of the comparison source pattern with the appearance information of the comparison target pattern, and compares the appearance information similarity A and similarity.
  • the degree B is calculated (step S317).
  • the similarity A is a ratio between the appearance frequency (also referred to as the first frequency) of the comparison source pattern (also referred to as the first pattern) and the common appearance frequency.
  • the similarity A is calculated by the following formula 2.
  • (Similarity A) (Appearance frequency of common appearance information) / (Appearance frequency of appearance information of comparison source pattern) (2)
  • the similarity B (second similarity) is a ratio between the appearance frequency (also referred to as the second frequency) of the comparison target pattern (also referred to as the second pattern) that is an appearance candidate and the common appearance frequency.
  • the similarity B is calculated by the following formula 3.
  • (Similarity B) (Appearance frequency of common appearance information) / (Appearance frequency of appearance information of comparison target pattern) (3)
  • the common appearance frequency is the appearance time and the number of appearances between the appearance time and the number of appearances in the appearance information of the comparison source pattern and the appearance time and the number of appearances in the appearance information of the comparison target pattern. Is the sum of the number of occurrences of matching. That is, when the first pattern and the second pattern are compared, the total number of appearances of the patterns with the same appearance information corresponds to the common frequency.
  • the appearance time of the comparison source pattern is “2014/7/1 — 12:00:01, 2014/7/2 — 12:00:01, 2014/7/3 — 12:00:01, 2014/7/4 — 12:00:01, 2014/7/5 — 12:00:01 ”.
  • the number of appearances of the comparison source pattern is “2, 1, 1, 1, 2, 2”.
  • the appearance time of the comparison target pattern is “2014/7/1 — 12:00:01, 2014/7/4 — 12:00:01, 2014/7/5 — 12:00:01”.
  • the number of appearances of the comparison target pattern is “2, 2, 2”.
  • the appearance time common to both is “2014/7/1 — 12:00:01, 2014/7/4 — 12:00:01, 2014/7/5 — 12:00:01”.
  • the total appearance frequency “6” is a common appearance frequency.
  • the similarity A is 6/8 based on Expression 2
  • the appearance frequency of the comparison target pattern is “6”
  • the similarity B is 6 / based on Expression 3. 6
  • the predetermined threshold value for the similarity A is 1 and the predetermined threshold value for the similarity B is 0.8
  • both the similarity A and the similarity B satisfy the predetermined threshold.
  • step S316 when there is no comparison target pattern (No in step S316), the process returns to step S313.
  • the reference pattern combining unit 14 determines whether or not each of the similarity A and the similarity B calculated in step S317 is equal to or greater than a predetermined threshold defined separately (step S318). In addition, regarding the similarity A and the similarity B, it may be determined whether other predetermined threshold conditions are satisfied.
  • the reference pattern combining unit 14 uses the step to acquire the next reference pattern as a new comparison source pattern. The process returns to S313.
  • the reference pattern combining unit 14 updates the reference pattern (step S319).
  • the reference pattern combining unit 14 generates a new reference pattern that combines the combination candidate pattern and the reference pattern of the comparison source, and adds the generated new reference pattern to the reference pattern set. .
  • the appearance information of the new reference pattern is a common element between the combination candidate pattern and the comparison source pattern.
  • the reference pattern combining unit 14 deletes the comparison source pattern and the combination candidate pattern from the reference pattern set.
  • the process returns to step S313 to select the next reference pattern as a new comparison source pattern.
  • the reference pattern combining unit 14 leaves the repetition process of steps S313 to S319. Then, the reference pattern combining unit 14 outputs the updated reference pattern set to the pattern storage unit 15 as a pattern set (step S320).
  • the reference pattern generation means 13 generates a reference pattern that combines log messages that appear synchronously based on the appearance information of the log message.
  • the reference pattern combining unit 14 compares the appearance information between the reference patterns and combines at least one reference pattern based on the comparison result.
  • the concept of combining at least one reference pattern includes updating a reference pattern without other reference patterns to be combined as it is.
  • log analysis system it is possible to group only log messages having a high co-occurrence probability by satisfying a certain threshold condition by defining a threshold value at the time of log message analysis.
  • the log analysis system it is possible to correctly extract, as a pattern, a plurality of messages that appear together within a time width that may be divided under the constraint condition of the number of messages. it can. This is because the log analysis system according to the present embodiment reads the integrated log file according to the time width and calculates the relationship between the individual IDs according to the threshold value.
  • FIG. 12 is a block diagram showing a functional configuration of the log analysis system 2 according to the present embodiment.
  • the log analysis system 2 according to the present embodiment has a configuration in which an order learning unit 21 is added to the log analysis system 1 according to the first embodiment. Note that in the log analysis system 2 according to the present embodiment, the same reference numerals are given to the substantially same configuration as the configuration of the log analysis system 1 according to the first embodiment (FIG. 1), and the description thereof is omitted. To do.
  • the order learning means 21 refers to the integrated log based on the pattern set output by the reference pattern combining means 14 and extracts the order information 22 for each pattern.
  • the order information 22 analyzes whether the log IDs included in the pattern (combination) appear in the order included in the “pattern (order)” when analyzing the log using the pattern (combination). This information is used when The pattern (order) is also called “order pattern” and is a pattern in which log IDs are arranged in the order of appearance.
  • the order learning means 21 outputs the generated order information 22 to the pattern storage means 15 and records it.
  • FIG. 12 illustrates a state in which the pattern storage unit 15 stores the order information 22 and the pattern set 150.
  • the order information 22 includes a pattern (combination) obtained by combining at least one ID, a pattern (order) considering the arrangement order of IDs included in the pattern (combination), and the occurrence probability of each pattern (order). Including. Further, the order information 22 may include a set of patterns (combinations) in another format so that the patterns (combinations) can be managed while maintaining uniqueness with a common ID. The order information 22 may include pattern appearance information.
  • FIG. 13 is an order information table 220 as an example of the order information 22.
  • the order information table 220 of FIG. 13 indicates that there are patterns (orders) having two kinds of arrangement orders with respect to the pattern (combination) “1001, 2004, 3009, 5025”.
  • One is a combination of a pattern (combination) “1001, 2004, 3009, 5025”, a pattern (order) “1001, 2004, 3009, 5025”, and an occurrence count “90”.
  • the other is a combination of a pattern (combination) “1001, 2004, 3009, 5025”, a pattern (order) “1001, 3009, 2004, 5025”, and the number of occurrences “10”.
  • a pattern (order) may be stored using a general notation method such as a tree diagram as long as the notation method has a similar meaning. Good. Further, instead of the number of occurrences, a ratio of each number of occurrences to the total number of occurrences may be output as an occurrence probability.
  • FIG. 14 is a flowchart regarding order information generation processing by the log analysis system 2 of the log analysis system 2 according to the present embodiment.
  • the order learning means 21 receives a pattern set from the pattern storage means 15 (step S401).
  • the order learning unit 21 may be configured to directly receive the pattern set from the reference pattern combining unit 14.
  • the order learning means 21 reads the corresponding part of the integrated log based on the appearance information of each pattern included in the received pattern set (step S402).
  • the relevant part of the integrated log read by the order learning means 21 is determined by the appearance time recorded in the appearance information and a separately defined time width. For example, when the appearance time is “2014/7 / 7_09: 01: 00” and the time width is “1 minute”, the order learning unit 21 changes the order from “2014/7 / 7_09: 01: 00” to “2014/7 / 7_09: 01: 01 ”is read.
  • the order learning means 21 reads the order of IDs included in each pattern among the log messages included in the corresponding portion of the read integrated log (step S403).
  • the read data is “1001, 7049, 6036, 4900, 3009, 2004, 8088, 5025” for the pattern “1001, 2004, 3009, 5025”.
  • the order learning means 21 refers to only the IDs included in the pattern “1001, 2004, 3009, 5025” with respect to the read data, the order of IDs “1001, 3009, 2004, 5025” is read.
  • the order learning means 21 adds 1 to the number of occurrences regarding the order of the read ID, and extracts the order information (step S404).
  • the order learning means 21 verifies whether or not the order information 22 has been generated for all the patterns included in the received pattern set (step S405).
  • the order learning means 21 When the order information 22 is generated for all the patterns included in the received pattern set (Yes in step S405), the order learning means 21 outputs the generated order information 22 to the pattern storage means 15 for recording ( Step S406). On the other hand, if the order information 22 has not been generated for all the patterns included in the received pattern set (No in step S405), the process returns to step S402 to generate the order information 22 for the unprocessed pattern. .
  • the order learning unit 21 repeats the processes of steps S402 to S405 described above, and generates order information 22 for all patterns included in the pattern set received from the reference pattern combining unit 14.
  • the log analysis system according to the second embodiment can generate pattern order information based on the result generated by the reference pattern combining unit, and can generate a pattern and its order information with a small amount of calculation.
  • the reason is that the log analysis system according to the present embodiment includes a reference pattern generation unit.
  • FIG. 15 is a block diagram showing a functional configuration of the log analysis system 3 according to the present embodiment.
  • the log analysis system 3 according to the present embodiment has a configuration in which log identification means 31 and log identification information 32 are added to the log analysis system 1 according to the first embodiment. Note that in the log analysis system 3 according to the present embodiment, the same reference numerals are given to the substantially same configuration as the configuration of the log analysis system 1 according to the first embodiment (FIG. 1), and the description thereof is omitted. To do.
  • FIG. 16 is a diagram showing an example of the log identification information 32 (log identification information 320).
  • the log identification information 32 is a set of a set of a log ID and a record expression corresponding to the log ID.
  • the log ID is also called a log identifier and is an identifier given to the log message.
  • the record representation is a representation of the body of the log message corresponding to the log ID.
  • the log message corresponding to the log ID “1001” includes a character string “mysql started”.
  • a character string is shown, but the record expression can be expressed using arbitrary information such as a regular expression or a uniquely defined template as long as it can be compared with the log message. May be.
  • the log identification unit 31 assigns a log ID to the log message included in the integrated log read from the log collection unit 11 with reference to the record expression recorded in the log identification information 32. Then, the log identification unit 31 outputs an integrated log of the log message to which the log ID is assigned to the log totaling unit 12.
  • FIG. 17 is a flowchart regarding log identification processing by the log identification unit 31 of the log analysis system 3 according to the present embodiment.
  • the log identification unit 31 reads the integrated log generated by the log collection unit 11 (step S501).
  • the log identification unit 31 refers to the log identification information 32 and assigns a log ID to the log message included in the read integrated log (step S502).
  • the log identification unit 31 determines whether or not a log ID has been assigned to all log messages included in the read integrated log (step S503).
  • the log identification unit 31 transmits the integrated log to the log totaling unit 12 (step S504).
  • step S503 when there is a log message to which no log ID is assigned (No in step S503), the process returns to step S502 in order to assign a log ID to a log message to which no log ID is assigned.
  • the log analysis system according to the third embodiment can generate a pattern (combination) with a small amount of calculation from a plurality of log files to which a common log ID is not assigned based on the log identification information. This is because the log analysis system according to the third embodiment generates a reference pattern by combining log identification means that assigns a log ID to a log message based on log identification information and logs that appear synchronously. This is because it includes reference pattern generation means.
  • FIG. 18 is a block diagram illustrating a functional configuration of the log analysis system 4 according to the fourth embodiment.
  • the log analysis system according to the fourth embodiment has a configuration in which log classification means 41 is added to the log analysis system 1 according to the first embodiment.
  • the substantially same configuration as the configuration of the log analysis system 1 according to the first embodiment (FIG. 1) is denoted by the same reference numeral, and description thereof is omitted. To do.
  • the log classification unit 41 reads the integrated log from the log collecting unit 11 and calculates the feature similarity based on the characteristics of the log message included in the read integrated log.
  • the log classification means 41 groups and classifies a plurality of log messages having a high degree of similarity, and assigns a common log ID (also referred to as a group identifier) to the log messages classified into the same group. Then, the log classification unit 41 outputs an integrated log of log messages to which a common log ID is assigned for each group to the log aggregation unit 12.
  • FIG. 19 is a flowchart regarding log classification processing by the log classification unit 41 of the log analysis system 4 according to the present embodiment.
  • the log classification unit 41 reads the integrated log generated by the log collection unit 11 (step S601).
  • the log classification means 41 calculates feature amounts for all log messages included in the read integrated log, and performs classification based on the similarity (step S602).
  • an algorithm and an index such as a shortest distance method, a longest distance method, a group average method, a Ward method, and a k-Means method can be used.
  • the log classification means 41 assigns a log ID to each classified group according to the classification result (step S603).
  • the log classification unit 41 assigns a log ID to all log messages included in the integrated log according to the log ID assigned to each group (step S604).
  • the log classification unit 41 outputs an integrated log of log messages to which a common log ID is assigned for each group to the log aggregation unit 12 (step S605).
  • a pattern (combination) can be generated with a small amount of calculation even from a plurality of log files to which a common log ID is not assigned.
  • log classification means for assigning log IDs that can be uniquely identified to similar log messages by calculating and classifying feature amounts based on the log messages, and the logs that appear synchronously together as a reference pattern This is for providing a reference pattern generating means for generating.
  • FIG. 20 is a block diagram illustrating a functional configuration of the log analysis system 5 according to the fifth embodiment.
  • the log analysis system 5 according to the fifth embodiment has a configuration in which a transition time learning unit 51 is added to the log analysis system 2 according to the second embodiment.
  • the same reference numerals are given to the substantially same configuration as the configuration of the log analysis system 2 according to the second embodiment (FIG. 12), and the description thereof is omitted.
  • FIG. 20 illustrates how the pattern storage unit 15 stores the transition information 52 and the pattern set 150. Although omitted in FIG. 20, the pattern storage unit 15 stores the order information 22 as in FIG.
  • the transition time learning means 51 extracts the transition time required for transition between individual log IDs in the pattern based on the order information 22 of each pattern extracted by the order learning means 21.
  • FIG. 21 is a diagram showing an example of the transition time (transition time table 510) output by the transition time learning means 51.
  • the transition time represents a transition between log IDs in the order information 22 and a time required for the transition.
  • the pattern (order) “1001, 2004, 3009, 5025” includes three types of transitions “1001 ⁇ 2004”, “2004 ⁇ 3009”, and “3009 ⁇ 5025”.
  • Each transition time is “1 second”, “2 seconds”, and “1 second” as shown in parentheses in the transition time table 510 of FIG.
  • FIG. 22 is a flowchart regarding the transition time learning process by the log classification unit 41 of the log analysis system 4 according to the present embodiment.
  • the order learning means 21 reads a corresponding portion of the integrated log based on the appearance information of each pattern included in the pattern set (step S ⁇ b> 701).
  • the corresponding portion read by the order learning means 21 is determined by the appearance time recorded in the appearance information and a separately defined time width. For example, if the appearance time is “2014/7 / 7_09: 01: 00” and the time width is “1 minute”, the integration from “2014/7 / 7_09: 01: 00” to “2014/7 / 7_09: 01: 01” Read the log.
  • the order learning means 21 reads the order of IDs included in the pattern among the log messages included in the read corresponding part (step S702).
  • the read data is “1001, 7049, 6036, 4900, 3009, 2004, 8088, 5025” for the pattern “1001, 2004, 3009, 5025”.
  • the order is “1001, 3009, 2004, 5025”.
  • the transition time learning means 51 calculates the transition time between IDs based on the order of the IDs read by the order learning means 21 (step S703).
  • the transition “1001 ⁇ 3009” is “11 seconds”.
  • the transition time learning means 51 determines whether or not the transition time has been calculated for all the appearance times included in the pattern appearance information (step 704).
  • step S704 If all transition times among the appearance times included in the pattern appearance information are calculated (Yes in step S704), the process proceeds to step S705. On the other hand, if the transition time has not been calculated for all the appearance times included in the pattern appearance information (No in step S704), the process returns to step S702.
  • the transition time learning means 51 repeats the processes of step S702 and step S703 described above for all the appearance times included in the pattern appearance information, and acquires the transition time of each transition.
  • the transition time learning means 51 totals the obtained transition times for each transition, calculates values such as an average value and a median value, and records them as transition times for each transition (step S705).
  • the transition time learning means 51 may obtain and record values such as an average value, a median value, and a variance as the transition time, or may record only a set of a maximum value and a minimum value. Alternatively, the transition time learning means 51 may be configured to record all transition times as they are.
  • the transition time learning means 51 determines whether or not the transition time has been calculated for all the patterns included in the pattern set and their transitions (step S706).
  • the transition time learning unit 51 uses the pattern storage unit to store information about the generated transition times (transition information 52). 15 (step S707). On the other hand, if the transition time has not been calculated for all patterns included in the pattern set and their transitions (No in step S706), the process returns to step S701.
  • the transition time learning means 51 repeats the processing from step S701 to step S706 for each pattern, and calculates transition times for all patterns included in the pattern set and their transitions.
  • the transition time between each element in the pattern is generated based on the result generated by the reference pattern combining unit, and the pattern and the identifier included in the pattern with a small amount of calculation
  • the transition time between can be generated. This is because the log analysis system according to the present embodiment includes a reference pattern generation unit and a transition time learning unit.
  • the computer 60 includes a processor 61, a main storage device 62, an auxiliary storage device 63, an input / output interface 64, and a communication interface 67.
  • the processor 61, the main storage device 62, the auxiliary storage device 63, the input / output interface 64, and the communication interface 67 are connected to each other via a bus 68 so as to be able to exchange data.
  • the processor 61, the main storage device 62, the auxiliary storage device 63, and the input / output interface 64 are connected to a network (not shown) through a communication interface 67.
  • the processor 61 expands the program stored in the auxiliary storage device 63 or the like in the main storage device 62, and executes the expanded program.
  • a configuration using a software program installed in the computer 60 may be used.
  • the main storage device 62 may be a volatile memory such as a DRAM (DRAM: Dynamic Random Access Memory). Further, a non-volatile memory such as MRAM may be configured and added as the main storage device 62 (MRAM: Magnetically Random Access Memory). A program is expanded in the main storage device 62.
  • DRAM Dynamic Random Access Memory
  • MRAM Magnetically Random Access Memory
  • the auxiliary storage device 63 is configured by a local disk such as a hard disk or a flash memory. Note that the auxiliary storage device 63 may be an external storage device connected to the computer 60 or a network storage connected via a network.
  • the input / output interface 64 is a device that connects the computer 60 and peripheral devices based on the connection standard between the computer 60 and peripheral devices.
  • the communication interface 67 is a device that mediates data exchange between a network (not shown) and the processor 61. In FIG. 23, the interface is abbreviated as I / F (I / F: Interface).
  • the computer 60 may be provided with input devices such as a keyboard, a mouse, and a touch panel as necessary. These input devices are used to input information and settings. Note that when the touch panel is used as an input device, the display device also serves as the input device. Data exchange between the processor 61 and the input device may be mediated by the input / output interface 64.
  • the computer 60 may be provided with a display device for displaying information.
  • the computer 60 is provided with a display control device (not shown) for controlling the display of the display device.
  • a display device (not shown) may be connected via the input / output interface 64.
  • the computer 60 is provided with a reader / writer as necessary.
  • the reader / writer is connected to the bus 68, mediates data exchange between the processor 61 and a recording medium (program recording medium) (not shown), reads a data program from the recording medium, and records the processing results of the computer 60 as a recording medium.
  • the recording medium can be realized by, for example, a semiconductor recording medium such as an SD card (SD: Secure Digital).
  • SD Secure Digital
  • the recording medium may be realized by a magnetic recording medium such as a flexible disk, or an optical recording medium such as a CD or a DVD (CD: Compact Disc, DVD: Digital Versatile Disc).
  • the above is an example of the hardware configuration for enabling the log analysis system according to the embodiment of the present invention.
  • the hardware configuration in FIG. 23 is an example of a hardware configuration to enable the log analysis system according to the present embodiment, and does not limit the scope of the present invention.
  • a log analysis program that causes a computer to execute the processing of the log analysis system according to the present embodiment is also included in the scope of the present invention.
  • a program recording medium that records a log analysis program according to an embodiment of the present invention is also included in the scope of the present invention.
  • each embodiment described above can be implemented in appropriate combination.
  • the block division shown in each block diagram is a configuration shown for convenience of explanation.
  • the present invention described by taking each embodiment as an example is not limited to the configuration shown in each block diagram in the implementation.
  • a plurality of operations are described in order, but the order of these operations can be changed within a range where there is no problem.
  • these operations are not always executed at different timings. For example, another operation may occur in parallel during the execution of a certain operation, or the execution timing of a certain operation and another operation may partially or entirely overlap.
  • an operation is a trigger for another operation. It does not limit the relationship. Therefore, when each embodiment is implemented, the relationship between the plurality of operations can be changed within a range that does not hinder the contents.
  • the log analysis system according to the embodiment of the present invention can be applied to a technology for operating and managing an information processing system, a physical plant, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Selon l'invention, afin de raccourcir le temps requis pour extraire une combinaison de messages de journal qui apparaissent de manière synchrone, lors de l'analyse des messages de journal qui ont été émis par un système de traitement d'informations, un système d'analyse de journal comporte : un moyen de génération de motif de référence qui, sur la base d'informations d'apparition de message de journal, génère un motif de référence pour chaque combinaison de messages de journal qui apparaissent de façon synchronisée ; et un moyen de liaison de motif de référence qui compare, entre les motifs de référence, les informations d'apparition des messages de journal contenus dans les motifs de référence, et relie entre elles des paires de motifs de référence sur la base des résultats de comparaison.
PCT/JP2015/005570 2014-11-10 2015-11-06 Système d'analyse de journal, procédé d'analyse de journal, support d'enregistrement de programme WO2016075915A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2016558878A JP6665784B2 (ja) 2014-11-10 2015-11-06 ログ分析システム、ログ分析方法およびログ分析プログラム

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2014-227706 2014-11-10
JP2014227706 2014-11-10

Publications (1)

Publication Number Publication Date
WO2016075915A1 true WO2016075915A1 (fr) 2016-05-19

Family

ID=55954018

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/005570 WO2016075915A1 (fr) 2014-11-10 2015-11-06 Système d'analyse de journal, procédé d'analyse de journal, support d'enregistrement de programme

Country Status (2)

Country Link
JP (1) JP6665784B2 (fr)
WO (1) WO2016075915A1 (fr)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018116322A (ja) * 2017-01-16 2018-07-26 株式会社日立製作所 ログメッセージグループ化装置、ログメッセージグループ化システムおよびログメッセージグループ化方法
WO2019103180A1 (fr) * 2017-11-22 2019-05-31 한화테크윈주식회사 Système et procédé de visualisation de données et support d'enregistrement lisible par ordinateur
JP2019139565A (ja) * 2018-02-13 2019-08-22 日本電気株式会社 管理装置、管理方法とそのプログラム
WO2020122522A1 (fr) * 2018-12-10 2020-06-18 삼성전자(주) Dispositif électronique et procédé de commande de celui-ci
JP2020149250A (ja) * 2019-03-12 2020-09-17 富士通株式会社 出力プログラム、出力方法および情報処理装置
CN112912877A (zh) * 2018-09-03 2021-06-04 松下电器产业株式会社 日志输出装置、日志输出方法以及日志输出系统
CN113595787A (zh) * 2021-07-27 2021-11-02 招商银行股份有限公司 基于日志模板的实时日志自动告警方法、程序及介质
WO2022224582A1 (fr) * 2021-04-23 2022-10-27 日立Astemo株式会社 Dispositif de traitement d'informations, procédé de traitement d'informations, programme et support de stockage
WO2023162390A1 (fr) * 2022-02-25 2023-08-31 三菱電機株式会社 Dispositif d'analyse et procédé d'analyse
CN112912877B (zh) * 2018-09-03 2024-06-04 松下控股株式会社 日志输出装置、日志输出方法以及日志输出系统

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005216148A (ja) * 2004-01-30 2005-08-11 Yamatake Corp アラーム解析装置、アラーム解析方法及びアラーム解析プログラム
JP2006004346A (ja) * 2004-06-21 2006-01-05 Fujitsu Ltd パターン検出プログラム
JP2014035749A (ja) * 2012-08-10 2014-02-24 Nippon Telegr & Teleph Corp <Ntt> ログ生成則作成装置及び方法

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8738625B2 (en) * 2012-06-05 2014-05-27 Hitachi, Ltd. Log management system and program

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005216148A (ja) * 2004-01-30 2005-08-11 Yamatake Corp アラーム解析装置、アラーム解析方法及びアラーム解析プログラム
JP2006004346A (ja) * 2004-06-21 2006-01-05 Fujitsu Ltd パターン検出プログラム
JP2014035749A (ja) * 2012-08-10 2014-02-24 Nippon Telegr & Teleph Corp <Ntt> ログ生成則作成装置及び方法

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018116322A (ja) * 2017-01-16 2018-07-26 株式会社日立製作所 ログメッセージグループ化装置、ログメッセージグループ化システムおよびログメッセージグループ化方法
WO2019103180A1 (fr) * 2017-11-22 2019-05-31 한화테크윈주식회사 Système et procédé de visualisation de données et support d'enregistrement lisible par ordinateur
JP7006347B2 (ja) 2018-02-13 2022-01-24 日本電気株式会社 管理装置、管理方法とそのプログラム
JP2019139565A (ja) * 2018-02-13 2019-08-22 日本電気株式会社 管理装置、管理方法とそのプログラム
CN112912877B (zh) * 2018-09-03 2024-06-04 松下控股株式会社 日志输出装置、日志输出方法以及日志输出系统
CN112912877A (zh) * 2018-09-03 2021-06-04 松下电器产业株式会社 日志输出装置、日志输出方法以及日志输出系统
US11537491B2 (en) 2018-12-10 2022-12-27 Samsung Electronics Co., Ltd. Electronic apparatus and method of controlling the same
WO2020122522A1 (fr) * 2018-12-10 2020-06-18 삼성전자(주) Dispositif électronique et procédé de commande de celui-ci
JP2020149250A (ja) * 2019-03-12 2020-09-17 富士通株式会社 出力プログラム、出力方法および情報処理装置
WO2022224582A1 (fr) * 2021-04-23 2022-10-27 日立Astemo株式会社 Dispositif de traitement d'informations, procédé de traitement d'informations, programme et support de stockage
CN113595787A (zh) * 2021-07-27 2021-11-02 招商银行股份有限公司 基于日志模板的实时日志自动告警方法、程序及介质
CN113595787B (zh) * 2021-07-27 2024-03-29 招商银行股份有限公司 基于日志模板的实时日志自动告警方法、程序及介质
WO2023162390A1 (fr) * 2022-02-25 2023-08-31 三菱電機株式会社 Dispositif d'analyse et procédé d'analyse

Also Published As

Publication number Publication date
JPWO2016075915A1 (ja) 2017-08-17
JP6665784B2 (ja) 2020-03-13

Similar Documents

Publication Publication Date Title
WO2016075915A1 (fr) Système d&#39;analyse de journal, procédé d&#39;analyse de journal, support d&#39;enregistrement de programme
US9753801B2 (en) Detection method and information processing device
US10514974B2 (en) Log analysis system, log analysis method and program recording medium
JP7184078B2 (ja) ログ分析システム、ログ分析方法及びプログラム
WO2014196129A1 (fr) Dispositif d&#39;analyse de défaillance, procédé d&#39;analyse de défaillance et support d&#39;enregistrement
JP5341209B2 (ja) 階層型データベースにおけるポインタの整合性をチェックするためのシステム、方法及びプログラム
US10248517B2 (en) Computer-implemented method, information processing device, and recording medium
US20180349468A1 (en) Log analysis system, log analysis method, and log analysis program
JPWO2017104119A1 (ja) ログ分析システム、方法およびプログラム
JP6242540B1 (ja) データ変換システム及びデータ変換方法
WO2018069950A1 (fr) Procédé, système et programme d&#39;analyse de journaux
JP6955676B2 (ja) ログ分析方法、システムおよび記録媒体
CN104603779A (zh) 文本挖掘设备、文本挖掘方法和计算机可读记录介质
JP2013149061A (ja) 文書類似性評価システム、文書類似性評価方法およびコンピュータ・プログラム
JP5875430B2 (ja) 異常検出装置、プログラムおよび異常検出方法
US10042686B2 (en) Determination method, selection method, and determination device
WO2018122889A1 (fr) Procédé, système et programme de détection d&#39;anomalies
KR102183053B1 (ko) 지식 그래프를 정제하기 위한 장치, 방법, 컴퓨터 판독 가능한 기록 매체 및 컴퓨터 프로그램
JP2019148859A (ja) フローダイアグラムを用いたモデル開発環境におけるデザインパターンの発見を支援する装置および方法
WO2017175375A1 (fr) Système, procédé et programme de nettoyage de données
JP6547341B2 (ja) 情報処理装置、方法及びプログラム
JP2016126532A (ja) 算出プログラム、情報処理装置、および算出方法
JP2008210068A (ja) データ処理装置及びデータ処理方法及びプログラム
JP2016040707A (ja) ソフトウェア検証プログラム、ソフトウェア検証方法及びソフトウェア検証装置
JP7021401B1 (ja) ロギング支援装置、ロギングシステム、ロギング支援方法及びプログラム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15859991

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2016558878

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15859991

Country of ref document: EP

Kind code of ref document: A1