Content aware heterogeneous log pattern comparative analysis engine
US-2019095417-A1 · Mar 28, 2019 · US
US10740211B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10740211-B2 |
| Application number | US-201715824781-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 28, 2017 |
| Priority date | Nov 28, 2017 |
| Publication date | Aug 11, 2020 |
| Grant date | Aug 11, 2020 |
Official abstract text for this publication.
This disclosure is directed to tagging tokens or sequences of tokens in log messages generated by a logging source. Event types of log messages in a block of log messages are collected. A series of tagging operations are applied to each log message in the block. For each tagging operation, event types that are qualified to receive the corresponding tag are identified. When a log message is received, the event type is determined and compared with the event types of the block in order to identify a matching event type. The series of tagging operations are applied to the log message to generate a tagged log message with the restriction that each tagging operation only applies a tag to token or sequences of tokens when the event type is qualified to receive the tag. The tagged log message is stored in a data-storage device.
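The qualification step from the abstract, using the fraction-and-threshold rule spelled out in claim 2, as an added example that is not code from the patent. The regex taggers, the digit-based event-type heuristic, the 0.5 threshold and the sample messages are assumptions constructed here.

```python
import re
from collections import defaultdict

# Tagging operations (constructed): tag name -> regex over the raw message.
TAGGERS = {
    "ip": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "port": re.compile(r"(?<=port )\d+\b"),
}

def event_type(msg):
    # Assumed heuristic: a token containing a digit is parametric; the
    # remaining (non-parametric) tokens define the event type.
    return tuple("<*>" if re.search(r"\d", t) else t for t in msg.split())

def qualify(block, threshold=0.5):
    """Map each event type in the block to the set of tags it may receive."""
    total = defaultdict(int)                      # messages per event type
    hits = defaultdict(lambda: defaultdict(int))  # tagged messages per type and tag
    for msg in block:
        et = event_type(msg)
        total[et] += 1
        for tag, rx in TAGGERS.items():
            if rx.search(msg):
                hits[et][tag] += 1
    # Qualified when (messages of this type that got the tag) / (messages of this type) > threshold.
    return {et: {tag for tag, c in hits[et].items() if c / n > threshold}
            for et, n in total.items()}

def tag_message(msg, qualified):
    """Apply only the tagging operations the matching event type is qualified for."""
    # An event type not seen in the block matches nothing and receives no tags.
    allowed = qualified.get(event_type(msg), set())
    return {tag: rx.findall(msg) for tag, rx in TAGGERS.items()
            if tag in allowed and rx.search(msg)}

# Constructed sample block: one version string happens to look like an IPv4 address.
BLOCK = [
    "Accepted login from 10.0.0.5 port 22",
    "Accepted login from 10.0.0.9 port 2222",
    "Accepted login from 192.168.1.7 port 22",
    "Loaded parser plugin version 2.1",
    "Loaded parser plugin version 3.0.1",
    "Loaded parser plugin version 2.4",
    "Loaded parser plugin version 1.2.3.4",
]
QUALIFIED = qualify(BLOCK)
```

In the sample block the `ip` tagger fires on only one of four plugin messages (0.25), so a later `Loaded parser plugin version 10.0.0.1` is not enriched as an IP address, while login messages keep both tags.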
Opening claim text (preview).
The invention claimed is:

1. An automated method stored in one or more data-storage devices and executed using one or more processors of a computer system for tagging tokens and sequences of tokens in log messages generated by an event source, the method comprising: determining tags each event type of a block of untagged log messages is qualified to receive, the block of untagged log messages generated by the event source; performing event-type analysis on a log message generated by the event source to identify an event type of the log message; determining an event type of the block of untagged log messages that matches the event type of the log message; applying a series of tagging operations to tokens or sequences of tokens of the log message to generate a tagged log message, each tagging operation applying a tag to a token or a sequence of tokens of the log message when the event type of the log message matches an event type of the block of untagged log messages that is qualified to receive the tag; and storing the tagged log message in a data-storage device.

2. The method of claim 1 wherein determining the tags each event type of untagged log messages in the block of log messages are qualified to receive comprises: applying event-type analysis to each log message of the block of untagged log messages; for each event type, determine log messages with the same event type in the block of untagged log messages; applying the series of tagging operations to each log message in the block of untagged log messages; and for each tag and for each event type, determining a count of the log messages with the same event type and with tokens or sequences of tokens that received the same tag; computing a fraction of log messages with the same event type and the same tag as a ratio of the count of log messages with the same event type that received the tag to the number of log messages with the same event type, and identifying the event type as qualified to receive the tag when the fraction of log messages with the tag is greater than a tagging threshold.

3. The method of claim 1 wherein determining an event type of the block of untagged log messages that matches the event type of the log message comprises: comparing the event type of the log message to each of the event types of the block of untagged log message; and identifying the matching event type of the block of untagged log message as having the same non-parametric tokens as the event type of the log message.

4. The method of claim 1 wherein applying the series of tagging operations to the log message to generate the tagged log message comprises for each tagging operation in the series of tagging operations, applying the tag to tokens or sequences of tokens of the log message, when the event type of the log message matches an event type of the block of untagged log messages that is qualified to receive the tag of the tagging operation.

5. A system for tagging tokens and sequences of tokens in log messages generated by an event source, the system comprising: one or more processors; one or more data-storage devices; and machine-readable instructions stored in the one or more data-storage devices that when executed using the one or more processors controls the system to perform the operations comprising: determining tags each event type of a block of untagged log messages is qualified to receive, the block of untagged log messages generated by the event source; performing event-type analysis on a log message generated by the event source to identify an event type of the log message; determining an event type of the untagged block of log messages that matches the event type of the log message; applying a series of tagging operations to tokens or sequences of tokens of the log message to generate a tagged log message, each tagging operation applying a tag to a token or a sequence of tokens of the log message when the event type of the log message matches an event type of the block of untagged log messages that is qualified to receive the tag; and storing the tagged log message in a data-storage device.

6. The system of claim 5 wherein determining the tags each event type of untagged log messages in the block of log messages is qualified to receive comprises: applying event-type analysis to each log message of the block of untagged log messages; for each event type, determine log messages with the same event type in the block of untagged log messages; applying the series of tagging operations to each log message in the block of untagged log messages; and for each tag and for each event type, determining a count of the log messages with the same event type and with tokens or sequences of tokens that received the same tag; computing a fraction of log messages with the same event type and the same tag as a ratio of the count of log messages with the same event type that received the tag to the number of log messages with the same event type, and identifying the event type as qualified to receive the tag when the fraction of log messages with the tag is greater than a tagging threshold.

7. The system of claim 5 wherein determining an event type of the block of untagged log messages that matches the event type of the log message comprises: comparing the event type of the log message to each of the event types of the block of untagged log message; and identifying the matching event type of the block of untagged log message as having the same non-parametric tokens as the event type of the log message.

8. The system of claim 5 wherein applying the series of tagging operations to the log message to generate the tagged log message comprises for each tagging operation in the series of tagging operations, applying the tag to tokens or sequences of tokens of the log message, when the event type of the log message matches an event type of the block of untagged log messages that is qualified to receive the tag of the tagging operation.

9. A non-transitory computer-readable medium encoded with machine-readable instructions that implement a method carried out by one or more processors of a computer system to perform the operations comprising: determining tags each event type of a block of untagged log messages is qualified to receive, the block of untagged log messages generated by the event source; performing event-type analysis on a log message generated by the event source to identify an event type of the log message; determining an event type of the block of untagged log messages that matches the event type of the log message; applying a series of tagging operations to tokens or sequences of tokens of the log message to generate a tagged log message, each tagging operation applying a tag to a token or a sequence of tokens of the log message when the event type of the log message matches an event type of the block of untagged log messages that is qualified to receive the tag; and storing the tagged log message in a data-storage device.

10. The medium of claim 9 wherein determining the tags each event type of log messages in the block of log messages are qualified to receive comprises: applying event-type analysis to each log message of the block of untagged log messages; for each event type, determine log messages with the same event type in the block of untagged log messages; applying the series of tagging operations to each log message in the block of untagged log messages; and for each tag and for each event type, determining a count of the log messages with the same event type and with tokens or sequences of tokens that received the same tag; computing a fraction of log messages with the same event type and the same tag as a
where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting · CPC title
Storage of error reports, e.g. persistent data storage, storage using memory protection · CPC title
using logs of notifications; Post-processing of notifications · CPC title
comprising network management agents or mobile agents therefor · CPC title
Additional information in the notification, e.g. enhancement of specific meta-data · CPC title