Malware Detection and Prevention by Monitoring and Modifying a Hardware Pipeline
US-2015101048-A1 · Apr 9, 2015 · US
US2017013003A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2017013003-A1 |
| Application number | US-201315033144-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 14, 2013 |
| Priority date | Dec 14, 2013 |
| Publication date | Jan 12, 2017 |
| Grant date | — |
Official abstract text for this publication.
In one example implementation, a log analysis system can comprise an activity engine to monitor user activity of a computer system, a baseline engine to generate an expected baseline of a log, and an abnormality engine to compare the log to the expected baseline to identify an abnormality, compare the abnormality to a user activity volume based on a correlation between the user activity volume and the log activity, and classify the log.
Opening claim text (preview).
What is claimed is:

1. A log analysis system comprising: an activity engine to monitor user activity of a computer system; a baseline engine to generate an expected baseline of a log based on historical log activity; and an abnormality engine to: compare the log to the expected baseline to identify an abnormality; compare the abnormality to a user activity volume based on a correlation between the user activity volume and the log activity; and classify the log based on the abnormality, the correlation, and the user activity volume.

2. The log analysis system of claim 1, wherein the baseline engine is to: adjust the expected baseline based on the user activity volume.

3. The log analysis system of claim 1, comprising a template engine to identify a log template based on a log entry of the log, wherein the expected baseline is based on a seasonal effect of the log and the log template.

4. The log analysis system of claim 3, wherein the abnormality engine is to: create a graph based on the log template, the graph to represent a number of log entries associated with the log template; and compare the graph to the expected baseline, the abnormality being the difference between the graph and the expected baseline.

5. The log analysis system of claim 1, comprising: a display engine to cause a display of the abnormality and a classification of the log.

6. A computer readable storage medium comprising a set of instructions executable by a processor resource to: generate a first graph, the first graph to represent an expected baseline of log activity of a computer system based on a log template of the log activity and a seasonal effect of the log activity; generate a second graph, the second graph to represent a user activity volume of the computer system; compare the first graph to the second graph to identify a correlation between the expected baseline and the user activity volume; and score the log activity based on the expected baseline, the correlation, and the user activity volume.

7. The medium of claim 6, wherein the expected baseline comprises: a degree of relatedness among log activity based on a text template; and wherein the seasonal effect is based on a time-dependent pattern of the log template.

8. The medium of claim 6, wherein the set of instructions executable to generate a second graph comprise instructions executable by the processor to: monitor the user activity volume of the computer system; and wherein the set of instructions executable to generate a first graph comprise instructions executable by the processor to: normalize the seasonal effect of the expected baseline based on the user activity volume; and wherein the set of instructions to compare the first graph to the second graph includes using data provided by a real user monitor to determine the correlation between the user activity.

9. The medium of claim 6, wherein the set of instructions is executable by the processor to: cause a display of the log activity with an identifier associated with an abnormality of the log activity and the score of the log activity; wherein the set of instructions executable to compare the first graph and the second graph comprise instructions executable by the processor to: identify the abnormality based on the correlation and the difference between the first graph and the log activity.

10. The medium of claim 9, wherein the identifier indicates the degree of abnormality based on a context of the log and a severity of the abnormality, the context of the log to include the correlation of the log based on a degree of user activity volume on the log.

11. A method for analyzing a log comprising: identifying a log template based on a set of entries of the log; generating a baseline graph associated with expected log activity based on the log template; generating a user activity graph associated with a volume of user activity; comparing the user activity graph to the baseline graph to identify a correlation between the log template and the volume of user activity; comparing a potential abnormality of the log to the volume of user activity associated with the log, the potential abnormality being a difference between the log and the baseline; and visually indicating a log status based on the correlation between the potential abnormality and the volume of user activity.

12. The method of claim 11, comprising: clustering a set of entries of the log based on a text template to identify the log template; identifying a seasonal effect of the log activity; and identifying a number of the set of entries associated with the log template.

13. The method of claim 12, comprising: mapping a log template count of the log to a log graph based on a number of the set of entries associated with the log template; comparing the log graph to the baseline to identify the potential abnormality; and causing to present the log as a node in a map, the map to contain nodes having a color based on the abnormality associated with the log template and the correlation.

14. The method of claim 11, comprising at least one of: identifying the log is impacted by the volume of user activity; and identifying the user activity to impact the log.

15. The method of claim 11, comprising: estimating the volume of log activity based on a degree of granularity; and providing a degree of abnormality of the log based on the volume of user activity.
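As an added illustration (example code written here, not code from the patent or its assignee), the following Python sketches the pipeline claims 1-4 and 11-12 describe: entries are clustered into log templates, a seasonal per-hour baseline is built from past days, the baseline of a template that historically tracks user-activity volume is rescaled by today's volume, and the remaining difference is scored as an abnormality. All history, user-volume figures and log entries are constructed; the correlation threshold `r_min` and the tolerance `k` are assumed tuning parameters.

```python
import math, re
from statistics import mean, pstdev

# Constructed history: hourly counts (6 buckets) over 3 past days, keyed by log template.
HIST_USERS = [[10, 20, 40, 40, 20, 10], [12, 18, 42, 38, 22, 8], [8, 22, 38, 42, 18, 12]]
HIST_LOGS = {"login ok user=<N>": [[5, 10, 20, 20, 10, 5], [6, 9, 21, 19, 11, 4], [4, 11, 19, 21, 9, 6]],
             "db timeout after <N>ms": [[2, 2, 2, 2, 2, 2], [1, 3, 2, 2, 3, 1], [3, 1, 2, 2, 1, 3]]}
TODAY_USERS = [10, 20, 80, 40, 20, 10]  # legitimate traffic spike in hour 2
TODAY_LOG = [(h, f"login ok user={h * 100 + i}")  # constructed (hour, message) entries
             for h, n in enumerate([5, 10, 40, 20, 10, 5]) for i in range(n)]
TODAY_LOG += [(h, f"db timeout after {h * 100 + i}ms")  # spike in hour 3 not tied to users
              for h, n in enumerate([2, 2, 2, 9, 2, 2]) for i in range(n)]

def template_of(message):
    """Cluster entries into a log template by masking variable numeric fields."""
    return re.sub(r"\d+", "<N>", message)

def template_counts(entries, hours):
    """Per-template hourly counts (the 'log graph' of claim 4)."""
    counts = {}
    for hour, message in entries:
        counts.setdefault(template_of(message), [0] * hours)[hour] += 1
    return counts

def baseline(day_series):
    """Seasonal (hour-of-day) expected count and its spread across past days."""
    per_hour = list(zip(*day_series))
    return [mean(h) for h in per_hour], [pstdev(h) for h in per_hour]

def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx, vy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0

def analyze(entries, hist_logs, hist_users, today_users, r_min=0.8, k=3.0):
    """Score each template per hour: deviation from baseline, with the baseline rescaled
    by today's user volume when the template historically tracks user activity."""
    user_base, _ = baseline(hist_users)
    hours, report = len(user_base), {}
    for template, observed in template_counts(entries, hours).items():
        expected, spread = baseline(hist_logs.get(template, [[0] * hours]))  # unseen template: zero baseline
        r = pearson(expected, user_base)  # does this template track user volume?
        abnormality, status = [], []
        for h in range(hours):
            exp_h = expected[h] * (today_users[h] / max(user_base[h], 1) if r >= r_min else 1)
            abnormality.append(round(observed[h] - exp_h, 1))
            status.append("normal" if abs(abnormality[-1]) <= k * max(spread[h], 1.0) else "abnormal")
        report[template] = {"correlation": round(r, 2), "abnormality": abnormality, "status": status}
    return report
```

With the constructed data, the login spike in hour 2 is explained by the matching rise in user volume and stays "normal", while the timeout spike in hour 3, whose template shows no correlation with users, is flagged; passing `r_min=2.0` disables the rescaling and shows the login spike would otherwise be a false positive.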
CPC classification titles:

- Root cause analysis, i.e. error or fault diagnosis (in a hardware test environment G06F11/22; in a software test environment G06F11/36)
- Monitoring of user actions (tracking the activity of the user H04L67/535)
- Data logging (G06F11/14, G06F11/2205 take precedence)
- Traffic logging, e.g. anomaly detection
- Data acquisition and logging (for input to computer G06F3/00)