AUTOMATIC IDENTIFICATION AND TRACKING OF LOG ENTRY SCHEMAS CHANGES

摘要

A log analysis unit compares log entries describing an event to one or more schemas associated with the event. Each of the schemas describes a different log entry structure. When a log entry is determine to have a structure that does not match any of the structures defined by any of the schemas associated with a particular event, a new schema describing the structure of the log entry is generated. In response to the generation of the new schema, one or more entities are notified. Additionally, instructions for processing log entries adhering to the new schema are generated. A cumulative schema and an intersection schema corresponding to the event are also generated.

主权项

1. A method comprising:
obtaining a first log entry in a log, wherein the first log entry describes a first occurrence of a particular event; wherein data within the first log entry is organized according to a first structure; in the absence of any schema that accurately describes the first structure, generating, based on the first log entry, a first schema describing the first structure; storing the first schema; obtaining a second log entry in the log, wherein the second log entry describes a second occurrence of the particular event; wherein data within the second log entry is organized according to a second structure; determining that the second structure does not match the first structure; in response to determining that the second structure does not match the first structure, generating, based on the second log entry, a second schema describing the second structure; storing the second schema; generating, based on a plurality of schemas for the particular event, a cumulative schema corresponding to the particular event; wherein the plurality of schemas includes at least the first schema and the second schema; wherein the cumulative schema describes each field of each of the plurality of schemas; and wherein the method is performed by one or more computing devices.