A system manager refers to the event logs of a system to analyze a fault in the system. If a single fault cause produces a great number of event logs in a chain reaction, or if a plurality of faults occur simultaneously, a great number of event logs are output. In this case, it is difficult for the system manager to analyze each event log individually to identify the fault, and the identification of the fault therefore depends on the skill of the system manager. Consequently, a technique is known that helps a system manager identify a fault easily by relating a plurality of event logs to each other to clarify the relationships among the event logs.
Japanese patent application JP 2005-216148 A (Patent literature 1) discloses an invention regarding an event analysis device, an event analysis method and an event analysis program that analyze events occurring in a computer-based control system of a chemical plant or the like. An alarm described in JP 2005-216148 A (Patent literature 1) can be treated as having the same meaning as an event or an event log in the description of the present invention. Thus, hereinafter, the alarm is called the event. An embodiment of this invention is described, for example, as follows. 24 hours is divided minute by minute into 1440 divisions, and a relationship between an event 1 and an event 2 is searched for in the resulting data of 1440 samples. First, for the event 1, each division is assigned “1” if the event 1 occurs in the division and “0” if it does not, so that a bit sequence of 1440 bits is created. Similarly, a bit sequence of 1440 bits is created for the event 2. Next, the event 1 is used as a reference, and Δt is taken to be the difference between the occurrence times of the events 1 and 2. Then, for example, in the time band −100 ≤ Δt ≤ +100, a logical AND is executed between the bit sequence of the event 1 and the bit sequence of the event 2 shifted by the time difference Δt with respect to the bit sequence of the event 1. The number of bits that are “1” in the result of the logical AND is defined as the relationship value. In this range of Δt, 201 relationship values are calculated. Next, the maximum of the 201 relationship values is defined as the maximum relationship value. Then, the event 1 and the event 2 are related to each other at the occurrence time difference where the maximum relationship value occurs.
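The relationship-value search described above, as an added Python example (not code from this document or from JP 2005-216148 A). The function names, the constructed occurrence minutes, the dropping of bits shifted past either end of the day, and the tie-break toward the smallest |Δt| are assumptions.

```python
SLOTS = 1440  # 24 hours divided into one-minute divisions

def to_bits(minutes, slots=SLOTS):
    """Bit i is 1 if the event occurred in division i, else 0."""
    bits = 0
    for m in minutes:
        if not 0 <= m < slots:
            raise ValueError(f"minute {m} outside 0..{slots - 1}")
        bits |= 1 << m
    return bits

def relationship_value(ref, other, dt, slots=SLOTS):
    """Number of divisions t where ref has 1 at t and other has 1 at t + dt."""
    mask = (1 << slots) - 1
    # Align division t + dt of `other` with division t of `ref`.
    # Assumption: bits shifted past either end of the day are dropped (no wrap).
    aligned = other >> dt if dt >= 0 else (other << -dt) & mask
    return bin(ref & aligned).count("1")

def max_relationship(ref, other, max_dt=100, slots=SLOTS):
    """Return (best_dt, maximum relationship value, all values keyed by dt)."""
    values = {dt: relationship_value(ref, other, dt, slots)
              for dt in range(-max_dt, max_dt + 1)}
    # Assumption: ties are broken toward the smallest |dt|.
    best_dt = max(values, key=lambda d: (values[d], -abs(d)))
    return best_dt, values[best_dt], values

# Constructed sample data: event 2 follows event 1 by 3 minutes five times,
# event 1 occurs once alone (1300) and event 2 once alone (900).
EVENT1_MINUTES = [30, 200, 415, 700, 1000, 1300]
EVENT2_MINUTES = [33, 203, 418, 703, 900, 1003]

def demo():
    return max_relationship(to_bits(EVENT1_MINUTES), to_bits(EVENT2_MINUTES))

if __name__ == "__main__":
    best_dt, best, values = demo()
    print(f"{len(values)} relationship values, maximum {best} at dt={best_dt:+d}")
```
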
Since the probability of the maximum relationship value varies depending on the number of occurrences of the event 1 and the event 2, this probability is defined as an independent probability. The lower the independent probability is, the more strongly the two events are judged to be related. When the cluster analysis is performed on the events, the independent probabilities are calculated for all combinations of the events, and the independent probability is defined as the dissimilarity. Then, a similarity is obtained as the difference between “1” and the dissimilarity. After that, the cluster analysis is performed based on the similarity, and the related events are classified.
According to the method of the invention in JP 2005-216148 A (Patent literature 1), the similarity is defined based on the independent probability, and then the cluster analysis is performed. However, since the independent probability depends on the number of occurrences of the events, one problem is that the relationship between events caused by a fault whose occurrence frequency is low is masked by a fault whose occurrence frequency is high, and is therefore overlooked. For example, assume that the event 1 and the event 2 occur as chained events 10 times from the fault A in the same time division, and that the event 1 and the event 3 occur as chained events 100 times from the fault B in the same time division. In this case, the fault B occurs many times, and the fault A has a low occurrence frequency compared with the fault B. In the invention in JP 2005-216148 A (Patent literature 1), when the independent probability of the event 1 and the event 2 of the fault A is considered, if the event 1 occurs 110 times, the event 1 and the event 2 occur simultaneously 10 times. Therefore, the independent probability of the event 1 and the event 2 of the fault A is high. When the occurrence frequency of the event 1 is calculated by summing over all time divisions, the independent probability of the event 1 and the event 2 becomes higher still. Thus, there is a high probability that the event 1 and the event 2 are deemed not to be related to each other.
In addition, when a fault analysis rule, which relates event logs that are each supposed to occur from the same fault, is extracted from an event log file, the following problem generally arises. Even if the event occurrence pattern of a fault has a high occurrence frequency, when the event occurrence pattern of another fault is mixed in, the properties of the event occurrence pattern are averaged out. Therefore, a fault analysis rule of a fault whose occurrence frequency is high cannot be extracted.
To solve these problems, a system manager is required to input the relationship between each fault and its events, divide the events by fault, and relate the event logs. Since this division is performed by hand, it takes many man-hours. In addition, there is another problem that the division cannot be performed by hand unless know-how regarding the fault has been accumulated.