A complex virtual machine network may include several clusters of individual host computers (hosts), with each host supporting hundreds of virtual machines (VMs). To keep track of the functionality of each object in the VM network, such as VMs and hosts, various events and activities in the VM network are recorded in log files. Log files are typically stored as simple text in a single file, which can then be filtered and/or searched to understand the cause of a problem. Log files can take many forms, including, for example, event logs or message logs, and can be created in many different ways. For example, when a new VM or host is added to the VM network, or when VMs are migrated to a new host, event logs may be generated and written to a log file by an application running on the object or by a subsystem that is part of each object.
If a problem arises in the VM network, a system administrator can review entries in the log files to determine the root cause of the problem. For example, if VMs are found to be inaccessible, then a system administrator might review the log files and determine that the corresponding host is nonresponsive. However, a complex VM network can generate a large volume of log data entries for review (e.g., hundreds of gigabytes of log files in just a few minutes). To reduce the size of log files, codes or abbreviations are used for data entries rather than spelling out the full details in each entry. For example, log data entries often include representative codes that correspond to more complete error messages in a file that is separate from the log file. When reviewing log files that use representative codes to find the cause of a problem, it can be difficult to understand the contents of a log file without first translating the log file. Translating an entire log file can be extremely time-consuming or practically impossible, and important information can be missed if less than the entire log file is translated.
To simplify the review process, log data entries in a log file are often graphically displayed and filtered based on some metric. Typically, the filtering of log data entries is limited to log data entry types (e.g., vxpol, vmkernel, or shell) or the time the log data entry was made. However, filtering cannot always be used to limit the displayed log data entries to just the entries related to the problem. Often, when reviewing log data entries, system administrators must rely on experience and creativity, which can make finding the root cause of the problem very difficult, particularly if there are multiple contributing factors. Thus, there is a need for a way to manage log file data related to complex VM networks in an efficient manner that does not rely so heavily on the experience and creativity of a system administrator to find related log data entries and to determine the root cause of a problem.