The present invention relates to a log message grouping apparatus, a log message grouping system, and a log message grouping method that assist analysis of a log outputted by an information system.
An information system formed of software outputs a log containing a recorded log message showing the action state and other factors of the information system. In general, when system abnormality, such as failure, occurs in the information system, an operator of the information system analyzes the log outputted from the information system to locate a root cause of the system abnormality.
In the log analysis, only a log message clearly representing failure or a symptom thereof, such as an error or a warning, does not allow identification of a root cause of the system abnormality in some cases. The operator therefore extracts, from an enormous number of log messages contained in the log, for example, a first log message showing failure, a symptom thereof, and other factors and a second log message highly associated with the first log message and identifies a root cause by using the extracted log messages.
To extract the second log message associated with the first log message from the enormous number of log messages, a technology for assisting analysis of the log messages by associating the log messages with one another as a group is disclosed, for example, in International Publication No. 2016/132717 and Japanese Patent Laid-Open No. 2016-76020.
International Publication No. 2016/132717 discloses a technology for grouping log messages outputted when a target system is normally operating as a normal pattern that is the combination or time-course order of the log messages, analyzing a log by comparing the log with the normal pattern, storing a pattern that does not match with the normal pattern as an abnormal pattern, and analyzing other logs by using the normal pattern and the abnormal pattern.
Japanese Patent Laid-Open No. 2016-76020 discloses a technology for acquiring a sentence that describes a plurality of messages from a document associated with an output origin apparatus having outputted the plurality of messages and grouping messages associated with one another into a single group on the basis of the acquired description sentence.