The present disclosure relates to information technology (IT) systems, and more specifically, to methods, systems and computer program products for user configurable message anomaly scoring in an IT system to identify unusual activity.
Today's complex IT systems, such as integrated data centers, require a team of experts to monitor various system messages for abnormal behavior, and to diagnose and fix anomalies before they result in system failures and outages. These tasks are costly and difficult for many reasons, including the fact that a variety of everyday changes can cause system anomalies in the operation of the IT system. In typical complex IT systems, the number of status messages created by the components of the IT system far exceeds what can reasonably be read and analyzed by the team of IT experts. As a result, automated systems have been developed for reviewing and filtering these status messages.
Currently available automated systems for reviewing status messages are configured by a domain expert, who uses domain knowledge about the system to identify subsets of messages as critical, important, interesting, or uninteresting (noise) and then assigns an arbitrary score to each message based on its classification. In some systems, the messages are then grouped into intervals and a combined score is calculated for each interval. If the calculated score of an interval is greater than an arbitrarily fixed level, the interval is marked as unusual. Once an interval is marked as unusual, it is selected for further analysis by one of the systems experts.
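The conventional scheme described above, sketched as an added example that is not part of the original disclosure. The message IDs, class scores, 10-minute interval, use of a sum as the combined score, threshold value and log format are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed expert classification per message ID (IDs are constructed).
CLASS_OF = {"DSK001E": "critical", "NET014W": "important",
            "JOB200I": "interesting", "HRT000I": "noise"}
# Arbitrary per-class scores; the values are assumptions.
SCORE_OF = {"critical": 50, "important": 10, "interesting": 2, "noise": 0}
UNCLASSIFIED_SCORE = 0  # assumption: IDs the expert never classified add nothing
INTERVAL_MINUTES = 10   # assumption; must divide 60 for the bucketing below
THRESHOLD = 60          # the "arbitrarily fixed level"; value is an assumption

# Constructed sample log, format "<ISO timestamp> <message id> <text>".
SAMPLE_LOG = """\
2024-01-01T00:01:10 HRT000I heartbeat ok
2024-01-01T00:03:42 JOB200I batch job started
2024-01-01T00:07:05 NET014W link retransmits rising
2024-01-01T00:12:00 HRT000I heartbeat ok
2024-01-01T00:13:30 DSK001E disk write failure
2024-01-01T00:14:02 NET014W link retransmits rising
2024-01-01T00:15:47 NET014W link retransmits rising
2024-01-01T00:21:00 ZZZ999X never classified by the expert
"""

def score_intervals(log_text):
    """Return {interval start (ISO string): combined score}, summing per message."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        # Truncate the timestamp to the start of its fixed-width interval.
        minute = ts.minute // INTERVAL_MINUTES * INTERVAL_MINUTES
        start = ts.replace(minute=minute, second=0, microsecond=0)
        cls = CLASS_OF.get(parts[1])
        totals[start.isoformat()] += SCORE_OF.get(cls, UNCLASSIFIED_SCORE)
    return dict(totals)

def unusual_intervals(log_text, threshold=THRESHOLD):
    """Intervals whose combined score is greater than the fixed level."""
    scores = score_intervals(log_text)
    return sorted(k for k, v in scores.items() if v > threshold)

if __name__ == "__main__":
    print(score_intervals(SAMPLE_LOG))
    print(unusual_intervals(SAMPLE_LOG))
```

The unclassified `ZZZ999X` message contributes nothing under this assumption, so its interval is never flagged, however unusual that message may be.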