METHODS AND SYSTEMS TO TAG TOKENS IN LOG MESSAGES

    Publication No.: US20190163603A1

    Publication Date: 2019-05-30

    Application No.: US15824781

    Application Date: 2017-11-28

    Applicant: VMware, Inc.

    Abstract: This disclosure is directed to tagging tokens or sequences of tokens in log messages generated by a logging source. Event types of log messages in a block of log messages are collected. A series of tagging operations are applied to each log message in the block. For each tagging operation, event types that are qualified to receive the corresponding tag are identified. When a log message is received, the event type is determined and compared with the event types of the block in order to identify a matching event type. The series of tagging operations are applied to the log message to generate a tagged log message with the restriction that each tagging operation only applies a tag to a token or sequence of tokens when the event type is qualified to receive the tag. The tagged log message is stored in a data-storage device.

    EFFICIENT LOG-FILE-BASED QUERY PROCESSING
    Invention application

    Publication No.: US20190155953A1

    Publication Date: 2019-05-23

    Application No.: US15816434

    Application Date: 2017-11-17

    Applicant: VMware, Inc.

    Abstract: The current document is directed to systems, and methods incorporated within the systems, that execute queries against log-file entries. A monitoring subsystem within a distributed computer system uses query results during analysis of log-file entries in order to detect changes in the state of the distributed computer system, identify problems or potential problems, and predict and forecast system characteristics. Because of the large numbers of log-file-entry containers that may need to be opened and processed in order to execute a single query, and because opening and reading through the entries in a log-file-entry container is a computationally expensive and time-consuming operation, the currently disclosed systems employ event-type metadata associated with log-file-entry containers to avoid opening and reading through the log-file entries of log-file-entry containers that do not contain log-file entries with event types relevant to the query.

    Method and system for clustering event messages and managing event-message clusters

    Publication No.: US10120928B2

    Publication Date: 2018-11-06

    Application No.: US14318968

    Application Date: 2014-06-30

    Applicant: VMware, Inc.

    Abstract: The current document is directed to methods and systems for processing, classifying, and efficiently storing large volumes of event messages generated in modern computing systems. In a disclosed implementation, received event messages are assigned to event-message clusters based on non-parameter tokens identified within the event messages. A parsing function is generated for each cluster that is used to extract data from incoming event messages and to prepare event records from event messages that more efficiently and accessibly store event information. The parsing functions also provide an alternative basis for assignment of event messages to clusters.

    Methods and systems to detect anomalies in computer system behavior based on log-file sampling

    Publication No.: US10116675B2

    Publication Date: 2018-10-30

    Application No.: US14963100

    Application Date: 2015-12-08

    Applicant: VMware, Inc.

    Abstract: Methods and systems that detect computer system anomalies based on log file sampling are described. Computer systems generate log files that record various types of operating system and software run events in event messages. For each computer system, a sample of event messages is collected in a first time interval and a sample of event messages is collected in a recent second time interval. Methods calculate a difference between the event messages collected in the first and second time intervals. When the difference is greater than a threshold, an alert is generated. The process of repeatedly collecting a sample of event messages in a recent time interval, calculating a difference between the event messages collected in the recent and previous time intervals, comparing the difference to the threshold, and generating an alert when the threshold is violated may be executed for each computer system of a cluster of computer systems.

    METHOD AND SYSTEM FOR IDENTIFYING EVENT-MESSAGE TRANSACTIONS

    Publication No.: US20180165173A1

    Publication Date: 2018-06-14

    Application No.: US15379005

    Application Date: 2016-12-14

    Applicant: VMware, Inc.

    Abstract: The current document is directed to methods and systems that process, classify, efficiently store, and display large volumes of event messages generated in modern computing systems. In a disclosed implementation, event messages are assigned types and transformed into event records with well-defined fields that contain field values. Recurring patterns of event messages, referred to as “transactions,” are identified within streams or sequences of time-associated event messages and streams or sequences of time-associated event records.

    METHOD AND SYSTEM FOR CLUSTERING EVENT MESSAGES AND MANAGING EVENT-MESSAGE CLUSTERS
    Invention application
    Status: Under examination (published)

    Publication No.: US20160373293A1

    Publication Date: 2016-12-22

    Application No.: US15251481

    Application Date: 2016-08-30

    Applicant: VMware, Inc.

    Abstract: The current document is directed to methods and systems that process, classify, efficiently store, and display large volumes of event messages generated in modern computing systems. In a disclosed implementation, received event messages are assigned to event-message clusters based on non-parameter tokens identified within the event messages. A parsing function is generated for each cluster that is used to extract data from incoming event messages and to prepare event records from event messages that more efficiently and accessibly store event information. The parsing functions also provide an alternative basis for assignment of event messages to clusters. Event types associated with the clusters are used for gathering information from various information sources with which to automatically annotate event messages displayed to system administrators, maintenance personnel, and other users of event messages.

    Methods and systems for troubleshooting applications using streaming anomaly detection

    Publication No.: US11640465B2

    Publication Date: 2023-05-02

    Application No.: US16682549

    Application Date: 2019-11-13

    Applicant: VMware, Inc.

    Abstract: Computational methods and systems for detecting and troubleshooting anomalous behavior in distributed applications executing in a distributed computing system are described herein. Methods and systems discover nodes comprising the application. Anomaly detection monitors the metrics associated with the nodes for anomalous behavior in order to identify an approximate point in time when anomalous behavior begins to adversely impact performance of the application. Anomaly detection also monitors log messages associated with the nodes to detect anomalous behavior recorded in the log messages. When anomalous behavior is detected in the metrics and/or the log messages, an alert identifying the anomalous behavior is generated. Troubleshooting guides an administrator and/or application owner to investigate the root cause of the anomalous behavior. Appropriate remedial measures may be determined based on the root cause and automatically or manually executed to correct the problem.

    PROBABILITY-DISTRIBUTION-BASED LOG-FILE ANALYSIS

    Publication No.: US20210160307A1

    Publication Date: 2021-05-27

    Application No.: US17165809

    Application Date: 2021-02-02

    Applicant: VMware, Inc.

    Abstract: The current document is directed to systems, and methods incorporated within the systems, that carry out probability-distribution-based analysis of log-file entries. A monitoring subsystem within a distributed computer system uses probability-distribution-based analysis of log-file entries to detect changes in the state of the distributed computer system. A log-file-analysis subsystem within a distributed computer system uses probability-distribution-based analysis of log-file entries to identify subsets of log-file entries that predict anomalies and impending problems in the distributed computer system. In many implementations, a numerical comparison of probability distributions of log-file-entry types is used to detect state changes in the distributed computer system.

    Methods and systems for identifying application components in distributed computing facilities

    Publication No.: US10891148B2

    Publication Date: 2021-01-12

    Application No.: US15998680

    Application Date: 2018-08-15

    Applicant: VMware, Inc.

    Abstract: The current document is directed to automated methods and systems that employ unsupervised-machine-learning approaches as well as rule-based systems to discover distributed applications within distributed-computing environments. These automated methods and systems provide a basis for higher-level distributed-application administration and management tools and subsystems that provide distributed-application-level user interfaces and operations. In one implementation, the currently disclosed methods and systems employ agents within virtual machines that execute routines and programs and that together comprise a distributed application to continuously furnish information about the virtual machines to a pipeline of stream processors that collect and filter the information to provide for periodic application-discovery. The stream processors generate data representations of the processes currently running on the virtual machines and data representations of the communications connections between the virtual machines. An application-discovery subsystem periodically employs these data representations, and additional data derived from them, to identify the different distributed applications running within a distributed-computing facility and to identify tiers of virtual-machine nodes within each identified distributed application. This, in turn, allows the application-discovery subsystem to generate sets of delta changes for the discovered applications after each periodic application discovery.