METHODS AND SYSTEMS TO IDENTIFY LOG WRITE INSTRUCTIONS OF A SOURCE CODE AS SOURCES OF EVENT MESSAGES

    Publication number: US20180095731A1

    Publication date: 2018-04-05

    Application number: US15286291

    Application date: 2016-10-05

    Applicant: VMware, Inc.

    CPC classification number: G06F8/34 G06F9/5077 G06F9/542

    Abstract: Methods and systems to identify log write instructions of a source code as potential sources of an event message of interest are described. Methods identify non-parametric tokens, such as text strings and natural language words and phrases, of an event message of interest. Candidate log write instructions and associated line numbers in a source code are identified. Non-parametric tokens of each event message of the one or more candidate log write instructions are determined. A confidence score is calculated for each candidate log write instruction based on the number of non-parametric tokens the event message of interest and event message of the candidate log write instruction have in common. The candidate log write instructions are rank ordered based on the corresponding one or more confidence scores and the rank ordered candidate log write instructions and associated line numbers of the source code may be displayed in a graphical user interface.

    METHOD AND SYSTEM FOR CLUSTERING AND PRIORITIZING EVENT MESSAGES
    Invention application (status: under examination, published)

    Publication number: US20150370799A1

    Publication date: 2015-12-24

    Application number: US14319057

    Application date: 2014-06-30

    Applicant: VMware, Inc.

    CPC classification number: G06F16/285 H04L41/046 H04L41/069 H04L43/16

    Abstract: The current document is directed to methods and systems for processing, classifying, and efficiently storing large volumes of event messages generated in modern computing systems. In a disclosed implementation, received event messages are assigned to clusters based on metrics computed for the event messages. In addition, a significance value is determined for each received event message. When the significance value exceeds a threshold value, one or more actions are taken, including marking an event record corresponding to the event message, storing an event record corresponding to the event message in a significant-event log, and generating a notice or alarm.

    Processes and systems that detect abnormal behavior of objects of a distributed computing system

    Publication number: US11481300B2

    Publication date: 2022-10-25

    Application number: US16391668

    Application date: 2019-04-23

    Applicant: VMware, Inc.

    Abstract: Automated processes and systems for detecting abnormally behaving objects of a distributed computing system are described. Processes and systems obtain metrics that are generated in a historical time window and are associated with an object of the distributed computing system. Processes and systems use the metrics to compute a time-dependent system indicator over the historical time window. Each value of the system indicator corresponds to a point in time of the historical time window when the object was in a normal or an abnormal state. Processes and systems use the normal and abnormal states of the system indicator in the historical time window to train a state classifier that is used to detect run-time abnormal behavior of the object. When the state classifier identifies abnormal behavior of the object, an alert is generated, indicating the abnormal behavior of the object.

    Method and system for clustering event messages and manage event-message clusters

    Publication number: US11316727B2

    Publication date: 2022-04-26

    Application number: US16827457

    Application date: 2020-03-23

    Applicant: VMware, Inc.

    Abstract: The current document is directed to methods and systems that process, classify, efficiently store, and display large volumes of event messages generated in modern computing systems. In a disclosed implementation, received event messages are assigned to event-message clusters based on non-parameter tokens identified within the event messages. A parsing function is generated for each cluster that is used to extract data from incoming event messages and to prepare event records from event messages that more efficiently and accessibly store event information. The parsing functions also provide an alternative basis for assignment of event messages to clusters. Event types associated with the clusters are used for gathering information from various information sources with which to automatically annotate event messages displayed to system administrators, maintenance personnel, and other users of event messages.

    Methods and systems to determine baseline event-type distributions of event sources and detect changes in behavior of event sources

    Publication number: US11182267B2

    Publication date: 2021-11-23

    Application number: US16655883

    Application date: 2019-10-17

    Applicant: VMware, Inc.

    Abstract: Automated methods and systems to determine a baseline event-type distribution of an event source and use the baseline event-type distribution to detect changes in the behavior of the event source are described. In one implementation, blocks of event messages generated by the event source are collected and an event-type distribution is computed for each block of event messages. Candidate baseline event-type distributions are determined from the event-type distributions. The candidate baseline event-type distribution has the largest entropy of the event-type distributions. A normal discrepancy radius of the event-type distributions is computed from the baseline event-type distribution and the event-type distributions. A block of run-time event messages generated by the event source is collected. A run-time event-type distribution is computed from the block of run-time event messages. When the run-time event-type distribution is outside the normal discrepancy radius, an alert is generated indicating abnormal behavior of the event source.

    METHODS AND SYSTEMS FOR TROUBLESHOOTING APPLICATIONS USING STREAMING ANOMALY DETECTION

    Publication number: US20210141900A1

    Publication date: 2021-05-13

    Application number: US16682549

    Application date: 2019-11-13

    Applicant: VMware, Inc.

    Abstract: Computational methods and systems for detecting and troubleshooting anomalous behavior in distributed applications executing in a distributed computing system are described herein. Methods and systems discover nodes comprising the application. Anomaly detection monitors the metrics associated with the nodes for anomalous behavior in order to identify an approximate point in time when anomalous behavior begins to adversely impact performance of the application. Anomaly detection also monitors log messages associated with the nodes to detect anomalous behavior recorded in the log messages. When anomalous behavior is detected in either the metrics and/or the log messages, an alert identifying the anomalous behavior is generated. Troubleshooting guides an administrator and/or application owner to investigate the root cause of the anomalous behavior. Appropriate remedial measures may be determined based on the root cause and automatically or manually executed to correct the problem.

    Methods and systems to tag tokens in log messages

    Publication number: US10740211B2

    Publication date: 2020-08-11

    Application number: US15824781

    Application date: 2017-11-28

    Applicant: VMware, Inc.

    Abstract: This disclosure is directed to tagging tokens or sequences of tokens in log messages generated by a logging source. Event types of log messages in a block of log messages are collected. A series of tagging operations are applied to each log message in the block. For each tagging operation, event types that are qualified to receive the corresponding tag are identified. When a log message is received, the event type is determined and compared with the event types of the block in order to identify a matching event type. The series of tagging operations are applied to the log message to generate a tagged log message with the restriction that each tagging operation only applies a tag to a token or sequences of tokens when the event type is qualified to receive the tag. The tagged log message is stored in a data-storage device.

    METHODS AND SYSTEMS THAT DETECT AND CLASSIFY INCIDENTS AND ANOMOLOUS BEHAVIOR USING METRIC-DATA OBSERVATIONS

    Publication number: US20200183769A1

    Publication date: 2020-06-11

    Application number: US16214272

    Application date: 2018-12-10

    Applicant: VMware, Inc.

    Abstract: The current document is directed to methods and systems for detecting the occurrences of abnormal events and operational behaviors within the distributed computer system. The currently described methods and systems continuously collect metric data from various metric-data sources, generate a sequence of metric-data observations, each metric-data observation comprising a set of temporally aligned metric data, and employ principal-component analysis to transform the metric-data observations to facilitate reduction of the dimensionality of the metric-data observations. The currently described methods and systems then employ clustering methods to identify outlying transformed-metric-data observations, accordingly label the transformed metric-data observations to generate a training dataset, and then apply one or more of various types of machine-learning techniques to the training dataset in order to generate an abnormal-observation detector that can be used to detect, in real time, abnormal metric-data observations as they are generated within the distributed computing system.

    Methods and systems to identify anomalous behaving components of a distributed computing system

    Publication number: US10572329B2

    Publication date: 2020-02-25

    Application number: US15375386

    Application date: 2016-12-12

    Applicant: VMware, Inc.

    Abstract: Methods and systems described herein are directed to identifying anomalous behaving components of a distributed computing system. Methods and systems collect log messages generated by a set of event log sources running in the distributed computing system within an observation time window. Frequencies of various types of event messages generated within the observation time window are determined for each of the log sources. A similarity value is calculated for each pair of event sources. The similarity values are used to identify similar clusters of event sources of the distributed computing system for various management purposes. Components of the distributed computing system that are used to host the event source outliers may be identified as potentially having problems or may be an indication of future problems.