Information processing device and program

The information processing device automates event classification by identifying event locations and determining similarity, enhancing troubleshooting and system monitoring efficiency.

WO2026140082A1PCT designated stage Publication Date: 2026-07-02NT T INC

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
NT T INC
Filing Date
2024-12-24
Publication Date
2026-07-02

AI Technical Summary

Technical Problem

Existing systems require manual classification of event information and operation history, leading to inefficiencies and variations in classification results, which prolong troubleshooting and system monitoring.

Method used

An information processing device and program that automates the classification of events by identifying event locations in operation logs, extracting operation logs as snapshots, and determining similarity between classified and unclassified snapshots.

Benefits of technology

Enables rapid access to necessary information by automating the classification process, improving troubleshooting and system monitoring efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure JP2024045751_02072026_PF_FP_ABST
    Figure JP2024045751_02072026_PF_FP_ABST
Patent Text Reader

Abstract

An information processing device (100) according to an embodiment comprises: an event detection unit (111) that identifies, on the basis of an event list, the location of an event included in an operation log consisting of a plurality of records, and thereby labels a record corresponding to the event location; a snapshot extraction unit (112) that scans records from the labeled record in reverse chronological order, and uses a parameter list including information about operation processes to identify the start point record of the operation process corresponding to the event and to thereby extract, as snapshots, a series of operation logs from the start point record to the record preceding the labeled record; a similarity determination unit (113) that determines similarity by comparing unclassified snapshots that have not been assigned a snapshot type ID, with classified snapshots that have been assigned a unique snapshot type ID; and a classification unit (114) that classifies the unclassified snapshots according to the similarity.
Need to check novelty before this filing date? Find Prior Art

Description

Information Processing Apparatus and Program

[0001] The present invention relates to an information processing apparatus and a program.

[0002] During the operation of an information system, there is a technology for aggregating the situations of temporarily occurring events (e.g., system errors, etc.), visualizing them on a dashboard, and summarizing them. This allows for checking detailed information (properties) about individual events, and it is provided for system operators and administrators of the information system and is utilized for troubleshooting and system monitoring.

[0003] Also, there is a technology for acquiring the operation logs on the client terminal side and analyzing the acquired operation logs. This can visualize the processes of screen transitions and operation procedures regarding the operated information system or PC screen, and by comparing two or more operation logs, it becomes possible to calculate the similarity between a series of operations.

[0004] International Publication No. 2020 / 250320 International Publication No. 2022 / 176333

[0005] “JavaScript Error Dashboard”, [online], [searched on December 5, 2024], Internet <URL: https: / / docs.appdynamics.com / appd / 24.x / 24.1 / ja / end-user-monitoring / browser-monitoring / javascript-errors-dashboard>“Technology for Supporting Business Improvement”, [online], 2024 / 09 / 05, NTT, [searched on December 5, 2024], Internet < https: / / www.rd.ntt / research / AS0110.html>

[0006] In order to identify the cause of each generated event (e.g., system error, etc.), it is necessary to organize and analyze the event information and the operation history (e.g., GUI operation procedures, command inputs, screen captures, etc.) on the client terminal side of the system user (hereinafter, user) who generated the event in chronological order. However, it takes operation to find and extract the corresponding information from the database.

[0007] Furthermore, in order to aggregate the extracted event information and time-series data sets of operation history for the same case and process the information as a dashboard or summary, it is necessary to classify them based on the similarity between each time-series data set. Performing this classification manually requires time and can lead to variations in classification results depending on the person.

[0008] Furthermore, there is a concern that troubleshooting and system monitoring may take longer due to the time required to access necessary information.

[0009] This invention has been made in view of the above circumstances, and aims to provide an information processing device and program that enables rapid access to necessary information by automating the classification of events.

[0010] An information processing device according to a first aspect of the present invention includes: a detection unit that identifies the location of an event in an operation log composed of multiple records based on an event list and labels the record corresponding to the location of the event; an extraction unit that scans the labeled record in reverse chronological order and identifies the starting record of the operation process corresponding to the event using a parameter list containing information about the operation process, thereby extracting a series of operation logs from the starting record to the record preceding the labeled record as a snapshot; and a determination and classification unit that determines similarity by comparing an unclassified snapshot that has not been assigned a snapshot type ID with a classified snapshot that has been assigned a unique snapshot type ID, and classifies the unclassified snapshot according to the similarity.

[0011] A program according to a second aspect of the present invention is a program that causes a computer to function as an information processing device according to the first aspect.

[0012] According to the present invention, it is possible to provide an information processing device and program that enables rapid access to necessary information by automating the classification of events.

[0013] Figure 1 is a block diagram showing an example of the functional configuration of an information processing device according to the embodiment. Figure 2 is a diagram showing an example of an event list recorded in the information processing device according to the embodiment. Figure 3 is a diagram showing an example of processing by the event detection unit of the information processing device according to the embodiment. Figure 4 is a flowchart showing an example of processing by the event detection unit of the information processing device according to the embodiment. Figure 5 is a diagram showing an example of a parameter list recorded in the information processing device according to the embodiment. Figure 6 is a diagram showing an example of processing by the snapshot extraction unit of the information processing device according to the embodiment. Figure 7 is a flowchart showing an example of processing by the snapshot extraction unit of the information processing device according to the embodiment. Figure 8 is a diagram showing an example of processing by the similarity determination unit of the information processing device according to the embodiment. Figure 9 is a diagram showing an example of processing by the classification unit of the information processing device according to the embodiment. Figure 10 is a flowchart showing an example of processing by the similarity determination unit and classification unit of the information processing device according to the embodiment. Figure 11 is a block diagram showing an example of the hardware configuration of the information processing device according to the embodiment.

[0014] Each embodiment is described below with reference to the drawings. Each embodiment illustrates an apparatus or method for realizing the technical idea of ​​the invention. The drawings are schematic or conceptual. Hereinafter, components having substantially the same function and configuration are denoted by the same reference numeral. The numbers following the letters that make up the reference numerals are used to distinguish elements that are referred to by reference numerals containing the same letters and have similar configurations. When it is not necessary to distinguish between elements indicated by reference numerals containing the same letters or numbers, these elements are referred to by reference numerals containing only letters or numbers.

[0015] The functional configuration of the information processing device 100 according to the embodiment will be explained using Figure 1. Figure 1 is a block diagram showing an example of the functional configuration of the information processing device 100 according to the embodiment.

[0016] The information processing device 100 is an electronic device such as a computer, and may be, for example, a television receiver (including internet television), a PC (Personal Computer), a mobile terminal (e.g., a tablet, smartphone, laptop, feature phone, digital music player, e-book reader, smartwatch, etc.), a game console (home game console, portable game console), a VR (Virtual Reality) terminal, an AR (Augmented Reality) terminal, etc.

[0017] The information processing device 100 may be connected to an external server or the like via a network, for example. In this case, multiple information processing devices 100 can be connected to the external server via the network, enabling them to communicate with each other and share necessary information. The external server may be a storage device or the like.

[0018] The information processing device 100 comprises a control unit 110, a data storage unit 120, a program storage unit 130, a communication unit 140, and an input / output unit 150.

[0019] The control unit 110 includes an event detection unit 111, a snapshot extraction unit 112, a similarity determination unit 113, and a classification unit 114 as processing functions for implementing this embodiment. The control unit 110 comprehensively controls the data storage unit 120, the program storage unit 130, the communication unit 140, and the input / output unit 150.

[0020] The event detection unit 111 has the function of acquiring user operation logs of the information processing device 100, identifying the locations where various events occurred from the operation logs, and labeling the locations where the events occurred. The operation log is composed of multiple records, for example, and each record contains information about the user operation history on the information processing device 100 (GUI operation procedures, command inputs, screen capture acquisition, event messages that occurred, etc.) as a log. The operation log is also composed of multiple records arranged in chronological order.

[0021] The event detection unit 111 identifies the location of an event from the operation log by referring to the event list. The event list is pre-registered and configured by the user of the information processing device 100 to contain event information that should be detected. The specific details of the event list will be described later. Note that the event detection unit 111 is just one example of a detection unit.

[0022] The snapshot extraction unit 112 scans the records labeled by the event detection unit 111 in reverse chronological order, and uses the parameter list to identify the starting point of the event corresponding to the labeled record. The parameter list is assumed to contain points that will serve as the starting point of any operation process, pre-registered and set by the user of the information processing device 100. The specific details of the parameter list will be described later.

[0023] The snapshot extraction unit 112 extracts a series of operation logs as a snapshot, using the record corresponding to the start point of the event identified from the parameter list (start record) as the starting point of the snapshot, and the labeled record as the ending point of the snapshot. Note that the snapshot extraction unit 112 is an example of an extraction unit.

[0024] The similarity determination unit 113 determines similarity by comparing classified snapshots and unclassified snapshots among the snapshots extracted by the snapshot extraction unit 112. For example, a classified snapshot is assumed to have a snapshot type ID associated with the event type identified from the event list and the operation procedure before the corresponding event occurred. On the other hand, an unclassified snapshot is assumed to have no snapshot type ID assigned, and is instead associated with the event type and the operation procedure before the corresponding event occurred.

[0025] The classification unit 114 assigns a snapshot type ID to unclassified snapshots according to the determination result of the similarity determination unit 113. That is, the classification unit 114 assigns the same snapshot type ID to unclassified snapshots that have been determined to be identical to classified snapshots, as the snapshot type ID assigned to the classified snapshots. Note that the similarity determination unit 113 and the classification unit 114 are examples of determination and classification units.

[0026] The data storage unit 120 stores data or information necessary for carrying out the embodiment, and data or information generated during the execution of various processes. For example, the data storage unit 120 records an operation log, data or information generated by the processing of the event detection unit 111, snapshot extraction unit 112, similarity determination unit 113, and classification unit 114, an event list, and a parameter list.

[0027] The program storage unit 130 stores programs necessary for executing various controls and processes according to the embodiment. Specifically, the program storage unit 130 stores information processing programs, control programs, and other application programs for executing processes in the information processing device 100 according to the embodiment.

[0028] The communication unit 140 has the function of transmitting data, information, and information processing programs according to the embodiment to an external server device or the like via a network.

[0029] The input / output unit 150 transmits data or information input by the user to the control unit 110. The input / output unit 150 also outputs data or information received from the control unit 110 to the user. The input / output unit 150 comprises an input unit 151 and an output unit 152.

[0030] The input unit 151 has a function, for example, to input operation logs to the event detection unit 111. The input unit 151 also has a function to input event information to the event list recorded in the data storage unit 120, and to input parameter information to the parameter list recorded in the data storage unit 120.

[0031] The output unit 152 has the function of acquiring event information and operation information snapshots and related screen captures corresponding to the requested target from the data storage unit 120 based on a request from the user of the information processing device 100, converting them into a displayable format, and displaying them.

[0032] As a variation, the information processing device 100 may be configured as an information processing system comprising, for example, a server and a client terminal. In this case, the client terminal includes at least a log acquisition unit that acquires user operation history (GUI operation procedures, command inputs, screen captures, event messages that occur, etc.) as an operation log, an event detection unit 111, a snapshot extraction unit 112, and a transmission unit that sends the operation log acquired by the log acquisition unit to a database. The server is configured to include at least a database, a similarity determination unit 113, a classification unit 114, and a display unit that acquires snapshots of target events and operation information requested by the search user terminal, related screen captures from the database, converts them into a displayable format, and displays them.

[0033] Alternatively, the client terminal may include at least a log acquisition unit and a transmission unit, and the server may include at least a database, an event detection unit 111, a snapshot extraction unit 112, a similarity determination unit 113, a classification unit 114, and a display unit. In other words, according to the information processing device 100 of this embodiment, the functions may be configured to be centrally integrated as in the information processing device 100, or the functions may be distributed to the client terminal and the server, respectively.

[0034] An example of event information registered in the event list will be explained using Figure 2. Figure 2 is a diagram showing an example of an event list recorded in the information processing device according to the embodiment.

[0035] As shown in Figure 2, the event list includes event information 200, event information 210, and event information 220. Event information 200 includes information about abstract events such as event A, event B, event C, event D, and event E.

[0036] Event information 210 includes information about HTTP status codes, such as the client error response status code (401: Unauthorized) indicating that the request is not applicable due to insufficient valid authentication credentials, the client error response status code (402: Payment Required) indicating that payment is required to view a particular webpage, the client error response status code (403: Forbidden) indicating that access to the page being attempted is prohibited, the server error response status code (503: Service Unavailable) indicating that the server is not ready to process the request, and the server error response status code (508: Loop Detected) indicating that the server detected an infinite loop while processing the request.

[0037] Furthermore, event information 220 includes information on error codes, such as the error code (AccessDenied) displayed when the web server determines that the user does not have permission to view the page and access is denied, the error code (AccountProblem) displayed when the operation is unsuccessful due to an account problem, the error code (AmbiguousGrantByEmailAddress) displayed when the specified email address is associated with multiple accounts, the error code (CredentialsNotSupported) displayed when the requested request does not support a certificate, and the error code (InvalidRange) displayed when the scope of the requested request is insufficient. Note that the event information registered in the event list is not limited to the event information 200, event information 210, and event information 220 described above, and is configured to allow users of the information processing device 100 to register and modify information as appropriate.

[0038] The event detection unit 111 queries (compares) an event list containing multiple event information entries with an operation log consisting of multiple records arranged in chronological order, and detects records that match the conditions. Upon detecting records that match the conditions, the event detection unit 111 assigns a label to the record relating to the event information that matches the conditions.

[0039] Figure 3 shows an example of processing by the event detection unit of the information processing device according to the embodiment. As shown in Figure 3, the event detection unit 111 scans a plurality of records included in the operation log 230 in chronological order and searches for records that match the event information and conditions included in the event list shown in Figure 2, for example. The event detection unit 111 identifies a record 240 that matches the event information and conditions included in the event list and generates a record 250 by labeling the record 240 with information about the event.

[0040] A more detailed procedure regarding the processing of the event detection unit 111 will be described with reference to FIG. 4. FIG. 4 is a flowchart showing an example of the processing by the event detection unit of the information processing apparatus according to the embodiment. For the sake of explanation, the operation log 230, the record 240, and the record 250 shown in FIG. 3 are applied to FIG. 4.

[0041] For example, the processing in FIG. 4 is triggered and started when a user of the information processing apparatus 100 requests an arbitrary activation command via the input unit 151. Also, the processing in FIG. 4 may be executed at an arbitrary timing or periodically.

[0042] The event detection unit 111 acquires an event list including event information to be detected that has been registered and set by the user in advance (step S10). The event detection unit 111 acquires the operation log 230 in association with the acquisition of the event list (step Sll).

[0043] Next, the event detection unit 111 scans a plurality of records in the operation log 230 in chronological order to search for a record that matches the event list (step S12). The event detection unit 111 determines whether there is a record that matches the event list (step S13). That is, the event detection unit 111 compares each record in the operation log 230 with the event list in chronological order to determine whether it matches the condition.

[0044] When the event detection unit 111 determines that there is a record that matches the event list (step S13, YES), it labels the corresponding record that matches the condition with the parameter of "event name: corresponding event information" and generates the record 250 (step S14).

[0045] The event name to be labeled and the corresponding event information are extracted from the event information that matches the conditions included in the event list. The event detection unit 111 resumes scanning in chronological order from the record in the next line of the labeled record 250 (step S15). The event detection unit 111 repeatedly executes the processes from step S13 to step S15 to execute a process of specifying a plurality of records that match the event list and the conditions from the operation log 230.

[0046] When the event detection unit 111 determines that there is no record that matches the event list and the conditions (step S13, NO), the process ends. That is, the event detection unit 111 scans the records included in the operation log 230 in chronological order, and ends the process by determining that the latest record in the time series does not match the event list and the conditions.

[0047] An example of parameter information registered in the parameter list will be described using FIG. 5. FIG. 5 is a diagram showing an example of a parameter list recorded in the information processing apparatus according to the embodiment.

[0048] As shown in FIG. 5, the parameter list 260 is provided with items of item number, application information, window information, URL, operation location, operation type, screen operation position (x, y range), and input value. The above items are an example and are not limited thereto. For example, in the parameter list 260, for each item number, parameter information with different application information, window information, URL, operation location, operation type, screen operation position, and input value is described. In the parameter list 260, parameter information acquired from the record of the operation log corresponding to the point is registered in advance at a point that is the start point of an arbitrary operation process.

[0049] Figure 6 shows an example of processing by the snapshot extraction unit of the information processing device according to the embodiment. As shown in Figure 6, the snapshot extraction unit 112 acquires the operation log 230 processed by the event detection unit 111, scans the labeled record 250 in reverse chronological order, and identifies a record 270 that matches the conditions by querying the records using the parameter list. The snapshot extraction unit 112 extracts a snapshot 280 that includes seven records, starting from the identified record 270 and ending with the record preceding the labeled record 250.

[0050] Snapshot 280 records, for example, event information and multiple records related to the user operation process prior to the event. The information recorded by snapshot 280 is not limited to the above; it may also include parameter information, the time of event occurrence, etc.

[0051] A more detailed procedure regarding the processing of the snapshot extraction unit 112 will be explained using Figure 7. Figure 7 is a flowchart showing an example of processing by the snapshot extraction unit of the information processing device according to the embodiment. For the purpose of explanation, the operation log 230, record 250, record 270, and snapshot 280 shown in Figure 6 will be applied to Figure 7.

[0052] For example, the process shown in Figure 7 is executed after the processing by the event detection unit 111 is completed. The snapshot extraction unit 112 obtains a parameter list containing information indicating the starting point of the operation process (step S20). Along with obtaining the parameter list, the snapshot extraction unit 112 obtains the operation log 230 processed by the event detection unit 111 (step S21).

[0053] The snapshot extraction unit 112 scans the records in the acquired operation log 230 in chronological order and checks for the presence of records 250 that have been labeled with event information (step S22). If the snapshot extraction unit 112 determines that there are no records 250 with event information labels in the operation log 230 (step S23, NO), it terminates the process.

[0054] On the other hand, if the snapshot extraction unit 112 determines that there is a record 250 in the operation log 230 that has a label related to event information (step S23, YES), it searches for a record that matches the parameter list and conditions by going back through the records in the operation log 230 in reverse chronological order, starting from record 250, which is the location where the event occurred (step S24). In addition, the snapshot extraction unit 112 obtains the number of records it has gone back through N during the record search (step S24).

[0055] The snapshot extraction unit 112 determines whether there is a record 270 that matches the parameter list and the conditions (step S25). If the snapshot extraction unit 112 determines that there is a record 270 that matches the parameter list and the conditions (step S25, YES), it extracts N records as snapshots 280, starting from the record 270 that matches the event list and ending with the record preceding the labeled record 250 which is the location where the event occurred, and records the snapshots 280 in the database, i.e., the data storage unit 120 (step S26).

[0056] The snapshot extraction unit 112 determines that there is no record 270 that matches the parameter list and conditions (step S25, NO), or, once the processing in step S26 is complete, it proceeds to the processing in step S27. The snapshot extraction unit 112 initializes the number of retrospective scans N and resumes scanning in chronological order from the record following the labeled record 250, which is the location where the event occurred (step S27).

[0057] The snapshot extraction unit 112 determines whether a record exists on the next line after record 250 (step S28). That is, the snapshot extraction unit 112 determines whether record 250 is the last line of the operation log 230. If the snapshot extraction unit 112 determines that a record exists on the next line after record 250 and that record 250 is not the last line of the operation log 230 (step S28, NO), it proceeds to the process in step S23 and continues processing. On the other hand, if the snapshot extraction unit 112 determines that record 250 is the last line of the operation log 230 (step S28, NO), it terminates processing.

[0058] Next, an example of the processing performed by the similarity determination unit 113 and the classification unit 114 will be explained using Figures 8 and 9. Figure 8 is a diagram showing an example of processing performed by the similarity determination unit of the information processing device according to the embodiment. Figure 9 is a diagram showing an example of processing performed by the classification unit of the information processing device according to the embodiment.

[0059] The similarity determination unit 113 determines similarity by comparing the unclassified snapshot 290 with the classified snapshot 300 and identifies the snapshot type ID of the unclassified snapshot 290. Examples of methods by which the similarity determination unit 113 determines similarity include a method that utilizes the distance of a series of operations (strings), a method that utilizes the co-occurrence of a series of operations (strings), or a method that uses a large-scale language model (LLM) to determine the similarity of a series of operations (strings). The methods by which the similarity determination unit 113 determines similarity are not limited to those described above.

[0060] For example, the similarity determination unit 113 compares the event information contained in the unclassified snapshot 290 with the event information contained in the classified snapshot 300 and determines similarity. The similarity determination unit 113 also compares multiple records corresponding to user operations prior to the event contained in the unclassified snapshot 290 with multiple records corresponding to user operations prior to the event contained in the classified snapshot 300 and determines similarity.

[0061] When the similarity determination unit 113 determines that the unclassified snapshot and the classified snapshot are similar, the classification unit 114 assigns ID-10, which is the snapshot type ID of the classified snapshot 300, to the unclassified snapshot 290 whose snapshot type ID is Null, as shown in Figure 9. In other words, the classification unit 114 records the snapshot type ID in association with the event information and multiple records corresponding to user operations prior to the event recorded in the unclassified snapshot 290.

[0062] A more detailed procedure regarding the processing of the similarity determination unit 113 and the classification unit 114 will be explained using Figure 10. Figure 10 is a flowchart showing an example of the processing of the similarity determination unit and the classification unit of the information processing device according to the embodiment. For the purpose of explanation, snapshots 290 and 300 shown in Figure 8 will be applied to Figure 10.

[0063] The similarity determination unit 113 retrieves one unclassified snapshot 290 with a snapshot type ID of Null from the data storage unit 120, which is a database (step S30). The similarity determination unit 113 determines whether a classified snapshot 300 with a snapshot type ID assigned to it exists in the data storage unit 120 (step S31).

[0064] If the similarity determination unit 113 determines that a classified snapshot 300 with a snapshot type ID is present in the data storage unit 120 (step S31, YES), it obtains the number N of types of classified snapshots 300 present in the data storage unit 120 and sets the count to N (step S32).

[0065] The similarity determination unit 113 acquires one type of classified snapshot 300 at a time from the data storage unit 120, each assigned a snapshot type ID, and sets the count N to N-1 (step S33). The similarity determination unit 113 determines the similarity between the operations in the unclassified snapshot 290 acquired in step S30 and the classified snapshot 300 acquired in step S33 (step S34).

[0066] If the similarity determination unit 113 determines that the unclassified snapshot 290 and the classified snapshot 300 satisfy the conditions for being considered to be the same event and having the same similarity between operations (step S35, YES), it assigns the same snapshot type ID to the unclassified snapshot 290 as the classified snapshot 300 that was used for comparison (step S36), and terminates the process.

[0067] If the similarity determination unit 113 determines that the unclassified snapshot 290 and the classified snapshot 300 do not meet the conditions for being considered the same event and having the same similarity between operations (step S35, NO), it determines whether the current count is greater than 0 (step S37). If the similarity determination unit 113 determines that the current count is greater than 0 (step S37, YES), it proceeds to the process in step S33 and repeats the process from step S33 to step S37.

[0068] If the similarity determination unit 113 determines that there are no classified snapshots 300 with a snapshot type ID assigned to them in the data storage unit 120 (step S31, NO), or if it determines that the current count is 0 or less (step S37, NO), it assigns a new unique snapshot type ID to the unclassified snapshot 290 (step S38) and terminates the process.

[0069] According to the information processing device 100 of this embodiment, by identifying the location of an event in an operation log composed of multiple records based on an event list, the record corresponding to the event location is labeled, the labeled record is scanned in reverse chronological order, and the starting record of the operation process corresponding to the event is identified using a parameter list containing information about the operation process, a series of operation logs from the starting record to the labeled record is extracted as a snapshot, the similarity is determined by comparing unclassified snapshots that do not have a snapshot type ID with classified snapshots that have a unique snapshot type ID, and the unclassified snapshots are classified according to the similarity, making it possible to automatically extract the corresponding event information and chronological data of the operation history for each event that occurred, the work of classifying the extracted event information and chronological data of the operation history for each case is automated, and the classification accuracy is made to a certain quality. Furthermore, it becomes possible to quickly access the necessary information when performing troubleshooting or system monitoring.

[0070] Next, an example of the hardware configuration of the information processing device 100 according to the embodiment will be described using Figure 11. Figure 11 is a block diagram showing an example of the hardware configuration of the information processing device according to the embodiment.

[0071] As shown in Figure 11, the information processing device 100 includes, for example, a processor 101, a ROM (Read Only Memory) 102, a RAM (Random Access Memory) 103, storage 104, a communication interface 105, and an input / output interface 106.

[0072] The control unit 110, which includes the event detection unit 111, snapshot extraction unit 112, similarity determination unit 113, and classification unit 114 shown in Figure 1, corresponds to, for example, the processor 101 and RAM 103. The data storage unit 120 corresponds to, for example, the ROM 102, RAM 103, and storage 104. The program storage unit 130 corresponds to, for example, the ROM 102 and storage 104. The communication unit 140 corresponds to, for example, the communication interface 105. The input / output unit 150 corresponds to, for example, the input / output interface 106 and input / output device 107.

[0073] The processor 101, ROM 102, RAM 103, storage 104, communication interface 105, and input / output interface 106 are each connected via a bus communication line (BUS) and can transmit and receive data from each other. Alternatively, the processor 101, ROM 102, RAM 103, storage 104, communication interface 105, and input / output interface 106 may be configured to transmit and receive data from each other via wireless communication or the like.

[0074] The processor 101 includes at least one processor such as a CPU (Central Process Unit), MPU (micro processing unit), GPU (Graphics Processing Unit), or FPGA (field-programmable gate array), and can realize various functions of the information processing device 100 by executing programs such as system software, application software, or firmware stored in the ROM 102, RAM 103, or storage 104.

[0075] ROM 102 is a read-only non-volatile memory. ROM 102 non-temporarily stores the startup program necessary when the information processing device 100 of this embodiment is started. The information processing device 100 is started when the processor 101 executes the program in ROM 102. ROM 102 is, for example, composed of EPROM (Erasable Programmable Read Only Memory) and stores various startup settings in addition to the startup program.

[0076] RAM 103 is a volatile memory that can be written to and read from. RAM 103 temporarily stores programs necessary for processing in processor 101 and data necessary for executing those programs. For example, processor 101 executes a program in RAM 103 to perform calculations on the data in RAM 103 and stores the calculation results in RAM 103.

[0077] The storage 104 is composed of non-volatile memory such as an HDD (Hard Disk Drive) or SSD (Solid State Drive). The storage 104 non-temporarily stores the program executed by the processor 101 and the data necessary for the execution of the program. The processor 101 reads the program and data from the storage 104 into the RAM 103 and executes various functions by executing the program.

[0078] The communication interface 105 is connected to a communication network and enables the reception of information from and transmission of information to server devices, etc.

[0079] The input / output interface 106 is connected to an input device 1071 and an output device 1072, respectively. The input / output interface 106 enables the input of information from the input device 1071 and the output of information to the output device 1072. The input device 1071 includes, for example, a keyboard, mouse, touch panel, and disk drive. The input device 1071 is not limited to these and may include any other input device. The output device 1072 includes, for example, a display and disk drive. The output device 1072 is not limited to these and may include audio output means such as a speaker or any other output device. The input device 1071 and the output device 1072 may be configured as an input / output device 107 that has the functions of both.

[0080] The program for operating the information processing device 100 according to this embodiment is provided to the computer, for example, via a computer-readable storage medium 108. This storage medium 108 is a non-temporary computer-readable storage medium. Non-temporary computer-readable storage media include, for example, disks such as flexible disks, optical disks (CD-ROM, CD-R, DVD-ROM, DVD-R, etc.), magneto-optical disks (MO, etc.), semiconductor memory, USB memory, etc.

[0081] Furthermore, the above program may be stored on a server device on a communication network, downloaded from the server device, and temporarily stored in the storage device 104.

[0082] For example, in response to an input signal instructing the startup of the information processing device 100, the processor 101 reads a program from the storage 104 into the program area of ​​the RAM 103, and also reads the data necessary for executing the program from the storage 104 into the data area of ​​the RAM 103. The processor 101 performs calculations on the data in the data area according to the program and writes the calculation results to the data area. Through these operations, the processor 101, RAM 103, storage 104, communication interface 105, and input / output interface 106 cooperate to perform at least some of the functions of the components of the information processing device 100, namely the event detection unit 111, the snapshot extraction unit 112, the similarity determination unit 113, and the classification unit 114.

[0083] It should be noted that the present invention is not limited to the embodiments described above, and can be modified in various ways during implementation without departing from its essence. Furthermore, each embodiment may be combined as appropriate, and in that case, the combined effects can be obtained. Moreover, the above embodiments include various inventions, and various inventions can be extracted by selecting combinations from the multiple constituent elements disclosed. For example, if the problem can be solved and effects obtained even if some constituent elements are deleted from all the constituent elements shown in the embodiment, then the configuration with these deleted constituent elements can be extracted as an invention.

[0084] 100... Information processing device 101... Processor 102... ROM 103... RAM 104... Storage 105... Communication interface 106... Input / output interface 107... Input / output device 1071... Input device 1072... Output device 108... Storage medium 110... Control unit 111... Event detection unit 112... Snapshot extraction unit 113... Similarity determination unit 114... Classification unit 120... Data storage unit 130... Program storage unit 140... Communication unit 150... Input / output unit 151... Input unit 152... Output unit

Claims

1. An information processing device comprising: a detection unit that identifies the location of an event in an operation log composed of multiple records based on an event list and labels the record corresponding to the location of the event; an extraction unit that scans the labeled record in reverse chronological order and identifies the starting record of the operation process corresponding to the event using a parameter list containing information about the operation process, thereby extracting a series of operation logs from the starting record to the record preceding the labeled record as a snapshot; and a determination and classification unit that determines similarity by comparing an unclassified snapshot that has not been assigned a snapshot type ID with a classified snapshot that has been assigned a unique snapshot type ID, and classifies the unclassified snapshot according to the similarity.

2. The information processing apparatus according to claim 1, wherein the determination and classification unit determines the similarity between a string of characters corresponding to a series of operations included in the unclassified snapshot and a string of characters corresponding to a series of operations included in the classified snapshot, using the distance, co-occurrence, or large-scale language model.

3. The information processing apparatus according to claim 2, wherein, when the determination and classification unit determines that the unclassified snapshot and the classified snapshot are similar, it assigns the unclassified snapshot the same snapshot type ID as the snapshot type ID of the classified snapshot.

4. A program that causes a computer to function as an information processing device according to any one of claims 1 to 3.