Jacob Perkins, profile picture
Uploaded byJacob Perkins
PPTX, PDF5,998 views

NLP techniques for log analysis

This document discusses using NLP techniques like tokenization, feature extraction, classification, clustering, and anomaly detection to analyze log files. It provides examples of how each technique can be applied including tokenizing log records, extracting features like n-grams and token shapes, classifying records by type or priority level, clustering records to find anomalies, and detecting outliers. The document also recommends tools like NLTK, Scikit-Learn, Logpai and references the author's own work at Insight Engines on log search and analysis products.

Embed presentation

Downloaded 89 times
NLP Techniques for Log Analysis Jacob Perkins, CTO @ Insight Engines
● Speculative ideas with specific techniques ● Python is great for NLP, ML, simple text processing Overview
Author of Text Processing with NLTK Cookbook Contributor to Bad Data Handbook Blog @ StreamHacker.com Helped create Seahorse / Gnome Keyring (GPG UI) CTO @ InsightEngines.com About me
1. Tokenization 2. Feature Extraction 3. Classification 4. Clustering 5. Anomaly Detection Topics
• Split text into tokens • Many options beyond whitespace • Works on any arbitrary text • NLTK has many tokenizers Tokenization
Sep 19 19:18:40 acmepayroll syslog: 04/30/10 12:18:51 39480627 wksh: HANDLING TELNET CALL (User: root, Branch: ABCDE, Client: 10101) pid=9644 https://text-processing.com/demo/tokenize/
Sep 19 19:18:40 acmepayroll syslog: 04/30/10 12:18:51 39480627 wksh: HANDLING TELNET CALL (User: root, Branch: ABCDE, Client: 10101) pid=9644 https://text-processing.com/demo/tokenize/
Sep 19 19:18:40 acmepayroll syslog: 04/30/10 12:18:51 39480627 wksh: HANDLING TELNET CALL (User: root, Branch: ABCDE, Client: 10101) pid=9644 https://text-processing.com/demo/tokenize/
• Edit distance (a.k.a Levenshtein distance) • Fuzzywuzzy • Can use to identify similar strings • Ex: Google vs Go0gle = edit distance 1 Fuzzy Matching
• Transform text into discrete values • Use for data analysis, machine learning • Art, not science Feature Extraction
• Date parsing with dateutil • Regex patterns • Grammars with pyparsing • Automatic log parsing with Logpai logparser Parsing
● Bigram: (acmepayroll, syslog) ● Trigram: (HANDLING, TELNET, CALL) ● Skipgram: (syslog, HANDLING, CALL) Ngram Features
• acmepayroll -> aa • User -> Aa • ABCDE -> AA • 10101 -> nn • pid=9644 -> aa=nn Token Shapes
Log -> Token Shapes & Date Parsing date aa syslog: date nn wksh: AA AA AA (User: aa, Branch: AA, Client: nn) pid=nn Sep 19 19:18:40 acmepayroll syslog: 04/30/10 12:18:51 39480627 wksh: HANDLING TELNET CALL (User: root, Branch: ABCDE, Client: 10101) pid=9644
• Count tokens across all records & types (ie ssh) • How uniform are tokens within a record type? • Mostly uniform ~= clean data • In a given record, does it have rare tokens? • Rare = anomaly? Identifying Rare Tokens
1. Log record -> feature extraction 2. Features -> Classifier 3. Classifier returns class probabilities Classification • Must train on good labeled data • Binary classification is most accurate • Scikit-learn has many options
● Spam vs Ham ● Sentiment & Opinion analysis: positive vs negative ● Fraud Real World Classification
1. Train on record type (ssh vs everything else) 2. What has type ssh but doesn’t classify? 3. What is not ssh but does classify? Log Classification Anomalies
Features: ● Description ● Rules / thresholds ● Log record features Labels = priority level (high, medium, low) Alert Classification
● No training needed (unsupervised) ● Group by feature similarity / distance ● Must operate on large batch of records ● Scikit-learn has many options ● Gensim for topic modeling Clustering
1. Cluster a few different record types 2. Does each type correspond to a single cluster? 3. Which records don’t cluster well? (far from centroid) Data Clustering Anomalies
● A.k.a. Novelty / Outlier detection ● A.k.a. One-class classification ● Learn from good data set ● Identify new records that don’t fit ● Scikit-learn has a few options ● Automated anomaly detection with Logpai loglizer Anomaly Detection
● Tokenization ● Feature extraction ● Classification ● Clustering ● Anomaly detection Summary
• NLTK • Scikit-Learn • Gensim • Logpai • Text-processing.com • Streamhacker.com References
● Investigator: plain english log search -> multiple visualizations & recommendations to do next ● Analyzer: data health analysis ● InsightEngines.com About Insight Engines
Thank you!

More Related Content

PDF
Apache Kafka Architecture & Fundamentals Explained
byconfluent
 
PPTX
Kibana overview
byRinat Tainov
 
PPTX
Apache HBase™
byPrashant Gupta
 
PDF
Introduction to MongoDB
byMike Dirolf
 
PDF
Migrating Apache Hive Workload to Apache Spark: Bridge the Gap with Zhan Zhan...
byDatabricks
 
PDF
Enabling Vectorized Engine in Apache Spark
byKazuaki Ishizaki
 
PDF
The Rise of ZStandard: Apache Spark/Parquet/ORC/Avro
byDatabricks
 
PPTX
Introduction to Apache Spark
byRahul Jain
 
Apache Kafka Architecture & Fundamentals Explained
byconfluent
 
Kibana overview
byRinat Tainov
 
Apache HBase™
byPrashant Gupta
 
Introduction to MongoDB
byMike Dirolf
 
Migrating Apache Hive Workload to Apache Spark: Bridge the Gap with Zhan Zhan...
byDatabricks
 
Enabling Vectorized Engine in Apache Spark
byKazuaki Ishizaki
 
The Rise of ZStandard: Apache Spark/Parquet/ORC/Avro
byDatabricks
 
Introduction to Apache Spark
byRahul Jain
 

What's hot

PDF
NOSQL- Presentation on NoSQL
byRamakant Soni
 
PPTX
introduction to NOSQL Database
bynehabsairam
 
PPTX
OLAP
bySlideshare
 
PDF
Introduction to elasticsearch
byhypto
 
PDF
[Meetup] a successful migration from elastic search to clickhouse
byVianney FOUCAULT
 
PPTX
Cql – cassandra query language
byCourtney Robinson
 
PPTX
Demystifying data engineering
byThang Bui (Bob)
 
PPTX
Elasticsearch
byJean-Philippe Chateau
 
PDF
C* Summit 2013: The World's Next Top Data Model by Patrick McFadin
byDataStax Academy
 
PDF
ksqlDB로 실시간 데이터 변환 및 스트림 처리
byconfluent
 
PPTX
Kafka 101
byAparna Pillai
 
PDF
Introduction to Apache Calcite
byJordan Halterman
 
PDF
Scaling your Data Pipelines with Apache Spark on Kubernetes
byDatabricks
 
PPTX
What is AWS Glue
byjeetendra mandal
 
PPTX
Data council sf amundsen presentation
byTao Feng
 
PDF
Introduction to Kafka Streams
byGuozhang Wang
 
PDF
Spark SQL
byJoud Khattab
 
PDF
Top 5 Mistakes When Writing Spark Applications
bySpark Summit
 
PDF
Diving into Delta Lake: Unpacking the Transaction Log
byDatabricks
 
PDF
Apache Spark Overview
byVadim Y. Bichutskiy
 
NOSQL- Presentation on NoSQL
byRamakant Soni
 
introduction to NOSQL Database
bynehabsairam
 
OLAP
bySlideshare
 
Introduction to elasticsearch
byhypto
 
[Meetup] a successful migration from elastic search to clickhouse
byVianney FOUCAULT
 
Cql – cassandra query language
byCourtney Robinson
 
Demystifying data engineering
byThang Bui (Bob)
 
Elasticsearch
byJean-Philippe Chateau
 
C* Summit 2013: The World's Next Top Data Model by Patrick McFadin
byDataStax Academy
 
ksqlDB로 실시간 데이터 변환 및 스트림 처리
byconfluent
 
Kafka 101
byAparna Pillai
 
Introduction to Apache Calcite
byJordan Halterman
 
Scaling your Data Pipelines with Apache Spark on Kubernetes
byDatabricks
 
What is AWS Glue
byjeetendra mandal
 
Data council sf amundsen presentation
byTao Feng
 
Introduction to Kafka Streams
byGuozhang Wang
 
Spark SQL
byJoud Khattab
 
Top 5 Mistakes When Writing Spark Applications
bySpark Summit
 
Diving into Delta Lake: Unpacking the Transaction Log
byDatabricks
 
Apache Spark Overview
byVadim Y. Bichutskiy
 

Similar to NLP techniques for log analysis

PDF
Text analysis using python
byVijay Ramachandran
 
PDF
Analyzing Log Data With Apache Spark
bySpark Summit
 
PPTX
SEMLA_logging_infra
byswy351
 
PPTX
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...
byDevOpsDays Tel Aviv
 
PDF
Text classification in scikit-learn
byJimmy Lai
 
PPTX
Analyzing-Logs-of-Distributed-System-Components-Using-AIML-Techniques.pptx
byRonitSharma65
 
PDF
Statistical Learning and Text Classification with NLTK and scikit-learn
byOlivier Grisel
 
PPTX
Text Mining_big_data_machine_learning.pptx
bybenidiktuskurniawan
 
PPT
Making Logs Sexy Again: Can We Finally Lose The Regexes?
byAnton Chuvakin
 
PDF
Crash-course in Natural Language Processing
byVsevolod Dyomkin
 
DOCX
Silhouette Threshold Based Text Clustering for Log Analysis
byIIRindia
 
PPTX
Text analytics
byUtkarsh Sharma
 
PDF
Machine Learning as a Service: making sentiment predictions in realtime with ...
byDaniel Pyrathon
 
PDF
Natural language processing (NLP) introduction
byRobert Lujo
 
PPTX
Document Classification using the Python Natural Language Toolkit
byBen Healey
 
ODP
Get the most out of your security logs using syslog-ng
byPeter Czanik
 
PDF
AWS re:Invent presentation: Unmeltable Infrastructure at Scale by Loggly
bySolarWinds Loggly
 
PPTX
Analyzing Data With Python
bySarah Guido
 
PDF
Machine Learning for Incident Detection: Getting Started
bySqrrl
 
PDF
Shrinking the haystack wes caldwell - final
bylucenerevolution
 
Text analysis using python
byVijay Ramachandran
 
Analyzing Log Data With Apache Spark
bySpark Summit
 
SEMLA_logging_infra
byswy351
 
Debugging Skynet: A Machine Learning Approach to Log Analysis - Ianir Ideses,...
byDevOpsDays Tel Aviv
 
Text classification in scikit-learn
byJimmy Lai
 
Analyzing-Logs-of-Distributed-System-Components-Using-AIML-Techniques.pptx
byRonitSharma65
 
Statistical Learning and Text Classification with NLTK and scikit-learn
byOlivier Grisel
 
Text Mining_big_data_machine_learning.pptx
bybenidiktuskurniawan
 
Making Logs Sexy Again: Can We Finally Lose The Regexes?
byAnton Chuvakin
 
Crash-course in Natural Language Processing
byVsevolod Dyomkin
 
Silhouette Threshold Based Text Clustering for Log Analysis
byIIRindia
 
Text analytics
byUtkarsh Sharma
 
Machine Learning as a Service: making sentiment predictions in realtime with ...
byDaniel Pyrathon
 
Natural language processing (NLP) introduction
byRobert Lujo
 
Document Classification using the Python Natural Language Toolkit
byBen Healey
 
Get the most out of your security logs using syslog-ng
byPeter Czanik
 
AWS re:Invent presentation: Unmeltable Infrastructure at Scale by Loggly
bySolarWinds Loggly
 
Analyzing Data With Python
bySarah Guido
 
Machine Learning for Incident Detection: Getting Started
bySqrrl
 
Shrinking the haystack wes caldwell - final
bylucenerevolution
 

Recently uploaded

PDF
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PPTX
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
PPTX
AI and Digital Transformation Solutions.
byBuildingblocks
 
DOCX
Mathematical reviewer gor mmw in theofern
byyeojlevantinojesalva
 
PDF
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
LUXHUB: a detailed look at 2025...and fast forward to 2026
byalexandrekeilmann1
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PDF
Getting the Best of TrueDEM – January News & Updates
bypanagenda
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PPTX
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PDF
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
PPTX
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
PDF
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
PPTX
CrowdStrike Falcon Insight (01212026).pptx
bypjsantos17
 
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
AI and Digital Transformation Solutions.
byBuildingblocks
 
Mathematical reviewer gor mmw in theofern
byyeojlevantinojesalva
 
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
LUXHUB: a detailed look at 2025...and fast forward to 2026
byalexandrekeilmann1
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
Getting the Best of TrueDEM – January News & Updates
bypanagenda
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
CrowdStrike Falcon Insight (01212026).pptx
bypjsantos17
 

NLP techniques for log analysis

  • 1.
    NLP Techniques forLog Analysis Jacob Perkins, CTO @ Insight Engines
  • 2.
    ● Speculative ideaswith specific techniques ● Python is great for NLP, ML, simple text processing Overview
  • 3.
    Author of TextProcessing with NLTK Cookbook Contributor to Bad Data Handbook Blog @ StreamHacker.com Helped create Seahorse / Gnome Keyring (GPG UI) CTO @ InsightEngines.com About me
  • 4.
    1. Tokenization 2. FeatureExtraction 3. Classification 4. Clustering 5. Anomaly Detection Topics
  • 5.
    • Split textinto tokens • Many options beyond whitespace • Works on any arbitrary text • NLTK has many tokenizers Tokenization
  • 6.
    Sep 19 19:18:40acmepayroll syslog: 04/30/10 12:18:51 39480627 wksh: HANDLING TELNET CALL (User: root, Branch: ABCDE, Client: 10101) pid=9644 https://text-processing.com/demo/tokenize/
  • 7.
    Sep 19 19:18:40acmepayroll syslog: 04/30/10 12:18:51 39480627 wksh: HANDLING TELNET CALL (User: root, Branch: ABCDE, Client: 10101) pid=9644 https://text-processing.com/demo/tokenize/
  • 8.
    Sep 19 19:18:40acmepayroll syslog: 04/30/10 12:18:51 39480627 wksh: HANDLING TELNET CALL (User: root, Branch: ABCDE, Client: 10101) pid=9644 https://text-processing.com/demo/tokenize/
  • 9.
    • Edit distance(a.k.a Levenshtein distance) • Fuzzywuzzy • Can use to identify similar strings • Ex: Google vs Go0gle = edit distance 1 Fuzzy Matching
  • 10.
    • Transform textinto discrete values • Use for data analysis, machine learning • Art, not science Feature Extraction
  • 11.
    • Date parsingwith dateutil • Regex patterns • Grammars with pyparsing • Automatic log parsing with Logpai logparser Parsing
  • 12.
    ● Bigram: (acmepayroll,syslog) ● Trigram: (HANDLING, TELNET, CALL) ● Skipgram: (syslog, HANDLING, CALL) Ngram Features
  • 13.
    • acmepayroll ->aa • User -> Aa • ABCDE -> AA • 10101 -> nn • pid=9644 -> aa=nn Token Shapes
  • 14.
    Log -> TokenShapes & Date Parsing date aa syslog: date nn wksh: AA AA AA (User: aa, Branch: AA, Client: nn) pid=nn Sep 19 19:18:40 acmepayroll syslog: 04/30/10 12:18:51 39480627 wksh: HANDLING TELNET CALL (User: root, Branch: ABCDE, Client: 10101) pid=9644
  • 15.
    • Count tokensacross all records & types (ie ssh) • How uniform are tokens within a record type? • Mostly uniform ~= clean data • In a given record, does it have rare tokens? • Rare = anomaly? Identifying Rare Tokens
  • 16.
    1. Log record-> feature extraction 2. Features -> Classifier 3. Classifier returns class probabilities Classification • Must train on good labeled data • Binary classification is most accurate • Scikit-learn has many options
  • 18.
    ● Spam vsHam ● Sentiment & Opinion analysis: positive vs negative ● Fraud Real World Classification
  • 19.
    1. Train onrecord type (ssh vs everything else) 2. What has type ssh but doesn’t classify? 3. What is not ssh but does classify? Log Classification Anomalies
  • 20.
    Features: ● Description ● Rules/ thresholds ● Log record features Labels = priority level (high, medium, low) Alert Classification
  • 21.
    ● No trainingneeded (unsupervised) ● Group by feature similarity / distance ● Must operate on large batch of records ● Scikit-learn has many options ● Gensim for topic modeling Clustering
  • 23.
    1. Cluster afew different record types 2. Does each type correspond to a single cluster? 3. Which records don’t cluster well? (far from centroid) Data Clustering Anomalies
  • 24.
    ● A.k.a. Novelty/ Outlier detection ● A.k.a. One-class classification ● Learn from good data set ● Identify new records that don’t fit ● Scikit-learn has a few options ● Automated anomaly detection with Logpai loglizer Anomaly Detection
  • 26.
    ● Tokenization ● Featureextraction ● Classification ● Clustering ● Anomaly detection Summary
  • 27.
    • NLTK • Scikit-Learn •Gensim • Logpai • Text-processing.com • Streamhacker.com References
  • 28.
    ● Investigator: plainenglish log search -> multiple visualizations & recommendations to do next ● Analyzer: data health analysis ● InsightEngines.com About Insight Engines
  • 29.

Editor's Notes

  • #7 Punctuation in weird places
  • #8 NLP example: can’t
  • #9 Trained on WSJ news articles
  • #12 Grammars ~= multi-line regex
  • #13 Bigram & Trigram features can add a lot to classification & clustering accuracy
  • #16 Use token shapes to normalize? Technique based on TF/IDF & search indexing to identify high information words
  • #19 Sentiment used a lot for marketing analytics
  • #20 One vs all classification.
  • #21 Triage, identify false positives or negatives
  • #22 Topic modeling is different type of clustering