Symptom matching for event streams

Enterprise systems produce a vast amount of logging data. This critical and valuable information must be processed automatically for timely system analysis and recovery. As a result of industry demands, a standard database containing known issues has been introduced - a symptom database. Each symptom consists of a rule pattern and corresponding solutions. Patterns used for symptom identification are encoded as a XPath expression and matched against a stream of events in a standardised WSGI format common base event. The ability of an efficient matching for symptom patterns has been raised as an important requirement by industries. The authors present a real-time symptom identification in a stream of events. The implementation will allow multiple autonomic computing components such as self-monitoring sensors to effectively match known patterns in large datasets in run time. Unlike current state of the art approaches, the proposed solution allows users to define patterns using all the complex XPath functions in addition to standard numeric and Boolean operators. In particular, it was aimed at efficient simultaneous matching of a large set of XPath-based symptom patterns against a high-volume event stream, which is crucial for symptom identification but was not addressed efficiently by currently available XPath-matching engines.