VMware Aria Operations for Logs (SaaS) summarizes a large number of individual events into a smaller number of broad event types. The system uses machine learning to group similar events together, and each group shows the approximate number of events it contains. Grouping events helps you identify both the noisiest events and the quietest ones, both of which are critical for troubleshooting.

VMware Aria Operations for Logs (SaaS) automatically detects groups of similar events based on their common parts. For example, consider the following events:

  • [2019-05-20 06:41:24.291+0000] ["SearchWorker-thread-12999"/10.113.164.150 INFO] [com.company.product.analytics.distributed.LogSearchWorkerService] [Worker fully completed query (token=5f6e5e1faf93e4ce) in 11 msec]
  • [2019-05-20 06:41:24.284+0000] ["SearchWorker-thread-11961"/10.113.164.167 INFO] [com.company.product.analytics.distributed.SearchWorkerService] [Worker fully completed query (token=3b247b2ba6057c47) in 24 msec]

These events have eight common parts: time stamp, thread name, host IP, logging level, class name, message text, token number, and duration.

Now, consider the following events:

  • [2019-05-20 06:41:24.291+0000] ["LogSearchWorker-thread-12999"/10.113.164.150 INFO] [com.vmware.loginsight.analytics.distributed.LogSearchWorkerService] [Worker finished search (wait=59500 token=5f6e5e1faf93e4ce) in 12 msec]
  • [2019-05-20 06:41:20.136+0000] ["AliasStudentStudyPool-thread-1"/192.168.110.24 INFO] [com.vmware.loginsight.analytics.alias.AliasStudent] [looking for alias due to rule DatastoreFromVmFileSystem]

These events have only three common parts: time stamp, host IP, and logging level.
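The following added example (not VMware's code, and not the product's machine-learning grouping) sketches the idea with a simple masking heuristic: it parses events in the layout shown above, masks variable data such as numbers and tokens, and reports which parts two events share. The field names, regular expressions, and `SAMPLE` events are assumptions made for illustration.

```python
import re
from collections import Counter

# Layout of the sample events: [time] ["thread"/ip LEVEL] [class] [message]
EVENT_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \["(?P<thread>[^"]+)"/(?P<host_ip>\S+) (?P<level>\w+)\] '
    r'\[(?P<class_name>[^\]]+)\] \[(?P<message>.*)\]$')
TOKEN_RE = re.compile(r'token=([0-9a-f]+)')
DURATION_RE = re.compile(r'in (\d+) msec')

def parse(line):
    """Split one event into named parts; token and duration are optional."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised event layout")
    parts = m.groupdict()
    msg = parts.pop("message")
    for name, rx in (("token", TOKEN_RE), ("duration", DURATION_RE)):
        hit = rx.search(msg)
        if hit:
            parts[name] = hit.group(1)
            msg = msg.replace(hit.group(0), f"<{name}>")
    parts["message_text"] = msg
    return parts

def shape(value):
    """Mask variable data so only the constant skeleton of a part remains."""
    value = re.sub(r'\b[0-9a-f]{16}\b', '<hex>', value)
    return re.sub(r'\d+', '<n>', value)

def common_parts(a, b):
    """Names of the parts two events share once variable data is masked."""
    pa, pb = parse(a), parse(b)
    return sorted(k for k in pa if k in pb and shape(pa[k]) == shape(pb[k]))

def event_types(lines):
    """Group events by thread, level, class and message skeleton, with counts."""
    keys = ("thread", "level", "class_name", "message_text")
    return Counter(tuple(shape(parse(l)[k]) for k in keys) for l in lines)

# Constructed events modelled on the samples above (first two share one class name).
SAMPLE = [
    '[2019-05-20 06:41:24.291+0000] ["SearchWorker-thread-12999"/10.113.164.150 INFO] [com.company.product.analytics.distributed.SearchWorkerService] [Worker fully completed query (token=5f6e5e1faf93e4ce) in 11 msec]',
    '[2019-05-20 06:41:24.284+0000] ["SearchWorker-thread-11961"/10.113.164.167 INFO] [com.company.product.analytics.distributed.SearchWorkerService] [Worker fully completed query (token=3b247b2ba6057c47) in 24 msec]',
    '[2019-05-20 06:41:20.136+0000] ["AliasStudentStudyPool-thread-1"/192.168.110.24 INFO] [com.vmware.loginsight.analytics.alias.AliasStudent] [looking for alias due to rule DatastoreFromVmFileSystem]',
]
```

Calling `event_types(SAMPLE)` collapses the first two events into one type with a count of 2 and leaves the alias lookup as its own type.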

On the Explore Logs page, the Types tab provides an aggregated view of similar events.

Figure: The Event Types tab on the Explore Logs page.

A maximum of 50 event types are displayed based on the count of event occurrences. To sort event types by size, you can select Size of Events from the Count of Events drop-down menu. You can also click the three dots icon next to an event to add a filter in the query with similar or dissimilar events.