vRealize Log Insight summarizes a large number of individual events into a smaller number of broad event types. vRealize Log Insight uses machine learning to group similar events together, with each group showing the approximate number of events in the group. Grouping events helps identify the noisiest events and the quietest ones, both of which are critical for troubleshooting.
The Event Types tab on the Interactive Analytics page, under the search bar, provides an aggregated view of the events for the given time range of the query. An event in a group is selected as the representative event. You can click the Expand link under each representative event to view the events in the group.
As a result of grouping events, an Event Type is assigned to each event. An appropriate event_type field is created, which you can further use in regular queries.
vRealize Log Insight does not document the exact mechanism for grouping events. It tries to automatically detect groups of similar events based on the number of common parts that the events have. For example, let us consider the following events:
[2019-05-20 06:41:24.291+0000] ["SearchWorker-thread-12999"/10.113.164.150 INFO] [com.company.product.analytics.distributed.LogSearchWorkerService] [Worker fully completed query (token=5f6e5e1faf93e4ce) in 11 msec]
[2019-05-20 06:41:24.284+0000] ["SearchWorker-thread-11961"/10.113.164.167 INFO] [com.company.product.analytics.distributed.SearchWorkerService] [Worker fully completed query (token=3b247b2ba6057c47) in 24 msec]
These events have eight common parts: timestamp, thread name, host IP, logging level, class name, message text, token number, and duration.
Now, let us consider the following events:
[2019-05-20 06:41:24.291+0000] ["LogSearchWorker-thread-12999"/10.113.164.150 INFO] [com.vmware.loginsight.analytics.distributed.LogSearchWorkerService] [Worker finished search (wait=59500 token=5f6e5e1faf93e4ce) in 12 msec]
[2019-05-20 06:41:20.136+0000] ["AliasStudentStudyPool-thread-1"/192.168.110.24 INFO] [com.vmware.loginsight.analytics.alias.AliasStudent] [looking for alias due to rule DatastoreFromVmFileSystem]
These events have only three common parts: timestamp, host IP, and logging level.
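The following Python sketch is an added illustration of counting common parts between two events; it is not Log Insight's grouping algorithm, which is not documented. It assumes that a part is "common" when it matches after variable values (numbers, tokens, addresses) are masked. The function names and the sample events are constructed for this example.

```python
import re

# Layout used by the events above: [timestamp] ["thread"/host level] [class] [message]
EVENT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \["(?P<thread>[^"]+)"/(?P<host>\S+) (?P<level>\w+)\] '
    r'\[(?P<cls>[^\]]+)\] \[(?P<msg>.*)\]$')
TS_RE = re.compile(r'\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}[+-]\d{4}')
IP_RE = re.compile(r'\d{1,3}(\.\d{1,3}){3}')
TOKEN_RE = re.compile(r'token=[0-9a-f]+')
DURATION_RE = re.compile(r'in \d+ msec')

def signature(event):
    """Map each part found in an event to a form with variable values masked."""
    m = EVENT_RE.match(event)
    if m is None:
        raise ValueError("unrecognized event layout")
    sig = {"logging level": m["level"], "class name": m["cls"],
           "thread name": re.sub(r"\d+", "<n>", m["thread"])}
    if TS_RE.fullmatch(m["ts"]):
        sig["timestamp"] = "<ts>"
    if IP_RE.fullmatch(m["host"]):
        sig["host IP"] = "<ip>"
    if TOKEN_RE.search(m["msg"]):
        sig["token number"] = "<hex>"
    if DURATION_RE.search(m["msg"]):
        sig["duration"] = "<n> msec"
    # What remains after removing token and duration is the message text.
    text = DURATION_RE.sub("", TOKEN_RE.sub("", m["msg"]))
    sig["message text"] = re.sub(r"\d+", "<n>", text)
    return sig

def common_parts(a, b):
    """Names of the parts whose masked form is identical in both events."""
    sa, sb = signature(a), signature(b)
    return sorted(k for k in sa if sb.get(k) == sa[k])

# Constructed sample events in the layout shown above (not real log data).
EVENT_A = ('[2019-05-20 06:41:24.291+0000] ["SearchWorker-thread-12999"/10.113.164.150 INFO] '
           '[com.company.product.analytics.distributed.SearchWorkerService] '
           '[Worker fully completed query (token=5f6e5e1faf93e4ce) in 11 msec]')
EVENT_B = ('[2019-05-20 06:41:24.284+0000] ["SearchWorker-thread-11961"/10.113.164.167 INFO] '
           '[com.company.product.analytics.distributed.SearchWorkerService] '
           '[Worker fully completed query (token=3b247b2ba6057c47) in 24 msec]')
EVENT_C = ('[2019-05-20 06:41:20.136+0000] ["AliasStudentStudyPool-thread-1"/192.168.110.24 INFO] '
           '[com.company.product.analytics.alias.AliasStudent] '
           '[looking for alias due to rule DatastoreFromVmFileSystem]')

if __name__ == "__main__":
    print(len(common_parts(EVENT_A, EVENT_B)), common_parts(EVENT_A, EVENT_C))
```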
In addition to grouping events together, vRealize Log Insight identifies useful fields in each event of the group, known as smart fields. Each smart field appears within the representative event as a hyperlink with a drop-down menu icon next to it. You can click the icon to view a histogram for the values of the field or to define an extracted field based on the smart field.