Stronger, Cheaper and Demonstration-Free Log Parsing with LLMs
Yi Xiao, Van-Hoang Le, Hongyu Zhang
TL;DR
The paper tackles the high cost and reliance on demonstrations in LLM-based log parsing for large-scale logs. It introduces LogBatcher, a training-free, demonstration-free framework that partitions logs, caches results, and batches inputs to LLMs to parse logs. Key contributions include a log-specific prompting strategy, TF-IDF vectorization with DBSCAN partitioning, a cache-based matching mechanism, and a batching-query workflow that reduces token usage while maintaining or improving accuracy. Experiments on 16 public LogPai-derived datasets show that LogBatcher achieves state-of-the-art GA/MLA/ED and substantially lowers LLM invocation costs, making practical deployment more feasible.
Abstract
Log parsing, the process of converting raw log messages into structured formats, is an important initial step for automated analysis of logs of large-scale software systems. Traditional log parsers often rely on heuristics or handcrafted features, which may not generalize well across diverse log sources or require extensive model tuning. Recently, some log parsers have utilized powerful generative capabilities of large language models (LLMs). However, they heavily rely on demonstration examples, resulting in substantial overhead in LLM invocations. To address these issues, we propose LogBatcher, a cost-effective LLM-based log parser that requires no training process or labeled data. To leverage latent characteristics of log data and reduce the overhead, we divide logs into several partitions through clustering. Then we perform a cache matching process to match logs with previously parsed log templates. Finally, we provide LLMs with better prompt context specialized for log parsing by batching a group of logs from each partition. We have conducted experiments on 16 public log datasets and the results show that LogBatcher is effective and efficient for log parsing.