
Analyzing Logs of Large-Scale Software Systems using Time Curves Visualization

Dmytro Borysenkov, Adriano Vogel, Sören Henning, Esteban Perez-Wohlfeil

TL;DR

This paper addresses the challenge of analyzing massive, semi-structured logs from large-scale software systems by introducing Time Curves visualization combined with a holistic pipeline that includes automatic event detection, template clustering, and a semimetric distance for checkpoint comparison. The method projects events into a 2D space via Multidimensional Scaling, preserves temporal context, and supports overlap across multiple systems, enabling efficient identification of trends, outliers, and bottlenecks. A key contribution is a Levenshtein-based, normalized semimetric that accounts for semantic similarity and template cardinality, along with extensions to the original Time Curves to support multiple curves, animation, and LLM-based enrichment. The approach is validated on stream-processing workloads and public datasets, demonstrating explainability, scalability, and practical utility for debugging, performance optimization, and security risk assessment, with potential for faster analysis and deeper insight when combined with LLMs and retrieval-augmented generation.

Abstract

Logs are crucial for analyzing large-scale software systems, offering insights into system health, performance, security threats, potential bugs, etc. However, their chaotic nature – characterized by sheer volume, lack of standards, and variability – makes manual analysis complex. The use of clustering algorithms can assist by grouping logs into a smaller set of templates, but they lose the temporal and relational context in doing so. On the contrary, Large Language Models (LLMs) can provide meaningful explanations but struggle with processing large collections efficiently. Moreover, representation techniques for both approaches are typically limited to either plain text or traditional charting, especially when dealing with large-scale systems. In this paper, we combine clustering and LLM summarization with event detection and Multidimensional Scaling through the use of Time Curves to produce a holistic pipeline that enables efficient and automatic summarization of vast collections of software system logs. The core of our approach is the proposal of a semimetric distance that effectively measures similarity between events, thus enabling a meaningful representation. We show that our method can explain the main events of logs collected from different applications without prior knowledge. We also show how the approach can be used to detect general trends as well as outliers in parallel and distributed systems by overlapping multiple projections. As a result, we expect a significant reduction of the time required to analyze and resolve system-wide issues, identify performance bottlenecks and security risks, debug applications, etc.
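
As an added illustration, not code from the paper or its authors, the following pure-Python sketch walks a constructed log through the stages the abstract describes: template extraction, grouping lines into time-ordered checkpoints, a Levenshtein-based normalized semimetric between checkpoints, and a 2D projection by classical Multidimensional Scaling whose points, read in order, form the Time Curve. Several simplifications are assumptions of this example rather than the paper's method: templates are obtained by masking digit-bearing tokens instead of clustering, and the checkpoint distance is an illustrative nearest-template, count-weighted normalized Levenshtein measure (the paper's exact formula is not reproduced on this page). The sample log lines, the window size of four lines, and the function names (`template`, `checkpoint_distance`, `classical_mds`, `time_curve`) are this example's own.

```python
import math
import re
from collections import Counter

# Constructed sample log (not from the paper's datasets): four windows of four
# lines standing in for startup, normal processing, a broker failure, and
# normal processing again. Window 1 and window 3 should land on the same point.
SAMPLE_LOG = """\
2024-01-01 10:00:00 INFO Starting worker node-1 on port 8080
2024-01-01 10:00:01 INFO Starting worker node-2 on port 8081
2024-01-01 10:00:02 INFO Connected to broker 10.0.0.5:9092
2024-01-01 10:00:03 INFO Connected to broker 10.0.0.6:9092
2024-01-01 10:00:10 INFO Processed batch 1201 in 12 ms
2024-01-01 10:00:11 INFO Processed batch 1202 in 11 ms
2024-01-01 10:00:12 INFO Processed batch 1203 in 13 ms
2024-01-01 10:00:13 INFO Processed batch 1204 in 12 ms
2024-01-01 10:00:20 ERROR Connection to broker 10.0.0.5:9092 lost
2024-01-01 10:00:21 WARN Retrying connection to broker 10.0.0.5:9092 attempt 1
2024-01-01 10:00:22 WARN Retrying connection to broker 10.0.0.5:9092 attempt 2
2024-01-01 10:00:23 ERROR Connection to broker 10.0.0.5:9092 lost
2024-01-01 10:00:30 INFO Processed batch 1205 in 12 ms
2024-01-01 10:00:31 INFO Processed batch 1206 in 14 ms
2024-01-01 10:00:32 INFO Processed batch 1207 in 12 ms
2024-01-01 10:00:33 INFO Processed batch 1208 in 11 ms
""".splitlines()

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
VARIABLE = re.compile(r"\S*\d\S*")  # any token containing a digit is a parameter

def template(line):
    """Crude template extraction (assumption, stands in for clustering):
    drop the timestamp and mask variable tokens with <*>."""
    return VARIABLE.sub("<*>", TIMESTAMP.sub("", line))

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def norm_lev(a, b):
    """Levenshtein distance scaled to [0, 1] by the longer string's length."""
    longest = max(len(a), len(b))
    return levenshtein(a, b) / longest if longest else 0.0

def checkpoints(lines, window):
    """Split the log into fixed-size windows (checkpoints) and count templates."""
    return [Counter(template(line) for line in lines[i:i + window])
            for i in range(0, len(lines), window)]

def _directed(src, dst):
    # Each template in src is matched to its nearest template in dst and
    # weighted by its share of src's lines, so template cardinality matters.
    total = sum(src.values())
    return sum(n / total * min(norm_lev(t, u) for u in dst) for t, n in src.items())

def checkpoint_distance(a, b):
    """Symmetric and zero on identical checkpoints, but the triangle inequality
    is not guaranteed: a semimetric, as the paper characterizes its distance.
    This particular formula is an illustrative assumption of the example."""
    return 0.5 * (_directed(a, b) + _directed(b, a))

def classical_mds(dist, dim=2, iters=2000):
    """Classical MDS: double-center the squared distances, then extract the
    top eigenpairs by shifted power iteration with deflation (pure Python)."""
    n = len(dist)
    d2 = [[dist[i][j] ** 2 for j in range(n)] for i in range(n)]
    rmean = [sum(r) / n for r in d2]
    cmean = [sum(d2[i][j] for i in range(n)) / n for j in range(n)]
    gmean = sum(rmean) / n
    B = [[-0.5 * (d2[i][j] - rmean[i] - cmean[j] + gmean) for j in range(n)]
         for i in range(n)]
    shift = max(sum(abs(x) for x in row) for row in B)  # B + shift*I is PSD
    coords = [[0.0] * dim for _ in range(n)]
    for k in range(dim):
        v = [1.0 + 0.1 * i for i in range(n)]
        for _ in range(iters):
            w = [sum(B[i][j] * v[j] for j in range(n)) + shift * v[i] for i in range(n)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-12:
                break
            v = [x / norm for x in w]
        lam = max(0.0, sum(v[i] * sum(B[i][j] * v[j] for j in range(n)) for i in range(n)))
        for i in range(n):
            coords[i][k] = v[i] * math.sqrt(lam)
            for j in range(n):
                B[i][j] -= lam * v[i] * v[j]  # deflate before the next eigenpair
    return coords

def time_curve(lines, window=4):
    """Checkpoint counters, pairwise semimetric matrix, and 2D points in time order."""
    cps = checkpoints(lines, window)
    dist = [[checkpoint_distance(a, b) for b in cps] for a in cps]
    return cps, dist, classical_mds(dist)

if __name__ == "__main__":
    cps, dist, pts = time_curve(SAMPLE_LOG)
    for i, (p, cp) in enumerate(zip(pts, cps)):
        print(f"checkpoint {i}: ({p[0]:+.3f}, {p[1]:+.3f}) {dict(cp)}")
```

Consecutive points in `pts` are the checkpoints that a Time Curve connects in time order; the two "normal processing" windows have identical template counts, so their distance is exactly zero and they project to the same point, while the failure window sits well apart from them. Because the distance is only a semimetric, classical MDS can produce negative eigenvalues; the example clamps those to zero, which is why the shift to a positive semidefinite matrix is needed for the power iteration to pick the largest positive eigenvalue.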

Paper Structure

This paper contains 19 sections, 3 equations, 7 figures.

Figures (7)

  • Figure 1: Example Time Curve corresponding to the analysis of the execution of a stream processing application, where data points represent events of the system, consecutive events in time are connected, while similar events are positioned close. Color of connection shows time, i.e. start of observation purple -- end of observation green.
  • Figure 2: Workflow illustration of the proposed method to generate a Time Curve from a set of logs.
  • Figure 3: Projections of the collected logs for three stream processing framework executions and their unfolding according to the ratio of similarity and time influences. The annotated labels (A to D) represent checkpoints of interest for the analysis of the system, namely (A) startup, (B1-B5) failure injections, (C1-C5) recovery and (D) shutdown. In addition, C1'-C5' mark normal processing after recovery and a $\ast$ represents a singular checkpoint in Kafka Streams.
  • Figure 4: Identified sections of interest corresponding to the Zookeeper log dataset. Labels A to F represent points of interest. Two planes marked with a gradient color separate the projection into left, middle and right sections, corresponding to different stability stages of the system.
  • Figure 5: Multiple curve analysis of three instances of the same application. Each system is represented with a different color and line style to ease visualization. In addition, due to the fact that different colors are used to represent different systems, the time dimension is no longer represented besides the order of checkpoints. Labels A to E represent stages of interest.
  • ...and 2 more figures