DESC:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003

COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
METHOD AND SYSTEM FOR LOG AGGREGATION IN A NETWORK
2. APPLICANT(S)
NAME NATIONALITY ADDRESS
JIO PLATFORMS LIMITED INDIAN OFFICE-101, SAFFRON, NR. CENTRE POINT, PANCHWATI 5 RASTA, AMBAWADI, AHMEDABAD 380006, GUJARAT, INDIA
3.PREAMBLE TO THE DESCRIPTION

THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE NATURE OF THIS INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.

FIELD OF THE INVENTION
[0001] The present invention relates to the field of wireless communication networks, more particularly relates to a method and a system for log aggregation in the wireless communication network.
BACKGROUND OF THE INVENTION
[0002] In a communication network, server(s) receive multiple requests from users over a single time frame, process the received requests and deliver results to a user end. There are instances when the server may fail to process the request due to errors may it be operational error or errors resulted by malfunction of physical components. The errors are analyzed, and logs are kept for future references so that a better performance of the server may be achieved. The log is a detailed compilation of the error or where it occurred, what were associated conditions with it, which is usually stored in a system folder or a directory. The logs are helpful in debugging errors occurring in the system and provide useful information. During a positive production environment, there are not many errors to be recorded so the logs generated are lower which usually have no detrimental effect on the server performance. However, in adverse production environment, high number of errors logs would drive the server to operate with stagnant memory and thus decrease performance efficiency.
[0003] For example, on days with adverse weather, the errors occurring in the system may be large in number and may range from few 100 to 1000 per second. Adverse weather may imply high error events in the application/system. Most logging frameworks are not capable of supporting a high rate of event handling and it is possible that the system storage may not keep up with the write speed of the logging framework and experience bottle-neck situations leading to slower performance. This may ultimately cause the server to hang/freeze up till the write is complete, or the server may process requests a lot slower leading to overloading and consecutive cascading to further errors down the line.
[0004] Presently there is no solution to efficiently manage logs where the live log write up may be inclusive of repetitive error that were logged previously memory which would only lead to redundancy of data and memory cluttering of the server. There is a need for a suitable mechanism to determine error cause, categorize errors and assess them while comparing them to past data during runtime and thereby creating an efficient logging framework so that the server can perform in a better way.
[0005] Therefore, from the above cases, it becomes necessary to implement a system and method to effectively manage the logging framework, so as to prevent possibility of server shutdowns due to excessive log write up while maintaining the server health. However, the current available solutions are not able to offer the optimized log aggregation system and method with provision to minimize data overload and server bottleneck in real-time error analysis.
SUMMARY OF THE INVENTION
[0006] One or more embodiments of the present disclosure provide a method and a system for log aggregation in a network.
[0007] In one aspect of the present invention, the method for log aggregation in the network is disclosed. The method includes the step of initiating, by one or more processors, an error cause analysis in response to triggering of an error event in the network. The method includes the step of extracting, by the one or more processors, a plurality of attributes from the error event based on the initiation of the error cause analysis. The method includes the step of mapping, by the one or more processors, the extracted plurality of attributes with an identical plurality of attributes stored in a database. The method includes the step of updating, by the one or more processors, an occurrence count and a latest error time event triggered in response to mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database.
[0008] In one embodiment, the error event triggered is predefined by a network operator with respect to network traffic conditions and network capacity.
[0009] In another embodiment, the plurality of attributes includes at least one of, error message, error class, error stack trace head, error stack trace tail, and error cause.
[0010] In yet another embodiment, the error event is triggered in the network in response to breach of network conditions predefined in the network by the network operator.
[0011] In yet another embodiment, for extracting the plurality of attributes, the method includes the step of assessing, by the one or more processors, each of the plurality of attributes of the error event triggered.
[0012] In yet another embodiment, for mapping, the method includes the step of parsing, by the one or more processors, the error message by mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database.
[0013] In yet another embodiment, the method includes the step of creating, by the one or more processors, an entry in the database in response to a failure in mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database. The entry includes the plurality of attributes. Further, the method includes the step of displaying, by the one or more processors, a summary of the event events and clearing the error events in the database in order to avoid over aggregation of the logs of the error events in the network.
[0014] In another aspect of the present invention, the system for log aggregation in the network is disclosed. The system includes an initiating unit configured to initiate, an error cause analysis in response to triggering of an error event in the network. The system includes an extracting unit configured to extract a plurality of attributes from the error event based on the initiation of the error cause analysis. The system includes a mapping unit configured to map, the extracted plurality of attributes with an identical plurality of attributes stored in a database. The system includes an updating unit configured to update the occurrence count and the time of latest error event triggered in response to mapping the extracted plurality of attributes with an identical plurality of attributes stored in the database.
[0015] In yet another aspect of the present invention, a non-transitory computer-readable medium having stored thereon computer-readable instructions that, when executed by a processor is disclosed. The processor is configured to initiate an error cause analysis in response to triggering of an error event in the network. The processor is configured to extract a plurality of attributes from the error event based on the initiation of the error cause analysis. The processor is configured to map, the extracted plurality of attributes with an identical plurality of attributes stored in a database. The processor is configured to update the occurrence count, and the time of latest error event triggered in response to mapping the extracted plurality of attributes with an identical plurality of attributes stored in the database.
[0016] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0017] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0018] FIG. 1 is an exemplary block diagram of an environment for log aggregation in a network, according to one or more embodiments of the present disclosure;
[0019] FIG. 2 is an exemplary block diagram of a system for log aggregation in the network, according to one or more embodiments of the present disclosure;
[0020] FIG. 3 is a block diagram of an architecture that can be implemented in the system of FIG.2, according to one or more embodiments of the present disclosure;
[0021] FIG. 4 is an exemplary block diagram of a database storage structure of the system of FIG.2, according to one or more embodiments of the present disclosure;
[0022] FIG. 5 is a flow diagram illustrating a method for log aggregation in the network, according to one or more embodiments of the present disclosure; and
[0023] FIG. 6 is a flow diagram illustrating the method for log aggregation in the network, according to one or more embodiments of the present disclosure.
[0024] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0025] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0026] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0027] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0028] Referring to FIG. 1, FIG. 1 illustrates an exemplary block diagram of an environment 100 for log aggregation in a network 105, according to one or more embodiments of the present invention. The environment 100 includes the network 105, a User Equipment (UE) 110, a server 115, and a system 120. The UE 110 aids a user to interact with the system 120 for log aggregation in the network 105. In an embodiment, the user is one of, but not limited to, a network operator or a service provider. The log aggregation refers to the process of collecting and centralizing logs from various network devices, applications, and services into a single repository. The logs process is essential for monitoring, analyzing, and troubleshooting network performance and security issues. By aggregating the logs, the network operator achieves a comprehensive view of network activity, detects anomalies, and ensures the efficient operation of the network 105.
[0029] For the purpose of description and explanation, the description will be explained with respect to the UE 110, or to be more specific will be explained with respect to a first UE 110a, a second UE 110b, and a third UE 110c, and should nowhere be construed as limiting the scope of the present disclosure. Each of the UE 110 from the first UE 110a, the second UE 110b, and the third UE 110c is configured to connect to the server 115 via the network 105.
[0030] In an embodiment, each of the first UE 110a, the second UE 110b, and the third UE 110c is one of, but not limited to, any electrical, electronic, electro-mechanical or an equipment and a combination of one or more of the above devices such as smartphones, virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device.
[0031] The network 105 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof. The network 105 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
[0032] The server 115 may include by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof. In an embodiment, the entity may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise, a defense facility, or any other facility that provides content.
[0033] The environment 100 further includes the system 120 communicably coupled to the server 115 and each of the first UE 110a, the second UE 110b, and the third UE 110c via the network 105. The system 120 is configured for log aggregation in the network 105. The system 120 is adapted to be embedded within the server 115 or is embedded as the individual entity, as per multiple embodiments of the present invention.
[0034] Operational and construction features of the system 120 will be explained in detail with respect to the following figures.
[0035] FIG. 2 is an exemplary block diagram of the system 120 for log aggregation in the network 105, according to one or more embodiments of the present disclosure.
[0036] The system 120 includes a processor 205, a memory 210, a user interface 215, and a database 250. For the purpose of description and explanation, the description will be explained with respect to one or more processors 205, or to be more specific will be explained with respect to the processor 205 and should nowhere be construed as limiting the scope of the present disclosure. The one or more processors 205, hereinafter referred to as the processor 205 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions.
[0037] As per the illustrated embodiment, the processor 205 is configured to fetch and execute computer-readable instructions stored in the memory 210. The memory 210 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory 210 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as EPROM, flash memory, and the like.
[0038] The user interface 215 includes a variety of interfaces, for example, interfaces for a Graphical User Interface (GUI), a web user interface, a Command Line Interface (CLI), and the like. The user interface 215 facilitates communication of the system 120. In one embodiment, the user interface 215 provides a communication pathway for one or more components of the system 120. Examples of the one or more components include, but are not limited to, the user equipment 110, and the database 250.
[0039] The database 250 is one of, but not limited to, a centralized database, a cloud-based database, a commercial database, an open-source database, a distributed database, an end-user database, a graphical database, a No-Structured Query Language (NoSQL) database, an object-oriented database, a personal database, an in-memory database, a document-based database, a time series database, a wide column database, a key value database, a search database, a cache databases, and so forth. The foregoing examples of database 250 types are non-limiting and may not be mutually exclusive e.g., a database can be both commercial and cloud-based, or both relational and open-source, etc.
[0040] Further, the processor 205, in an embodiment, may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 205. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 205 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for processor 205 may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 210 may store instructions that, when executed by the processing resource, implement the processor 205. In such examples, the system 120 may comprise the memory 210 storing the instructions and the processing resource to execute the instructions, or the memory 210 may be separate but accessible to the system 120 and the processing resource. In other examples, the processor 205 may be implemented by electronic circuitry.
[0041] In order for the system 120 to perform the log aggregation in the network 105, the processor 205 includes an initiating unit 220, an extracting unit 225, a mapping unit 230, an updating unit 235, a creating unit 240, and a display unit 245 communicably coupled to each other. In an embodiment, operations and functionalities of the initiating unit 220, the extracting unit 225, the mapping unit 230, the updating unit 235, the creating unit 240, and the display unit 245 can be used in combination or interchangeably.
[0042] The initiating unit 220 is configured to initiate an error cause analysis in response to triggering of an error event in the network 105. The network 105 may continuously observe network operations. When the error event occurs (e.g., a network device failure, or unexpected traffic pattern), the initiating unit 220 is configured to initiate the error cause analysis. The error cause analysis refers to the systematic process of identifying the underlying reasons or factors that led to the error event within the network 105. When the error event, such as a network device failure or an unexpected traffic pattern, is detected, the error cause analysis is triggered to investigate the root cause of the issue. The initiating unit 220 is configured to collect data related to the error event. In an embodiment, the data includes, but is not limited to, log files, performance metrics, configuration settings, and other relevant information from network devices. The error event triggered is predefined by the network operator with respect to network traffic conditions and network capacity. The error event is triggered in the network 105 in response to breach of network conditions predefined by the network operator. In an example, the error event trigger is set when performance metrics, such as latency, packet loss, or bandwidth usage, exceeds or falls below predefined thresholds. For example, if the latency exceeds 100ms, the error event may be triggered. If a critical service or application becomes unavailable or experiences downtime, the error event may be triggered.
[0043] The extracting unit 225 is configured to extract a plurality of attributes from the error event based on the initiation of the error cause analysis. The extracting unit 225 is configured to analyze the error event to identify and isolate different parts of the error data, which involves breaking down a log entry into its constituent parts or interpreting a structured error message. In an embodiment, the plurality of attributes includes at least one of, an error message 425 (as shown in FIG.4), an error class 405 (as shown in FIG.4), an error cause 410 (as shown in FIG.4), an error stack trace head 415 (as shown in FIG.4), and an error stack trace tail 420 (as shown in FIG.4). In an embodiment, the extracting unit 225 is configured to identify and extract a main error message, determine the classification of the error, include, but not limited to, a critical error, a warning, or an informational message. The extracting unit 225 is configured to identify an underlying cause of the error based on predefined categories like network issues, hardware failure, software bugs, etc. Further, the extracting unit 225 is configured to extract an initial part of the error stack trace head 415, which typically includes the most recent calls or operations leading up to the error and extract an end part of the error stack trace tail 420, which might include the origin of the error or the initial calls in the sequence that led to the error.
[0044] Upon extracting the plurality of attributes from the error event, the extracting unit 225 is further configured to assess each of the plurality of attributes of the error event triggered. The extracting unit 225 is configured to validate each attribute of the plurality of attributes to ensure specific criteria meets or falls within expected ranges. Each attribute of the plurality of attributes is classified based on the predefined categories, such as severity (e.g., critical, warning, informational), type (e.g., network error, system error, application error), or source (e.g., hardware, software). In an example, the error message is analyzed to determine its severity, relevance, or possible solutions, which involves keyword analysis, comparison with known error messages, or pattern matching. The extracting unit 225 is configured to determine if the error class 405 is correctly identified and whether the error class 405 aligns with historical data or predefined criteria for that class of errors. The extracting unit 225 is configured to assess the error cause 410 to accurately reflect the underlying issue, which involves cross-referencing with logs, configuration data, or known issues. The extracting unit 225 is further configured to evaluate the initial part of the stack trace to understand the most recent actions leading to the error, which includes checking for common failure points or recent code changes. Further, the extracting unit 225 is configured to assess the end part of the stack trace to identify the origin of the error, which involves tracing back through the call hierarchy to pinpoint the root cause.
[0045] Upon extracting and assessing of the plurality of attributes of the error event triggered, the mapping unit 230 is configured to map the extracted plurality of attributes with an identical plurality of attributes stored in the database 250. In this regard, the mapping unit 230 is configured to compare each of the extracted plurality of attributes with the corresponding stored attribute in the database 250. If the extracted plurality of attributes matches with the identical plurality of attributes stored in the database 250, the mapping unit 230 is configured to link an active error event to the corresponding historical error events, which enables more accurate diagnosis and resolution. Upon recognizing the patterns or similarities with the historical error events, the mapping unit 230 is configured to apply previously successful solutions or preventative measures, for reducing downtime and improving the overall efficiency of the network's error management process. The mapping unit 230 is further configured to parse the database 250 to map the extracted plurality of attributes with the identical plurality of attributes stored in the database 250. The mapping unit 230 is configured to parse the database 250 to retrieve the stored plurality of attributes corresponding to the historical error events. The parsing process involves querying the database 250 for records that contain the extracted plurality of attributes matches with the identical plurality of attributes.
[0046] In one embodiment, the updating unit 235 is configured to update an occurrence count and the latest error time of event triggered in response to mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database 250. The occurrence count refers to the total number of times when a particular error has occurred, which aids in identifying recurring issues. The latest error time refers to the most recent timestamp when the error event occurred, which aids in understanding the timing of error events.
[0047] The updating unit 235 is configured to increment the occurrence count and update the latest error time of event triggered in the database 250 for the matched record. The updated information is saved back to the database 250, providing an accurate and up-to-date view of error event occurrences. In this regard, by increasing the occurrence count, the system 120 can identify recurring issues, and the updating of the latest error time provides a clear history of when the error events occur, which is useful for pinpointing a problem before starts. Further, the updating unit 235 is configured to track the frequency and recency of each type of error event for identifying recurring issues, prioritizing fixes for frequent errors, and analyzing the trend of errors over time to improve response efficiency, resource optimization, and improve user experience
[0048] In another embodiment, the mapping unit 230 fails to find the match for the extracted attributes in the database 250. The creating unit 240 is configured for creating a new entry in the database 250 with the attributes of the unmatched error event. The creating unit 240 is configured to create the new entry in the database 250 in response to a failure in mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database 250. In an embodiment, the new entry includes the plurality of attributes. The creating unit 240 is configured to collect all the extracted attributes that failed to match any existing records. The failed extracted attributes include, but are not limited to, error codes, timestamps, network identifiers, or other relevant data points. The creating unit 235 is configured to create the new entry in the database 250 with the extracted attributes, setting the occurrence count to 1 and recording the current time as the latest error time. The new entry is assigned a unique identifier (e.g., an entry ID) to distinguish the entry ID from other records in the database 250. The entry ID is used for future reference, retrieval, or updates to track the error event.
[0049] Upon creating the new entry in the database 250, the display unit 245 is configured to print a summary of the error events and clear the error events in the database 250. The summary of error events typically provides a concise overview of the error codes, the timestamps, the network identifiers, or the other relevant data points regarding the errors logged within the system 120. The summary aids in understanding the nature and frequency of errors. The summary of error events is generated by retrieving all error records within a specified timeframe or based on certain criteria (e.g., recent errors, specific error classes). Upon retrieving the error records, the retrieved error records are grouped based on the plurality of attributes or any other relevant attributes to calculate the occurrence count and latest error time. The aggregated data is arranged into a readable format, highlighting the error codes, the timestamps, the network identifiers, or the other relevant data points for each error type. Thereafter, the display unit 245 is configured to display the summary of error events to users, typically in the log file, a dashboard, or a notification. Further, the display unit 245 is configured to clear the error events in the database 250 in order to avoid over aggregation of the logs of the error events in the network 105.
[0050] By doing so, the system 120 is able to, advantageously, prevent the server 115 from freezing up/hanging or ‘out of memory’ issue when a lot of logging events that may be triggered due to adverse conditions. The system 120 reduces amount of redundant/duplicate data being stored for similar event resulting in efficient IOPS (input/output operations per second), utilizes the aggregated logs for possible trend analysis and fault management, realizes efficient management of memory requirement by means of clearing the log data in a regular interval.
[0051] FIG. 3 is a block diagram of an architecture 300 that can be implemented in the system of FIG.2, according to one or more embodiments of the present disclosure.
[0052] The architecture 300 includes a Virtual Machine (VM) 305, an application module 310, a protocol stack module 315, a log aggregation module 320, the database 250 to store past and present data/information and a network layer 325.
[0053] The application module 310 and the protocol stack module 315 run on the VM 305. The VM 305 is a crucial component of the Java runtime environment that enables at least one of, but not limited to, java applications to run on any device or operating system without modification. The VM 305 provides the environment necessary for at least one of, but not limited to, the java applications to execute by interpreting or compiling a java bytecode into a machine code. The application module 310 and the protocol stack module 315 incorporates java-based application executable by the processor 205 with the memory.
[0054] The application module 310 is configured to communicate from one node to another node via a Hypertext Transfer Protocol 2.0 (HTTP 2.0) utilizing the protocol stack module 315. The application module 310 is responsible for handling the main operations of the application, such as processing data, handling user requests, and communicating with other modules or systems.
[0055] The protocol stack module 315 is configured to interact with the network 105 to communicate from the one node to another node via the HTTP 2.0. The protocol stack module 315 is configured to provide the necessary protocols and communication mechanisms required for network operations. Specifically, the protocol stack module 315 implements the HTTP 2.0 protocol, which is an advanced version of the HTTP protocol designed to improve performance and efficiency by supporting features like multiplexing, header compression, and server push. The protocol stack module 315 is configured to provide Application Peripheral Interface (APIs) for further development of the application around with a plurality of components. In an embodiment, the plurality of components includes, but is not limited to, connection management, log management, transport messages, overload protection, rate limit protection, and the like.
[0056] The architecture 300 of the system 120 is configured to receive the requests from users and send alerts via the user interface 215. The user interface 215 includes a variety of interfaces, for example, interfaces for a Graphical User Interface (GUI), a web user interface, a Command Line Interface (CLI), and the like. The user interface 215 facilitates communication of the system 120. In one embodiment, the user interface 215 provides a communication pathway for one or more components of the system 120.
[0057] The protocol stack module 315 includes the log aggregation module 320 to generate the log by way of assessing the past and present data on the error occurred. When the error event occurs in the network 105. The application module 310 is configured to interact with the server 115 and a network layer 325 to gather the data related to any received requests from the UE 110 as well as various related information like processing status of the requests, errors occurred in processing if any and basic health of the server 115.
[0058] The protocol stack module 315 is configured to manage the server 115 related resources and initiate the error cause analysis in case the error has occurred in the network 105. The log aggregation module 320 is configured to assess the error events based on the plurality of attributes. In an embodiment, the plurality of attributes includes, but is not limited to the error message 425, the error class 405, the error cause 410, the error stack trace head 415 and the error stack trace tail 420. When the error log event is triggered by the protocol stack module 315. The log aggregation module 320 is configured to extract the plurality of parameters associated and compare the plurality of parameters in the database 250 for any previous events. If the current plurality of parameters is matched with the previous plurality of parameters, then the occurrence count and latest event time is updated accordingly, and no log is printed in the log file. If the parameters don’t match, then the new entry is created in the database 250 and the log is printed in the log file for indicating the first occurrence of the error.
[0059] The log aggregation module 320 is configured to perform a search in the database 250 in a specific sequence of attributes/parameters for a possible match. For example, the search sequence may be the error class 405, the error cause 410, the error stack trace head 415, the error stack trace tail 420 and the error message 425. The order of plurality of parameters for search sequences may vary based on the importance of each attribute in identifying the uniqueness. In a preferred embodiment, the log aggregation module 320 is configured to reduce the log output during high error event trigger scenarios so as to maintain consistent performance of the server 115. However, the performance of the log aggregation is not only limited to the above and in various embodiments, the functionalities of the log aggregation module 320 are extended to normal logging events as well.
[0060] FIG. 4 is an exemplary block diagram of a database 250 storage structure of the system of FIG.2, according to one or more embodiments of the present disclosure.
[0061] The database 250 storage structure includes the plurality of attributes from the error event based on the initiation of the error cause analysis. In an embodiment, the plurality of attributes includes at least one of, error class 405, error cause 410, error stack trace head 415, error stack trace tail 420, and error message 425. The error class 405 is configured to analyze the error event to identify and isolate different parts of the error data, which involves breaking down the log entry into its constituent parts or interpreting the error message 425. In an embodiment, the error cause 410 is performed to identify and extract the main error message or description, determine the classification of the error, such as whether it’s the critical error, the warning, or the informational message, and identify the underlying the error cause 410 based on the predefined categories like network issues, hardware failure, software bugs, etc.
[0062] Further, the error stack trace head 415 is configured to extract an initial part of the error stack trace head 415, which typically includes the most recent calls or operations leading up to the error. The error stack trace tail 420 is configured to extract the end part of the error stack trace tail 420, which might include the origin of the error or the initial calls in the sequence that led to the error. The error message 425 is analyzed to determine its severity, relevance, or possible solutions, which involves keyword analysis, comparison with known error messages, or pattern matching.
[0063] The database 250 storage structure is configured to determine if the error class 405 is correctly identified and whether the error class 405 aligns with historical data or predefined criteria for that class of errors and assess the error cause 410. The database 250 storage structure is configured to accurately reflect the underlying issue, which involves cross-referencing with logs, configuration data, or known issues. The database 250 storage structure is configured to evaluate the initial part of the stack trace head 415 to understand the most recent actions leading to the error, which includes checking for common failure points or recent code changes. Further, the database 250 storage structure is configured to assess the end part of the stack trace tail 420 to identify the origin of the error, which involves tracing back through the call hierarchy to pinpoint the root cause.
[0064] The database 250 is configured to store the extracted plurality of attributes with the identical plurality of attributes. Further, the database 250 is compared with each extracted plurality of attributes with the corresponding stored attributes. The database 250 matches the extracted plurality of attributes with the identical plurality of attributes. The current error event is linked to the corresponding historical error events when the extracted plurality of attributes with the identical plurality of attributes. The database 250 is parsed to retrieve the stored plurality of attributes corresponding to the historical error events. The parsing process involves querying the database 250 for records that contain similar types of attributes.
[0065] FIG. 5 is a flow diagram illustrating a method 500 for log aggregation in the network 105, according to one or more embodiments of the present disclosure. For the purpose of description, the method 500 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
[0066] At step 505, the method 500 includes the step of initiating the error cause analysis in response to triggering of the error event in the network 105 by the initiating unit 220. The network 105 may continuously observe network operations. The initiating unit 220 is configured to initiate the error cause analysis. The initiating unit 220 is configured to collect the data related to the error event. The error event triggered is predefined by the network operator with respect to network traffic conditions and network capacity. The error event is triggered in the network 105 in response to breach of network conditions predefined by the network operator.
[0067] At step 510, the method 500 includes the step of extracting the plurality of attributes from the error event based on the initiation of the error cause analysis by the extracting unit 225. The extracting unit 225 is configured to analyze the error event to identify and isolate different parts of the error data, which involves breaking down the log entry into its constituent parts or interpreting the structured error message. In an embodiment, the plurality of attributes includes at least one of, error message 425, error class 405, error cause 410, error stack trace head 415, and error stack trace tail 420. The extracting unit 225 receives the log entry as input. In an embodiment, the log entry includes, but not limited to, timestamp, severity level, error code, user ID, and error description. The extracting unit 225 is configured to identify and extract a main error message, determine the classification of the error, include, but not limited to, a critical error, a warning, or an informational message. The extracting unit 225 is configured to identify an underlying cause of the error based on predefined categories like network issues, hardware failure, software bugs, etc. Further, the extracting unit 225 is configured to extract an initial part of the error stack trace head 415, which typically includes the most recent calls or operations leading up to the error and extract an end part of the error stack trace tail 420, which might include the origin of the error or the initial calls in the sequence that led to the error.
[0068] At step 515, the method 500 includes the step of mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database 250 by the mapping unit 230. The mapping unit 230 is configured to compare each extracted plurality of attributes with the corresponding stored attribute in the database 250. If the extracted plurality of attributes matches with the identical plurality of attributes stored in the database 250, then the mapping unit 230 is configured to link the active error event to the corresponding historical error events, which enables more accurate diagnosis and resolution.
[0069] At step 520, the method 500 includes the step of updating the occurrence count and the latest error time of event triggered in response to mapping the extracted plurality of attributes with an identical plurality of attributes stored in the database by the updating unit 235. The updating unit 235 is configured to increment the occurrence count and update the latest error time of event triggered in the database 250 for the matched record. The updated information is saved back to the database 250, providing an accurate and up-to-date view of error event occurrences. In this regard, by increasing the occurrence count, the system 120 can identify recurring issues, and the updating of the latest error time provides a clear history of when the error events occur, which is useful for pinpointing a problem before starts. In an example embodiment, the error log entry is parsed, and the plurality of attributes are extracted. In an example, the plurality of attributes includes the error code (DB_CONN_FAILURE), and the timestamp (2024-09-02, 14:35:12). The updating unit 235 maps the plurality of attributes against existing records in the database 250. In this regard, the occurrence count is 1, latest error time is 2024-09-02 14:35:12. Subsequent, identical error occurs at 2024-09-02 14:45:30. The occurrence count is incremented from 1 to 2. The latest error time is updated to 2024-09-02 14:45:30. The database 250 reflects that the DB_CONN_FAILURE error has occurred twice, with the most recent occurrence at 14:45:30. This helps the system 120 identify that the issue is recurring, prompting further investigation. Further, the updating unit 235 is configured to track the frequency and recency of each type of error event for identifying recurring issues, prioritizing fixes for frequent errors, and analyzing the trend of errors over time.
[0070] FIG. 6 is a flow diagram illustrating the method 600 for log aggregation in the network 105, according to one or more embodiments of the present disclosure.
[0071] At step 605, the method 600 includes the step of creating the new entry in the database 250 with the attributes of the unmatched error event by the creating unit 240. The creating unit 240 is configured to create the new entry in the database 250 in response to the failure in mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database 250. The creating unit 240 is configured to create the new entry in the database 250 with the extracted attributes, setting the occurrence count to 1 and recording the current time as the latest error time. The new entry is saved in the database 250, ensuring that the error event is tracked for future reference.
[0072] At step 610, the method 600 includes the step of displaying the summary of the error events and clearing the error events in the database 250 by the display unit 245. In an embodiment, the display unit reports the summary of the error events and clears the error events in the database 250 to avoid over aggregation of the logs of the error events in the network 105. The summary of error events typically provides a concise overview of the key details regarding the errors logged within the system 120. The summary aids in understanding the nature and frequency of errors. The display unit 245 is configured to display the summary of error events to users, typically in the log file, the dashboard, or the notification. Further, the display unit 245 is configured to clear the error events in the database 250 in order to avoid over aggregation of the logs of the error events in the network 105.
[0073] The present invention further discloses a non-transitory computer-readable medium having stored thereon computer-readable instructions. The computer-readable instructions are executed by the processor 205. The processor 205 is configured to initiate, an error cause analysis in response to triggering of an error event in the network 105. The processor 205 is configured to extract a plurality of attributes from the error event based on the initiation of the error cause analysis. The processor 205 is configured to map, the extracted plurality of attributes with an identical plurality of attributes stored in a database 250. The processor 205 is configured to update the occurrence count and the time of latest error event triggered in response to mapping the extracted plurality of attributes with an identical plurality of attributes stored in the database 250.
[0074] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIG.1-6) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0075] The present disclosure provides technical advancement for updating the occurrence count and the latest error time event triggered in response to mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database. Further, the present disclosure creates an entry in the database in response to the failure in mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database and clears the database in order to avoid over aggregation of the logs of the error events in the network.
[0076] The present disclosure provides advantages for preventing the server from freezing up/hanging or ‘out of memory’ issue when a lot of logging events that is triggered due to adverse conditions, reduces amount of redundant /duplicate data being stored for similar event resulting in efficient IOPS (input/output operations per second), recognizes the similar patterns in the errors to log only once per unique event, aggregates the duplicate event and store their event times, occurrence count and unique messages associated with the errors, utilizes the aggregated logs for possible trend analysis and fault management, and realizes efficient management of memory by means of clearing the log data in a regular interval.
[0077] The present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize on some of the advantageous features. The listed advantages are to be read in a non-limiting manner.

REFERENCE NUMERALS

[0078] Environment - 100
[0079] Network-105
[0080] User equipment- 110
[0081] Server - 115
[0082] System -120
[0083] Processor - 205
[0084] Memory - 210
[0085] User interface-215
[0086] Initiating unit – 220
[0087] Extracting unit– 225
[0088] Mapping unit – 230
[0089] Updating unit– 235
[0090] Creating unit – 240
[0091] Display unit-245
[0092] Database-250
[0093] Virtual machine- 305
[0094] Application module– 310
[0095] Protocol stack module- 315
[0096] Log aggregation module- 320
[0097] Network layer- 325
[0098] Error class- 405
[0099] Error cause- 410
[00100] Stack trace head- 415
[00101] Stack trace tail- 420
[00102] Error message- 425

,CLAIMS:CLAIMS
We Claim:
1. A method (500) of log aggregation in a network (105), the method (500) comprising the steps of:
initiating, by one or more processors (205), an error cause analysis in response to triggering of an error event in the network (105);
extracting, by the one or more processors (205), a plurality of attributes from the error event based on the initiation of the error cause analysis;
mapping, by the one or more processors (205), the extracted plurality of attributes with an identical plurality of attributes stored in a database (250); and
updating, by the one or more processors (205), an occurrence count and a latest error time event triggered in response to mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database (250).

2. The method (500) as claimed in claim 1, wherein the error event triggered is predefined by a network operator with respect to network traffic conditions and network capacity.

3. The method (500) as claimed in claim 1, wherein the plurality of attributes includes at least one of, error message (425), error class (405), error cause (410), error stack trace head (415), and error stack trace tail (420).

4. The method (500) as claimed in claim 1, wherein for extracting the plurality of attributes, the method (500) comprises the step of assessing, by the one or more processors (205), each of the plurality of attributes of the error event triggered.

5. The method (500) as claimed in claim 1, wherein for mapping, the method (500) includes the step of, parsing, by the one or more processors (205), the error message by mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database (250).

6. The method (500) as claimed in claim 1, further comprising the steps of:
creating, by the one or more processors (205), an entry in the database (250) in response to a failure in mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database (250), wherein the entry includes the plurality of attributes; and
displaying, by the one or more processors (205), a summary of the error events and clear the error events in the database (250).

7. A system (120) for log aggregation in a network, the system (120) comprising:
an initiating unit (220) configured to initiate an error cause analysis in response to triggering of an error event in the network (105);
an extracting unit (225) configured to extract a plurality of attributes from the error event based on the initiation of the error cause analysis;
a mapping unit (230) configured to map the extracted plurality of attributes with an identical plurality of attributes stored in a database (250); and
an updating unit (235) configured to update an occurrence count and a latest error time event triggered in response to mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database (250).

8. The system (120) as claimed in claim 8, wherein the plurality of attributes includes at least one of, error message (425), error class (405), error cause (410), error stack trace head (415), and error stack trace tail (420).

9. The system (120) as claimed in claim 8, wherein the extracting unit (225) is further configured to assess each of the plurality of attributes of the error event triggered.

10. The system (120) as claimed in claim 8, wherein the mapping unit (230) is further configured to parse the error message by mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database (250).

11. The system (120) as claimed in claim 8, further comprising:
a creating unit (240) configured to create an entry in the database (250) in response to a failure in mapping the extracted plurality of attributes with the identical plurality of attributes stored in the database (250), wherein the entry includes the plurality of attributes; and
a display unit (245) configured to display a summary of the error events and clear the error events in the database (250).