US-12627688-B2 - Low-code parser creation
Abstract
A system may include one or more operations, which may include obtaining a first structured event log. The first structured event log may include one or more event log key-value pairs. The operations may further include identifying, among one or more predefined fields, a predefined field for an event log key of a first event log key-value pair of the one or more event log key-value pairs. The operations may include generating a portion of parser code to map the event log key of the first event log key-value pair to the identified predefined field. The operations may further include generating an event log parser that includes the portion of the parser code. The operations may further include causing the event log parser to be executed on a second structured event.
Inventors
- Adam Licata
- James Paul Black
- Ashish Garg
Assignees
- GOOGLE LLC
Dates
- Publication Date
- 20260512
- Application Date
- 20231221
Claims (20)
- 1. A system, comprising: a memory; and at least one processing device, coupled to the memory, configured to perform operations, comprising: obtaining a first structured event log of a first plurality of event logs of first telemetry log data, wherein the first structured event log comprises a plurality of event log key-value pairs; identifying, among a plurality of predefined fields, a predefined field for an event log key of a first event log key-value pair of the plurality of event log key-value pairs; generating a portion of parser code to map the event log key of the first event log key-value pair to the identified predefined field; generating an event log parser, wherein the event log parser comprises the portion of the parser code; and causing the event log parser to be executed on a second structured event log of a second plurality of event logs of second telemetry log data.
- 2. The system of claim 1, wherein: the first plurality of event logs are generated by a plurality of nodes of a cloud-based system at a first point in time, and the second plurality of event logs are generated by the plurality of nodes of the cloud-based system at a second point in time; and execution of the event log parser results in detection of an indication of malicious activity with respect to a node of the plurality of nodes of the cloud-based system.
- 3. The system of claim 1, wherein: the operations further comprise presenting, on a user interface, at least a portion of the plurality of predefined fields; and identifying the predefined field comprises obtaining an input indicating the predefined field from the user interface.
- 4. The system of claim 1, wherein the parser code comprises computer-executable instructions.
- 5. The system of claim 1, wherein: the parser code comprises source code configured to be compiled into computer-executable instructions; and the operations further comprise presenting, on a user interface, the source code.
- 6. The system of claim 1, wherein the first structured event log comprises at least one of JavaScript Object Notation (JSON) data, Extensible Markup Language (XML) data, or comma-separated values (CSV) data.
- 7. The system of claim 1, wherein the operations further comprise validating the event log parser, comprising testing a performance of the event log parser on at least a subset of the first plurality of event logs.
- 8. The system of claim 7, wherein testing the performance of the event log parser comprises determining whether the event log parser successfully executes on at least a predetermined percentage of the subset of the first plurality of event logs.
- 9. The system of claim 1, wherein the event log parser comprises an event log parser extension associated with a second event log parser.
- 10. The system of claim 1, wherein causing the event log parser to be executed on the second structured event log comprises causing the portion of the parser code to be executed on a plurality of event log key-value pairs of the second structured event log.
- 11. A method, comprising: obtaining a first semi-structured event log of a first plurality of event logs of first telemetry log data, wherein the first semi-structured event log comprises an unstructured portion and a structured portion, and wherein the structured portion comprises a plurality of event log key-value pairs; obtaining pattern-matching data, the pattern-matching data enabling extraction of the structured portion from the first semi-structured event log; identifying, among a plurality of predefined fields, a predefined field for an event log key of an event log key-value pair of the plurality of event log key-value pairs; generating a portion of parser code, wherein the parser code comprises computer-executable instructions that map the event log key of the event log key-value pair to the identified predefined field; generating an event log parser, wherein the event log parser comprises the pattern-matching data and the portion of parser code; and causing the event log parser to be executed on a second semi-structured event log of a second plurality of event logs of second telemetry log data.
- 12. The method of claim 11, wherein the unstructured portion of the first semi-structured event log comprises a syslog header.
- 13. The method of claim 11, wherein: the second plurality of event logs comprises a plurality of test event logs; and causing the event log parser to be executed on the second semi-structured event log comprises presenting, on a user interface, a preview parsing of the second semi-structured event log, wherein the preview parsing comprises a visualization of mappings from a plurality of event log keys of the second semi-structured event log to their corresponding predefined fields based on the portions of the parser code.
- 14. The method of claim 11, wherein causing the event log parser to be executed on the second semi-structured event log comprises converting a value of an event log key-value pair of the second semi-structured event log to a different format.
- 15. The method of claim 11, wherein causing the event log parser to be executed on the second semi-structured event log comprises normalizing a value of an event log key-value pair of the second semi-structured event log.
- 16. The method of claim 15, further comprising validating the event log parser, comprising determining whether the normalized value is within a predetermined range.
- 17. A method, comprising: obtaining a first structured event log of a first plurality of event logs of first telemetry data, wherein the first structured event log comprises a first event log key-value pair and a second event log key-value pair, and wherein the first and second event log key-value pairs each comprise a respective event log key and a corresponding value; generating a portion of parser code, wherein: in response to the value of the first event log key-value pair including a predetermined first value, the portion of parser code maps the event log key of the second event log key-value pair to a first predefined field, and in response to the value of the first event log key-value pair including a predetermined second value, the portion of parser code maps the event log key of the second event log key-value pair to a second predetermined field; generating an event log parser, wherein the event log parser comprises the portion of the parser code; and causing the event log parser to be executed on a second structured event log of a second plurality of event logs of second telemetry data.
- 18. The method of claim 17, wherein the first event log key-value pair comprises the second event log key-value pair.
- 19. The method of claim 17, wherein: the first structured event log includes an event type; and the method further includes associating the event log parser with the event type.
- 20. The method of claim 19, wherein causing the event log parser to be executed on the second structured event log comprises causing the event log parser to be executed in response to the second structured event log belonging to the event type.
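The claims above describe the mechanism abstractly: a user supplies a mapping from event log keys to predefined fields (claims 1 and 3), optional pattern-matching data that extracts the structured portion from a syslog-style line (claims 11 and 12), value conversion with range checks (claims 14 to 16), conditional mappings keyed on another field's value (claim 17), and a validation step that requires the generated parser to succeed on a predetermined percentage of sample logs (claims 7 and 8). The following is an added, self-contained Python illustration of that workflow; it is not code from the patent or from Google. The predefined field names, the sample firewall log lines, the syslog regular expression and the mapping specification are all constructed for the example, and the generated parser is emitted as Python source so it could also be shown to a user as in claim 5.

```python
import json
import re

# Constructed, hypothetical set of predefined target fields (a small stand-in
# for a unified event schema); not the patent's own field list.
PREDEFINED_FIELDS = {
    "principal.ip", "principal.port", "target.ip", "target.port",
    "principal.user", "target.user", "action", "event_time",
}

# Constructed sample telemetry: a syslog header (unstructured portion) followed
# by a JSON structured portion. The third line has no structured portion at all.
SAMPLE_LOGS = [
    '<134>Jan 12 10:00:01 fw01 fwd: {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": "443", "dir": "out", "user": "alice", "act": "allow"}',
    '<134>Jan 12 10:00:02 fw01 fwd: {"src": "10.0.0.7", "dst": "10.0.0.5", "dport": "22", "dir": "in", "user": "bob", "act": "deny"}',
    '<134>Jan 12 10:00:03 fw01 fwd: not json at all',
]

# Pattern-matching data (constructed): strips the syslog header and captures the JSON body.
SYSLOG_JSON_PATTERN = r'^<\d+>\S+ +\d+ [\d:]+ \S+ \S+: (?P<body>\{.*\})$'

# Low-code mapping specification, i.e. what a user would supply through a UI.
SIMPLE_MAPPINGS = {"src": "principal.ip", "dst": "target.ip", "act": "action"}
# Conditional mappings: when "dir" is "out" the "user" key is the principal,
# when "dir" is "in" the same key is the target.
CONDITIONAL_MAPPINGS = [
    ("dir", "out", "user", "principal.user"),
    ("dir", "in", "user", "target.user"),
]
# Normalizers: (target field, converter name, allowed range) per source key.
NORMALIZERS = {"dport": ("target.port", "int", (0, 65535))}
ALLOWED_CONVERTERS = ("int", "float")


def generate_parser_source(pattern, simple, conditional, normalizers):
    """Emit Python source for an event log parser from the low-code spec.

    Target fields and converter names are checked against fixed allow-lists
    before any source is emitted, so the spec cannot smuggle arbitrary code
    into the generated parser.
    """
    targets = list(simple.values()) + [c[3] for c in conditional] + [n[0] for n in normalizers.values()]
    for field in targets:
        if field not in PREDEFINED_FIELDS:
            raise ValueError(f"unknown predefined field: {field}")
    lines = [
        "import json, re",
        f"PATTERN = re.compile({pattern!r})",
        "def parse(raw):",
        "    m = PATTERN.match(raw)",
        "    if m is None:",
        "        raise ValueError('no structured portion found')",
        "    kv = json.loads(m.group('body'))",
        "    out = {}",
    ]
    for key, field in simple.items():
        lines.append(f"    if {key!r} in kv: out[{field!r}] = kv[{key!r}]")
    for cond_key, cond_val, key, field in conditional:
        lines.append(f"    if kv.get({cond_key!r}) == {cond_val!r} and {key!r} in kv: out[{field!r}] = kv[{key!r}]")
    for key, (field, conv, (lo, hi)) in normalizers.items():
        if conv not in ALLOWED_CONVERTERS:
            raise ValueError(f"unsupported converter: {conv}")
        lines.append(f"    if {key!r} in kv:")
        lines.append(f"        v = {conv}(kv[{key!r}])")
        lines.append(f"        if not ({lo!r} <= v <= {hi!r}): raise ValueError('out of range: %r' % (v,))")
        lines.append(f"        out[{field!r}] = v")
    lines.append("    return out")
    return "\n".join(lines) + "\n"


def build_parser(source):
    """Compile the generated source and return its parse(raw) function."""
    namespace = {}
    exec(compile(source, "<generated_parser>", "exec"), namespace)
    return namespace["parse"]


def validate_parser(parse, logs, min_success_pct):
    """Run the parser over sample logs; pass if at least min_success_pct succeed."""
    ok = 0
    for raw in logs:
        try:
            parse(raw)
            ok += 1
        except (ValueError, KeyError, TypeError):
            pass  # a failed line counts against the success rate
    pct = 100.0 * ok / len(logs) if logs else 0.0
    return pct >= min_success_pct, pct


if __name__ == "__main__":
    src = generate_parser_source(SYSLOG_JSON_PATTERN, SIMPLE_MAPPINGS, CONDITIONAL_MAPPINGS, NORMALIZERS)
    print(src)  # the source a UI could present to the user
    parse = build_parser(src)
    for line in SAMPLE_LOGS[:2]:
        print(parse(line))
    print(validate_parser(parse, SAMPLE_LOGS, 60))
```

Two of the three constructed lines parse, so the validation step passes at a 60% threshold and fails at 90%; the unparseable line is reported rather than silently mapped. The allow-list checks in `generate_parser_source` matter because the mapping spec comes from a user and is turned into executable code: only known field names and a fixed set of converters ever reach the emitted source.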
Description
TECHNICAL FIELD
The instant specification generally relates to computing devices. More specifically, the instant specification relates to low-code parser creation.
BACKGROUND
Computing devices (including servers, storage devices, or network devices) and software applications generate event logs in response to certain actions that occur on the computing devices or in the applications. The actions can include an operating system event, an error generated by a software application, or other actions that can occur on a computing device or in an application. An event log often takes the form of one or more key-value pairs, where a key can include text that indicates what the corresponding value means. Data analytics platforms can analyze these event logs to determine a variety of phenomena that can occur on the computing devices or in the software applications, including identifying trends regarding use of the computing devices or identifying malicious activity such as a cyberattack.
SUMMARY
Disclosed herein are systems and methods for creating low-code parsers for event log data.
One aspect of the disclosure includes a system. The system may include a memory and at least one processing device coupled to the memory and configured to perform operations. The operations may include obtaining a first structured event log of one or more first event logs of first telemetry log data. The first structured event log may include one or more event log key-value pairs. The operations may further include identifying, among one or more predefined fields, a predefined field for an event log key of a first event log key-value pair of the one or more event log key-value pairs. The operations may include generating a portion of parser code to map the event log key of the first event log key-value pair to the identified predefined field. The operations may further include generating an event log parser that includes the portion of the parser code. The operations may further include causing the event log parser to be executed on a second structured event log of one or more second event logs of second telemetry log data.
Another aspect of the disclosure includes a method. The method may include obtaining a first semi-structured event log of one or more first event logs of first telemetry log data. The first semi-structured event log may include an unstructured portion and a structured portion. The structured portion may include one or more event log key-value pairs. The method may include obtaining pattern-matching data configured to extract the structured portion from the first semi-structured event log. The method may include identifying, among one or more predefined fields, a predefined field for an event log key of an event log key-value pair of the one or more event log key-value pairs. The method may include generating a portion of parser code. The parser code may include computer-executable instructions that map the event log key of the event log key-value pair to the identified predefined field. The method may include generating an event log parser that includes the pattern-matching data and the portion of parser code. The method may include causing the event log parser to be executed on a second semi-structured event log of one or more second event logs of second telemetry log data.
Another aspect of the disclosure includes a method. The method may include obtaining a first structured event log of one or more first event logs of first telemetry data. The first structured event log may include a first event log key-value pair and a second event log key-value pair. The first and second event log key-value pairs may each include a respective event log key and a corresponding value. The method may include generating a portion of parser code. In response to the value of the first event log key-value pair including a predetermined first value, the portion of parser code may map the event log key of the second event log key-value pair to a first predefined field. In response to the value of the first event log key-value pair including a predetermined second value, the portion of parser code may map the event log key of the second event log key-value pair to a second predefined field. The method may include generating an event log parser that includes the portion of the parser code. The method may include causing the event log parser to be executed on a second structured event log of one or more second event logs of second telemetry data.
BRIEF DESCRIPTION OF THE DRAWINGS
Aspects and implementations of the present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings of various aspects and implementations of the disclosure, which, however, should not be taken to limit the disclosure to the specific aspects or implementations, but are for explanation and understanding only.
FIG. 1 schematically illustrates an example system for low-code parser creation in which