Search

US-20260127354-A1 - GENERATING MEANINGFUL SYSTEM EVENT SUMMARIES USING AN LLM

US20260127354A1US 20260127354 A1US20260127354 A1US 20260127354A1US-20260127354-A1

Abstract

In one implementation, a device extracts event data from logs generated by one or more entities in a computer network that are indicative of events that occurred in the computer network. The device detects, using the event data, a relationship between the events that occurred in the computer network. The device generates, based on the relationship, a prompt for input to a language model. The device provides the prompt to the language model, to generate a summary of the events that occurred in the computer network.

Inventors

  • Sofia Karygianni
  • Yannick Weibel
  • Arnaud Quirin
  • Mohit Dubey

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date
20260507
Application Date
20241104

Claims (20)

  1. 1 . A method, comprising: extracting, by a device, event data from logs generated by one or more entities in a computer network that are indicative of events that occurred in the computer network; detecting, by the device and using the event data, a relationship between the events that occurred in the computer network; generating, by the device and based on the relationship, a prompt for input to a language model; and providing, by the device, the prompt to the language model, to generate a summary of the events that occurred in the computer network.
  2. 2 . The method as in claim 1 , wherein the logs comprise unstructured text.
  3. 3 . The method as in claim 1 , wherein the language model is a large language model (LLM).
  4. 4 . The method as in claim 1 , wherein generating the prompt comprises: inserting text from one or more reference documents regarding computer networking into the prompt.
  5. 5 . The method as in claim 1 , further comprising: providing the summary to a user interface for review.
  6. 6 . The method as in claim 5 , further comprising: adjusting how the device generates event summaries using the language model based on feedback for the summary from the user interface.
  7. 7 . The method as in claim 5 , further comprising: providing a generated plot or a hyperlink in conjunction with the summary of events to the user interface.
  8. 8 . The method as in claim 1 , wherein the device detects the relationship between the events based on at least one of: their periodicity or a common location in the computer network.
  9. 9 . The method as in claim 1 , wherein extracting the event data from the logs generated by the one or more entities in the computer network comprises: removing duplicate entries, overlapping attributes, or unnecessary fields from the logs.
  10. 10 . The method as in claim 1 , wherein the one or more entities in the computer network comprise at least one of: a router, a switch, or an access point.
  11. 11 . An apparatus, comprising: one or more network interfaces; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process that is executable by the processor, the process when executed configured to: extract event data from logs generated by one or more entities in a computer network that are indicative of events that occurred in the computer network; detect, using the event data, a relationship between the events that occurred in the computer network; generate, based on the relationship, a prompt for input to a language model; and provide the prompt to the language model, to generate a summary of the events that occurred in the computer network.
  12. 12 . The apparatus as in claim 11 , wherein the logs comprise unstructured text.
  13. 13 . The apparatus as in claim 11 , wherein the language model is a large language model (LLM).
  14. 14 . The apparatus as in claim 11 , wherein the apparatus generates the prompt by: inserting text from one or more reference documents regarding computer networking into the prompt.
  15. 15 . The apparatus as in claim 11 , wherein the process when executed is further configured to: provide the summary to a user interface for review.
  16. 16 . The apparatus as in claim 15 , wherein the process when executed is further configured to: adjust how the apparatus generates event summaries using the language model based on feedback for the summary from the user interface.
  17. 17 . The apparatus as in claim 15 , wherein the process when executed is further configured to: providing a generated plot or a hyperlink in conjunction with the summary of events to the user interface.
  18. 18 . The apparatus as in claim 11 , wherein the apparatus detects the relationship between the events based on at least one of: their periodicity or a common location in the computer network.
  19. 19 . The apparatus as in claim 11 , wherein the apparatus extracts the event data from the logs generated by the one or more entities in the computer network by: removing duplicate entries, overlapping attributes, or unnecessary fields from the logs.
  20. 20 . A tangible, non-transitory, computer-readable medium storing program instructions that cause a device to execute a process comprising: extracting, by the device, event data from logs generated by one or more entities in a computer network that are indicative of events that occurred in the computer network; detecting, by the device and using the event data, a relationship between the events that occurred in the computer network; generating, by the device and based on the relationship, a prompt for input to a language model; and providing, by the device, the prompt to the language model, to generate a summary of the events that occurred in the computer network.

Description

TECHNICAL FIELD The present disclosure relates generally to generating meaningful system event summaries using a large language model (LLM). BACKGROUND As the number of devices, services, and communication mechanisms in a computer network continues to increase, so too does the complexity of the network. This complexity also makes detecting and troubleshooting issues in the network difficult. For instance, poor application performance during a video conference could be attributable to a lack of resources on the endpoint device of a participant in the video conference, to poor network performance (e.g., high packet loss, latency, etc.), or to even problems associated with the application itself (e.g., an overloaded server, etc.). Network devices, controllers, and monitoring tools produce a vast array of operational and status reports, which are referred to herein collectively as “events.” Commonly, events demand the expertise of a trained operator for interpretation and subsequent action. However, the sheer volume of events generated by most computer networks, coupled with their intricate and underlying interactions, exceeds the capacity for effective human management. BRIEF DESCRIPTION OF THE DRAWINGS The implementations herein may be better understood by referring to the following description in conjunction with the accompanying drawings in which like reference numerals indicate identically or functionally similar elements, of which: FIG. 1 illustrates an example computer network; FIG. 2 illustrates an example computing device/node; FIG. 3 illustrates an example of a user interfacing with a language model; FIG. 4 illustrates an example architecture for an artificial intelligence (AI) agent; FIG. 5 illustrates an example architecture for generating meaningful system event summaries using a large language model (LLM); and FIG. 6 illustrates an example of a simplified procedure for generating meaningful system event summaries using an LLM, in accordance with one or more implementations described herein. DESCRIPTION OF EXAMPLE IMPLEMENTATIONS Overview According to one or more implementations of the disclosure, a device extracts event data from logs generated by one or more entities in a computer network that are indicative of events that occurred in the computer network. The device detects, using the event data, a relationship between the events that occurred in the computer network. The device generates, based on the relationship, a prompt for input to a language model. The device provides the prompt to the language model, to generate a summary of the events that occurred in the computer network. Other implementations are described below, and this overview is not meant to limit the scope of the present disclosure. Description A computer network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc. Many types of networks are available, ranging from local area networks (LANs) to wide area networks (WANs). LANs typically connect the nodes over dedicated private communications links located in the same general physical location, such as a building or campus. WANs, on the other hand, typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), synchronous digital hierarchy (SDH) links, and others. The Internet is an example of a WAN that connects disparate networks throughout the world, providing global communication between nodes on various networks. Other types of networks, such as field area networks (FANs), neighborhood area networks (NANs), personal area networks (PANs), enterprise networks, etc. may also make up the components of any given computer network. In addition, a Mobile Ad-Hoc Network (MANET) is a kind of wireless ad-hoc network, which is generally considered a self-configuring network of mobile routers (and associated hosts) connected by wireless links, the union of which forms an arbitrary topology. FIG. 1 is a schematic block diagram of an example simplified computing system (e.g., the computing system 100), which includes client devices 102 (e.g., a first through nth client device), one or more servers 104, and databases 106 (e.g., one or more databases), where the devices may be in communication with one another via any number of networks (e.g., network(s) 110). The network(s) 110 may include, as would be appreciated, any number of specialized networking devices such as routers, switches, access points, etc., interconnected via wired and/or wireless connections. For example, client devices 102, the one or more servers 104 and/or the intermediary devices in network(s) 110 may communicate wirelessly via links based on WiFi, cellular, infrared, radio, near-field communication, satellite, or the like. O