Log parsing test data
j4d opened this issue · 2 comments
I use logparser to parse my training data then loglizer to build the model. The issue however is when we have some test data that we want to check whether it's an anomaly or not, running logparser on the test data by itself produces different and suboptimal event log templates compared to the training data since the test data is much smaller than the training data. Having different event templates throws off the analysis in loglizer.
Is there a way for logparser to check new test data against the templates that were already produced by the training data? Or does that requires modifications to logparser? Any suggestions are welcome.
Just to add: I am using the Drain algorithm for the log parsing.
If the test data is much smaller than the training data, typically the parser should already learn enough event templates from the training data. So I am not sure what's the root cause of your case. Do you mean the event templates in the test data is completely different from those in the training data? It may be better if you can provide some examples.