Overview

Patterns automatically identify the common message structures in your log data as it is ingested. No configuration, schema definitions, or instrumentation changes are required. Log messages usually contain a static structure and dynamic values. For example, these events have the same structure even though their hostnames and retry counts differ:
Connection to db-1.prod failed after 3 retries
Connection to db-2.prod failed after 7 retries
Bronto represents both events with a Pattern:
Connection to hostname:<String> failed after num_retries:<Integer>
Each unique Pattern receives a stable Pattern ID. When an ingested log event matches a Pattern, Bronto writes the Pattern ID to the event as an attribute before storing it. The ID remains unchanged for the retention period of the associated log data. Pattern IDs are first-class fields. You can use them to:
  • Filter searches to a specific message structure
  • Build logical query expressions
  • Group events and graph Pattern frequency over time
  • Identify the log statements generating the most volume
  • Create monitor filters that continue to target the intended log structure

How Pattern Discovery Works

Bronto automatically trains Patterns on up to the most recent 1 million events in a dataset. If the dataset contains fewer events, Bronto trains on the events available. Training typically completes within a few minutes of data first arriving, but there is no guaranteed completion time. After training completes, new events that match a discovered Pattern are annotated with its Pattern ID during ingestion.
Events ingested before Pattern training completes are not retroactively assigned a Pattern ID.
Patterns that first appear after the training sample was collected may not be identified. A retraining mechanism may be added in the future to discover later message structures.

Search and Analyze Patterns

Patterns let you search by message structure instead of relying only on text shared by potentially unrelated log messages. For example, a text search for "timeout" might match several different code paths:
Request to payments timed out after 10s
Lock acquisition timed out for key:checkout
Client connection timed out:192.0.2.10
With Patterns, you can select or query the specific message structure you want to investigate. Because the Pattern ID is stored as an event attribute, Pattern queries use Bronto’s indexing and can be combined with other attributes. For example:
("$pattern_id" IN ('66fadcfb98d5c032', '4a465fe8dd5fbecd') AND response_code >= 500)
OR ("$pattern_id" != '7c23016da7db413e' AND error IS NOT NULL)
See Search Syntax for details about building queries.

Group and Visualize

Group by the Pattern ID to see the distinct message structures in a dataset and compare their frequency. This can help you:
  • Understand the normal behavior of an unfamiliar service
  • Identify Patterns that appear only during errors
  • Spot high-volume or noisy log statements
  • Track changes in log volume and investigate ingestion costs

Use Patterns in Monitors

You can use a Pattern ID in a monitor’s filter to target a specific log structure. This avoids matching new, unrelated log messages that happen to contain the same words as the original event. For example, a text filter for "payment failed" could later match a recoverable "payment failed, retrying in 5s" message. A filter using the original Pattern ID continues to match only the selected message structure. See Monitoring Overview & Threshold Monitors for information about creating monitor queries.
There is currently no dedicated Pattern-based alerting workflow in the UI. Bronto does not yet provide alerts for a newly discovered Pattern or an anomalous change in a Pattern’s frequency.

Inferred Value Types

Bronto attempts to infer the type of each dynamic value and replaces it with a corresponding placeholder.
Placeholder    Description
<*>            A wildcard used when a more specific type cannot be inferred, typically when a value can be a string or number
<UUID>         A UUID
<URL>          A URL
<Timestamp>    A timestamp
<Boolean>      A Boolean value
<IPv4>         An IPv4 address
<Semver>       A semantic version, such as 4.7.12
<Duration>     A number followed by a time unit, such as 10ms, 2m, or 5h
<Float>        A floating-point number
<Number>       A value observed as both a float and an integer
<Integer>      An integer
<Host>         A value from the event’s hostname field
<AWSHost>      A default AWS EC2 hostname, such as ip-123-123-123-123
<String>       A string
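
The monitor drift described under Use Patterns in Monitors, combined with a few of the placeholder types above, as an added Python sketch (not Bronto's code or algorithm). The regex-based typing, the key:value handling, and the SHA-256-derived ID are assumptions made for illustration, and the sample events are constructed.

```python
import hashlib
import re

# Subset of the placeholder types listed on this page, most specific first.
TYPE_RULES = [
    ("URL", re.compile(r"https?://\S+")),
    ("IPv4", re.compile(r"(\d{1,3}\.){3}\d{1,3}")),
    ("Semver", re.compile(r"\d+\.\d+\.\d+")),
    ("Duration", re.compile(r"\d+(ms|s|m|h)")),
    ("Float", re.compile(r"\d+\.\d+")),
    ("Integer", re.compile(r"\d+")),
]

def classify(value):
    """Return '<Type>' if the whole value matches a rule, else the value unchanged."""
    for name, rule in TYPE_RULES:
        if rule.fullmatch(value):
            return f"<{name}>"
    return value

def to_template(message):
    """Replace typed dynamic values with placeholders; static words stay as-is."""
    out = []
    for token in message.split():
        core = token.rstrip(",.;")          # keep trailing punctuation static
        tail = token[len(core):]
        typed = classify(core)
        if typed == core and ":" in core:   # key:value token such as out:192.0.2.10
            key, _, value = core.rpartition(":")
            typed = f"{key}:{classify(value)}"
        out.append(typed + tail)
    return " ".join(out)

def pattern_id(message):
    """Assumed ID scheme: truncated SHA-256 of the template (not Bronto's)."""
    return hashlib.sha256(to_template(message).encode()).hexdigest()[:16]

def pattern_filter(events, target_id):
    return [e for e in events if pattern_id(e) == target_id]

# Constructed sample events, not real log data.
EVENTS = [
    "payment failed for order 1841",
    "payment failed for order 2210",
    "payment failed, retrying in 5s",
    "Client connection timed out:192.0.2.10",
]

print([e for e in EVENTS if "payment failed" in e])       # text filter: 3 events
print(pattern_filter(EVENTS, pattern_id(EVENTS[0])))      # Pattern ID filter: 2 events
```

The text filter also selects the recoverable retry message, while the ID filter stays on the original structure, which is the behavior a detection or alerting rule needs when new log statements are added later.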

Getting Started

Patterns are enabled automatically for logs sent to Bronto. No changes to your logging configuration are required.
  1. Send log data to a Bronto dataset.
  2. Allow Pattern training to complete. This typically takes a few minutes after data first arrives.
  3. Search or group by the $pattern_id event attribute.
  4. Use a Pattern ID in queries, visualizations, or monitor filters like any other event field.
Detected Patterns are also available through the /patterns API endpoint.