U

UI Message

This pattern is very useful for troubleshooting system-wide issues because we can map visual behavior to various Activity Regions and consider such messages as Significant Events.

# Module PID TID Time Message​
[...]​
2782 ModuleA 2124 5648 10:58:03.356 CreateWindow: Title "..." Class "..."​
[...]​
3512 ModuleA 2124 5648 10:58:08.154 Menu command: Save Data​
[...]​
3583 ModuleA 2124 5648 10:58:08.155 CreateWindow: Title "Save As" Class "Dialog"​
[... Data update and replication-related messages ...]​
4483 ModuleA 2124 5648 10:58:12.342 DestroyWindow: Title "Save As" Class "Dialog"​
[...]

By filtering the emitting module, we can create Adjoint Thread:

# Module PID TID Time Message​
[...]​
2782 ModuleA 2124 5648 10:58:03.356 CreateWindow: Title "..." Class "..."​
3512 ModuleA 2124 5648 10:58:08.154 Menu command: Save Data​
3583 ModuleA 2124 5648 10:58:08.155 CreateWindow: Title "Save As" Class "Dialog"​
4483 ModuleA 2124 5648 10:58:12.342 DestroyWindow: Title "Save As" Class "Dialog"​
[...]

Ultrasimilar Messages

Certain types of blind SQL injection¹⁴⁵ attacks may leave log messages with a one-byte difference. We call with analysis pattern Ultrasimilar Messages by analogy with an ultrametric space¹⁴⁶ in mathematics and the interpretation of messages as p-adic numbers¹⁴⁷. Since such messages may be scattered in a log, we can choose Message Pattern based on some Message Invariant (for example, parts of SQL request) and then analyze its Fiber of Activity (for example, Data Flow of its variable part). A log with two different types of Ultrasimilar Messages is shown in the following diagram:

Unsynchronized Traces

Often, for Inter-Correlational trace and log analysis, we need to make sure that we have synchronized traces. The one version of Unsynchronized Traces analysis pattern is depicted in the following diagram where one trace ends (possibly Truncated Trace) before the start of another trace, and both were traced within one hour:

If tracing was done in different time zones with different local times specified in logs, we could determine whether the traces are synchronized (when time zone information is not available in Basic Facts) by looking at minutes as shown in the third trace in the diagram above. This technique can also be used in trace calibration (see Calibrating Trace).

There is a similar analysis pattern for memory dump analysis called Unsynchronized Dumps¹⁴⁸.

Use Case Trail

Use cases¹⁴⁹ are implemented in various components such as subsystems, processes, modules, and source code files. Most of the time, with good logging implementation, we can see Use Case Trails: log messages corresponding to use case scenarios. For simple systems, one log may fully correspond to just one use case, but for complex systems, especially distributed client-server ones, there may be several use case instances present simultaneously in one log. One way to disentangle them in the absence of UCID (Use Case ID) or some other grouping tag is to use Event Sequence Phase.

Master Traces may also correspond to use cases, but they should ideally correspond to only one use case instance.