Show HN: Root Cause as a Service – Never dig through logs again

25 points by stochastimus ↗ HN
Hey Folks – Larry, Ajay and Rod here!

We address the age old painful problem of digging through logs to find the root cause when a problem occurs. No-one likes searching through logs, and so we spent a few years analyzing 100’s of real world incidents to understand how humans troubleshoot in logs. And then we built a solution that automatically finds the same root cause indicators a human would have had to manually search for. We call it Root Cause as a Service. RCaaS works with any app and does not require manual training or rules. Our foundational thoughts and more details can be found here: https://www.zebrium.com/blog/its-time-to-automate-the-observer.

Obviously, everyone is skeptical when they hear about RCaaS. We encourage you try it yourself, but we also have a really strong validation point. One of our customers performed a study using 192 actual customer incidents from 4 different products and found that Zebrium correctly identified the root cause indicators in the logs in over 95% of the incidents – see https://www.zebrium.com/cisco-validation.

For those that are interested, this is actually our second SHOW HN post, our first was last June - https://news.ycombinator.com/item?id=23490609. The link in that post points to our current home page but our initial comment was, "We're excited to share Zebrium's autonomous incident detection software". At the time, our focus was on a tool that used unsupervised ML to automatically detect any kind of new or unknown software incident. We had done a lot of customer testing and were achieving > 90% detection accuracy in catching almost any kind of problem. But what we underestimated is just how high the bar is for incident detection. If someone is going to hook you up to a pager, then even an occasional false positive is enough for a user to start cursing your product! And users quickly forget about the times when your product saved their bacon by catching problems that they would otherwise have missed.

But late last year we had a huge aha moment! Most customers already have monitoring tools in place that are really good at detecting problems, but what they don't have is an automated way to find the root cause. So, we built some really elegant integrations for Datadog, New Relic, Elastic, Grafana, Dynatrace, AppDynamics and ScienceLogic (and more to come via our open APIs) so that when there's a problem, you see details of the root cause directly on your monitoring dashboard. Here's a 2 minute demo of what it looks like: https://youtu.be/t83Egs5l8ok.

You're welcome to sign-up for a free trial at https://www.zebrium.com and we'd love to hear your questions and feedback.

19 comments

[ 3.0 ms ] story [ 50.3 ms ] thread
> Here's a 2 minute demo of what it looks like: https://youtu.be/t83Egs5l8ok.

The problem with this demo is that it uses something that's 100% broken due to something that happened immediately before the failure. That's not hard to debug and I don't really see value there.

The scenarios that could use this sort of tool are things like someone turning on a flag that breaks 1% of a specific end point but only 0.1% of overall requests. So something sub-alert level and with not nearly an immediately obvious cause & effect. If you can detect something like that without generating a ton of noise and give a hint to root cause then that'd be something killer.

It's a cool idea and I can see the value. We've had scenarios like the one I mentioned (and worse) go undetected because of the noise Sentry generates. If you can solve that then you've really got something.

>"... I don't really see value there ... I can see the value."

Huh!?!

They're referring to different things....
Hey! Founder here. Thanks for your comment!

> That's not hard to debug

I agree there's a large class of problems where that's the case, and I also agree it's perhaps easier than many of the issues we've caught in the real world, such as are discussed in the Cisco case study. But I still want to defend the example as non-trivial.

So of course we pick up the errors in services that are fall-out from the breakage, and we pick up the chaos test running, which leaves a pretty wide footprint. But if something like this happened in the real world, the important event would have been that one that's in the RC report, that's not even an error (though it is quite unusual): the kernel log entry pointing out the eth0 misconfig. It can take a long time for someone to get around to poring through their various host kernel logs and looking at everything, even non-errors, so having it surfaced to you right away feels like a very useful thing.

At the same time though, I like the example you gave even more. What many people will do is upload their own incident data via the CLI, or deploy our chart into a staging environment and just break things, to see what happens. Based on your description, there's a good chance we would pick it up since we track anomalies and perform anomaly correlation across all pairs of streams: we're not looking for a threshold percentage of overall error rates, for example, anywhere. If you'd be willing to help us test this use-case, I'd love to work with you personally to help you get up-and-running.

Also, as we see more and more failure modes, we continue to make our detection algorithms more robust. While we generally achieve >>90% detection of incidents and their root cause indicators overall, there are always places we can and would love to do better. I think you'd find that our solution would catch most of what you'd want out-of-the-box, and that we're responsive enough to learn from every customer.

Lastly, I would ask: do you think that we should do videos of some more "subtle" examples (for lack of a better word)? As someone viewing the website, would you have watched them?

Thanks again for your feedback!

Having worked on a machine learning time series document search solution for the last 2 years, I know exactly why the cost of this is so high. Running logs through a model must be VERY expensive.

I had a good friend at Splunk who passed a few years ago. He was working on something similar, well before we had decent models. His anomaly detection used differences in regular expression patterns to detect "strange things". I guess that's why he carried the title "Chief Mind".

I'm excited where ML and time series data is going. It's going to be interesting!

It's really quite inexpensive - but would love to get your feedback on pricing, esp. at scale! pls. do reach out
95.8% of the time it's kind of obvious what happened, at least with reasonable monitoring. Digging through logs is for the other 4.2% of the time. Having done that kind of thing more than once, I don't see ML as being helpful. You often end up writing scripts to search for specific combnations of events, that are only identifiable after the incident has happened.
I feel that vendors have really muddied the playing field by claiming ML features and then not delivering value. That’s why we tend not to talk about ML. But, I think saying that ML is unhelpful for the problem is a bit like saying programming is unhelpful for the problem - the solution space is vast, and has hardly been explored.
FWIW: In my career doing this kind of work, I found logs to be archeologically interesting, but seldom of value. Products that claimed to do things with logs gave me skepticism, because they were often like trying to do brain surgery through your foot - better to just go straight to the head. That is to say, if you could replicate the problem, better to watch it via full-stack monitoring tools in real-time than wading through gigabytes (terabytes?) of log data after the fact, often which had a randomness to their shape (IE: consisted of whatever garbage some developer thought was useful long ago and far away).
If you knew exactly what to monitor and control, you would also have put in mitigations for the problem. Log analysis is for when something went wrong that you didn't anticipate, such as a security exploit. It's part of a post-incident investigation.
My point is log analysis is noise to the signal. A poor way to discern what went wrong or to proactively monitor to avoid an incident in the first place. There are loads of tools out there, some of which have been mentioned in this thread, that monitor from network to user to app layer and are superior for triage. If someone is down in the bowels of logs, it's gonna be a bad time. I spent a decade triaging high-profile incidents around the world and teaching organizations how to do this stuff.
This is all true. So for the times you end up there, wouldn’t you prefer a tool to surface for you the things you were going to have to spend hours digging for?
The logs are what you have. It's like the investigation after a plane crash, where you have some black boxes, some radar images, observed distribution of wreckage, whatever. You probably don't have all the data you would like to, but you use whatever you can get your hands on.

Better tools for analyzing logs are fine, but the idea of some ML tool that you throw random logs through and have it automatically identify significant events seems like a pipe dream.

do you not take volume of logs into consideration for pricing then ?
We do indeed since we need to process an amount of data in proportion to that volume, and so more resources are required - you can also run it on-prem, if you want
I give you credit for working in this space and trying to create a more automated approach... I spent many years in the app performance world both as a consultant and working on products, so again - good on you.

For what it's worth, my immediate reaction is that you might work on different terminology in how you present what your product does. I get that you are trying to create a contrived example in order to demo the product and show value, and that can be a very difficult thing to do. That said, in my line of thinking, an HTTP 500 isn't actually the root cause, it's a symptom of the cause. The password being set incorrectly isn't the root cause either. The real root cause is something in the deployment pipeline, the configuration control, the change management, the architecture, etc, etc. that got us to this point.

I guess I'm struggling here a bit too because I think of how many times I would have been the manual version of this, where I would show information like this to a client's technical team, and I had to absolutely spoon feed them on how to remedy. I remember a team that was supposed to be crack guys from a vendor, an app team, etc who had been working on a problem for months that I fixed in a matter of hours because they just didn't understand what the line in the log meant. So it isn't clear to me how your product is actually creating better visibility + interpretation of the problem toward a solution.

In the ten or so years I did that kind of work, what really stood out to me was that the seemingly obvious tech issues were not obvious because of a lack of education / experience /training on the part of the client personnel, but more often than not the real problems were much much larger architectural issues way beyond just the message in the log. Those are much harder to both identify and correct, but products like yours and the ones you integrate with are almost just a band-aid on the problem.

So, take that for what it's worth - again, good work trying to improve the state of the art in this area.

We go back and forth on this as well. When I talk to people I will usually say something like “we find the stuff in the logs you were going to have to dig for, and surface it in a report on your dashboard”. I think the RCaaS is in that sense aspirational, and there’s a bunch of other stuff you’d want to do as well like integrate log and metric AD for example. I really appreciate your thoughtful comment and I think you’re right, we can still communicate better about this concept with the broader community. Pls do reach out if you’d be willing, Id love to pick ur brain over a drink or w/e. larry@zebrium.com