DeepParse: Hybrid Log Parsing with LLM-Synthesized Regex Masks
This work addresses log parsing for system reliability and security, offering a cost-efficient solution that improves accuracy and reduces false alarms, though it is incremental as it builds on existing methods like Drain and LLMs.
The paper tackles the problem of log parsing for distributed systems by introducing DeepParse, a hybrid framework that combines LLM-synthesized regex masks with the Drain algorithm, achieving 97.6% average parsing accuracy and, in anomaly detection, reducing false alarms by over 30% and inference latency by 36%.
Modern distributed systems produce massive, heterogeneous logs that are essential for reliability, security, and anomaly detection. Converting these free-form messages into structured templates (log parsing) is challenging because formats evolve and labeled data is scarce. Machine-learning-based parsers like Drain are fast, but their accuracy often degrades on complex variables, while Large Language Models (LLMs) generalize better but incur prohibitive inference costs. This paper presents DeepParse, a hybrid framework that automatically mines reusable variable patterns from small log samples using an LLM, then applies them deterministically through the Drain algorithm. By separating the reasoning phase from execution, DeepParse enables accurate, scalable, and cost-efficient log structuring without relying on brittle handcrafted rules or per-line neural inference. Across 16 benchmark datasets, DeepParse achieves higher accuracy in variable extraction (97.6% average Parsing Accuracy) and better consistency than both heuristic and LLM-only baselines. Integrating DeepParse into an anomaly detection pipeline reduced false alarms by over 30% and inference latency by 36% compared to heuristic baselines.
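The two-phase design the abstract describes (mine variable masks once, then apply them deterministically inside Drain) as an added illustration that is not the paper's code: the regex masks are hand-written stand-ins for the LLM-synthesized ones, the Drain miner is a simplified re-implementation, and the HDFS-style log lines are constructed. It shows why masking before template mining yields stable templates on first sight, where plain Drain emits a raw line until a second similar line arrives.

```python
import re
from collections import defaultdict

# Constructed masks standing in for the LLM-synthesized regex masks the abstract
# describes (hypothetical; not DeepParse's real output). Most specific first, so
# the bare-integer mask cannot split a block id or an address.
MASKS = [
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b"),  # IPv4 with optional port
    re.compile(r"\bblk_-?\d+\b"),                          # HDFS block id
    re.compile(r"\b0x[0-9a-fA-F]+\b"),                     # hex value
    re.compile(r"\b\d+\b"),                                # bare integer
]

def mask_line(line, masks=MASKS):
    """Execution phase: apply the mined masks deterministically, no LLM call."""
    for pat in masks:
        line = pat.sub("<*>", line)
    return line

class SimpleDrain:
    """Minimal Drain-style miner: bucket by token count, then merge with the most
    similar existing template when similarity reaches the threshold."""
    def __init__(self, masks=MASKS, threshold=0.5):
        self.masks, self.threshold = masks, threshold
        self.groups = defaultdict(list)  # token count -> templates (token lists)

    def parse(self, line):
        toks = mask_line(line, self.masks).split()
        if not toks:
            return ""
        bucket = self.groups[len(toks)]
        best, best_sim = None, 0.0
        for tpl in bucket:
            sim = sum(a == b for a, b in zip(toks, tpl)) / len(toks)
            if sim > best_sim:
                best, best_sim = tpl, sim
        if best is None or best_sim < self.threshold:
            bucket.append(toks)          # new template, emitted as seen
            return " ".join(toks)
        merged = [a if a == b else "<*>" for a, b in zip(best, toks)]
        bucket[bucket.index(best)] = merged
        return " ".join(merged)

# Constructed HDFS-style sample lines (not from any real dataset).
LOGS = [
    "Receiving block blk_-1608999687919862906 src: /10.250.19.102:54106 dest: /10.250.19.102:50010",
    "PacketResponder 1 for block blk_-1608999687919862906 terminating",
    "Receiving block blk_1234 src: /10.0.0.5:33001 dest: /10.0.0.5:50010",
    "PacketResponder 0 for block blk_99 terminating",
]

def templates(lines, masks=MASKS):
    """Distinct templates emitted for `lines`, in order of first appearance."""
    miner = SimpleDrain(masks)
    return list(dict.fromkeys(miner.parse(l) for l in lines))
```

With the masks, `templates(LOGS)` yields two templates and keeps the literal `/` before each address as a constant; with `masks=[]` the same four lines produce four distinct outputs because the first line of each kind is emitted unmasked.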