LLM拡張による階層的ログ異常分析の対話型フレームワーク Detect, Localize, and Explain: Interactive Hierarchical Log Anomaly Analytics with LLM Augmentation

Log anomaly detection has been a long-standing pillar of system observability, yet operators still struggle with two downstream problems: pinpointing where exactly an anomaly originates inside a noisy log stream, and understanding why a model flagged it. This paper proposes a hierarchical framework that unifies detection, localization, and explanation, and augments the pipeline with a large language model to produce human-readable rationales and support interactive triage.

Classical approaches such as DeepLog, LogAnomaly, and LogBERT focus primarily on sequence-level scoring, treating logs as token or template sequences and learning normal patterns through LSTMs or transformer encoders. While effective at producing anomaly scores, these models tend to be opaque: they rarely indicate which template, field, or time window drove the decision, and they offer little narrative that an SRE can act upon. The proposed system appears to address this gap by first narrowing down suspicious sequences, then drilling into finer-grained templates or events, and finally letting an LLM compose a contextual explanation drawing on the localized evidence.

The interactive dimension is arguably the most interesting design choice. Rather than emitting a static alert, the framework seems intended to support follow-up queries from operators, letting them ask for related events, historical precedents, or alternative hypotheses. This direction echoes the broader AIOps research agenda pursued at Microsoft, Meta, and several cloud vendors, where copilots increasingly mediate between raw telemetry and on-call engineers. Recent work such as RCACopilot and LogPrompt has shown that LLMs can meaningfully assist with incident triage when grounded in structured signals, and this paper fits squarely within that emerging line.

Hierarchical decomposition also helps with a very practical issue: token budgets. Feeding entire log streams into an LLM is infeasible at scale, so the layered approach of filtering, localizing, and only then explaining is a sensible way to bound context size and inference cost. It may also improve faithfulness, since the LLM is asked to reason over a small, pre-selected slice of evidence rather than freely hallucinate over megabytes of text.

Several caveats remain. LLM-generated explanations carry well-known risks of plausible-sounding but incorrect narratives, and grounding them in retrieved log evidence does not eliminate the problem. Operational deployment also raises concerns about latency, cost per incident, and sensitivity of log content, which often contains credentials, customer identifiers, or internal hostnames that organizations are reluctant to send to external models. Integration with existing SIEM and observability stacks such as Elastic, Splunk, or OpenTelemetry-based pipelines will likely determine whether such frameworks see real adoption, and the empirical sections of the paper should be read with those constraints in mind.

Overall, the contribution looks incremental rather than revolutionary, but it reflects a meaningful trend: log analytics is shifting from pure anomaly scoring toward explainable, conversational workflows where the model is expected not only to detect but also to justify and converse. Whether this particular hierarchy generalizes beyond the benchmark datasets typically used in the field, such as HDFS or BGL, remains to be seen.