Operational logs are a central information source for monitoring and diagnosing complex information systems, yet the effect of log-sequence representation on anomaly detection remains underexplored. This paper investigates three families of sequence embeddings, E1 (template-ID lookup), E2 (semantic), and E3 (hybrid), for log-based anomaly detection. Each embedding is paired with CNN, LSTM, and Transformer heads under a unified training protocol. We conduct controlled experiments on diverse public corpora to assess in-domain and cross-dataset generalization. We report PR–AUC (primary), AUROC, F1, and precision at recall ≥0.9, with 95% bootstrap confidence intervals. Beyond accuracy, we analyze the impact of sequence length, parser choice, and out-of-vocabulary (OOV) rates at both token and template levels within and across datasets. The results suggest that representation choice can meaningfully influence detection performance, particularly under distribution shift. Open-vocabulary semantic and hybrid embeddings can improve robustness to OOV effects, but transfer gains are inconsistent, and degradation often persists under strict cross-dataset transfer.
Musaad Alzahrani (Fri,) studied this question.