Processes write logs, and sometimes you have the data without access to the process. I was trying out generating log data using number of repeating loggers defined by graphs. The next step I ran some statistics on the log, and depending on the parameters of the log data generator, it was more or less easy to guess what the original log generating graphs were. There can be tons of records on the randomized log events, given using some specified scheme for the writer and other details.
Many types of patterns can be found from the data, like succession and overlap. How do you store the found pattern? Two easy answers would be: naming the function calls that find the pattern, or with a table that describes the pattern instances. A less context dependent answer is, using formulas of temporal logic. Rewriting the found patterns in the logical syntax, you get a long list of features that are true for the studied data, and that can be tested against new data. Once the validating component has been set up, it is straightforward to modify the list of formulas when needed, and no reference to the component itself is required. Crafting the actual logical formulas is one challenge, compared to using equivalent function calls for scripted checks.