CN112784025B - Method and device for determining target event - Google Patents

Publication number: CN112784025B
Authority: CN (China)
Prior art keywords: target, event, map, log, nodes
Legal status: Active
Application number: CN202110035249.6A
Other languages: Chinese (zh)
Other versions: CN112784025A
Inventor: 鲍红飞
Current Assignee: Qingdao Mingyue Software Technology Development Co ltd
Original Assignee: Qingdao Mingyue Software Technology Development Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/33 Querying
    • G06F16/332 Query formulation
    • G06F16/3329 Natural language query formulation or dialogue systems
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application relates to a method and a device for determining a target event, wherein the method comprises the following steps: acquiring a log map of target log data, wherein the log map comprises a first event map contained in the log data, the first event map comprises a plurality of initial nodes, and a first association relationship is formed among the plurality of initial nodes; searching a target map in the log map based on the sub-map set, wherein a second event map corresponding to the reference event is stored in the sub-map set, the second event map comprises a plurality of reference nodes, and a second association relationship exists among the plurality of reference nodes; and determining the reference event corresponding to the target map as a target event contained in the target log data. The method and the device solve the technical problem of low efficiency of determining the target event contained in the log data.

Description

Method and device for determining target event
Technical Field
The present application relates to the field of knowledge graph technologies, and in particular, to a method and an apparatus for determining a target event.
Background
During operation of each stage of a power system, a number of system monitoring alarm signals are generated in order to track the operation of each section of the substation. In the related art, the alarm signals are judged manually in order to identify accidents during operation, but when accidents occur frequently, monitoring personnel are prone to missing and misjudging alarm signals, so that accident identification efficiency is low.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The application provides a method and a device for determining a target event, which at least solve the technical problem that the efficiency of determining the target event contained in log data in the related technology is low.
According to an aspect of an embodiment of the present application, there is provided a method for determining a target event, including: acquiring a log map of target log data, wherein the log map comprises a first event map contained in the log data, the first event map comprises a plurality of initial nodes, and a first association relationship exists among the plurality of initial nodes; searching for a target map in the log map based on a sub-map set, wherein a second event map corresponding to a reference event is stored in the sub-map set, the second event map comprises a plurality of reference nodes, and a second association relationship exists among the plurality of reference nodes; and determining the reference event corresponding to the target map as a target event contained in the target log data.
Optionally, searching for the target map in the log map based on the sub-map set includes: searching for a corresponding target node set in the log map based on the second event map in the sub-map set, wherein the target node set comprises a plurality of target nodes, a third association relationship exists among the target nodes, the target nodes and the reference nodes in the second event map satisfy a first matching relationship, and the third association relationship and the second association relationship in the second event map satisfy a second matching relationship; and determining the second event map as the target map corresponding to the target node set in the log map.
Optionally, searching for the corresponding target node set in the log map based on the second event map in the sub-map set includes: determining event information corresponding to the second event map based on the reference nodes in the second event map and the second association relationship; sorting the second event maps in the sub-map set based on the event information; screening the sorted second event maps to obtain screened third event maps; and searching for the corresponding target node set in the log map based on the third event map, wherein one initial node contained in the log map belongs to only one target node set.
Optionally, searching for the corresponding target node set in the log map based on the third event map includes: acquiring the reference node of the third event map and the second association information; generating a target query instruction according to the reference node and the second association information; and searching for the corresponding target node set in the log map based on the target query instruction.
Optionally, generating the target query instruction according to the reference node and the second association information includes: performing target calculation on the reference node and the second association information to obtain a node calculation value; generating a first target query instruction in the case that the node calculation value is larger than a set threshold value, wherein the first target query instruction is used for indicating that the target node set is queried in the log map by using a central point method; and generating a second target query instruction in the case that the node calculation value is smaller than the set threshold value, wherein the second target query instruction is used for indicating that the target node set is queried in the log map by using a direct matching method.
Optionally, searching for the corresponding target node set in the log map based on the target query instruction includes: searching for a corresponding core node set in the log map based on the target query instruction, wherein the core node set is a node set forming a basic feature set of an event, the core node set comprises a plurality of core nodes, and a third association relationship exists among the core nodes; and determining the core node set as the target node set.
Optionally, after determining the core node set as the target node set, the method further comprises at least one of: searching for a corresponding accompanying node set in the log map based on the target query instruction, and supplementing the accompanying node set to the target node set to obtain the supplemented target node set, wherein the accompanying node set is a node set forming the accompanying features of an event; searching for a corresponding target supplementary node set in the log map based on the target query instruction, and supplementing the target supplementary node set to the target node set to obtain the supplemented target node set, wherein the target supplementary node set comprises node sets of remote signaling signals.
According to another aspect of the embodiment of the present application, there is also provided a device for determining a target event, including: an acquisition module, used for acquiring a log map of target log data, wherein the log map comprises a first event map contained in the log data, the first event map comprises a plurality of initial nodes, and a first association relationship exists among the plurality of initial nodes; a first searching module, used for searching for a target map in the log map based on a sub-map set, wherein a second event map corresponding to a reference event is stored in the sub-map set, the second event map comprises a plurality of reference nodes, and a second association relationship exists among the plurality of reference nodes; and a determining module, used for determining that the reference event corresponding to the target map is a target event contained in the target log data.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program that executes the above-described method when running.
According to another aspect of the embodiments of the present application, there is also provided an electronic device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor executing the method described above by the computer program.
In the embodiments of the present application, a log map of target log data is acquired, wherein the log map comprises a first event map contained in the log data, the first event map comprises a plurality of initial nodes, and a first association relationship exists among the plurality of initial nodes; a target map is searched for in the log map based on the sub-map set, wherein a second event map corresponding to the reference event is stored in the sub-map set, the second event map comprises a plurality of reference nodes, and a second association relationship exists among the plurality of reference nodes; and the reference event corresponding to the target map is determined to be a target event contained in the target log data. The corresponding log map is generated from the log data, the second event map of an existing event (formed by its reference nodes and the second association relationship among them) is used to search the log map for the target map corresponding to that second event map, and the reference event corresponding to the target map is determined, so that the target event contained in the log data is identified. This achieves the purpose of quickly and accurately determining the target event contained in the log data, improves the efficiency of determining it, and solves the technical problem that the efficiency of determining the target event contained in the log data is low.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic diagram of a hardware environment of a method of determining a target event according to an embodiment of the present application;
FIG. 2 is a flow chart of an alternative method of determining a target event according to an embodiment of the application;
FIG. 3 is a flowchart of an alternative center point method implementation in accordance with an embodiment of the present application;
FIG. 4 is an alternative target node set lookup flow diagram in accordance with an embodiment of the present application;
FIG. 5 is a schematic diagram of an alternative target event determination apparatus according to an embodiment of the present application;
FIG. 6 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an aspect of the embodiment of the application, an embodiment of a method for determining a target event is provided.
Alternatively, in the present embodiment, the above-described method for determining the target event may be applied to a hardware environment constituted by the terminal 101 and the server 103 as shown in FIG. 1. FIG. 1 is a schematic diagram of a hardware environment of a method for determining a target event according to an embodiment of the present application. As shown in FIG. 1, a server 103 is connected to a terminal 101 through a network and may be used to provide services (data query service, data calculation service, etc.) to the terminal or to a client installed on the terminal; a database may be set up on the server or independently of the server to provide a data storage service for the server 103. The network includes, but is not limited to: the terminal 101 is not limited to a PC, a mobile phone, a tablet computer, or the like. The method for determining the target event according to the embodiment of the present application may be performed by the server 103, may be performed by the terminal 101, or may be performed by both the server 103 and the terminal 101. When the method for determining the target event according to the embodiment of the present application is executed by the terminal 101, it may be executed by a client installed thereon.
FIG. 2 is a flow chart of an alternative method of determining a target event according to an embodiment of the application. As shown in FIG. 2, the method may include the following steps:
Step S202, acquiring a log map of target log data, wherein the log map comprises a first event map contained in the log data, the first event map comprises a plurality of initial nodes, and a first association relationship exists among the plurality of initial nodes;
Step S204, searching for a target map in the log map based on a sub-map set, wherein the sub-map set stores a second event map corresponding to a reference event, the second event map comprises a plurality of reference nodes, and a second association relationship exists among the plurality of reference nodes;
Step S206, determining that the reference event corresponding to the target map is a target event contained in the target log data.
Through steps S202 to S206, the corresponding log map is generated from the log data, the second event map of an existing event (formed by its reference nodes and the second association relationship among them) is used to search the log map for the target map corresponding to that second event map, and the reference event corresponding to the target map is determined, so that the target event contained in the log data is identified. This achieves the purpose of quickly and accurately determining the target event contained in the log data, improves the efficiency of determining it, and solves the technical problem of low efficiency in determining the target event contained in the log data.
In the technical solution provided in step S202, the target log data may be a monitoring signal generated by each device during operation of each substation of the power system, or may be a monitoring signal of a device on a certain workshop assembly line, which is not limited in this solution.
Alternatively, in this embodiment, the log map of the log data may be obtained by performing recognition analysis on the log data using an existing map generation model.
Alternatively, in the present embodiment, the initial node may include, but is not limited to, a switching operation of the device, the closing of a knife switch, a protection signal of the device, and the like.
Alternatively, in the present embodiment, the first association relationship may be generated according to, but not limited to, an event and a spatial constraint between nodes.
In the solution provided in step S204, the second event map is a map of an existing event, and the sub-map set may include a plurality of second event maps.
Optionally, in this embodiment, the target map may be searched for in the log map by, but not limited to, searching the log map for a map whose graph structure is similar to that of the second event map, or searching the log map for the target map with the highest matching degree according to the attributes of the nodes, which is not limited in this scheme.
As an alternative embodiment, searching for the target map in the log map based on the sub-map set comprises:
S11, searching for a corresponding target node set in the log map based on the second event map in the sub-map set, wherein the target node set comprises a plurality of target nodes, a third association relationship exists among the target nodes, the target nodes and the reference nodes in the second event map satisfy a first matching relationship, and the third association relationship and the second association relationship in the second event map satisfy a second matching relationship;
S12, determining the second event map as the target map corresponding to the target node set in the log map.
Optionally, in this embodiment, the target event is composed of one or more target nodes, and a map of the corresponding event may be formed according to the node attributes of each target node and the time constraints and space constraints between target nodes.
Optionally, in this embodiment, the first matching relationship may be that the matching degree between the reference nodes in the second event map and the target nodes in the target node set meets a certain threshold, or may be that the matching degree between the reference nodes in the second event map and the target nodes in the target node set is higher than the matching degree between the reference nodes of the other second event maps in the sub-map set and the target nodes in the target node set. The matching relationship between a reference node and a target node can be determined by node attributes; different nodes have different node attributes, which include the state of the node, the node characteristics, and the like.
Optionally, in this embodiment, the second matching relationship may be, but is not limited to, determined according to a similarity between the third association relationship and the second association relationship, where the association relationship between the nodes is determined according to constraint conditions such as a node time constraint, a space constraint, and the like, and the corresponding association relationship is accurately matched by comparing the similarity of the time constraint and the space constraint.
Alternatively, in this embodiment, when the first matching relationship and the second matching relationship are used to determine the target node set, the weight information may be set according to the importance degree of the node attribute and the association relationship, for example, when the node attribute is more important, the weight value of the first matching relationship may be set to be higher than the weight value of the second matching relationship.
Through the steps, the corresponding target node set is searched in the log map according to the matching relation between the nodes and the matching relation of the association relation between the nodes, and the aim of improving the accuracy of the determined target node set is fulfilled.
As an optional embodiment, searching for the corresponding target node set in the log map based on the second event map in the sub-map set includes:
S21, determining event information corresponding to the second event map based on the reference nodes in the second event map and the second association relationship;
S22, sorting the second event maps in the sub-map set based on the event information;
S23, screening the sorted second event maps to obtain screened third event maps;
S24, searching for the corresponding target node set in the log map based on the third event map, wherein one initial node contained in the log map belongs to only one target node set.
Optionally, in this embodiment, the event information includes operation information of the device, failure information of the device, and the like. The events are ranked by importance according to the event information; for example, failure information may be more important than operation information of the device, so that events corresponding to failure information rank higher than events corresponding to operation information. When the event maps are matched, the target node sets are searched for in the log map using the second event maps in the order of the event ranking.
Optionally, in this embodiment, the screening of the second event maps may be, but is not limited to, filtering out, based on the node attributes and the association relationships determined by the spatial and temporal constraints between nodes, the second event maps that are inconsistent with the temporal and spatial constraints of the log map.
Through the above steps, the second event maps are sorted according to the event information corresponding to them, and the target node sets are searched for in the log map using the event maps in the sorted order, so that one initial node in the log map corresponds to only one target node set, which improves the accuracy of the target node sets found. Screening out the second event maps whose attribute information does not meet the requirements reduces the workload of searching for the target node sets contained in the log map according to the third event maps, and greatly reduces the system load.
As an optional embodiment, searching for the corresponding target node set in the log map based on the third event map includes:
S31, acquiring the reference node of the third event map and the second association information;
S32, generating a target query instruction according to the reference node and the second association information;
S33, searching for the corresponding target node set in the log map based on the target query instruction.
As an alternative embodiment, generating the target query instruction according to the reference node and the second association information includes:
S41, performing target calculation on the reference node and the second association information to obtain a node calculation value;
S42, generating a first target query instruction in the case that the node calculation value is larger than a set threshold value, wherein the first target query instruction is used for indicating that the target node set is queried in the log map by using a central point method;
S43, generating a second target query instruction in the case that the node calculation value is smaller than the set threshold value, wherein the second target query instruction is used for indicating that the target node set is queried in the log map by using a direct matching method.
Alternatively, in the present embodiment, the set threshold may include, but is not limited to, values of 5, 10, 15, 16, 20, and the like.
Optionally, in this embodiment, the idea of the direct matching method is to first sort the nodes within each target node set obtained by the query from small to large. For example, with nodes numbered 1 to 30, the first target node set [13, 23, 20] represents the nodes numbered 13, 23 and 20, and the second target node set [13, 27, 23] represents the nodes numbered 13, 27 and 23; after sorting, the two sets become [[13, 20, 23], [13, 23, 27]]. On the basis of this internal sorting of the nodes, the list of sets is then itself sorted from small to large, for example [[13, 23, 27], [13, 20, 23]] -> [[13, 20, 23], [13, 23, 27]]. Finally, nodes are deduplicated on the principle that the same signal node can appear only once: within the query result for a rule, if a node of a sub-list has already appeared in a previous list, that sub-list is deleted. For example, for [[13, 20, 23], [13, 27, 23]] the result finally retained is [[13, 20, 23]].
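The direct matching method above and the ranking in steps S21 to S24 can be tried together on a small graph. The following is an added example, not code from the patent: the log map, the two reference events, their priorities and the edge labels are constructed, and it assumes that only the nodes of retained lists count as having already appeared.

```python
from itertools import permutations

# Constructed log map: node id -> attributes of one monitoring signal.
LOG_NODES = {
    13: {"kind": "protection", "state": "act"},
    20: {"kind": "breaker", "state": "open"},
    23: {"kind": "reclose", "state": "act"},
    27: {"kind": "breaker", "state": "open"},
    30: {"kind": "switch", "state": "close"},
}
# Constructed association relationships: (source id, target id) -> label.
LOG_EDGES = {
    (13, 20): "within_5s", (13, 27): "within_5s",
    (20, 23): "within_5s", (27, 23): "within_5s",
    (20, 30): "within_60s", (27, 30): "within_60s",
}
# Hypothetical sub-map set; "edges" refers to positions in "nodes".
REFERENCE_EVENTS = [
    {"name": "breaker_operation", "priority": 1,
     "nodes": [{"kind": "breaker"}, {"kind": "switch"}],
     "edges": {(0, 1): "within_60s"}},
    {"name": "line_fault_reclose", "priority": 2,
     "nodes": [{"kind": "protection"}, {"kind": "breaker"}, {"kind": "reclose"}],
     "edges": {(0, 1): "within_5s", (1, 2): "within_5s"}},
]


def find_candidates(event, nodes, edges):
    """Direct matching: test every assignment of log nodes to reference nodes."""
    found = []
    for combo in permutations(nodes, len(event["nodes"])):
        attrs_ok = all(
            all(nodes[n].get(k) == v for k, v in want.items())
            for n, want in zip(combo, event["nodes"])
        )
        edges_ok = all(
            edges.get((combo[i], combo[j])) == label
            for (i, j), label in event["edges"].items()
        )
        if attrs_ok and edges_ok:
            found.append(list(combo))
    return found


def normalise_and_dedup(candidates, claimed=None):
    """Sort inside each set, sort the list of sets, drop sets that reuse a node.

    Assumption: a node counts as "already appeared" only if the list that
    contained it was retained. `claimed` carries nodes used by earlier events.
    """
    claimed = set() if claimed is None else claimed
    ordered = sorted(sorted(c) for c in candidates)
    kept = []
    for node_set in ordered:
        if claimed.isdisjoint(node_set):
            kept.append(node_set)
            claimed.update(node_set)
    return kept


def detect_events(reference_events, nodes, edges):
    """Match events in priority order so each log node joins one target set."""
    claimed, hits = set(), []
    for event in sorted(reference_events, key=lambda e: -e["priority"]):
        candidates = find_candidates(event, nodes, edges)
        for node_set in normalise_and_dedup(candidates, claimed):
            hits.append((event["name"], node_set))
    return hits


if __name__ == "__main__":
    for name, node_set in detect_events(REFERENCE_EVENTS, LOG_NODES, LOG_EDGES):
        print(name, node_set)
```

Breaker 20 is taken by the higher-ranked fault event, so the lower-ranked event can only be instantiated with breaker 27.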
Optionally, in this embodiment, the idea of the central point method is to reduce the query range, save a single query constraint, and avoid excessively low query performance. FIG. 3 is a flowchart of an alternative implementation of the central point method according to an embodiment of the present application. As shown in FIG. 3:
S301, taking the association relationships between nodes in the map as edges, and defining a center point among the initial nodes according to the number of sources in the relationships.
S302, searching for center points that meet the conditions, using the attribute information of the center point and its other one-degree relations as constraints (to improve efficiency, at most 10 edges starting from the center point may be selected arbitrarily).
S303, judging whether there is a center point that satisfies the point-edge relation, where the center point appears in the existing rule's reference node set; if such a center point exists, executing step S304, and if not, executing step S308.
S304, composing the first-degree query and path from the center point ID and the other edges; if the center point is on the source, this indicates that a second-degree relation is contained whose starting point is among the first-degree end points of the center point, and the second-degree query is assembled and combined to obtain the target node set satisfying the rule.
S305, judging whether the value of each edge in the target node set is completely consistent with the value of the edge in the rule file; if so, executing step S306, and if not, executing step S307.
S306, saving the node ID and the rule number according to a specific format, and adding the entity ID to the list for the next round of the loop.
S307, checking whether the reference nodes are completely matched: according to the number n of reference nodes, query results composed of n nodes are taken from the target node set in ID order and compared with the rule.
S308, center points that do not satisfy the point-edge relation are not considered.
Through the above steps, the reference nodes and the second association relationships in the third event map are calculated, and different query methods are adopted according to the calculation results, which improves the accuracy of the query.
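One possible reading of steps S301 to S304, as an added example that is not code from the patent: the rule, node kinds and edge labels are constructed, and taking the center point to be the reference node that is most often the source of a relation is an assumption.

```python
from collections import Counter

MAX_CENTER_EDGES = 10  # S302: at most 10 edges from the center point are used

# Constructed log map: node attributes and (source, target, label) edges.
NODES = {
    1: {"kind": "protection"}, 2: {"kind": "breaker"}, 3: {"kind": "alarm"},
    4: {"kind": "reclose"}, 5: {"kind": "protection"}, 6: {"kind": "breaker"},
    7: {"kind": "breaker"},
}
EDGES = [
    (1, 2, "trips"), (1, 3, "raises"), (2, 4, "followed_by"),
    (5, 6, "trips"),        # protection 5 never raises an alarm
    (7, 4, "followed_by"),  # breaker 7 is not tripped by any protection
]
# Hypothetical rule: reference nodes plus (source, target, label) relations.
RULE = {
    "nodes": {"p": {"kind": "protection"}, "b": {"kind": "breaker"},
              "a": {"kind": "alarm"}, "r": {"kind": "reclose"}},
    "edges": [("b", "r", "followed_by"), ("p", "b", "trips"), ("p", "a", "raises")],
}


def attrs_match(have, want):
    return all(have.get(k) == v for k, v in want.items())


def outgoing(edges):
    """Index edges by source: node id -> [(label, target id), ...]."""
    out = {}
    for src, dst, label in edges:
        out.setdefault(src, []).append((label, dst))
    return out


def pick_center(rule):
    """Assumed reading of S301: the reference node with the most outgoing edges."""
    return Counter(src for src, _, _ in rule["edges"]).most_common(1)[0][0]


def center_candidates(rule, nodes, edges):
    """S302/S303: log nodes matching the center's attributes and one-degree edges."""
    center, out = pick_center(rule), outgoing(edges)
    first_degree = [e for e in rule["edges"] if e[0] == center][:MAX_CENTER_EDGES]
    hits = []
    for node_id, attrs in nodes.items():
        if not attrs_match(attrs, rule["nodes"][center]):
            continue
        if all(any(lab == label and attrs_match(nodes[dst], rule["nodes"][ref])
                   for lab, dst in out.get(node_id, []))
               for _, ref, label in first_degree):
            hits.append(node_id)
    return hits


def match_from_center(rule, nodes, edges):
    """S304: bind the one-degree edges of each center, then second-degree edges."""
    center, out = pick_center(rule), outgoing(edges)
    # One-degree edges first; second-degree edges start at a first-degree end point.
    plan = sorted(rule["edges"], key=lambda e: e[0] != center)

    def extend(binding, remaining):
        if not remaining:
            yield dict(binding)
            return
        src, dst, label = remaining[0]
        if src not in binding:
            return  # rule shape outside the one/two-degree assumption
        for lab, target in out.get(binding[src], []):
            if lab != label or not attrs_match(nodes[target], rule["nodes"][dst]):
                continue
            if binding.get(dst, target) != target:
                continue  # reference node already bound to another log node
            if dst not in binding and target in binding.values():
                continue  # a log node may play only one role
            yield from extend({**binding, dst: target}, remaining[1:])

    results = []
    for center_id in center_candidates(rule, nodes, edges):
        results.extend(extend({center: center_id}, plan))
    return results


if __name__ == "__main__":
    print(pick_center(RULE), center_candidates(RULE, NODES, EDGES))
    print(match_from_center(RULE, NODES, EDGES))
```

Only protection node 1 survives the center-point filter, so the second-degree query is assembled for a single starting point instead of for every combination of log nodes.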
As an optional embodiment, searching the corresponding target node set in the log map based on the target query instruction includes:
S51, searching a corresponding core node set in the log map based on the target query instruction, wherein the core node set is a node set forming a basic feature set of an event, the core node set comprises a plurality of core nodes, and a third association relationship is formed among the core nodes;
S52, determining the core node set as the target node set.
Optionally, in this embodiment, the event is composed of event features, the event feature types are divided into basic features, accompanying features, and the like, and a node covered by a feature type of a non-accompanying feature is a core node, and a node covered by an accompanying feature is an accompanying node.
Alternatively, in the present embodiment, the number of core nodes included in the core node set may include, but is not limited to, 2, 3, 5, 10, and the like.
As an alternative embodiment, after determining the set of core nodes as the set of target nodes, the method further comprises at least one of:
S61, searching a corresponding accompanying node set in the log map based on the target query instruction, and supplementing the accompanying node set to the target node set to obtain the supplemented target node set, wherein the accompanying node set is the node set that constitutes the accompanying features of an event;
S62, searching a corresponding target supplementary node set in the log map based on the target query instruction, and supplementing the target supplementary node set to the target node set to obtain the supplemented target node set, wherein the target supplementary node set comprises node sets of remote signaling signals.
Optionally, in this embodiment, the accompanying nodes and the supplemental nodes are optional items in event matching. If an event has an accompanying node set and a supplemental node set, the two sets may together form a target node set. When the target event corresponding to the target node set is determined according to the core node set, the accompanying node set and the supplemental node set, different weight values may be given to the three sets; for example, since the core signals correspond to the basic features of the event, the weight value of the core node set is greater than the weight value of the accompanying node set and the weight value of the supplemental node set.
Optionally, in this embodiment, all accompanying nodes that satisfy the attribute constraints are found according to the attribute information of each accompanying node. Each accompanying node is then judged: if it satisfies a certain group of instantiated events N in the instantiated event result M, the accompanying node is expanded into N, and the new N is set as the Value corresponding to the original Key, so that the next expansion and the returned result are based on the new N. This completes the accompanying-node supplement of the core node set under one rule and yields a new signal list for the instantiated event.
Optionally, in this embodiment, the step of adding the supplemental node set to the target node set is similar to the step of adding the accompanying node set to the target node set: the temporal and spatial constraints between nodes are applied and, if they are satisfied, the nodes are added to the target node set.
Fig. 4 is a flow diagram of an alternative target node set lookup according to an embodiment of the application. As shown in Fig. 4:
S401, collecting alarm signal data over a period of time, and sorting the alarm signal data into a log map according to a map stream, wherein the log map comprises nodes (generated according to the entity information of the entities that generate alarm signals) and the association relations among the nodes.
S402, the core idea of turning alarm signals into events is to find, among a plurality of alarm signals, a signal set that meets an event rule. This is done by traversing each event rule and searching whether a reference event map meeting the rule exists in the sub-map set, so the generated log map needs to be loaded into the sub-map set.
S403, sorting the reference event maps according to the event attribute information corresponding to the reference event maps and the event levels; for example, events with higher-ranked levels need to be matched first.
S404, screening out reference event maps which do not necessarily meet the log map according to the time constraint and the space constraint of the nodes, and obtaining the screened reference event maps.
S405, matching the screened reference event maps against the log map one by one in the sorted order, so as to find a target map contained in the log map.
S406, there are a large number of rules whose node attributes are null (i.e. the node attributes are not constrained), so the same signal point often satisfies multiple events, which is obviously contrary to reality. The signal points therefore need to be de-duplicated: if a signal point satisfies an earlier rule, its appearance in subsequent rules is deleted.
S407, the same event often comprises a plurality of signal nodes and the association relations among them, so the core signal sets of the same event under different rules are merged first. If all nodes of two core node sets, once fused together, still meet the condition that the time between any two nodes does not exceed the time constraint corresponding to the event, the two sets are matched together; otherwise the operation is not performed.
S408, in addition to the necessary core nodes, an event rule also contains accompanying nodes. In the event recognition process these nodes belong to or are related to the event; their constraint relations are not necessary for rule matching, but if accompanying nodes occur, they can be supplemented alongside the core node set.
S409, after the core node set and the accompanying node set are fused, some remaining nodes may still fall within the time range of the fused node set; if these nodes are protection-signal nodes, they are added to the target node set, which improves the completeness of the node set.
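An added illustration of the S403 to S408 flow, not code from the patent: rules are tried in level order, a rule with no candidate signals is skipped (one reading of the S404 screening), each alarm signal is claimed by at most one event, and accompanying signals are attached when they fall inside the event's time window. The signal kinds, field names, rule names and sample data are constructed for this example; the S407 fusion and the S409 protection-signal supplement are left out.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Signal:
    """One log-map node: an alarm signal (constructed schema)."""
    id: str
    kind: str
    t: float  # seconds since the start of the collection window


@dataclass(frozen=True)
class Rule:
    """One reference event map (constructed schema)."""
    name: str
    level: int        # smaller value is matched first (S403)
    core: tuple       # signal kinds that must all be present
    edges: tuple      # index pairs into `core` that must be associated
    accompany: tuple  # optional kinds, attached when they occur (S408)
    window: float     # max seconds between any two nodes of one event


def within(nodes, window):
    """True if every pair of nodes is at most `window` seconds apart."""
    times = [n.t for n in nodes]
    return max(times) - min(times) <= window


def match_events(signals, links, rules):
    """Return [(rule name, sorted node ids)]; a signal joins one event only."""
    linked = {frozenset(p) for p in links}
    used, events = set(), []
    for rule in sorted(rules, key=lambda r: r.level):              # S403
        while True:
            free = [s for s in signals if s.id not in used]        # S406 de-dup
            pools = [[s for s in free if s.kind == k] for k in rule.core]
            if any(not p for p in pools):                          # S404 screen
                break
            hit = None
            for combo in product(*pools):                          # S405 match
                if len({s.id for s in combo}) < len(combo):
                    continue
                if not within(combo, rule.window):
                    continue
                if all(frozenset((combo[i].id, combo[j].id)) in linked
                       for i, j in rule.edges):
                    hit = list(combo)
                    break
            if hit is None:
                break
            core_ids = {s.id for s in hit}
            for s in free:                                         # S408
                if (s.id not in core_ids and s.kind in rule.accompany
                        and within(hit + [s], rule.window)):
                    hit.append(s)
            used.update(s.id for s in hit)
            events.append((rule.name, sorted(s.id for s in hit)))
    return events


# Constructed sample data: seven alarm signals and two association relations.
SIGNALS = [
    Signal("a1", "breaker_trip", 0.0), Signal("a2", "protection_act", 1.5),
    Signal("a3", "reclose_fail", 3.0), Signal("a4", "breaker_trip", 100.0),
    Signal("a5", "protection_act", 101.0), Signal("a6", "comm_loss", 50.0),
    Signal("a7", "protection_act", 400.0),
]
LINKS = [("a1", "a2"), ("a4", "a5")]
RULES = [  # deliberately not in level order
    Rule("breaker_operation", 2, ("breaker_trip",), (), (), 5.0),
    Rule("comm_outage", 3, ("comm_loss", "channel_alarm"), ((0, 1),), (), 5.0),
    Rule("line_fault_trip", 1, ("protection_act", "breaker_trip"),
         ((0, 1),), ("reclose_fail",), 5.0),
]

if __name__ == "__main__":
    for name, ids in match_events(SIGNALS, LINKS, RULES):
        print(name, ids)
```

The unconstrained `breaker_operation` rule matches both breaker trips when run alone, but produces nothing here because the higher-level rule has already claimed them.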
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) comprising several instructions for causing an electronic device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present application.
According to another aspect of the embodiment of the present application, there is also provided a target event determining apparatus for implementing the above-mentioned target event determining method. FIG. 5 is a schematic diagram of an alternative target event determination apparatus according to an embodiment of the present application, as shown in FIG. 5, the apparatus may include:
an obtaining module 52, configured to obtain a log map of target log data, where the log map includes a first event map included in the log data, the first event map includes a plurality of initial nodes, and a first association relationship is provided between a plurality of the initial nodes;
a first searching module 54, configured to search a target map in the log map based on a sub-map set, where the sub-map set stores a second event map corresponding to a reference event, and the second event map includes a plurality of reference nodes, and a second association relationship is provided between a plurality of the reference nodes;
the determining module 56 is configured to determine that the reference event corresponding to the target map is a target event included in the target log data.
It should be noted that, the acquiring module 52 in this embodiment may be used to perform step S202 in the embodiment of the present application, the first searching module 54 in this embodiment may be used to perform step S204 in the embodiment of the present application, and the determining module 56 in this embodiment may be used to perform step S206 in the embodiment of the present application.
It should be noted that the examples and application scenarios implemented by the above modules are the same as those of the corresponding steps, but are not limited to what is disclosed in the above embodiments. It should be noted that the above modules may be implemented in software or hardware as a part of the apparatus in the hardware environment shown in fig. 1.
By means of the above modules, the technical problem that the efficiency of determining the target event contained in the log data is low can be solved, and the technical effect of improving the efficiency of determining the target event contained in the log data is achieved.
Optionally, the first search module includes: the searching unit is used for searching a corresponding target node set in the log map based on the second event map in the sub-map set, wherein the target node set comprises a plurality of target nodes, a third association relation is arranged between the target nodes, the target nodes and the reference nodes in the second event map meet a first matching relation, and the third association relation and the second association relation in the second event map meet a second matching relation; a determining unit configured to determine the second event map as the target map corresponding to the target node set in the log map.
Optionally, the search unit is configured to: determining event information corresponding to the second event map based on the reference node in the second event map and the second association relation; ranking the second event map in the sub-map set based on the event information; screening the ranked second event map to obtain a screened third event map; and searching the corresponding target node set in the log map based on the third event map, wherein one initial node contained in the log map only belongs to one target node set.
Optionally, the search unit is configured to: acquiring the reference node of the third event map and the second association information; generating a target query instruction according to the reference node and the second association information; and searching the corresponding target node set in the log map based on the target query instruction.
Optionally, the search unit is configured to: performing target calculation on the reference node and the second associated information to obtain a node calculation value; generating a first target query instruction under the condition that the node calculation value is larger than a set threshold value, wherein the first target query instruction is used for indicating to query the target node set in the log map by using a central point method; and generating a second target query instruction under the condition that the node calculation value is smaller than the set threshold value, wherein the second target query instruction is used for indicating that the target node set is queried in the log map by using a direct matching method.
Optionally, the search unit is configured to: searching a corresponding core node set in the log map based on the target query instruction, wherein the core node set is a node set forming a basic feature set of an event, the core node set comprises a plurality of core nodes, and a third association relationship exists among the core nodes; the set of core nodes is determined as the set of target nodes.
Optionally, the apparatus further comprises at least one of: the supplementing module is used for searching a corresponding accompanying node set in the log map based on the target query instruction after the core node set is determined to be the target node set, supplementing the accompanying node set to the target node set to obtain the supplemented target node set, wherein the accompanying node set is the node set that constitutes the accompanying features of an event; and the second searching module is used for searching a corresponding target supplementary node set in the log map based on the target query instruction, and supplementing the target supplementary node set to the target node set to obtain the supplemented target node set, wherein the target supplementary node set comprises node sets of remote signaling signals.
It should be noted that the examples and application scenarios implemented by the above modules are the same as those of the corresponding steps, but are not limited to what is disclosed in the above embodiments. It should be noted that the above modules may be implemented in software or in hardware as part of the apparatus shown in fig. 1, where the hardware environment includes a network environment.
According to another aspect of the embodiment of the present application, there is also provided an electronic device for implementing the method for determining a target event.
Fig. 6 is a block diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 6, the electronic device may include: one or more (only one is shown in the figure) processors 601, memory 603, and transmission means 605, which may also include input output devices 607, as shown in fig. 6.
The memory 603 may be configured to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for determining a target event in the embodiment of the present application, and the processor 601 executes the software programs and modules stored in the memory 603, thereby performing various functional applications and data processing, that is, implementing the method for determining a target event. Memory 603 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory. In some examples, the memory 603 may further include memory remotely located with respect to the processor 601, which may be connected to the electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 605 is used to receive or transmit data via a network, and may also be used for data transmission between the processor and the memory. Specific examples of the network described above may include wired networks and wireless networks. In one example, the transmission device 605 includes a network adapter (Network Interface Controller, NIC) that may be connected to other network devices and routers via a network cable to communicate with the internet or a local area network. In one example, the transmission device 605 is a Radio Frequency (RF) module that is configured to communicate wirelessly with the internet.
In particular, the memory 603 is used to store applications.
The processor 601 may call an application program stored in the memory 603 through the transmission means 605 to perform the steps of: acquiring a log map of target log data, wherein the log map comprises a first event map contained in the log data, the first event map comprises a plurality of initial nodes, and a first association relationship is formed among the plurality of initial nodes; searching a target map in the log map based on a sub-map set, wherein a second event map corresponding to a reference event is stored in the sub-map set, the second event map comprises a plurality of reference nodes, and a second association relationship exists among the plurality of reference nodes; and determining the reference event corresponding to the target map as a target event contained in the target log data.
The embodiment of the application provides a method and a device for determining a target event. According to the method, a corresponding log map is generated from log data according to a second event map formed by reference nodes of existing events and a second association relation between the reference nodes, a target map corresponding to the second event map is searched in the log map by using the second event map of the existing events, and a reference event corresponding to the target map is determined, so that the target event contained in the log data is identified. This achieves the purpose of rapidly and accurately determining the target event contained in the log data, achieves the technical effect of improving the efficiency of determining the target event contained in the log data, and solves the technical problem that the efficiency of determining the target event contained in the log data is low.
Alternatively, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments, which are not repeated here.
It will be appreciated by those skilled in the art that the structure shown in Fig. 6 is merely illustrative, and the electronic device may be a smart phone (such as an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a mobile internet device (Mobile Internet Devices, MID), a PAD, etc. Fig. 6 does not limit the structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in Fig. 6, or have a different configuration than shown in Fig. 6.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the various methods of the above embodiments may be implemented by a program instructing hardware associated with an electronic device; the program may be stored on a computer-readable storage medium, and the storage medium may include: flash disk, Read-Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disk, and the like.
The embodiment of the application also provides a storage medium. Alternatively, in the present embodiment, the above-described storage medium may be used to store program code for executing the determination method of the target event.
Alternatively, in this embodiment, the storage medium may be located on at least one network device of the plurality of network devices in the network shown in the above embodiment.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: acquiring a log map of target log data, wherein the log map comprises a first event map contained in the log data, the first event map comprises a plurality of initial nodes, and a first association relationship is formed among the plurality of initial nodes; searching a target map in the log map based on a sub-map set, wherein a second event map corresponding to a reference event is stored in the sub-map set, the second event map comprises a plurality of reference nodes, and a second association relationship exists among the plurality of reference nodes; and determining the reference event corresponding to the target map as a target event contained in the target log data.
Alternatively, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments, which are not repeated here.
Alternatively, in the present embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The integrated units in the above embodiments may be stored in the above-described computer-readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing one or more computer devices (which may be personal computers, servers or network devices, etc.) to perform all or part of the steps of the method described in the embodiments of the present application.
In the foregoing embodiments of the present application, each embodiment is described with its own emphasis; for a portion that is not described in detail in one embodiment, reference is made to the related descriptions of other embodiments.
In several embodiments provided by the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary; for example, the division of the units is merely a logical function division and may be implemented in another manner: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, and may be in electrical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application, which are intended to be comprehended within the scope of the present application.

Claims (10)

1. A method for determining a target event, comprising:
acquiring a log map of target log data, wherein the log map comprises a first event map contained in the log data, the first event map comprises a plurality of initial nodes, and a first association relationship is formed among the plurality of initial nodes;
searching a target map in the log map based on a sub-map set, wherein a second event map corresponding to a reference event is stored in the sub-map set, the second event map comprises a plurality of reference nodes, and a second association relationship exists among the plurality of reference nodes;
and determining the reference event corresponding to the target map as a target event contained in the target log data.
2. The method of claim 1, wherein searching the target map in the log map based on the sub-map set comprises:
searching a corresponding target node set in the log map based on the second event map in the sub-map set, wherein the target node set comprises a plurality of target nodes, a third association relationship is arranged among the target nodes, the target nodes and the reference node in the second event map meet a first matching relationship, and the third association relationship and the second association relationship in the second event map meet a second matching relationship;
determining the second event map as the target map corresponding to the target node set in the log map.
3. The method of claim 2, wherein searching the corresponding target node set in the log map based on the second event map in the sub-map set comprises:
determining event information corresponding to the second event map based on the reference node in the second event map and the second association relation;
ranking the second event map in the sub-map set based on the event information;
screening the ranked second event map to obtain a screened third event map;
and searching the corresponding target node set in the log map based on the third event map, wherein one initial node contained in the log map only belongs to one target node set.
4. The method of claim 3, wherein searching the corresponding target node set in the log map based on the third event map comprises:
acquiring the reference node of the third event map and the second association information;
generating a target query instruction according to the reference node and the second association information;
and searching the corresponding target node set in the log map based on the target query instruction.
5. The method of claim 4, wherein generating the target query instruction from the reference node and the second association information comprises:
performing target calculation on the reference node and the second associated information to obtain a node calculation value;
generating a first target query instruction under the condition that the node calculation value is larger than a set threshold value, wherein the first target query instruction is used for indicating to query the target node set in the log map by using a central point method;
and generating a second target query instruction under the condition that the node calculation value is smaller than the set threshold value, wherein the second target query instruction is used for indicating that the target node set is queried in the log map by using a direct matching method.
6. The method of claim 4, wherein looking up the corresponding set of target nodes in the log map based on the target query instruction comprises:
searching a corresponding core node set in the log map based on the target query instruction, wherein the core node set is a node set forming a basic feature set of an event, the core node set comprises a plurality of core nodes, and a third association relationship exists among the core nodes;
the set of core nodes is determined as the set of target nodes.
7. The method of claim 6, wherein after determining the set of core nodes as the set of target nodes, the method further comprises at least one of:
searching a corresponding accompanying node set in the log map based on the target query instruction, and supplementing the accompanying node set to the target node set to obtain the supplemented target node set, wherein the accompanying node set is the node set that constitutes the accompanying features of an event;
searching a corresponding target supplementary node set in the log map based on the target query instruction, and supplementing the target supplementary node set to the target node set to obtain the supplemented target node set, wherein the target supplementary node set comprises node sets of remote signaling signals.
8. A target event determining apparatus, comprising:
the acquisition module is used for acquiring a log map of target log data, wherein the log map comprises a first event map contained in the log data, the first event map comprises a plurality of initial nodes, and a first association relationship is formed among the plurality of initial nodes;
the first searching module is used for searching a target map in the log map based on a sub-map set, wherein a second event map corresponding to a reference event is stored in the sub-map set, the second event map comprises a plurality of reference nodes, and a second association relationship is formed among the plurality of reference nodes;
and the determining module is used for determining that the reference event corresponding to the target map is a target event contained in the target log data.
9. A storage medium comprising a stored program, wherein the program when run performs the method of any one of the preceding claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor performs the method of any of the preceding claims 1 to 7 by means of the computer program.
CN202110035249.6A 2021-01-12 2021-01-12 Method and device for determining target event Active CN112784025B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110035249.6A CN112784025B (en) 2021-01-12 2021-01-12 Method and device for determining target event

Publications (2)

Publication Number Publication Date
CN112784025A CN112784025A (en) 2021-05-11
CN112784025B true CN112784025B (en) 2023-08-18

Family

ID=75757086

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110035249.6A Active CN112784025B (en) 2021-01-12 2021-01-12 Method and device for determining target event

Country Status (1)

Country Link
CN (1) CN112784025B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115050085B (en) * 2022-08-15 2022-11-01 珠海翔翼航空技术有限公司 Method, system and equipment for recognizing objects of analog machine management system based on map

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107046550A (en) * 2017-06-14 2017-08-15 微梦创科网络科技(中国)有限公司 A kind of detection method and device of abnormal login behavior
CN109286511A (en) * 2017-07-19 2019-01-29 东软集团股份有限公司 The method and device of data processing
CN110069463A (en) * 2019-03-12 2019-07-30 北京奇艺世纪科技有限公司 User behavior processing method, device electronic equipment and storage medium
CN110213077A (en) * 2019-04-18 2019-09-06 国家电网有限公司 A kind of method, apparatus and system of determining electric power monitoring system security incident
CN110933101A (en) * 2019-12-10 2020-03-27 腾讯科技(深圳)有限公司 Security event log processing method, device and storage medium
CN111177417A (en) * 2020-04-13 2020-05-19 中国人民解放军国防科技大学 Security event correlation method, system and medium based on network security knowledge graph
CN111177405A (en) * 2019-12-18 2020-05-19 深圳壹账通智能科技有限公司 Data search matching method and device, computer equipment and storage medium
CN111224981A (en) * 2019-12-31 2020-06-02 北京天融信网络安全技术有限公司 Data processing method and device, electronic equipment and storage medium
CN112148933A (en) * 2020-10-26 2020-12-29 北京明略软件系统有限公司 Map conversion method and device for rule analysis result of power grid alarm event
CN112149759A (en) * 2020-10-26 2020-12-29 北京明略软件系统有限公司 Event map matching method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on event detection technology for sensor networks based on graph models; 薛晓乐 (Xue Xiaole); 《万方》 (Wanfang); 1-58 *

Also Published As

Publication number Publication date
CN112784025A (en) 2021-05-11

Similar Documents

Publication Publication Date Title
CN111158977B (en) Abnormal event root cause positioning method and device
CN111740868B (en) Alarm data processing method and device and storage medium
CN112953738B (en) Root cause alarm positioning system, method and device and computer equipment
CN109240876A (en) Example monitoring method, computer readable storage medium and terminal device
CN106202126B (en) A kind of data analysing method and device for logistics monitoring
CN111431736A (en) Alarm association rule generation method and device
CN112764920A (en) Edge application deployment method, device, equipment and storage medium
CN114265927A (en) Data query method and device, storage medium and electronic device
CN114327964A (en) Method, device, equipment and storage medium for processing fault reasons of service system
CN112800197A (en) Method and device for determining target fault information
CN111147306B (en) Fault analysis method and device of Internet of things equipment and Internet of things platform
CN112784025B (en) Method and device for determining target event
CN110909129B (en) Abnormal complaint event identification method and device
CN114091610A (en) Intelligent decision method and device
CN110109803B (en) User behavior reporting method and system
CN116668264A (en) Root cause analysis method, device, equipment and storage medium for alarm clustering
Sozuer et al. A new approach for clustering alarm sequences in mobile operators
CN114706893A (en) Fault detection method, device, equipment and storage medium
CN114356712A (en) Data processing method, device, equipment, readable storage medium and program product
CN112328464A (en) Index data storage, correlation analysis method, and computer-readable storage medium
CN113485886B (en) Alarm log processing method and device, storage medium and electronic device
CN113535594B (en) Method, device, equipment and storage medium for generating service scene test case
CN116680303A (en) Data quality detection method and device, electronic equipment and storage medium
CN113448747B (en) Data transmission method, device, computer equipment and storage medium
CN112596936A (en) Method and device for determining system fault reason, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220808

Address after: 100023 03, floors 1-2, building 4, yard 1, Huangchang Nanli, Chaoyang District, Beijing

Applicant after: Beijing Mingyuan Electronics Technology Co.,Ltd.

Address before: 100084 a1002, 10th floor, building 1, yard 1, Zhongguancun East Road, Haidian District, Beijing

Applicant before: MININGLAMP SOFTWARE SYSTEMS Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20230328

Address after: 266399 No.3 Changjiang Road, Jiaozhou Economic and Technological Development Zone, Jiaozhou City, Qingdao City, Shandong Province

Applicant after: Qingdao Mingyue Software Technology Development Co.,Ltd.

Address before: 100023 03, floors 1-2, building 4, yard 1, Huangchang Nanli, Chaoyang District, Beijing

Applicant before: Beijing Mingyuan Electronics Technology Co.,Ltd.

GR01 Patent grant