CN117112371A - Observable full-link log tracking method and system - Google Patents

Observable full-link log tracking method and system Download PDF

Info

Publication number
CN117112371A
CN117112371A CN202311392622.9A CN202311392622A CN117112371A CN 117112371 A CN117112371 A CN 117112371A CN 202311392622 A CN202311392622 A CN 202311392622A CN 117112371 A CN117112371 A CN 117112371A
Authority
CN
China
Prior art keywords
alarm
determining
link
data
analysis
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311392622.9A
Other languages
Chinese (zh)
Other versions
CN117112371B (en
Inventor
林飞
陈敏
朱思雷
陶嘉驹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangyin Consumer Finance Co ltd
Original Assignee
Hangyin Consumer Finance Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangyin Consumer Finance Co ltd filed Critical Hangyin Consumer Finance Co ltd
Priority to CN202311392622.9A priority Critical patent/CN117112371B/en
Publication of CN117112371A publication Critical patent/CN117112371A/en
Application granted granted Critical
Publication of CN117112371B publication Critical patent/CN117112371B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/32Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324Display of status information
    • G06F11/327Alarm or error message display
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/22Matching criteria, e.g. proximity measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Quality & Reliability (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides an observable full-link log tracking method and system, which belong to the technical field of data processing, and specifically comprise the following steps: determining association conditions of different types of alarm data and different link modules according to different types of alarm data of the operation log, and determining association degrees of different link modules and analyzing the link modules based on the association conditions of the different link modules; and determining the full-link analysis block diagram of the alarm data according to the data transmission conditions of different types of alarm data of the operation log when the abnormal condition does not exist in the analysis link module, and analyzing and processing the alarm data according to the full-link analysis block diagram, so that the processing accuracy of the alarm data of the log is further improved.

Description

Observable full-link log tracking method and system
Technical Field
The invention belongs to the technical field of data processing, and particularly relates to an observable full-link log tracking method and system.
Background
With the progressive complexity of the number of modules and the composition architecture of software systems such as a trust system, if the running log of the software system is abnormal, if the whole link cannot be observed according to the abnormal data condition of the running log, the abnormal processing efficiency of the running log will be affected to a certain extent.
In order to realize the full-link observation of the data of the operation log, in the invention patent CN201911242804.1, "a system full-link monitoring method and device", the starting point data amount and the end point data amount of each link are analyzed, and when the processing condition data do not meet the processing reference condition, alarm information is generated, so that the dynamic analysis of different links is realized, but the following technical problems exist:
in the prior art, the difference analysis of different link modules is firstly performed according to the log alarm data, specifically, the log alarm data is often caused by the abnormal data processing of the link modules, so if different log alarm data are associated with the same link module, the possibility of abnormality is greatly enhanced, and if the factors are not considered, the efficiency of abnormality analysis is possibly reduced.
In the prior art, analysis of historical similarity conditions is not performed according to current log alarm data, specifically, when different link modules are abnormal, certain similarity exists between the abnormal types of the log alarm data and the data processing time, so that if similarity analysis cannot be performed according to the abnormal conditions of the current log data, the processing efficiency of the abnormality analysis is reduced.
In order to solve the technical problems, the invention provides an observable full-link log tracking method and system.
Disclosure of Invention
In order to achieve the purpose of the invention, the invention adopts the following technical scheme:
according to one aspect of the present invention, an observable full-link log tracking method is provided.
The method for tracking the observable full-link log is characterized by comprising the following steps of:
s1, determining different types of alarm data of the operation log based on the operation result of the operation log, determining an abnormality degree evaluation value based on the different types of alarm data, and entering the next step when the abnormality degree evaluation value is not in a preset range or the operation time is longer than an analysis period;
s2, carrying out similarity analysis on the alarm data of different types and the historical operation results of the operation log to obtain historical similarity abnormal results, judging whether the times of the historical similarity abnormal results are larger than the preset times, if so, carrying out determination of an analysis link module through the historical similarity analysis results, and entering a step S4, otherwise, entering a next step;
s3, determining association conditions of different types of alarm data and different link modules according to different types of alarm data of the operation log, and determining association degrees of different link modules and analyzing the link modules based on the association conditions of the different link modules;
s4, determining abnormal conditions of different analysis link modules based on the operation data of the analysis link modules, determining a full-link analysis block diagram of the alarm data according to the data transmission conditions of different types of alarm data of the operation log when the analysis link modules have no abnormal conditions, and analyzing and processing the alarm data based on the full-link analysis block diagram.
The invention has the beneficial effects that:
1. by determining the abnormal degree evaluation value based on different types of alarm data, the accurate evaluation of the severity degree of the alarm data of the operation log on the operation reliability of the operation log is realized, and the operation reliability of a software system corresponding to the operation log is ensured.
2. And carrying out similarity analysis on the different types of alarm data and the historical operation results of the operation log to obtain historical similar abnormal results, so that the similarity evaluation of the historical operation results and the current alarm data is realized, and a foundation is laid for the targeted screening of the analysis link module.
3. By determining the association conditions of different types of alarm data and different link modules according to different types of alarm data of the operation log, the difference of the association degrees of the different link modules and the alarm data is considered, the accurate evaluation of the association degrees of the link modules is realized, the reliability of determining the analysis link modules is further ensured, and the analysis efficiency and reliability of the alarm data are further realized.
The further technical scheme is that the alarm data are determined according to the alarm information of the operation log, and particularly according to the data output result of the alarm information of the operation log.
The further technical scheme is that the analysis period is determined according to the data quantity of the operation log of the software system and the number of the users, wherein the larger the data quantity of the operation log of the software system is, the more the number of the users of the software system is, the shorter the analysis period is.
The further technical scheme is that when the association degree of the link module is within a preset association degree interval, the link module is determined to be an analysis link module.
The further technical scheme is that based on the operation data of the analysis link module, the abnormal conditions of different analysis link modules are determined, and the method specifically comprises the following steps:
determining whether abnormal time of the operation data exists according to the operation data of the analysis link module, if so, determining that the analysis link module has abnormal conditions, and determining the association condition of the abnormal operation data of the abnormal time of the operation data of the analysis link module and the alarm data of different types according to the abnormal conditions of the analysis link module.
In a second aspect, the present invention provides an observable full-link log tracking system, and the method for tracking an observable full-link log is characterized by comprising:
the system comprises an operation condition evaluation module, a similarity evaluation module, a relevance evaluation module and an abnormality analysis module;
the operation condition evaluation module is responsible for determining different types of alarm data of the operation log based on the operation result of the operation log, determining an abnormal degree evaluation value based on the different types of alarm data, and entering the next step when the abnormal degree evaluation value is not in a preset range or the operation time is greater than an analysis period;
the similarity evaluation module is responsible for obtaining a historical similar abnormal result through similarity analysis between the different types of alarm data and the historical operation result of the operation log, and judging whether the frequency of the historical similar abnormal result is larger than a preset frequency;
the association degree evaluation module is responsible for determining association conditions of different types of alarm data and different link modules according to different types of alarm data of the operation log, and performing association degrees of different link modules and determining analysis link modules based on the association conditions of the different link modules;
the abnormal analysis module is responsible for determining abnormal conditions of different analysis link modules based on the operation data of the analysis link modules, determining a full-link analysis block diagram of the alarm data according to data transmission conditions of different types of alarm data of the operation log when the abnormal conditions do not exist in the analysis link modules, and analyzing and processing the alarm data based on the full-link analysis block diagram.
Additional features and advantages will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
In order to make the above objects, features and advantages of the present invention more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
The above and other features and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings;
FIG. 1 is a flow chart of an observable full link log tracking method;
FIG. 2 is a flow chart of a method of determining an abnormality degree evaluation value;
FIG. 3 is a flowchart showing specific steps for determining historical similar anomaly results;
FIG. 4 is a flowchart of specific steps of determining the association of link modules;
fig. 5 is a block diagram of an observable full link log tracking system.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present disclosure.
The applicant finds that in the prior art scheme, when the analysis of the alarm data of the operation log is performed, the association condition of different link modules and different alarm data is ignored, and the link modules associated with multiple groups of alarm data exist. The possibility of the existence of the problems is further increased, meanwhile, the similarity of different alarm data and the historical operation data is ignored, and for the similar historical operation data, if the link module to be analyzed is determined in a targeted manner, the analysis efficiency of the alarm data is further increased.
In order to solve the technical problems, the applicant adopts the following technical scheme:
firstly, determining the operation severity through the alarm data of the operation log, specifically determining the operation severity according to the interval where the number of times of the alarm data is located, and entering the next step when the operation severity is higher or the operation time reaches a preset analysis period;
then, according to the similarity between the alarm data of different operation logs and the historical operation data, similar historical abnormal data is determined, specifically, the similarity is evaluated according to the type of the alarm data and the time delay amount of the alarm data of different types from input data to output of the alarm data, when more similar alarm data types exist and the time delay amounts of the alarm data of different types are not different, the similar historical abnormal data is used as the similar historical abnormal data, and the determination of an analysis link module is performed according to the similar historical abnormal data;
determining an analysis link module by the association condition of the alarm data of different operation logs and different link modules, and particularly, if more than three types of operation logs exist and are associated with the link modules, using the alarm data of the operation logs as the analysis link module;
determining whether an abnormality exists according to the analysis condition of the analysis link module, and when the abnormality does not exist, determining a full-link analysis block diagram according to the input data of different alarm data on the transmission paths of different link modules, and analyzing the alarm data through the full-link analysis block diagram.
The following is a detailed description from both the perspective of the method class embodiment and the system class embodiment.
In order to solve the above problem, according to one aspect of the present invention, as shown in fig. 1, there is provided an observable full-link log tracking method, which specifically includes:
s1, determining different types of alarm data of the operation log based on the operation result of the operation log, determining an abnormality degree evaluation value based on the different types of alarm data, and entering the next step when the abnormality degree evaluation value is not in a preset range or the operation time is longer than an analysis period;
it should be noted that, in step S1, the alarm data is determined according to the alarm information of the running log, and specifically, the alarm data is determined according to the data output result of the alarm information of the running log.
In one possible embodiment, as shown in fig. 2, the method for determining the abnormality degree evaluation value in the step S1 is as follows:
s11, determining the alarming times of the running log based on the alarming data, determining whether the abnormal situation of the software system is serious based on the alarming times, if so, determining the abnormal degree evaluation value according to the alarming times, and if not, entering the next step;
s12, judging whether the alarm times of the operation log are smaller than preset alarm times, if so, entering a step S14, and if not, entering a step S13;
s13, determining the number of different types of alarms of the running log based on the type of the alarm data, determining whether an alarm type with the number of alarms being greater than the preset number of alarms exists based on the number of alarms of the different types, if yes, determining the abnormal degree evaluation value through the number of alarms and the number of types with the number of alarms being greater than the preset number of alarms in the alarm type, and if no, entering the next step;
s14, determining the types and the number of the frequent alarm types according to the alarm times of the different types, determining the alarm severity of the running log according to the alarm times and the average alarm times of the frequent alarm types, determining whether the abnormal situation of the software system is serious according to the alarm severity of the running log, if so, determining the abnormal degree evaluation value according to the alarm times, and if not, entering the next step;
in one possible embodiment, the determining of the weights of different frequent alarm types is performed by the alarm times of the frequent alarm types, the determining of the weights and the determining of the weights are performed in combination with the number of the frequent alarm types, and the determining of the alarm severity of the running log is performed by the product of the average alarm times of the frequent alarm types and the weights.
S15, acquiring the number of alarming times and the number of alarming types of the operation log, and determining an abnormal degree evaluation value by combining the alarming severity of the operation log.
In one possible embodiment, the determination of the other abnormality degree evaluation value is performed by the number of alarms of the running log and the achievement of the number of alarm types, and the determination of the abnormality severity evaluation value is performed by the difference between the preset value and the product of the inverse of the alarm severity of the running log and the inverse of the other abnormality severity.
It can be appreciated that when the number of alarms of the alarm type is not within the preset alarm number range, the alarm type is determined to be a frequent alarm type.
In another possible embodiment, the method for determining the abnormality degree evaluation value in the step S1 is as follows:
determining the alarm times of the operation log based on the alarm data, and when the alarm times of the operation log are smaller than preset alarm times:
and determining the types and the quantity of the frequent alarm types according to the alarm times of the different types, determining the alarm severity of the running log according to the alarm times and the average alarm times of the frequent alarm types, acquiring the alarm times and the quantity of the alarm types of the running log, and determining the abnormality degree evaluation value according to the alarm severity of the running log.
When the alarm times of the operation log are not less than the preset alarm times:
and determining the number of frequent alarm types according to the alarm times of the different types, and determining the abnormality degree evaluation value according to the alarm times, the number of frequent alarm types and the alarm times.
Further, the analysis period is determined according to the data amount of the operation log of the software system and the number of the users, wherein the larger the data amount of the operation log of the software system is, the more the number of the users of the software system is, the shorter the analysis period is.
In the embodiment, by determining the abnormal degree evaluation value based on different types of alarm data, the accurate evaluation of the severity of the alarm data of the operation log on the operation reliability of the operation log is realized, and the operation reliability of the software system corresponding to the operation log is ensured.
S2, carrying out similarity analysis on the alarm data of different types and the historical operation results of the operation log to obtain historical similarity abnormal results, judging whether the times of the historical similarity abnormal results are larger than the preset times, if so, carrying out determination of an analysis link module through the historical similarity analysis results, and entering a step S4, otherwise, entering a next step;
in one possible embodiment, as shown in fig. 3, the specific steps of determining the historical similar abnormal result in the step S2 are:
s21, determining whether a historical operation result consistent with the type of the alarm data exists or not according to the alarm data of different types and the historical operation result of the operation log, if so, setting the similarity of the historical operation result to be 1, taking the historical operation result as a historical similar abnormal result, and if not, entering the next step;
s22, determining whether the historical operation result is a screening operation result or not according to the same number of the types of the historical alarm data of the historical operation result of the operation log and the types of the alarm data, if so, entering a step S23, and if not, determining that the historical operation result does not belong to a historical similar abnormal result;
s23, determining alarm data processing time of different types of historical alarm data based on the types of the historical alarm data of the screening operation results, determining time deviation amounts of the historical alarm data and the alarm data of the same type based on the alarm data processing time, determining similar historical alarm data through the time deviation amounts, determining whether the similarity of the screening operation results meets requirements or not according to the number of the similar historical alarm data of the screening operation results, if yes, entering the next step, and if no, determining that the historical operation results do not belong to the historical similar abnormal results;
s24, carrying out similarity between the screening operation result and the alarm data of different types according to the number and time deviation amount of the similar historical alarm data of the screening operation result, the same number and time deviation amount of the type of the historical alarm data and the type of the alarm data, and determining the historical similar abnormal result based on the similarity.
Further, the alarm data processing time is determined according to the time difference between the output result of the alarm data and the input data corresponding to the alarm data.
In another possible embodiment, the specific steps of determining the historical similar abnormal result in the step S2 are:
determining the same number of the types of the historical alarm data of the historical operation result of the operation log and the types of the alarm data according to the different types of the alarm data and the historical operation result of the operation log;
evaluating initial similarity of the historical operation result and the alarm data according to the same number of the types of the historical alarm data and the types of the alarm data of the historical operation result of the operation log and the proportion of the number of the types of the alarm data;
determining alarm data processing time of different types of historical alarm data based on the types of the historical alarm data of the screening operation result, determining time deviation amounts of the historical alarm data and the alarm data of the same type based on the alarm data processing time, and determining similar historical alarm data through the time deviation amounts;
when the initial similarity between the historical operation result and the alarm data is within a preset similarity range:
determining the similarity between the historical operation result and the type of alarm data based on the number of similar historical alarm data, and determining that the historical operation result is a historical similar abnormal result;
when the initial similarity between the historical operation result and the alarm data is not within a preset similarity range:
and carrying out similarity between the screening operation result and the alarm data of different types according to the quantity and time deviation amount of the similar historical alarm data of the screening operation result, the same quantity and time deviation amount of the type of the historical alarm data and the type of the alarm data, and determining the historical similar abnormal result based on the similarity.
In this embodiment, the historical similar abnormal result is obtained by performing similarity analysis on the different types of alarm data and the historical operation result of the operation log, so that the similarity evaluation of the historical operation result and the current alarm data is realized, and a foundation is laid for the targeted screening of the analysis link module.
S3, determining association conditions of different types of alarm data and different link modules according to different types of alarm data of the operation log, and determining association degrees of different link modules and analyzing the link modules based on the association conditions of the different link modules;
in one possible embodiment, as shown in fig. 4, the specific steps of determining the association degree of the link module in the step S3 are as follows:
determining the associated alarm types of the link modules and the alarm data of different types based on the association conditions of the different link modules, judging whether the number of the associated alarm types is larger than the number of preset alarm types, if so, entering the next step, and if not, determining that the link modules do not belong to an analysis link module;
determining a core alarm type according to the alarm times of the associated alarm types, judging whether the number of the core alarm types meets the requirement, if so, determining the link module as an analysis link module, determining the association degree of the link module through the number of the core alarm types, and if not, entering the next step;
determining weight values of different associated alarm types according to the alarm times of the associated alarm types, determining the weight sum of the associated alarm types of the link module according to the number of the associated alarm types and the weight values, determining whether the link module is an analysis link module or not according to the weight sum, if yes, determining that the link module is an analysis link module, and determining the association degree of the link module according to the weight sum of the associated alarm types of the link module, if not, entering the next step;
and determining the association degree of the link module through the number of the associated alarm types, the number of the core alarm types and the weight of the associated alarm types of the link module.
Further, when the association degree of the link module is within a preset association degree interval, determining that the link module is an analysis link module.
In this embodiment, the association conditions of the different types of alarm data and the different link modules are determined according to the different types of alarm data of the running log, so that the difference of the association degrees of the different link modules and the alarm data is considered, the accurate evaluation of the association degrees of the link modules is realized, the reliability of determining the analysis link modules is further ensured, and the efficiency and the reliability of analyzing the alarm data are further realized.
S4, determining abnormal conditions of different analysis link modules based on the operation data of the analysis link modules, determining a full-link analysis block diagram of the alarm data according to the data transmission conditions of different types of alarm data of the operation log when the analysis link modules have no abnormal conditions, and analyzing and processing the alarm data based on the full-link analysis block diagram.
In one possible embodiment, the determining of the abnormal situation of the different analysis link module in the step S4 based on the operation data of the analysis link module specifically includes:
determining whether abnormal time of the operation data exists according to the operation data of the analysis link module, if so, determining that the analysis link module has abnormal conditions, and determining the association condition of the abnormal operation data of the abnormal time of the operation data of the analysis link module and the alarm data of different types according to the abnormal conditions of the analysis link module.
On the other hand, as shown in fig. 5, the present invention provides an observable full-link log tracking system, and the method for tracking the observable full-link log is characterized by comprising:
the system comprises an operation condition evaluation module, a similarity evaluation module, a relevance evaluation module and an abnormality analysis module;
the operation condition evaluation module is responsible for determining different types of alarm data of the operation log based on the operation result of the operation log, determining an abnormal degree evaluation value based on the different types of alarm data, and entering the next step when the abnormal degree evaluation value is not in a preset range or the operation time is greater than an analysis period;
the similarity evaluation module is responsible for obtaining a historical similar abnormal result through similarity analysis between the different types of alarm data and the historical operation result of the operation log, and judging whether the frequency of the historical similar abnormal result is larger than a preset frequency;
the association degree evaluation module is responsible for determining association conditions of different types of alarm data and different link modules according to different types of alarm data of the operation log, and performing association degrees of different link modules and determining analysis link modules based on the association conditions of the different link modules;
the abnormal analysis module is responsible for determining abnormal conditions of different analysis link modules based on the operation data of the analysis link modules, determining a full-link analysis block diagram of the alarm data according to data transmission conditions of different types of alarm data of the operation log when the abnormal conditions do not exist in the analysis link modules, and analyzing and processing the alarm data based on the full-link analysis block diagram.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for apparatus, devices, non-volatile computer storage medium embodiments, the description is relatively simple, as it is substantially similar to method embodiments, with reference to the section of the method embodiments being relevant.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The foregoing is merely one or more embodiments of the present description and is not intended to limit the present description. Various modifications and alterations to one or more embodiments of this description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principles of one or more embodiments of the present description, is intended to be included within the scope of the claims of the present description.

Claims (11)

1. The method for tracking the observable full-link log is characterized by comprising the following steps of:
s1, determining different types of alarm data of the operation log based on the operation result of the operation log, determining an abnormality degree evaluation value based on the different types of alarm data, and entering the next step when the abnormality degree evaluation value is not in a preset range or the operation time is longer than an analysis period;
s2, carrying out similarity analysis on the alarm data of different types and the historical operation results of the operation log to obtain historical similar abnormal results, judging whether the times of the historical similar abnormal results are larger than the preset times, if so, determining an analysis link module through the historical similar analysis results, and entering a step S4, otherwise, entering a next step;
s3, determining association conditions of different types of alarm data and different link modules according to different types of alarm data of the operation log, and determining association degrees of different link modules and analyzing the link modules based on the association conditions of the different link modules;
s4, determining abnormal conditions of different analysis link modules based on the operation data of the analysis link modules, determining a full-link analysis block diagram of the alarm data according to the data transmission conditions of different types of alarm data of the operation log when the analysis link modules have no abnormal conditions, and analyzing and processing the alarm data based on the full-link analysis block diagram.
2. The method for tracking the observable full-link log according to claim 1, wherein the alarm data is determined according to the alarm information of the running log, and specifically, according to the data output result of the alarm information of the running log.
3. The method for tracking an observable full-link log according to claim 1, wherein the determining the abnormality degree evaluation value is:
s11, determining the alarming times of the running log based on the alarming data, determining whether the abnormal situation of the software system is serious based on the alarming times, if so, determining the abnormal degree evaluation value according to the alarming times, and if not, entering the next step;
s12, judging whether the alarm times of the operation log are smaller than preset alarm times, if so, entering a step S14, and if not, entering a step S13;
s13, determining the number of different types of alarms of the running log based on the type of the alarm data, determining whether an alarm type with the number of alarms being greater than the preset number of alarms exists based on the number of alarms of the different types, if yes, determining the abnormal degree evaluation value through the number of alarms and the number of types with the number of alarms being greater than the preset number of alarms in the alarm type, and if no, entering the next step;
s14, determining the types and the number of the frequent alarm types according to the alarm times of the different types, determining the alarm severity of the running log according to the alarm times and the average alarm times of the frequent alarm types, determining whether the abnormal situation of the software system is serious according to the alarm severity of the running log, if so, determining the abnormal degree evaluation value according to the alarm times, and if not, entering the next step;
s15, acquiring the number of alarming times and the number of alarming types of the operation log, and determining an abnormal degree evaluation value by combining the alarming severity of the operation log.
4. The method of claim 1, wherein when the number of alarms of the alarm type is not within a preset alarm number range, the alarm type is determined to be a frequent alarm type.
5. The method of claim 1, wherein the analysis period is determined according to the data amount of the operation log of the software system and the number of users, and wherein the larger the data amount of the operation log of the software system is, the more the number of users of the software system is, the shorter the analysis period is.
6. The method for tracking an observable full-link log of claim 1, characterized by the specific steps of determining said historical similar anomaly results are:
s21, determining whether a historical operation result consistent with the type of the alarm data exists or not according to the alarm data of different types and the historical operation result of the operation log, if so, setting the similarity of the historical operation result to be 1, taking the historical operation result as a historical similar abnormal result, and if not, entering the next step;
s22, determining whether the historical operation result is a screening operation result or not according to the same number of the types of the historical alarm data of the historical operation result of the operation log and the types of the alarm data, if so, entering a step S23, and if not, determining that the historical operation result does not belong to a historical similar abnormal result;
s23, determining alarm data processing time of different types of historical alarm data based on the types of the historical alarm data of the screening operation results, determining time deviation amounts of the historical alarm data and the alarm data of the same type based on the alarm data processing time, determining similar historical alarm data through the time deviation amounts, determining whether the similarity of the screening operation results meets requirements or not according to the number of the similar historical alarm data of the screening operation results, if yes, entering the next step, and if no, determining that the historical operation results do not belong to the historical similar abnormal results;
s24, carrying out similarity between the screening operation result and the alarm data of different types according to the number and time deviation amount of the similar historical alarm data of the screening operation result, the same number and time deviation amount of the type of the historical alarm data and the type of the alarm data, and determining the historical similar abnormal result based on the similarity.
7. The method of claim 6, wherein the alarm data processing time is determined according to a time difference between an output result of the alarm data and input data corresponding to the alarm data.
8. The method for tracking the observable full-link log according to claim 1, wherein the specific steps of determining the association degree of the link module are as follows:
determining the associated alarm types of the link modules and the alarm data of different types based on the association conditions of the different link modules, judging whether the number of the associated alarm types is larger than the number of preset alarm types, if so, entering the next step, and if not, determining that the link modules do not belong to an analysis link module;
determining a core alarm type according to the alarm times of the associated alarm types, judging whether the number of the core alarm types meets the requirement, if so, determining the link module as an analysis link module, determining the association degree of the link module through the number of the core alarm types, and if not, entering the next step;
determining weight values of different associated alarm types according to the alarm times of the associated alarm types, determining the weight sum of the associated alarm types of the link module according to the number of the associated alarm types and the weight values, determining whether the link module is an analysis link module or not according to the weight sum, if yes, determining that the link module is an analysis link module, and determining the association degree of the link module according to the weight sum of the associated alarm types of the link module, if not, entering the next step;
and determining the association degree of the link module through the number of the associated alarm types, the number of the core alarm types and the weight of the associated alarm types of the link module.
9. The method of claim 1, wherein when the association of the link module is within a predetermined association interval, determining the link module as an analysis link module.
10. The method for tracking the observable full-link log according to claim 1, wherein the determining of the abnormal condition of the different analysis link modules based on the operation data of the analysis link modules specifically comprises:
determining whether abnormal time of the operation data exists according to the operation data of the analysis link module, if so, determining that the analysis link module has abnormal conditions, and determining the association condition of the abnormal operation data of the abnormal time of the operation data of the analysis link module and the alarm data of different types according to the abnormal conditions of the analysis link module.
11. An observable full-link log tracking system, adopting an observable full-link log tracking method according to any one of claims 1-10, characterized in that it specifically comprises:
the system comprises an operation condition evaluation module, a similarity evaluation module, a relevance evaluation module and an abnormality analysis module;
the operation condition evaluation module is responsible for determining different types of alarm data of the operation log based on the operation result of the operation log, determining an abnormal degree evaluation value based on the different types of alarm data, and entering the next step when the abnormal degree evaluation value is not in a preset range or the operation time is greater than an analysis period;
the similarity evaluation module is responsible for obtaining a historical similar abnormal result through similarity analysis between the different types of alarm data and the historical operation result of the operation log, and judging whether the frequency of the historical similar abnormal result is larger than a preset frequency;
the association degree evaluation module is responsible for determining association conditions of different types of alarm data and different link modules according to different types of alarm data of the operation log, and performing association degrees of different link modules and determining analysis link modules based on the association conditions of the different link modules;
the abnormal analysis module is responsible for determining abnormal conditions of different analysis link modules based on the operation data of the analysis link modules, determining a full-link analysis block diagram of the alarm data according to data transmission conditions of different types of alarm data of the operation log when the abnormal conditions do not exist in the analysis link modules, and analyzing and processing the alarm data based on the full-link analysis block diagram.
CN202311392622.9A 2023-10-25 2023-10-25 Observable full-link log tracking method and system Active CN117112371B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311392622.9A CN117112371B (en) 2023-10-25 2023-10-25 Observable full-link log tracking method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311392622.9A CN117112371B (en) 2023-10-25 2023-10-25 Observable full-link log tracking method and system

Publications (2)

Publication Number Publication Date
CN117112371A true CN117112371A (en) 2023-11-24
CN117112371B CN117112371B (en) 2024-01-26

Family

ID=88807808

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311392622.9A Active CN117112371B (en) 2023-10-25 2023-10-25 Observable full-link log tracking method and system

Country Status (1)

Country Link
CN (1) CN117112371B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117648213A (en) * 2024-01-30 2024-03-05 杭银消费金融股份有限公司 Data transmission path model building method and system

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991339A (en) * 2015-03-05 2016-10-05 腾讯科技(深圳)有限公司 Alarm source positioning method and device
CN110830438A (en) * 2019-09-25 2020-02-21 杭州优行科技有限公司 Abnormal log warning method and device and electronic equipment
CN113312241A (en) * 2021-06-29 2021-08-27 中国农业银行股份有限公司 Abnormal alarm method, access log generation method and operation and maintenance system
CN114116396A (en) * 2021-11-29 2022-03-01 重庆富民银行股份有限公司 Full link tracking method, system, storage medium and equipment
CN114189430A (en) * 2021-12-09 2022-03-15 兴业银行股份有限公司 Three-dimensional log full-link monitoring system, method, medium and equipment
WO2022111659A1 (en) * 2020-11-30 2022-06-02 中兴通讯股份有限公司 Warning method, apparatus and device, and storage medium
CN114615018A (en) * 2022-02-15 2022-06-10 北京云集智造科技有限公司 Abnormity detection method for financial transaction full link log
CN115437870A (en) * 2021-06-01 2022-12-06 平安证券股份有限公司 Monitoring method and device for business process data, computer equipment and storage medium
WO2022257423A1 (en) * 2021-06-08 2022-12-15 天翼云科技有限公司 Warning information association method and apparatus, and electronic device and readable storage medium
CN116881100A (en) * 2023-06-26 2023-10-13 人保信息科技有限公司 Log detection method, log alarm method, system, equipment and storage medium

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991339A (en) * 2015-03-05 2016-10-05 腾讯科技(深圳)有限公司 Alarm source positioning method and device
CN110830438A (en) * 2019-09-25 2020-02-21 杭州优行科技有限公司 Abnormal log warning method and device and electronic equipment
WO2022111659A1 (en) * 2020-11-30 2022-06-02 中兴通讯股份有限公司 Warning method, apparatus and device, and storage medium
CN115437870A (en) * 2021-06-01 2022-12-06 平安证券股份有限公司 Monitoring method and device for business process data, computer equipment and storage medium
WO2022257423A1 (en) * 2021-06-08 2022-12-15 天翼云科技有限公司 Warning information association method and apparatus, and electronic device and readable storage medium
CN113312241A (en) * 2021-06-29 2021-08-27 中国农业银行股份有限公司 Abnormal alarm method, access log generation method and operation and maintenance system
CN114116396A (en) * 2021-11-29 2022-03-01 重庆富民银行股份有限公司 Full link tracking method, system, storage medium and equipment
CN114189430A (en) * 2021-12-09 2022-03-15 兴业银行股份有限公司 Three-dimensional log full-link monitoring system, method, medium and equipment
CN114615018A (en) * 2022-02-15 2022-06-10 北京云集智造科技有限公司 Abnormity detection method for financial transaction full link log
CN116881100A (en) * 2023-06-26 2023-10-13 人保信息科技有限公司 Log detection method, log alarm method, system, equipment and storage medium

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
WEI CHUNLEI, ET AL: "Research and design of a service gateway for power grid dispatching control system", 《2021 3RD INTERNATIONAL CONFERENCE ON ELECTRICAL ENGINEERING AND CONTROL TECHNOLOGIES》, pages 30 - 36 *
常龙尉,崔龙: "基于网络态势分析实现省级广电监测多层级管理", 《广播电视信息》, no. 04, pages 61 - 65 *
曲光学: "基于模糊场景关联分析的技术研究与实践", 无线互联科技, vol. 2016, no. 14, pages 115 - 118 *
武斌;郑康锋;杨义先;: "Honeynet中的告警日志分析", 北京邮电大学学报, vol. 2008, no. 06, pages 63 - 66 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117648213A (en) * 2024-01-30 2024-03-05 杭银消费金融股份有限公司 Data transmission path model building method and system
CN117648213B (en) * 2024-01-30 2024-05-07 杭银消费金融股份有限公司 Data transmission path model building method and system

Also Published As

Publication number Publication date
CN117112371B (en) 2024-01-26

Similar Documents

Publication Publication Date Title
CN117112371B (en) Observable full-link log tracking method and system
US20190392252A1 (en) Systems and methods for selecting a forecast model for analyzing time series data
Gegick et al. Prioritizing software security fortification throughcode-level metrics
Ohlsson et al. Predicting fault-prone software modules in telephone switches
US9274869B2 (en) Apparatus, method and storage medium for fault cause extraction utilizing performance values
US20070271219A1 (en) Performance degradation root cause prediction in a distributed computing system
CN116743501B (en) Abnormal flow control method and system
US8386849B2 (en) Noisy monitor detection and intermittent fault isolation
CN113242218A (en) Network security monitoring method and system
Wang et al. New control charts for monitoring the Weibull percentiles under complete data and Type‐II censoring
Jayawardhana et al. Statistical damage sensitive feature for structural damage detection using AR model coefficients
Berenguer et al. Inspection and maintenance planning: An application of semi-Markov decision processes
CN111309502A (en) Solid state disk service life prediction method
CN115952446A (en) Method, device and equipment for predicting steady-state vibration response of rocket engine
CN115311829A (en) Accurate alarm method and system based on mass data
Mollineaux et al. Structural health monitoring of progressive damage
Tufan et al. Modal plot—System identification and fault detection
CN118101528A (en) Information equipment health degree assessment method and system
CN116232851A (en) Early warning method and device for network abnormality, electronic equipment and storage medium
CN114938339A (en) Data processing method and related device
CN112398706B (en) Data evaluation standard determining method and device, storage medium and electronic equipment
CN116627093B (en) Nitrile glove processing control method, system, equipment and storage medium
CN116776502B (en) Intelligent prediction method and system for service life of spring hydraulic mounting machine
CN117114693B (en) Event-based resource loss detection method and system
CN117851789B (en) Industrial control equipment operation quality evaluation system based on artificial intelligence

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant