CN117573498A - Log analysis model training method and device for multi-application system - Google Patents


Publication number
CN117573498A
Authority
CN
China
Prior art keywords
application system
log data
group
association relation
application
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311598879.XA
Other languages
Chinese (zh)
Inventor
赵华健
田洁
郑钧元
崔晓欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202311598879.XA
Publication of CN117573498A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3452 Performance evaluation by statistical analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Probability & Statistics with Applications (AREA)
  • Quality & Reliability (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to a log analysis model training method and device for a multi-application system. The method comprises the following steps: extracting normal sample log data and abnormal sample log data from sample log data of at least one application system; determining the association relation among the application systems according to the normal sample log data and the abnormal sample log data of each application system; and training a log analysis model according to the association relation between the application systems and the sample log data, wherein the log analysis model consists of a plurality of sub-models, each sub-model corresponds to at least one application system, and, for any sub-model, the application systems corresponding to that sub-model have a direct or indirect association relation with each other. The method improves the precision of system state prediction for an overall system that comprises a plurality of application systems.

Description

Log analysis model training method and device for multi-application system
Technical Field
The present disclosure relates to the field of big data technologies, and in particular, to a method and an apparatus for training a log analysis model for multiple application systems.
Background
With the increasing reliance of enterprises and society on informatization, it is increasingly common for a large system to comprise multiple application systems. These application systems may include operating systems, databases, APPs (applications), web pages, and the like. Each application system generates a large amount of log data, which contains information such as the running state and abnormal conditions of the application system.
However, because the application systems use different log data formats, and because the weight of each application system within the whole system is difficult to determine, among other reasons, conventional log analysis methods can only analyze the log data of each application system individually and cannot effectively combine the log data of all application systems for analysis. The system state of the whole system can therefore be judged only from the state of a single application system as shown by its log data, and the precision of the system state judgment is low.
Disclosure of Invention
Accordingly, it is necessary to provide a method and apparatus for training a log analysis model for a multi-application system in order to solve the above-mentioned problems.
In a first aspect, the present application provides a log analysis model training method for a multi-application system.
The method comprises the following steps:
extracting normal sample log data and abnormal sample log data from sample log data of at least one application system;
determining the association relation between the application systems according to the normal sample log data and the abnormal sample log data of the application systems;
training to obtain a log analysis model according to the association relation between the application systems and the sample log data, wherein the log analysis model consists of a plurality of sub-models, each sub-model corresponds to at least one application system, and for any sub-model, the application systems corresponding to the sub-models have direct association relation or indirect association relation with each other.
In one embodiment, training to obtain a log analysis model according to the association relationship between the application systems and the sample log data includes:
determining an association relation value between two application systems aiming at the application systems with association relation between every two application systems;
determining at least one application system group according to the association relation value between the application systems, wherein the group association relation value corresponding to the application system group is larger than a preset association relation value threshold value, and the group association relation value is determined according to the association relation value between the application systems in the application system group;
and, for any application system group, training to obtain a sub-model corresponding to the application system group according to the sample log data corresponding to each application system in the application system group.
In one embodiment, the determining at least one application system group according to the association relation value between the application systems includes:
traversing each application system, determining a first target application system group corresponding to the target application system in each current application system group aiming at the current traversed target application system, and determining an expected group association relation value of the target application system aiming at each first target application system group, wherein the expected group association relation value is used for representing the group association relation value which the first target application system group will have after the target application system joins the first target application system group, and at least one application system in the first target application system group has a direct association relation or an indirect association relation with the target application system;
and determining a second target application system group corresponding to the target application system according to the expected group association relation value and the preset association relation value threshold value of the target application system for each first target application system group, and updating the second target application system group through the target application system.
In one embodiment, the determining, according to the expected association value of the target application system for each first target application system group and the preset association value threshold, the second target application system group corresponding to the target application system includes:
aiming at any first target application system group, taking the first target application system group as a candidate application system group under the condition that the expected group association relation value of the first target application system group is larger than the preset association relation value threshold;
determining a second target application system group from each of the candidate application system groups if the candidate application system groups exist; or,
and if the candidate application system group does not exist, a new application system group is established, and the new application system group is used as the second target application system group.
In one embodiment, the extracting normal sample log data and abnormal sample log data from the sample log data of at least one application system includes:
performing anomaly detection processing on the sample log data of each application system through an anomaly detection algorithm to obtain anomaly sample log data;
and taking the sample log data which does not belong to the abnormal sample log data in the sample log data as normal sample log data.
In one embodiment, the determining the association relationship between the application systems according to the normal sample log data and the abnormal sample log data of each application system includes:
and determining the association relation between the two application systems according to at least one of the appearance time sequence of the normal sample log data, the appearance time sequence of the abnormal sample log data and the text content of the sample log data of any two application systems.
In one embodiment, the method further comprises:
extracting application log data from at least one application system;
and analyzing the application log data through the log analysis model to obtain a system state corresponding to the application log data.
In a second aspect, the present application further provides a log analysis model training device for a multi-application system. The device comprises:
the first extraction module is used for extracting normal sample log data and abnormal sample log data from the sample log data of at least one application system;
the determining module is used for determining the association relation between the application systems according to the normal sample log data and the abnormal sample log data of the application systems;
the training module is used for training to obtain a log analysis model according to the association relation among the application systems and the sample log data, wherein the log analysis model consists of a plurality of sub-models, each sub-model corresponds to at least one application system, and for any sub-model, the application systems corresponding to the sub-models have direct association relation or indirect association relation with each other.
In one embodiment, the training module is further configured to:
determining an association relation value between two application systems aiming at the application systems with association relation between every two application systems;
determining at least one application system group according to the association relation value between the application systems, wherein the group association relation value corresponding to the application system group is larger than a preset association relation value threshold value, and the group association relation value is determined according to the association relation value between the application systems in the application system group;
and, for any application system group, training to obtain a sub-model corresponding to the application system group according to the sample log data corresponding to each application system in the application system group.
In one embodiment, the training module is further configured to:
traversing each application system, determining a first target application system group corresponding to the target application system in each current application system group aiming at the current traversed target application system, and determining an expected group association relation value of the target application system aiming at each first target application system group, wherein the expected group association relation value is used for representing the group association relation value which the first target application system group will have after the target application system joins the first target application system group, and at least one application system in the first target application system group has a direct association relation or an indirect association relation with the target application system;
and determining a second target application system group corresponding to the target application system according to the expected group association relation value and the preset association relation value threshold value of the target application system for each first target application system group, and updating the second target application system group through the target application system.
In one embodiment, the training module is further configured to:
aiming at any first target application system group, taking the first target application system group as a candidate application system group under the condition that the expected group association relation value of the first target application system group is larger than the preset association relation value threshold;
determining a second target application system group from each of the candidate application system groups if the candidate application system groups exist; or,
and if the candidate application system group does not exist, a new application system group is established, and the new application system group is used as the second target application system group.
In one embodiment, the first extraction module is further configured to:
performing anomaly detection processing on the sample log data of each application system through an anomaly detection algorithm to obtain anomaly sample log data;
and taking the sample log data which does not belong to the abnormal sample log data in the sample log data as normal sample log data.
In one embodiment, the determining module is further configured to:
and determining the association relation between the two application systems according to at least one of the appearance time sequence of the normal sample log data, the appearance time sequence of the abnormal sample log data and the text content of the sample log data of any two application systems.
In one embodiment, the apparatus further comprises:
the second extraction module is used for extracting application log data from at least one application system;
and the analysis module is used for analyzing the application log data through the log analysis model to obtain a system state corresponding to the application log data.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing any of the methods above when executing the computer program.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements any of the methods above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprising a computer program which, when executed by a processor, implements any of the methods above.
According to the method and the device for training the log analysis model for multiple application systems, the association relation between the application systems is determined according to the normal sample log data and the abnormal sample log data, and the application systems having a direct or indirect association relation are then trained together as a subtask to obtain a log analysis model comprising the sub-models corresponding to the subtasks, so that the system state of the overall system can be obtained from the log data of each application system. Moreover, because application systems that have association relations with each other indicate whether the log data of one another is abnormal, training the application systems having association relations as one subtask can improve the prediction precision of the model.
Drawings
FIG. 1 is a flow diagram of a log analysis model training method for a multi-application system in one embodiment;
FIG. 2 is a flow chart of step 106 in one embodiment;
FIG. 3 is a flow chart of step 204 in one embodiment;
FIG. 4 is a flow chart of step 304 in one embodiment;
FIG. 5 is a flow chart of step 102 in one embodiment;
FIG. 6 is a flow diagram of a log analysis model training method for a multi-application system in one embodiment;
FIG. 7 is a flow diagram of a log analysis model training method for a multi-application system in one embodiment;
FIG. 8 is a block diagram of a log analysis model training apparatus for a multi-application system in one embodiment;
FIG. 9 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
In one embodiment, as shown in FIG. 1, a log analysis model training method for a multi-application system is provided. The method is described here as applied to a server for illustration; it is understood that the method may also be applied to a terminal, or to a system including the terminal and the server, where it is implemented through interaction between the terminal and the server. In this embodiment, the method includes the following steps:
Step 102, extracting normal sample log data and abnormal sample log data from the sample log data of at least one application system.
In the embodiment of the application, the application systems refer to the application systems under the same overall system, for example, a front-end webpage for an order system, a payment system, a warehouse system, a database and the like. Each application system generates log data while running. Because the underlying architectures of the application systems differ, the formats of the log data they generate may also differ.
Log data generated by each application system over a fixed period of time may be used as sample log data. The normal sample log data and the abnormal sample log data may be extracted from the sample log data of each application system separately. For example, the sample log data generated when the application system fails to run because of a reported error can be used as abnormal sample log data, and the remaining sample log data can be used as normal sample log data; alternatively, the sample log data may be uniformly processed into feature vectors to which a detection algorithm can be applied (the feature vectors may be extracted by using a bag-of-words model, time sequence features, or the like), an anomaly detection algorithm (e.g., an outlier detection algorithm) may be applied, the detected abnormal log data may be used as abnormal sample log data, and the remaining log data may be used as normal sample log data.
Step 104, determining the association relation between the application systems according to the normal sample log data and the abnormal sample log data of the application systems.
In the embodiment of the application, the association relationship between the application systems can be obtained from the occurrence patterns of the normal sample log data and the abnormal sample log data of the application systems. The association relationship between application systems refers to an association between the log data of two application systems. If the abnormal sample log data of application system A and application system B follow similar temporal patterns, it can be determined that an association relationship exists between application system A and application system B. Further, the association relationship may be divided into various types, such as a causal relationship and a co-occurrence relationship. For each type of association relationship, a corresponding algorithm may be used to determine whether that relationship exists between the application systems. For example, the Apriori algorithm or the FP-Growth algorithm may be used to determine whether a co-occurrence relationship exists between two application systems, and a causal relation mining algorithm may be used to determine whether a causal relationship exists between two application systems; the embodiment of the present application does not limit this in detail.
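One way to test for the co-occurrence relationship described above, shown as an added Python example that is not part of the patent text: abnormal log timestamps are bucketed into fixed time windows and each pair of application systems is scored by pair-level support and confidence, the counting step that Apriori-style mining builds on. The window size, thresholds, function names and log records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample: (application system, timestamp) of abnormal log records.
SAMPLE_ABNORMAL_LOGS = [
    ("order",     "2024-01-01 10:00:05"),
    ("payment",   "2024-01-01 10:00:40"),
    ("order",     "2024-01-01 10:07:10"),
    ("payment",   "2024-01-01 10:07:12"),
    ("warehouse", "2024-01-01 10:07:50"),
    ("order",     "2024-01-01 10:15:01"),
    ("payment",   "2024-01-01 10:15:30"),
    ("warehouse", "2024-01-01 10:30:20"),
    ("warehouse", "2024-01-01 10:42:00"),
    ("database",  "2024-01-01 10:42:10"),
    ("payment",   "2024-01-01 10:50:00"),
]

_EPOCH = datetime(1970, 1, 1)


def window_transactions(events, window_seconds=60):
    """Bucket abnormal records into fixed time windows.

    Each window becomes one "transaction": the set of application
    systems that logged at least one abnormal record inside it.
    """
    buckets = defaultdict(set)
    for system, ts in events:
        parsed = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        seconds = (parsed - _EPOCH).total_seconds()
        buckets[int(seconds // window_seconds)].add(system)
    return list(buckets.values())


def cooccurrence_relations(events, window_seconds=60,
                           min_support=2, min_confidence=0.6):
    """Return {(system_a, system_b): confidence} for co-occurring pairs.

    support    = number of windows in which both systems were abnormal
    confidence = the weaker of the two directional confidences, so the
                 relation is only reported when it holds both ways
    Thresholds are assumed values, not taken from the patent.
    """
    single = defaultdict(int)   # windows in which one system was abnormal
    pair = defaultdict(int)     # windows in which both systems were abnormal
    for systems in window_transactions(events, window_seconds):
        for s in systems:
            single[s] += 1
        for a, b in combinations(sorted(systems), 2):
            pair[(a, b)] += 1

    relations = {}
    for (a, b), together in pair.items():
        if together < min_support:
            continue  # too rare to call a pattern
        confidence = min(together / single[a], together / single[b])
        if confidence >= min_confidence:
            relations[(a, b)] = confidence
    return relations


if __name__ == "__main__":
    for (a, b), conf in cooccurrence_relations(SAMPLE_ABNORMAL_LOGS).items():
        print(f"{a} <-> {b}: co-occurrence relation, confidence {conf:.2f}")
```

Fixed windows split two anomalies that straddle a window boundary, so in practice the window length needs to be tuned against the propagation delay between the application systems being compared.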
Step 106, training to obtain a log analysis model according to the association relation among the application systems and the sample log data, wherein the log analysis model consists of a plurality of sub-models, each sub-model corresponds to at least one application system, and, for any sub-model, the application systems corresponding to that sub-model have a direct association relation or an indirect association relation with each other.
In the embodiment of the application, if any association relationship exists between two application systems, a direct association relationship exists between the two application systems; if no association relationship exists between the two application systems, but each of them has an association relationship with other application systems that are themselves associated with each other, an indirect association relationship exists between the two application systems. For example, if there is an association relationship between application system A and application system B, and there is an association relationship between application system B and application system C, there is an indirect association relationship between application system A and application system C.
A group of application systems with association relations can be used as a subtask, and the subtasks are trained jointly through a multi-task learning algorithm to obtain a log analysis model comprising a plurality of sub-models, which reduces the number of models to be trained. Moreover, because the application systems have association relations with each other, whether the log data of one application system is abnormal can be inferred from whether the log data of another application system is abnormal. Training the application systems with association relations as one subtask therefore reduces the model prediction errors that occur when a model is trained independently for each application system, and improves the accuracy of system state prediction based on the model.
For example, the application systems may first be grouped according to the association relationships among them, and each group of application systems is then trained as a subtask through a multi-task learning algorithm. For example, the sample log data and the system state at the time the sample log data was generated can be used as a sample pair, and a loss function and a loss weight are set for each subtask; the weighted sum of the loss functions, using the loss weights, is then taken as the total loss function, the optimization objective is set so that the loss value of the total loss function is smaller than a certain threshold, and the log analysis model is trained with the sample pairs until the optimization objective is reached. The grouping standard can be preset by a person skilled in the art. For example, the application systems in each group may be required to have a direct association relationship with each other, and the direct association relationship may be further limited to a strong association relationship such as a causal relationship, so that the trained sub-model uses only strongly associated data for prediction, which improves the accuracy of prediction; alternatively, the application systems in each group may only be required to have an indirect association relationship with each other, so that each group contains as many application systems as possible and the number of sub-models to be trained is further reduced. The multi-task learning algorithm used in the embodiments of the present application is not particularly limited and may be a multi-task learning algorithm based on any framework, such as one trained with TensorFlow (a machine learning platform) or with PyTorch (a machine learning library).
After the trained log analysis model is obtained, log data acquired from each application system in real time can be input into the log analysis model in actual application, so that the system state of the current total system is obtained.
According to the log analysis model training method for the multi-application system, the association relation between the application systems is determined according to the normal sample log data and the abnormal sample log data, and the application systems having a direct or indirect association relation are then trained together as a subtask to obtain a log analysis model comprising the sub-models corresponding to the subtasks, so that the system state of the overall system can be obtained from the log data of each application system. Moreover, because application systems that have association relations with each other indicate whether the log data of one another is abnormal, training the application systems having association relations as one subtask can improve the prediction precision of the model.
In one embodiment, as shown in fig. 2, in step 106, training to obtain a log analysis model according to the association relationship between the application systems and the sample log data includes:
Step 202, determining an association relation value between two application systems aiming at each two application systems with association relation.
Step 204, determining at least one application system group according to the association relation value among the application systems, wherein the group association relation value corresponding to the application system group is greater than a preset association relation value threshold value, and the group association relation value is determined according to the association relation value among the application systems in the application system group.
Step 206, training to obtain a sub-model corresponding to the application system group according to the sample log data corresponding to each application system in the application system group for any application system group.
In the embodiment of the application, the association relation value may be determined according to whether a direct association relationship or an indirect association relationship exists between two application systems, and according to the types of those relationships. For example, the association relation value of two application systems having a direct association relationship may be set to 2 points, and the association relation value of two application systems having an indirect association relationship may be set to 1 point (or any other scores, as long as the score of the direct association relationship is greater than the score of the indirect association relationship). Alternatively, the association relationships can be further divided into strong association relationships and weak association relationships. A strong association relationship means that whether the log data of one application system is normal directly influences whether the log data of the other application system is normal; for example, application systems with an upstream and downstream relationship usually have a strong association relationship. A weak association relationship means that although the two application systems still have an association relationship (such as similarity in the times at which their log data is abnormal), whether the log data of one application system is normal generally does not affect whether the log data of the other application system is normal. A score may be assigned to the strong association relationship and to the weak association relationship, for example 2 points for the strong association relationship and 1 point for the weak association relationship, or any other scores, as long as the score of the strong association relationship is greater than the score of the weak association relationship.
When strong and weak association relationships are distinguished, the association relation value between two application systems with an indirect association relationship can be determined according to how many strong association relationships and how many weak association relationships lie on the indirect association between the two application systems. The association relation value may be determined, for example, as the average of the scores of the strong and weak association relationships on the indirect association: for example, if there is a strong association relationship between application system A and application system B, and a weak association relationship between application system B and application system C, the association relation value between application systems A and C may be the average of 2 and 1, that is, 1.5.
It should be noted that there may be an application system group in which only one application system is present. In this case, the group association value of the application system group may be set to a larger value exceeding the preset association value threshold.
The application systems may be divided into a plurality of application system groups, so that each application system of each application system group has a direct association relationship or an indirect association relationship with each other, and the group association relationship value of the application system group is greater than a preset association relationship value threshold. The preset association relation value threshold value can be set according to actual requirements, for example, if prediction accuracy needs to be improved, the preset association relation value threshold value can be set higher; if the number of models is required to be further reduced and the training efficiency is improved, the threshold value of the preset association relation value can be set lower. The group association relationship value of the application system group may be determined according to the association relationship value between every two application systems in the application system group, for example, an average value of each association relationship value, a sum of each association relationship value, etc., which is not specifically limited in the embodiment of the present application.
After dividing each application system group, each application system group can be used as a subtask, and the log analysis model is trained based on sample log data of each application system in the subtask through a multitask learning algorithm so as to obtain a log analysis model formed by the sub-models corresponding to each application system group.
According to the log analysis model training method for the multi-application system, the association relation value among the application systems is calculated, the application system groups are divided according to the association relation value, so that the association relation value of the group corresponding to the application system group is larger than the preset association relation value threshold, and the application model with the association relation meeting the requirement is used as a subtask for training, so that the prediction precision of the model can be improved.
In one embodiment, as shown in fig. 3, in step 204, determining at least one application system group according to the association relationship value between the application systems includes:
Step 302, traversing each application system; for the currently traversed target application system, determining the first target application system groups corresponding to the target application system among the current application system groups, and determining an expected group association relation value of the target application system for each first target application system group, wherein the expected group association relation value represents the group association relation value that the first target application system group will have after the target application system joins it, and at least one application system in the first target application system group has a direct association relation or an indirect association relation with the target application system.
Step 304, determining a second target application system group corresponding to the target application system according to the expected group association relation value and the preset association relation value threshold of the target application system for each first target application system group, and updating the second target application system group through the target application system.
By traversing each application system, the first target application system groups, in which at least one application system has an association relation with the target application system, can be determined from the current application system groups. The expected group association relation value that each first target application system group would have after the target application system joins it is then calculated, so that the first target application system group to which each application system should belong is determined. For example, since the association relationships between the application systems are already determined, all application systems having an association relationship (direct or indirect) with the currently traversed target application system can be determined, and the application system groups in which those application systems are located are used as the first target application system groups.
The expected group association relation value that the first target application system group would have after the target application system joins it may be calculated for each first target application system group. For example, assume that the group association relationship value is calculated as the average of the association relationship values between the application systems in the application system group, and that a certain first target application system group currently contains application system A and application system B. The association relationship value of application system A and application system B is 2 (i.e., the current group association relationship value of the first target application system group is 2), the association relationship value of the current target application system C and application system A is 1, and the association relationship value of the current target application system C and application system B is 1.5. After the target application system C is added to the first target application system group, the expected group association relationship value of the first target application system group is (1+1.5+2)/3=1.5. The expected group association relationship value for the other first target application system groups may be calculated in a similar manner.
After the expected group association relation values of all the first target application system groups are calculated, the second target application system group can be selected according to the expected group association relation values and the preset association relation value threshold. For example, when the group association relationship value is calculated as the average of the association relationship values between the application systems in the application system group, the first target application system group whose expected group association relationship value is greater than the preset association relationship value threshold and is the highest may be used as the second target application system group. Alternatively, the first target application system group in which at least one application system has a strong association relationship with the target application system, and whose expected group association relationship value is greater than the preset association relationship value threshold and is the highest, may be used as the second target application system group. When the group association relationship value is calculated as the sum of the association relationship values among the application systems in the application system group, any first target application system group whose original group association relationship value does not reach the preset association relationship value threshold, but whose expected group association relationship value is greater than the preset association relationship value threshold after the target application system is added, can be used as the second target application system group. The embodiment of the application is not particularly limited in this respect.
It should be noted that, when there is no first target application system group or there is no first target application system group whose expected group association relationship value satisfies the requirement, a new application system group may be established as the second target application system group.
After the second target application system group is determined, the target application system can be added to the second target application system group, so that the second target application system group is updated. When the next application system is traversed, the current application system groups corresponding to it are the application system groups as updated according to the current target application system.
According to the log analysis model training method for the multiple application systems, the application systems are traversed, the expected group association relation value of the application systems for each first target application system group is calculated, the second target application system group to which the application systems should belong is determined, the group association relation value corresponding to the application system group is enabled to be larger than the preset association relation value threshold, the application model with the association relation meeting the requirements can be used as a subtask for training, and the prediction accuracy of the model is improved.
In one embodiment, as shown in fig. 4, in step 304, determining, according to the expected association value of the target application system for each first target application system group and the preset association value threshold, a second target application system group corresponding to the target application system includes:
Step 402, regarding any first target application system group, taking the first target application system group as a candidate application system group when the expected group association relationship value of the first target application system group is greater than a preset association relationship value threshold.
Step 404, determining a second target application system group from the candidate application system groups when the candidate application system groups exist; or,
Step 406, in the case that there is no candidate application system group, a new application system group is established, and the new application system group is used as the second target application system group.
In this embodiment of the present application, the group association relationship value may be calculated as the average of the association relationship values between the application systems in an application system group. Whether a first target application system group can be used as a candidate application system group is determined according to whether its expected group association relationship value is greater than the preset association relationship value threshold, and the second target application system group is then selected from the candidate application system groups. For example, the candidate application system group with the highest expected group association relationship value may be used as the second target application system group, or the candidate application system group in which at least one application system has a strong association relationship with the target application system and which has the highest expected group association relationship value may be used as the second target application system group.
When no candidate application system group exists, this indicates that the association relation between the target application system and every first target application system group is weak, and that adding the target application system to any first target application system group would only pull down the group association relation value of that group. In this case, a new application system group may be established and used as the second target application system group, that is, a new application system group including only the target application system is created for the target application system, so as to avoid the situation that some application systems cannot be allocated to any application system group.
According to the log analysis model training method for the multiple application systems, the candidate application system groups are determined according to the expected group association relation value of the application system for each first target application system group, the second target application system group to which the target application system should belong is determined from the candidate application system groups, and the application system groups are newly built under the condition that the candidate application system groups do not exist, so that the situation that some application systems cannot belong to any application system groups can be avoided.
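The traversal in steps 302 to 406 can be traced with a short Python sketch. It is an added example, not code from the patent: it assumes the scores 2 and 1 from the text, the mean of pairwise values as the group association relation value, the first fewest-hop path when several indirect paths exist, and hypothetical system names A to E.

```python
from collections import deque
from itertools import combinations

STRONG, WEAK = 2.0, 1.0  # scores used in the text; only STRONG > WEAK matters


def association_values(direct):
    """Extend direct pair scores to indirectly associated pairs.

    direct maps frozenset({a, b}) -> STRONG or WEAK. An indirect pair gets the
    average of the edge scores along the connecting path. Assumption: when
    several paths exist, the first fewest-hop path found by BFS is used.
    """
    adj = {}
    for pair, score in direct.items():
        a, b = sorted(pair)
        adj.setdefault(a, {})[b] = score
        adj.setdefault(b, {})[a] = score
    values = {}
    for src in sorted(adj):
        path_scores = {src: []}  # node -> edge scores on the path from src
        queue = deque([src])
        while queue:
            node = queue.popleft()
            for nxt in sorted(adj[node]):
                if nxt not in path_scores:
                    path_scores[nxt] = path_scores[node] + [adj[node][nxt]]
                    queue.append(nxt)
        for dst, scores in path_scores.items():
            if dst != src:
                values.setdefault(frozenset((src, dst)), sum(scores) / len(scores))
    return values


def expected_group_value(group, target, values):
    """Group value the group would have after target joins (mean of all pairs)."""
    pairs = list(combinations(list(group) + [target], 2))
    return sum(values.get(frozenset(p), 0.0) for p in pairs) / len(pairs)


def assign_groups(systems, values, threshold):
    """Greedy traversal: each system joins its best candidate group or a new one."""
    groups = []
    for target in systems:
        candidates = []
        for group in groups:
            # A "first target group" has at least one member associated with target.
            if any(frozenset((target, m)) in values for m in group):
                expected = expected_group_value(group, target, values)
                if expected > threshold:          # step 402
                    candidates.append((expected, group))
        if candidates:                            # step 404 (assumed: highest value wins)
            max(candidates, key=lambda c: c[0])[1].append(target)
        else:                                     # step 406: single-system group
            groups.append([target])
    return groups


# Constructed sample: A-B strong, B-C weak, D-E strong; A-C is indirect.
DIRECT = {
    frozenset(("A", "B")): STRONG,
    frozenset(("B", "C")): WEAK,
    frozenset(("D", "E")): STRONG,
}
SYSTEMS = ["A", "B", "C", "D", "E"]

if __name__ == "__main__":
    vals = association_values(DIRECT)
    for thr in (1.2, 1.6):
        print(thr, assign_groups(SYSTEMS, vals, thr))
```

Raising the threshold from 1.2 to 1.6 splits C into its own group, which is the trade-off between prediction accuracy and the number of sub-models that the description attributes to the threshold.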
In one embodiment, as shown in fig. 5, in step 102, extracting normal sample log data and abnormal sample log data from sample log data of at least one application system includes:
Step 502, performing anomaly detection processing on the sample log data of each application system through an anomaly detection algorithm to obtain abnormal sample log data.
Step 504, sample log data which does not belong to the abnormal sample log data among the sample log data is used as normal sample log data.
In the embodiment of the application, the abnormal sample log data can be detected by any anomaly detection algorithm. The anomaly detection algorithm may be a statistics-based anomaly detection algorithm (e.g., if the sample log data follows a normal distribution, sample log data that is greater than the mean plus three times the standard deviation, or less than the mean minus three times the standard deviation, may be treated as abnormal sample log data) or a clustering-based anomaly detection algorithm (e.g., sample log data that cannot be clustered into one large class may be treated as abnormal sample log data); the embodiment of the present application is not specifically limited in this respect.
Since log data may contain various kinds of data such as text and time series data, each piece of sample log data may first be expressed as a feature vector before an anomaly detection algorithm is used. For example, feature extraction may be performed on text by using a bag-of-words model, TF-IDF (term frequency-inverse document frequency) or the like, and feature extraction may be performed on other structured data by using statistical features, time sequence features or the like. Moreover, since each piece of log data may include multiple dimensions (such as the operation performed by the system, the time at which the operation was performed, the initiator of the operation, the object of the operation, etc.), in order to facilitate anomaly detection, any method, such as a deep representation learning algorithm, may be used to perform dimension reduction on the feature vector corresponding to the sample log data, which is not specifically limited in the embodiments of the present application.
After the abnormal sample log data is screened out by adopting an algorithm, the rest sample log data can be used as normal sample log data.
According to the log analysis model training method for the multi-application system, the abnormal sample log data is obtained through detection by adopting the abnormal detection algorithm, and then the rest sample log data is used as the normal sample log data, so that the detection precision of the abnormal sample log data and the normal sample log data can be improved, and the determination precision of the association relation and the training precision of the log analysis model are further improved.
In one embodiment, in step 104, determining the association relationship between the application systems according to the normal sample log data and the abnormal sample log data of each application system includes:
for any two application systems, determining the association relation between the two application systems according to at least one of the appearance time sequence of normal sample log data, the appearance time sequence of abnormal sample log data and the text content of the sample log data of the two application systems.
In this embodiment of the present application, the appearance time sequence is the sequence formed by the times at which normal sample log data or abnormal sample log data appears. For example, if for an application system the sample log data between time A and time B is normal sample log data, the sample log data between time B and time C is abnormal sample log data, and the sample log data between time C and time D is normal sample log data, then the appearance time sequence of the normal sample log data of the application system is [A:B, C:D] (A:B means from A to B, and so on), and the appearance time sequence of the abnormal sample log data is [B:C].
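The split from steps 502 and 504 and the appearance time sequences just defined can be combined in one Python sketch. It is an added example, not code from the patent, and it assumes a single scalar feature per one-minute window (a constructed count of error-level lines) in place of the reduced feature vectors the description mentions.

```python
from statistics import mean, pstdev


def three_sigma_split(features):
    """Return (abnormal_indices, normal_indices) for one feature per window.

    A window is abnormal when its feature lies outside mean +/- 3 * sigma.
    Caveat: with the population standard deviation, a single point's z-score
    is at most sqrt(n - 1), so fewer than 11 windows can never yield a
    3-sigma outlier, however extreme the value is.
    """
    mu, sigma = mean(features), pstdev(features)
    low, high = mu - 3 * sigma, mu + 3 * sigma
    abnormal = [i for i, x in enumerate(features) if x > high or x < low]
    flagged = set(abnormal)
    # Step 504: everything that is not abnormal is normal.
    normal = [i for i in range(len(features)) if i not in flagged]
    return abnormal, normal


def to_time_sequence(window_indices, window_minutes=1):
    """Collapse consecutive window indices into (start, end) minute ranges."""
    sequence = []
    for i in sorted(window_indices):
        start, end = i * window_minutes, (i + 1) * window_minutes
        if sequence and sequence[-1][1] == start:
            sequence[-1] = (sequence[-1][0], end)  # extend the open range
        else:
            sequence.append((start, end))
    return sequence


# Constructed sample: 30 one-minute windows, with a burst in minutes 12 and 13.
ERROR_COUNTS = [3, 2, 4, 3, 3, 2, 4, 3, 2, 3] * 3
ERROR_COUNTS[12], ERROR_COUNTS[13] = 60, 58

if __name__ == "__main__":
    abnormal, normal = three_sigma_split(ERROR_COUNTS)
    print("abnormal sequence:", to_time_sequence(abnormal))
    print("normal sequence:  ", to_time_sequence(normal))
```

The two printed sequences have the [B:C] and [A:B, C:D] shape used in the paragraph above.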
The text content of the sample log data may be the text content of the vectorized representation or the text content still expressed in text. Whether or not an association relationship exists between two application systems can be determined according to the similarity between the appearance time sequence of normal sample log data (hereinafter, simply referred to as a normal sequence) of the two application systems, the appearance time sequence of abnormal sample log data (hereinafter, simply referred to as an abnormal sequence) and the text content of the sample log data. The relevance between the two application systems can be scored according to whether the normal sequences are similar, whether the abnormal sequences are similar and whether the text content is similar, and whether the two application systems have the relevance relationship or not can be determined according to the scoring.
For example, if the normal sequence of application system A and the normal sequence of application system B overlap substantially, the normal sequences of the two application systems may be considered similar (overlapping substantially may mean that the length of the time period in which the two normal sequences overlap exceeds a certain threshold). Similarly, if the abnormal sequence of application system A and the abnormal sequence of application system B overlap substantially, the abnormal sequences of the two application systems can be considered similar. If the text contents are represented by vectors, whether two text contents are similar can be determined according to the cosine similarity between the two vectors, or the like; if the text contents are represented as text, whether two text contents are similar may be determined by an algorithm based on word frequency, edit distance, etc. For each indicator that is similar, 1 point can be added to the relevance score between the two application systems; if the total relevance score between the two application systems is greater than a certain threshold value, the two application systems can be considered to have an association relationship.
According to the log analysis model training method for the multi-application system, the association relation between the two application systems is determined according to at least one of the appearance time sequence of the normal sample log data, the appearance time sequence of the abnormal sample log data and the text content of the sample log data of the two application systems, so that the determination accuracy of the association relation can be improved, and the training accuracy of the log analysis model is further improved.
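The three-indicator scoring described above, as an added Python example that is not code from the patent. The system names, time ranges (in minutes), log text and all thresholds are constructed for illustration, and word counts stand in for whatever vectorization is actually used.

```python
import math
from collections import Counter


def overlap_length(seq_a, seq_b):
    """Total overlap between two appearance time sequences.

    Each sequence is a list of (start, end) ranges that do not overlap
    within the same sequence.
    """
    return sum(
        max(0, min(e1, e2) - max(s1, s2))
        for s1, e1 in seq_a
        for s2, e2 in seq_b
    )


def cosine(text_a, text_b):
    """Cosine similarity between word-count vectors of two log texts."""
    va, vb = Counter(text_a.lower().split()), Counter(text_b.lower().split())
    dot = sum(va[t] * vb[t] for t in va)
    norm = math.sqrt(sum(c * c for c in va.values())) * math.sqrt(
        sum(c * c for c in vb.values())
    )
    return dot / norm if norm else 0.0


# Assumed thresholds; the description only says "a certain threshold".
LIMITS = {"normal_overlap": 60, "abnormal_overlap": 5, "cosine": 0.4, "total": 1}


def relevance_score(sys_a, sys_b, limits=LIMITS):
    """Add 1 point for each indicator on which the two systems are similar."""
    score = 0
    if overlap_length(sys_a["normal"], sys_b["normal"]) > limits["normal_overlap"]:
        score += 1
    if overlap_length(sys_a["abnormal"], sys_b["abnormal"]) > limits["abnormal_overlap"]:
        score += 1
    if cosine(sys_a["text"], sys_b["text"]) > limits["cosine"]:
        score += 1
    return score


def is_associated(sys_a, sys_b, limits=LIMITS):
    return relevance_score(sys_a, sys_b, limits) > limits["total"]


# Constructed sample systems over a 120-minute observation window.
GATEWAY = {
    "normal": [(0, 40), (55, 120)],
    "abnormal": [(40, 55)],
    "text": "connection timeout to upstream payment service retry exhausted",
}
PAYMENT = {
    "normal": [(0, 42), (58, 120)],
    "abnormal": [(42, 58)],
    "text": "payment service connection timeout database pool exhausted",
}
REPORTS = {
    "normal": [(0, 90), (100, 120)],
    "abnormal": [(90, 100)],
    "text": "nightly report export finished with missing rows",
}

if __name__ == "__main__":
    print(relevance_score(GATEWAY, PAYMENT), is_associated(GATEWAY, PAYMENT))
    print(relevance_score(GATEWAY, REPORTS), is_associated(GATEWAY, REPORTS))
```

In the constructed data the unrelated pair still earns the normal-sequence point, because two mostly healthy systems are normal at the same time for most of the window; it is the threshold on the total score that separates the pairs.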
In one embodiment, as shown in fig. 6, the method further includes:
Step 602, application log data is extracted from at least one application system.
Step 604, analyzing the application log data through the log analysis model to obtain a system state corresponding to the application log data.
In the embodiment of the application, after the log analysis model is trained, the system state of the total system can be analyzed by collecting the application log data from each application system in real time.
Referring to fig. 7, a schematic flow chart of the above process is shown. The real-time application log data of each application system can be collected into the same log center through a unified data collector, and the collected application log data is then cleaned and standardized, for example by removing irrelevant information, unifying data formats, and processing missing values. The cleaned and standardized application log data is input into the log analysis model, and the log analysis model can output the current total system state represented by the application log data, such as whether the total system state is normal or abnormal and, if an abnormality occurs, which application system is abnormal, the cause of the abnormality, and the like. According to the system state, the log analysis model can also generate early warning information from a preset text template. For example, if the system state indicates that the system is currently abnormal, and specifically that an environment abnormality has occurred in application system A, the log analysis model can generate the early warning information "An environment abnormality is predicted in application system A; please refer to the log data (the application log data corresponding to application system A can be filled in here)", so as to provide operation and maintenance personnel with reference information for handling the system abnormality.
According to the log analysis model training method for the multi-application system, the system state corresponding to the current application log data is output in the application according to the trained log analysis model, and the prediction accuracy of the system state is improved.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a log analysis model training device for the multi-application system, which is used for realizing the log analysis model training method for the multi-application system. The implementation scheme of the device for solving the problem is similar to the implementation scheme described in the method, so the specific limitation in the embodiment of the log analysis model training device for the multi-application system provided below can be referred to the limitation of the log analysis model training method for the multi-application system hereinabove, and the description is omitted here.
In one embodiment, as shown in fig. 8, there is provided a log analysis model training apparatus 800 for a multi-application system, including: a first extraction module 802, a determination module 804, a training module 806, wherein:
a first extraction module 802, configured to extract normal sample log data and abnormal sample log data from sample log data of at least one application system;
a determining module 804, configured to determine an association relationship between the application systems according to the normal sample log data and the abnormal sample log data of each application system;
the training module 806 is configured to train to obtain a log analysis model according to the association relationship between the application systems and the sample log data, where the log analysis model is composed of a plurality of sub-models, each sub-model corresponds to at least one application system, and for any sub-model, the application systems corresponding to the sub-models have a direct association relationship or an indirect association relationship with each other.
According to the log analysis model training device for the multi-application system, the association relation between the application systems is determined according to the normal sample log data and the abnormal sample log data, and then the application systems with a direct or indirect association relation are used as a subtask to train and obtain the log analysis model comprising the sub-models corresponding to the subtasks, so that the system state of the total system can be obtained through the log data of each application system. Moreover, the application systems have association relations with each other to indicate whether the log data of one application system is abnormal or not, so that the application model with the association relations is used as a subtask for training, and the prediction precision of the model can be improved.
In one embodiment, the training module 806 is further configured to:
for every two application systems having an association relation with each other, determining an association relation value between the two application systems;
determining at least one application system group according to the association relation value between the application systems, wherein the group association relation value corresponding to the application system group is larger than a preset association relation value threshold value, and the group association relation value is determined according to the association relation value between the application systems in the application system group;
and for any application system group, training to obtain a sub-model corresponding to the application system group according to the sample log data corresponding to each application system in the application system group.
In one embodiment, the training module 806 is further configured to:
traversing each application system; for the currently traversed target application system, determining the first target application system groups corresponding to the target application system among the current application system groups, and determining an expected group association relation value of the target application system for each first target application system group, wherein the expected group association relation value represents the group association relation value that the first target application system group will have after the target application system joins it, and at least one application system in the first target application system group has a direct association relation or an indirect association relation with the target application system;
and determining a second target application system group corresponding to the target application system according to the expected group association relation value of the target application system for each first target application system group and the preset association relation value threshold, and updating the second target application system group through the target application system.
In one embodiment, the training module 806 is further configured to:
for any first target application system group, taking the first target application system group as a candidate application system group in the case that the expected group association relation value of the first target application system group is larger than the preset association relation value threshold;
determining a second target application system group from each of the candidate application system groups if the candidate application system groups exist; or,
and if the candidate application system group does not exist, a new application system group is established, and the new application system group is used as the second target application system group.
In one embodiment, the first extraction module 802 is further configured to:
performing anomaly detection processing on the sample log data of each application system through an anomaly detection algorithm to obtain abnormal sample log data;
and taking the sample log data which does not belong to the abnormal sample log data in the sample log data as normal sample log data.
In one embodiment, the determining module 804 is further configured to:
and determining the association relation between the two application systems according to at least one of the appearance time sequence of the normal sample log data, the appearance time sequence of the abnormal sample log data and the text content of the sample log data of any two application systems.
In one embodiment, the apparatus further comprises:
the second extraction module is used for extracting application log data from at least one application system;
and the analysis module is used for analyzing the application log data through the log analysis model to obtain a system state corresponding to the application log data.
The above-described modules in the log analysis model training apparatus for a multi-application system may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 9. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, implements a log analysis model training method for a multi-application system.
It will be appreciated by those skilled in the art that the structure shown in fig. 9 is merely a block diagram of a portion of the structure associated with the present application and is not limiting of the computer device to which the present application applies, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that all or part of the above-described methods may be implemented by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may comprise the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features involves no contradiction, it should be considered within the scope of this description.
The above examples represent only a few embodiments of the present application. They are described in relative detail, but are not to be construed as limiting the scope of the present application. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and these would fall within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (11)

1. A method for training a log analysis model for a multi-application system, the method comprising:
extracting normal sample log data and abnormal sample log data from sample log data of at least one application system;
determining the association relation between the application systems according to the normal sample log data and the abnormal sample log data of the application systems;
and training to obtain a log analysis model according to the association relation between the application systems and the sample log data, wherein the log analysis model consists of a plurality of sub-models, each sub-model corresponds to at least one application system, and for any sub-model, the application systems corresponding to the sub-model have a direct association relation or an indirect association relation with each other.
2. The method according to claim 1, wherein training to obtain the log analysis model according to the association relationship between the application systems and the sample log data comprises:
for each pair of application systems that have an association relation with each other, determining an association relation value between the two application systems;
determining at least one application system group according to the association relation value between the application systems, wherein the group association relation value corresponding to the application system group is larger than a preset association relation value threshold, and the group association relation value is determined according to the association relation value between the application systems in the application system group;
and, for any application system group, training to obtain a sub-model corresponding to the application system group according to the sample log data corresponding to each application system in the application system group.
3. The method according to claim 2, wherein determining at least one application system group according to the association relation value between the application systems comprises:
traversing each application system and, for the currently traversed target application system, determining among the current application system groups the first target application system groups corresponding to the target application system, and determining an expected group association relation value of the target application system for each first target application system group, wherein the expected group association relation value represents the group association relation value that the first target application system group will have after the target application system joins it, and at least one application system in the first target application system group has a direct association relation or an indirect association relation with the target application system;
and determining a second target application system group corresponding to the target application system according to the expected group association relation value of the target application system for each first target application system group and the preset association relation value threshold, and updating the second target application system group with the target application system.
4. The method according to claim 3, wherein the determining, according to the expected group association relation value of the target application system for each of the first target application system groups and the preset association relation value threshold, the second target application system group corresponding to the target application system includes:
for any first target application system group, taking the first target application system group as a candidate application system group if the expected group association relation value of the first target application system group is larger than the preset association relation value threshold;
determining a second target application system group from each of the candidate application system groups if the candidate application system groups exist; or,
if no candidate application system group exists, establishing a new application system group and taking the new application system group as the second target application system group.
5. The method according to claim 1, wherein the extracting normal sample log data and abnormal sample log data from the sample log data of at least one application system includes:
performing anomaly detection processing on the sample log data of each application system through an anomaly detection algorithm to obtain anomaly sample log data;
and taking the sample log data that does not belong to the abnormal sample log data as the normal sample log data.
6. The method of claim 1, wherein determining the association between the application systems based on the normal sample log data and the abnormal sample log data of the application systems comprises:
for any two application systems, determining the association relation between the two application systems according to at least one of the time sequence in which their normal sample log data appears, the time sequence in which their abnormal sample log data appears, and the text content of their sample log data.
7. The method according to claim 1, wherein the method further comprises:
extracting application log data from at least one application system;
and analyzing the application log data through the log analysis model to obtain a system state corresponding to the application log data.
8. A log analysis model training apparatus for a multi-application system, the apparatus comprising:
the first extraction module is used for extracting normal sample log data and abnormal sample log data from the sample log data of at least one application system;
the determining module is used for determining the association relation between the application systems according to the normal sample log data and the abnormal sample log data of the application systems;
the training module is used for training to obtain a log analysis model according to the association relation among the application systems and the sample log data, wherein the log analysis model consists of a plurality of sub-models, each sub-model corresponds to at least one application system, and for any sub-model, the application systems corresponding to the sub-model have a direct association relation or an indirect association relation with each other.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
11. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
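
The grouping procedure of claims 2 to 4, worked through as an added example that is not part of the patent text. The application names and association values are constructed, and two rules the claims leave open are assumptions here: the group association relation value is taken as the mean of the pairwise values, and among several candidate groups the one with the highest expected value is chosen.

```python
from itertools import combinations

# Constructed pairwise association relation values (not taken from the patent).
ASSOC = {
    frozenset({"gateway", "auth"}): 0.9,
    frozenset({"auth", "userdb"}): 0.8,
    frozenset({"gateway", "userdb"}): 0.7,
    frozenset({"billing", "ledger"}): 0.85,
    frozenset({"userdb", "billing"}): 0.2,
}
APPS = ["gateway", "auth", "userdb", "billing", "ledger"]

def group_value(members, assoc):
    """Assumed group association relation value: mean over all member pairs,
    with unrelated pairs counted as 0. A single-member group scores 0."""
    pairs = list(combinations(sorted(members), 2))
    if not pairs:
        return 0.0
    return sum(assoc.get(frozenset(p), 0.0) for p in pairs) / len(pairs)

def related(app, group, assoc):
    """True if app reaches a group member over direct or indirect associations."""
    seen, stack = {app}, [app]
    while stack:
        cur = stack.pop()
        for pair in (p for p in assoc if cur in p):
            (other,) = pair - {cur}
            if other in group:
                return True
            if other not in seen:
                seen.add(other)
                stack.append(other)
    return False

def build_groups(apps, assoc, threshold):
    """Traverse apps once, joining or creating groups as in claims 3 and 4."""
    groups = []
    for app in apps:
        # First target groups: existing groups with a member related to app.
        expected = [(group_value(g | {app}, assoc), g)
                    for g in groups if related(app, g, assoc)]
        # Candidates: expected group value exceeds the preset threshold.
        candidates = [c for c in expected if c[0] > threshold]
        if candidates:
            # Assumed selection rule: highest expected group value wins.
            max(candidates, key=lambda c: c[0])[1].add(app)
        else:
            groups.append({app})  # no candidate: open a new group
    return groups
```

With a threshold of 0.5, `build_groups(APPS, ASSOC, 0.5)` keeps `billing` out of the first group even though its weak 0.2 link to `userdb` makes that group a first target group, because joining would pull the expected group value below the threshold.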
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311598879.XA CN117573498A (en) 2023-11-27 2023-11-27 Log analysis model training method and device for multi-application system

Publications (1)

Publication Number Publication Date
CN117573498A true CN117573498A (en) 2024-02-20

Family

ID=89895199

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311598879.XA Pending CN117573498A (en) 2023-11-27 2023-11-27 Log analysis model training method and device for multi-application system

Country Status (1)

Country Link
CN (1) CN117573498A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination