WO2023245911A1 - Complex event detection method and apparatus and storage medium - Google Patents

Complex event detection method and apparatus and storage medium Download PDF

Info

Publication number
WO2023245911A1
WO2023245911A1 PCT/CN2022/123107 CN2022123107W WO2023245911A1 WO 2023245911 A1 WO2023245911 A1 WO 2023245911A1 CN 2022123107 W CN2022123107 W CN 2022123107W WO 2023245911 A1 WO2023245911 A1 WO 2023245911A1
Authority
WO
WIPO (PCT)
Prior art keywords
event
stream
rules
complex
water level
Prior art date
Application number
PCT/CN2022/123107
Other languages
French (fr)
Chinese (zh)
Inventor
任超超
陈政
黄国财
张慢丽
Original Assignee
深圳前海微众银行股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳前海微众银行股份有限公司 filed Critical 深圳前海微众银行股份有限公司
Publication of WO2023245911A1 publication Critical patent/WO2023245911A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/38Concurrent instruction execution, e.g. pipeline, look ahead
    • G06F9/3867Concurrent instruction execution, e.g. pipeline, look ahead using instruction pipelines

Abstract

A complex event detection method and apparatus, and a storage medium. The method comprises: obtaining an operation event stream, there are a plurality of events in the operation event stream (S101); binding a plurality of event rules and a plurality of pieces of event determination logic to each event in the operation event stream (S102); using a calculation engine to determine the matchability between the operation event stream and the plurality of bound event rules (S103); in the case of matching, screening, from the operation event stream, for a target event having an event operation time less than a target watermark, the target watermark being a time determined according to a plurality of event operation times corresponding to the operation event stream (S104); and determining a determination result of the target event according to the plurality of pieces of event determination logic, so as to determine the target event as a complex event according to the determination result (S105).

Description

一种复杂事件检测方法及装置、存储介质A complex event detection method, device and storage medium
相关申请的交叉引用Cross-references to related applications
本申请要求在2022年06月24日提交中国专利局、申请号为202210739018.8、申请名称为“一种复杂事件检测方法及装置、存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to a Chinese patent application filed with the China Patent Office on June 24, 2022, with application number 202210739018.8 and the application title "A complex event detection method, device and storage medium", the entire content of which is incorporated by reference. in this application.
技术领域Technical field
本申请涉及金融技术领域,尤其涉及一种复杂事件检测方法及装置、存储介质。This application relates to the field of financial technology, and in particular to a complex event detection method, device, and storage medium.
背景技术Background technique
随着计算机技术的发展,越来越多的技术应用在金融领域,传统金融业正在逐步向金融科技(Fintech)转变,然而,由于金融行业的安全性、实时性要求,金融科技也对技术提出了更高的要求。金融科技领域下,复杂事件检测越来越重要,现有技术中多是利用Flink进行复杂技术检测的。With the development of computer technology, more and more technologies are applied in the financial field. The traditional financial industry is gradually transforming into financial technology (Fintech). However, due to the security and real-time requirements of the financial industry, Fintech also puts forward technical requirements. higher requirements. In the field of financial technology, complex event detection is becoming more and more important. Most of the existing technologies use Flink to detect complex technologies.
现有技术中,Flink复杂事件检测,是依靠规则广播流跟预先定义的n个规则计算单元来实现复杂事件检测,若新增的规则不在预先定义的规则计算单元中,就需要先新增规则计算单元的代码,并对该代码进行编译运行,如此,降低了增加复杂事件检测规则时的速度。In the existing technology, Flink complex event detection relies on the rule broadcast stream and n predefined rule calculation units to implement complex event detection. If the new rule is not in the predefined rule calculation unit, you need to add a new rule first. The code of the calculation unit is compiled and run, thus reducing the speed when adding complex event detection rules.
发明内容Contents of the invention
为解决上述技术问题,本申请实施例期望提供一种复杂事件检测方法及装置、存储介质,能够提高增加复杂事件检测规则时的速度。In order to solve the above technical problems, embodiments of the present application are expected to provide a complex event detection method, device, and storage medium, which can increase the speed when adding complex event detection rules.
本申请的技术方案是这样实现的:The technical solution of this application is implemented as follows:
本申请实施例提供一种复杂事件检测方法,所述复杂事件检测方法包 括:The embodiment of the present application provides a complex event detection method. The complex event detection method includes:
获取操作事件流,所述操作事件流中的事件数量为多个;Obtain an operation event stream, where the number of events in the operation event stream is multiple;
对所述操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑;Bind multiple event rules and multiple event determination logic to each event in the operation event stream;
利用计算引擎确定所述操作事件流与绑定的多个事件规则之间的匹配性;Using a calculation engine to determine the match between the operation event stream and the multiple bound event rules;
在匹配的情况下,从所述操作事件流中筛选事件操作时间小于目标水位线的目标事件;所述目标水位线为根据所述操作事件流对应的多个事件操作时间确定的时间;In the case of matching, target events whose event operation time is less than a target water level are screened from the operation event stream; the target water level is a time determined based on multiple event operation times corresponding to the operation event stream;
根据所述多个事件确定逻辑确定所述目标事件的确定结果,以根据所述确定结果确定所述目标事件为复杂事件。The determination result of the target event is determined according to the plurality of event determination logics, so that the target event is determined to be a complex event according to the determination result.
本申请实施例提供了一种复杂事件检测装置,所述装置包括:An embodiment of the present application provides a complex event detection device, which includes:
获取部分,配置为获取操作事件流,所述操作事件流中的事件数量为多个;The acquisition part is configured to acquire an operation event stream, where the number of events in the operation event stream is multiple;
绑定部分,配置为对所述操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑;The binding part is configured to bind multiple event rules and multiple event determination logic to each event in the operation event stream;
确定部分,配置为利用计算引擎确定所述操作事件流与绑定的多个事件规则之间的匹配性;根据所述多个事件确定逻辑确定目标事件的确定结果,以根据所述确定结果确定所述目标事件为复杂事件;The determination part is configured to use the calculation engine to determine the matching between the operation event stream and the multiple bound event rules; determine the determination result of the target event according to the multiple event determination logic, so as to determine the determination result according to the determination result. The target event is a complex event;
筛选部分,配置为在匹配的情况下,从所述操作事件流中筛选事件操作时间小于目标水位线的所述目标事件;所述目标水位线为根据所述操作事件流对应的多个事件操作时间确定的时间。The filtering part is configured to, in the case of matching, filter the target events whose event operation time is less than the target water level from the operation event stream; the target water level is a plurality of event operations corresponding to the operation event stream. Time determined time.
本申请实施例提供了一种复杂事件检测装置,所述装置包括:An embodiment of the present application provides a complex event detection device, which includes:
存储器、处理器和通信总线,所述存储器通过所述通信总线与所述处理器进行通信,所述存储器存储所述处理器可执行的复杂事件检测的程序,当所述复杂事件检测的程序被执行时,通过所述处理器执行上述所述的复 杂事件检测方法。A memory, a processor and a communication bus. The memory communicates with the processor through the communication bus. The memory stores a complex event detection program executable by the processor. When the complex event detection program is During execution, the above-mentioned complex event detection method is executed by the processor.
本申请实施例提供了一种存储介质,其上存储有计算机程序,应用于复杂事件检测装置,该计算机程序被处理器执行时实现上述所述的复杂事件检测方法。Embodiments of the present application provide a storage medium on which a computer program is stored, which is used in a complex event detection device. When the computer program is executed by a processor, the complex event detection method described above is implemented.
本申请实施例提供了一种复杂事件检测方法及装置、存储介质,复杂事件检测方法包括:获取操作事件流,操作事件流中的事件数量为多个;对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑;利用计算引擎确定操作事件流与绑定的多个事件规则之间的匹配性;在匹配的情况下,从操作事件流中筛选事件操作时间小于目标水位线的目标事件;目标水位线为根据操作事件流对应的多个事件操作时间确定的时间;根据多个事件确定逻辑确定目标事件的确定结果,以根据确定结果确定目标事件为复杂事件。采用上述方法实现方案,复杂事件检测装置由于多个事件规则与多个事件确定逻辑为表达式形式的规则与逻辑,在新增复杂事件检测规则和事件确定逻辑的情况下,可以直接将新增的复杂事件检测规则和事件确定逻辑广播至计算引擎,以利用计算引擎对表达式形式的新增规则进行解析、运算,不需要再新增规则计算单元的代码,也不需要在对代码进行编译运行,提高了增加复杂事件检测规则时的速度。Embodiments of the present application provide a complex event detection method, device, and storage medium. The complex event detection method includes: obtaining an operation event stream. The number of events in the operation event stream is multiple; binding each event in the operation event stream. Define multiple event rules and multiple event determination logic; use the calculation engine to determine the match between the operation event stream and the bound multiple event rules; in the case of matching, filter events from the operation event stream whose operation time is less than the target The target event of the water level; the target water level is a time determined based on the operation time of multiple events corresponding to the operation event stream; the determination result of the target event is determined based on the multiple event determination logic, and the target event is determined to be a complex event based on the determination result. Using the above method to implement the solution, the complex event detection device has multiple event rules and multiple event determination logics in the form of expressions. When adding complex event detection rules and event determination logic, the newly added complex event detection rules and event determination logic can be directly added. The complex event detection rules and event determination logic are broadcast to the calculation engine, so that the calculation engine can be used to parse and calculate the new rules in the form of expressions. There is no need to add code for the rule calculation unit, and there is no need to compile the code. Run, which improves the speed when adding complex event detection rules.
附图说明Description of the drawings
此处的附图被并入说明书中并构成本说明书的一部分,这些附图示出了符合本申请的实施例,并与说明书一起用于说明本申请的技术方案。The accompanying drawings herein are incorporated into the specification and constitute a part of the specification. These drawings illustrate embodiments consistent with the present application, and together with the description, are used to explain the technical solutions of the present application.
图1为本申请实施例提供的一种现有技术中的复杂事件检测方法示意图;Figure 1 is a schematic diagram of a complex event detection method in the prior art provided by an embodiment of the present application;
图2为本申请实施例提供的一种复杂事件检测方法流程图;Figure 2 is a flow chart of a complex event detection method provided by an embodiment of the present application;
图3为本申请实施例提供的一种示例性的复杂事件检测方法流程图;Figure 3 is a flow chart of an exemplary complex event detection method provided by an embodiment of the present application;
图4为本申请实施例提供的一种示例性的复杂事件检测示意图;Figure 4 is a schematic diagram of an exemplary complex event detection provided by an embodiment of the present application;
图5为本申请实施例提供的一种复杂事件检测装置的组成结构示意图一;Figure 5 is a schematic structural diagram of a complex event detection device provided by an embodiment of the present application;
图6为本申请实施例提供的一种复杂事件检测装置的组成结构示意图二。Figure 6 is a schematic diagram 2 of the composition and structure of a complex event detection device provided by an embodiment of the present application.
具体实施方式Detailed ways
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述。应当理解,此处所描述的具体实施例仅仅用以解释本申请,并不用于限定本申请。The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application. It should be understood that the specific embodiments described here are only used to explain the present application and are not used to limit the present application.
目前主流的Flink实时复杂事件检测技术步骤如图1所示,Flink读取复杂事件检测规则形成规则流,再通过广播算子将规则转换成广播流,再将广播流跟事件流绑定,然后通过keyBy算子按照某个固定的字段(一般是用户id、设备id)分组计算,在计算过程中先遍历所有规则,再通过JAVA反射机制识别各个规则,然后将每个事件送入对应的预先定义好的n个规则计算单元中计算,得出计算结果。具体包含以下步骤:The current mainstream Flink real-time complex event detection technology steps are shown in Figure 1. Flink reads complex event detection rules to form a rule stream, then converts the rules into a broadcast stream through broadcast operators, and then binds the broadcast stream to the event stream, and then The keyBy operator is used to group and calculate according to a fixed field (usually user ID, device ID). During the calculation process, all rules are first traversed, and then each rule is identified through the JAVA reflection mechanism, and then each event is sent to the corresponding pre- Calculate in the defined n rule calculation units to obtain the calculation results. Specifically, it includes the following steps:
1、Flink读取复杂事件检测规则形成规则流,其中,规则格式一般是JSON格式的字符串,比如,“dcp用户隐私授权”复杂事件检测规则定义为:1. Flink reads complex event detection rules to form a rule flow. The rule format is generally a string in JSON format. For example, the "dcp user privacy authorization" complex event detection rule is defined as:
{{
"rule_id":"dcp_privacy_grant","rule_id":"dcp_privacy_grant",
"rule_name":"dcp用户隐私授权","rule_name":"dcp user privacy authorization",
"rule_begin_key":"defined_name","rule_begin_key":"defined_name",
"rule_begin_value":"dcp-login-succ","rule_begin_value":"dcp-login-succ",
"rule_middle_key":"action_name","rule_middle_key":"action_name",
"rule_middle_value":"read-privacy-statement","rule_middle_value":"read-privacy-statement",
"rule_end_key":"click_name","rule_end_key":"click_name",
"rule_end_value":"agree","rule_end_value":"agree",
"rule_calc_id":"calc_grant""rule_calc_id":"calc_grant"
}}
2、Flink抽取实时事件流中的事件时间字段来生成实时事件流的水位线。2. Flink extracts the event time field in the real-time event stream to generate the watermark of the real-time event stream.
3、Flink通过广播算子将规则流转换成广播流。3. Flink converts the rule stream into a broadcast stream through the broadcast operator.
4、Flink通过Connect算子将规则流绑定到事件流上,生成绑定规则的事件流。比如,事件流中的某个事件为:4. Flink binds the rule stream to the event stream through the Connect operator to generate an event stream bound to the rules. For example, an event in the event stream is:
Figure PCTCN2022123107-appb-000001
Figure PCTCN2022123107-appb-000001
绑定规则的事件流中的某个事件为:An event in the event stream bound to a rule is:
Figure PCTCN2022123107-appb-000002
Figure PCTCN2022123107-appb-000002
Figure PCTCN2022123107-appb-000003
Figure PCTCN2022123107-appb-000003
5、Flink通过keyBy算子抽取某个固定的字段(一般是用户id、设备id等)将绑定规则的事件流转换成分组流进行分组计算,包括以下具体步骤:5. Flink uses the keyBy operator to extract a fixed field (usually user id, device id, etc.) to convert the event stream of bound rules into a group stream for group calculation, including the following specific steps:
5.1、Flink遍历分组流中的每个事件的每个规则。5.1. Flink traverses each rule of each event in the packet stream.
5.2、Flink通过JAVA反射机制识别各个事件绑定的复杂事件检测规则,包括规则id、规则name、开始规则key、开始规则value、中间规则key、中间规则value、结束规则key、结束规则value、规则计算单元id等信息。5.2. Flink uses the JAVA reflection mechanism to identify complex event detection rules bound to each event, including rule id, rule name, start rule key, start rule value, intermediate rule key, intermediate rule value, end rule key, end rule value, rule Calculate unit id and other information.
5.3、Flink将每个事件送入对应的预先定义好的n个规则计算单元中计算,得出计算结果。其中,复杂事件的计算方法预先定义在各个规则计算单元中。比如,“用户隐私授权”这个复杂事件检测计算单元calc_grant定义为:登录成功事件+阅读协议动作事件+点击同意按钮事件,这3个事件都发生则输出YES,表示检测到“用户隐私授权”这个复杂事件。5.3. Flink sends each event to the corresponding predefined n rule calculation units for calculation and obtains the calculation results. Among them, the calculation method of complex events is predefined in each rule calculation unit. For example, the complex event detection calculation unit calc_grant of "User Privacy Authorization" is defined as: login success event + read agreement action event + click agree button event. If these three events occur, YES will be output, indicating that "User Privacy Authorization" has been detected. Complex events.
对于现有技术中存在的问题,具体可通过以下实施例中的方法进行解决。Problems existing in the prior art can be specifically solved by the methods in the following embodiments.
本申请实施例提供了一种复杂事件检测方法,一种复杂事件检测方法应用于复杂事件检测装置,图2为本申请实施例提供的一种复杂事件检测 方法流程图,如图2所示,复杂事件检测方法可以包括:The embodiment of the present application provides a complex event detection method. The complex event detection method is applied to a complex event detection device. Figure 2 is a flow chart of the complex event detection method provided by the embodiment of the present application. As shown in Figure 2, Complex event detection methods can include:
S101、获取操作事件流,操作事件流中的事件数量为多个。S101. Obtain the operation event stream. The number of events in the operation event stream is multiple.
本申请实施例提供的一种复杂事件检测方法适用于检测复杂事件的场景下。The complex event detection method provided by the embodiment of the present application is suitable for the scenario of detecting complex events.
在本申请实施例中,复杂事件检测装置可以以各种形式来实施。例如,本申请中描述的复杂事件检测装置可以包括诸如服务器等装置。In the embodiment of the present application, the complex event detection device can be implemented in various forms. For example, the complex event detection device described in this application may include a device such as a server.
在本申请实施例中,埋点系统在检测到实时的操作事件的情况下,埋线系统就将该操作事件上报至Kafka消息队列中,复杂事件检测装置可以定时从Kafka消息队列中获取到多个操作事件,得到操作事件流。In the embodiment of this application, when the embedded system detects a real-time operation event, the embedded system reports the operation event to the Kafka message queue. The complex event detection device can regularly obtain multiple messages from the Kafka message queue. operation events to obtain the operation event stream.
需要说明的是,复杂事件检测装置也可以在预设的时间段,就从Kafka消息队列中获取到多个操作事件,得到操作事件流;复杂事件检测装置还可以在Kafka消息队列中的操作事件的数量为预设数量的情况下,复杂事件检测装置就从Kafka消息队列中获取到多个操作事件,得到操作事件流;具体的可以根据实际情况进行确定,本申请实施例对此不作限定。It should be noted that the complex event detection device can also obtain multiple operation events from the Kafka message queue in a preset time period to obtain the operation event stream; the complex event detection device can also obtain operation events in the Kafka message queue. When the number is the preset number, the complex event detection device obtains multiple operation events from the Kafka message queue and obtains the operation event stream; the details can be determined according to the actual situation, and the embodiments of this application are not limited to this.
需要说明的是,预设时间段可以为复杂事件检测装置中配置的时间段;预设时间段也可以为用户输入至复杂事件检测装置中的时间段;具体的复杂事件检测装置得到预设时间段的方式可以根据实际情况进行确定,本申请实施例对此不作限定。It should be noted that the preset time period can be a time period configured in the complex event detection device; the preset time period can also be a time period input by the user into the complex event detection device; a specific complex event detection device obtains the preset time The segment method can be determined according to the actual situation, and the embodiment of the present application does not limit this.
需要说明的是,预设数量可以为复杂事件检测装置中配置的数量;预设数量还可以为其他设备传输至复杂事件检测装置中的数量;具体的复杂事件检测装置得到预设数量的方式可以根据实际情况进行确定,本申请实施例对此不作限定。It should be noted that the preset number can be the number configured in the complex event detection device; the preset number can also be the number transmitted to the complex event detection device by other devices; the specific method for the complex event detection device to obtain the preset number can be The determination is made based on the actual situation, which is not limited in the embodiments of this application.
示例性的,以小额度贷款产品(DCP)为例,检测“DCP用户授权行为耗时”的操作事件检测过程:埋点系统将操作事件实时上报至kafka消息队列,Flink实时消费kafka中的实时的操作事件形成埋点事件实时的操作事件流。操作事件流中的某一操作事件可以为:For example, taking the small loan product (DCP) as an example, the operation event detection process of detecting "DCP user authorization behavior is time-consuming": the hidden system reports the operation event to the Kafka message queue in real time, and Flink consumes the real-time information in Kafka in real time. The operation events form a real-time operation event stream of hidden events. An operation event in the operation event stream can be:
Figure PCTCN2022123107-appb-000004
Figure PCTCN2022123107-appb-000004
需要说明的是,操作事件流中的每一个操作事件都携带有事件操作时间。It should be noted that each operation event in the operation event stream carries the event operation time.
S102、对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑。S102. Bind multiple event rules and multiple event determination logic to each event in the operation event stream.
在本申请实施例中,复杂事件检测装置获取操作事件流之后,复杂事件检测装置就可以对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑。In the embodiment of the present application, after the complex event detection device obtains the operation event stream, the complex event detection device can bind multiple event rules and multiple event determination logics to each event in the operation event stream.
在本申请实施例中,复杂事件检测装置在对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑之后,在多个事件规则或者多个事件确定逻辑变更的情况下,复杂事件检测装置就同时将绑定有操作事件的多个事件规则或者多个事件确定逻辑也进行变更。In the embodiment of the present application, after the complex event detection device binds multiple event rules and multiple event determination logics to each event in the operation event stream, when multiple event rules or multiple event determination logics are changed, , the complex event detection device also changes multiple event rules or multiple event determination logics bound to the operation events at the same time.
需要说明的是,多个事件规则可以与多个事件确定逻辑一一对应,多个事件规则也可以与多个事件确定逻辑不一一对应;具体的可以根据实际情况进行确定,本申请实施例对此不作限定。It should be noted that multiple event rules may have a one-to-one correspondence with multiple event determination logics, and multiple event rules may not have a one-to-one correspondence with multiple event determination logics; the specific determination may be based on the actual situation. Examples of this application There is no limit to this.
在本申请实施例中,复杂事件检测装置可以利用Flink通过Connect算子对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑;复杂事件检测装置也可以利用其他的方式对操作事件流中的每一个事件绑 定多个事件规则与多个事件确定逻辑;具体的复杂事件检测装置对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑的方式可以根据实际情况进行确定,本申请实施例对此不作限定。In the embodiment of this application, the complex event detection device can use Flink to bind multiple event rules and multiple event determination logics to each event in the operation event stream through the Connect operator; the complex event detection device can also use other methods. Bind multiple event rules and multiple event determination logic to each event in the operation event stream; a specific complex event detection device binds multiple event rules and multiple event determination logic to each event in the operation event stream. The method can be determined according to actual conditions, and is not limited in the embodiments of this application.
在本申请实施例中,复杂事件检测装置对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑之前,复杂事件检测装置还会接收配置的多个事件规则与多个事件确定逻辑;复杂事件检测装置向计算引擎广播多个事件规则与多个事件确定逻辑。In the embodiment of the present application, before the complex event detection device binds multiple event rules and multiple event determination logics to each event in the operation event stream, the complex event detection device will also receive multiple configured event rules and multiple event determination logics. Event determination logic; the complex event detection device broadcasts multiple event rules and multiple event determination logic to the computing engine.
在本申请实施例中,多个事件规则与多个事件确定逻辑可以为采用Aviator表达式定义的规则和逻辑;多个事件规则与多个事件确定逻辑还可以为采用其他的方式定义的规则和逻辑;具体的可以根据实际情况进行确定,本申请实施例对此不作限定。In the embodiment of the present application, the multiple event rules and multiple event determination logics can be rules and logic defined using Aviator expressions; the multiple event rules and multiple event determination logics can also be rules and logic defined in other ways. Logic; the details can be determined according to the actual situation, and the embodiments of this application do not limit this.
在本申请实施例中,复杂事件检测装置接收配置的多个事件规则与多个事件确定逻辑之后,复杂事件检测装置就可以将多个事件规则与多个事件确定逻辑存储至数据库中。In the embodiment of the present application, after the complex event detection device receives the configured multiple event rules and multiple event determination logics, the complex event detection device can store the multiple event rules and multiple event determination logics in the database.
需要说明的是,多个事件规则与多个事件确定逻辑包括:规则号、规则是否启用、创建时间、最后更新时间、产品号、指标大类、指标名、指标存储到数据库的字段名、复杂事件大类、复杂事件子类、规则开始条件、规则中间条件、规则结束条件、计算逻辑等信息。It should be noted that multiple event rules and multiple event determination logic include: rule number, whether the rule is enabled, creation time, last update time, product number, indicator category, indicator name, field name where the indicator is stored in the database, complex Event categories, complex event subcategories, rule start conditions, rule intermediate conditions, rule end conditions, calculation logic and other information.
在本申请实施例中,复杂事件检测装置可以利用Flink每隔n秒读取数据库中存储的Aviator表达式作为多个事件规则与多个事件确定逻辑。In the embodiment of this application, the complex event detection device can use Flink to read the Aviator expression stored in the database every n seconds as multiple event rules and multiple event determination logic.
在本申请实施例中,以DCP为例,采用Aviator表达式定义多个事件规则与多个事件确定逻辑,Flink每隔n秒读取数据库中存储的Aviator表达式形成“多个事件规则与多个事件确定逻辑”:In the embodiment of this application, taking DCP as an example, Aviator expressions are used to define multiple event rules and multiple event determination logics. Flink reads the Aviator expressions stored in the database every n seconds to form "multiple event rules and multiple event determination logics". Each event determines the logic":
Figure PCTCN2022123107-appb-000005
Figure PCTCN2022123107-appb-000005
Figure PCTCN2022123107-appb-000006
Figure PCTCN2022123107-appb-000006
在本申请实施例中,复杂事件检测装置可以采用Flink广播算子对多个事件规则与多个事件确定逻辑进行广播,复杂事件检测装置也可以利用其他的广播方式对多个事件规则与多个事件确定逻辑进行广播;具体的复杂事件检测装置向计算引擎广播多个事件规则与多个事件确定逻辑的方式,可以根据实际情况进行确定,本申请实施例对此不作限定。In the embodiment of this application, the complex event detection device can use the Flink broadcast operator to broadcast multiple event rules and multiple event determination logics. The complex event detection device can also use other broadcast methods to broadcast multiple event rules and multiple event determination logics. The event determination logic is broadcast; the specific method of broadcasting multiple event rules and multiple event determination logics to the computing engine by the complex event detection device can be determined according to the actual situation, and is not limited in the embodiments of the present application.
在本申请实施例中,以DCP为例,采用广播算子将“规则跟计算逻辑流”广播出去形成广播流。In the embodiment of this application, taking DCP as an example, a broadcast operator is used to broadcast the "rules and calculation logic flow" to form a broadcast stream.
S103、利用计算引擎确定操作事件流与绑定的多个事件规则之间的匹配性。S103. Use the calculation engine to determine the matching between the operation event stream and the multiple bound event rules.
在本申请实施例中,复杂事件检测装置对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑之后,复杂事件检测装置就可以利用计算引擎确定操作事件流与绑定的多个事件规则之间的匹配性。In the embodiment of the present application, after the complex event detection device binds multiple event rules and multiple event determination logics to each event in the operation event stream, the complex event detection device can use the computing engine to determine the operation event flow and binding Matching between multiple event rules.
在本申请实施例中,计算引擎可以为Aviator表达式引擎;计算引擎也可以为其他的用于计算功能的引擎;具体的可以根据实际情况进行确定, 本申请实施例对此不作限定。In the embodiment of the present application, the calculation engine may be the Aviator expression engine; the calculation engine may also be other engines used for calculation functions; the details may be determined according to the actual situation, which is not limited in the embodiment of the present application.
在本申请实施例中,可以在stateFunc中调用Aviator表达式引擎,利用Aviator表达式引擎来确定操作事件流与绑定的多个事件规则之间的匹配性。In the embodiment of this application, the Aviator expression engine can be called in stateFunc, and the Aviator expression engine can be used to determine the match between the operation event stream and the multiple bound event rules.
在本申请实施例中,复杂事件检测装置利用计算引擎确定操作事件流与绑定的多个事件规则之间的匹配性的过程,包括:复杂事件检测装置在操作事件流中获取预设字段,得到多个字段信息;根据多个字段信息对操作事件流进行分组,得到多组操作事件;确定多组操作事件中的每一组操作事件与绑定的多个事件规则之间的匹配性,直至确定出多组操作事件与绑定的多个事件规则之间的匹配性。In the embodiment of the present application, the process of the complex event detection device using the computing engine to determine the matching between the operation event stream and the multiple bound event rules includes: the complex event detection device obtains the preset fields in the operation event stream, Obtain multiple field information; group the operation event stream according to the multiple field information to obtain multiple groups of operation events; determine the matching between each group of operation events in the multiple groups of operation events and the multiple bound event rules, Until the matching between multiple sets of operation events and multiple bound event rules is determined.
在本申请实施例中,预设字段可以为复杂事件检测装置中配置的字段;预设字段也可以为其他装置传输至复杂事件检测装置中的字段;预设字段还可以为复杂事件检测装置以其他的方式得到的字段;具体的复杂事件检测装置得到预设字段的方式可以根据实际情况进行确定,本申请号实施例对此不作限定。In the embodiment of the present application, the preset field can be a field configured in the complex event detection device; the preset field can also be a field transmitted to the complex event detection device by other devices; the preset field can also be a field configured by the complex event detection device. Fields obtained in other ways; the specific way in which the complex event detection device obtains the preset fields can be determined according to the actual situation, and this is not limited in the embodiment of this application number.
需要说明的是,预设字段可以为用户id,预设字段也可以为设备id,预设字段还可以为其他的字段信息;具体的预设字段可以根据实际情况进行确定,本申请实施例对此不作限定。It should be noted that the preset field can be user id, the preset field can also be device id, and the preset field can also be other field information; the specific preset field can be determined according to the actual situation. The embodiments of this application are This is not a limitation.
还需要说明的是,操作事件流中的每一个操作事件中都携带有预设字段对应的字段信息。It should also be noted that each operation event in the operation event stream carries field information corresponding to the preset field.
在本申请实施例中,复杂事件检测装置可以采用Flink的map算子自定义一个状态计算函数stateFunc,以利用stateFunc对多组操作事件中的每一组操作事件遍历自身绑定的多个事件规则与多个事件确定逻辑。以DCP为例,对绑定多个事件规则与多个事件确定逻辑的多组操作事件中的每个操作事件遍历自身绑定的多个事件规则与多个事件确定逻辑。In the embodiment of this application, the complex event detection device can use Flink's map operator to customize a state calculation function stateFunc, so that stateFunc can be used to traverse multiple event rules bound to itself for each group of operating events in multiple groups. Determine logic with multiple events. Taking DCP as an example, each operation event in multiple groups of operation events that are bound to multiple event rules and multiple event determination logics traverses the multiple event rules and multiple event determination logics bound to itself.
在本申请实施例中,复杂事件检测装置根据多个字段信息对操作事件流进行分组,得到多组操作事件的过程,包括:复杂事件检测装置对多个 字段信息分别进行校验,得到多个校验值;复杂事件检测装置对多个校验值进行哈希处理,得到多个哈希信息;复杂事件检测装置根据多个哈希信息对操作事件流进行分组,得到多组操作事件。In the embodiment of the present application, the complex event detection device groups the operation event stream according to multiple field information, and the process of obtaining multiple groups of operation events includes: the complex event detection device separately verifies the multiple field information, and obtains multiple Check value; the complex event detection device performs hash processing on multiple check values to obtain multiple hash information; the complex event detection device groups the operation event stream according to the multiple hash information to obtain multiple groups of operation events.
在本申请实施例中,复杂事件检测装置对多个校验值进行哈希处理,得到多个哈希信息的方式,包括复杂事件检测装置根据多个校验值对算子并行度进行取模处理,得到多个哈希信息;还可以为复杂事件检测装置以其他的方式,根据多个校验值,得到多个哈希信息;具体的可以根据实际情况进行确定,本申请实施例对此不作限定。In the embodiment of the present application, the complex event detection device performs hash processing on multiple check values to obtain multiple hash information, including the complex event detection device modulo operator parallelism based on multiple check values. Process to obtain multiple hash information; the complex event detection device can also obtain multiple hash information based on multiple check values in other ways; the specific determination can be based on the actual situation, and the embodiment of the present application is Not limited.
需要说明的是,算子并行度可以为复杂事件检测装置中的中央处理器(Central Processing Unit,CPU)的数量。示例性的,算子并行度可以为200核的中央处理器。It should be noted that the operator parallelism can be the number of central processing units (Central Processing Unit, CPU) in the complex event detection device. For example, the operator parallelism may be a 200-core central processing unit.
在本申请实施例中,复杂事件检测装置对多个字段信息分别进行校验,得到多个校验值的方式,可以为复杂事件检测装置利用CRC32校验方式对多个字段信息分别进行校验,得到多个校验值;也可以为复杂事件检测装置利用其他的校验方式对多个字段信息分别进行校验,得到多个校验值;具体的可以根据实际情况进行确定,本申请实施例对此不作限定。In the embodiment of the present application, the complex event detection device separately verifies multiple field information to obtain multiple check values. The complex event detection device can use the CRC32 verification method to separately verify multiple field information. , to obtain multiple check values; the complex event detection device can also use other verification methods to separately verify multiple field information and obtain multiple check values; the specifics can be determined according to the actual situation, and this application implements This example does not limit this.
需要说明的是,多个字段信息与多个校验值一一对应,即一个字段信息对应一个校验值。It should be noted that multiple field information corresponds to multiple check values one-to-one, that is, one field information corresponds to one check value.
在本申请实施例中,哈希信息为hashId。多个哈希信息与多个校验值一一对应,即一个哈希信息对应一个校验值。In the embodiment of this application, the hash information is hashId. Multiple hash information corresponds to multiple check values one-to-one, that is, one hash information corresponds to one check value.
在本申请实施例中,以DCP为例,抽取user_id字段的CRC32校验值对算子的并行度100进行模运算,即hashId=mod(crc32('xxxxxxxxxxxxxxxxx001'),100)+1,得到值hashId=91。In the embodiment of this application, taking DCP as an example, extract the CRC32 check value of the user_id field and perform modulo operation on the parallelism degree of the operator 100, that is, hashId=mod(crc32('xxxxxxxxxxxxxxxxx001'),100)+1 to obtain the value hashId=91.
在本申请实施例中,复杂事件检测装置可以将多个哈希信息作为Flink的keyBy算子的入参,生成多组操作事件。In the embodiment of this application, the complex event detection device can use multiple hash information as input parameters of Flink's keyBy operator to generate multiple sets of operation events.
在本申请实施例中,以DCP为例,通过keyBy算子将绑定多个事件规 则的操作事件流根据hashId分组并生成按key分组的多组操作事件,如,用户信息为user_id=xxxxxxxxxxxxxxxxx00操作事件和用户信息为user_id=simulator_dcp_delta4_sit631的操作事件有相同的hashId,即这两个用户的操作事件会分到同一组中,这样即使user_id=xxxxxxxxxxxxxxxxx001的用户没有后续的操作事件,只要其他hashId=91的用户有后续的操作事件就可以触发当前分组的水位线提升,从而触发user_id=xxxxxxxxxxxxxxxxx001的用户的操作事件数据的计算。In the embodiment of this application, taking DCP as an example, the keyBy operator is used to group the operation event streams bound to multiple event rules according to hashId and generate multiple groups of operation events grouped by key. For example, the user information is user_id=xxxxxxxxxxxxxxxxx00 operation The event and the operation event with user information user_id=simulator_dcp_delta4_sit631 have the same hashId, that is, the operation events of these two users will be grouped into the same group, so even if the user with user_id=xxxxxxxxxxxxxxxxx001 has no subsequent operation events, as long as the other hashId=91 If the user has subsequent operation events, the water level of the current group can be raised, thereby triggering the calculation of the operation event data of the user with user_id=xxxxxxxxxxxxxxxxx001.
S104、在匹配的情况下,从操作事件流中筛选事件操作时间小于目标水位线的目标事件;目标水位线为根据操作事件流对应的多个事件操作时间确定的时间。S104. In the case of matching, filter target events whose event operation time is less than the target water level from the operation event stream; the target water level is a time determined based on multiple event operation times corresponding to the operation event stream.
在本申请实施例中,复杂事件检测装置利用计算引擎确定操作事件流与绑定的多个事件规则之间的匹配性之后,复杂事件检测装置在确定出匹配的情况下,就从操作事件流中筛选事件操作时间小于目标水位线的目标事件。In the embodiment of the present application, after the complex event detection device uses the calculation engine to determine the match between the operation event stream and the multiple bound event rules, the complex event detection device determines the match from the operation event stream. Filter the target events whose event operation time is less than the target water level.
在本申请实施例中,在匹配的情况下,复杂事件检测装置就将该操作事件写入状态列表,在不匹配的情况下,复杂事件检测装置就将该操作事件删除。In the embodiment of the present application, if there is a match, the complex event detection device writes the operation event into the status list; if there is no match, the complex event detection device deletes the operation event.
在本申请实施例中,复杂事件检测装置从操作事件流中筛选事件操作时间小于目标水位线的目标事件的过程,可以为复杂事件检测装置获取状态列表中的第一操作事件,复杂事件检测装置从第一操作事件中筛选事件操作时间小于目标水位线的目标事件。In the embodiment of the present application, the complex event detection device selects target events whose operation time is less than the target water level from the operation event stream, and can obtain the first operation event in the status list for the complex event detection device. The complex event detection device Target events whose event operation time is less than the target water level are filtered from the first operation events.
需要说明的是,第一操作事件为添加至状态列表中的所有的操作事件。It should be noted that the first operation event is all operation events added to the status list.
在本申请实施例中,以DCP为例,即判断规则开始条件、规则中间条件、规则结束条件是否满足,对于以下“绑定规则跟计算逻辑的事件流”中的begin事件跟end事件,Aviator表达式引擎会判定RULE_BEGIN跟RULE_END的结果为true,并将这两个事件写入状态中。In the embodiment of this application, taking DCP as an example, that is, determining whether the rule start condition, rule intermediate condition, and rule end condition are met. For the begin event and end event in the following "event flow of binding rules and calculation logic", Aviator The expression engine will determine that the results of RULE_BEGIN and RULE_END are true and write these two events into the state.
begin事件:begin event:
Figure PCTCN2022123107-appb-000007
Figure PCTCN2022123107-appb-000007
end事件:end event:
Figure PCTCN2022123107-appb-000008
Figure PCTCN2022123107-appb-000008
在本申请实施例中,复杂事件检测装置从操作事件流中筛选事件操作时间小于目标水位线的目标事件之前,复杂事件检测装置还会获取操作事件流对应的多个事件操作时间,并根据多个事件操作时间生成多个水位线;复杂事件检测装置对多个水位线进行合并处理,得到合并水位线;复杂事件检测装置从合并水位线和预设水位线中,筛选水位线值最小的目标水位线。In the embodiment of the present application, the complex event detection device filters the event operation time from the operation event stream before the target event that is smaller than the target water level. The complex event detection device also obtains multiple event operation times corresponding to the operation event stream, and based on the multiple event operation times, Each event operation time generates multiple water levels; the complex event detection device merges multiple water levels to obtain a merged water level; the complex event detection device selects the target with the smallest water level value from the merged water level and the preset water level Water level.
在本申请实施例中,Flink抽取操作事件流中的事件操作时间字段生成对应的水位线。In the embodiment of this application, Flink extracts the event operation time field in the operation event stream to generate the corresponding water mark.
在本申请实施例中,复杂事件检测装置根据多个事件操作时间生成多个水位线的方式,可以为复杂事件检测装置利用容忍乱序预设时长作为水位线的生成策略,生成多个水位线;也可以为复杂事件检测装置将多个事件操作时间作为多个水位线;具体的复杂事件检测装置根据多个事件操作时间生成多个水位线的方式可以根据实际情况进行确定,本申请实施例对此不作限定。In the embodiment of the present application, the complex event detection device generates multiple watermarks based on multiple event operation times. The complex event detection device can generate multiple watermarks by using the preset duration of tolerating disorder as a watermark generation strategy. ; It is also possible for the complex event detection device to use multiple event operation times as multiple water levels; the specific way in which the complex event detection device generates multiple water levels according to the multiple event operation times can be determined according to the actual situation. Embodiments of the present application There is no limit to this.
在本申请实施例中,预设时长可以为复杂事件检测装置中配置的时长;预设时长也可以为其他装置传输至复杂事件检测装置中的时长;具体的复杂事件检测装置得到预设时长的方式可以根据实际情况进行确定,本申请实施例对此不作限定。In the embodiment of the present application, the preset duration can be the duration configured in the complex event detection device; the preset duration can also be the duration transmitted to the complex event detection device by other devices; the specific complex event detection device obtains the preset duration The method can be determined according to actual conditions, and is not limited in the embodiments of this application.
需要说明的是,预设时长可以为5秒,预设时长也可以为3秒,预设时长还可以为1秒,具体的预设时长可以根据实际情况进行确定,本申请实施例对此不作限定。It should be noted that the preset duration can be 5 seconds, the preset duration can also be 3 seconds, and the preset duration can also be 1 second. The specific preset duration can be determined according to the actual situation, and this is not the case in the embodiments of this application. limited.
在本申请实施例中,以DCP为例,Flink抽取实时事件流中的timestamp字段作为水位线生成器的入参,用容忍乱序5秒作为水位线生成策略,生成事件流水位线,In the embodiment of this application, taking DCP as an example, Flink extracts the timestamp field in the real-time event stream as the input parameter of the watermark generator, and uses the tolerance of disorder for 5 seconds as the watermark generation strategy to generate the event pipeline watermark.
水位线形态如下:The water level line shape is as follows:
Watermark:1646877595000Watermark: 1646877595000
对应的事件数据形态如下:The corresponding event data format is as follows:
Figure PCTCN2022123107-appb-000009
Figure PCTCN2022123107-appb-000009
在本申请实施例中,预设水位线可以为复杂事件检测装置中配置的水位线;预设水位线也可以为其他装置传输至复杂事件检测装置中水位线;具体的复杂事件检测装置得到预设水位线的方式可以根据实际情况进行确定,本申请实施例对此不作限定。In the embodiment of the present application, the preset water level can be the water level configured in the complex event detection device; the preset water level can also be the water level transmitted to the complex event detection device by other devices; the specific complex event detection device is preset The method of setting the water level can be determined according to actual conditions, and is not limited in the embodiments of the present application.
需要说明的是,预设水位线可以为Long类型的最大值,预设水位线也可以为其他的值;具体的预设水位线可以根据实际情况进行确定,本申请实施例对此不作限定。It should be noted that the preset water level can be the maximum value of the Long type, and the preset water level can also be other values; the specific preset water level can be determined according to the actual situation, and this is not limited in the embodiments of the present application.
在本申请实施例中,以DCP为例,采用2的63次方-1作为水位线生成器的入参来生成预设水位线,预设水位线可以为:watermark:0x7fffffffffffffffL。In the embodiment of this application, taking DCP as an example, 2 raised to the power of 63 -1 is used as the input parameter of the water level generator to generate a preset water level. The preset water level can be: watermark:0x7fffffffffffffffL.
在本申请实施例中,以DCP为例,通过connect算子连接操作事件流和多个事件规则与多个事件确定逻辑,生成绑定多个事件规则与多个事件确定逻辑的操作事件流,抽取操作事件流中的用户id字段并计算CRC32校验值然后对算子并行度进行模运算生成hashId,取事件流的水位线(件操作时间)和规则流的水位线(预设水位线)二者较小的值作为目标水位线。In the embodiment of this application, taking DCP as an example, the operation event stream and multiple event rules and multiple event determination logics are connected through the connect operator to generate an operation event stream that binds multiple event rules and multiple event determination logics. Extract the user id field in the operation event stream and calculate the CRC32 check value, then perform a modular operation on the operator parallelism to generate a hashId, and take the water level of the event stream (piece operation time) and the water level of the rule flow (preset water level) The smaller value of the two is used as the target water level.
在本申请实施例中,复杂事件检测装置对多个水位线进行合并处理,得到合并水位线的过程,包括:复杂事件检测装置从多个水位线中获取水位线值最大的第一水位线;复杂事件检测装置将第一水位线作为合并水位线。In the embodiment of the present application, the complex event detection device merges multiple water levels to obtain the merged water level, which includes: the complex event detection device obtains the first water level with the largest water level value from the multiple water levels; The complex event detection device uses the first water level as the merged water level.
S105、根据多个事件确定逻辑确定目标事件的确定结果,以根据确定结果确定目标事件为复杂事件。S105. Determine the determination result of the target event according to multiple event determination logics, so as to determine the target event as a complex event according to the determination result.
在本申请实施例中,复杂事件检测装置从操作事件流中筛选事件操作时间小于目标水位线的目标事件之后,复杂事件检测装置就可以根据多个事件确定逻辑确定目标事件的确定结果,以根据确定结果确定目标事件为复杂事件。In the embodiment of the present application, after the complex event detection device filters target events whose event operation time is less than the target water level from the operation event stream, the complex event detection device can determine the determination result of the target event based on multiple event determination logics. The determination result determines that the target event is a complex event.
在本申请实施例中,复杂事件检测装置根据多个事件确定逻辑确定目标事件的确定结果的过程,可以为复杂事件检测装置调用Aviator表达式引擎根据多个事件确定逻辑确定目标事件的确定结果。In the embodiment of the present application, the complex event detection device determines the determination result of the target event based on multiple event determination logics. The complex event detection device may call the Aviator expression engine to determine the determination result of the target event based on multiple event determination logics.
在本申请实施例中,复杂事件检测装置在stateFunc中读取当前hashId(相同hashId对应的)所有的状态数据,该状态数据对应操作事件即为第一操作事件,复杂事件检测装置从第一操作事件中筛选事件操作时间小于目标水位线的目标事件,并对该目标事件进行复杂事件检测,并调用Aviator表达式引擎解析并执行计算逻辑,生成目标事件的确定结果。In the embodiment of this application, the complex event detection device reads all the status data of the current hashId (corresponding to the same hashId) in stateFunc. The operation event corresponding to the status data is the first operation event. The complex event detection device starts from the first operation event. The events are screened for target events whose event operation time is less than the target water level, and complex event detection is performed on the target event, and the Aviator expression engine is called to parse and execute the calculation logic to generate the final result of the target event.
在本申请实施例中,以DCP为例,即读取当前hashId=91的分组所有的状态数据,再在该状态数据对应的第一操作事件中筛选事件操作时间小于目标水位线的目标事件,再将具有相同user_id并且相同RULE_ID的事件放在一起进行计算,事件规则根据复杂事件大类、复杂事件子类、事件确定逻辑而定,比如CEP_TYPE=deltaTime并且CEP_SUBTYPE=1且CEP_CALC_EXPRESS=END.timestamp-BEGIN.timestamp,表示非严格连续的两个事件的时间差,复杂事件检测后的事件确定逻辑=结束事件的事件时间-开始事件的事件时间,调用Aviator表达式引擎解析并执行事件确定逻辑, 即calc_grant_delta_time=1646877700000-1646877600000=1000000毫秒。In the embodiment of this application, taking DCP as an example, that is, reading all the status data of the current group with hashId = 91, and then filtering the target events whose event operation time is less than the target water level in the first operation event corresponding to the status data. Events with the same user_id and the same RULE_ID are then put together for calculation. The event rules are determined according to the complex event category, complex event subcategory, and event determination logic, such as CEP_TYPE=deltaTime and CEP_SUBTYPE=1 and CEP_CALC_EXPRESS=END.timestamp- BEGIN.timestamp, represents the time difference between two non-strictly continuous events. The event determination logic after complex event detection = the event time of the end event - the event time of the start event. Call the Aviator expression engine to parse and execute the event determination logic, that is, calc_grant_delta_time =1646877700000-1646877600000=1000000 milliseconds.
在本申请实施例中,复杂事件检测装置在stateFunc中清除已经计算过的复杂事件对应的操作事件的状态,以及未匹配到事件规则的操作事件的状态。以DCP为例,即删除已经计算过的复杂事件对应的操作事件的状态,以及未匹配到事件规则的操作事件的状态。In the embodiment of the present application, the complex event detection device clears the status of the operation events corresponding to the calculated complex events in the stateFunc, as well as the status of the operation events that do not match the event rules. Taking DCP as an example, that is, the status of the operation events corresponding to the calculated complex events is deleted, as well as the status of the operation events that do not match the event rules.
在本申请实施例中,一种示例性的复杂事件检测方法如图3所示:In this embodiment of the present application, an exemplary complex event detection method is shown in Figure 3:
S30、复杂事件检测装置接收配置的多个事件规则与多个事件确定逻辑,并向计算引擎广播多个事件规则与多个事件确定逻辑。S30. The complex event detection device receives the configured multiple event rules and multiple event determination logics, and broadcasts the multiple event rules and multiple event determination logics to the computing engine.
S31、复杂事件检测装置获取操作事件流对应的多个事件操作时间,并根据多个事件操作时间生成多个水位线。S31. The complex event detection device obtains multiple event operation times corresponding to the operation event stream, and generates multiple watermarks based on the multiple event operation times.
S32、复杂事件检测装置对多个水位线进行合并处理,得到合并水位线。S32. The complex event detection device merges multiple water levels to obtain a merged water level.
S33、复杂事件检测装置从合并水位线和预设水位线中,筛选水位线值最小的目标水位线。S33. The complex event detection device selects the target water level with the smallest water level value from the combined water level and the preset water level.
S34、复杂事件检测装置获取操作事件流,并对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑。S34. The complex event detection device obtains the operation event stream, and binds multiple event rules and multiple event determination logics to each event in the operation event stream.
需要说明的是,操作事件流中的事件数量为多个。It should be noted that the number of events in the operation event stream is multiple.
S35、复杂事件检测装置在操作事件流中获取预设字段,得到多个字段信息;并对多个字段信息分别进行校验,得到多个校验值。S35. The complex event detection device obtains preset fields in the operation event stream and obtains multiple field information; and performs verification on the multiple field information respectively to obtain multiple verification values.
S36、复杂事件检测装置对多个校验值进行哈希处理,得到多个哈希信息;并根据多个哈希信息对操作事件流进行分组,得到多组操作事件。S36. The complex event detection device performs hash processing on multiple check values to obtain multiple hash information; and groups the operation event streams according to the multiple hash information to obtain multiple groups of operation events.
S37、复杂事件检测装置确定多组操作事件中的每一组操作事件与绑定的多个事件规则之间的匹配性,直至确定出多组操作事件与绑定的多个事件规则之间的匹配性。S37. The complex event detection device determines the matching between each group of operation events in the multiple groups of operation events and the multiple bound event rules until the matching between the multiple groups of operation events and the multiple bound event rules is determined. Matchability.
S38、在匹配的情况下,复杂事件检测装置从操作事件流中筛选事件操作时间小于目标水位线的目标事件。S38. In the case of matching, the complex event detection device filters target events whose event operation time is less than the target water level from the operation event stream.
需要说明的是,目标水位线为根据操作事件流对应的多个事件操作时 间确定的时间。It should be noted that the target water level is a time determined based on multiple event operation times corresponding to the operation event stream.
S39、复杂事件检测装置根据多个事件确定逻辑确定目标事件的确定结果,以根据确定结果确定目标事件为复杂事件。S39. The complex event detection device determines the determination result of the target event based on multiple event determination logics, and determines the target event as a complex event based on the determination result.
示例性的,如图4所示:以DCP为例,复杂事件检测装置检测“DCP用户授权行为耗时”的操作事件检测过程:埋点系统将操作事件实时上报至kafka消息队列,Flink实时消费kafka中的实时的操作事件形成埋点事件实时的操作事件流。Flink抽取实时事件流中的timestamp字段作为水位线生成器的入参,用容忍乱序5秒作为水位线生成策略,生成事件流水对应的位线。采用Aviator表达式定义多个事件规则与多个事件确定逻辑,Flink每隔n秒读取数据库中存储的Aviator表达式形成“多个事件规则与多个事件确定逻辑”。采用2的63次方-1作为水位线生成器的入参来生成预设水位线。采用广播算子将“多个事件规则与多个事件确定逻辑(规则和计算逻辑流)”广播出去形成广播流。抽取user_id字段的CRC32校验值对算子的并行度100进行模运算,得到hashId=91。通过connect算子连接(绑定)操作事件流和多个事件规则与多个事件确定逻辑,生成绑定多个事件规则与多个事件确定逻辑的操作事件流(绑定操作事件流与规则和计算逻辑流),抽取操作事件流中的用户id字段并计算CRC32校验值然后对算子并行度进行模运算生成hashId,取事件流的水位线(件操作时间)和规则流的水位线(预设水位线)二者较小的值作为目标水位线。通过keyBy算子将绑定多个事件规则的操作事件流根据hashId分组并生成按key分组的多组操作事件,如,用户信息为user_id=xxxxxxxxxxxxxxxxx00操作事件和用户信息为user_id=simulator_dcp_delta4_sit631的操作事件有相同的hashId,即这两个用户的操作事件会分到同一组中,这样即使user_id=xxxxxxxxxxxxxxxxx001的用户没有后续的操作事件,只要其他hashId=91的用户有后续的操作事件就可以触发当前分组的水位线提升,从而触发user_id=xxxxxxxxxxxxxxxxx001的用户的操作事件数据的计算。对 绑定多个事件规则与多个事件确定逻辑的多组操作事件中的每个操作事件遍历自身绑定的多个事件规则与多个事件确定逻辑。以DCP为例,即判断规则开始条件、规则中间条件、规则结束条件是否满足,对于以下“绑定规则跟计算逻辑的事件流”中的begin事件跟end事件,Aviator表达式引擎会判定RULE_BEGIN跟RULE_END的结果为true,并将这两个事件写入状态中。读取当前hashId=91的分组所有的状态数据,再在该状态数据对应的第一操作事件中筛选事件操作时间小于目标水位线的目标事件,再将具有相同user_id并且相同RULE_ID的事件放在一起进行计算,事件规则根据复杂事件大类、复杂事件子类、事件确定逻辑而定,比如CEP_TYPE=deltaTime并且CEP_SUBTYPE=1且CEP_CALC_EXPRESS=END.timestamp-BEGIN.timestamp,表示非严格连续的两个事件的时间差,复杂事件检测后的事件确定逻辑=结束事件的事件时间-开始事件的事件时间,调用Aviator表达式引擎解析并执行事件确定逻辑(得到目标事件的确定结果)。删除已经计算过的复杂事件对应的操作事件的状态,以及未匹配到事件规则的操作事件的状态。Illustratively, as shown in Figure 4: Taking DCP as an example, the complex event detection device detects the operation event detection process of "DCP user authorization behavior is time-consuming": the hidden system reports the operation event to the kafka message queue in real time, and Flink consumes it in real time The real-time operation events in Kafka form a real-time operation event stream of hidden events. Flink extracts the timestamp field in the real-time event stream as the input parameter of the watermark generator, and uses the tolerance of disorder for 5 seconds as the watermark generation strategy to generate the bitlines corresponding to the event pipeline. Aviator expressions are used to define multiple event rules and multiple event determination logic. Flink reads the Aviator expression stored in the database every n seconds to form "multiple event rules and multiple event determination logic". Use 2 to the power of 63 -1 as the input parameter of the water level generator to generate a preset water level. The broadcast operator is used to broadcast "multiple event rules and multiple event determination logic (rules and calculation logic flow)" to form a broadcast stream. Extract the CRC32 check value of the user_id field and perform modulo operation on the operator's parallelism degree of 100 to obtain hashId=91. The connect operator connects (binds) the operation event stream and multiple event rules with multiple event determination logic to generate an operation event stream that binds multiple event rules and multiple event determination logic (binds the operation event stream with the rules and Calculate the logical flow), extract the user id field in the operation event stream and calculate the CRC32 check value, then perform a modular operation on the operator parallelism to generate a hashId, and take the watermark of the event stream (piece operation time) and the watermark of the rule stream ( The smaller of the two values (default water level) is used as the target water level. The keyBy operator is used to group the operation event streams bound to multiple event rules according to hashId and generate multiple groups of operation events grouped by key. For example, the operation event with user information = user_id = xxxxxxxxxxxxxxxxx00 and the operation event with user information = user_id = simulator_dcp_delta4_sit631 are With the same hashId, that is, the operation events of these two users will be grouped into the same group. In this way, even if the user with user_id=xxxxxxxxxxxxxxxxx001 has no subsequent operation events, as long as other users with hashId=91 have subsequent operation events, the current group can be triggered. The water level is raised, thereby triggering the calculation of the operation event data of the user with user_id=xxxxxxxxxxxxxxxxx001. For each operation event in multiple groups of operation events bound to multiple event rules and multiple event determination logics, each operation event traverses the multiple event rules and multiple event determination logics bound to itself. Taking DCP as an example, it determines whether the rule start condition, rule intermediate condition, and rule end condition are met. For the begin event and end event in the following "Event Flow of Binding Rules and Calculation Logic", the Aviator expression engine will determine whether RULE_BEGIN and RULE_END evaluates to true and writes both events to the state. Read all the status data of the current group with hashId = 91, then filter the target events whose event operation time is less than the target water level in the first operation event corresponding to the status data, and then put the events with the same user_id and the same RULE_ID together. Calculation is performed, and the event rules are determined according to the complex event category, complex event subcategory, and event determination logic. For example, CEP_TYPE=deltaTime and CEP_SUBTYPE=1 and CEP_CALC_EXPRESS=END.timestamp-BEGIN.timestamp, indicating two non-strictly consecutive events. Time difference, event determination logic after complex event detection = event time of the end event - event time of the start event, call the Aviator expression engine to parse and execute the event determination logic (get the determination result of the target event). Delete the status of the operation events corresponding to the calculated complex events, as well as the status of the operation events that do not match the event rules.
可以理解的是,复杂事件检测装置由于多个事件规则与多个事件确定逻辑为表达式形式的规则与逻辑,在新增复杂事件检测规则和事件确定逻辑的情况下,可以直接将新增的复杂事件检测规则和事件确定逻辑广播至计算引擎,以利用计算引擎对表达式形式的新增规则进行解析、运算,不需要再新增规则计算单元的代码,也不需要在对代码进行编译运行,提高了增加复杂事件检测规则时的速度。It can be understood that the complex event detection device has multiple event rules and multiple event determination logics in the form of expressions. When complex event detection rules and event determination logic are added, the newly added event detection rules and event determination logic can be directly added. Complex event detection rules and event determination logic are broadcast to the calculation engine, so that the calculation engine can be used to parse and calculate new rules in the form of expressions. There is no need to add code for the rule calculation unit, nor to compile and run the code. , improves the speed when adding complex event detection rules.
基于与上述复杂事件检测方法的同一发明构思,本申请实施例提供了一种复杂事件检测装置1,对应于一种复杂事件检测方法;图5为本申请实施例提供的一种复杂事件检测装置的组成结构示意图一,该复杂事件检测装置1可以包括:Based on the same inventive concept as the above complex event detection method, the embodiment of the present application provides a complex event detection device 1, corresponding to a complex event detection method; Figure 5 is a complex event detection device provided by the embodiment of the present application. Schematic diagram 1 of the composition structure of the complex event detection device 1 may include:
获取部分11,配置为获取操作事件流,所述操作事件流中的事件数量为多个;The acquisition part 11 is configured to acquire an operation event stream, where the number of events in the operation event stream is multiple;
绑定部分12,配置为对所述操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑;The binding part 12 is configured to bind multiple event rules and multiple event determination logic to each event in the operation event stream;
确定部分13,配置为利用计算引擎确定所述操作事件流与绑定的多个事件规则之间的匹配性;根据所述多个事件确定逻辑确定目标事件的确定结果,以根据所述确定结果确定所述目标事件为复杂事件;The determination part 13 is configured to use the calculation engine to determine the matching between the operation event stream and the multiple bound event rules; determine the determination result of the target event according to the multiple event determination logic, so as to determine the result of the target event according to the determination result. Determine that the target event is a complex event;
筛选部分14,配置为在匹配的情况下,从所述操作事件流中筛选事件操作时间小于目标水位线的所述目标事件;所述目标水位线为根据所述操作事件流对应的多个事件操作时间确定的时间。The filtering part 14 is configured to filter the target events whose event operation time is less than the target water level from the operation event stream in the case of matching; the target water level is a plurality of events corresponding to the operation event stream. The operating time is determined by the time.
在本申请的一些实施例中,所述装置还包括接收部分和广播部分;In some embodiments of the present application, the device further includes a receiving part and a broadcasting part;
所述接收部分,配置为接收配置的多个事件规则与多个事件确定逻辑;The receiving part is configured to receive multiple configured event rules and multiple event determination logics;
所述广播部分,配置为向所述计算引擎广播所述多个事件规则与多个事件确定逻辑。The broadcast part is configured to broadcast the plurality of event rules and the plurality of event determination logic to the computing engine.
在本申请的一些实施例中,所述装置还包括分组部分;In some embodiments of the present application, the device further includes a grouping part;
所述获取部分11,配置为在所述操作事件流中获取预设字段,得到多个字段信息;The acquisition part 11 is configured to acquire preset fields in the operation event stream and obtain multiple field information;
所述分组部分,配置为根据所述多个字段信息对所述操作事件流进行分组,得到多组操作事件;The grouping part is configured to group the operation event stream according to the plurality of field information to obtain multiple groups of operation events;
所述确定部分13,配置为确定所述多组操作事件中的每一组操作事件与绑定的多个事件规则之间的匹配性,直至确定出所述多组操作事件与绑定的多个事件规则之间的匹配性。The determination part 13 is configured to determine the matching between each group of operation events in the plurality of groups of operation events and a plurality of bound event rules, until it is determined that the plurality of groups of operation events and the plurality of bound event rules are matched. Matching between event rules.
在本申请的一些实施例中,所述装置还包括校验部分和处理部分;In some embodiments of the present application, the device further includes a verification part and a processing part;
所述校验部分,配置为对所述多个字段信息分别进行校验,得到多个校验值;The verification part is configured to verify the plurality of field information respectively and obtain multiple verification values;
所述处理部分,配置为对所述多个校验值进行哈希处理,得到多个哈 希信息;The processing part is configured to perform hash processing on the multiple check values to obtain multiple hash information;
所述分组部分,配置为根据所述多个哈希信息对所述操作事件流进行分组,得到所述多组操作事件。The grouping part is configured to group the operation event stream according to the plurality of hash information to obtain the plurality of groups of operation events.
在本申请的一些实施例中,所述获取部分11,配置为获取所述操作事件流对应的多个事件操作时间,并根据所述多个事件操作时间生成多个水位线;In some embodiments of the present application, the acquisition part 11 is configured to acquire multiple event operation times corresponding to the operation event stream, and generate multiple watermarks based on the multiple event operation times;
所述处理部分,配置为对所述多个水位线进行合并处理,得到合并水位线;The processing part is configured to merge the plurality of water levels to obtain a merged water level;
所述筛选部分14,配置为从所述合并水位线和预设水位线中,筛选水位线值最小的目标水位线。The screening part 14 is configured to screen the target water level with the smallest water level value from the merged water level and the preset water level.
在本申请的一些实施例中,所述获取部分11,配置为从所述多个水位线中获取水位线值最大的第一水位线;将所述第一水位线作为所述合并水位线。In some embodiments of the present application, the acquisition part 11 is configured to acquire the first water level with the largest water level value from the multiple water levels; and use the first water level as the merged water level.
需要说明的是,在实际应用中,上述获取部分11、绑定部分12、确定部分13和筛选部分14可由复杂事件检测装置1上的处理器15实现,具体为CPU(Central Processing Unit,中央处理器)、MPU(Microprocessor Unit,微处理器)、DSP(Digital Signal Processing,数字信号处理器)或现场可编程门阵列(FPGA,Field Programmable Gate Array)等实现;上述数据存储可由复杂事件检测装置1上的存储器16实现。It should be noted that in practical applications, the above-mentioned acquisition part 11, binding part 12, determination part 13 and filtering part 14 can be implemented by the processor 15 on the complex event detection device 1, specifically a CPU (Central Processing Unit, central processing unit). processor), MPU (Microprocessor Unit, microprocessor), DSP (Digital Signal Processing, digital signal processor) or field programmable gate array (FPGA, Field Programmable Gate Array), etc.; the above data storage can be implemented by a complex event detection device 1 implemented on the memory 16.
本申请实施例还提供了一种复杂事件检测装置1,如图6所示,所述复杂事件检测装置1包括:处理器15、存储器16和通信总线17,所述存储器16通过所述通信总线17与所述处理器15进行通信,所述存储器16存储所述处理器15可执行的程序,当所述程序被执行时,通过所述处理器15执行如上述所述的复杂事件检测方法。The embodiment of the present application also provides a complex event detection device 1. As shown in Figure 6, the complex event detection device 1 includes: a processor 15, a memory 16 and a communication bus 17. The memory 16 passes through the communication bus. 17 communicates with the processor 15, and the memory 16 stores a program executable by the processor 15. When the program is executed, the complex event detection method as described above is executed by the processor 15.
在实际应用中,上述存储器16可以是易失性存储器(volatile memory),例如随机存取存储器(Random-Access Memory,RAM);或者非易失性存 储器(non-volatile memory),例如只读存储器(Read-Only Memory,ROM),快闪存储器(flash memory),硬盘(Hard Disk Drive,HDD)或固态硬盘(Solid-State Drive,SSD);或者上述种类的存储器的组合,并向处理器15提供指令和数据。In practical applications, the above-mentioned memory 16 can be a volatile memory (volatile memory), such as a random access memory (Random-Access Memory, RAM); or a non-volatile memory (non-volatile memory), such as a read-only memory (Read-Only Memory, ROM), flash memory (flash memory), hard disk (Hard Disk Drive, HDD) or solid-state drive (Solid-State Drive, SSD); or a combination of the above types of memory, and to the processor 15 Provide instructions and data.
本申请实施例提供了一种计算机可读存储介质,其上有计算机程序,所述程序被处理器15执行时实现如上述所述的复杂事件检测方法。The embodiment of the present application provides a computer-readable storage medium with a computer program on it. When the program is executed by the processor 15, the complex event detection method as described above is implemented.
可以理解的是,复杂事件检测装置由于多个事件规则与多个事件确定逻辑为表达式形式的规则与逻辑,在新增复杂事件检测规则和事件确定逻辑的情况下,可以直接将新增的复杂事件检测规则和事件确定逻辑广播至计算引擎,以利用计算引擎对表达式形式的新增规则进行解析、运算,不需要再新增规则计算单元的代码,也不需要在对代码进行编译运行,提高了增加复杂事件检测规则时的速度。It can be understood that the complex event detection device has multiple event rules and multiple event determination logics in the form of expressions. When complex event detection rules and event determination logic are added, the newly added event detection rules and event determination logic can be directly added. Complex event detection rules and event determination logic are broadcast to the calculation engine, so that the calculation engine can be used to parse and calculate the new rules in the form of expressions. There is no need to add code for the rule calculation unit, and there is no need to compile and run the code. , improves the speed when adding complex event detection rules.
本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用硬件实施例、软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器和光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art will understand that embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, magnetic disk storage and optical storage, etc.) embodying computer-usable program code therein.
本申请是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each process and/or block in the flowchart illustrations and/or block diagrams, and combinations of processes and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a use A device for realizing the functions specified in one process or multiple processes of the flowchart and/or one block or multiple blocks of the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理 设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory that causes a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction means, the instructions The device implements the functions specified in a process or processes of the flowchart and/or a block or blocks of the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operating steps to be performed on the computer or other programmable device to produce computer-implemented processing, thereby executing on the computer or other programmable device. Instructions provide steps for implementing the functions specified in a process or processes of a flowchart diagram and/or a block or blocks of a block diagram.
以上所述,仅为本申请的较佳实施例而已,并非用于限定本申请的保护范围。The above descriptions are only preferred embodiments of the present application and are not intended to limit the protection scope of the present application.
工业实用性Industrial applicability
本申请实施例提供了一种复杂事件检测方法及装置、存储介质,复杂事件检测方法包括:获取操作事件流,操作事件流中的事件数量为多个;对操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑;利用计算引擎确定操作事件流与绑定的多个事件规则之间的匹配性;在匹配的情况下,从操作事件流中筛选事件操作时间小于目标水位线的目标事件;目标水位线为根据操作事件流对应的多个事件操作时间确定的时间;根据多个事件确定逻辑确定目标事件的确定结果,以根据确定结果确定目标事件为复杂事件。采用上述方法实现方案,复杂事件检测装置由于多个事件规则与多个事件确定逻辑为表达式形式的规则与逻辑,在新增复杂事件检测规则和事件确定逻辑的情况下,可以直接将新增的复杂事件检测规则和事件确定逻辑广播至计算引擎,以利用计算引擎对表达式形式的新增规则进行解析、运算,不需要再新增规则计算单元的代码,也不需要在对代码进行编译运行,提高了增加复杂事件检测规则时的速度。Embodiments of the present application provide a complex event detection method, device, and storage medium. The complex event detection method includes: obtaining an operation event stream. The number of events in the operation event stream is multiple; binding each event in the operation event stream. Define multiple event rules and multiple event determination logic; use the calculation engine to determine the match between the operation event stream and the bound multiple event rules; in the case of matching, filter events from the operation event stream whose operation time is less than the target The target event of the water level; the target water level is a time determined based on the operation time of multiple events corresponding to the operation event stream; the determination result of the target event is determined based on the multiple event determination logic, and the target event is determined to be a complex event based on the determination result. Using the above method to implement the solution, the complex event detection device has multiple event rules and multiple event determination logics in the form of expressions. When adding complex event detection rules and event determination logic, the newly added complex event detection rules and event determination logic can be directly added. The complex event detection rules and event determination logic are broadcast to the calculation engine, so that the calculation engine can be used to parse and calculate the new rules in the form of expressions. There is no need to add code for the rule calculation unit, and there is no need to compile the code. Run, which improves the speed when adding complex event detection rules.

Claims (10)

  1. 一种复杂事件检测方法,所述方法包括:A complex event detection method, the method includes:
    获取操作事件流,所述操作事件流中的事件数量为多个;Obtain an operation event stream, where the number of events in the operation event stream is multiple;
    对所述操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑;Bind multiple event rules and multiple event determination logic to each event in the operation event stream;
    利用计算引擎确定所述操作事件流与绑定的多个事件规则之间的匹配性;Using a calculation engine to determine the match between the operation event stream and the multiple bound event rules;
    在匹配的情况下,从所述操作事件流中筛选事件操作时间小于目标水位线的目标事件;所述目标水位线为根据所述操作事件流对应的多个事件操作时间确定的时间;In the case of matching, target events whose event operation time is less than a target water level are screened from the operation event stream; the target water level is a time determined based on multiple event operation times corresponding to the operation event stream;
    根据所述多个事件确定逻辑确定所述目标事件的确定结果,以根据所述确定结果确定所述目标事件为复杂事件。The determination result of the target event is determined according to the plurality of event determination logics, so that the target event is determined to be a complex event according to the determination result.
  2. 根据权利要求1所述的方法,其中,所述对所述操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑之前,所述方法还包括:The method according to claim 1, wherein before binding multiple event rules and multiple event determination logics to each event in the operation event stream, the method further includes:
    接收配置的多个事件规则与多个事件确定逻辑;Receive configured multiple event rules and multiple event determination logic;
    向所述计算引擎广播所述多个事件规则与多个事件确定逻辑。The plurality of event rules and the plurality of event determination logic are broadcast to the computing engine.
  3. 根据权利要求1所述的方法,其中,所述利用计算引擎确定所述操作事件流与绑定的多个事件规则之间的匹配性,包括:The method according to claim 1, wherein the utilizing a computing engine to determine the matching between the operation event stream and a plurality of bound event rules includes:
    在所述操作事件流中获取预设字段,得到多个字段信息;Obtain preset fields in the operation event stream and obtain multiple field information;
    根据所述多个字段信息对所述操作事件流进行分组,得到多组操作事件;Group the operation event stream according to the plurality of field information to obtain multiple groups of operation events;
    确定所述多组操作事件中的每一组操作事件与绑定的多个事件规则之间的匹配性,直至确定出所述多组操作事件与绑定的多个事件规则之间的匹配性。Determine the matching between each group of operation events in the plurality of groups of operation events and the plurality of bound event rules until the matching between the plurality of groups of operation events and the plurality of bound event rules is determined. .
  4. 根据权利要求3所述的方法,其中,所述根据所述多个字段信息对 所述操作事件流进行分组,得到多组操作事件,包括:The method according to claim 3, wherein the operation event stream is grouped according to the plurality of field information to obtain multiple groups of operation events, including:
    对所述多个字段信息分别进行校验,得到多个校验值;Perform verification on the multiple field information respectively to obtain multiple verification values;
    对所述多个校验值进行哈希处理,得到多个哈希信息;Perform hash processing on the multiple check values to obtain multiple hash information;
    根据所述多个哈希信息对所述操作事件流进行分组,得到所述多组操作事件。The operation event stream is grouped according to the plurality of hash information to obtain the plurality of groups of operation events.
  5. 根据权利要求1所述的方法,其中,所述从所述操作事件流中筛选事件操作时间小于目标水位线的目标事件之前,所述方法还包括:The method according to claim 1, wherein filtering the event operation time from the operation event stream before the target event that is less than the target water level, the method further includes:
    获取所述操作事件流对应的多个事件操作时间,并根据所述多个事件操作时间生成多个水位线;Obtain multiple event operation times corresponding to the operation event stream, and generate multiple water levels based on the multiple event operation times;
    对所述多个水位线进行合并处理,得到合并水位线;Merge the plurality of water levels to obtain a merged water level;
    从所述合并水位线和预设水位线中,筛选水位线值最小的目标水位线。From the combined water level and the preset water level, a target water level with the smallest water level value is selected.
  6. 根据权利要求5所述的方法,其中,所述对所述多个水位线进行合并处理,得到合并水位线,包括:The method according to claim 5, wherein said merging the plurality of water levels to obtain a merged water level includes:
    从所述多个水位线中获取水位线值最大的第一水位线;Obtain the first water level with the largest water level value from the plurality of water levels;
    将所述第一水位线作为所述合并水位线。The first water level is regarded as the merged water level.
  7. 一种复杂事件检测装置,所述装置包括:A complex event detection device, the device includes:
    获取部分,配置为获取操作事件流,所述操作事件流中的事件数量为多个;The acquisition part is configured to acquire an operation event stream, where the number of events in the operation event stream is multiple;
    绑定部分,配置为对所述操作事件流中的每一个事件绑定多个事件规则与多个事件确定逻辑;The binding part is configured to bind multiple event rules and multiple event determination logic to each event in the operation event stream;
    确定部分,配置为利用计算引擎确定所述操作事件流与绑定的多个事件规则之间的匹配性;根据所述多个事件确定逻辑确定目标事件的确定结果,以根据所述确定结果确定所述目标事件为复杂事件;The determination part is configured to use the calculation engine to determine the matching between the operation event stream and the multiple bound event rules; determine the determination result of the target event according to the multiple event determination logic, so as to determine the determination result according to the determination result. The target event is a complex event;
    筛选部分,配置为在匹配的情况下,从所述操作事件流中筛选事件操作时间小于目标水位线的所述目标事件;所述目标水位线为根据所述操作事件流对应的多个事件操作时间确定的时间。The filtering part is configured to, in the case of matching, filter the target events whose event operation time is less than the target water level from the operation event stream; the target water level is a plurality of event operations corresponding to the operation event stream. Time determined time.
  8. 根据权利要求7所述的装置,其中,所述装置还包括接收部分和广播部分;The device according to claim 7, wherein the device further includes a receiving part and a broadcasting part;
    所述接收部分,配置为接收配置的多个事件规则与多个事件确定逻辑;The receiving part is configured to receive multiple configured event rules and multiple event determination logics;
    所述广播部分,配置为向所述计算引擎广播所述多个事件规则与多个事件确定逻辑。The broadcast part is configured to broadcast the plurality of event rules and the plurality of event determination logic to the computing engine.
  9. 一种复杂事件检测装置,所述装置包括:A complex event detection device, the device includes:
    存储器、处理器和通信总线,所述存储器通过所述通信总线与所述处理器进行通信,所述存储器存储所述处理器可执行的复杂事件检测的程序,当所述复杂事件检测的程序被执行时,通过所述处理器执行如权利要求1至7任一项所述的方法。A memory, a processor and a communication bus. The memory communicates with the processor through the communication bus. The memory stores a complex event detection program executable by the processor. When the complex event detection program is When executed, the method according to any one of claims 1 to 7 is executed by the processor.
  10. 一种存储介质,其上存储有计算机程序,应用于复杂事件检测装置,该计算机程序被处理器执行时实现权利要求1至7任一项所述的方法。A storage medium with a computer program stored thereon, which is used in a complex event detection device. When the computer program is executed by a processor, the method of any one of claims 1 to 7 is implemented.
PCT/CN2022/123107 2022-06-24 2022-09-30 Complex event detection method and apparatus and storage medium WO2023245911A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210739018.8A CN115048146A (en) 2022-06-24 2022-06-24 Complex event detection method and device and storage medium
CN202210739018.8 2022-06-24

Publications (1)

Publication Number Publication Date
WO2023245911A1 true WO2023245911A1 (en) 2023-12-28

Family

ID=83164044

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/123107 WO2023245911A1 (en) 2022-06-24 2022-09-30 Complex event detection method and apparatus and storage medium

Country Status (2)

Country Link
CN (1) CN115048146A (en)
WO (1) WO2023245911A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115048146A (en) * 2022-06-24 2022-09-13 深圳前海微众银行股份有限公司 Complex event detection method and device and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090252175A1 (en) * 2008-04-03 2009-10-08 Hiroshi Dempo System, method and program for distributed event detection
CN102012918A (en) * 2010-11-26 2011-04-13 中金金融认证中心有限公司 System and method for excavating and executing rule
CN104700055A (en) * 2014-11-28 2015-06-10 广东工业大学 Method for detecting complex events on multi-probability RFID event flows
US9992269B1 (en) * 2013-02-25 2018-06-05 EMC IP Holding Company LLC Distributed complex event processing
CN113296933A (en) * 2020-08-14 2021-08-24 阿里巴巴集团控股有限公司 Event processing method, device, equipment and machine-readable storage medium
CN114610978A (en) * 2022-03-07 2022-06-10 沈阳航空航天大学 Complex event matching method and device based on ordered event list and storage medium
CN115048146A (en) * 2022-06-24 2022-09-13 深圳前海微众银行股份有限公司 Complex event detection method and device and storage medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090252175A1 (en) * 2008-04-03 2009-10-08 Hiroshi Dempo System, method and program for distributed event detection
CN102012918A (en) * 2010-11-26 2011-04-13 中金金融认证中心有限公司 System and method for excavating and executing rule
US9992269B1 (en) * 2013-02-25 2018-06-05 EMC IP Holding Company LLC Distributed complex event processing
CN104700055A (en) * 2014-11-28 2015-06-10 广东工业大学 Method for detecting complex events on multi-probability RFID event flows
CN113296933A (en) * 2020-08-14 2021-08-24 阿里巴巴集团控股有限公司 Event processing method, device, equipment and machine-readable storage medium
CN114610978A (en) * 2022-03-07 2022-06-10 沈阳航空航天大学 Complex event matching method and device based on ordered event list and storage medium
CN115048146A (en) * 2022-06-24 2022-09-13 深圳前海微众银行股份有限公司 Complex event detection method and device and storage medium

Also Published As

Publication number Publication date
CN115048146A (en) 2022-09-13

Similar Documents

Publication Publication Date Title
CN109885311B (en) Application program generation method and device
Herodotou Hadoop performance models
US10185650B1 (en) Testing service with control testing
WO2023245911A1 (en) Complex event detection method and apparatus and storage medium
CN101127061B (en) Device preventing and treating computer virus capable of pre-estimating schedule and schedule pre-estimation method
JP7003995B2 (en) Blockchain management device, blockchain management method and program
Bartoletti et al. A journey into bitcoin metadata
CN110704438B (en) Method and device for generating bloom filter in blockchain
WO2024027328A1 (en) Data processing method based on zero-trust data access control system
CN114127771A (en) System and method for proof of viewing via blockchain
Mondal et al. Casqd: continuous detection of activity-based subgraph pattern queries on dynamic graphs
CN115794393A (en) Method, device, server and storage medium for executing business model
CN112584199A (en) Method and device for generating cover motion picture of multimedia file
CN104636397B (en) Resource allocation methods, calculating accelerated method and device for Distributed Calculation
US9256503B2 (en) Data verification
WO2018177286A1 (en) Static resource request processing method and device
CN111143463B (en) Construction method and device of bank data warehouse based on topic model
WO2018082320A1 (en) Data stream join method and device
Karantias Enabling NIPoPoW applications on bitcoin cash
CN104794129A (en) Data processing method and system based on query logs
CN111104384A (en) Data preprocessing method, device, equipment and storage medium
US20200034406A1 (en) Real-time data aggregation
US20220253524A1 (en) Malware Detection System
CN109389271B (en) Application performance management method and system
US8495542B2 (en) Automated management of verification waivers

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22947651

Country of ref document: EP

Kind code of ref document: A1