CN113110973A - Host log association and prediction method and device, electronic equipment and storage medium - Google Patents
- Publication number
- CN113110973A (application CN202110416971.4A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3065—Monitoring arrangements determined by the means or processing involved in reporting the monitored data
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G06F17/10—Complex mathematical operations
- G06F17/18—Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis
Abstract
The disclosure provides a host log association and prediction method, a host log association and prediction device, electronic equipment and a computer-readable storage medium, which can be used in the financial field, the communication field or other fields. The method comprises the following steps: analyzing the log data to obtain first information and second information; the log data comprises a plurality of messages, first information is used for indicating the types of the messages, and second information is used for indicating the generation time of the messages; acquiring a time sequence array of the first message and the second message based on the first information and the second information; normalizing the time sequence series of the first message and the second message; judging the correlation between the first message and the second message according to the time sequence of the first message and the second message after normalization processing; if the two are correlated, the message with the later time sequence is predicted according to the message with the earlier time sequence.
Description
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and an apparatus for associating and predicting a host log, an electronic device, and a storage medium.
Background
Monitoring the state of a large host is an important part of system operation and maintenance. Quickly and accurately predicting the state trend of the system, and acting proactively to avoid problems before an abnormality occurs, is of great significance for controlling the risk of the host system. Traditional monitoring schemes monitor for the presence of specific messages in the log or for a quantitative threshold. This monitors the state of a host system to a certain extent, but it does not capture the associations between multiple types of messages in the log, so one type of message cannot be used to predict another type of message.
Disclosure of Invention
In view of the above, an aspect of the present disclosure provides a method, an apparatus, an electronic device, and a storage medium for associating and predicting a host log.
One aspect of the present disclosure provides a host log association and prediction method, including:
analyzing the log data to obtain first information and second information; wherein the log data comprises a plurality of messages, the first information is used for indicating the types of the messages, and the second information is used for indicating the generation time of the messages;
acquiring a time sequence array of the first message and the second message based on the first information and the second information;
normalizing the time sequence series of the first message and the second message;
judging the correlation between the first message and the second message according to the time sequence of the first message and the second message after normalization processing;
if the two are correlated, the message with the later time sequence is predicted according to the message with the earlier time sequence.
According to an embodiment of the present disclosure, the determining, according to the time sequence number sequence of the first message and the second message after the normalization processing, a correlation between the first message and the second message includes:
calculating the offset distance between the first message and the second message according to the time sequence of the first message and the second message after the normalization processing;
and judging the correlation between the first message and the second message according to the offset distance.
According to an embodiment of the present disclosure, an offset distance between the first message and the second message satisfies the following relationship:
wherein, when d > 0,
when d < 0,
wherein $D_{XY}$ is the offset distance between the first message and the second message, $d$ is the time offset of the second message relative to the first message, $F_1(X)$ is the time series of the first message after the normalization processing, $F_1(Y+d)$ is the time series of the second message after the normalization processing, $D'(F_1(X), F_1(Y+d))$ is the Euclidean distance between the normalized time series of the first message and the normalized time series of the second message, $N_{x1},\ldots,N_{xm}$ are the items of the normalized time series of the first message, $N_{y1},\ldots,N_{ym}$ are the items of the normalized time series of the second message, and $m$ is the number of items in the normalized time series of the first message or the second message.
According to an embodiment of the present disclosure, the determining a correlation between the first message and the second message according to the offset distance includes:
comparing the offset distance with a preset threshold value, and when the offset distance is smaller than the preset threshold value, regarding that the first message is related to the second message;
and when the offset distance is not smaller than the preset threshold value, the first message and the second message are considered to be irrelevant.
According to an embodiment of the present disclosure, if the first message is related to the second message, predicting the message that is later in time from the message that is earlier in time comprises:
determining the time order of the first message and the second message according to the time offset, wherein: when the time offset is greater than zero, the first message is earlier in time, and the second message is predicted from the first message; and when the time offset is less than zero, the second message is earlier in time, and the first message is predicted from the second message.
According to an embodiment of the present disclosure, the normalizing the time series of the first message and the second message includes:
mapping the time series of the first message and the second message to the interval [0, 1];
and extracting the change trend rule of the time sequence number series of the first message and the second message, eliminating the quantization difference, and acquiring the time sequence number series of the first message and the second message after normalization processing.
According to the embodiment of the disclosure, the time sequence number sequence of the first message and the second message after the normalization process satisfies the following relationship:
wherein $F(I)$ is the time series of the $I$-th message ($I = 1, 2$), $F_1(I)$ is the time series of the $I$-th message after the normalization processing, $\min(F(I))$ is the minimum value in the time series of the $I$-th message, and $\max(F(I))$ is the maximum value in the time series of the $I$-th message.
According to the embodiment of the disclosure, if the offset leaves a gap in the normalized time series of the first message or the second message, the gap is filled with zeros.
According to an embodiment of the present disclosure, the obtaining a time sequence number sequence of a first message and a second message based on the first information and the second information includes:
dividing a preset time window into a plurality of time intervals according to the second information;
respectively acquiring the message quantity of the first message and the second message in each time interval according to the first information;
and respectively serializing the message quantity of the first message and the second message in each time interval into a time sequence of the first message and the second message.
Another aspect of the present disclosure provides a host log associating and predicting apparatus, including:
the analysis module is used for analyzing the log data to acquire first information and second information; wherein the log data comprises a plurality of messages, the first information is used for indicating the types of the messages, and the second information is used for indicating the generation time of the messages;
the acquisition module is used for acquiring a time sequence array of the first message and the second message based on the first information and the second information;
the processing module is used for carrying out normalization processing on the time sequence series of the first message and the second message;
the judging module is used for judging the correlation between the first message and the second message according to the time sequence number sequence of the first message and the second message after normalization processing;
and the prediction module is used for predicting the message with the later time sequence according to the message with the earlier time sequence if the first message is related to the second message.
According to an embodiment of the present disclosure, the determining module includes:
the first judgment module is used for calculating the offset distance between the first message and the second message according to the time sequence of the first message and the second message after the normalization processing;
and the second judging module is used for judging the correlation between the first message and the second message according to the offset distance.
According to an embodiment of the present disclosure, the second determining module is further configured to compare the offset distance with a preset threshold to determine a correlation between the first message and the second message, wherein:
when the offset distance is smaller than the preset threshold value, the first message and the second message are considered to be related;
and when the offset distance is not smaller than the preset threshold value, the first message and the second message are considered to be irrelevant.
According to an embodiment of the present disclosure, the first determination module calculates the offset distance between the first message and the second message according to the following relationship:
wherein, when d > 0,
when d < 0,
wherein $D_{XY}$ is the offset distance between the first message and the second message, $d$ is the time offset of the second message relative to the first message, $F_1(X)$ is the time series of the first message after the normalization processing, $F_1(Y+d)$ is the time series of the second message after the normalization processing, $D'(F_1(X), F_1(Y+d))$ is the Euclidean distance between the normalized time series of the first message and the normalized time series of the second message, $N_{x1},\ldots,N_{xm}$ are the items of the normalized time series of the first message, $N_{y1},\ldots,N_{ym}$ are the items of the normalized time series of the second message, and $m$ is the number of items in the normalized time series of the first message or the second message.
According to an embodiment of the present disclosure, if the first message is related to the second message, the prediction module is configured to determine the time order of the first message and the second message according to the time offset, and to predict the message that is later in time from the message that is earlier in time, where:
when the time offset is larger than zero, the time sequence of the first message is prior, and the prediction module predicts the second message according to the first message;
when the time offset is less than zero, the time sequence of the second message is prior, and the prediction module predicts the first message according to the second message.
According to an embodiment of the present disclosure, the processing module includes:
a first processing module, configured to map the time series of the first message and the second message to the interval [0, 1];
and the second processing module extracts the variation trend rule of the time sequence number series of the first message and the second message, eliminates the quantization difference and acquires the time sequence number series of the first message and the second message after the normalization processing.
According to the embodiment of the disclosure, the time sequence number sequence of the first message and the second message after the normalization process satisfies the following relationship:
wherein $F(I)$ is the time series of the $I$-th message ($I = 1, 2$), $F_1(I)$ is the time series of the $I$-th message after the normalization processing, $\min(F(I))$ is the minimum value in the time series of the $I$-th message, and $\max(F(I))$ is the maximum value in the time series of the $I$-th message.
According to an embodiment of the present disclosure, the processing module further comprises:
and the third processing module is used for filling the gap with zeros when the offset leaves a gap in the normalized time series of the first message or the second message.
According to an embodiment of the present disclosure, the obtaining module is further configured to:
dividing a preset time window into a plurality of time intervals according to the second information;
respectively acquiring the message quantity of the first message and the second message in each time interval according to the first information;
and respectively serializing the message quantity of the first message and the second message in each time interval into a time sequence of the first message and the second message.
Another aspect of the present disclosure provides an electronic device comprising a processor and a memory, the memory having stored therein at least one instruction, which when executed by the processor, implements a method as described above.
Yet another aspect of the present disclosure provides a computer-readable storage medium having stored therein at least one instruction, which when executed by the processor, implements a method as described above.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario of a host log association and prediction method according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a host log association and prediction method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow diagram of a host log association and prediction method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a host log association and prediction method according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram of a host log association and prediction method according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a block diagram of a host log association and prediction apparatus according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a host log association and prediction apparatus according to an embodiment of the present disclosure;
FIG. 8 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system.
The embodiment of the disclosure provides a host log association and prediction method and device. From the perspective of regularity of the host log, the corresponding message types are obtained by analyzing the host log, the message quantity of the two types of messages is extracted in a preset time interval to be used as a time sequence number sequence, the time sequence number sequence is formed in a preset time window and is subjected to normalization processing, and then the offset correlation of the two types of messages is calculated, so that correlation analysis between log messages and accurate prediction of messages at a certain future time are realized, and operation and maintenance of a system are assisted.
FIG. 1 schematically illustrates an exemplary system architecture 100 that may be applied to the host log association and prediction method according to an embodiment of the disclosure. It should be noted that the apparatus shown in fig. 1 is an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing and the like, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the host log association and prediction method provided by the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the host log association and prediction apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 105. The host log association and prediction method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the host log association and prediction apparatus provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
FIG. 2 schematically illustrates a flow diagram of a host log association and prediction method according to an embodiment of the disclosure. As shown in FIG. 2, the host log association and prediction method may include operations S210-S250, for example.
In operation S210, the log data is parsed to obtain first information and second information. The log data comprises a plurality of messages, first information is used for indicating the types of the messages, and second information is used for indicating the generation time of the messages.
It will be understood that the acquired historical log data contains a plurality of messages, and the messages can reflect all the access situations of the user in a certain time period; these access behaviors follow regular cycles to a certain extent. For example, on weekdays, user A may access certain specific web pages due to work needs, while on weekends, user A may choose to view e-books, and so on. It can be seen that, within a certain period of time, the access behavior of the user is correlated and regular, and therefore the correlation and regularity of the access behavior can be used to accurately predict the message at a future moment.
In the embodiment of the present disclosure, after the historical log data is obtained, it may be parsed as text according to the regularity present in the host log data, for example, regularity of time or regularity of access behavior, so as to obtain the first information and the second information. The first information may be represented, for example, as a message header MSG_ID to indicate the type of the message. The second information may be represented, for example, as a message timestamp MSG_TIMESTAMP to indicate the generation time of the message. Based on the first information and the second information, the type of the message and the generation time of the message can be easily confirmed, so that the regularity among different types of messages can be easily acquired, the data processing amount is greatly reduced, and the processing efficiency is improved.
In operation S220, a time series of the first message and the second message is acquired based on the first information and the second information.
The preset time window may be divided into a plurality of time intervals according to the second information (e.g., the message timestamp MSG_TIMESTAMP). The number of messages of the first message (denoted as message MSG_ID_X) and of the second message (denoted as message MSG_ID_Y) in each time interval can then be obtained based on the first information (e.g., the message header MSG_ID) as the time-series characteristic of the first message and the second message, and the time-series characteristics of the first message and the second message are then serialized into time series within the preset time window. For example, if the number of messages MSG_ID_X in the $i$-th hour is $N_{xi}$, then over $m$ hours the message MSG_ID_X may be represented by the time series $F(X) = \{N_{x1}, N_{x2}, \ldots, N_{xm}\}$. Similarly, the message MSG_ID_Y may be represented by the time series $F(Y) = \{N_{y1}, N_{y2}, \ldots, N_{ym}\}$. In the embodiment of the present disclosure, the preset time window and the time interval may be set according to actual needs, and are not limited herein.
In operation S230, a normalization process is performed on the time-series of the first message and the second message.
The time series $F(X)$ and $F(Y)$ of the first message (message MSG_ID_X) and the second message (message MSG_ID_Y) may have different dimensions and dimension units, which may affect the result of data analysis. In order to eliminate the quantization difference, the time series $F(X)$ of the first message and the time series $F(Y)$ of the second message are normalized to make the data comparable.
In operation S240, a correlation between the first message and the second message is determined according to the time sequence number sequence of the first message and the second message after the normalization process.
For the first message (message MSG_ID_X) and the second message (message MSG_ID_Y), the following assumption can be made: if the time series of the first message and the second message have a certain similarity, the first message and the second message are considered to be related. Further, if the time series $F(X)$ and $F(Y)$ corresponding to the first message and the second message have a certain similarity, then the normalized time series $F_1(X)$ and $F_1(Y)$ also have a certain similarity. Therefore, in the embodiment of the present disclosure, the correlation between the first message and the second message may be determined according to the normalized time series $F_1(X)$ and $F_1(Y)$.
In operation S250, if the first message and the second message are related, the later message is predicted from the earlier message.
If the first message (message MSG_ID_X) and the second message (message MSG_ID_Y) are related, the message that is later in time can be predicted from the message that is earlier in time. For example, if the first message and the second message are related and the first message is earlier in time, then the condition of the second message at some future time can be predicted from the first message.
According to an embodiment of the present disclosure, if the first message and the second message are not related, this indicates that the second message (message MSG_ID_Y) cannot be predicted from the first message (message MSG_ID_X), nor the first message from the second message.
In this embodiment, the present disclosure provides a method for associating and predicting a host log. Starting from the regularity of the host log, the method parses the host log to obtain the corresponding message types, extracts the number of messages of two types of messages in each preset time interval as a time-series characteristic, serializes these into time series within a preset time window, normalizes them, and then calculates the offset correlation between the two types of messages, thereby implementing association analysis between log messages and accurate prediction of messages at a future time to assist system operation and maintenance.
FIG. 3 schematically illustrates a flow diagram of a host log association and prediction method according to another embodiment of the present disclosure.
As shown in fig. 3, according to the embodiment of the disclosure, in operation S230, the normalizing process is performed on the time-series sequence of the first message and the second message, and operations S310 to S320 are further included. Wherein:
in operation S310, the time sequence series of the first message and the second message are mapped to the interval [0, 1].
In operation S320, the variation trend rule of the time sequence number series of the first message and the second message is extracted, the quantization difference is removed, and the time sequence number series of the first message and the second message after the normalization processing is obtained.
The time sequence series F(X) of the first message (message MSG_ID_X) and the time sequence series F(Y) of the second message (message MSG_ID_Y) are respectively mapped to a (0, 1) interval; the variation trend rule of each series is then extracted and the quantization difference is eliminated, to obtain the normalized time sequence series F1(X) of the first message and the normalized time sequence series F1(Y) of the second message.
According to the embodiment of the present disclosure, the time sequence number sequence of the first message and the second message after the normalization process satisfies the following relationship:
where F(I) is the time sequence series of the I-th message (I = 1, 2), F1(I) is the normalized time sequence series of the I-th message, min(F(I)) is the minimum value in the time sequence series of the I-th message, and max(F(I)) is the maximum value in the time sequence series of the I-th message.
FIG. 4 schematically illustrates a flow diagram of a host log association and prediction method according to another embodiment of the present disclosure.
As shown in fig. 4, according to the embodiment of the present disclosure, in the operation S240, the determining the correlation between the first message and the second message according to the time sequence number sequence of the first message and the second message after the normalization process specifically includes operations S410 to S440. Wherein:
in operation S410, an offset distance between the first message and the second message is calculated according to the sequence of the normalized time series of the first message and the second message.
Based on the lag effect between the first message and the second message in time sequence, the present disclosure represents the correlation between two time sequence series by calculating the offset distance between them. Specifically, the offset distance DXY between the first message and the second message is calculated according to the normalized time sequence series F1(X) of the first message and the normalized time sequence series F1(Y) of the second message, wherein the offset distance between the first message (message MSG_ID_X) and the second message (message MSG_ID_Y) satisfies the following relationship:
wherein, when d > 0,
when d < 0,
where DXY is the offset distance between the first message and the second message, d is the time offset of the second message relative to the first message, F1(X) is the normalized time sequence series of the first message, F1(Y + d) is the normalized time sequence series of the second message, D′(F1(X), F1(Y + d)) is the Euclidean distance between the normalized time sequence series of the first message and the normalized time sequence series of the second message, Nx1, …, Nxm are the respective items in the normalized time sequence series of the first message, Ny1, …, Nym are the respective items in the normalized time sequence series of the second message, and m is the number of items in the normalized time sequence series of the first message or the second message.
According to the embodiment of the disclosure, if the time sequence of the first message or the second message after the normalization processing causes the time sequence vacancy due to the offset, the time sequence vacancy is compensated with zero.
The first message (message MSG_ID_X) and the second message (message MSG_ID_Y) may have a certain time lag effect; for example, the second message lags behind the first message by 1 hour. Within the same preset time window (e.g., m hours) and time interval (e.g., a 1-hour interval), the lag of the second message may leave a gap in the time sequence series of the second message (message MSG_ID_Y), and therefore a gap in the normalized time sequence series. In this case the gap in the time sequence series of the second message must be filled with "0" to correct the series. For example, if the time offset d is 1, the corrected time sequence series of the first message and the second message may be represented as F1′(X) = {0, Nx1, Nx2, ..., Nxm} and F1′(Y) = {Ny1, Ny2, ..., Nym, 0}.
In the embodiment of the present disclosure, the time offset d may be selected according to the granularity of a preset time window, for example, the time offset d may be set as a multiple of the time granularity, or may be set according to actual needs, which is not limited herein.
It should be noted that the above-mentioned calculation of the offset distance between two time sequence arrays by using the euclidean distance is only an example, so that those skilled in the art can understand the technical solution of the present disclosure, and is not intended to limit the protection scope of the present disclosure. In some embodiments of the present disclosure, the offset distance between the two time sequence arrays may also be calculated by a method other than the euclidean distance, which is not limited herein.
In operation S420, a correlation between the first message and the second message is determined according to the offset distance.
The offset distance is compared with a preset threshold value to determine the correlation between the first message and the second message. Specifically, when the offset distance DXY is less than the preset threshold, operation S430 is performed; otherwise, operation S440 is performed.
In operation S430, when the offset distance DXY is smaller than the preset threshold value, the first message is judged to be related to the second message.
In operation S440, when the offset distance DXY is not less than the preset threshold value, the first message is judged to be not related to the second message.
In the embodiment of the present disclosure, the preset threshold may be, for example, a preset value or one or more preset ranges, and may be specifically set according to actual needs, which is not limited herein.
According to the embodiment of the disclosure, the similarity between the message time sequence characteristics is calculated based on the offset distance and is used as a message correlation analysis method, so that a real application scene of message correlation lag is well fitted.
FIG. 5 schematically illustrates a flow diagram of a host log association and prediction method according to another embodiment of the present disclosure.
As shown in fig. 5, according to the embodiment of the present disclosure, in operation S250, if the first message and the second message are related, predicting the message that is later in time sequence according to the message that is earlier in time sequence includes operations S510 to S560. Wherein:
in operation S510, a correlation between the first message and the second message is determined.
In operation S520, it is determined whether the time offset d is greater than 0 to determine a timing order of the first message and the second message. If the time offset d is greater than zero, operation S530 is performed, otherwise operation S540 is performed.
In operation S530, a second message is predicted from the first message.
When the time offset d > 0, the second message MSG_ID_Y lags behind the first message MSG_ID_X, i.e. the first message MSG_ID_X results in the second message MSG_ID_Y, which can be predicted by the first message MSG_ID_X.
In operation S540, it is determined whether the time offset is less than 0, if so, operation S550 is performed, otherwise, operation S560 is performed.
In operation S550, a first message is predicted from a second message.
When the time offset d < 0, the first message MSG_ID_X lags behind the second message MSG_ID_Y, and the first message MSG_ID_X can be predicted by using the second message MSG_ID_Y.
In operation S560, the operation ends.
If the time offset d is 0, that is, if no offset occurs between the first message and the second message, the predicted effect cannot be achieved, and the operation is ended.
According to the embodiment of the disclosure, the relevance prediction of the two messages is carried out based on the message relevance and the time offset, so that the accurate prediction of the messages at a certain future time can be realized.
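The following Python sketch walks operations S230 to S250 end to end on a constructed log; it is an added illustration, not code from the patent. Assumptions: the log line format, the min-max form of the normalization, DXY taken as the Euclidean distance over the zero-padded shifted series (following the d = 1 example above), choosing d by scanning a small range for the minimum distance, and the threshold value.

```python
import math
from datetime import datetime, timedelta

WINDOW_START = datetime(2021, 1, 1)   # constructed window start
INTERVAL = timedelta(hours=1)         # preset time interval
M = 8                                 # intervals in the preset time window


def build_sample_log():
    """Constructed log: every MSG_ID_X is followed one hour later by two MSG_ID_Y."""
    x_per_hour = [0, 4, 2, 8, 3, 6, 1, 0]
    lines = ["corrupted line without a timestamp"]
    for hour, n in enumerate(x_per_hour):
        for k in range(n):
            t = WINDOW_START + hour * INTERVAL + timedelta(minutes=k)
            lines.append(f"{t.isoformat()} MSG_ID_X constructed event")
            for j in (1, 2):
                t_y = t + INTERVAL + timedelta(seconds=j)
                lines.append(f"{t_y.isoformat()} MSG_ID_Y constructed event")
    return lines


def parse(lines):
    """Extract (message type, generation time); unparseable lines are skipped."""
    events = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            events.append((parts[1], datetime.fromisoformat(parts[0])))
        except ValueError:
            continue
    return events


def time_series(events, msg_type):
    """Count messages of one type per interval inside the window."""
    counts = [0] * M
    for kind, ts in events:
        idx = (ts - WINDOW_START) // INTERVAL
        if kind == msg_type and 0 <= idx < M:
            counts[idx] += 1
    return counts


def normalize(series):
    """Min-max mapping to [0, 1] (assumed form); a flat series maps to zeros."""
    lo, hi = min(series), max(series)
    if hi == lo:
        return [0.0] * len(series)
    return [(v - lo) / (hi - lo) for v in series]


def offset_distance(fx, fy, d):
    """Euclidean distance after shifting by d and filling the vacancies with zero."""
    pad = [0.0] * abs(d)
    if d >= 0:                       # second message lags the first
        sx, sy = pad + fx, fy + pad
    else:                            # first message lags the second
        sx, sy = fx + pad, pad + fy
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(sx, sy)))


def correlate(fx, fy, threshold=0.5, max_shift=2):
    """Return (d, distance, verdict) for the best offset in [-max_shift, max_shift]."""
    nx, ny = normalize(fx), normalize(fy)
    d, dist = min(((s, offset_distance(nx, ny, s))
                   for s in range(-max_shift, max_shift + 1)),
                  key=lambda pair: pair[1])
    if dist >= threshold:
        return d, dist, "unrelated"
    if d > 0:
        return d, dist, "predict second from first"
    if d < 0:
        return d, dist, "predict first from second"
    return d, dist, "related, no offset: no prediction"


if __name__ == "__main__":
    events = parse(build_sample_log())
    fx = time_series(events, "MSG_ID_X")
    fy = time_series(events, "MSG_ID_Y")
    print(fx, fy, correlate(fx, fy))
```

Because each series is normalized separately, the doubled volume of MSG_ID_Y does not affect the distance; only the shape and the lag do.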
FIG. 6 schematically shows a block diagram of a host log association and prediction apparatus according to an embodiment of the present disclosure.
As shown in fig. 6, the host log associating and predicting apparatus 600 in the embodiment of the present disclosure includes: the system comprises an analysis module 610, an acquisition module 620, a processing module 630, a judgment module 640 and a prediction module 650, wherein:
the parsing module 610 is configured to parse the log data to obtain the first information and the second information. The first information is used for indicating the type of the message, and the second information is used for indicating the generation time of the message.
The obtaining module 620 is configured to obtain a time sequence of the first message and the second message based on the first information and the second information.
The processing module 630 is configured to normalize the time series of the first message and the second message.
The judging module 640 is configured to judge a correlation between the first message and the second message according to the time sequence of the first message and the second message after the normalization processing.
The prediction module 650 is configured to predict the message that is later in time sequence from the message that is earlier in time sequence if the first message is related to the second message.
In an embodiment of the disclosure, the obtaining module 620 is further configured to: dividing a preset time window into a plurality of time intervals according to the second information; respectively acquiring the message quantity of the first message and the second message in each time interval according to the first information; and respectively serializing the message number of the first message and the second message in each time interval into a time sequence of the first message and the second message.
In an embodiment of the disclosure, if the first message and the second message are related, the prediction module 650 is further configured to determine the time sequence order of the first message and the second message according to the time offset, and to predict the message that is later in time sequence according to the message that is earlier in time sequence. Wherein: when the time offset is greater than zero, the time sequence of the first message is ahead, and the prediction module predicts the second message according to the first message; when the time offset is less than zero, the time sequence of the second message is ahead, and the prediction module predicts the first message according to the second message.
FIG. 7 schematically illustrates a block diagram of a host log association and prediction apparatus according to another embodiment of the present disclosure.
As shown in fig. 7, the host log associating and predicting apparatus 700 includes: parsing module 710, obtaining module 720, processing module 730, determining module 740, and predicting module 750. The parsing module 710, the obtaining module 720 and the predicting module 750 have the same corresponding functions as the parsing module 610, the obtaining module 620 and the predicting module 650, and the repeated parts are not repeated.
In the disclosed embodiment, the processing module 730 includes a first processing module 731 and a second processing module 732. Wherein:
the first processing module 731 is configured to map the time sequence series of the first message and the second message to the interval [0, 1].
The second processing module 732 is configured to extract a variation trend rule of the time sequence number series of the first message and the second message, remove quantization differences, and obtain the time sequence number series of the first message and the second message after the normalization processing.
According to the embodiment of the disclosure, the time sequence number sequence of the first message and the second message after normalization processing satisfies the following relationship:
where F(I) is the time sequence series of the I-th message (I = 1, 2), F1(I) is the normalized time sequence series of the I-th message, min(F(I)) is the minimum value in the time sequence series of the I-th message, and max(F(I)) is the maximum value in the time sequence series of the I-th message.
In an embodiment of the present disclosure, the processing module 730 further includes a third processing module 733.
The third processing module 733 is configured to fill the time sequence vacancy with zero when the normalized time sequence series of the first message or the second message has a time sequence vacancy caused by the offset.
In an embodiment of the present disclosure, the determining module 740 includes: a first decision module 741 and a second decision module 742. Wherein:
the first determining module 741 is configured to calculate an offset distance between the first message and the second message according to the time sequence of the first message and the second message after the normalization processing.
The second determining module 742 is configured to determine a correlation between the first message and the second message according to the offset distance.
In one embodiment of the present disclosure, the first judging module 741 calculates the offset distance between the first message and the second message according to the following relationship:
wherein, when d > 0,
when d < 0,
where DXY is the offset distance between the first message and the second message, d is the time offset of the second message relative to the first message, F1(X) is the normalized time sequence series of the first message, F1(Y + d) is the normalized time sequence series of the second message, D′(F1(X), F1(Y + d)) is the Euclidean distance between the normalized time sequence series of the first message and the normalized time sequence series of the second message, Nx1, …, Nxm are the respective items in the normalized time sequence series of the first message, Ny1, …, Nym are the respective items in the normalized time sequence series of the second message, and m is the number of items in the normalized time sequence series of the first message or the second message.
In an embodiment of the present disclosure, the second determining module 742 is further configured to compare the offset distance with a preset threshold to determine a correlation between the first message and the second message, wherein: when the offset distance is smaller than a preset threshold value, the first message and the second message are considered to be related; and when the offset distance is not less than the preset threshold value, the first message and the second message are considered to be irrelevant.
It should be noted that the implementation, solved technical problems, implemented functions, and achieved technical effects of each module/unit/subunit and the like in the apparatus part embodiment are respectively the same as or similar to the implementation, solved technical problems, implemented functions, and achieved technical effects of each corresponding step in the method part embodiment, and are not described herein again.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any of the parsing module 710, the obtaining module 720, the processing module 730, the determining module 740, and the predicting module 750 may be combined into one module to be implemented, or any one of the modules may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the parsing module 710, the obtaining module 720, the processing module 730, the determining module 740, and the predicting module 750 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or implemented by a suitable combination of any several of them. Alternatively, at least one of the parsing module 710, the obtaining module 720, the processing module 730, the determining module 740, and the predicting module 750 may be at least partially implemented as a computer program module that, when executed, may perform a corresponding function.
Fig. 8 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure. The electronic device shown in fig. 8 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 8, electronic device 800 includes a processor 810, a computer-readable storage medium 820. The electronic device 800 may perform a method according to an embodiment of the disclosure.
In particular, processor 810 may include, for example, a general purpose microprocessor, an instruction set processor and/or related chip set and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), and/or the like. The processor 810 may also include on-board memory for caching purposes. Processor 810 may be a single processing unit or a plurality of processing units for performing different actions of a method flow according to embodiments of the disclosure.
Computer-readable storage medium 820, for example, may be a non-volatile computer-readable storage medium, specific examples including, but not limited to: magnetic storage devices, such as magnetic tape or Hard Disk Drives (HDDs); optical storage devices, such as compact disks (CD-ROMs); a memory, such as a Random Access Memory (RAM) or a flash memory; and so on.
The computer-readable storage medium 820 may include a computer program 821, which computer program 821 may include code/computer-executable instructions that, when executed by the processor 810, cause the processor 810 to perform a method according to an embodiment of the present disclosure, or any variation thereof.
The computer program 821 may be configured with, for example, computer program code comprising computer program modules. For example, in an example embodiment, code in computer program 821 may include one or more program modules, including, for example, module 821A, module 821B, … …. It should be noted that the division and number of modules are not fixed, and those skilled in the art may use suitable program modules or program module combinations according to actual situations, and when the program modules are executed by the processor 810, the processor 810 may execute the method according to the embodiment of the present disclosure or any variation thereof.
According to an embodiment of the present invention, at least one of the parsing module 710, the obtaining module 720, the processing module 730, the judging module 740, and the predicting module 750 may be implemented as a computer program module described with reference to fig. 8, which, when executed by the processor 810, may implement the corresponding operations described above.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments and/or claims of the present disclosure can be combined and/or incorporated in various ways, even if such combinations or incorporations are not expressly recited in the present disclosure. In particular, various combinations and/or incorporations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or incorporations are within the scope of the present disclosure.
While the disclosure has been shown and described with reference to certain exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the disclosure as defined by the appended claims and their equivalents. Accordingly, the scope of the present disclosure should not be limited to the above-described embodiments, but should be defined not only by the appended claims, but also by equivalents thereof.
Claims (19)
1. A host log correlation and prediction method, comprising:
analyzing the log data to obtain first information and second information; wherein the log data comprises a plurality of messages, the first information is used for indicating the types of the messages, and the second information is used for indicating the generation time of the messages;
acquiring a time sequence array of the first message and the second message based on the first information and the second information;
normalizing the time sequence series of the first message and the second message;
judging the correlation between the first message and the second message according to the time sequence of the first message and the second message after normalization processing;
if the two are correlated, the message with the later time sequence is predicted according to the message with the earlier time sequence.
2. The method of claim 1, wherein the determining the correlation between the first message and the second message according to the normalized time sequence number of the first message and the second message comprises:
calculating the offset distance between the first message and the second message according to the time sequence of the first message and the second message after the normalization processing;
and judging the correlation between the first message and the second message according to the offset distance.
3. The method of claim 2, wherein the offset distance between the first message and the second message satisfies the following relationship:
wherein, when d > 0,
when d < 0,
where DXY is the offset distance between the first message and the second message, d is the time offset of the second message relative to the first message, F1(X) is the normalized time sequence series of the first message, F1(Y + d) is the normalized time sequence series of the second message, D′(F1(X), F1(Y + d)) is the Euclidean distance between the normalized time sequence series of the first message and the normalized time sequence series of the second message, Nx1, …, Nxm are the respective items in the normalized time sequence series of the first message, Ny1, …, Nym are the respective items in the normalized time sequence series of the second message, and m is the number of items in the normalized time sequence series of the first message or the second message.
4. The method of claim 2, wherein said determining a correlation between the first message and the second message based on the offset distance comprises:
comparing the offset distance with a preset threshold value, and when the offset distance is smaller than the preset threshold value, regarding that the first message is related to the second message; and when the offset distance is not smaller than the preset threshold value, the first message and the second message are considered to be irrelevant.
5. The method of claim 3, wherein predicting the message that is later in time sequence from the message that is earlier in time sequence if the first message is related to the second message comprises:
judging the time sequence of the first message and the second message according to the time offset, wherein:
when the time offset is larger than zero, the time sequence of the first message is ahead, and the second message is predicted according to the first message;
and when the time offset is less than zero, the time sequence of the second message is ahead, and the first message is predicted according to the second message.
6. The method of claim 1, wherein the normalizing the time series of the first and second messages comprises:
mapping the time series of the first message and the second message to an interval [0, 1];
and extracting the change trend rule of the time sequence number series of the first message and the second message, eliminating the quantization difference, and acquiring the time sequence number series of the first message and the second message after normalization processing.
7. The method of claim 6, wherein the normalized time series of the first message and the second message satisfies the following relationship:
where F(I) is the time sequence series of the I-th message (I = 1, 2), F1(I) is the normalized time sequence series of the I-th message, min(F(I)) is the minimum value in the time sequence series of the I-th message, and max(F(I)) is the maximum value in the time sequence series of the I-th message.
8. The method of claim 1, wherein if the sequence of the normalized first message or the normalized second message results in a timing gap due to an offset, the timing gap is filled with zeros.
9. The method of claim 1, wherein the obtaining a time series of first and second messages based on the first and second information comprises:
dividing a preset time window into a plurality of time intervals according to the second information;
respectively acquiring the message quantity of the first message and the second message in each time interval according to the first information;
and respectively serializing the message quantity of the first message and the second message in each time interval into a time sequence of the first message and the second message.
10. A host log correlation and prediction apparatus, comprising:
the analysis module is used for analyzing the log data to acquire first information and second information; wherein the log data comprises a plurality of messages, the first information is used for indicating the types of the messages, and the second information is used for indicating the generation time of the messages;
the acquisition module is used for acquiring a time sequence array of the first message and the second message based on the first information and the second information;
the processing module is used for carrying out normalization processing on the time sequence series of the first message and the second message;
the judging module is used for judging the correlation between the first message and the second message according to the time sequence number sequence of the first message and the second message after normalization processing;
and the prediction module is used for predicting the message with the later time sequence according to the message with the earlier time sequence if the first message is related to the second message.
11. The apparatus of claim 10, wherein the judging module comprises:
a first judging module, configured to calculate the offset distance between the first message and the second message according to the normalized time series of the first message and the second message;
and a second judging module, configured to judge the correlation between the first message and the second message according to the offset distance.
12. The apparatus of claim 11, wherein the second judging module is further configured to compare the offset distance with a preset threshold to judge the correlation between the first message and the second message, wherein:
when the offset distance is smaller than the preset threshold, the first message and the second message are considered to be related;
and when the offset distance is not smaller than the preset threshold, the first message and the second message are considered to be unrelated.
13. The apparatus of claim 11, wherein the first judging module calculates the offset distance between the first message and the second message according to the following relationship:
wherein, when d > 0,
when d < 0,
wherein $D_{XY}$ is the offset distance between the first message and the second message, $d$ is the time offset of the second message relative to the first message, $F_1(X)$ is the time series of the first message after normalization, $F_1(Y+d)$ is the time series of the second message after normalization, $D'(F_1(X), F_1(Y+d))$ is the Euclidean distance between the normalized time series of the first message and the normalized time series of the second message, $N_{x1}, \ldots, N_{xm}$ are the values of the individual terms in the normalized time series of the first message, $N_{y1}, \ldots, N_{ym}$ are the values of the individual terms in the normalized time series of the second message, and $m$ is the number of terms in the normalized time series of the first message or the second message.
14. The apparatus of claim 13, wherein, if the first message and the second message are related, the prediction module is configured to determine the temporal order of the first message and the second message according to the time offset, and to predict the message that occurs later from the message that occurs earlier, wherein:
when the time offset is greater than zero, the first message occurs first, and the prediction module predicts the second message from the first message;
when the time offset is less than zero, the second message occurs first, and the prediction module predicts the first message from the second message.
15. The apparatus of claim 10, wherein the processing module comprises:
a first processing module, configured to map the time series of the first message and the second message onto the interval [0, 1];
and a second processing module, configured to extract the trend of variation of the time series of the first message and the second message, eliminate differences in magnitude, and obtain the normalized time series of the first message and the second message.
16. The apparatus of claim 10, wherein the normalized time series of the first message and the second message satisfies the following relationship:
wherein $F(I)$ is the time series of the $I$-th message ($I = 1, 2$), $F_1(I)$ is the time series of the $I$-th message after normalization, $\min(F(I))$ is the minimum value in the time series of the $I$-th message, and $\max(F(I))$ is the maximum value in the time series of the $I$-th message.
17. The apparatus of claim 10, wherein the processing module further comprises:
a third processing module, configured to fill the timing gap with zeros when shifting the normalized time series of the first message or the second message by an offset leaves a timing gap.
18. An electronic device comprising a processor and a memory, the memory having stored therein at least one instruction that is loaded and executed by the processor to perform operations performed by the method of any of claims 1-9.
19. A computer-readable storage medium having stored therein at least one instruction, which is loaded and executed by a processor to perform operations performed by the method of any one of claims 1-9.
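The pipeline the claims describe (per-interval counts, normalization onto [0, 1], zero-filled shifting, Euclidean distance against a threshold, and the sign of the offset choosing the predictor), as an added Python example that is not part of the patent. Because the formulas did not survive on this page, the min-max normalization and the search for the smallest distance over candidate offsets are assumptions, as are all function names, the message type names, the threshold and `max_shift`.

```python
import math

def time_series(events, msg_type, window, interval):
    """Claim 9: per-interval message counts for one type over the window."""
    n = window // interval
    counts = [0] * n
    for ts, mtype in events:
        if mtype == msg_type and 0 <= ts < n * interval:
            counts[ts // interval] += 1
    return counts

def normalize(series):
    """Min-max map onto [0, 1] (assumed form); a flat series becomes zeros."""
    lo, hi = min(series), max(series)
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v in series]

def shifted(series, d):
    """Value at t + d for each t; slots that fall outside are zero-filled."""
    m = len(series)
    return [series[t + d] if 0 <= t + d < m else 0.0 for t in range(m)]

def offset_distance(fx, fy, max_shift):
    """Assumed search: smallest Euclidean distance over |d| <= max_shift."""
    return min((math.dist(fx, shifted(fy, d)), d)
               for d in range(-max_shift, max_shift + 1))

def correlate(events, first, second, window, interval, threshold, max_shift):
    fx = normalize(time_series(events, first, window, interval))
    fy = normalize(time_series(events, second, window, interval))
    dist, d = offset_distance(fx, fy, max_shift)
    related = dist < threshold
    # d > 0: the first message leads and predicts the second; d < 0: reverse.
    predictor = None
    if related and d != 0:
        predictor = first if d > 0 else second
    return {"distance": dist, "offset": d, "related": related,
            "predictor": predictor}

# Constructed sample: per-minute counts over a 10-minute window.
COUNTS = {
    "auth_failure":   [0, 4, 2, 0, 0, 8, 2, 0, 0, 0],
    "account_locked": [0, 0, 0, 2, 1, 0, 0, 4, 1, 0],  # same shape, 2 min later
    "disk_warning":   [3, 0, 0, 3, 0, 0, 3, 0, 0, 3],  # unrelated periodic noise
}
EVENTS = [(60 * i + k, name) for name, c in COUNTS.items()
          for i, n in enumerate(c) for k in range(n)]

if __name__ == "__main__":
    print(correlate(EVENTS, "auth_failure", "account_locked", 600, 60, 0.5, 3))
    print(correlate(EVENTS, "auth_failure", "disk_warning", 600, 60, 0.5, 3))
```

Normalization is what lets the two series match even though the second has half the volume of the first; only the shape and the lag matter to the distance.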
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110416971.4A CN113110973B (en) | 2021-04-16 | 2021-04-16 | Host log association and prediction method and device, electronic equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113110973A (en) | 2021-07-13 |
| CN113110973B (en) | 2024-07-12 |
Family
ID=76718734
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110416971.4A Active CN113110973B (en) | 2021-04-16 | 2021-04-16 | Host log association and prediction method and device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113110973B (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113110973B (en) | 2024-07-12 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |