Log aggregation method, log aggregation equipment and computer program product
1. A log aggregation method is applied to a log aggregation system, and comprises the following steps:
collecting log information and generating a log ID corresponding to the log information, wherein a corresponding tracking ID is injected into the log information;
when the log information contains a pre-configured key field, establishing an index relationship between the key field and the log ID;
and aggregating and displaying the log information based on the corresponding relation between the tracking ID and the log information and/or the index relation.
2. The log aggregation method of claim 1, wherein the collecting log information step comprises:
intercepting and acquiring a node request and response log of the service system aiming at the service system butted by the log aggregation system by using a JAVA byte code enhancement mode, wherein the node request and response log is generated based on a full link tracking ID (identity) embedded point;
packaging the node request and response logs into a character string format to serve as log main body information;
acquiring a current tracking ID in a current acquisition thread as the tracking ID, and acquiring related parameter information of the main log information;
and packaging the log main body information, the related parameter information and the tracking ID into log information according to a preset format, and putting the log information into a log message queue to read the log information from the log message queue.
3. The log aggregation method according to claim 2, wherein before the step of establishing an index relationship between the key field and the log ID when the log information includes a preconfigured key field, the method further comprises:
judging whether the log information contains the key fields, wherein the key fields are single key fields or a plurality of key fields corresponding to different dimensions;
and if so, executing the step of establishing the index relationship between the key field and the log ID.
4. The log aggregation method of claim 3, wherein the determining whether the key field is included in the log information comprises:
judging whether the log main body information contains at least one key field by using a character string matching mode;
if the log main body information contains at least one key field, judging that the log information contains the key field;
and if the log main body information does not contain any key field, judging that the log information does not contain the key field.
5. The log aggregation method of claim 2, wherein the step of collecting log information is followed by further comprising:
judging whether the information type in the related parameter information is an abnormal type;
if yes, determining the log information as abnormal information, and generating an abnormal alarm based on the abnormal information so as to push the abnormal alarm to a corresponding handler terminal;
and if not, executing the step of generating the log ID corresponding to the log information.
6. The log aggregation method as claimed in claim 1, wherein the step of basing the correspondence between the tracking ID and the log information and/or the indexing relationship is preceded by further comprising:
when a log retrieval instruction is received, determining a retrieval word based on the log retrieval instruction, wherein the retrieval word comprises the key field, the log ID and/or the tracking ID;
when the search term is the key field, the step of displaying the log information in an aggregation manner based on the corresponding relationship between the tracking ID and the log information and/or the index relationship comprises:
determining all log IDs associated with the key fields in the full life cycle range of the services corresponding to the key fields according to the index relation;
and acquiring the log information corresponding to all the log IDs associated with the key fields so as to display the log information corresponding to all the log IDs in an aggregation manner.
7. The log aggregation method of claim 1, wherein the step of establishing an indexed relationship between the key field and the log ID comprises:
and establishing an index according to the key field, and storing the association relation between the key field and the log ID into a database according to a data structure of a key value pair.
8. The log aggregation method of any one of claims 1-7, wherein the step of basing the correspondence between the tracking ID and the log information and/or the indexing relationship is preceded by:
and storing the log information to a specified storage engine according to the log ID.
9. A log aggregation device, characterized in that the log aggregation device comprises: memory, a processor and a log aggregation program stored on the memory and executable on the processor, the log aggregation program when executed by the processor implementing the steps of the log aggregation method as claimed in any one of claims 1 to 8.
10. A computer program product, characterized in that the computer program product comprises a computer program which, when being executed by a processor, realizes the steps of the log aggregation method according to any one of claims 1 to 8.
Background
With the rapid development of internet information technology, more and more log files are generated in the daily operation process of a business system. The existing technical solutions for managing logs mainly include ELK (elastic search, logstack, kibana) and full link monitoring. The ELK is mainly used for realizing log collection and log display functions in a distributed scene, and the full-link monitoring scheme is mainly used for realizing a monitoring function of a call chain of a next request in the distributed scene.
However, the ELK is only a log collection system, and does not have a full link monitoring function, nor does it support log aggregation, but the current full link monitoring scheme aggregates logs by tracking IDs, so that it can only be guaranteed that logs of one request are aggregated according to tracking IDs, that is, it is limited to aggregating logs of one request, for the case that multiple requests contain the same service, such as order flow similar to e-commerce platform and the job order lifecycle log monitoring scene based on job order scheduling scene, one order or job order will go through process request nodes such as production, scheduling, dispatching, auditing, etc. many times, only the log of one of the process nodes can be seen through one tracking ID, and all logs of the full lifecycle cannot be queried, thus reflecting: the existing log aggregation mode has the problem that the aggregation capability is not high enough and the log search query requirement is difficult to meet.
Disclosure of Invention
The invention mainly aims to provide a log aggregation method, log aggregation equipment and a computer program product, and aims to solve the technical problems that the aggregation capability of the existing log aggregation mode is not high enough and the log search query requirements are difficult to meet.
In order to achieve the above object, the present invention provides a log aggregation method, where the log aggregation method is applied to a log aggregation system, and the log aggregation method includes:
the log aggregation method is applied to a log aggregation system, and comprises the following steps:
collecting log information and generating a log ID corresponding to the log information, wherein a corresponding tracking ID is injected into the log information;
when the log information contains a pre-configured key field, establishing an index relationship between the key field and the log ID;
and aggregating and displaying the log information based on the corresponding relation between the tracking ID and the log information and/or the index relation.
Optionally, the step of collecting log information includes:
intercepting and acquiring a node request and response log of the service system aiming at the service system butted by the log aggregation system by using a JAVA byte code enhancement mode, wherein the node request and response log is generated based on a full link tracking ID (identity) embedded point;
packaging the node request and response logs into a character string format to serve as log main body information;
acquiring a current tracking ID in a current acquisition thread as the tracking ID, and acquiring related parameter information of the main log information;
and packaging the log main body information, the related parameter information and the tracking ID into log information according to a preset format, and putting the log information into a log message queue to read the log information from the log message queue.
Optionally, when the log information includes a preconfigured key field, before the step of establishing an index relationship between the key field and the log ID, the method further includes:
judging whether the log information contains the key fields, wherein the key fields are single key fields or a plurality of key fields corresponding to different dimensions;
and if so, executing the step of establishing the index relationship between the key field and the log ID.
Optionally, the step of determining whether the log information includes the key field includes:
judging whether the log main body information contains at least one key field by using a character string matching mode;
if the log main body information contains at least one key field, judging that the log information contains the key field;
and if the log main body information does not contain any key field, judging that the log information does not contain the key field.
Optionally, after the step of collecting log information, the method further includes:
judging whether the information type in the related parameter information is an abnormal type;
if yes, determining the log information as abnormal information, and generating an abnormal alarm based on the abnormal information so as to push the abnormal alarm to a corresponding handler terminal;
and if not, executing the step of generating the log ID corresponding to the log information.
Optionally, before the step of based on the correspondence between the tracking ID and the log information and/or the indexing relationship, the method further includes:
when a log retrieval instruction is received, determining a retrieval word based on the log retrieval instruction, wherein the retrieval word comprises the key field, the log ID and/or the tracking ID;
when the search term is the key field, the step of displaying the log information in an aggregation manner based on the corresponding relationship between the tracking ID and the log information and/or the index relationship comprises:
determining all log IDs associated with the key fields in the full life cycle range of the services corresponding to the key fields according to the index relation;
and acquiring the log information corresponding to all the log IDs associated with the key fields so as to display the log information corresponding to all the log IDs in an aggregation manner.
Optionally, the step of establishing an index relationship between the key field and the log ID includes:
and establishing an index according to the key field, and storing the association relation between the key field and the log ID into a database according to a data structure of a key value pair.
Optionally, before the step of based on the correspondence between the tracking ID and the log information and/or the indexing relationship, the method further includes:
and storing the log information to a specified storage engine according to the log ID.
In addition, to achieve the above object, the present invention further provides a log aggregation system, including:
the log information acquisition module is used for acquiring log information and generating a log ID corresponding to the log information, wherein a corresponding tracking ID is injected into the log information;
the index relation establishing module is used for establishing the index relation between the key field and the log ID when the log information contains the pre-configured key field;
and the log aggregation display module is used for aggregating and displaying the log information based on the corresponding relation between the tracking ID and the log information and/or the index relation.
In addition, to achieve the above object, the present invention further provides a log aggregation device, including: a memory, a processor and a log aggregation program stored on the memory and executable on the processor, the log aggregation program when executed by the processor implementing the steps of the log aggregation method as described above.
Further, to achieve the above object, the present invention also provides a computer readable storage medium having stored thereon a log aggregation program, which when executed by a processor, implements the steps of the log aggregation method as described above.
Furthermore, to achieve the above object, the present invention also provides a computer program product comprising a computer program which, when being executed by a processor, realizes the steps of the log aggregation method as described above.
According to the invention, by pre-configuring the key field and establishing the index between the key field and the log ID when the log information injected with the tracking ID contains the key field, the system can cross service and cross request, and supports wider index establishment in time dimension and space dimension; the log information containing the tracking ID is stored through the corresponding log ID, so that when subsequent searching and querying are needed, the log information can be directly queried according to the log ID, multiple pieces of related log information can be queried according to the tracking ID, meanwhile, the system can also associate the key fields with the tracking ID through the log ID, log retrieval and display with higher level and wider dimension are realized, even under the situation that multiple participants carry out multiple service requests for the same service, the system can also display the related log information of the same service on multiple process nodes based on the key fields by only configuring the appropriate key fields in advance to associate the same key fields with multiple requests in a distributed scene, thereby greatly improving the log aggregation capability and solving the problem that the aggregation capability of the existing log aggregation mode is not high enough, the technical problem that the requirement of log search query is difficult to meet is solved.
Drawings
FIG. 1 is a schematic diagram of an apparatus architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a log aggregation method according to a first embodiment of the present invention;
FIG. 3 is a system architecture diagram illustrating a log aggregation method according to a second embodiment of the present invention;
fig. 4 is a functional block diagram of the log aggregation system according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
With the rapid development of internet information technology, more and more log files are generated in the daily operation process of a business system. The existing technical solutions for managing logs mainly include ELK (elastic search, logstack, kibana) and full link monitoring. The ELK is mainly used for realizing log collection and log display functions in a distributed scene, and the full-link monitoring scheme is mainly used for realizing a monitoring function of a call chain of a next request in the distributed scene.
However, the ELK is only a log collection system, and does not have a full link monitoring function, nor does it support log aggregation, but the current full link monitoring scheme aggregates logs by tracking IDs, so that it can only be guaranteed that logs of one request are aggregated according to tracking IDs, that is, it is limited to aggregating logs of one request, for the case that multiple requests contain the same service, such as order flow similar to e-commerce platform and the job order lifecycle log monitoring scene based on job order scheduling scene, one order or job order will go through process request nodes such as production, scheduling, dispatching, auditing, etc. many times, only the log of one of the process nodes can be seen through one tracking ID, and all logs of the full lifecycle cannot be queried, thus reflecting: the existing log aggregation mode has the problem that the aggregation capability is not high enough and the log search query requirement is difficult to meet.
In order to solve the technical problem, the invention configures the key field in advance, and establishes the index between the key field and the log ID when the log information injected with the tracking ID contains the key field, so that the system can cross-service and cross-request, and support wider index establishment in time dimension and space dimension; the log information containing the tracking ID is stored through the corresponding log ID, so that when subsequent searching and querying are needed, the log information can be directly queried according to the log ID, multiple pieces of related log information can be queried according to the tracking ID, meanwhile, the system can also associate the key fields with the tracking ID through the log ID, log retrieval and display with higher level and wider dimensionality are realized, even under the situation that multiple participants make multiple requests for the same service, the system can also display the related log information of the same service on multiple process nodes based on the key fields by only configuring the appropriate key fields in advance to associate the same key fields with the multiple requests in a distributed scene, thereby greatly improving the log aggregation capability and solving the problem that the aggregation capability of the existing log aggregation mode is not high enough, the technical problem that the requirement of log search query is difficult to meet is solved.
As shown in fig. 1, fig. 1 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the log aggregation system may include: a processor 1001, such as a CPU, a user interface 1003, a network interface 1004, a memory 1005, a communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration of the apparatus shown in fig. 1 is not intended to be limiting of the apparatus and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a log aggregation program.
In the device shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client (programmer's end) and performing data communication with the client; and the processor 1001 may be configured to call a log aggregation program stored in the memory 1005 and perform operations in the log aggregation method described below.
Based on the above hardware structure, the embodiment of the log aggregation method of the present invention is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a log aggregation method according to a first embodiment of the present invention. The log aggregation method is applied to a log aggregation system and comprises the following steps of;
step S10, collecting log information and generating a log ID corresponding to the log information, wherein a corresponding tracking ID is injected into the log information;
in this embodiment, a service platform generally generates a large amount of log data every day, and the log information refers to log data generated by a service system daily collected by the log aggregation system (hereinafter referred to as system) from one or more service systems. The log information can be collected in various ways, and a non-intrusive collection way for a native business system is generally adopted. The log ID refers to an identity corresponding to the log information, and specifically may be an identity uniquely corresponding to each log information, and is generated by the system for each log information after the log information is collected.
The log ID may be generated by generating a random string of a certain length, and then combining the random string with the current timestamp (random string + current timestamp), or combining the random string with a log type (the log type may be a request type, a return type, an exception type, or the like) corresponding to the log information (random string + log type), or combining the random string with a corresponding log type and a current timestamp (random string + log type + current timestamp) as a log ID uniquely corresponding to the log information.
The trace ID is also the traceId, which is typically generated by the first server through which the request is received, and the generation rule is: server IP + time of ID generation + self-increment sequence + current process number. It should be noted that, in the process of collecting log information, the system needs to first determine whether a traceId exists in the current thread, and if the traceId exists in the current thread, the existing traceId is used to package the log; if the current thread does not have a traceId, the system generates a traceId (specifically, the traceId can be generated by a universally unique identifier UUID), writes the traceId into a diagnosis context Map (MDC) of a payload (an open source log component), and then passes the diagnosis context Map (MDC) to the current thread to ensure that each request in the distributed system is marked by a globally unique traceId.
Step S20, when the log information contains a pre-configured key field, establishing an index relationship between the key field and the log ID;
in this embodiment, the key field refers to a field that has been configured in advance, and the user may configure any key field according to actual requirements, for example, an order number and a work order number may be defined as the key field. The key fields can be configured in one or more number, can be configured based on one dimension, and can be configured based on a plurality of different dimensions. The index relationship refers to the association relationship between the log ID and the key fields, one log ID can be associated with one or more key fields, and one key field can also be associated with one or more different log IDs.
Specifically, after collecting certain log information, the system analyzes the certain log information, and calls one or more pre-configured key fields to determine whether the log information contains the pre-configured key fields. For example, if the key field is a specific work order number, the system determines whether the log information contains the work order number. If the system judges that the log information contains the work order number, the log information is the log information related to the work order corresponding to the work order number, and the preset condition is met, the association relationship between the work order number and the log ID corresponding to the log information is established, if other log information containing the work order number is collected in other requests after the request, other corresponding log IDs are also associated with the work order number, and therefore one work order number is associated with the log ID of the log information corresponding to the whole process node, such as generation, scheduling, dispatching, returning, checking, finishing and the like of the same work order. If the system judges that the log information does not contain the work order number, the log information is the log information irrelevant to the work order, and the next log is continuously judged without establishing the corresponding relation between the corresponding ID of the log information and the work order number.
Step S30, aggregating and displaying the log information based on the corresponding relationship between the tracking ID and the log information and/or the index relationship.
In this embodiment, after the system stores the log information and the index relationship, the user may search the log information through the log ID, the traceId, or the key field. For example, if the user inputs a specific log ID, the system finds the log information corresponding to the log ID as a search result according to the log ID; if the user inputs the preconfigured key field, the system finds all log IDs associated with the currently input key field of the user according to the index relationship between the key field and the log IDs, and then calls log information corresponding to all the log IDs as a retrieval result; of course, the user may also search for multiple log information of the same thread according to the traceId, and the search result obtained by the system according to the traceId may also include log information unrelated to the service only because the traceId is an identifier unrelated to the service.
It should be noted that the system can establish an index between the key field and the log ID through the above steps, has strong expansibility, occupies less storage space, and can improve the log retrieval efficiency, and further associates the key field and the traceId through the log ID, so that the log retrieval and display with higher level and wider dimension can be realized, and the system has better user experience and problem solving capability for research and development, operation and maintenance, operation, products and tests.
The embodiment provides a log aggregation method. The log aggregation method comprises the steps of collecting log information and generating a log ID corresponding to the log information, wherein a corresponding tracking ID is injected into the log information; when the log information contains a pre-configured key field, establishing an index relationship between the key field and the log ID; and aggregating and displaying the log information based on the corresponding relation between the tracking ID and the log information and/or the index relation. In the embodiment, by configuring the key field in advance and establishing the index between the key field and the log ID when the log information injected with the tracking ID contains the key field, the system can cross services and cross requests and support wider index establishment in time dimension and space dimension; the log information containing the tracking ID is stored through the corresponding log ID, so that when subsequent searching and querying are needed, the log information can be directly queried according to the log ID, multiple pieces of related log information can be queried according to the tracking ID, meanwhile, the system can also associate the key fields with the tracking ID through the log ID, log retrieval and display with higher level and wider dimensionality are realized, even under the situation that multiple participants make multiple requests for the same service, the system can also display the related log information of the same service on multiple process nodes based on the key fields by only configuring the appropriate key fields in advance to associate the same key fields with the multiple requests in a distributed scene, thereby greatly improving the log aggregation capability and solving the problem that the aggregation capability of the existing log aggregation mode is not high enough, the technical problem that the requirement of log search query is difficult to meet is solved.
Further, based on the first embodiment shown in fig. 2, a second embodiment of the log aggregation method of the present invention is proposed. In this embodiment, the step of collecting log information includes:
step S11, intercepting and acquiring a node request and response log of the service system aiming at the service system butted by the log aggregation system by using a JAVA bytecode-enhanced mode, wherein the node request and response log is generated based on a full link tracking ID (identity) embedded point;
step S12, packaging the node request and response logs into a character string format as log main body information;
step S13, acquiring the current tracking ID in the current acquisition thread as the tracking ID, and acquiring the related parameter information of the main log information;
step S14, packaging the log body information, the relevant parameter information, and the tracking ID into the log information according to a preset format, and placing the log information into a log message queue to read the log information from the log message queue.
In this embodiment, the system is fully compatible and covers the core function of full link log monitoring, which is equivalent to the superset and extension thereof, and integrates the functions of non-intrusive log collection and traceId burial point in full link log monitoring. As a specific embodiment, the system comprises a log collection agent module, a real-time monitoring module, an index module and a storage module. As shown in figure 3 of the drawings,
the log collection agent module is realized by using a java byte code enhancement technology, and the spring aop technology is used for compiling the section class. The business system interface and method are intercepted through the configuration expression, the input parameters and the return results (namely the node request and response logs) of the interface and method are obtained, and the input parameters and the return results are packaged into a character string format to be used as log main body information without a log copying process. And simultaneously acquiring the current server IP address, the system timestamp, the interface URL, the method name and the current operation type as the relevant parameter information, adding a traceId for packaging, and compiling into an agent. Specifically, the JSON format is as in table 1:
name of field
Type of field
Remarks for note
type
Int
1 request, 2 Return, 3 Exception
msg
String
Log information
url
String
Interface url
method
String
Interface method name
serverIp
String
IP address of server
traceId
String
Tracking id
timestamp
Long
System current time stamp
TABLE 1
And the log collection agent module asynchronously sends the agent. jar files of each service to a message queue of kafka (a distributed, high-throughput and high-expansibility message queue system) so as to ensure that the influence on the performance of the native business system is minimum.
The real-time monitoring module reads the log information from the kafka message queue, analyzes the log information, calls the log storage module after analyzing the log information in the json format to store the log information, and can be specifically stored by adopting an open source scheme, wherein the storage engine of the elastic search supports distributed cluster deployment and functions of accurate retrieval according to id, full-text retrieval and the like. An interface is directly called to inquire certain log information through a specific log id, and a plurality of pieces of related log information can be inquired according to the traceId. When storing, the corresponding log id is generated first, and then whether the current log information contains the key field is judged according to the configured key field name. If the index is contained, establishing the index and storing the index relation in the Redis system, otherwise, ending the process.
When a log query request is received, the system realizes query index and return index through a key-value storage system of Redis, and then queries log information of the whole life cycle according to the index so as to display the log information meeting the retrieval condition in an aggregation manner. In addition, the system can also comprise an offline analysis and statistics module Hive for realizing the offline analysis and statistics function of the log information. Hive uses a hadoop distributed file system HDFS, and a Hive data warehouse tool can map a structured data file into a database table, provide an SQL query function and convert an SQL statement into a MapReduce task to execute. Hive has the advantages of low learning cost and capability of realizing rapid MapReduce statistics through similar SQL sentences.
It should be noted that the present invention collects the log not at the gateway layer but locally at the specific application node.
In the prior art, most of the implementations of either ELK or full link log monitoring collect log files and system logs, and a large amount of invalid logs are contained in the system. Such as the logs of the open source framework spring used and the servlet logs of javaEE, which occupy a large amount of storage and computing resources of the service system. Still another problem is that different module developers in a distributed environment may come from different teams, or different developers in a team, and the format and specification of the logs printed by these people may be different, which may cause redundancy or loss of part of the key business logs. In the embodiment, a java byte code technology is used for intercepting the request and the response of the interface and the method, outputting the request parameter and the response text as the main log (namely, the log source is the request parameter and the response information of the interface and the method), and adding the server IP, the interface address, the method name, the timestamp and the log type instead of modifying or reading the application system log. All log formats can be standardized and unified, the pertinence of information collection is strong, computing and storage resources are not wasted, and all key service information is contained in the requests and the responses.
Further, before step S20, the method further includes:
step A1, judging whether the log information contains the key fields, wherein the key fields are single key fields or a plurality of key fields corresponding to different dimensions;
step a2, if yes, executing the step of establishing the index relationship between the key field and the log ID.
In this embodiment, the key field may refer to a key field with a single dimension, or may refer to a plurality of key fields with different dimensions. After the system collects the log information, the log information needs to be analyzed, and then whether the log information contains the pre-configured key fields or not is judged. If the system judges that the log information contains key fields, the subsequent index establishing step is further executed; if the system judges that the log information does not contain the key field, the system continues to judge the next log information.
In the embodiment, the index is established based on the key field, instead of using the service-independent identification de-aggregation log such as the traceId, the generation rule and the use rule of the traceId do not need to be considered, the ambiguity caused by aggregating the unrelated service logs together due to improper use is avoided, meanwhile, the key field supports multiple fields, the establishment of the multi-dimensional index can be supported, and the contribution to specific services is the support of the multi-dimensional search log.
Further, the step a1 includes:
step A11, judging whether the main log information contains at least one key field by using a character string matching mode;
step A12, if the main log information contains at least one key field, determining that the main log information contains the key field;
step a13, if the log body information does not include any of the key fields, determining that the log information does not include the key fields.
In this embodiment, the system performs key field matching in a character string matching manner for the log details in the log information. Taking the key fields as a plurality of fields as an example, the system judges whether the current log information contains one or more fields; if the log information contains one or more fields, the system judges that the log information contains key fields, and then establishes an association relation between the contained key fields and the log ID corresponding to the log information; if the log information does not contain any field in the fields, the system judges that the log information does not contain the key field.
The embodiment realizes the log details in the formatted log by a character string matching mode, and the matching mode is simpler and easier than other modes based on regular expressions and the like.
Further, after the step of collecting log information, the method further includes:
step B1, judging whether the information type in the related parameter information is an abnormal type;
step B2, if yes, determining the log information as abnormal information, and generating an abnormal alarm based on the abnormal information so as to push the abnormal alarm to a corresponding handler terminal;
in step B3, if not, a step of generating a log ID corresponding to the log information is performed.
In this embodiment, while performing string matching on the log body, the system may also check the log type field in the log information to determine whether the log information type is an abnormal type (for example, if it is detected that type is 3, it indicates that the log information is an abnormal type). If the system judges that the current log information is of an abnormal type, a mail function or a short message function can be called to inform the interface person to process; and if the system judges that the current log information is not in the abnormal type, continuing to execute the subsequent steps.
In this embodiment, by setting the real-time alarm function, the system can notify the corresponding processing personnel of the log information of the abnormal type in time, so that the processing personnel can process the log information in time.
Further, based on the first embodiment shown in fig. 2, a third embodiment of the log aggregation method of the present invention is proposed. In this embodiment, before step S30, the method further includes:
step C1, when a log retrieval instruction is received, determining a retrieval word based on the log retrieval instruction, wherein the retrieval word comprises the key field, the log ID and/or the tracking ID;
when the search term is the key field, step S40 includes:
step S31, determining all log IDs associated with the key fields in the full life cycle range of the services corresponding to the key fields according to the index relationship;
step S32, acquiring the log information corresponding to all the log IDs associated with the key field, so as to perform aggregate display on the log information corresponding to all the log IDs.
In this embodiment, when a user performs a log search through the system, a search term is usually input first. The term may be one or more of a key field, a log ID, and a tracking ID. If the key field is input, the system can display one or more pieces of log information associated with the key field in an aggregation manner based on the index relation; if the traceId is input, the system can search and display a plurality of pieces of log information related to the traceId; if the log ID is input, the system can directly determine the log information corresponding to the log ID; if the key field and the traceId are input, the system can determine one or more pieces of log information containing the key field from a plurality of pieces of log information associated with the traceId, and the log information is displayed to the user as a final retrieval result.
The embodiment does not just add one trace id by aggregating key fields. The trace id can only trace the log of one request, and the key field can index the logs of different time and different space, that is, the aggregation can span the time and space dimensions, and is not limited to one request or multiple requests.
Further, the step of establishing an index relationship between the key field and the log ID includes:
and step S21, establishing an index according to the key field, and storing the association relation between the key field and the log ID into a database according to a data structure of a key value pair.
In this embodiment, the system stores the association relationship between the key field and the log ID by using a key value pair structure, where key is the key field and value is an array in which log IDs are sorted in ascending order of time. That is, the last aggregated data structure is a key-value pair. The indexes between the key fields and the log id have strong expansibility and occupy less storage space, so that the log retrieval efficiency can be further improved. Typically the system will store key-value pair data in a Redis database.
Further, before step S30, the method further includes:
and storing the log information to a specified storage engine according to the log ID.
In this embodiment, an open source scheme, namely, an elastic search, can be used to store log information, the system stores the log information into a storage engine, namely, the elastic search, according to a log ID, and the elastic search supports functions of distributed cluster deployment, accurate search according to an ID, full-text search, and the like. The user can directly call an interface to inquire certain log information through a specific log ID, and also can inquire a plurality of pieces of related log information according to the traceId.
As shown in fig. 4, the present invention further provides a log aggregation system, which includes:
the log information acquisition module 10 is configured to acquire log information and generate a log ID corresponding to the log information, where a corresponding tracking ID is injected into the log information;
an index relationship establishing module 20, configured to establish an index relationship between the key field and the log ID when the log information includes a preconfigured key field;
and a log aggregation display module 30, configured to display the log information in an aggregation manner based on the corresponding relationship between the tracking ID and the log information and/or the index relationship.
Optionally, the log information collecting module 10 includes:
a service system intercepting unit, configured to intercept, by using a JAVA bytecode-enhanced manner, a node request and response log that is obtained from the service system for a service system to which the log aggregation system is docked, where the node request and response log is generated based on a full-link tracking ID embedding point;
a main body information acquisition unit, configured to encapsulate the node request and response logs into a string format to serve as log main body information;
an ID parameter obtaining unit, configured to obtain a current tracking ID in a current acquisition thread as the tracking ID, and obtain parameter information related to the log main information;
and the log information reading unit is used for packaging the log main body information, the related parameter information and the tracking ID into the log information according to a preset format, and putting the log information into a log message queue so as to read the log information from the log message queue.
Optionally, the log aggregation system further includes:
a key field determining unit, configured to determine whether the log information includes the key field, where the key field is a single key field or multiple key fields corresponding to different dimensions;
and the key field judging unit is used for executing the step of establishing the index relationship between the key field and the log ID if the key field is judged to be the key field.
Optionally, the key field determining unit is further configured to:
judging whether the log main body information contains at least one key field by using a character string matching mode;
if the log main body information contains at least one key field, judging that the log information contains the key field;
and if the log main body information does not contain any key field, judging that the log information does not contain the key field.
Optionally, the log aggregation system further includes:
the abnormal type judging module is used for judging whether the information type in the related parameter information is an abnormal type;
the abnormal alarm pushing module is used for determining the log information as abnormal information if the log information is abnormal, and generating an abnormal alarm based on the abnormal information so as to push the abnormal alarm to a corresponding handler terminal;
and the abnormal type eliminating module is used for executing the step of generating the log ID corresponding to the log information if the abnormal type eliminating module does not exist.
Optionally, the log aggregation system further includes:
the log retrieval determining module is used for determining a retrieval word based on a log retrieval instruction when the log retrieval instruction is received, wherein the retrieval word comprises the key field, the log ID and/or the tracking ID;
when the search term is the key field, the log aggregation display module 30 includes:
the log ID determining unit is used for determining all log IDs associated with the key fields in the full life cycle range of the services corresponding to the key fields according to the index relationship;
and the log aggregation display unit is used for acquiring the log information corresponding to all the log IDs associated with the key fields so as to perform aggregation display on the log information corresponding to all the log IDs.
Optionally, the index relationship establishing module 20 includes:
and the index establishing and storing unit is used for establishing an index according to the key field and storing the association relation between the key field and the log ID into a database according to a data structure of a key value pair.
Optionally, the log aggregation system further includes:
and the log information storage module is used for storing the log information to a specified storage engine according to the log ID.
The invention also provides log aggregation equipment.
The log aggregation device comprises a processor, a memory and a log aggregation program stored on the memory and capable of running on the processor, wherein the log aggregation program realizes the steps of the log aggregation method when being executed by the processor.
The method implemented when the log aggregation program is executed may refer to each embodiment of the log aggregation method of the present invention, and details are not described here.
The invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention has stored thereon a log aggregation program, which when executed by a processor implements the steps of the log aggregation method as described above.
The method implemented when the log aggregation program is executed may refer to each embodiment of the log aggregation method of the present invention, and details are not described here.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of the log aggregation method as described above.
The method implemented when the computer program is executed may refer to each embodiment of the log aggregation method of the present invention, and details are not described here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.