A data processing system for obtaining log analysis results

By automating the generation of log analysis rules through the data processing system, the problems of high workload and low accuracy in manual log analysis have been solved, achieving efficient and accurate log analysis.

CN115589357B · Active · Publication Date: 2026-06-30 · HANGZHOU GUYI NETWORK TECH CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: HANGZHOU GUYI NETWORK TECH CO LTD
Filing Date: 2022-10-10
Publication Date: 2026-06-30

AI Technical Summary

Technical Problem

Existing log analysis methods suffer from high workload, low accuracy, and low efficiency when dealing with large volumes of logs.

Method used

A data processing system is used to automatically generate log analysis rules through a database and processor, including a list of preset log rule IDs and computer programs, to achieve comparison and analysis of log rules.

Benefits of technology

It improves the accuracy and efficiency of log analysis and reduces the error rate of manual analysis.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention provides a data processing system for obtaining log analysis results. The system includes a database, a processor, and a memory storing a computer program. When the computer program is executed by the processor, it performs the following steps: obtaining a first log rule identifier list and a first log rule corresponding to each first log rule identifier; obtaining a target log rule identifier and a target log rule corresponding to the target log rule identifier; comparing the target log rule with the first log rule to determine a final log rule list; and analyzing the target log based on the final log rule list to obtain the analysis results of the target log. Therefore, this invention can automatically generate log analysis rules for log analysis, thereby improving the accuracy and efficiency of the analysis.

Description

Technical Field

[0001] This invention relates to the field of log analysis technology, and in particular to a data processing system for obtaining log analysis results.

Background Technology

[0002] Most existing log analysis methods are manual. Nowadays, with the rapid development of IoT technology, various industries can apply IoT technology. When a device malfunctions, logs are uploaded to a server via IoT, and technicians retrieve the logs from the server and analyze them manually.

[0003] However, the above methods also have the following technical problems:

[0004] When there are a large number of logs, manual analysis is relatively labor-intensive, and errors can occur, resulting in low accuracy and efficiency in log analysis.

Summary of the Invention

[0005] To address the aforementioned technical problems, the technical solution adopted by this invention is as follows:

[0006] A data processing system for obtaining log analysis results includes a database, a processor, and a memory storing computer programs. The database includes a list of preset log rule IDs and preset log rules corresponding to those IDs. When the computer program is executed by the processor, the following steps are performed:

[0007] S100. Obtain the list of first log rule IDs and the first log rule corresponding to each first log rule ID.

[0008] S200. Obtain the target log rule ID and the target log rule corresponding to the target log rule ID. The target log rule ID is different from each of the first log rule IDs in the first log rule ID list.

[0009] S300. Compare the target log rule with the first log rule to determine the final log rule list.

[0010] S400. Analyze the target log according to the final log rule list to obtain the analysis results of the target log.

[0011] The present invention has at least the following beneficial effects:

[0012] This invention provides a data processing system for obtaining log analysis results. The system includes a database, a processor, and a memory storing a computer program. When the computer program is executed by the processor, it performs the following steps: obtaining a first log rule ID list and a first log rule corresponding to each first log rule ID; obtaining a target log rule ID and a target log rule corresponding to the target log rule ID; comparing the target log rule with the first log rule to determine a final log rule list; and analyzing the target log based on the final log rule list to obtain the analysis results of the target log. Therefore, this invention can automatically generate log analysis rules for log analysis, thereby improving the accuracy and efficiency of the analysis.

Attached Figure Description

[0013] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0014] Figure 1 is a flowchart illustrating the execution of a computer program in a data processing system for obtaining log analysis results, as provided in an embodiment of the present invention.

Detailed Implementation

[0015] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0016] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or server that includes a series of steps or modules is not necessarily limited to those explicitly listed, but may include other steps or modules not explicitly listed or inherent to such processes, methods, products, or devices.

[0017] This invention provides a data processing system for obtaining log analysis results. The system includes a database, a processor, and a memory storing a computer program. The database includes a list of preset log rule IDs and preset log rules corresponding to the preset log rule IDs. When the computer program is executed by the processor, it performs the following steps, as shown in Figure 1:

[0018] S100. Obtain the list of first log rule IDs and the first log rule corresponding to each first log rule ID.

[0019] Specifically, the first log rule ID is the unique identifier of the first analysis rule.

[0020] Specifically, step S100 also includes the following steps:

[0021] S101, obtain the list of preset log rule IDs and the preset log rule corresponding to each preset log rule ID.

[0022] Specifically, the preset log rule ID is a unique identifier for the preset log rule; for example, the preset log rule ID is the name corresponding to the preset log rule.

[0023] Furthermore, the preset log rules are characterized as pre-set analysis rules for analyzing device logs.

[0024] S103, according to the preset log rule ID list, obtain the first intermediate log rule ID and the second intermediate log rule ID list corresponding to the first intermediate log rule ID, wherein the second intermediate log rule ID list includes a plurality of second intermediate log rule IDs.

[0025] Specifically, any preset log rule ID is randomly selected from the preset log rule ID list as the first intermediate log rule ID.

[0026] Specifically, any preset log rule ID other than the first intermediate log rule ID in the preset log rule ID list is used as the second intermediate log rule ID.

[0027] S105, Based on the first intermediate log rule ID, obtain the first intermediate log rule corresponding to the first intermediate log rule ID;

[0028] S107, Based on the second intermediate log rule ID list, obtain the second intermediate log rule list corresponding to the second intermediate log rule ID list;

[0029] S109, Obtain the first log rule ID list based on the first intermediate log rule and the second intermediate log rule list.

[0030] The above-mentioned method can identify duplicate rules by using the first intermediate log rule list and the second intermediate log rule list, thereby avoiding duplicate statistics on the same abnormal situation in the logs and improving efficiency.

[0031] Specifically, step S109 also includes the following steps:

[0032] S1091. Based on the first intermediate log rule, obtain the first sub-rule ID list $A = \{A_1, A_2, \ldots, A_i, \ldots, A_m\}$ corresponding to the first intermediate log rule and the first sub-rule vector list $A^0 = \{A^0_1, A^0_2, \ldots, A^0_i, \ldots, A^0_m\}$ corresponding to $A$, where $A_i$ is the ID of the i-th first sub-rule, $A^0_i$ is the first rule vector corresponding to $A_i$, $i = 1, 2, \ldots, m$, and $m$ is the number of first sub-rule IDs.

[0033] Specifically, the first sub-rule ID is the unique identifier of the first sub-rule.

[0034] Furthermore, the first rule vector is characterized as a vector used to describe any first sub-rule in the first intermediate log rule.

[0035] Preferably, the first sub-rule is an event matching rule or a statistical rule.

[0036] S1092, Based on the second intermediate log rule list, obtain the second sub-rule ID set $B = \{B_1, B_2, \ldots, B_j, \ldots, B_n\}$ corresponding to the second intermediate log rule list, where $B_j = \{B_{j1}, B_{j2}, \ldots, B_{ji}, \ldots, B_{jm}\}$ and $B_{ji}$ is the ID of the i-th second sub-rule corresponding to the j-th second intermediate log rule.

[0037] S1093, Based on $B$, obtain the second sub-rule vector set $B^0 = \{B^0_1, B^0_2, \ldots, B^0_j, \ldots, B^0_n\}$ corresponding to $B$, where $B^0_j = \{B^0_{j1}, B^0_{j2}, \ldots, B^0_{ji}, \ldots, B^0_{jm}\}$ and $B^0_{ji}$ is the second rule vector corresponding to $B_{ji}$.

[0038] Specifically, the second sub-rule ID is the unique identifier of the second sub-rule.

[0039] Furthermore, the second rule vector is characterized as a vector used to describe any second sub-rule in the second intermediate log rule.

[0040] Specifically, the first sub-rule IDs in $A$ are ordered in the same way as the sub-rule IDs in any $B_j$, which will not be described in detail here.

[0041] S1094, iterate through $A$ and, when $A_i = A'$, obtain $A^0_i$ and $B' = \{B^0_{1i}, B^0_{2i}, \ldots, B^0_{ji}, \ldots, B^0_{ni}\}$, where $A'$ is a preset sub-rule ID; those skilled in the art will know that any method in the prior art for determining that two IDs are equal is within the protection scope of this embodiment, and will not be described further here.

[0042] Specifically, the preset sub-rule ID is the preset rule name of the event matching rule.

[0043] S1095, according to $A^0_i$ and $B'$, obtain the first similarity set $F_i = \{F_{i1}, F_{i2}, \ldots, F_{ij}, \ldots, F_{in}\}$ corresponding to $A^0_i$, where $F_{ij}$ is the first similarity between $A^0_i$ and $B^0_{ji}$, and $F_{ij}$ meets the following conditions:

[0044] where $GA^{0\mu}_i$ is the bit value of the μ-th position in the rule vector corresponding to $A^0_i$,

[0045] $GB^{0\mu}_{ji}$ is the bit value of the μ-th position in the rule vector corresponding to $B^0_{ji}$, $\mu = 1 \ldots \varphi$, and $\varphi$ is the number of bits in the rule vector; those skilled in the art will know that any method of obtaining the rule vector in the prior art is within the protection scope of this embodiment, and will not be described in detail here.

[0046] S1096, when $F_{ij}$ = K0, delete $A$ from the preset log rule ID list and obtain the first log rule ID list, where K0 is the preset similarity threshold.

[0047] The above method removes duplicate rules based on the matching rules they contain, avoiding repeated statistics on the same abnormal situation in the logs and thereby improving efficiency.

[0048] S200. Obtain the target log rule ID and the target log rule corresponding to the target log rule ID. The target log rule ID is different from each first log rule ID in the first log rule ID list.

[0049] S300. Compare the target log rule with the first log rule to determine the final log rule list.

[0050] Specifically, step S300 includes the following steps:

[0051] S301, Obtain the target sub-rule ID list $V = \{V_1, V_2, \ldots, V_i, \ldots, V_m\}$ corresponding to the target log rule and the target sub-rule vector list $V^0 = \{V^0_1, V^0_2, \ldots, V^0_i, \ldots, V^0_m\}$ corresponding to $V$, where $V_i$ is the ID of the i-th target sub-rule and $V^0_i$ is the target sub-rule vector corresponding to $V_i$.

[0052] S303, when $V_i = A'$, $V^0_i$ is compared with the i-th rule vector in the key log rule corresponding to the first log rule.

[0053] Specifically, step S303 includes the following steps:

[0054] S3031. Based on the first log rule ID list, obtain the second log rule ID list and the third log rule ID list.

[0055] Step S3031 includes the following steps:

[0056] S30311, when $F_{ij}$ = K0, $B_j$ is used as the second intermediate log rule ID.

[0057] S30313, when $F_{ij}$ is not equal to K0, use $A$ as the first intermediate log rule ID and use it as the third log rule ID.

[0058] S3033. Based on the second log rule ID list, obtain the key log rule corresponding to the second log rule from the second log rule ID list.

[0059] S3033 includes the following steps to obtain critical log rules:

[0060] S30331, within a preset time period, obtain the initial log set $D = \{D_1, D_2, \ldots, D_r, \ldots, D_s\}$ corresponding to the second log rule ID, where $D_r = \{D_{r1}, D_{r2}, \ldots, D_{rg}, \ldots, D_{rz(r)}\}$, $D_{rg}$ is the g-th initial log corresponding to the r-th target device of the second log rule ID, $r = 1, 2, \ldots, s$, $s$ is the number of target device types, $g = 1, 2, \ldots, z(r)$, and $z(r)$ is the number of initial logs corresponding to the r-th target device.

[0061] Specifically, the target device refers to the network device being monitored, used to upload the logs corresponding to the second log rule ID.

[0062] Specifically, the initial log is the log after normalization processing of the log corresponding to the second log rule ID uploaded by the target device; those skilled in the art will know that any log normalization method in the prior art is within the protection scope of this embodiment, and will not be described in detail here.

[0063] S30333, Based on the preset time period, obtain the first time list $T = \{T_1, T_2, \ldots, T_x, \ldots, T_p\}$ corresponding to the preset time period, where $T_x$ is the x-th first time slice within the preset time period, $x = 1, 2, \ldots, p$, and $p$ is the number of first time slices within the preset time period.

[0064] S30335, within a preset time period, retrieve the log retrieval time list $TD = \{TD_1, TD_2, \ldots, TD_r, \ldots, TD_s\}$ corresponding to $D$, where $TD_r = \{TD_{r1}, TD_{r2}, \ldots, TD_{rg}, \ldots, TD_{rz(r)}\}$ and $TD_{rg}$ is the log retrieval time corresponding to $D_{rg}$.

[0065] S30337, Based on $T$ and $TD$, obtain the first log count list $SL = \{SL_1, SL_2, \ldots, SL_r, \ldots, SL_s\}$ corresponding to $T$, where $SL_r = \{SL_{r1}, SL_{r2}, \ldots, SL_{rx}, \ldots, SL_{rp}\}$ and $SL_{rx}$ is the number of initial logs of $D_r$ within the x-th time slice.

[0066] Specifically, p = t0 / t.

[0067] Furthermore, t0 is the length of a preset time period, and the value of t0 ranges from 1 to 2 days. Preferably, the value of t0 is 1 day.

[0068] Specifically, t is the length of the first time slice, and the value of t ranges from 5 to 10 minutes. Preferably, the value of t is 5 minutes.

[0069] S30339, Based on SL, obtain the key log rule corresponding to the second log rule.

[0070] As mentioned above, setting the time for statistical rules in the logs based on device anomalies can improve the rationality and accuracy of the time settings in the statistical rules. On the other hand, it can also adjust the time of the statistical rules according to new similar rules, making the time settings in the statistical rules more efficient.
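The slice counting in S30331 to S30337 can be sketched as follows. This is an added example, not code from the patent; the log line layout, device names and function names are constructed for illustration, while t0 = 1 day and t = 5 minutes are the page's preferred values.

```python
from datetime import datetime, timedelta

T0 = timedelta(days=1)    # t0, preset time period (the page's preferred value)
T = timedelta(minutes=5)  # t, first time slice length (the page's preferred value)

# Constructed, already-normalized sample logs: "<retrieval time> <device> <event>".
SAMPLE_LOGS = """\
2024-01-01T00:00:00 fw-01 LINK_DOWN
2024-01-01T00:04:59 fw-01 LINK_DOWN
2024-01-01T00:05:00 fw-01 LINK_DOWN
2024-01-01T23:59:59 sw-02 LINK_DOWN
2024-01-02T00:00:00 sw-02 LINK_DOWN
"""


def slice_count(t0=T0, t=T):
    """Return p = t0 / t, the number of first time slices in the period."""
    p, remainder = divmod(t0, t)
    if remainder:
        raise ValueError("t0 must be a whole multiple of t")
    return p


def parse_logs(text):
    """Yield (device, retrieval_time) pairs, one TD_rg per initial log D_rg."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, device, _event = line.split(maxsplit=2)
        yield device, datetime.fromisoformat(stamp)


def first_log_counts(logs, period_start, devices=(), t0=T0, t=T):
    """Build SL as {device r: [SL_r1, ..., SL_rp]}.

    Slices are half-open: a log stamped exactly on a boundary belongs to the
    slice that starts there, and a log at period_start + t0 is outside the
    period. `devices` pre-seeds monitored devices so that a device that
    uploaded nothing still gets an all-zero row; without it, silent devices
    would be missing from any later comparison against SL0 = 0.
    """
    p = slice_count(t0, t)
    sl = {device: [0] * p for device in devices}
    for device, stamp in logs:
        offset = stamp - period_start
        if not timedelta(0) <= offset < t0:
            continue  # outside the preset time period
        sl.setdefault(device, [0] * p)[offset // t] += 1
    return sl


if __name__ == "__main__":
    start = datetime(2024, 1, 1)
    monitored = ["fw-01", "sw-02", "ap-03"]  # constructed device names
    sl = first_log_counts(parse_logs(SAMPLE_LOGS), start, devices=monitored)
    for device, row in sl.items():
        busy = {x + 1: n for x, n in enumerate(row) if n}
        print(device, "p =", len(row), "non-empty slices:", busy)
```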

[0071] Specifically, step S30339 includes the following steps:

[0072] S1, traverse $SL_r$ and compare $SL_r$ with SL0, where SL0 is a preset first log quantity threshold; those skilled in the art can set it according to actual needs, which will not be elaborated here; preferably, SL0 = 0.

[0073] S2, when $SL_r$ = SL0, obtain the target time interval $\Delta T_r$ corresponding to $SL_r$, where $\Delta T_r$ meets the following conditions:

[0074]

[0075] Furthermore, when $g = 1$, $TD_{g-1} = 0$.

[0076] S3, according to $\Delta T_r$, obtain the intermediate time interval list $\Delta T^0_r = \{\Delta T_1, \Delta T_2, \ldots, \Delta T_h, \ldots, \Delta T_u\}$ corresponding to $\Delta T_r$, $h = 1, 2, \ldots, u$, where $u$ is the number of intermediate time intervals.

[0077] S4, according to $\Delta T^0$, obtain the second log count set $SL^0_r = \{SL^1_r, SL^2_r, \ldots, SL^h_r, \ldots, SL^u_r\}$ corresponding to $\Delta T^0$, where $SL^h_r = \{SL^h_{r1}, SL^h_{r2}, \ldots, SL^h_{ry}, \ldots, SL^h_{rq(h)}\}$, $SL^h_{ry}$ is the number of initial logs of $D_r$ within the y-th second time slice, $y = 1, 2, \ldots, q(h)$, $q(h)$ is the number of second time slices, and the value of the second time slice is $\Delta T_h$.

[0078] $\Delta T_h$ meets the following conditions:

[0079] $\Delta T_h = t + h \times \Delta T_r$.

[0080] q(h) satisfies the following conditions:

[0081]

[0082] S5, when $h = u$ and $SL^h_{ry} \neq$ SL0, $\Delta T_h$ is inserted as an intermediate time slice into the intermediate time slice list.

[0083] S6, traverse the intermediate time slice list and take the largest intermediate time slice in the intermediate time slice list as the target time slice.

[0084] S7, generate the target statistical rule vector from the target time slice and the number of final logs corresponding to the target time slice.

[0085] Specifically, step S7 includes the following steps:

[0086] S71, when $SL_r \neq$ SL0, according to the target time slice and $D_r$, obtain the third event log count list $SL'_r = \{SL'_{r1}, SL'_{r2}, \ldots, SL'_{r\xi}, \ldots, SL'_{r\varepsilon}\}$ corresponding to $D_r$, where $SL'_{r\xi}$ is the number of initial logs of $D_r$ within the ξ-th target time slice, $\xi = 1, 2, \ldots, \varepsilon$, and $\varepsilon$ is the number of target time slices.

[0087] S73, iterate through $SL'_r$ and, when $SL'_{r\xi}$ is the minimum number of initial logs, take $SL'_{r\xi}$ as the number of final logs corresponding to the target time slice.

[0088] S75, when $SL_r$ = SL0 and $SL^h_{ry}$ is the minimum number of initial logs, take $SL^h_{ry}$ as the number of final logs corresponding to the target time slice.

[0089] S8, replace the statistical rule vector in the second log rule with the target statistical rule vector to generate the key log rule corresponding to the second log rule.

[0090] The above describes how the time intervals of device anomalies reported in historical logs are used to set the time for statistical rules in the logs, ensuring both rationality and accuracy, thereby improving the efficiency of the time settings in the statistical rules.

[0091] S3035. Based on the third log rule ID list, obtain the list of key log rules corresponding to the third log rule.

[0092] Specifically, step S3035 also includes the following steps:

[0093] S30351, Obtain the third log rule ID list $C = \{C_1, C_2, \ldots, C_a, \ldots, C_b\}$, where $C_a = \{C_{a1}, C_{a2}, \ldots, C_{ai}, \ldots, C_{am}\}$, $C_{ai}$ is the ID of the i-th third sub-rule in the third log rule corresponding to the a-th third log rule ID, $a = 1, 2, \ldots, b$, and $b$ is the number of third log rule IDs.

[0094] S30353, according to $C_a$, obtain the sub-rule vector list $C^0_a = \{C^0_{a1}, C^0_{a2}, \ldots, C^0_{ai}, \ldots, C^0_{am}\}$ corresponding to $C_a$, where $C^0_{ai}$ is the first sub-rule vector corresponding to $C_{ai}$.

[0095] S30355, when $C_{ai} = A'$, compare $C^0_{ai}$ with a preset character; for example, the preset character is "or".

[0096] S30357, when a preset character exists in $C^0_{ai}$, divide $C^0_{ai}$ according to the preset character into a specified sub-rule vector list $G^0_{ai} = \{G^{01}_{ai}, G^{02}_{ai}, \ldots, G^{0\beta}_{ai}, \ldots, G^{0\delta}_{ai}\}$, where $G^{0\beta}_{ai}$ is the β-th specified sub-rule vector corresponding to $C^0_{ai}$, $\beta = 1, 2, \ldots, \delta$, and $\delta$ is the number of specified sub-rule vectors; δ can also be understood as the number of preset characters that exist in $C^0_{ai}$.

[0097] S30359, according to $G^0_{ai}$, generate the critical log rule list $GL = \{GL^0_a, GL^{01}_{ai}, GL^{02}_{ai}, \ldots, GL^{0\beta}_{ai}, \ldots, GL^{0\delta}_{ai}\}$ corresponding to $C_a$, where $GL^0_a$ is the third log rule corresponding to $C^0_a$, and $GL^{0\beta}_{ai}$ is the key rule generated from the specified sub-rule vector list $GL^{\beta}_{ai} = \{C^0_{a1}, C^0_{a2}, \ldots, C^0_{a(i-1)}, G^{0\beta}_{ai}, C^0_{a(i+1)}, \ldots, C^0_{am}\}$ corresponding to $G^{0\beta}_{ai}$.

[0098] S3037. Construct a critical log rule list based on the critical log rule list corresponding to the second log rule and the critical log rule list corresponding to the third log rule.

[0099] As mentioned above, splitting the same rule into multiple rules is beneficial for refining the rules, thereby improving the accuracy of log analysis results.
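The splitting in S30355 to S30359, as an added example that is not code from the patent. It assumes a sub-rule vector can be modelled as a text expression and that A' is named `event_match`; both are hypothetical, since the page does not fix how rule vectors are encoded.

```python
import re

PRESET_SUB_RULE_ID = "event_match"  # A' (hypothetical name, not from the page)
PRESET_CHARACTER = "or"             # the page's example preset character

# A quoted string is one token, so an "or" inside a quoted value is data, not
# a separator. Splitting on the bare substring would also cut "error" and
# "port" in half, which is why the separator must be a standalone token.
_TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed sample rule: C_a zipped with C0_a as (sub-rule ID, vector) pairs.
SAMPLE_RULE = [
    ("event_match",
     'msg contains "error" or msg contains "link or port down" or severity >= 4'),
    ("statistics", "count >= 5 within 300s"),
]


def split_on_preset(vector, preset=PRESET_CHARACTER):
    """S30357: divide C0_ai into the specified sub-rule vectors G0_ai.

    Returns [] when the preset character does not occur as a standalone
    token, i.e. there is nothing to split.
    """
    parts, current, found = [], [], False
    for token in _TOKEN.findall(vector):
        if token.lower() == preset:
            found = True
            parts.append(" ".join(current))
            current = []
        else:
            current.append(token)
    parts.append(" ".join(current))
    if not found:
        return []
    if any(not part for part in parts):
        # A leading, trailing or doubled separator would create an empty
        # sub-rule that matches nothing or everything; reject it instead.
        raise ValueError(f"dangling {preset!r} in {vector!r}")
    return parts


def key_rules(rule):
    """S30355 to S30359: build the key rule list GL for one third log rule.

    The result starts with the unsplit rule (GL0_a) and continues with one
    rule per specified sub-rule vector, each keeping every other sub-rule of
    the original in its original position.
    """
    rule = list(rule)
    gl = [list(rule)]
    for i, (sub_id, vector) in enumerate(rule):
        if sub_id != PRESET_SUB_RULE_ID:
            continue  # only the preset sub-rule (A') is examined
        for piece in split_on_preset(vector):
            gl.append(rule[:i] + [(sub_id, piece)] + rule[i + 1:])
    return gl


if __name__ == "__main__":
    for number, generated in enumerate(key_rules(SAMPLE_RULE)):
        print(number, generated)
```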

[0100] S305, when $V^0_i$ is consistent with the i-th rule vector in the key log rule corresponding to the first log rule, the target time slice in the key log rule corresponding to the first log rule is processed according to the non-initial log set and $D$ corresponding to the target log rule to obtain the update time slice. Based on the update time slice and the number of logs corresponding to the update time slice, an update statistical rule vector is generated and inserted into the key log rule corresponding to the first log rule.

[0101] Specifically, the steps for generating the updated time slice can be found in the steps for the target time slice, and will not be repeated here.

[0102] S307, when $V^0_i$ is inconsistent with the i-th rule vector in the key log rule corresponding to the first log rule, $V^0_i$ is taken as a key log rule and, together with the key log rules corresponding to all the first log rules, a final log rule list is generated.

[0103] As described above, matching new log rules with preset rules can quickly and accurately recommend statistical rules suitable for the new log rules, thus improving the accuracy and efficiency of log analysis.

[0104] S400. Analyze the target log according to the final log rule list to obtain the analysis results of the target log.

[0105] This invention provides a data processing system for obtaining log analysis results. The system includes a database, a processor, and a memory storing a computer program. When the computer program is executed by the processor, it performs the following steps: obtaining a first log rule ID list and a first log rule corresponding to each first log rule ID; obtaining a target log rule ID and a target log rule corresponding to the target log rule ID; comparing the target log rule with the first log rule to determine a final log rule list; and analyzing the target log based on the final log rule list to obtain the analysis results of the target log. Therefore, this invention can automatically generate log analysis rules for log analysis, thereby improving the accuracy and efficiency of the analysis.

[0106] While specific embodiments of the invention have been described in detail by way of example, those skilled in the art should understand that the above examples are for illustrative purposes only and are not intended to limit the scope of the invention. Those skilled in the art should also understand that various modifications can be made to the embodiments without departing from the scope and spirit of the invention. The scope of the invention is defined by the appended claims.

Claims

1. A data processing system for acquiring log analysis results, characterized in that the system includes a database, a processor, and a memory storing computer programs. The database includes a list of preset log rule IDs and preset log rules corresponding to those IDs. When the computer program is executed by the processor, the following steps are performed:
S100. Obtain the list of first log rule IDs and the first log rule corresponding to each first log rule ID;
S200. Obtain the target log rule ID and the target log rule corresponding to the target log rule ID, wherein the target log rule ID is different from each first log rule ID in the first log rule ID list;
S300. Compare the target log rule with the first log rule to determine the final log rule list, including:
S301, Obtain the target sub-rule ID list $V = \{V_1, V_2, \ldots, V_i, \ldots, V_m\}$ corresponding to the target log rule and the target sub-rule vector list $V^0 = \{V^0_1, V^0_2, \ldots, V^0_i, \ldots, V^0_m\}$ corresponding to $V$, where $V_i$ is the ID of the i-th target sub-rule and $V^0_i$ is the target sub-rule vector corresponding to $V_i$;
S303, when $V_i = A'$, $V^0_i$ is compared with the i-th rule vector in the key log rule corresponding to the first log rule, where $A'$ is a preset sub-rule ID;
S305, when $V^0_i$ is consistent with the i-th rule vector in the key log rule corresponding to the first log rule, the target time slice in the key log rule corresponding to the first log rule is processed according to the non-initial log set and the initial log set corresponding to the target log rule to obtain the update time slice; based on the update time slice and the number of logs corresponding to the update time slice, an update statistics rule vector is generated and inserted into the key log rule corresponding to the first log rule;
S307, when $V^0_i$ is inconsistent with the i-th rule vector in the key log rule corresponding to the first log rule, $V^0_i$ is taken as a key log rule and, together with the key log rules corresponding to all the first log rules, a final log rule list is generated;
S400. Analyze the target log according to the final log rule list to obtain the analysis results of the target log.

2. The data processing system for obtaining log analysis results according to claim 1, characterized in that step S100 includes the following steps:
S101, Obtain the list of preset log rule IDs and the preset log rule corresponding to each preset log rule ID;
S103, according to the preset log rule ID list, obtain the first intermediate log rule ID and the second intermediate log rule ID list corresponding to the first intermediate log rule ID, wherein the second intermediate log rule ID list includes a plurality of second intermediate log rule IDs;
S105, Based on the first intermediate log rule ID, obtain the first intermediate log rule corresponding to the first intermediate log rule ID;
S107, Based on the second intermediate log rule ID list, obtain the second intermediate log rule list corresponding to the second intermediate log rule ID list;
S109, Obtain the first log rule ID list based on the first intermediate log rule and the second intermediate log rule list.

3. The data processing system for obtaining log analysis results according to claim 2, characterized in that step S109 includes the following steps:
S1091. Based on the first intermediate log rule, obtain the first sub-rule ID list $A = \{A_1, A_2, \ldots, A_i, \ldots, A_m\}$ corresponding to the first intermediate log rule and the first sub-rule vector list $A^0 = \{A^0_1, A^0_2, \ldots, A^0_i, \ldots, A^0_m\}$ corresponding to $A$, where $A_i$ is the ID of the i-th first sub-rule, $A^0_i$ is the first rule vector corresponding to $A_i$, $i = 1, 2, \ldots, m$, and $m$ is the number of first sub-rule IDs;
S1092, Based on the second intermediate log rule list, obtain the second sub-rule ID set $B = \{B_1, B_2, \ldots, B_j, \ldots, B_n\}$ corresponding to the second intermediate log rule list, where $B_j = \{B_{j1}, B_{j2}, \ldots, B_{ji}, \ldots, B_{jm}\}$ and $B_{ji}$ is the ID of the i-th second sub-rule corresponding to the j-th second intermediate log rule;
S1093, Based on $B$, obtain the second sub-rule vector set $B^0 = \{B^0_1, B^0_2, \ldots, B^0_j, \ldots, B^0_n\}$ corresponding to $B$, where $B^0_j = \{B^0_{j1}, B^0_{j2}, \ldots, B^0_{ji}, \ldots, B^0_{jm}\}$ and $B^0_{ji}$ is the second rule vector corresponding to $B_{ji}$;
S1094, iterate through $A$ and, when $A_i = A'$, obtain $A^0_i$ and $B' = \{B^0_{1i}, B^0_{2i}, \ldots, B^0_{ji}, \ldots, B^0_{ni}\}$;
S1095, according to $A^0_i$ and $B'$, obtain the first similarity set $F_i = \{F_{i1}, F_{i2}, \ldots, F_{ij}, \ldots, F_{in}\}$ corresponding to $A^0_i$, where $F_{ij}$ is the first similarity between $A^0_i$ and $B^0_{ji}$, and $F_{ij}$ meets the following conditions: , where $GA^{0\mu}_i$ is the bit value of the μ-th position in the rule vector corresponding to $A^0_i$, $GB^{0\mu}_{ji}$ is the bit value of the μ-th position in the rule vector corresponding to $B^0_{ji}$, $\mu = 1 \ldots \varphi$, and $\varphi$ is the number of bits in the rule vector;
S1096, when $F_{ij}$ = K0, delete $A$ from the preset log rule ID list and obtain the first log rule ID list, where K0 is the preset similarity threshold.

4. The data processing system for obtaining log analysis results according to claim 3, characterized in that step S303 includes the following steps to obtain critical log rules:
S3031. Based on the first log rule ID list, obtain the second log rule ID list and the third log rule ID list;
S3033. Based on the second log rule ID list, obtain the key log rule corresponding to the second log rule;
S3035. Based on the third log rule ID list, obtain the list of key log rules corresponding to the third log rule;
S3037. Construct a critical log rule list based on the critical log rule list corresponding to the second log rule and the critical log rule list corresponding to the third log rule.

5. The data processing system for obtaining log analysis results according to claim 4, characterized in that step S3031 includes the following steps:
S30311, when $F_{ij}$ = K0, $B_j$ is used as the second intermediate log rule ID;
S30313, when $F_{ij}$ is not equal to K0, use $A$ as the first intermediate log rule ID and use it as the third log rule ID.

6. The data processing system for obtaining log analysis results according to claim 4, characterized in that step S3033 includes the following steps:
S30331, within a preset time period, obtain the initial log set $D = \{D_1, D_2, \ldots, D_r, \ldots, D_s\}$ corresponding to the second log rule ID, where $D_r = \{D_{r1}, D_{r2}, \ldots, D_{rg}, \ldots, D_{rz(r)}\}$, $D_{rg}$ is the g-th initial log corresponding to the r-th target device of the second log rule ID, $r = 1, 2, \ldots, s$, $s$ is the number of target device types, $g = 1, 2, \ldots, z(r)$, and $z(r)$ is the number of initial logs corresponding to the r-th target device; here, the target device refers to the network device that is being monitored and used to upload the logs corresponding to the second log rule ID;
S30333, Based on the preset time period, obtain the first time list $T = \{T_1, T_2, \ldots, T_x, \ldots, T_p\}$ corresponding to the preset time period, where $T_x$ is the x-th first time slice within the preset time period, $x = 1, 2, \ldots, p$, and $p$ is the number of first time slices within the preset time period; here, p = t0 / t, t0 is the length of the preset time period, and t0 ranges from 1 to 2 days; t is the length of the first time slice, and t ranges from 5 to 10 minutes;
S30335, within a preset time period, retrieve the log retrieval time list $TD = \{TD_1, TD_2, \ldots, TD_r, \ldots, TD_s\}$ corresponding to $D$, where $TD_r = \{TD_{r1}, TD_{r2}, \ldots, TD_{rg}, \ldots, TD_{rz(r)}\}$ and $TD_{rg}$ is the log retrieval time corresponding to $D_{rg}$;
S30337, Based on $T$ and $TD$, obtain the first log count list $SL = \{SL_1, SL_2, \ldots, SL_r, \ldots, SL_s\}$ corresponding to $T$, where $SL_r = \{SL_{r1}, SL_{r2}, \ldots, SL_{rx}, \ldots, SL_{rp}\}$ and $SL_{rx}$ is the number of initial logs of $D_r$ within the x-th time slice;
S30339, Based on SL, obtain the key log rule corresponding to the second log rule.

7. The data processing system for obtaining log analysis results according to claim 6, characterized in that step S30339 includes the following steps:
S1, traverse $SL_r$ and compare $SL_r$ with SL0, where SL0 is a preset first log quantity threshold;
S2, when $SL_r$ = SL0, obtain the target time interval $\Delta T_r$ corresponding to $SL_r$, where $\Delta T_r$ meets the following conditions: ;
S3, according to $\Delta T_r$, obtain the intermediate time interval list $\Delta T^0_r = \{\Delta T_1, \Delta T_2, \ldots, \Delta T_h, \ldots, \Delta T_u\}$ corresponding to $\Delta T_r$, $h = 1, 2, \ldots, u$, where $u$ is the number of intermediate time intervals;
S4, according to $\Delta T^0$, obtain the second log count set $SL^0_r = \{SL^1_r, SL^2_r, \ldots, SL^h_r, \ldots, SL^u_r\}$ corresponding to $\Delta T^0$, where $SL^h_r = \{SL^h_{r1}, SL^h_{r2}, \ldots, SL^h_{ry}, \ldots, SL^h_{rq(h)}\}$, $SL^h_{ry}$ is the number of initial logs of $D_r$ within the y-th second time slice, $y = 1, 2, \ldots, q(h)$, $q(h)$ is the number of second time slices, and the value of the second time slice is $\Delta T_h$; $\Delta T_h$ meets the following conditions: $\Delta T_h = t + h \times \Delta T_r$; q(h) satisfies the following conditions: ;
S5, when $h = u$ and $SL^h_{ry} \neq$ SL0, insert $\Delta T_h$ as an intermediate time slice into the intermediate time slice list;
S6, traverse the intermediate time slice list and take the largest intermediate time slice in the intermediate time slice list as the target time slice;
S7, generate the target statistical rule vector from the target time slice and the number of final logs corresponding to the target time slice;
S8, replace the statistical rule vector in the second log rule with the target statistical rule vector to generate the key log rule corresponding to the second log rule.

8. The data processing system for obtaining log analysis results according to claim 7, characterized in that step S7 includes the following steps:
S71, when $SL_r \neq$ SL0, according to the target time slice and $D_r$, obtain the third event log count list $SL'_r = \{SL'_{r1}, SL'_{r2}, \ldots, SL'_{r\xi}, \ldots, SL'_{r\varepsilon}\}$ corresponding to $D_r$, where $SL'_{r\xi}$ is the number of initial logs of $D_r$ within the ξ-th target time slice, $\xi = 1, 2, \ldots, \varepsilon$, and $\varepsilon$ is the number of target time slices;
S73, iterate through $SL'_r$ and, when $SL'_{r\xi}$ is the minimum number of initial logs, take $SL'_{r\xi}$ as the number of final logs corresponding to the target time slice;
S75, when $SL_r$ = SL0 and $SL^h_{ry}$ is the minimum number of initial logs, take $SL^h_{ry}$ as the number of final logs corresponding to the target time slice.

9. The data processing system for obtaining log analysis results according to claim 4, characterized in that S3035 includes the following steps:
S30351, Obtain the third log rule ID list $C = \{C_1, C_2, \ldots, C_a, \ldots, C_b\}$, where $C_a = \{C_{a1}, C_{a2}, \ldots, C_{ai}, \ldots, C_{am}\}$, $C_{ai}$ is the ID of the i-th third sub-rule in the third log rule corresponding to the a-th third log rule ID, $a = 1, 2, \ldots, b$, and $b$ is the number of third log rule IDs;
S30353, according to $C_a$, obtain the sub-rule vector list $C^0_a = \{C^0_{a1}, C^0_{a2}, \ldots, C^0_{ai}, \ldots, C^0_{am}\}$ corresponding to $C_a$, where $C^0_{ai}$ is the first sub-rule vector corresponding to $C_{ai}$;
S30355, when $C_{ai} = A'$, compare $C^0_{ai}$ with preset characters;
S30357, when a preset character exists in $C^0_{ai}$, divide $C^0_{ai}$ according to the preset character into a specified sub-rule vector list $G^0_{ai} = \{G^{01}_{ai}, G^{02}_{ai}, \ldots, G^{0\beta}_{ai}, \ldots, G^{0\delta}_{ai}\}$, where $G^{0\beta}_{ai}$ is the β-th specified sub-rule vector corresponding to $C^0_{ai}$, $\beta = 1, 2, \ldots, \delta$, and $\delta$ is the number of specified sub-rule vectors;
S30359, according to $G^0_{ai}$, generate the critical log rule list $GL = \{GL^0_a, GL^{01}_{ai}, GL^{02}_{ai}, \ldots, GL^{0\beta}_{ai}, \ldots, GL^{0\delta}_{ai}\}$ corresponding to $C_a$, where $GL^0_a$ is the third log rule corresponding to $C^0_a$, and $GL^{0\beta}_{ai}$ is the key rule generated from the specified sub-rule vector list $GL^{\beta}_{ai} = \{C^0_{a1}, C^0_{a2}, \ldots, C^0_{a(i-1)}, G^{0\beta}_{ai}, C^0_{a(i+1)}, \ldots, C^0_{am}\}$ corresponding to $G^{0\beta}_{ai}$.