CN115292065A - Event confirmation method, system and device based on stream architecture - Google Patents

Publication number
CN115292065A
Authority
CN
China
Prior art keywords
rule
internet
logs
event
matching
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210911856.9A
Other languages
Chinese (zh)
Other versions
CN115292065B (en)
Inventor
饶龙强
丁强
叶超
郭鹏
方舟
张刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Zhiyuanhui Information Technology Co Ltd
Original Assignee
Chengdu Zhiyuanhui Information Technology Co Ltd
Application filed by Chengdu Zhiyuanhui Information Technology Co Ltd
Priority to CN202210911856.9A
Publication of CN115292065A
Application granted
Publication of CN115292065B

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/546Message passing systems or structures, e.g. queues
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2209/00Indexing scheme relating to G06F9/00
    • G06F2209/54Indexing scheme relating to G06F9/54
    • G06F2209/547Messaging middleware

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses an event confirmation method, system and device based on a stream architecture, comprising the following steps: receiving, from message middleware, logs reported by a plurality of internet of things devices of different products, and screening out the logs of the plurality of internet of things devices of the same product; loading the rule set corresponding to the logs of the plurality of internet of things devices of the same product as the rule system to be executed this time, and executing that rule system on the logs to obtain a matching result message, wherein the rule system is used for event confirmation across the plurality of internet of things devices of the same product; and returning the matching result message to the message middleware. The invention adopts a technical framework (stream processing framework, message middleware and CEP) that better fits the internet of things device scenario. No database is used, so the data link and the processing time are shorter; the false alarms caused by simple rules are avoided, and more complex rules can be implemented.

Description

Event confirmation method, system and device based on stream architecture
Technical Field
The invention relates to the technical field of network security, in particular to an event confirmation method, system and device based on a stream architecture.
Background
At present, most internet of things devices are not highly reliable, so the logs they report are unreliable. Generating an event by applying a rule judgment to a single unreliable log easily causes false alarms, so the relationship between the logs of internet of things devices over a continuous period of time needs to be considered. According to the data, if a specific event (for example, a fire) occurs, a plurality of internet of things devices in the same area (smoke detectors, temperature sensors and the like) alarm continuously for a period of time. Reflected in the logs, the devices in the same area continuously report alarm information, that is, the logs of the devices in the same area are related to one another.
In the prior art, most schemes take the log of a single internet of things device (with low reliability) and generate an (alarm) event by judging the relationship between a certain attribute and a threshold value, or a logical combination of the relationships between several attributes and their threshold values. For internet of things devices with low reliability, the generated event does not conform to the logic and false alarms are easily caused.
Disclosure of Invention
The invention aims to provide an event confirmation method, system and device based on a stream architecture. A stream processing framework (Flink) reads logs and rules from message middleware (Kafka) and preprocesses the rules; a rule engine is generated from the rules using CEP technology (Siddhi); the rule engine processes the log information and returns the generated events to the stream processing framework, which sends them to the message middleware. This allows more complex rules, reduces the false alarm rate, and realizes event confirmation across a plurality of internet of things devices of the same product.
An event confirmation method based on a stream architecture comprises the following steps:
receiving logs reported by a plurality of internet-of-things devices of different products from message middleware, and screening the logs of the plurality of internet-of-things devices of the same product from the logs;
loading a rule set corresponding to the logs of the multiple internet of things devices of the same product to serve as a rule system to be executed at this time, and executing the rule system to be executed at this time based on the logs to obtain a matching result message, wherein the rule system is used for event confirmation of the multiple internet of things devices of the same product;
and returning the matching result message to the message middleware.
Further, the event confirmation is same emergency confirmation across a plurality of internet of things devices of the same product, and the log has an event attribute. In same emergency confirmation, the logs of the plurality of internet of things devices of the same product obtained each time are matched against the same rule expression, and the rule system specifically executes the following steps:
S1: screening, from the logs, the internet of things devices that meet the matching condition and recording them as the recently matched internet of things device set, wherein the matching condition is: satisfying the rule expression in the rule set that corresponds to the event;
S2: receiving the logs reported by the recently matched internet of things device set, continuing to screen those logs, refreshing the internet of things devices that meet the matching condition into the recently matched internet of things device set, and repeating step S2 within a preset time range;
S3: generating an alarm event and determining the alarm event as the matching result message.
Further, the event confirmation is cooperative confirmation of different events across a plurality of internet of things devices of the same product, and the log has an event attribute. In cooperative confirmation of different events, the logs of the plurality of internet of things devices of the same product obtained each time are matched against the rule expression of the event to be confirmed this time, and the rule system specifically executes the following steps:
S1: screening, from the logs, the internet of things devices that meet the matching condition and recording them as the recently matched internet of things device set, wherein the matching condition is: satisfying the rule expression in the rule set that corresponds to the event to be confirmed this time;
S2: receiving the logs reported by the recently matched internet of things device set, continuing to screen those logs, refreshing the internet of things devices that meet the matching condition into the recently matched internet of things device set, and repeating step S2 within a preset time range;
S3: generating an alarm event and determining the alarm event as the matching result message.
Further, the event confirmation is cooperative confirmation of different events across a plurality of internet of things devices of the same product, and the log has an event attribute. Here the cooperative confirmation of different events means that the log is matched sequentially against at least partially different rule expressions, and the rule system specifically executes the following steps:
S1: screening, from the logs, the internet of things devices that meet the matching condition and recording them as the recently matched internet of things device set, wherein the matching condition is: sequentially satisfying, event by event, the rule expressions in the rule set that correspond to the different events;
S2: receiving the logs reported by the recently matched internet of things device set, continuing to screen those logs, refreshing the internet of things devices that meet the matching condition into the recently matched internet of things device set, and repeating step S2 within a preset time range;
S3: generating an alarm event and determining the alarm event as the matching result message.
Further, the rule set includes at least one basic rule expression, which expresses the relationship between an attribute of the device and the threshold for that attribute.
Further, the rule set further comprises at least one combined rule expression formed by logically combining a plurality of basic rule expressions, wherein the logical combination comprises "or" and "and". In the "or" relationship, the log is regarded as satisfying the combined rule expression when it conforms to any one of the rule expressions in the combination; in the "and" relationship, the log is regarded as satisfying the combined rule expression when it conforms to all of the rule expressions in the combination.
Further, after the logs reported by the plurality of internet of things devices of different products are received, the logs are parsed and marked to generate logs carrying rule IDs, specifically comprising the following steps:
extracting from each log its corresponding product code, and acquiring, according to the product code, at least one rule corresponding to that product code, wherein each rule has its own rule ID;
parsing the log according to the rules to generate a plurality of matched fields, and marking each field with the corresponding rule ID;
taking the matched fields and the corresponding rule IDs as the logs carrying rule IDs.
Further, the rule system to be executed this time is obtained by the following steps:
extracting the rule ID from the log carrying the rule ID;
acquiring the corresponding rule expressions according to the rule IDs and generating a rule set, wherein each rule expression in the rule set corresponds one-to-one to a rule ID;
loading the rule set in a specific sequence to generate the rule system to be executed this time.
Further, the method also comprises: receiving a rule reported by a business system and performing rule adaptation on it to obtain a rule expression and the rule ID corresponding to the rule expression, wherein a parsed rule is generated after the rule is parsed and the parsed rule is judged, specifically comprising the following steps:
determining whether the parsed rule is an enabling rule;
if so, performing rule translation on the parsed rule, wherein the rule translation generates the corresponding rule expression from the parsed rule;
determining whether the parsed rule is a disabling rule;
if so, stopping the running rule system corresponding to the parsed rule.
A rule engine system of a stream architecture, comprising a Flink stream processing system for executing said event confirmation method based on a stream architecture, said Flink stream processing system continuously reading logs and rules from Kafka and comprising:
ParsedRule module: used for parsing the log into a rule ParsedRule that the system can recognize;
EnabledRule module: used for judging whether the parsed rule ParsedRule is an enabling rule, and if so, performing rule matching on the rule ParsedRule;
DisabledRule module: used for judging whether the parsed rule ParsedRule is a disabling rule, and if so, stopping the running rule corresponding to the rule ParsedRule;
siddhiapplule module: used for generating the corresponding rule expression according to the result of rule matching;
SiddhiManager rule system: used for matching the logs to generate RuleResult;
InputHandle module: used for sending the log to the SiddhiAppRuntime module;
SiddhiAppRuntime module: the rule instances and runtime environments created from the corresponding rule expressions.
A control apparatus based on a streaming architecture, comprising:
one or more processors;
a storage unit configured to store one or more programs, which when executed by the one or more processors, enable the one or more processors to implement the method for event validation based on a stream architecture.
The invention has the following beneficial effects:
1. A stream processing framework (Flink) reads logs and rules from message middleware (Kafka) and preprocesses the rules; a rule engine is generated from the rules using CEP technology (Siddhi); the rule engine processes the log information, generates events and returns them to the stream processing framework, which sends the generated events to the message middleware. Although Flink CEP can also implement complex rules, in terms of resource consumption one Flink CEP program needs to be started, and if there are multiple rules, multiple Flink programs need to be started, so too many rules easily exhaust the computing resources. By combining Flink with Siddhi, one Flink program can theoretically process all the rules, which reduces resource consumption; in practice, some resources are allocated to the Flink program that processes the rules, so that all the rules can be processed smoothly.
2. A technical framework (stream processing framework, message middleware and CEP) that better fits the internet of things device scenario is adopted. No database is used, so the data link and the processing time are shorter; the false alarms caused by simple rules are avoided, and more complex rules can be implemented.
Drawings
FIG. 1 is a schematic diagram of a rule system workflow of the present invention;
FIG. 2 is a schematic flow chart of a correlation analysis method according to the present invention;
FIG. 3 is a schematic diagram of rule adaptation according to the present invention;
FIG. 4 is a schematic diagram of a stream processing framework of the present invention;
FIG. 5 is a schematic diagram of the basic rules of the present invention;
FIG. 6 is a schematic diagram of the assembly rule of the present invention;
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
In addition, descriptions of well-known structures, functions, and configurations may be omitted for clarity and conciseness. Those of ordinary skill in the art will recognize that various changes and modifications of the examples described herein can be made without departing from the spirit and scope of the disclosure.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
Example 1
The present embodiment is directed to providing an event confirmation method based on a stream architecture.
The internet of things device reports a log at a certain moment. The log comprises the unique identifier of the device, the reporting time, the specific attributes and the data corresponding to each attribute.
The logs and device data are acquired from Kafka, the logs and the rules are parsed by Flink, and the preprocessed data are sent to Siddhi for rule processing to generate events. The generated events are sent to Kafka.
In fig. 4, the meaning of each node is:
1. Log: the log reported by the internet of things device, in JSON format, stored in Kafka.
2. Rule: the rules generated by the business system, in JSON format, stored in Kafka.
3. Flink: the stream processing system, which continuously receives the logs and the rules.
4. ParsedRule: the rule engine obtains the Rule from Kafka and parses it into a rule ParsedRule that the rule engine can recognize.
5. EnabledRule: after the rule is parsed, the rule engine identifies that the rule needs to be started, and rule matching is carried out.
6. DisabledRule: after the rule is parsed, the rule engine identifies that the rule needs to be stopped, at which point the corresponding running rule is stopped.
7. Siddhiapple: the rule expressions (SQL-like language) generated according to EnabledRule.
8. SiddhiManager: the rule system, used for log matching.
9. InputHandle: the rule input module, responsible for sending the log to the rule instance.
10. SiddhiAppRuntime: the rule instances and runtime environments created from the strings.
11. RuleResult: the matching result obtained according to the log.
12. LogMixRule:
a) Each rule has two attributes, dataCode and ruleId. Before a rule is executed, the dataCode (product code) tells the engine which device logs need to be parsed for that rule. Multiple rules can set the same dataCode, that is, the device logs under one dataCode can be processed by multiple rules. Before it is sent to the rule engine, the device log has only the dataCode field; in other words, the device log does not yet know which rule will process it.
b) From a), the rules and the log are in a many-to-one (n:1) relationship, i.e. one log can be processed by a plurality of rules.
c) Through the dataCode field shared by the rule and the log, the log obtains the ruleId of the rule and can then be associated with the rule through that ruleId. Namely: the rule engine knows which rule should process a log carrying a given ruleId.
Once the LogMixRule is generated from the log and the rule, the log carries a rule label, each rule also has a label, and the log can be associated with the rule through the label. Namely: the rule engine knows to which rule instance the tagged log should be sent.
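The tagging step described in a) to c), as an added Python sketch that is not code from the patent: rules are indexed by dataCode, each incoming log is fanned out into one LogMixRule-style record per enabled rule, and a stop message removes the rule from the index. The JSON key names (`ruleId`, `dataCode`, `fields`, `enabled`, `sensorId`, `ts`) and all sample values are constructed for illustration.

```python
import json
from collections import defaultdict


class RuleIndex:
    """Maps dataCode (product code) -> {ruleId: rule}, following a) to c)."""

    def __init__(self):
        self._by_code = defaultdict(dict)

    def apply(self, rule_msg: str) -> None:
        """Consume one rule message: an enabled rule is registered,
        a stop rule is removed so its logs are no longer parsed."""
        rule = json.loads(rule_msg)
        code, rule_id = rule["dataCode"], rule["ruleId"]
        if rule.get("enabled", True):
            self._by_code[code][rule_id] = rule
        else:
            self._by_code[code].pop(rule_id, None)

    def tag(self, log_msg: str) -> list:
        """Return one record per rule bound to the log's dataCode.

        Each record carries only the fields that rule needs plus its ruleId,
        so the engine can route it to the matching rule instance.
        """
        log = json.loads(log_msg)
        rules = self._by_code.get(log.get("dataCode"), {})
        records = []
        for rule_id, rule in sorted(rules.items()):
            required = ["sensorId", "ts", *rule["fields"]]
            if not all(name in log for name in required):
                continue  # the log lacks a field this rule needs
            records.append({
                "ruleId": rule_id,
                "sensorId": log["sensorId"],
                "ts": log["ts"],
                "fields": {name: log[name] for name in rule["fields"]},
            })
        return records


def demo():
    """Constructed rule and log messages exercising the n:1 relationship."""
    idx = RuleIndex()
    idx.apply('{"ruleId": "r1", "dataCode": "smoke-v1", '
              '"fields": ["smoke"], "enabled": true}')
    idx.apply('{"ruleId": "r2", "dataCode": "smoke-v1", '
              '"fields": ["smoke", "temp"], "enabled": true}')
    full = ('{"dataCode": "smoke-v1", "sensorId": "s-01", "ts": 100, '
            '"smoke": 7, "temp": 65, "battery": 90}')
    no_temp = '{"dataCode": "smoke-v1", "sensorId": "s-02", "ts": 101, "smoke": 2}'
    other = '{"dataCode": "lock-v2", "sensorId": "k-9", "ts": 102, "open": 1}'

    before = idx.tag(full)        # both rules share the dataCode
    partial = idx.tag(no_temp)    # r2 cannot be evaluated without "temp"
    idx.apply('{"ruleId": "r2", "dataCode": "smoke-v1", "enabled": false}')
    after = idx.tag(full)         # r2 has been stopped
    unknown = idx.tag(other)      # no rule is bound to this product code
    return before, partial, after, unknown


if __name__ == "__main__":
    for name, result in zip(("before", "partial", "after", "unknown"), demo()):
        print(name, json.dumps(result))
```

Logs whose dataCode has no enabled rule produce no record at all, so a monitoring gap for a product shows up as silence rather than as an error.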
1. Flow path
The preconditions are as follows:
1) Log data of the internet of things devices is continuously reported to the topic (log) of Kafka.
2) The rule needs to be started first, and the rule should be stopped when the rule is not needed, so that the consumption of computing resources is reduced.
3) Rule updates require stopping the rule first and then regenerating a new rule.
As shown in fig. 2-1:
1) The business system generates rules and sends them to topic (rule) specified by Kafka.
2) Flink obtains logs (Log) continuously from topic (logA, logB, etc.) of Kafka.
3) Flink obtains rules (Rule) from topic (Rule) from Kafka without interruption.
4) Flink parses the rule expression into rules (ParsedRule) that can be used.
5) In Flink:
a) If the rule is an enabling rule:
i. Parse, according to the rule, the fields of the log that need to be matched, attach the rule ID, and convert the result into a new format (LogMixRule).
ii. Generate the SiddhiManager corresponding to the rule ID.
iii. Generate a string in the SQL-like language that conforms to the Siddhi grammar; the SiddhiManager creates the SiddhiAppRuntime from this string.
iv. Create a Callback function of the SiddhiAppRuntime for receiving the generated event, and define the format of the event (RuleResult).
v. Get the InputHandle of the SiddhiAppRuntime.
vi. Start the SiddhiAppRuntime.
vii. Send the log of step i to the SiddhiAppRuntime through the InputHandle.
viii. Send the result (RuleResult) obtained by the Callback to Flink.
ix. Flink sends the result (RuleResult) to the topic (RuleResult) of Kafka.
b) If the rule is a stop rule:
i. Stop parsing the log (Log) of the corresponding rule.
ii. Stop the SiddhiManager.
iii. Delete the SiddhiManager.
2. Rule definition
The json defined by the rule is as follows:
[Figures: the rule JSON definition, given as images in the original publication]
The meaning of each field is as follows:
1. eventid: the rule ID, used to distinguish between different rules.
2. Groupid: has no meaning in rule judgment; used by the business system.
3. ruleType: the type of the rule.
4. duration: the duration of the CEP rule.
5. fields: the set of fields required by the rule.
6. count: the number of occurrences.
7. Product A: product information, which can be repeated as product B, product C, etc.
a) dataCode: the product number.
b) sensorIds: the device numbers.
c) Row1: a product attribute condition, repeatable as Row1, Row2, etc.
i. 'fieldA': an attribute name.
ii. Match: the comparison condition.
iii. Type: the type used when a comparison with Value is required.
iv. Value: the value compared against.
The ruleType inside the rule needs to be calculated as follows:
1. If duration is the default value, ruleType = 1.
2. If count is not the default value, ruleType = 5.
3. If there is more than one product, ruleType = 4.
4. If duration is not the default value and there is more than one Row, ruleType = 2.
5. If duration is not the default value and there is one Row, ruleType = 3.
Illustratively, one basic rule expression (rule 1) is:
according to logs reported by a plurality of internet of things devices in the same product (type), screening out device logs meeting any one of the following two conditions, and generating an alarm event, wherein the basic rule expression meets the following requirements:
Condition 1: the relation between one attribute of the internet of things device and the corresponding threshold value (e.g. fieldA > 0), wherein fieldA is attribute A.
Condition 2: a logical combination of relations of the kind in condition 1 (e.g. fieldA > 0 and fieldB < 8).
As shown in fig. 5, the different shapes represent devices of different products; different colors of the same shape represent different devices of the same product; the light dashed triangles represent eligible equipment.
A combined rule expression (rule 2) is:
according to logs reported by a plurality of internet of things devices under a product, device logs which sequentially accord with the following 4 conditions are screened out, an alarm event is generated, and a combined rule expression meets the following requirements for the same device:
condition 1: a group of devices satisfies a base rule expression.
Condition 2: on the basis of the above condition, the group of devices satisfies a basic rule expression.
Condition 3: condition 2 may be repeated a plurality of times.
Condition 4: the 3 conditions described above need to be completed within a specific time frame (e.g: 180 s).
As shown in fig. 6, the different shapes represent devices of different products; different colors of the same shape represent different devices of the same product; a light-colored dashed triangle represents a device that meets condition a; within a certain time frame, the light-colored dashed triangle continues to satisfy condition c.
In an exemplary cooperative confirmation of different events, within a preset time range of 180 s, the internet of things devices that have been started for 60 s are screened from the logs reported by a plurality of internet of things devices, the devices that have been started for 30 s are screened from the devices started for 60 s, the devices that have been started for 15 s are screened from the devices started for 30 s, and so on; when the screening of the events is completed or the preset time range is reached, generation of an alarm event is triggered.
In an exemplary same emergency confirmation, within a preset time range of 180 s, the internet of things devices raising a high temperature alarm are screened from the logs reported by a plurality of internet of things devices, the devices raising a high temperature alarm again are screened from those devices, the devices raising a high temperature alarm a third time are screened from the devices that alarmed again, and so on; when the screening of the event is completed or the preset time range is reached, generation of an alarm event is triggered.
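One way to read the same emergency confirmation example above, as an added Python sketch (not the patent's code and not Siddhi syntax): a device enters the recently matched set on its first matching log, stays only while each following log still matches, and an alarm is produced once it has matched `count` times within `duration` seconds. The rule layout, operator names and sample logs are constructed; treating a non-matching log as removal from the set is an assumption about step S2.

```python
import operator

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def matches(expr, log):
    """Evaluate a basic rule expression (attribute vs. threshold) or an
    "and"/"or" combination of rule expressions against one log."""
    if "and" in expr:
        return all(matches(e, log) for e in expr["and"])
    if "or" in expr:
        return any(matches(e, log) for e in expr["or"])
    if expr["field"] not in log:
        return False  # a missing attribute never satisfies a threshold
    return OPS[expr["match"]](log[expr["field"]], expr["value"])


class Confirmer:
    """Keeps the recently matched device set for one rule (steps S1 to S3)."""

    def __init__(self, rule):
        self.rule = rule
        self.recent = {}  # sensorId -> (timestamp of first match, hits so far)

    def feed(self, log):
        """Process one log in timestamp order; return an alarm dict or None."""
        sid, ts = log["sensorId"], log["ts"]
        first, hits = self.recent.get(sid, (None, 0))
        if first is not None and ts - first > self.rule["duration"]:
            self.recent.pop(sid, None)      # preset time range exceeded
            first, hits = None, 0
        if not matches(self.rule["expr"], log):
            self.recent.pop(sid, None)      # S2: device no longer matches
            return None
        if first is None:
            first = ts                      # S1: device enters the set
        hits += 1
        if hits >= self.rule["count"]:      # S3: confirmed, raise the alarm
            self.recent.pop(sid, None)
            return {"ruleId": self.rule["ruleId"], "sensorId": sid,
                    "firstTs": first, "ts": ts, "hits": hits}
        self.recent[sid] = (first, hits)
        return None


# Constructed rule: high temperature AND smoke, three times within 180 s.
RULE = {"ruleId": "fire-1", "duration": 180, "count": 3,
        "expr": {"and": [{"field": "temp", "match": ">", "value": 60},
                         {"field": "smoke", "match": ">=", "value": 5}]}}

# Constructed logs, ordered by reporting time.
LOGS = [
    {"sensorId": "s-01", "ts": 0, "temp": 70, "smoke": 6},
    {"sensorId": "s-03", "ts": 0, "temp": 65, "smoke": 5},
    {"sensorId": "s-02", "ts": 10, "temp": 75, "smoke": 1},   # smoke too low
    {"sensorId": "s-01", "ts": 60, "temp": 72, "smoke": 7},
    {"sensorId": "s-02", "ts": 70, "temp": 80, "smoke": 9},
    {"sensorId": "s-03", "ts": 100, "temp": 66, "smoke": 6},
    {"sensorId": "s-01", "ts": 120, "temp": 71, "smoke": 8},  # third match
    {"sensorId": "s-02", "ts": 130, "temp": 40, "smoke": 0},  # back to normal
    {"sensorId": "s-03", "ts": 200, "temp": 67, "smoke": 6},  # outside 180 s
]


def run(rule, logs):
    """Feed all logs through one Confirmer; return (alarms, remaining set)."""
    confirmer = Confirmer(rule)
    alarms = [a for a in map(confirmer.feed, logs) if a is not None]
    return alarms, confirmer.recent


if __name__ == "__main__":
    print(run(RULE, LOGS))
```

Only s-01 is confirmed: s-02 drops out after a single matching log, and the third match of s-03 arrives after the 180 s range, so its count starts again.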
Example 2
An object of this embodiment is to provide a control apparatus based on a stream architecture, including:
one or more processors;
a storage unit configured to store one or more programs, which when executed by the one or more processors, enable the one or more processors to implement the method for event validation based on a stream architecture.
Example 3
A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, is capable of implementing the method for event validation based on a stream architecture as described.
The foregoing is only a preferred embodiment of the present invention, and the present invention is not limited thereto in any way, and any simple modification, equivalent replacement and improvement made to the above embodiment within the spirit and principle of the present invention still fall within the protection scope of the present invention.

Claims (10)

1. An event confirmation method based on a stream architecture is characterized by comprising the following steps:
receiving logs reported by a plurality of internet of things devices of different products from message middleware, and screening the logs of the plurality of internet of things devices of the same product from the logs;
loading a rule set corresponding to the logs of the multiple internet of things devices of the same product to serve as a rule system to be executed at this time, and executing the rule system to be executed at this time based on the logs to obtain a matching result message, wherein the rule system is used for event confirmation of the multiple internet of things devices of the same product;
and returning the matching result message to the message middleware.
2. The event confirmation method based on the stream architecture according to claim 1, wherein the event confirmation is same emergency confirmation across a plurality of internet of things devices of the same product, the log has an event attribute, and in the same emergency confirmation the logs of the plurality of internet of things devices of the same product obtained each time are matched against the same rule expression, wherein the rule system specifically executes the following steps:
S1: screening, from the logs, the internet of things devices that meet the matching condition and recording them as the recently matched internet of things device set, wherein the matching condition is: satisfying the rule expression in the rule set corresponding to the same event;
S2: receiving the logs reported by the recently matched internet of things device set, continuing to screen those logs, refreshing the internet of things devices that meet the matching condition into the recently matched internet of things device set, and repeating step S2 within a preset time range;
S3: generating an alarm event and determining the alarm event as the matching result message.
3. The event confirmation method based on the stream architecture according to claim 1, wherein the event confirmation is cooperative confirmation of different events across a plurality of internet of things devices of the same product, the log has an event attribute, and in the cooperative confirmation of different events the logs of the plurality of internet of things devices of the same product obtained each time are matched against the rule expression of the event to be confirmed this time, wherein the rule system specifically executes the following steps:
S1: screening, from the logs, the internet of things devices that meet the matching condition and recording them as the recently matched internet of things device set, wherein the matching condition is: satisfying the rule expression in the rule set of the event to be confirmed this time;
S2: receiving the logs reported by the recently matched internet of things device set, continuing to screen those logs, refreshing the internet of things devices that meet the matching condition into the recently matched internet of things device set, and repeating step S2 within a preset time range;
S3: generating an alarm event and determining the alarm event as the matching result message.
4. The event confirmation method based on the stream architecture as claimed in claim 1, wherein the rule set includes at least one basic rule expression, and the basic rule expression expresses a relationship between an attribute of a device and an attribute threshold.
5. The event confirmation method based on the stream architecture as claimed in claim 4, wherein said rule set further comprises at least one combined rule expression formed by logically combining a plurality of basic rule expressions, said logical combination comprising "or" and "and"; the "or" relationship: when the log conforms to any one of the rule expressions in the combined rule expression, the log is regarded as satisfying the combined rule expression; the "and" relationship: when the log conforms to all of the rule expressions in the combined rule expression, the log is regarded as satisfying the combined rule expression.
6. The event confirmation method based on the stream architecture as claimed in claim 1, wherein after logs reported by a plurality of Internet of things devices of different products are received, the logs are parsed and marked to generate logs carrying rule IDs, which specifically includes the following steps:
extracting from each log its corresponding product code, and acquiring, according to the product code, at least one rule corresponding to that product code, wherein each rule has a one-to-one corresponding rule ID;
parsing the log according to the rules to generate a plurality of matched fields, and marking each field with the corresponding rule ID;
and taking the matched fields and the corresponding rule IDs as the logs carrying the rule IDs.
7. The method according to claim 6, wherein the rule system to be executed at this time is obtained by:
extracting the rule ID in the log carrying the rule ID;
acquiring corresponding rule expressions according to the rule ID, and generating a rule set, wherein each rule expression in the rule set corresponds to the rule ID one by one;
and loading the rule set according to a specific sequence to generate the rule system to be executed at this time.
8. The event confirmation method based on the stream architecture as claimed in claim 1, further comprising: receiving a rule reported by a service system, performing rule adaptation on the rule to obtain a rule expression and a rule ID corresponding to the rule expression, parsing the rule to generate a parsed rule, and judging the parsed rule, which specifically comprises the following steps:
determining whether the parsed rule is an enabling rule;
if so, performing rule translation on the parsed rule, wherein the rule translation is used for generating a corresponding rule expression according to the parsed rule;
determining whether the parsed rule is a forbidden rule;
and if so, stopping the running rule system corresponding to the parsed rule.
9. A rule engine system of a stream architecture, comprising a Flink stream processing system, said Flink stream processing system executing the event confirmation method based on a stream architecture of any of claims 1 to 8, said Flink stream processing system reading logs and rules from Kafka without interruption, said Flink stream processing system comprising:
ParsedRule module: used for parsing the log into a rule ParsedRule that the system can recognize;
EnabledRule module: used for judging whether the parsed rule ParsedRule is an enabling rule and, if so, performing rule matching on the rule ParsedRule;
DisabledRule module: used for judging whether the parsed rule ParsedRule is a forbidden rule and, if so, stopping the running rule corresponding to the rule ParsedRule;
SiddhiAppRule module: used for generating the corresponding rule expression according to the result of rule matching;
SiddhiManager rule system: used for matching the logs to generate RuleResult;
InputHandle module: used for sending the logs to the SiddhiAppRuntime module;
SiddhiAppRuntime module: used for creating rule instances and runtime environments from the corresponding rule expressions.
10. A control apparatus based on a flow architecture, comprising:
one or more processors;
a storage unit for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the event confirmation method based on a stream architecture according to any one of claims 1 to 8.
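An added illustration of claims 4 to 7 (not code from the patent or its applicant): logs are tagged with rule IDs looked up by product code, then each rule ID is resolved to a basic or combined rule expression and evaluated. The tuple encoding of expressions, the product code `GATE-01`, the rule IDs, the attribute names and the sample log are all constructed for this example.

```python
import operator

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq}
# Constructed rule store keyed by product code; every rule has its own rule ID.
# Basic expression (claim 4): (attribute, comparator, threshold)
# Combined expression (claim 5): ("and" | "or", [sub-expressions])
RULES_BY_PRODUCT = {"GATE-01": [
    {"rule_id": "R1", "expr": ("temperature", ">", 70)},
    {"rule_id": "R2", "expr": ("and", [
        ("voltage", "<", 11.0),
        ("or", [("fan_rpm", "<", 500), ("temperature", ">", 60)])])},
]}
# Constructed sample log from one device.
SAMPLE_LOG = {"product_code": "GATE-01", "device_id": "dev-7",
              "payload": {"temperature": 65, "voltage": 10.5, "fan_rpm": 900}}

def evaluate(expr, fields):
    """Evaluate a basic or combined rule expression against parsed fields."""
    if expr[0] in ("and", "or"):
        results = [evaluate(sub, fields) for sub in expr[1]]
        return all(results) if expr[0] == "and" else any(results)
    attribute, comparator, threshold = expr
    if attribute not in fields:   # a missing attribute never satisfies a rule
        return False
    return OPS[comparator](fields[attribute], threshold)

def attributes(expr):
    """Collect the attribute names an expression refers to."""
    if expr[0] in ("and", "or"):
        return set().union(*(attributes(sub) for sub in expr[1]))
    return {expr[0]}

def tag_log(log):
    """Claim 6: look up rules by product code, emit one rule-ID-tagged record per rule."""
    tagged = []
    for rule in RULES_BY_PRODUCT.get(log["product_code"], []):
        wanted = attributes(rule["expr"])
        fields = {k: v for k, v in log["payload"].items() if k in wanted}
        tagged.append({"rule_id": rule["rule_id"],
                       "device_id": log["device_id"], "fields": fields})
    return tagged

def match(tagged_logs):
    """Claim 7: resolve each rule ID to its expression and evaluate it."""
    by_id = {r["rule_id"]: r["expr"]
             for rules in RULES_BY_PRODUCT.values() for r in rules}
    return [(t["device_id"], t["rule_id"]) for t in tagged_logs
            if evaluate(by_id[t["rule_id"]], t["fields"])]
```

A log whose product code has no rules yields no tagged records, so it never reaches the matching stage.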
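An added illustration of steps S1 to S3 in claims 2 and 3 (not code from the patent or its applicant). It assumes logs arrive in timestamped reporting rounds, that a device leaves the recently matched set when it stops reporting a matching log, and that the alarm lists the devices still in the set when the preset time range ends; the function names, device IDs and temperature rule are constructed.

```python
def over_temperature(fields):
    """Constructed rule expression for the event being confirmed."""
    return fields.get("temperature", 0) > 70

# Constructed reporting rounds: (timestamp in seconds, [(device_id, fields), ...]).
SAMPLE_ROUNDS = [
    (0,   [("dev-a", {"temperature": 75}), ("dev-b", {"temperature": 80}),
           ("dev-c", {"temperature": 50})]),
    (30,  [("dev-a", {"temperature": 76}), ("dev-b", {"temperature": 65}),
           ("dev-c", {"temperature": 90})]),
    (60,  [("dev-a", {"temperature": 72})]),
    (200, [("dev-a", {"temperature": 20})]),
]

def confirm_event(rounds, matches, window_seconds):
    """Run S1-S3 over the rounds; return an alarm dict, or None if nothing is confirmed."""
    if not rounds:
        return None
    start, first_logs = rounds[0]
    # S1: devices whose log satisfies the rule form the recently matched set.
    recent = {dev for dev, fields in first_logs if matches(fields)}
    for ts, logs in rounds[1:]:
        if ts - start > window_seconds or not recent:
            break   # outside the preset time range, or no device left to confirm
        # S2: only logs from devices already in the set are screened, and the
        # set is refreshed to the devices that still satisfy the rule.
        recent = {dev for dev, fields in logs
                  if dev in recent and matches(fields)}
    if not recent:
        return None
    # S3: the surviving devices are reported as the matching result message.
    return {"event": "alarm", "devices": sorted(recent), "window_start": start}
```

With a 120-second window only `dev-a` is confirmed: `dev-b` drops out at the second round, and `dev-c` is never screened because it was not in the set produced by S1.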
CN202210911856.9A 2022-07-29 2022-07-29 Event confirmation method, system and device based on stream architecture Active CN115292065B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210911856.9A CN115292065B (en) 2022-07-29 2022-07-29 Event confirmation method, system and device based on stream architecture

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210911856.9A CN115292065B (en) 2022-07-29 2022-07-29 Event confirmation method, system and device based on stream architecture

Publications (2)

Publication Number Publication Date
CN115292065A (en) 2022-11-04
CN115292065B (en) 2023-05-26

Family

ID=83826108

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210911856.9A Active CN115292065B (en) 2022-07-29 2022-07-29 Event confirmation method, system and device based on stream architecture

Country Status (1)

Country Link
CN (1) CN115292065B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016000454A1 (en) * 2014-06-30 2016-01-07 华为技术有限公司 Event processing method in stream processing system and stream processing system
US20190007511A1 (en) * 2017-06-22 2019-01-03 Aeris Communications, Inc. ISSUING ALERTS FOR IoT DEVICES
CN111917877A (en) * 2020-08-03 2020-11-10 上海浦东东方有线网络有限公司 Data processing method and device for Internet of things equipment, electronic equipment and storage medium
CN113778776A (en) * 2020-06-23 2021-12-10 北京沃东天骏信息技术有限公司 Method and device for early warning task abnormity and storage medium
CN113806191A (en) * 2021-08-10 2021-12-17 浙江吉利控股集团有限公司 Data processing method, device, equipment and storage medium
CN114595126A (en) * 2022-03-24 2022-06-07 山西合力创新科技股份有限公司 Rule engine based alarm method, system, storage device and terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
樊春美 et al.: "Automated flow control algorithm based on Flink real-time computing" (基于Flink实时计算的自动化流控制算法), 《计算机技术与发展》 *

Also Published As

Publication number Publication date
CN115292065B (en) 2023-05-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant