JP6471468B2 - Data storage method and information processing apparatus - Google Patents

Description

  The present invention relates to a data storage method and an information processing apparatus.

  2. Description of the Related Art Conventionally, there is a technique for storing a log, which is data recording processing contents output by software or hardware such as an application program or OS (Operating System), or data communicated by software or hardware. In addition, since a large amount of logs are output, there is a technique for deleting logs in order from the oldest log. Software and hardware maintainers can view logs stored as investigations of the causes of software anomalies. As a related prior art, for example, when the same error log as the error log information is recorded within a certain time, the occurrence time of the error log information in which the same error log is recorded is the same as the error log in the order of occurrence of the error log information. Some of them are recorded together with a number that identifies them.

Japanese Patent Laid-Open No. 11-306050

  However, according to the prior art, it is difficult to leave without deleting a log when a software abnormality occurs, which is likely to describe a direct cause of software or hardware abnormality. For example, even if an attempt is made to specify a log in which an abnormality has occurred from the frequency of occurrence of logs having the same contents and leave the specified log, the log contains the same part because the log includes a variable part such as an IP (Internet Protocol) address. The log that should be retained may be deleted together with other logs without being able to determine that it is the contents of.

  In one aspect, an object of the present invention is to provide a data storage method and an information processing apparatus that can suppress deletion of a log when an abnormality occurs.

  According to one aspect of the present invention, data written to the first storage unit in response to the storage amount of the first storage unit to which a series of logs are sequentially written reaching a predetermined size being stored in the second storage unit When transferring to the storage unit, the arrival time until the storage amount of the first storage unit reaches a predetermined size is acquired, and other data written in the first storage unit before the data is transferred A data storage method and an information processing apparatus for saving data in a third storage unit different from the second storage unit according to the arrival time when transferring acquired data based on the arrival time at the time are proposed The

  According to one aspect of the present invention, it is possible to suppress the deletion of a log when an abnormality has occurred.

FIG. 1 is an explanatory diagram illustrating an operation example of the information processing apparatus 101 according to the present embodiment. FIG. 2 is an explanatory diagram illustrating an example of the log storage system 200. FIG. 3 is a block diagram illustrating a hardware configuration example of the information processing apparatus 101. FIG. 4 is an explanatory diagram illustrating an example of log storage in the log storage system 200. FIG. 5 is a block diagram illustrating a functional configuration example of the information processing apparatus 101. FIG. 6 is an explanatory diagram showing an example of the stored contents of the log rotation execution time table 511. FIG. 7 is a flowchart illustrating an example of a log collection processing procedure. FIG. 8 is a flowchart illustrating an example of a significance determination processing procedure.

  Embodiments of a disclosed data storage method and information processing apparatus will be described in detail below with reference to the drawings.

  FIG. 1 is an explanatory diagram illustrating an operation example of the information processing apparatus 101 according to the present embodiment. The information processing apparatus 101 is a computer that stores a log. The information processing apparatus 101 is a server, for example. Here, the log is a record of processing contents output by software and hardware such as an application program and OS, and a record of data communicated by the software and hardware. In the following description and the description of the drawings, “application program” is referred to as “application”. The application may operate on the information processing apparatus 101 or may operate on another computer.

  As a log storage method, the information processing apparatus 101 writes a series of logs sequentially output from the application 102 in the first storage unit 103. When the first storage unit 103 becomes full, that is, in response to the storage amount of the first storage unit 103 reaching a predetermined size, the information processing apparatus 101 performs the first storage unit 103. The data written in is transferred to the second storage unit 104. The first storage unit 103 and the second storage unit 104 may be storage areas included in the same storage device or may be different storage devices. For example, the first storage unit 103 and the second storage unit 104 may be files realized by a file system or folders.

  Here, as a method of writing to the first storage unit 103, the information processing apparatus 101 may write the log into a single file included in the first storage unit 103, or log one by one. The file may be written in the first storage unit 103 as a file. In conjunction with the above description, the storage amount of the first storage unit 103 may be the data size of a single file, or the data size of a folder storing a log for each file. Then, the information processing apparatus 101 moves the data to the second storage unit 104 and writes the log again to the first storage unit 103 that has become empty. When the number of data transferred to the second storage unit 104 reaches a predetermined number, the information processing apparatus 101 deletes the oldest data.

  Below, it demonstrates using the example which writes a log in a certain one file. A file to which logs are written is referred to as a “log file”. The storage amount of the first storage unit 103 is the data size of the log file. The log file may be described as “log” in the following description and drawings. Further, the log file in the first storage unit may be referred to as “current“ log ””. In addition, a file that has been transferred to the second storage unit 104 immediately before the current “log” may be referred to as a “log file one generation before”. Similarly, a file migrated x times in the past may be referred to as a “log file before x generations”. The log file before the x generation may be described as “log.x” in the following description and drawings. Here, x is an integer of 1 or more. In the following description, migrating log files may be referred to as “rotation”. The predetermined size may be referred to as a “rotation threshold”. In addition, a predetermined number that triggers deletion of the oldest data may be referred to as a “predetermined number of generations”.

  As a method for migrating log file data, the information processing apparatus 101 may migrate log file data by moving the log file from the first storage unit 103 to the second storage unit 104. Alternatively, the information processing apparatus 101 reads data from the log file, writes the read data to the created file in the second storage unit 104, and then deletes the log file data in the first storage unit 103. Then, log file data may be migrated.

  In addition, the log may indicate, for example, that it has been processed normally, or may indicate that it cannot be processed normally and indicates an error. Hereinafter, a log describing that it has been successfully processed may be referred to as a “normal log”. Similarly, a log that cannot be processed normally and that indicates an error is sometimes referred to as an “error log”.

  By storing the log, when an abnormality occurs in the software or hardware, the software or hardware maintainer can view the stored log as an investigation of the cause of the abnormality. For example, abnormalities with respect to software include abnormalities that occur due to problems with programs in the software, abnormalities that occur due to a large amount of access to software by third parties, abnormalities that occur due to access aimed at security holes, and the like.

  Here, when an abnormality occurs, the application 102 may output a large amount of error logs. For example, when a program defect in the software occurs in the loop processing, the software outputs an error log every time the loop is made one round. Also, due to a large amount of access by a third party, for example, if the buffer that holds access once becomes full, the software will output an error log with the buffer full each time it is accessed, and the error log will be output. A lot of output. Also, if the location where an error log generated by an access aimed at a security hole is output during loop processing, the software will output an error log every time the loop is completed.

  If a large number of error logs are output, the storage amount of the log file may reach the rotation threshold earlier than usual. And when the maintenance person notices the occurrence of an abnormality, the direct cause of the software abnormality is likely to be described, and the log file that saves the log when the abnormality occurs will be deleted There is.

  In such a state, the maintenance person cannot confirm a log when an abnormality occurs. For example, in the case of a bug in a program in software, if a loop process is performed using invalid data created due to an abnormality, a large amount of error logs will be output in the loop process, which is the direct cause of the abnormality. The log where the data was created is deleted. If a log when an abnormality occurs is saved, there is no practical problem even if a large number of logs output after that are deleted.

  As a method of saving the log when an abnormality occurs, for example, the log file size and the frequency of rotation are planned in consideration of the time lag between when the maintainer notices a software abnormality and collects the log. There is a way to do it. However, when an abnormality occurs, if a larger amount of logs than expected is generated, no logs are left when the abnormality occurs.

  There is also a method of determining whether or not a log file includes a log including a defect when the log file is deleted. However, in order to determine that the log includes a defect, a log format, a character string that is included in the log, and the like are grasped. In addition to the company's products, the logs include other company's equipment and middleware logs, so what kind of format the logs containing defects are, and what character strings are considered defects It is difficult to specify in advance.

  In addition, when the same error log is recorded within a certain period of time, the time when the same error log was recorded is recorded in the order of occurrence of the error log together with a number identifying that it is the same as the recorded error log. is there. However, in order to determine that the error logs are the same or the importance level, a format for determining that the error logs are the same error level or the importance level is specified. And since there are variable parts such as IP address, time, user name, etc. in the error log, it is difficult to specify the format, and it is not possible to determine that the log has the same contents, and other logs to be left Will be deleted together with the log.

  Therefore, when the time until the current “log” is full is faster than the time until the other “log” is full, the information processing apparatus 101 according to the present embodiment stores the current file as the second file. Is stored in a third storage unit 105 different from the storage unit 104. In this way, the information processing apparatus 101 can leave a log when an abnormality occurs without analyzing the log by using the fact that a large amount of logs are output when the abnormality occurs.

  Specific processing contents will be described with reference to FIG. As shown in FIG. 1, it is assumed that all the logs have the same data size, and the data size for four logs is the rotation threshold. Further, the predetermined number of generations is 2. Further, it is assumed that the application 102 sequentially generates and outputs normal logs 111-1 to 13 and error logs 111-14 to 19 as a series of logs.

  FIG. 1A shows a state where the application 102 is outputting a normal log. The second storage unit 104 stores “log.1” that is a log file of the previous generation and “log.2” that is a log file of the second generation. In “log.2”, normal logs 111-1 to 111-4 are written. In addition, normal logs 111-5 to 8 are written in “log.1”. Further, in FIG. 1A, the information processing apparatus 101 has written the normal logs 111-9 to 12 in “log”. Moreover, in (a) of FIG. 1, the application 102 is the state which produced | generated normal log 111-13.

  The information processing apparatus 101 acquires the arrival time until the storage amount of “log” reaches the rotation threshold when the current “log” data is transferred to the second storage unit 104. Here, the information processing apparatus 101 may set the measurement start time of the arrival time to the time when the data of “log” of the previous generation has been transferred, or from the state where there is no log written in “log”. It may be the time of the first writing.

  Then, the information processing apparatus 101 determines the current “log” according to the arrival time when the current “log” data is transferred, based on the arrival time when the other “log” data is transferred. Data is stored in a third storage unit 105 different from the second storage unit 104. Here, the other “log” data is written in the first storage unit 103 before the current “log”.

  For example, when the information processing apparatus 101 has a longer arrival time when the “log” data is transferred than the time when the predetermined time is added to the arrival time when the “log” data of the previous generation is transferred The current “log” data is stored in the third storage unit 105. As another example, the information processing apparatus 101 obtains the current “log” data from the average value of the arrival times when other “log” data is transferred and the time obtained by adding a predetermined time. When the arrival time at the time of transfer is large, the third storage unit 105 may store the arrival time.

  In the example of (a) of FIG. 1, since the arrival time when migrating the current “log” data is later than the arrival time when migrating other “log” data, the information processing apparatus 101 The current “log” data is not stored in the third storage unit 105.

  FIG. 1B shows a state where the application 102 is outputting an error log. The second storage unit 104 stores “log.1” that is a log file of the previous generation and “log.2” that is a log file of the second generation. In “log.2”, normal logs 111-5 to 8 are written. In addition, normal logs 111-9 to 12 are written in “log.1”. In FIG. 1B, the log file in which the normal logs 111-1 to 111-4 are written is in a deleted state.

  In FIG. 1B, the information processing apparatus 101 has written the normal log 111-13 and the error logs 111-14 to 16 in “log”. Further, in FIG. 1B, the application 102 has generated error logs 111-17 to 19-19.

  In the example of FIG. 1B, since the arrival time when the current “log” data is migrated is faster than the arrival time when other “log” data is migrated, the information processing apparatus 101 The current “log” data is stored in the third storage unit 105. In the example of FIG. 1B, the information processing apparatus 101 assumes that the current “log” includes a log when an abnormality has occurred, and converts the current “log” data to “logx. 1 ”is saved. Thereby, the maintainer of the application 102 can browse “logx.1”, which is stored in the third storage unit 105 and includes a log when an abnormality occurs. Next, referring to FIG. 2, the log storage system 200 including the information processing apparatus 101 will be described.

  FIG. 2 is an explanatory diagram illustrating an example of the log storage system 200. The log storage system 200 includes an information processing apparatus 101 and business systems 201 and 202. The information processing apparatus 101 and the business systems 201 and 202 are connected to the network 203 through gateways gw0, 1, and 2, respectively.

  The business systems 201 and 202 are systems that provide business services. Specifically, the business system 201 includes a server 211 and a disk 212. The business system 202 includes a server 221 and a disk 222.

(Hardware of information processing apparatus 101)
FIG. 3 is a block diagram illustrating a hardware configuration example of the information processing apparatus 101. In FIG. 3, the information processing apparatus 101 includes a CPU 301, a ROM 302, and a RAM 303. Further, the information processing apparatus 101 includes a disk drive 304 and a disk 305, and a communication interface 306. The CPU 301 to the disk drive 304 and the communication interface 306 are connected by a bus 307, respectively.

  The CPU 301 is an arithmetic processing device that controls the entire information processing apparatus 101. The ROM 302 is a nonvolatile memory that stores programs such as a boot program. A RAM 303 is a volatile memory used as a work area for the CPU 301.

  The disk drive 304 is a control device that controls reading and writing of data with respect to the disk 305 according to the control of the CPU 301. As the disk drive 304, for example, a magnetic disk drive, an optical disk drive, a solid state drive, or the like can be adopted. The disk 305 is a nonvolatile memory that stores data written under the control of the disk drive 304. For example, when the disk drive 304 is a magnetic disk drive, a magnetic disk can be adopted as the disk 305. Further, when the disk drive 304 is an optical disk drive, an optical disk can be adopted as the disk 305. When the disk drive 304 is a solid state drive, a semiconductor memory formed by a semiconductor element, that is, a so-called semiconductor disk can be used as the disk 305.

  A communication interface 306 controls a network and an internal interface, and is a control device that controls input / output of data from other devices. Specifically, the communication interface 306 is connected to another device via a network through a communication line. As the communication interface 306, for example, a modem or a LAN adapter can be employed.

  When the administrator of the log storage system 200 directly operates the information processing apparatus 101, the information processing apparatus 101 may include hardware such as a display, a keyboard, and a mouse.

  FIG. 4 is an explanatory diagram illustrating an example of log storage in the log storage system 200. The information processing apparatus 101 includes a log collection processing unit 411 and a log rotation execution unit 412. 4 are software executed by the servers 211, 221 and the like.

  The log collection processing unit 411 writes the log output by the applications 401-1 to 401-3 into “log”. For example, the log collection processing unit 411 corresponds to syslogd in the UNIX (registered trademark) environment. The log rotation execution unit 412 transfers the current “log” data to the second storage unit 104. Further, in the example of FIG.

  Further, when the arrival time in the current “log” becomes faster, the log rotation execution unit 412 considers that the current “log” includes a log when an abnormality occurs, and the current “log” log "is saved as" logx.1 ".

  Furthermore, in FIG. 4, when the log rotation execution unit 412 assumes that the current “log” includes a log when an abnormality occurs, the “log” one generation before the current “log” Is stored in the third storage unit 105 as “logx.2”. The reason why the “log” data of the previous generation is stored in the third storage unit 105 is that an error may occur in the software by the last writing of the “log” of the previous generation. is there. In this case, the arrival time in the “log” one generation before is almost the same as the arrival time in the “log” of the previous generation, and the information processing apparatus 101 cannot be regarded as having an abnormality. It will be. Therefore, the log rotation execution unit 412 stores the data of “log” one generation before migrated to the second storage unit 104 in the third storage unit 105. Next, details of the operation of the log rotation execution unit 412 included in the functional configuration of the information processing apparatus 101 will be described with reference to FIG.

(Functional configuration example of information processing apparatus 101)
FIG. 5 is a block diagram illustrating a functional configuration example of the information processing apparatus 101. The information processing apparatus 101 includes a control unit 500. The control unit 500 includes an acquisition unit 501, a specification unit 502, and a storage unit 503. The control unit 500 realizes the functions of the respective units when the CPU 301 executes a program stored in the storage device. Specifically, the storage device is, for example, the ROM 302, the RAM 303, the disk 305, etc. shown in FIG. In addition, the processing result of each unit is stored in a register of the CPU 301, a cache memory of the CPU 301, or the like.

  Further, the information processing apparatus 101 can access the log rotation execution time table 511. The log rotation execution time table 511 is stored in a storage device such as the RAM 303. The RAM 303 stores a log collection abnormality threshold 512, an average value μ, a standard deviation σ, and a status flag sf. The log collection abnormality threshold 512 is a threshold regarded as an abnormal range, and is a value read from the disk 305. The average value μ is an average value of arrival times. The standard deviation σ is a standard deviation of arrival time. The status flag sf is a flag indicating whether the current log is normal or abnormal. Specifically, the status flag sf stores a value of either “normal state” indicating that the current log is normal or “abnormal state” indicating that the current log is abnormal. The

  Further, the information processing apparatus 101 can access the log collection abnormality threshold value 521, the rotation threshold value 522, the first storage unit 103, the second storage unit 104, and the third storage unit 105. The log collection abnormality threshold value 521 and the rotation threshold value 522 are stored in the disk 305. The first storage unit 103, the second storage unit 104, and the third storage unit 105 are part of the storage area of the disk 305. The log collection abnormality threshold 521 is a threshold that regards the arrival time as an abnormal range. The rotation threshold 522 is the rotation threshold described with reference to FIG. 1 and is a threshold used when migrating log file data from the first storage unit 103 to the second storage unit 104.

  The acquisition unit 501 acquires the arrival time until the storage amount of the first storage unit 103 reaches the rotation threshold when the current “log” data is transferred to the second storage unit 104.

  The specifying unit 502 arrives at the time when the data written in the first storage unit 103 is transferred to the second storage unit 104 based on the arrival time when the other “log” data is transferred. Specify the probability distribution of. Further, the specifying unit 502 may specify the probability distribution including the arrival time when shifting to the current “log” data. Here, if the probability distribution described above follows a normal distribution, the specifying unit 502 specifies the probability distribution by calculating an average value μ and a standard deviation σ as parameters of the normal distribution. The specifying unit 502 may calculate a standard deviation obtained from unbiased variance and use the calculated value as the standard deviation σ.

  The storage unit 503 stores the current “log” data according to the arrival time when the current “log” data is transferred, based on the arrival time when the other “log” data is transferred. 3 storage unit 105. Further, the storage unit 503 may be based on the arrival time when other “log” data is transferred and the arrival time when transferring to the current “log” data.

  Further, the storage unit 503 stores the current “log” data as the third data if the confidence interval of the probability distribution specified by the specifying unit 502 does not include the arrival time when the current “log” data is transferred. May be stored in the storage unit 105. Here, the confidence interval is a range in which the arrival time is regarded as a normal range, and is a value derived from the significance level.

  Further, the storage unit 503 determines whether the current “log” data and the current “log” data are transferred according to the arrival time when the current “log” data is transferred, based on the arrival time when the other “log” data is transferred. The data of “log” one generation before may be stored in the third storage unit 105.

  FIG. 6 is an explanatory diagram showing an example of the stored contents of the log rotation execution time table 511. The log rotation execution time table 511 is a table that stores the time when the rotation is executed. The log rotation execution time table 511 shown in FIG. 6 includes records 601-0 to n, and the rotation is performed n times before the past indicated by the record 601-n from the time when the current rotation indicated by the record 601-0 is executed. The time until execution is stored. n is an integer of 1 or more.

  The log rotation execution time table 511 includes fields for the number of rotations and the rotation time. Information for identifying each rotation is stored in the rotation count field. In this embodiment, in order to make it easy to understand, values of “current time”, “past once in the past”,... Are stored in the rotation number field. In another example, for example, a number assigned each time rotation is performed may be stored in the rotation count field. In the rotation time field, time information when the rotation is executed is stored.

  For example, the record 601-0 indicates that the time when the current rotation is executed is “x0 hour y0 minute z0 second”. Further, the record 601-1 indicates that the time when the previous rotation was executed is “x1 hour y1 minute z1 second”. Further, the record 601-n indicates that the time when the rotation n times before is executed is “xn hour yn minute zn second”.

  Next, a flowchart showing the operation of the information processing apparatus 101 will be described with reference to FIGS.

  FIG. 7 is a flowchart illustrating an example of a log collection processing procedure. The log collection process is a process for collecting logs. In addition, the log collection process is periodically started at regular intervals.

  The information processing apparatus 101 determines whether the data size of the current “log” has exceeded the rotation threshold (step S701). If the data size of the current “log” exceeds the rotation threshold (step S701: Yes), the information processing apparatus 101 executes log rotation (step S702). Next, the information processing apparatus 101 acquires the time when the log rotation is executed and stores it in the log rotation execution time table 511 (step S703).

  Next, the information processing apparatus 101 executes significance determination processing (step S704). Details of the significance determination process will be described with reference to FIG. Then, the information processing apparatus 101 determines which of the following results matches the determination result of the significance determination process (step S705). The following results are a normal range and an abnormal range. When the determination result of the significance determination process is in the normal range (step S705: normal range), the information processing apparatus 101 sets the state flag to “normal state” (step S706).

  On the other hand, when the determination result of the significance determination process is the abnormal range (step S705: abnormal range), the information processing apparatus 101 determines which of the following identifiers the status flag sf matches (step S707). The following identifiers are a normal state and an abnormal state. When the status flag sf is in the normal state (step S707: normal state), the information processing apparatus 101 stores the current “log” data in the third storage unit 105 (step S708). Next, the information processing apparatus 101 sets the state flag to “abnormal state” (step S709). On the other hand, if the status flag sf is in an abnormal state (step S707: abnormal state), the abnormal state is continued, and the information processing apparatus 101 proceeds to the process of step S710 as it is.

  After the processing of steps S706 and S709 is completed, or when step S707 is in an abnormal state, the information processing apparatus 101 determines whether or not the number of log file generations exceeds a predetermined number of generations (step S710). When the number of log file generations exceeds the predetermined number of generations (step S710: Yes), the information processing apparatus 101 deletes the oldest log file (step S711). After the processing in step S711, or when the number of log file generations does not exceed the predetermined generation number (step S710: No), or when the data size of the current “log” does not exceed the rotation threshold (step S701: No), the information processing apparatus 101 ends the log collection process. By executing the log collection processing, the information processing apparatus 101 collects the log, and when the current “log” is considered to include a log when an abnormality occurs, the current “log” Can be stored in the third storage unit 105.

  FIG. 8 is a flowchart illustrating an example of a significance determination processing procedure. The significance determination process shown in FIG. 8 is a process for determining whether the current arrival time is in a normal range or an abnormal range by testing with a significance level of 5 [%]. Other than the significance level 5 [%], for example, the information processing apparatus 101 may test at the significance level 1 [%].

  The information processing apparatus 101 reads the rotation time from the log rotation execution time table 511 (step S801). Next, the information processing apparatus 101 calculates n arrival times from the read rotation time (step S802). For example, using FIG. 6, the information processing apparatus 101 obtains a value obtained by subtracting the rotation time indicated in the record 601-1 from the rotation time indicated in the record 601-0 as the first elapsed time. And Similarly, the information processing apparatus 101 sets a value obtained by subtracting the rotation time indicated in the record 601-n from the rotation time indicated in the record 601-n-1 as the nth elapsed time.

  Then, the information processing apparatus 101 calculates the average value μ of the n arrival times (step S803). Next, the information processing apparatus 101 calculates the standard deviation σ of n arrival times (step S804). Specifically, the information processing apparatus 101 calculates the standard deviation σ using the following equation (1).

X _k represents the k-th arrival time. The information processing apparatus 101 determines whether or not μ−1.96σ ² <current arrival time <μ + 1.96σ ^{2 as} the current arrival time is included in the confidence interval (step S805). ). Here, the value of 1.96 is a value derived from the significance level of 5 [%], and is an example of a specific value of the log collection abnormality threshold value 512.

When μ−1.96σ ² <current arrival time <μ + 1.96σ ² (step S805: Yes), the information processing apparatus 101 outputs the determination result as a normal range (step S806).

On the other hand, if μ−1.96σ ² <current arrival time <μ + 1.96σ ² is not satisfied (step S805: No), the information processing apparatus 101 outputs the determination result as an abnormal range (step S807). In the processing of steps S805 to S807, the information processing apparatus 101 may output the determination result as a normal range when μ−1.96σ ² <current arrival time is satisfied. Note that the case where the current arrival time <μ + 1.96σ ² is not satisfied is, for example, when the log cannot be written for some reason and the frequency of log output decreases. Possible reasons for writing are, for example, when one of the application programs that output the log is forcibly terminated, or when the information processing apparatus 101 is performing other processing and is overloaded, and some log collection fails This is the case.

  After the process in either step S806 or step S807, the information processing apparatus 101 ends the significance determination process. By executing the significance determination process, the information processing apparatus 101 can determine whether the current arrival time is in the normal range or the abnormal range.

  As described above, according to the information processing apparatus 101, when the time until the current “log” is full is faster than the time until the other “log” is full, the current file is stored in the second file. Is stored in a third storage unit 105 different from the storage unit 104. As described above, the information processing apparatus 101 can store a log when an abnormality occurs without analyzing the log by using the fact that a large amount of logs are output when the abnormality occurs.

  Further, according to the information processing apparatus 101, if the arrival time when the current “log” data is transferred is not included in the probability distribution of the arrival time when the “log” data is transferred, The “log” data may be stored in the third storage unit 105. Thereby, the information processing apparatus 101 can preserve | save the log when abnormality generate | occur | produces according to the probability distribution of arrival time. Specifically, when the arrival times vary, the standard deviation σ becomes a large value, so that the information processing apparatus 101 has a value slightly different from the average arrival time when the current “log” data is transferred. Even so, it can be regarded as possible in the normal range. Further, when the arrival times are aggregated, the standard deviation σ is a small value, and thus the information processing apparatus 101 has a value slightly different from the average arrival time when the current “log” data is transferred. Then, it can be regarded as an abnormal range.

  Further, according to the information processing apparatus 101, when the current “log” data is stored in the third storage unit 105, the “log” data of the previous generation is stored in the third storage unit 105. Also good. As described in FIG. 4, there is a possibility that a log when an abnormality occurs is included in “log” one generation before “log” whose arrival time has become faster. Therefore, the information processing apparatus 101 stores the “log” data of the previous generation in the third storage unit 105, thereby suppressing the risk of losing the log when an abnormality occurs. Can do.

  Further, the data storage method according to the present embodiment can store a log when an abnormality occurs without analyzing the contents of the log. Therefore, even if there are servers where many other companies' products and free software are operating in the log storage system 200, it is not clear what kind of log is generated, and the log format cannot be unified, The data storage method according to this embodiment can be used. Further, in the data storage method according to the present embodiment, it is also useful from the viewpoint of failure investigation that the log status before and after the occurrence can be recorded as it is.

  The data storage method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. The data storage program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM (Compact Disc-Read Only Memory), or a DVD (Digital Versatile Disk), and read from the recording medium by the computer. Executed by. The data storage program may be distributed through a network such as the Internet.

  The following additional notes are disclosed with respect to the embodiment described above.

(Supplementary note 1)
When transferring the data written in the first storage unit to the second storage unit in response to the storage amount of the first storage unit in which a series of logs are sequentially written reaching a predetermined size, Obtaining an arrival time until the storage amount of the first storage unit reaches the predetermined size;
Based on the arrival time when the other data written in the first storage unit is transferred before the data, the second data is transferred according to the arrival time when the acquired data is transferred. Storing in a third storage unit different from the storage unit of
A data storage method characterized by executing processing.

(Appendix 2) The computer
Based on the arrival time when the other data is transferred, the probability distribution of the arrival time when the data written in the first storage unit is transferred to the second storage unit is identified,
The data storage method according to appendix 1, wherein the data is stored in the third storage unit when the arrival time when the data is transferred is not included in the identified confidence interval of the probability distribution .

(Supplementary note 3)
Based on the arrival time when the other data is migrated, the data and the first storage unit written before the data according to the arrival time when the data is migrated The data storage method according to appendix 1 or 2, wherein the data is stored in the third storage unit.

(Additional remark 4) The data written in the said 1st memory | storage part is transferred to a 2nd memory | storage part according to the memory | storage amount of the 1st memory | storage part in which a series of logs are written sequentially reaching the predetermined size In this case, the arrival time until the storage amount of the first storage unit reaches the predetermined size is acquired,
Based on the arrival time when the other data written in the first storage unit is transferred before the data, the second data is transferred according to the arrival time when the acquired data is transferred. Storing in a third storage unit different from the storage unit of
An information processing apparatus having a control unit.

(Appendix 5)
When transferring the data written in the first storage unit to the second storage unit in response to the storage amount of the first storage unit in which a series of logs are sequentially written reaching a predetermined size, Obtaining an arrival time until the storage amount of the first storage unit reaches the predetermined size;
Based on the arrival time when the other data written in the first storage unit is transferred before the data, the second data is transferred according to the arrival time when the acquired data is transferred. Storing in a third storage unit different from the storage unit of
A data storage program for executing a process.

DESCRIPTION OF SYMBOLS 101 Information processing apparatus 102 Application 103 1st memory | storage part 104 2nd memory | storage part 105 3rd memory | storage part 111-1-13 Normal log 111-14-19 Error log 500 Control part 501 Acquisition part 502 Specification part 503 Storage part

Claims (4)

Computer
When transferring the data written in the first storage unit to the second storage unit in response to the storage amount of the first storage unit in which a series of logs are sequentially written reaching a predetermined size, Obtaining an arrival time until the storage amount of the first storage unit reaches the predetermined size;
Whether the arrival time when transferring the acquired data is within the normal range or the abnormal range based on the arrival time when the other data written in the first storage unit is transferred before the data Execute significance determination processing to determine
A flag indicating whether the log written in the first storage unit is normal or abnormal is set to indicate normality in response to being determined to be a normal range in the significance determination process. The data is stored in a third storage unit different from the second storage unit in response to the fact that the significant determination process determines that the range is abnormal and the flag is normal. Set the flag to indicate abnormal ,
A data storage method characterized by executing processing. The computer is
Based on the arrival time when the other data is transferred, the probability distribution of the arrival time when the data written in the first storage unit is transferred to the second storage unit is identified,
2. The data storage according to claim 1, wherein the data is stored in the third storage unit when an arrival time when the data is transferred is not included in the identified confidence interval of the probability distribution. Method. The storing process is as follows.
Based on the arrival time when the other data is migrated, the data and the second data from the first storage unit one before the data according to the arrival time when the data is migrated . 3. The data storage method according to claim 1, wherein the data transferred to the storage unit is stored in the third storage unit. When transferring the data written in the first storage unit to the second storage unit in response to the storage amount of the first storage unit in which a series of logs are sequentially written reaching a predetermined size, Obtaining an arrival time until the storage amount of the first storage unit reaches the predetermined size;
Whether the arrival time when transferring the acquired data is within the normal range or the abnormal range based on the arrival time when the other data written in the first storage unit is transferred before the data Execute significance determination processing to determine
A flag indicating whether the log written in the first storage unit is normal or abnormal is set to indicate normality in response to being determined to be a normal range in the significance determination process. The data is stored in a third storage unit different from the second storage unit in response to the fact that the significant determination process determines that the range is abnormal and the flag is normal. Set the flag to indicate abnormal ,
An information processing apparatus having a control unit.

Images