Logger System 0.1.3
High-performance C++20 thread-safe logging system with asynchronous capabilities
Loading...
Searching...
No Matches
realtime_log_analyzer.h
Go to the documentation of this file.
1// BSD 3-Clause License
2// Copyright (c) 2021-2025, 🍀☀🌕🌥 🌊
3// See the LICENSE file in the project root for full license information.
4
42#pragma once
43
44#include <kcenon/common/interfaces/logger_interface.h>
45#include <kcenon/logger/analysis/log_analyzer.h>
46
47#include <atomic>
48#include <chrono>
49#include <cstdint>
50#include <deque>
51#include <functional>
52#include <memory>
53#include <mutex>
54#include <regex>
55#include <shared_mutex>
56#include <string>
57#include <unordered_set>
58#include <vector>
59
60namespace kcenon::logger::analysis {
61
62// Type alias for log_level
63using log_level = common::interfaces::log_level;
64
69struct anomaly_event {
73 enum class type : std::uint8_t {
74 error_spike,
75 pattern_match,
76 rate_anomaly,
77 new_error_type
78 };
79
80 type anomaly_type = type::error_spike;
81 std::chrono::system_clock::time_point detected_at;
82 std::string description;
83 std::vector<analyzed_log_entry> related_entries;
84 std::string pattern;
85 size_t current_count = 0;
86 size_t threshold = 0;
87};
88
93struct realtime_analysis_config {
94 size_t error_spike_threshold = 100;
95 size_t rate_anomaly_high_threshold = 1000;
96 size_t rate_anomaly_low_threshold = 0;
97 std::chrono::seconds window_duration{60};
98 std::chrono::seconds baseline_duration{300};
99 bool track_new_errors = true;
100 bool enable_rate_anomaly_detection = true;
101 double rate_deviation_factor = 2.0;
102 size_t max_related_entries = 10;
103};
104
109struct pattern_alert {
110 std::string pattern;
111 log_level min_level;
112 std::regex compiled_pattern;
113
114 pattern_alert(const std::string& p, log_level level)
115 : pattern(p), min_level(level), compiled_pattern(p, std::regex::optimize) {}
116};
117
138class realtime_log_analyzer {
139public:
143 using anomaly_callback = std::function<void(const anomaly_event&)>;
144
148 realtime_log_analyzer() = default;
149
154 explicit realtime_log_analyzer(const realtime_analysis_config& config)
155 : config_(config) {}
156
164 void set_anomaly_callback(anomaly_callback cb) {
165 std::unique_lock lock(callback_mutex_);
166 callback_ = std::move(cb);
167 }
168
178 void analyze(const analyzed_log_entry& entry) {
179 auto now = std::chrono::system_clock::now();
180
181 // Add to sliding window
182 add_to_window(entry, now);
183
184 // Check for error spike
185 if (entry.level == log_level::error ||
186 entry.level == log_level::fatal) {
187 check_error_spike(entry, now);
188 }
189
190 // Check pattern alerts
191 check_pattern_alerts(entry, now);
192
193 // Check rate anomaly
194 if (config_.enable_rate_anomaly_detection) {
195 check_rate_anomaly(now);
196 }
197
198 // Track new error types
199 if (config_.track_new_errors &&
200 (entry.level == log_level::error ||
201 entry.level == log_level::fatal)) {
202 check_new_error_type(entry, now);
203 }
204 }
205
210 void set_error_spike_threshold(size_t errors_per_minute) {
211 config_.error_spike_threshold = errors_per_minute;
212 }
213
219 void add_pattern_alert(const std::string& pattern, log_level min_level) {
220 std::unique_lock lock(patterns_mutex_);
221 patterns_.emplace_back(pattern, min_level);
222 }
223
229 bool remove_pattern_alert(const std::string& pattern) {
230 std::unique_lock lock(patterns_mutex_);
231 auto it = std::remove_if(patterns_.begin(), patterns_.end(),
232 [&pattern](const pattern_alert& alert) {
233 return alert.pattern == pattern;
234 });
235 if (it != patterns_.end()) {
236 patterns_.erase(it, patterns_.end());
237 return true;
238 }
239 return false;
240 }
241
245 void clear_pattern_alerts() {
246 std::unique_lock lock(patterns_mutex_);
247 patterns_.clear();
248 }
249
255 void set_rate_thresholds(size_t high_threshold, size_t low_threshold = 0) {
256 config_.rate_anomaly_high_threshold = high_threshold;
257 config_.rate_anomaly_low_threshold = low_threshold;
258 }
259
264 void set_track_new_errors(bool enable) {
265 config_.track_new_errors = enable;
266 }
267
272 double get_error_rate() const {
273 std::shared_lock lock(window_mutex_);
274 return calculate_rate(error_window_);
275 }
276
281 double get_log_rate() const {
282 std::shared_lock lock(window_mutex_);
283 return calculate_rate(log_window_);
284 }
285
290 struct statistics {
291 size_t total_analyzed = 0;
292 size_t total_errors = 0;
293 size_t anomalies_detected = 0;
294 size_t error_spikes = 0;
295 size_t pattern_matches = 0;
296 size_t rate_anomalies = 0;
297 size_t new_error_types = 0;
298 double current_log_rate = 0.0;
299 double current_error_rate = 0.0;
300 };
301
302 statistics get_statistics() const {
303 std::shared_lock lock(stats_mutex_);
304 statistics stats;
305 stats.total_analyzed = total_analyzed_.load();
306 stats.total_errors = total_errors_.load();
307 stats.anomalies_detected = anomalies_detected_.load();
308 stats.error_spikes = error_spikes_.load();
309 stats.pattern_matches = pattern_matches_.load();
310 stats.rate_anomalies = rate_anomalies_.load();
311 stats.new_error_types = new_error_types_.load();
312 stats.current_log_rate = get_log_rate();
313 stats.current_error_rate = get_error_rate();
314 return stats;
315 }
316
320 void reset() {
321 {
322 std::unique_lock lock(window_mutex_);
323 log_window_.clear();
324 error_window_.clear();
325 baseline_rates_.clear();
326 }
327 {
328 std::unique_lock lock(errors_mutex_);
329 known_errors_.clear();
330 }
331 {
332 std::unique_lock lock(stats_mutex_);
333 total_analyzed_ = 0;
334 total_errors_ = 0;
335 anomalies_detected_ = 0;
336 error_spikes_ = 0;
337 pattern_matches_ = 0;
338 rate_anomalies_ = 0;
339 new_error_types_ = 0;
340 }
341 last_rate_check_ = std::chrono::system_clock::time_point{};
342 last_spike_alert_ = std::chrono::system_clock::time_point{};
343 }
344
349 const realtime_analysis_config& get_config() const {
350 return config_;
351 }
352
357 void set_config(const realtime_analysis_config& config) {
358 config_ = config;
359 }
360
361private:
362 struct timestamped_entry {
363 std::chrono::system_clock::time_point timestamp;
364 analyzed_log_entry entry;
365 };
366
367 void add_to_window(const analyzed_log_entry& entry,
368 std::chrono::system_clock::time_point now) {
369 std::unique_lock lock(window_mutex_);
370
371 // Add to log window
372 log_window_.push_back({now, entry});
373
374 // Add to error window if error/fatal
375 if (entry.level == log_level::error ||
376 entry.level == log_level::fatal) {
377 error_window_.push_back({now, entry});
378 }
379
380 // Clean up old entries
381 auto cutoff = now - config_.window_duration;
382 cleanup_window(log_window_, cutoff);
383 cleanup_window(error_window_, cutoff);
384
385 // Update statistics
386 total_analyzed_.fetch_add(1, std::memory_order_relaxed);
387 if (entry.level == log_level::error ||
388 entry.level == log_level::fatal) {
389 total_errors_.fetch_add(1, std::memory_order_relaxed);
390 }
391 }
392
393 static void cleanup_window(std::deque<timestamped_entry>& window,
394 std::chrono::system_clock::time_point cutoff) {
395 while (!window.empty() && window.front().timestamp < cutoff) {
396 window.pop_front();
397 }
398 }
399
400 double calculate_rate(const std::deque<timestamped_entry>& window) const {
401 if (window.empty()) return 0.0;
402
403 auto duration = std::chrono::duration_cast<std::chrono::seconds>(
404 config_.window_duration).count();
405 if (duration == 0) duration = 60;
406
407 return static_cast<double>(window.size()) * 60.0 / duration;
408 }
409
410 void check_error_spike(const analyzed_log_entry& entry,
411 std::chrono::system_clock::time_point now) {
412 std::shared_lock lock(window_mutex_);
413
414 double current_rate = calculate_rate(error_window_);
415
416 if (current_rate >= static_cast<double>(config_.error_spike_threshold)) {
417 // Rate limit: don't alert more than once per minute
418 {
419 std::shared_lock rate_lock(rate_limit_mutex_);
420 if (now - last_spike_alert_ < std::chrono::minutes(1)) {
421 return;
422 }
423 }
424
425 lock.unlock(); // Release before callback
426
427 // Update last alert time
428 {
429 std::unique_lock rate_lock(rate_limit_mutex_);
430 last_spike_alert_ = now;
431 }
432
433 anomaly_event event;
434 event.anomaly_type = anomaly_event::type::error_spike;
435 event.detected_at = now;
436 event.description = "Error spike detected: " +
437 std::to_string(static_cast<size_t>(current_rate)) +
438 " errors/minute (threshold: " +
439 std::to_string(config_.error_spike_threshold) + ")";
440 event.current_count = static_cast<size_t>(current_rate);
441 event.threshold = config_.error_spike_threshold;
442
443 // Collect related entries
444 {
445 std::shared_lock entries_lock(window_mutex_);
446 collect_related_entries(event, error_window_);
447 }
448
449 notify_anomaly(event);
450 error_spikes_.fetch_add(1, std::memory_order_relaxed);
451 }
452 }
453
454 void check_pattern_alerts(const analyzed_log_entry& entry,
455 std::chrono::system_clock::time_point now) {
456 std::shared_lock lock(patterns_mutex_);
457
458 for (const auto& alert : patterns_) {
459 // Check level threshold
460 if (static_cast<int>(entry.level) < static_cast<int>(alert.min_level)) {
461 continue;
462 }
463
464 // Check pattern match
465 if (std::regex_search(entry.message, alert.compiled_pattern)) {
466 lock.unlock(); // Release before callback
467
468 anomaly_event event;
469 event.anomaly_type = anomaly_event::type::pattern_match;
470 event.detected_at = now;
471 event.pattern = alert.pattern;
472 event.description = "Pattern '" + alert.pattern +
473 "' matched in log message: " + entry.message;
474 event.related_entries.push_back(entry);
475
476 notify_anomaly(event);
477 pattern_matches_.fetch_add(1, std::memory_order_relaxed);
478 return; // Only report first match per entry
479 }
480 }
481 }
482
483 void check_rate_anomaly(std::chrono::system_clock::time_point now) {
484 // Rate limit rate anomaly checks to once per 10 seconds
485 {
486 std::shared_lock rate_lock(rate_limit_mutex_);
487 if (now - last_rate_check_ < std::chrono::seconds(10)) {
488 return;
489 }
490 }
491 {
492 std::unique_lock rate_lock(rate_limit_mutex_);
493 last_rate_check_ = now;
494 }
495
496 std::shared_lock lock(window_mutex_);
497 double current_rate = calculate_rate(log_window_);
498 lock.unlock();
499
500 // Check high rate
501 if (current_rate >= static_cast<double>(config_.rate_anomaly_high_threshold)) {
502 anomaly_event event;
503 event.anomaly_type = anomaly_event::type::rate_anomaly;
504 event.detected_at = now;
505 event.description = "High log rate detected: " +
506 std::to_string(static_cast<size_t>(current_rate)) +
507 " logs/minute (threshold: " +
508 std::to_string(config_.rate_anomaly_high_threshold) + ")";
509 event.current_count = static_cast<size_t>(current_rate);
510 event.threshold = config_.rate_anomaly_high_threshold;
511
512 notify_anomaly(event);
513 rate_anomalies_.fetch_add(1, std::memory_order_relaxed);
514 }
515 // Check low rate (if enabled)
516 else if (config_.rate_anomaly_low_threshold > 0 &&
517 current_rate < static_cast<double>(config_.rate_anomaly_low_threshold) &&
518 total_analyzed_.load() > 100) { // Only after enough data
519 anomaly_event event;
520 event.anomaly_type = anomaly_event::type::rate_anomaly;
521 event.detected_at = now;
522 event.description = "Low log rate detected: " +
523 std::to_string(static_cast<size_t>(current_rate)) +
524 " logs/minute (threshold: " +
525 std::to_string(config_.rate_anomaly_low_threshold) + ")";
526 event.current_count = static_cast<size_t>(current_rate);
527 event.threshold = config_.rate_anomaly_low_threshold;
528
529 notify_anomaly(event);
530 rate_anomalies_.fetch_add(1, std::memory_order_relaxed);
531 }
532 }
533
534 void check_new_error_type(const analyzed_log_entry& entry,
535 std::chrono::system_clock::time_point now) {
536 // Normalize error message (remove numbers, timestamps, etc.)
537 std::string normalized = normalize_error_message(entry.message);
538
539 {
540 std::shared_lock lock(errors_mutex_);
541 if (known_errors_.contains(normalized)) {
542 return; // Already seen this error type
543 }
544 }
545
546 // New error type detected
547 {
548 std::unique_lock lock(errors_mutex_);
549 known_errors_.insert(normalized);
550 }
551
552 anomaly_event event;
553 event.anomaly_type = anomaly_event::type::new_error_type;
554 event.detected_at = now;
555 event.description = "New error type detected: " + entry.message;
556 event.related_entries.push_back(entry);
557
558 notify_anomaly(event);
559 new_error_types_.fetch_add(1, std::memory_order_relaxed);
560 }
561
562 static std::string normalize_error_message(const std::string& message) {
563 // Remove numbers (IDs, timestamps, etc.)
564 std::string normalized = std::regex_replace(message,
565 std::regex(R"(\d+)"), "N");
566
567 // Remove hex values
568 normalized = std::regex_replace(normalized,
569 std::regex(R"(0x[0-9a-fA-F]+)"), "HEX");
570
571 // Remove UUIDs
572 normalized = std::regex_replace(normalized,
573 std::regex(R"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"),
574 "UUID");
575
576 return normalized;
577 }
578
579 void collect_related_entries(anomaly_event& event,
580 const std::deque<timestamped_entry>& window) const {
581 size_t count = 0;
582 for (auto it = window.rbegin();
583 it != window.rend() && count < config_.max_related_entries;
584 ++it, ++count) {
585 event.related_entries.push_back(it->entry);
586 }
587 }
588
589 void notify_anomaly(const anomaly_event& event) {
590 anomalies_detected_.fetch_add(1, std::memory_order_relaxed);
591
592 std::shared_lock lock(callback_mutex_);
593 if (callback_) {
594 callback_(event);
595 }
596 }
597
598 // Configuration
599 realtime_analysis_config config_;
600
601 // Callback
602 anomaly_callback callback_;
603 mutable std::shared_mutex callback_mutex_;
604
605 // Sliding windows
606 std::deque<timestamped_entry> log_window_;
607 std::deque<timestamped_entry> error_window_;
608 std::deque<double> baseline_rates_;
609 mutable std::shared_mutex window_mutex_;
610
611 // Pattern alerts
612 std::vector<pattern_alert> patterns_;
613 mutable std::shared_mutex patterns_mutex_;
614
615 // Known error types for new error detection
616 std::unordered_set<std::string> known_errors_;
617 mutable std::shared_mutex errors_mutex_;
618
619 // Rate limiting
620 std::chrono::system_clock::time_point last_rate_check_;
621 std::chrono::system_clock::time_point last_spike_alert_;
622 mutable std::shared_mutex rate_limit_mutex_;
623
624 // Statistics (atomic for lock-free reads)
625 std::atomic<size_t> total_analyzed_{0};
626 std::atomic<size_t> total_errors_{0};
627 std::atomic<size_t> anomalies_detected_{0};
628 std::atomic<size_t> error_spikes_{0};
629 std::atomic<size_t> pattern_matches_{0};
630 std::atomic<size_t> rate_anomalies_{0};
631 std::atomic<size_t> new_error_types_{0};
632 mutable std::shared_mutex stats_mutex_;
633};
634
639class realtime_analyzer_factory {
640public:
644 static std::unique_ptr<realtime_log_analyzer> create_basic() {
645 return std::make_unique<realtime_log_analyzer>();
646 }
647
652 static std::unique_ptr<realtime_log_analyzer> create(
653 const realtime_analysis_config& config) {
654 return std::make_unique<realtime_log_analyzer>(config);
655 }
656
662 static std::unique_ptr<realtime_log_analyzer> create_production(
663 size_t error_threshold = 50,
664 realtime_log_analyzer::anomaly_callback callback = nullptr) {
665
666 realtime_analysis_config config;
667 config.error_spike_threshold = error_threshold;
668 config.rate_anomaly_high_threshold = 1000;
669 config.rate_anomaly_low_threshold = 10;
670 config.track_new_errors = true;
671 config.enable_rate_anomaly_detection = true;
672
673 auto analyzer = std::make_unique<realtime_log_analyzer>(config);
674 if (callback) {
675 analyzer->set_anomaly_callback(std::move(callback));
676 }
677 return analyzer;
678 }
679};
680
681} // namespace kcenon::logger::analysis
kcenon::logger::analysis::realtime_analyzer_factory
Factory for creating configured realtime log analyzers.
Definition realtime_log_analyzer.h:639
kcenon::logger::analysis::realtime_analyzer_factory::create
static std::unique_ptr< realtime_log_analyzer > create(const realtime_analysis_config &config)
Create a realtime analyzer with custom configuration.
Definition realtime_log_analyzer.h:652
kcenon::logger::analysis::realtime_analyzer_factory::create_production
static std::unique_ptr< realtime_log_analyzer > create_production(size_t error_threshold=50, realtime_log_analyzer::anomaly_callback callback=nullptr)
Create a production-ready analyzer with sensible defaults.
Definition realtime_log_analyzer.h:662
kcenon::logger::analysis::realtime_analyzer_factory::create_basic
static std::unique_ptr< realtime_log_analyzer > create_basic()
Create a basic realtime analyzer with default settings.
Definition realtime_log_analyzer.h:644
kcenon::logger::analysis::realtime_log_analyzer
Real-time log analyzer with anomaly detection.
Definition realtime_log_analyzer.h:138
kcenon::logger::analysis::realtime_log_analyzer::remove_pattern_alert
bool remove_pattern_alert(const std::string &pattern)
Remove a pattern alert.
Definition realtime_log_analyzer.h:229
kcenon::logger::analysis::realtime_log_analyzer::collect_related_entries
void collect_related_entries(anomaly_event &event, const std::deque< timestamped_entry > &window) const
Definition realtime_log_analyzer.h:579
kcenon::logger::analysis::realtime_log_analyzer::error_window_
std::deque< timestamped_entry > error_window_
Definition realtime_log_analyzer.h:607
kcenon::logger::analysis::realtime_log_analyzer::last_rate_check_
std::chrono::system_clock::time_point last_rate_check_
Definition realtime_log_analyzer.h:620
kcenon::logger::analysis::realtime_log_analyzer::get_log_rate
double get_log_rate() const
Get current log rate (logs per minute)
Definition realtime_log_analyzer.h:281
kcenon::logger::analysis::realtime_log_analyzer::total_errors_
std::atomic< size_t > total_errors_
Definition realtime_log_analyzer.h:626
kcenon::logger::analysis::realtime_log_analyzer::log_window_
std::deque< timestamped_entry > log_window_
Definition realtime_log_analyzer.h:606
kcenon::logger::analysis::realtime_log_analyzer::reset
void reset()
Reset all statistics and tracked state.
Definition realtime_log_analyzer.h:320
kcenon::logger::analysis::realtime_log_analyzer::check_rate_anomaly
void check_rate_anomaly(std::chrono::system_clock::time_point now)
Definition realtime_log_analyzer.h:483
kcenon::logger::analysis::realtime_log_analyzer::set_config
void set_config(const realtime_analysis_config &config)
Set the configuration.
Definition realtime_log_analyzer.h:357
kcenon::logger::analysis::realtime_log_analyzer::calculate_rate
double calculate_rate(const std::deque< timestamped_entry > &window) const
Definition realtime_log_analyzer.h:400
kcenon::logger::analysis::realtime_log_analyzer::error_spikes_
std::atomic< size_t > error_spikes_
Definition realtime_log_analyzer.h:628
kcenon::logger::analysis::realtime_log_analyzer::get_error_rate
double get_error_rate() const
Get current error rate (errors per minute)
Definition realtime_log_analyzer.h:272
kcenon::logger::analysis::realtime_log_analyzer::realtime_log_analyzer
realtime_log_analyzer(const realtime_analysis_config &config)
Constructor with configuration.
Definition realtime_log_analyzer.h:154
kcenon::logger::analysis::realtime_log_analyzer::get_statistics
statistics get_statistics() const
Definition realtime_log_analyzer.h:302
kcenon::logger::analysis::realtime_log_analyzer::window_mutex_
std::shared_mutex window_mutex_
Definition realtime_log_analyzer.h:609
kcenon::logger::analysis::realtime_log_analyzer::set_error_spike_threshold
void set_error_spike_threshold(size_t errors_per_minute)
Set error spike threshold.
Definition realtime_log_analyzer.h:210
kcenon::logger::analysis::realtime_log_analyzer::rate_limit_mutex_
std::shared_mutex rate_limit_mutex_
Definition realtime_log_analyzer.h:622
kcenon::logger::analysis::realtime_log_analyzer::known_errors_
std::unordered_set< std::string > known_errors_
Definition realtime_log_analyzer.h:616
kcenon::logger::analysis::realtime_log_analyzer::stats_mutex_
std::shared_mutex stats_mutex_
Definition realtime_log_analyzer.h:632
kcenon::logger::analysis::realtime_log_analyzer::anomalies_detected_
std::atomic< size_t > anomalies_detected_
Definition realtime_log_analyzer.h:627
kcenon::logger::analysis::realtime_log_analyzer::clear_pattern_alerts
void clear_pattern_alerts()
Clear all pattern alerts.
Definition realtime_log_analyzer.h:245
kcenon::logger::analysis::realtime_log_analyzer::add_to_window
void add_to_window(const analyzed_log_entry &entry, std::chrono::system_clock::time_point now)
Definition realtime_log_analyzer.h:367
kcenon::logger::analysis::realtime_log_analyzer::set_track_new_errors
void set_track_new_errors(bool enable)
Enable or disable new error tracking.
Definition realtime_log_analyzer.h:264
kcenon::logger::analysis::realtime_log_analyzer::get_config
const realtime_analysis_config & get_config() const
Get the configuration.
Definition realtime_log_analyzer.h:349
kcenon::logger::analysis::realtime_log_analyzer::pattern_matches_
std::atomic< size_t > pattern_matches_
Definition realtime_log_analyzer.h:629
kcenon::logger::analysis::realtime_log_analyzer::total_analyzed_
std::atomic< size_t > total_analyzed_
Definition realtime_log_analyzer.h:625
kcenon::logger::analysis::realtime_log_analyzer::callback_
anomaly_callback callback_
Definition realtime_log_analyzer.h:602
kcenon::logger::analysis::realtime_log_analyzer::check_pattern_alerts
void check_pattern_alerts(const analyzed_log_entry &entry, std::chrono::system_clock::time_point now)
Definition realtime_log_analyzer.h:454
kcenon::logger::analysis::realtime_log_analyzer::rate_anomalies_
std::atomic< size_t > rate_anomalies_
Definition realtime_log_analyzer.h:630
kcenon::logger::analysis::realtime_log_analyzer::normalize_error_message
static std::string normalize_error_message(const std::string &message)
Definition realtime_log_analyzer.h:562
kcenon::logger::analysis::realtime_log_analyzer::config_
realtime_analysis_config config_
Definition realtime_log_analyzer.h:599
kcenon::logger::analysis::realtime_log_analyzer::add_pattern_alert
void add_pattern_alert(const std::string &pattern, log_level min_level)
Add a pattern-based alert.
Definition realtime_log_analyzer.h:219
kcenon::logger::analysis::realtime_log_analyzer::baseline_rates_
std::deque< double > baseline_rates_
Definition realtime_log_analyzer.h:608
kcenon::logger::analysis::realtime_log_analyzer::new_error_types_
std::atomic< size_t > new_error_types_
Definition realtime_log_analyzer.h:631
kcenon::logger::analysis::realtime_log_analyzer::callback_mutex_
std::shared_mutex callback_mutex_
Definition realtime_log_analyzer.h:603
kcenon::logger::analysis::realtime_log_analyzer::patterns_mutex_
std::shared_mutex patterns_mutex_
Definition realtime_log_analyzer.h:613
kcenon::logger::analysis::realtime_log_analyzer::check_new_error_type
void check_new_error_type(const analyzed_log_entry &entry, std::chrono::system_clock::time_point now)
Definition realtime_log_analyzer.h:534
kcenon::logger::analysis::realtime_log_analyzer::realtime_log_analyzer
realtime_log_analyzer()=default
Default constructor.
kcenon::logger::analysis::realtime_log_analyzer::check_error_spike
void check_error_spike(const analyzed_log_entry &entry, std::chrono::system_clock::time_point now)
Definition realtime_log_analyzer.h:410
kcenon::logger::analysis::realtime_log_analyzer::notify_anomaly
void notify_anomaly(const anomaly_event &event)
Definition realtime_log_analyzer.h:589
kcenon::logger::analysis::realtime_log_analyzer::analyze
void analyze(const analyzed_log_entry &entry)
Analyze a log entry in real-time.
Definition realtime_log_analyzer.h:178
kcenon::logger::analysis::realtime_log_analyzer::anomaly_callback
std::function< void(const anomaly_event &)> anomaly_callback
Callback type for anomaly notifications.
Definition realtime_log_analyzer.h:143
kcenon::logger::analysis::realtime_log_analyzer::errors_mutex_
std::shared_mutex errors_mutex_
Definition realtime_log_analyzer.h:617
kcenon::logger::analysis::realtime_log_analyzer::set_anomaly_callback
void set_anomaly_callback(anomaly_callback cb)
Set the anomaly callback.
Definition realtime_log_analyzer.h:164
kcenon::logger::analysis::realtime_log_analyzer::last_spike_alert_
std::chrono::system_clock::time_point last_spike_alert_
Definition realtime_log_analyzer.h:621
kcenon::logger::analysis::realtime_log_analyzer::patterns_
std::vector< pattern_alert > patterns_
Definition realtime_log_analyzer.h:612
kcenon::logger::analysis::realtime_log_analyzer::set_rate_thresholds
void set_rate_thresholds(size_t high_threshold, size_t low_threshold=0)
Set rate anomaly thresholds.
Definition realtime_log_analyzer.h:255
kcenon::logger::analysis::realtime_log_analyzer::cleanup_window
static void cleanup_window(std::deque< timestamped_entry > &window, std::chrono::system_clock::time_point cutoff)
Definition realtime_log_analyzer.h:393
log_analyzer.h
Log analysis and metrics functionality.
kcenon::logger::adapters::log_level
common::interfaces::log_level log_level
Definition logger_adapter.h:26
kcenon::logger::analysis::analyzed_log_entry
Log entry for analysis.
Definition analysis.cppm:43
kcenon::logger::analysis::analyzed_log_entry::level
log_level level
Definition log_analyzer.h:28
kcenon::logger::analysis::analyzed_log_entry::message
std::string message
Definition log_analyzer.h:29
kcenon::logger::analysis::anomaly_event
Represents an anomaly event detected during real-time analysis.
Definition realtime_log_analyzer.h:69
kcenon::logger::analysis::anomaly_event::related_entries
std::vector< analyzed_log_entry > related_entries
Log entries related to this anomaly.
Definition realtime_log_analyzer.h:83
kcenon::logger::analysis::anomaly_event::detected_at
std::chrono::system_clock::time_point detected_at
When the anomaly was detected.
Definition realtime_log_analyzer.h:81
kcenon::logger::analysis::anomaly_event::description
std::string description
Human-readable description.
Definition realtime_log_analyzer.h:82
kcenon::logger::analysis::anomaly_event::type
type
Type of anomaly detected.
Definition realtime_log_analyzer.h:73
kcenon::logger::analysis::anomaly_event::type::rate_anomaly
@ rate_anomaly
Unusual log rate (too high or too low)
kcenon::logger::analysis::anomaly_event::type::error_spike
@ error_spike
Sudden increase in errors.
kcenon::logger::analysis::anomaly_event::type::pattern_match
@ pattern_match
Configured pattern detected.
kcenon::logger::analysis::anomaly_event::type::new_error_type
@ new_error_type
Previously unseen error message.
kcenon::logger::analysis::anomaly_event::threshold
size_t threshold
Threshold that was exceeded.
Definition realtime_log_analyzer.h:86
kcenon::logger::analysis::anomaly_event::current_count
size_t current_count
Current count (for spike/rate anomalies)
Definition realtime_log_analyzer.h:85
kcenon::logger::analysis::anomaly_event::pattern
std::string pattern
Pattern that triggered (for pattern_match)
Definition realtime_log_analyzer.h:84
kcenon::logger::analysis::anomaly_event::anomaly_type
type anomaly_type
Type of the anomaly.
Definition realtime_log_analyzer.h:80
kcenon::logger::analysis::pattern_alert
Pattern alert configuration.
Definition realtime_log_analyzer.h:109
kcenon::logger::analysis::pattern_alert::min_level
log_level min_level
Minimum log level to trigger.
Definition realtime_log_analyzer.h:111
kcenon::logger::analysis::pattern_alert::compiled_pattern
std::regex compiled_pattern
Pre-compiled regex for efficiency.
Definition realtime_log_analyzer.h:112
kcenon::logger::analysis::pattern_alert::pattern
std::string pattern
Regex pattern to match.
Definition realtime_log_analyzer.h:110
kcenon::logger::analysis::pattern_alert::pattern_alert
pattern_alert(const std::string &p, log_level level)
Definition realtime_log_analyzer.h:114
kcenon::logger::analysis::realtime_analysis_config
Configuration for real-time log analysis.
Definition realtime_log_analyzer.h:93
kcenon::logger::analysis::realtime_analysis_config::enable_rate_anomaly_detection
bool enable_rate_anomaly_detection
Enable rate anomaly detection.
Definition realtime_log_analyzer.h:100
kcenon::logger::analysis::realtime_analysis_config::error_spike_threshold
size_t error_spike_threshold
Errors per minute to trigger spike alert.
Definition realtime_log_analyzer.h:94
kcenon::logger::analysis::realtime_analysis_config::max_related_entries
size_t max_related_entries
Max entries to store per anomaly.
Definition realtime_log_analyzer.h:102
kcenon::logger::analysis::realtime_analysis_config::rate_anomaly_low_threshold
size_t rate_anomaly_low_threshold
Logs per minute considered low (0 = disabled)
Definition realtime_log_analyzer.h:96
kcenon::logger::analysis::realtime_analysis_config::rate_deviation_factor
double rate_deviation_factor
Factor for dynamic rate anomaly detection.
Definition realtime_log_analyzer.h:101
kcenon::logger::analysis::realtime_analysis_config::baseline_duration
std::chrono::seconds baseline_duration
Duration for baseline rate calculation.
Definition realtime_log_analyzer.h:98
kcenon::logger::analysis::realtime_analysis_config::rate_anomaly_high_threshold
size_t rate_anomaly_high_threshold
Logs per minute considered high.
Definition realtime_log_analyzer.h:95
kcenon::logger::analysis::realtime_analysis_config::track_new_errors
bool track_new_errors
Enable new error type detection.
Definition realtime_log_analyzer.h:99
kcenon::logger::analysis::realtime_analysis_config::window_duration
std::chrono::seconds window_duration
Sliding window duration for rate calculation.
Definition realtime_log_analyzer.h:97
kcenon::logger::analysis::realtime_log_analyzer::statistics
Get current statistics.
Definition realtime_log_analyzer.h:290
kcenon::logger::analysis::realtime_log_analyzer::statistics::current_log_rate
double current_log_rate
Definition realtime_log_analyzer.h:298
kcenon::logger::analysis::realtime_log_analyzer::statistics::current_error_rate
double current_error_rate
Definition realtime_log_analyzer.h:299
kcenon::logger::analysis::realtime_log_analyzer::statistics::new_error_types
size_t new_error_types
Definition realtime_log_analyzer.h:297
kcenon::logger::analysis::realtime_log_analyzer::statistics::total_errors
size_t total_errors
Definition realtime_log_analyzer.h:292
kcenon::logger::analysis::realtime_log_analyzer::statistics::anomalies_detected
size_t anomalies_detected
Definition realtime_log_analyzer.h:293
kcenon::logger::analysis::realtime_log_analyzer::statistics::total_analyzed
size_t total_analyzed
Definition realtime_log_analyzer.h:291
kcenon::logger::analysis::realtime_log_analyzer::statistics::error_spikes
size_t error_spikes
Definition realtime_log_analyzer.h:294
kcenon::logger::analysis::realtime_log_analyzer::statistics::pattern_matches
size_t pattern_matches
Definition realtime_log_analyzer.h:295
kcenon::logger::analysis::realtime_log_analyzer::statistics::rate_anomalies
size_t rate_anomalies
Definition realtime_log_analyzer.h:296
kcenon::logger::analysis::realtime_log_analyzer::timestamped_entry
Definition realtime_log_analyzer.h:362
kcenon::logger::analysis::realtime_log_analyzer::timestamped_entry::entry
analyzed_log_entry entry
Definition realtime_log_analyzer.h:364
kcenon::logger::analysis::realtime_log_analyzer::timestamped_entry::timestamp
std::chrono::system_clock::time_point timestamp
Definition realtime_log_analyzer.h:363