对用户登录IP进行检测:如果前后两次登录的IP地址不一致,则输出告警信息。
模拟用户登录行为数据:数据从 netcat 输入,使用 nc -l -p 9999 打开并监听9999端口,再编写Java程序连接该端口并逐行读取数据(这个输入源没有任何认证,仅适合本地演示)。数据为:
192.168.0.1
192.168.0.1
192.168.0.2
实现方式:通过 Flink CEP 实现,使用两个模式:pattern1 获取第一个IP,作为第一步 step1;pattern2 获取紧随其后的IP,作为第二步 step2,并与前一个IP做比较,不一致则告警。比较逻辑写在 where 的 IterativeCondition 方法中。
package flink.cep;
import org.apache.flink.api.java.functions.KeySelector;
import org.apache.flink.cep.CEP;
import org.apache.flink.cep.PatternSelectFunction;
import org.apache.flink.cep.pattern.Pattern;
import org.apache.flink.cep.pattern.conditions.IterativeCondition;
import org.apache.flink.cep.pattern.conditions.SimpleCondition;
import org.apache.flink.streaming.api.datastream.DataStream;
import org.apache.flink.streaming.api.datastream.DataStreamSource;
import org.apache.flink.streaming.api.datastream.KeyedStream;
import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;
import org.apache.flink.streaming.api.windowing.time.Time;
import java.util.List;
import java.util.Map;
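/**
 * Raises an alert when two consecutive login IPs differ, using Flink CEP.
 *
 * <p>Input is read line by line from a local socket (127.0.0.1:9999), one IP per line.
 * The pattern has two steps: "step-1" accepts any event, and "step-2" must be the
 * directly following event ({@code next}) and is accepted only when its IP differs
 * from the one captured in "step-1".
 *
 * <p>The stream is not keyed, so the comparison is between neighbouring lines of the
 * whole stream, not between logins of one user.
 */
public class FlinkCEPExample02 {

    /**
     * Builds and runs the job.
     *
     * @param args unused
     * @throws Exception if the job cannot be built or fails while running
     */
    public static void main(String[] args) throws Exception {
        StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment();

        // The socket is an unauthenticated demo source: every line is untrusted text.
        DataStreamSource<String> input = env.socketTextStream("127.0.0.1", 9999);

        // Drop blank lines before matching. Otherwise an empty line counts as an
        // "IP" that differs from its neighbour and produces a false alert.
        DataStream<String> logins = input.filter(line -> !line.trim().isEmpty());

        Pattern<String, String> ipChanged = Pattern.<String>begin("step-1")
                .next("step-2")
                .where(new IterativeCondition<String>() {
                    @Override
                    public boolean filter(String value, Context<String> context) throws Exception {
                        // Compare trimmed text so padding around an address does not look like a change.
                        // This is still a textual comparison: two different spellings of the same
                        // address compare as different.
                        String previousIp = context.getEventsForPattern("step-1").iterator().next().trim();
                        String currentIp = value.trim();
                        return !previousIp.equals(currentIp);
                    }
                });

        DataStream<String> result = CEP.pattern(logins, ipChanged)
                .inProcessingTime()
                .select(new PatternSelectFunction<String, String>() {
                    @Override
                    public String select(Map<String, List<String>> map) throws Exception {
                        // select is only called for a completed match, i.e. the IP has changed.
                        return "检测到IP地址异常:第一个IP:" + map.get("step-1") + "第二个IP:" + map.get("step-2");
                    }
                });

        result.print().setParallelism(1);
        env.execute();
    }
}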
例子2,数据为:
user01,192.168.0.1
user02,192.168.0.2
user02,192.168.0.3
需要先使用 keyBy 按用户ID分组,这样才只会比较同一用户前后两次登录的IP。
package flink.cep;
import org.apache.flink.api.java.functions.KeySelector;
import org.apache.flink.cep.CEP;
import org.apache.flink.cep.PatternSelectFunction;
import org.apache.flink.cep.pattern.Pattern;
import org.apache.flink.cep.pattern.conditions.IterativeCondition;
import org.apache.flink.streaming.api.datastream.DataStream;
import org.apache.flink.streaming.api.datastream.DataStreamSource;
import org.apache.flink.streaming.api.datastream.KeyedStream;
import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;
import java.util.List;
import java.util.Map;
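/**
 * Raises an alert when the same user logs in from two different IPs in a row, using Flink CEP.
 *
 * <p>Input lines have the form {@code userId,ip}, for example:
 * <pre>
 * user01,192.168.0.1
 * user02,192.168.0.2
 * user02,192.168.0.3
 * </pre>
 *
 * <p>The stream is keyed by user ID, so the pattern is evaluated per user. The pattern has
 * two steps: "step-1" accepts any event, and "step-2" must be the directly following event
 * ({@code next}) for the same key and is accepted only when its IP differs from the one
 * captured in "step-1".
 */
public class FlinkCEPExample03 {

    /**
     * Builds and runs the job.
     *
     * @param args unused
     * @throws Exception if the job cannot be built or fails while running
     */
    public static void main(String[] args) throws Exception {
        StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment();

        // The socket is an unauthenticated demo source: every line is untrusted text.
        DataStreamSource<String> input = env.socketTextStream("127.0.0.1", 9999);

        // Reject lines that do not carry both fields before they reach split(",")[1].
        // Without this, one malformed line throws ArrayIndexOutOfBoundsException inside
        // the job and the detection stops. Rejected lines are dropped silently here; a
        // production job would count them or route them elsewhere so the gap is visible.
        KeyedStream<String, String> keyedStream = input
                .filter(FlinkCEPExample03::isWellFormed)
                .keyBy(new KeySelector<String, String>() {
                    @Override
                    public String getKey(String s) throws Exception {
                        // Group by user ID.
                        return userOf(s);
                    }
                });

        // NOTE(review): no within() bound is set on the pattern, so a user's pending
        // "step-1" event appears to be kept until that user's next event arrives.
        // User IDs come from untrusted input, so confirm the state size is acceptable.
        Pattern<String, String> ipChanged = Pattern.<String>begin("step-1")
                .next("step-2")
                .where(new IterativeCondition<String>() {
                    @Override
                    public boolean filter(String value, Context<String> context) throws Exception {
                        String previousIp = ipOf(context.getEventsForPattern("step-1").iterator().next());
                        String currentIp = ipOf(value);
                        return !previousIp.equals(currentIp);
                    }
                });

        DataStream<String> result = CEP.pattern(keyedStream, ipChanged)
                .inProcessingTime()
                .select(new PatternSelectFunction<String, String>() {
                    @Override
                    public String select(Map<String, List<String>> map) throws Exception {
                        // select is only called for a completed match, i.e. the IP has changed.
                        String first = map.get("step-1").get(0);
                        String second = map.get("step-2").get(0);
                        return "检测用户ID为:" + userOf(first)
                                + " 的IP地址异常:第一个IP:" + ipOf(first)
                                + "第二个IP:" + ipOf(second);
                    }
                });

        result.print().setParallelism(1);
        env.execute();
    }

    /** Returns true when the line has a non-empty user ID and a non-empty IP field. */
    private static boolean isWellFormed(String line) {
        String[] fields = line.split(",");
        return fields.length >= 2 && !fields[0].trim().isEmpty() && !fields[1].trim().isEmpty();
    }

    /** Returns the trimmed user ID (first field) of a line that passed {@link #isWellFormed}. */
    private static String userOf(String line) {
        return line.split(",")[0].trim();
    }

    /** Returns the trimmed IP (second field) of a line that passed {@link #isWellFormed}. */
    private static String ipOf(String line) {
        return line.split(",")[1].trim();
    }
}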