Nginx+Flume+Hadoop日志分析，Ngram+AutoComplete

配置Nginx

yum install nginx （在host99和host101）
service nginx start开启服务
ps -ef |grep nginx看一下进程

ps -ef |grep nginx
root     28230     1  0 14:54 ?        00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx    28231 28230  0 14:54 ?        00:00:00 nginx: worker process                   
nginx    28232 28230  0 14:54 ?        00:00:00 nginx: worker process                   
nginx    28234 28230  0 14:54 ?        00:00:00 nginx: worker process                   
nginx    28235 28230  0 14:54 ?        00:00:00 nginx: worker process 
....

View Code

在本机浏览器也可以通过ip + port(默认80端口)访问

HTML

很简单的网页配置，在/root/html下放了一个index.html文件
先test一下是否正常，在browser里面输入ip地址就可以看到了。
下一步配置一个输入框，模拟搜索数据。
index.html是特别简单的代码，（我是前端渣- -

<!DOCTYPE html>
<html>
    <body>

        <form action="/result.html" method="GET">
            Please Input:<br>
            <input type="text" name="Input" value="Mickey">
            <br>
            <br>
            <input type="submit" value="Submit">
        </form> 

    </body>
</html>

View Code

跳转到的页面result.html就随便写一句话啦

log日志

log日志放在/var/log/nginx目录的access.log中。
```
tail -f access.log
```
在输入框输入数据，提交之后会看到log刷新，比如我输入“test”提交后log会刷新一条：

10.109.255.90 - - [11/May/2017:14:24:16 +0800] "GET /action_page.php?Input=test HTTP/1.1" 404 169 "http://10.3.242.101/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"

配置Flume

安装：（在host101）

wget http://mirrors.tuna.tsinghua.edu.cn/apache/flume/1.7.0/apache-flume-1.7.0-bin.tar.gz
tar -xvf apache-flume-1.7.0-bin.tar.gz

测试：

在conf文件夹下新建一个test.conf文件如下：

# Name the components on this agent
a1.sources = r1
a1.sinks = k1
a1.channels = c1

# Describe/configure the source
a1.sources.r1.type = netcat
a1.sources.r1.bind = localhost
a1.sources.r1.port = 44444

# Describe the sink
a1.sinks.k1.type = logger

# Use a channel which buffers events in memory
a1.channels.c1.type = memory
a1.channels.c1.capacity = 1000
a1.channels.c1.transactionCapacity = 100

# Bind the source and sink to the channel
a1.sources.r1.channels = c1
a1.sinks.k1.channel = c1

View Code

然后，运行

bin/flume-ng agent -n a1 -c conf -f conf/test.conf

然后在logs文件夹下运行如下，刷新log
```
tail -f flume.log
```
然后telnet localhost 44444。随便输入一些数据。log刷新显示出

11 May 2017 15:26:55,372 INFO  [SinkRunner-PollingRunner-DefaultSinkProcessor] (org.apache.flume.sink.LoggerSink.process:95)  - Event: { headers:{} body: 64 61 6B 6A 64 63 0D                            dakjdc. }

就没问题啦

Nginx(WebServer)端

Nginx端配置source-side flume agent来收集访问日志流数据

WebAccLog.sources = NginxAccess
WebAccLog.sinks = AvroSink
WebAccLog.channels = MemChannel

WebAccLog.sources.NginxAccess.type = exec

WebAccLog.sources.NginxAccess.command = tail -f /var/log/nginx/access.log
WebAccLog.sources.NginxAccess.batchSize = 10

WebAccLog.sources.NginxAccess.interceptors = itime
WebAccLog.sources.NginxAccess.interceptors.itime.type = timestamp

WebAccLog.sinks.AvroSink.type = avro
WebAccLog.sinks.AvroSink.hostname = 10.3.242.99
WebAccLog.sinks.AvroSink.port = 4545

WebAccLog.channels.MemChannel.type = memory
WebAccLog.sinks.AvroSink.channel = MemChannel
WebAccLog.sources.NginxAccess.channels = MemChannel

注意到我们在这里配置对source配置了一下interceptor拦截器。flume中source采集的日志首先会传入ChannelProcessor，在其内首先会通过interceptors进行过滤加工，然后通过ChannelSelector选择channel。
这里配置了一个时间戳拦截器，后面会在指定hdfs.path的时候用到(根据时间戳来指定存放路径)。
关于拦截器：flume内部实现了很多拦截器，同时还是先虑InterceptorChain用来链式处理event。
- HostInterceptor：在所有拦截的events的header中上加上本机的host name或IP
- TimestampInterceptor：在所有拦截的events的header中上加上它处理该时间的时间(in millis)。
这里之前写的时候source忘记加s了，然后查一下log才发现的问题，说实话这个conf文件好容易眼花，要改的东西太多- -。

Hadoop/Spark cluster端

Hadoop/Spark cluster端配置receiver- side flume agent来接收数据.
首先使用logger sink来测试下是否一切正常
- 启动cluster端的flume，然后在web server端运行
- ```
bin/flume-ng avro-client -c ./conf -H 10.3.242.99 -p 4545 -F /var/log/nginx/access.log
```
- 然后cluster端的flume会在log里面打出一堆数据，说明可以了。
接下来，把两边连通
下面是一个HDFS sink的例子，其他需求可以通过修改sink部分实现。

# clusterLogAgent

# Naming the components of the current agent.
clusterLogAgent.sources = AvroSource
clusterLogAgent.sinks = HDFS
clusterLogAgent.channels = MemChannel

# Source configuration
clusterLogAgent.sources.AvroSource.type = avro
# hostname or IP address to listen on
clusterLogAgent.sources.AvroSource.bind = 0.0.0.0
clusterLogAgent.sources.AvroSource.port = 4545

# sink configuration(write to HDFS)
clusterLogAgent.sinks.HDFS.type = hdfs
clusterLogAgent.sinks.HDFS.hdfs.path = /logFlume/nginx/accesslog
# File format: currently SequenceFile, DataStream or CompressedStream
clusterLogAgent.sinks.HDFS.hdfs.fileType = DataStream
# Number of events written to file before it rolled (0 = never roll based on number of events)
clusterLogAgent.sinks.HDFS.hdfs.rollCount = 0

clusterLogAgent.channels.MemChannel.type = memory

clusterLogAgent.sources.AvroSource.channels = MemChannel
clusterLogAgent.sinks.HDFS.channel = MemChannel

启动

首先开启cluster上的flume服务(这里要注意开启顺序

./bin/flume-ng agent -n clusterLogAgent -c conf -f conf/flume-hdfsSink.conf

开启Nginx端的flume服务

bin/flume-ng agent -n WebAccLog -c conf -f conf/flume-avro.conf

check HDFS来验证流访问log events是否成功写入

[root@host99 /home/hhh/apache-flume-1.7.0-bin/conf]$hadoop fs -ls /logFlume/nginx/accesslog
17/05/11 17:25:47 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
Found 3 items
-rw-r--r--   2 root supergroup       1146 2017-05-11 17:15 /logFlume/nginx/accesslog/FlumeData.1494494113448
-rw-r--r--   2 root supergroup       1190 2017-05-11 17:15 /logFlume/nginx/accesslog/FlumeData.1494494113449
-rw-r--r--   2 root supergroup        952 2017-05-11 17:16 /logFlume/nginx/accesslog/FlumeData.1494494113450

[root@host101 /home/hhh/apache-flume-1.7.0-bin/conf]$hadoop fs -cat /logFlume/nginx/accesslog/FlumeData.1494494113448
17/05/11 17:19:59 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
10.109.255.90 - - [11/May/2017:16:56:35 +0800] "GET /result.html?Input=ttt HTTP/1.1" 200 23 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
10.109.255.90 - - [11/May/2017:16:56:45 +0800] "GET /result.html?Input=ttt HTTP/1.1" 200 23 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
10.109.255.90 - - [11/May/2017:16:57:04 +0800] "GET /result.html?Input=hhhhhh HTTP/1.1" 200 23 "http://10.3.242.101/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
10.109.255.90 - - [11/May/2017:16:57:07 +0800] "GET /result.html?Input=hhhhhh HTTP/1.1" 200 23 "http://10.3.242.101/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"

Flume conf调优

可优化的配置：

Avro Sink：
- batch-size: 一次发送多少数据，默认是10
- compression-type：压缩类型，默认不压缩。
- compression-level: 压缩等级
- maxIoWorkers：最大的I/O worker线程个数，默认2*机器最大可用处理器数目

Avro Source：
- threads：最大worker线程数
HDFS sink：

HDFS sink支持创建text和sequence文件；支持压缩；
文件可以被rolled。rolled基于elapse time或数据size或events数量
可以根据events的属性(比如时间戳或机器)来划分数据(buckets/partitions data)
HDFS路径可以包含格式化转移序列(formatiting escape sequences)，HDFS可以据其产生一个目录/文件名来存储events。如下：

Alias	Description
%{host}	Substitute value of event header named “host”. Arbitrary header names are supported.
%t	Unix time in milliseconds
%a	locale’s short weekday name (Mon, Tue, ...)
%A	locale’s full weekday name (Monday, Tuesday, ...)
%b	locale’s short month name (Jan, Feb, ...)
%B	locale’s long month name (January, February, ...)
%c	locale’s date and time (Thu Mar 3 23:05:25 2005)
%d	day of month (01)
%e	day of month without padding (1)
%D	date; same as %m/%d/%y
%H	hour (00..23)
%I	hour (01..12)
%j	day of year (001..366)
%k	hour ( 0..23)
%m	month (01..12)
%n	month without padding (1..12)
%M	minute (00..59)
%p	locale’s equivalent of am or pm
%s	seconds since 1970-01-01 00:00:00 UTC
%S	second (00..59)
%y	last two digits of year (00..99)
%Y	year (2010)
%z	+hhmm numeric timezone (for example, -0400)
%[localhost]	Substitute the hostname of the host where the agent is running
%[IP]	Substitute the IP address of the host where the agent is running
%[FQDN]	Substitute the canonical hostname of the host where the agent is running

- 一些可能的优化配置：
  - hdfs.rollSize:触发roll的文件大小，in bytes，默认是1024
  - hdfs.rollCount: 在roll之前写入文件的events数目，默认是10。设置为0的话就不会根据events数量roll了。
  - hdfs.rollInterval:roll当前文件所等待的秒数，默认是9=30。设置为0的话就不会根据时间间隔roll了。
  - hdfs.batchSize: 在flushed到HDFS之前写入到文件的events数目
  - hdfs.threadsPoolSize:每个HDFS sink中HDFS IO操作的线程数目，默认10

已完成的优化

hdfs文件目录：按日期分目录
```
# flume-hdfs.sink
```
clusterLogAgent.sinks.HDFS.hdfs.path = /logFlume/nginx/%y.%m.%d/
然后就变成啦酱紫：

配置滚动文件的大小，避免产生一堆小文件

#clusterLogAgent.sinks.HDFS.hdfs.rollSize =64*1024*1024

clusterLogAgent.sinks.HDFS.hdfs.rollSize = 67108864

clusterLogAgent.sinks.HDFS.hdfs.rollCount = 0

clusterLogAgent.sinks.HDFS.hdfs.rollInterval = 0

TBD

压缩
线程、worker数目
...
flume内部是可以做一些过滤的。基于当前场景的话，是要用到正则的，主要是考虑这样的话会不会很影响效率。因为flume内部也不适合做复杂的过滤。

Log Analyse

搜索词分析-Ngram

提取搜索词：正则。

10.109.255.90 - - [12/May/2017:14:31:46 +0800] "GET /result.html?Input=Mickey HTTP/1.1" 304 0 "http://10.3.242.101/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
10.30.146.74 - - [12/May/2017:14:33:55 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"

可以看到就是要提取 "?Input=Mickey"这一部分。用正则“?Input=[^s]*s”来匹配这段。

　　　还有一点就是看到有的log是没有input，状态是304的。这种请求是因为用了浏览器缓存。考虑到搜索结果不能是固定的，所以在conf里面加了一句add_header Cache-Control no-store;来禁用缓存。

在mapper的中建Pattern，而不是在map()函数中每次初始化。
用搜索词做Ngram，这里直接假设搜索词已经是'+'-split(在搜索框space分隔的数据会在log里变成+分隔的)。【TODO：后续可以实现切分】
MapReduce实现：
- Job1: SplitNgram --> 正则匹配搜索词，切分搜索词，统计ngram出现次数；
- Job2： GetNgram --> 过滤count小于指定threshold的ngram，同时得到每个origin词联想到的topK。

模拟搜索

nili小可爱真是可怜又坚强什么也没有零数据支持
模拟的方式简单，就写一个程序(python or java or scala or whatever)，就好啦
但是要稍微有点意义的搜索词，目前想到的方法就是找一堆数据，脚本一边读一边向nginx请求。

模拟http请求的demo如下：

import httplib

coon = httplib.HTTPConnection('host101')
word = 'test'
conn.request('GET', 'result.html?input=' + word)

以及搜索数据目前能找到的方式就是，我在kaggle上看到的一个quora的比赛，可以拿到一些quora的问题，这在某种程度上也是搜索数据了吧。hhh自我满足ing...[所以其实后续想再扩展的话可以考虑爬quora呀23333]

def get_search_word(file_name):
    # id, qid1, qid2, question1, question2, is_duplicate
    with open(file_name) as fi:
        for line in fi:
            splited = line.split(",")
            if len(splited) < 6:
                continue
            conn = httplib.HTTPConnection('10.3.242.101')
            conn.request('GET', 'result.html?input=' + splited[3])
            # time.sleep(5)
            conn = httplib.HTTPConnection('10.3.242.101')
            conn.request('GET', 'result.html?input=' + splited[4])
            time.sleep(5)

满地都是六便士，她却抬头看见了月亮。