实战项目 on DuckDB 实验室https://duckdblab.org/zh/categories/%E5%AE%9E%E6%88%98%E9%A1%B9%E7%9B%AE/Recent content in 实战项目 on DuckDB 实验室Hugo -- gohugo.iozh-CNWed, 13 May 2026 00:00:00 +0000DuckDB + Streamlit 构建日志异常检测仪表板:5 分钟定位 API 异常https://duckdblab.org/zh/post/duckdb-streamlit-log-anomaly/Wed, 13 May 2026 00:00:00 +0000https://duckdblab.org/zh/post/duckdb-streamlit-log-anomaly/<h2 id="一痛点日志查询还在用-grep">一、痛点:日志查询还在用 grep? </h2><p>凌晨 2 点,线上告警响了。</p> <p>你 SSH 上服务器,先 <code>tail -n 1000 access.log</code> 看一眼最后几条请求,然后 <code>grep 500</code> 找 5xx 错误,再 <code>awk '{print $7}'</code> 列一下请求路径,最后手动统计哪个 API 挂了最多次。</p> <p>整个过程耗时 15-30 分钟。如果日志文件达到 GB 级别,<code>grep</code> 和 <code>awk</code> 会越来越慢,服务器 CPU 被拉满,影响线上服务。更糟糕的是:</p> <ul> <li><strong>跨时间段对比困难</strong>:想知道今天和昨天同一时段对比?</li> <li><strong>多维分析全靠脑补</strong>:哪个用户触发了最多错误?哪个 API 平均响应最慢?</li> <li><strong>没有历史记录</strong>:查完就完了,下次遇到同样问题重来一遍</li> </ul> <p>传统方式(grep/awk)的痛点:</p> <table> <thead> <tr> <th>场景</th> <th style="text-align: center">痛点</th> <th style="text-align: center">后果</th> </tr> </thead> <tbody> <tr> <td>GB 级日志</td> <td style="text-align: center">grep 卡死服务器</td> <td style="text-align: center">线上服务受影响</td> </tr> <tr> <td>多维度分析</td> <td style="text-align: center">需要组合 awk/sed/cut</td> <td style="text-align: center">命令写半小时</td> </tr> <tr> <td>趋势分析</td> <td style="text-align: center">跨文件对比靠手工</td> <td style="text-align: center">发现不了模式</td> </tr> <tr> <td>报表输出</td> <td style="text-align: center">无报表功能</td> <td style="text-align: center">来了就查,查完就忘</td> </tr> <tr> <td>协作分享</td> <td style="text-align: center">截图 + 文字描述</td> <td style="text-align: center">效率低、易误解</td> </tr> </tbody> </table> <p><strong>DuckDB 的方案</strong>:把日志当数据库表来查。</p> <p>Nginx 日志可以转为结构化数据(JSON 或 CSV),然后用 SQL 进行任意维度的聚合分析——响应码分布、API 延迟排名、时间趋势、用户行为模式……一条 SQL 搞定,而且 DuckDB 的向量化执行引擎处理 GB 级日志仍然游刃有余。</p> <hr> <h2 id="二duckdb-解析-nginx-日志">二、DuckDB 解析 Nginx 日志 </h2><h3 id="21-nginx-日志格式">2.1 Nginx 日志格式 </h3><p>一个典型的 Nginx access log(combined 格式):</p> <pre tabindex="0"><code>192.168.1.1 - - [13/May/2026:10:15:30 +0800] &#34;GET /api/users HTTP/1.1&#34; 200 1234 &#34;-&#34; &#34;Mozilla/5.0&#34; 192.168.1.2 - - [13/May/2026:10:15:31 +0800] &#34;POST /api/orders HTTP/1.1&#34; 500 56 &#34;-&#34; &#34;curl/7.68&#34; 192.168.1.1 - - [13/May/2026:10:15:32 +0800] &#34;GET /api/products HTTP/1.1&#34; 200 8901 &#34;-&#34; &#34;Mozilla/5.0&#34; 192.168.1.3 - - [13/May/2026:10:15:33 +0800] &#34;POST /api/orders HTTP/1.1&#34; 502 0 &#34;-&#34; &#34;python-requests/2.25&#34; </code></pre><h3 id="22-用-duckdb-的正则解析">2.2 用 DuckDB 的正则解析 </h3><p>DuckDB 内置了 <code>regexp_extract</code> 函数,可以像 <code>sed</code> 一样提取日志中的字段:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">WITH</span><span class="w"> </span><span class="n">parsed</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;^([^ ]+)&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">ip</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;\[([^\]]+)\]&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">timestamp_raw</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;&#34;([^&#34;]+)&#34;&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">request</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39; (\d{3}) &#39;</span><span class="p">)::</span><span class="nb">INT</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">status_code</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39; (\d+) &#34;&#39;</span><span class="p">)::</span><span class="nb">INT</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">body_bytes</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;&#34;([^&#34;]*)&#34;$&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">user_agent</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">read_text</span><span class="p">(</span><span class="s1">&#39;access.log&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="n">status_code</span><span class="p">,</span><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">cnt</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">parsed</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">status_code</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ORDER</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">cnt</span><span class="w"> </span><span class="k">DESC</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>输出示例:</p> <table> <thead> <tr> <th style="text-align: center">status_code</th> <th style="text-align: center">cnt</th> </tr> </thead> <tbody> <tr> <td style="text-align: center">200</td> <td style="text-align: center">8452</td> </tr> <tr> <td style="text-align: center">404</td> <td style="text-align: center">123</td> </tr> <tr> <td style="text-align: center">500</td> <td style="text-align: center">45</td> </tr> <tr> <td style="text-align: center">502</td> <td style="text-align: center">12</td> </tr> <tr> <td style="text-align: center">503</td> <td style="text-align: center">8</td> </tr> </tbody> </table> <p>这比 <code>grep 500 | wc -l</code> 强在哪?<strong>所有状态码分布一目了然</strong>,而且可以继续往下做任意分析。</p> <h3 id="23-进阶解析请求方法和路径">2.3 进阶:解析请求方法和路径 </h3><p>Nginx 的 request 行格式是 <code>&quot;GET /api/users HTTP/1.1&quot;</code>,我们可以进一步拆分:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">WITH</span><span class="w"> </span><span class="n">parsed</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;^([^ ]+)&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">ip</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;&#34;([^&#34;]+)&#34;&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">request</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39; (\d{3}) &#39;</span><span class="p">)::</span><span class="nb">INT</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">status_code</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">log_line</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39; (\d+) &#34;&#39;</span><span class="p">)::</span><span class="nb">INT</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">body_bytes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">read_text</span><span class="p">(</span><span class="s1">&#39;access.log&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">request</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;^([^ ]+)&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">http_method</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">request</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39; ([^ ]+) &#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">path</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">status_code</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">cnt</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">parsed</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">http_method</span><span class="p">,</span><span class="w"> </span><span class="n">path</span><span class="p">,</span><span class="w"> </span><span class="n">status_code</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ORDER</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">cnt</span><span class="w"> </span><span class="k">DESC</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">LIMIT</span><span class="w"> </span><span class="mi">10</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>这样你就可以一眼看到:<strong><code>POST /api/orders</code> 的 500 错误有 23 次,<code>GET /api/users</code> 完全正常</strong>。</p> <hr> <h2 id="三完整项目日志异常检测仪表板">三、完整项目:日志异常检测仪表板 </h2><p>下面是一个完整的 Python 脚本,生成模拟日志 → DuckDB 分析 → Streamlit 看板,复制就能跑。</p> <h3 id="前置条件">前置条件 </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">pip install duckdb streamlit pandas openpyxl </span></span></code></pre></div><h3 id="完整代码">完整代码 </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env python3</span> </span></span><span class="line"><span class="cl"><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">DuckDB 掘金实战 | 日志异常检测仪表板 </span></span></span><span class="line"><span class="cl"><span class="s2">一键生成模拟 Nginx 日志 → DuckDB 分析 → Streamlit 交互看板 → Excel 导出 </span></span></span><span class="line"><span class="cl"><span class="s2">&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">duckdb</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">pandas</span> <span class="k">as</span> <span class="nn">pd</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">random</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">datetime</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">json</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ============================================================</span> </span></span><span class="line"><span class="cl"><span class="c1"># 第1步:生成模拟 Nginx 访问日志</span> </span></span><span class="line"><span class="cl"><span class="c1"># ============================================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">generate_nginx_logs</span><span class="p">(</span><span class="n">num_lines</span><span class="o">=</span><span class="mi">10000</span><span class="p">,</span> <span class="n">output_file</span><span class="o">=</span><span class="s2">&#34;nginx_access.log&#34;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;生成模拟 Nginx access log,包含正常和异常请求&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">ips</span> <span class="o">=</span> <span class="p">[</span><span class="sa">f</span><span class="s2">&#34;192.168.1.</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s2">&#34;</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">21</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="n">paths</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/api/users&#34;</span><span class="p">,</span> <span class="s2">&#34;/api/products&#34;</span><span class="p">,</span> <span class="s2">&#34;/api/orders&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/api/payments&#34;</span><span class="p">,</span> <span class="s2">&#34;/api/auth/login&#34;</span><span class="p">,</span> <span class="s2">&#34;/api/auth/logout&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/api/search&#34;</span><span class="p">,</span> <span class="s2">&#34;/api/recommend&#34;</span><span class="p">,</span> <span class="s2">&#34;/api/cart&#34;</span><span class="p">,</span> <span class="s2">&#34;/api/checkout&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">methods</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;GET&#34;</span><span class="p">,</span> <span class="s2">&#34;POST&#34;</span><span class="p">,</span> <span class="s2">&#34;PUT&#34;</span><span class="p">,</span> <span class="s2">&#34;DELETE&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">user_agents</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Mozilla/5.0 (Windows NT 10.0; Win64; x64)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;curl/7.68.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;python-requests/2.25.1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;PostmanRuntime/7.28.4&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">base_time</span> <span class="o">=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="p">(</span><span class="mi">2026</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">output_file</span><span class="p">,</span> <span class="s2">&#34;w&#34;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">num_lines</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 时间递增(随机间隔 0.1-5 秒)</span> </span></span><span class="line"><span class="cl"> <span class="n">base_time</span> <span class="o">+=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">seconds</span><span class="o">=</span><span class="n">random</span><span class="o">.</span><span class="n">uniform</span><span class="p">(</span><span class="mf">0.1</span><span class="p">,</span> <span class="mi">5</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">base_time</span><span class="o">.</span><span class="n">strftime</span><span class="p">(</span><span class="s2">&#34;</span><span class="si">%d</span><span class="s2">/%b/%Y:%H:%M:%S +0800&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">ip</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">choice</span><span class="p">(</span><span class="n">ips</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">method</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">choice</span><span class="p">(</span><span class="n">methods</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">path</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">choice</span><span class="p">(</span><span class="n">paths</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 制造 5% 的异常</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">random</span><span class="o">.</span><span class="n">random</span><span class="p">()</span> <span class="o">&lt;</span> <span class="mf">0.05</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 高延迟 + 错误状态码</span> </span></span><span class="line"><span class="cl"> <span class="n">status</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">choice</span><span class="p">([</span><span class="mi">500</span><span class="p">,</span> <span class="mi">502</span><span class="p">,</span> <span class="mi">503</span><span class="p">,</span> <span class="mi">504</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">bytes_sent</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">200</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">response_time</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">uniform</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="mi">15</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">random</span><span class="o">.</span><span class="n">random</span><span class="p">()</span> <span class="o">&lt;</span> <span class="mf">0.10</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 4xx 客户端错误</span> </span></span><span class="line"><span class="cl"> <span class="n">status</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">choice</span><span class="p">([</span><span class="mi">400</span><span class="p">,</span> <span class="mi">401</span><span class="p">,</span> <span class="mi">403</span><span class="p">,</span> <span class="mi">404</span><span class="p">,</span> <span class="mi">429</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">bytes_sent</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">50</span><span class="p">,</span> <span class="mi">500</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">response_time</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">uniform</span><span class="p">(</span><span class="mf">0.1</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 正常请求</span> </span></span><span class="line"><span class="cl"> <span class="n">status</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">choice</span><span class="p">([</span><span class="mi">200</span><span class="p">,</span> <span class="mi">201</span><span class="p">,</span> <span class="mi">204</span><span class="p">,</span> <span class="mi">301</span><span class="p">,</span> <span class="mi">302</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">bytes_sent</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="mi">15000</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">response_time</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">uniform</span><span class="p">(</span><span class="mf">0.01</span><span class="p">,</span> <span class="mf">1.5</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">ua</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">choice</span><span class="p">(</span><span class="n">user_agents</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">log_line</span> <span class="o">=</span> <span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s1"> - - [</span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="s1">] &#39;</span> </span></span><span class="line"><span class="cl"> <span class="sa">f</span><span class="s1">&#39;&#34;</span><span class="si">{</span><span class="n">method</span><span class="si">}</span><span class="s1"> </span><span class="si">{</span><span class="n">path</span><span class="si">}</span><span class="s1"> HTTP/1.1&#34; </span><span class="si">{</span><span class="n">status</span><span class="si">}</span><span class="s1"> </span><span class="si">{</span><span class="n">bytes_sent</span><span class="si">}</span><span class="s1"> &#39;</span> </span></span><span class="line"><span class="cl"> <span class="sa">f</span><span class="s1">&#39;&#34;</span><span class="si">{</span><span class="n">random</span><span class="o">.</span><span class="n">choice</span><span class="p">([</span><span class="s2">&#34;-&#34;</span><span class="p">,</span> <span class="s2">&#34;https://example.com&#34;</span><span class="p">])</span><span class="si">}</span><span class="s1">&#34; &#39;</span> </span></span><span class="line"><span class="cl"> <span class="sa">f</span><span class="s1">&#39;&#34;</span><span class="si">{</span><span class="n">ua</span><span class="si">}</span><span class="s1">&#34; </span><span class="si">{</span><span class="n">response_time</span><span class="si">:</span><span class="s1">.3f</span><span class="si">}</span><span class="se">\n</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">log_line</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;✅ 生成 </span><span class="si">{</span><span class="n">num_lines</span><span class="si">}</span><span class="s2"> 条模拟日志 → </span><span class="si">{</span><span class="n">output_file</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">output_file</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ============================================================</span> </span></span><span class="line"><span class="cl"><span class="c1"># 第2步:DuckDB 日志分析引擎</span> </span></span><span class="line"><span class="cl"><span class="c1"># ============================================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">LogAnalyzer</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;基于 DuckDB 的日志分析引擎&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">log_file</span><span class="o">=</span><span class="s2">&#34;nginx_access.log&#34;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">con</span> <span class="o">=</span> <span class="n">duckdb</span><span class="o">.</span><span class="n">connect</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">log_file</span> <span class="o">=</span> <span class="n">log_file</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">_load_and_parse</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">_load_and_parse</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;加载日志文件并用 SQL 解析结构化字段&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> CREATE TABLE logs AS </span></span></span><span class="line"><span class="cl"><span class="s2"> SELECT </span></span></span><span class="line"><span class="cl"><span class="s2"> -- IP 地址 </span></span></span><span class="line"><span class="cl"><span class="s2"> regexp_extract(line, &#39;^([^ ]+)&#39;) AS ip, </span></span></span><span class="line"><span class="cl"><span class="s2"> -- 时间戳 </span></span></span><span class="line"><span class="cl"><span class="s2"> regexp_extract(line, &#39;</span><span class="se">\\</span><span class="s2">[([^</span><span class="se">\\</span><span class="s2">]]+)</span><span class="se">\\</span><span class="s2">]&#39;) AS timestamp_raw, </span></span></span><span class="line"><span class="cl"><span class="s2"> -- 请求方法 + 路径 </span></span></span><span class="line"><span class="cl"><span class="s2"> regexp_extract(line, &#39;&#34;([^&#34;]+)&#34;&#39;) AS request, </span></span></span><span class="line"><span class="cl"><span class="s2"> -- 状态码 </span></span></span><span class="line"><span class="cl"><span class="s2"> regexp_extract(line, &#39; (</span><span class="se">\\</span><span class="s2">d</span><span class="se">{{</span><span class="s2">3</span><span class="se">}}</span><span class="s2">) &#39;)::INT AS status_code, </span></span></span><span class="line"><span class="cl"><span class="s2"> -- 响应字节数 </span></span></span><span class="line"><span class="cl"><span class="s2"> regexp_extract(line, &#39; (</span><span class="se">\\</span><span class="s2">d+) &#34;&#39;)::INT AS body_bytes, </span></span></span><span class="line"><span class="cl"><span class="s2"> -- User-Agent </span></span></span><span class="line"><span class="cl"><span class="s2"> regexp_extract(line, &#39;&#34;([^&#34;]*)&#34;$&#39;) AS user_agent, </span></span></span><span class="line"><span class="cl"><span class="s2"> -- 响应时间(额外的字段,如果日志包含) </span></span></span><span class="line"><span class="cl"><span class="s2"> regexp_extract(line, &#39; (</span><span class="se">\\</span><span class="s2">d+</span><span class="se">\\</span><span class="s2">.</span><span class="se">\\</span><span class="s2">d+)$&#39;)::DOUBLE AS response_time </span></span></span><span class="line"><span class="cl"><span class="s2"> FROM read_text(&#39;</span><span class="si">{</span><span class="bp">self</span><span class="o">.</span><span class="n">log_file</span><span class="si">}</span><span class="s2">&#39;) </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 解析请求方法和路径</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> ALTER TABLE logs ADD COLUMN http_method VARCHAR; </span></span></span><span class="line"><span class="cl"><span class="s2"> ALTER TABLE logs ADD COLUMN path VARCHAR; </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> UPDATE logs SET </span></span></span><span class="line"><span class="cl"><span class="s2"> http_method = regexp_extract(request, &#39;^([^ ]+)&#39;), </span></span></span><span class="line"><span class="cl"><span class="s2"> path = regexp_extract(request, &#39; ([^ ]+) &#39;) </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 解析时间戳为 datetime</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> ALTER TABLE logs ADD COLUMN request_time TIMESTAMP; </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> UPDATE logs SET </span></span></span><span class="line"><span class="cl"><span class="s2"> request_time = strptime( </span></span></span><span class="line"><span class="cl"><span class="s2"> regexp_replace(timestamp_raw, &#39;:&#39;, &#39; &#39;, 1, 1), </span></span></span><span class="line"><span class="cl"><span class="s2"> &#39;</span><span class="si">%d</span><span class="s2">/%b/%Y %H:%M:%S&#39; </span></span></span><span class="line"><span class="cl"><span class="s2"> ) </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">row_count</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT count(*) FROM logs&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;✅ DuckDB 解析完成:共 </span><span class="si">{</span><span class="n">row_count</span><span class="si">}</span><span class="s2"> 条日志记录&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">status_distribution</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;分析 1:状态码分布&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> SELECT status_code, count(*) AS cnt, </span></span></span><span class="line"><span class="cl"><span class="s2"> round(count(*) * 100.0 / sum(count(*)) OVER (), 2) AS pct </span></span></span><span class="line"><span class="cl"><span class="s2"> FROM logs </span></span></span><span class="line"><span class="cl"><span class="s2"> GROUP BY status_code </span></span></span><span class="line"><span class="cl"><span class="s2"> ORDER BY cnt DESC </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">fetchdf</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">error_paths</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">top_n</span><span class="o">=</span><span class="mi">10</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;分析 2:错误最多的 API 路径&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> SELECT path, http_method, </span></span></span><span class="line"><span class="cl"><span class="s2"> count(*) AS total_requests, </span></span></span><span class="line"><span class="cl"><span class="s2"> sum(CASE WHEN status_code &gt;= 500 THEN 1 ELSE 0 END) AS server_errors, </span></span></span><span class="line"><span class="cl"><span class="s2"> sum(CASE WHEN status_code &gt;= 400 AND status_code &lt; 500 THEN 1 ELSE 0 END) AS client_errors, </span></span></span><span class="line"><span class="cl"><span class="s2"> round(AVG(response_time), 3) AS avg_response_time, </span></span></span><span class="line"><span class="cl"><span class="s2"> round(MAX(response_time), 3) AS max_response_time </span></span></span><span class="line"><span class="cl"><span class="s2"> FROM logs </span></span></span><span class="line"><span class="cl"><span class="s2"> GROUP BY path, http_method </span></span></span><span class="line"><span class="cl"><span class="s2"> HAVING server_errors &gt; 0 OR client_errors &gt; 0 </span></span></span><span class="line"><span class="cl"><span class="s2"> ORDER BY server_errors DESC </span></span></span><span class="line"><span class="cl"><span class="s2"> LIMIT </span><span class="si">{</span><span class="n">top_n</span><span class="si">}</span><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">fetchdf</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">slowest_apis</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">top_n</span><span class="o">=</span><span class="mi">10</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;分析 3:最慢的 API Top N&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> SELECT path, http_method, </span></span></span><span class="line"><span class="cl"><span class="s2"> count(*) AS cnt, </span></span></span><span class="line"><span class="cl"><span class="s2"> round(AVG(response_time), 3) AS avg_ms, </span></span></span><span class="line"><span class="cl"><span class="s2"> round(PERCENTILE_CONT(0.95) WITHIN GROUP (ORDER BY response_time), 3) AS p95_ms, </span></span></span><span class="line"><span class="cl"><span class="s2"> round(MAX(response_time), 3) AS max_ms </span></span></span><span class="line"><span class="cl"><span class="s2"> FROM logs </span></span></span><span class="line"><span class="cl"><span class="s2"> GROUP BY path, http_method </span></span></span><span class="line"><span class="cl"><span class="s2"> HAVING cnt &gt; 5 </span></span></span><span class="line"><span class="cl"><span class="s2"> ORDER BY avg_ms DESC </span></span></span><span class="line"><span class="cl"><span class="s2"> LIMIT </span><span class="si">{</span><span class="n">top_n</span><span class="si">}</span><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">fetchdf</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">time_series</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">interval</span><span class="o">=</span><span class="s1">&#39;5 minutes&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;分析 4:时间序列趋势&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> SELECT date_trunc(&#39;</span><span class="si">{</span><span class="n">interval</span><span class="si">}</span><span class="s2">&#39;, request_time) AS bucket, </span></span></span><span class="line"><span class="cl"><span class="s2"> count(*) AS total_requests, </span></span></span><span class="line"><span class="cl"><span class="s2"> sum(CASE WHEN status_code &gt;= 500 THEN 1 ELSE 0 END) AS errors, </span></span></span><span class="line"><span class="cl"><span class="s2"> round(AVG(response_time), 3) AS avg_response_time </span></span></span><span class="line"><span class="cl"><span class="s2"> FROM logs </span></span></span><span class="line"><span class="cl"><span class="s2"> GROUP BY bucket </span></span></span><span class="line"><span class="cl"><span class="s2"> ORDER BY bucket </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">fetchdf</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">top_error_users</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">top_n</span><span class="o">=</span><span class="mi">5</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;分析 5:触发错误最多的 IP&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> SELECT ip, </span></span></span><span class="line"><span class="cl"><span class="s2"> count(*) AS total_requests, </span></span></span><span class="line"><span class="cl"><span class="s2"> sum(CASE WHEN status_code &gt;= 500 THEN 1 ELSE 0 END) AS server_errors, </span></span></span><span class="line"><span class="cl"><span class="s2"> round(AVG(response_time), 3) AS avg_response_time </span></span></span><span class="line"><span class="cl"><span class="s2"> FROM logs </span></span></span><span class="line"><span class="cl"><span class="s2"> GROUP BY ip </span></span></span><span class="line"><span class="cl"><span class="s2"> HAVING server_errors &gt; 0 </span></span></span><span class="line"><span class="cl"><span class="s2"> ORDER BY server_errors DESC </span></span></span><span class="line"><span class="cl"><span class="s2"> LIMIT </span><span class="si">{</span><span class="n">top_n</span><span class="si">}</span><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">fetchdf</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">export_excel</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">output_file</span><span class="o">=</span><span class="s2">&#34;log_analysis_report.xlsx&#34;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;导出完整分析报告为 Excel&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">pd</span><span class="o">.</span><span class="n">ExcelWriter</span><span class="p">(</span><span class="n">output_file</span><span class="p">,</span> <span class="n">engine</span><span class="o">=</span><span class="s1">&#39;openpyxl&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">writer</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">status_distribution</span><span class="p">()</span><span class="o">.</span><span class="n">to_excel</span><span class="p">(</span><span class="n">writer</span><span class="p">,</span> <span class="n">sheet_name</span><span class="o">=</span><span class="s1">&#39;状态码分布&#39;</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">error_paths</span><span class="p">()</span><span class="o">.</span><span class="n">to_excel</span><span class="p">(</span><span class="n">writer</span><span class="p">,</span> <span class="n">sheet_name</span><span class="o">=</span><span class="s1">&#39;错误API分析&#39;</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">slowest_apis</span><span class="p">()</span><span class="o">.</span><span class="n">to_excel</span><span class="p">(</span><span class="n">writer</span><span class="p">,</span> <span class="n">sheet_name</span><span class="o">=</span><span class="s1">&#39;慢API分析&#39;</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">time_series</span><span class="p">()</span><span class="o">.</span><span class="n">to_excel</span><span class="p">(</span><span class="n">writer</span><span class="p">,</span> <span class="n">sheet_name</span><span class="o">=</span><span class="s1">&#39;时间趋势&#39;</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">top_error_users</span><span class="p">()</span><span class="o">.</span><span class="n">to_excel</span><span class="p">(</span><span class="n">writer</span><span class="p">,</span> <span class="n">sheet_name</span><span class="o">=</span><span class="s1">&#39;问题用户&#39;</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;✅ 报告已导出 → </span><span class="si">{</span><span class="n">output_file</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">output_file</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ============================================================</span> </span></span><span class="line"><span class="cl"><span class="c1"># 第3步:Streamlit 交互看板(仅在 streamlit run 时执行)</span> </span></span><span class="line"><span class="cl"><span class="c1"># ============================================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">run_dashboard</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34;启动 Streamlit 交互看板&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="kn">import</span> <span class="nn">streamlit</span> <span class="k">as</span> <span class="nn">st</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">set_page_config</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">page_title</span><span class="o">=</span><span class="s2">&#34;日志异常检测仪表板&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">page_icon</span><span class="o">=</span><span class="s2">&#34;📊&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">layout</span><span class="o">=</span><span class="s2">&#34;wide&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">title</span><span class="p">(</span><span class="s2">&#34;📊 日志异常检测仪表板&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">markdown</span><span class="p">(</span><span class="s2">&#34;基于 DuckDB 驱动的 Nginx 访问日志分析引擎&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 初始化分析引擎</span> </span></span><span class="line"><span class="cl"> <span class="n">log_file</span> <span class="o">=</span> <span class="s2">&#34;nginx_access.log&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">exists</span><span class="p">(</span><span class="n">log_file</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">&#34;正在生成模拟日志数据...&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">generate_nginx_logs</span><span class="p">(</span><span class="mi">10000</span><span class="p">,</span> <span class="n">log_file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">analyzer</span> <span class="o">=</span> <span class="n">LogAnalyzer</span><span class="p">(</span><span class="n">log_file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># ---- 概览指标 ----</span> </span></span><span class="line"><span class="cl"> <span class="n">col1</span><span class="p">,</span> <span class="n">col2</span><span class="p">,</span> <span class="n">col3</span><span class="p">,</span> <span class="n">col4</span> <span class="o">=</span> <span class="n">st</span><span class="o">.</span><span class="n">columns</span><span class="p">(</span><span class="mi">4</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">col1</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">total</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT count(*) FROM logs&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">metric</span><span class="p">(</span><span class="s2">&#34;总请求数&#34;</span><span class="p">,</span> <span class="sa">f</span><span class="s2">&#34;</span><span class="si">{</span><span class="n">total</span><span class="si">:</span><span class="s2">,</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">col2</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">errors</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;SELECT count(*) FROM logs WHERE status_code &gt;= 500&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">metric</span><span class="p">(</span><span class="s2">&#34;服务端错误&#34;</span><span class="p">,</span> <span class="n">errors</span><span class="p">,</span> <span class="n">delta</span><span class="o">=</span><span class="s2">&#34;-⚠️&#34;</span> <span class="k">if</span> <span class="n">errors</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="k">else</span> <span class="s2">&#34;✅&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">col3</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">client_errors</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;SELECT count(*) FROM logs WHERE status_code &gt;= 400 AND status_code &lt; 500&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">metric</span><span class="p">(</span><span class="s2">&#34;客户端错误&#34;</span><span class="p">,</span> <span class="n">client_errors</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">col4</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">avg_resp</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">con</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;SELECT round(AVG(response_time), 3) FROM logs&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">metric</span><span class="p">(</span><span class="s2">&#34;平均响应时间&#34;</span><span class="p">,</span> <span class="sa">f</span><span class="s2">&#34;</span><span class="si">{</span><span class="n">avg_resp</span><span class="si">:</span><span class="s2">.2f</span><span class="si">}</span><span class="s2">s&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># ---- 标签页 ----</span> </span></span><span class="line"><span class="cl"> <span class="n">tab1</span><span class="p">,</span> <span class="n">tab2</span><span class="p">,</span> <span class="n">tab3</span><span class="p">,</span> <span class="n">tab4</span><span class="p">,</span> <span class="n">tab5</span> <span class="o">=</span> <span class="n">st</span><span class="o">.</span><span class="n">tabs</span><span class="p">([</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;🔴 错误分析&#34;</span><span class="p">,</span> <span class="s2">&#34;🐢 慢 API&#34;</span><span class="p">,</span> <span class="s2">&#34;📈 时间趋势&#34;</span><span class="p">,</span> <span class="s2">&#34;👤 用户分析&#34;</span><span class="p">,</span> <span class="s2">&#34;📋 状态码分布&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">tab1</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">subheader</span><span class="p">(</span><span class="s2">&#34;错误最多的 API 路径&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">df_errors</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">error_paths</span><span class="p">(</span><span class="mi">15</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">dataframe</span><span class="p">(</span><span class="n">df_errors</span><span class="p">,</span> <span class="n">use_container_width</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">bar_chart</span><span class="p">(</span><span class="n">df_errors</span><span class="o">.</span><span class="n">set_index</span><span class="p">(</span><span class="s2">&#34;path&#34;</span><span class="p">)[</span><span class="s2">&#34;server_errors&#34;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">tab2</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">subheader</span><span class="p">(</span><span class="s2">&#34;响应最慢的 API(P95 延迟)&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">df_slow</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">slowest_apis</span><span class="p">(</span><span class="mi">15</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">dataframe</span><span class="p">(</span><span class="n">df_slow</span><span class="p">,</span> <span class="n">use_container_width</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">bar_chart</span><span class="p">(</span><span class="n">df_slow</span><span class="o">.</span><span class="n">set_index</span><span class="p">(</span><span class="s2">&#34;path&#34;</span><span class="p">)[</span><span class="s2">&#34;p95_ms&#34;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">tab3</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">subheader</span><span class="p">(</span><span class="s2">&#34;请求量 &amp; 错误趋势&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">df_ts</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">time_interval</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">line_chart</span><span class="p">(</span><span class="n">df_ts</span><span class="o">.</span><span class="n">set_index</span><span class="p">(</span><span class="s2">&#34;bucket&#34;</span><span class="p">)[[</span><span class="s2">&#34;total_requests&#34;</span><span class="p">,</span> <span class="s2">&#34;errors&#34;</span><span class="p">]])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">tab4</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">subheader</span><span class="p">(</span><span class="s2">&#34;触发错误最多的客户端 IP&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">df_users</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">top_error_users</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">dataframe</span><span class="p">(</span><span class="n">df_users</span><span class="p">,</span> <span class="n">use_container_width</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">tab5</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">subheader</span><span class="p">(</span><span class="s2">&#34;HTTP 状态码分布&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">df_status</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">status_distribution</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">dataframe</span><span class="p">(</span><span class="n">df_status</span><span class="p">,</span> <span class="n">use_container_width</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">bar_chart</span><span class="p">(</span><span class="n">df_status</span><span class="o">.</span><span class="n">set_index</span><span class="p">(</span><span class="s2">&#34;status_code&#34;</span><span class="p">)[</span><span class="s2">&#34;cnt&#34;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># ---- 导出 ----</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">st</span><span class="o">.</span><span class="n">button</span><span class="p">(</span><span class="s2">&#34;📥 导出完整报告 (Excel)&#34;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">filepath</span> <span class="o">=</span> <span class="n">analyzer</span><span class="o">.</span><span class="n">export_excel</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">filepath</span><span class="p">,</span> <span class="s2">&#34;rb&#34;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">download_button</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;点击下载 Excel 报告&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">f</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">file_name</span><span class="o">=</span><span class="s2">&#34;log_analysis_report.xlsx&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">mime</span><span class="o">=</span><span class="s2">&#34;application/vnd.openxmlformats-officedocument.spreadsheetml.sheet&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">markdown</span><span class="p">(</span><span class="s2">&#34;---&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">st</span><span class="o">.</span><span class="n">caption</span><span class="p">(</span><span class="s2">&#34;Powered by DuckDB 🦆 + Streamlit&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ============================================================</span> </span></span><span class="line"><span class="cl"><span class="c1"># 入口:CLI 模式(直接运行) vs 看板模式(streamlit run)</span> </span></span><span class="line"><span class="cl"><span class="c1"># ============================================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="kn">import</span> <span class="nn">sys</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 检测是否通过 streamlit run 启动</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="s2">&#34;streamlit&#34;</span> <span class="ow">in</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="ow">or</span> <span class="s2">&#34;STREAMLIT_SCRIPT&#34;</span> <span class="ow">in</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">run_dashboard</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># CLI 模式:生成日志 → 分析 → 导出 Excel</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;=&#34;</span> <span class="o">*</span> <span class="mi">50</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;🦆 DuckDB 日志分析引擎 (CLI 模式)&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;=&#34;</span> <span class="o">*</span> <span class="mi">50</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 1. 生成模拟日志</span> </span></span><span class="line"><span class="cl"> <span class="n">log_file</span> <span class="o">=</span> <span class="n">generate_nginx_logs</span><span class="p">(</span><span class="mi">10000</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 2. DuckDB 分析</span> </span></span><span class="line"><span class="cl"> <span class="n">analyzer</span> <span class="o">=</span> <span class="n">LogAnalyzer</span><span class="p">(</span><span class="n">log_file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 3. 输出分析结果</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">📊 状态码分布:&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">analyzer</span><span class="o">.</span><span class="n">status_distribution</span><span class="p">()</span><span class="o">.</span><span class="n">to_string</span><span class="p">(</span><span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">🔴 错误最多的 API:&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">analyzer</span><span class="o">.</span><span class="n">error_paths</span><span class="p">()</span><span class="o">.</span><span class="n">to_string</span><span class="p">(</span><span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">🐢 最慢的 API:&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">analyzer</span><span class="o">.</span><span class="n">slowest_apis</span><span class="p">()</span><span class="o">.</span><span class="n">to_string</span><span class="p">(</span><span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">👤 问题用户 IP:&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">analyzer</span><span class="o">.</span><span class="n">top_error_users</span><span class="p">()</span><span class="o">.</span><span class="n">to_string</span><span class="p">(</span><span class="n">index</span><span class="o">=</span><span class="kc">False</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 4. 导出 Excel</span> </span></span><span class="line"><span class="cl"> <span class="n">analyzer</span><span class="o">.</span><span class="n">export_excel</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">✅ 分析完成!&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;💡 提示:运行 `streamlit run this_script.py` 启动交互看板&#34;</span><span class="p">)</span> </span></span></code></pre></div><h3 id="运行方式">运行方式 </h3><p><strong>CLI 模式</strong>(快速分析 + Excel 导出):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">python3 log_analyzer.py </span></span></code></pre></div><p><strong>交互看板模式</strong>(Streamlit Web 界面):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">streamlit run log_analyzer.py </span></span></code></pre></div><hr> <h2 id="四效果对比">四、效果对比 </h2><table> <thead> <tr> <th>分析维度</th> <th style="text-align: center">传统方式 (grep/awk)</th> <th style="text-align: center">DuckDB + Streamlit</th> <th style="text-align: center">提升</th> </tr> </thead> <tbody> <tr> <td>1GB 日志分析</td> <td style="text-align: center">3-5 分钟,CPU 100%</td> <td style="text-align: center">5-10 秒</td> <td style="text-align: center"><strong>30x</strong></td> </tr> <tr> <td>多维度交叉分析</td> <td style="text-align: center">组合多个管道命令</td> <td style="text-align: center">一条 SQL</td> <td style="text-align: center"><strong>∞</strong></td> </tr> <tr> <td>交互式探索</td> <td style="text-align: center">不支持</td> <td style="text-align: center">实时筛选/排序</td> <td style="text-align: center"><strong>新能力</strong></td> </tr> <tr> <td>报表输出</td> <td style="text-align: center">手动截图拼凑</td> <td style="text-align: center">一键 Excel</td> <td style="text-align: center"><strong>省 30 分钟</strong></td> </tr> <tr> <td>历史趋势</td> <td style="text-align: center">每天单独存储,手动对比</td> <td style="text-align: center">聚合时间序列</td> <td style="text-align: center"><strong>新能力</strong></td> </tr> <tr> <td>多人协作</td> <td style="text-align: center">截图 + 消息</td> <td style="text-align: center">分享看板链接</td> <td style="text-align: center"><strong>新能力</strong></td> </tr> </tbody> </table> <hr> <h2 id="五变现方案">五、变现方案 </h2><h3 id="目标客户">目标客户 </h3><table> <thead> <tr> <th>客户类型</th> <th style="text-align: center">痛点</th> <th style="text-align: center">报价</th> </tr> </thead> <tbody> <tr> <td>创业公司 (10-50 人)</td> <td style="text-align: center">没有运维日志系统,全靠 SSH</td> <td style="text-align: center">¥3,000-5,000/套</td> </tr> <tr> <td>中型电商</td> <td style="text-align: center">Nginx 日志量大,需定期分析</td> <td style="text-align: center">¥5,000-8,000/套</td> </tr> <tr> <td>小程序/APP 团队</td> <td style="text-align: center">需要 API 质量监控看板</td> <td style="text-align: center">¥4,000-6,000/套</td> </tr> <tr> <td>云服务代理商</td> <td style="text-align: center">给下游客户提供日志分析服务</td> <td style="text-align: center">¥8,000-15,000/项目</td> </tr> </tbody> </table> <h3 id="交付清单">交付清单 </h3><ul> <li><input disabled="" type="checkbox"> 部署脚本(Docker 一键启动)</li> <li><input disabled="" type="checkbox"> Nginx 日志格式适配(支持自定义 log_format)</li> <li><input disabled="" type="checkbox"> 分析看板(5 个核心维度)</li> <li><input disabled="" type="checkbox"> 定时报告(每日自动发送)</li> <li><input disabled="" type="checkbox"> 告警配置(错误率超过阈值通知)</li> </ul> <h3 id="竞品对比">竞品对比 </h3><table> <thead> <tr> <th>方案</th> <th style="text-align: center">价格</th> <th style="text-align: center">部署复杂度</th> <th style="text-align: center">适用场景</th> </tr> </thead> <tbody> <tr> <td>ELK Stack (Elasticsearch + Logstash + Kibana)</td> <td style="text-align: center">免费但运维成本高</td> <td style="text-align: center">⭐⭐⭐⭐⭐</td> <td style="text-align: center">大规模日志平台</td> </tr> <tr> <td>Datadog / New Relic</td> <td style="text-align: center">$15-30/主机/月</td> <td style="text-align: center">⭐⭐</td> <td style="text-align: center">云原生团队</td> </tr> <tr> <td>自建 Grafana + Loki</td> <td style="text-align: center">免费但需 K8s 经验</td> <td style="text-align: center">⭐⭐⭐⭐</td> <td style="text-align: center">有运维能力的团队</td> </tr> <tr> <td><strong>DuckDB + Streamlit</strong></td> <td style="text-align: center"><strong>纯免费</strong></td> <td style="text-align: center"><strong>⭐</strong></td> <td style="text-align: center"><strong>中小团队、个人开发者</strong></td> </tr> </tbody> </table> <h3 id="升级服务">升级服务 </h3><ol> <li><strong>多服务器聚合</strong>:多台服务器的日志通过 SCP/rsync 收集到一台机器上分析</li> <li><strong>实时告警</strong>:集成钉钉/企业微信 Webhook,错误率超标自动通知</li> <li><strong>自定义仪表板</strong>:允许客户通过配置文件自定义看板维度</li> <li><strong>历史数据归档</strong>:按周/月归档,支持历史趋势对比</li> </ol> <hr> <h2 id="六总结">六、总结 </h2><p>DuckDB 处理日志分析的优势:</p> <ol> <li><strong>零运维</strong>:不需要安装 Elasticsearch、Logstash、Kibana 这一套庞大系统,一个 <code>pip install duckdb streamlit</code> 搞定</li> <li><strong>SQL 能力</strong>:<code>regexp_extract</code> + <code>date_trunc</code> + <code>PERCENTILE_CONT</code> 等函数,让日志分析从「字符串处理」升级为「数据分析」</li> <li><strong>性能</strong>:向量化引擎处理 GB 级日志仍然秒级响应</li> <li><strong>可交付</strong>:Streamlit 看板 + Excel 导出,客户不用学任何工具</li> </ol> <blockquote> <p><strong>一句话总结:</strong> 原来 30 分钟的 grep/awk 日志排查,现在 5 分钟开出诊断报告——这个技能卖给创业公司,报价 ¥3,000 起步。</p> </blockquote> <hr> <h2 id="扩展阅读">扩展阅读 </h2><ul> <li><a class="link" href="https://duckdb.org/docs/sql/functions/char" target="_blank" rel="noopener" >DuckDB 官方文档 - 字符串函数</a></li> <li><a class="link" href="https://docs.streamlit.io" target="_blank" rel="noopener" >Streamlit 官方文档</a></li> <li>DuckDB GitHub: <a class="link" href="https://github.com/duckdb/duckdb" target="_blank" rel="noopener" >https://github.com/duckdb/duckdb</a></li> </ul>