CN112148772A - Alarm root cause identification method, device, equipment and storage medium - Google Patents

Info

Publication number: CN112148772A
Authority: CN (China)
Prior art keywords: alarm, preselected, cluster, information, historical
Legal status: Pending
Application number: CN202011017358.7A
Other languages: Chinese (zh)
Inventors: 张发恩, 周昌盛
Current Assignee: Innovation Qizhi Chengdu Technology Co ltd
Original Assignee: Innovation Qizhi Chengdu Technology Co ltd

Abstract

The application provides an alarm root cause identification method, device, equipment and storage medium. The method comprises the following steps: receiving alarm stream information from each alarm source; denoising the alarm stream information to generate a preselected alarm set; clustering the preselected alarm set; and identifying root cause information of the preselected alarm set based on the clustering result information of the preselected alarm set. After the alarm stream information is denoised and clustered, the alarm root cause information is identified from the clustering result information.

Description

Alarm root cause identification method, device, equipment and storage medium
Technical Field
The present application relates to the field of information processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for identifying an alarm root cause.
Background
In a large-scale system, such as an e-commerce system, local faults may occur inside the system, and when they do, the monitoring system raises alarm signals according to the fault condition. The sources and kinds of alarms are very diverse, including infrastructure alarms, call chain alarms, and so on. A large number of alarms puts heavy pressure on system operation and maintenance personnel, who find it difficult to tell which alarms are root alarms and which are secondary alarms, and this makes it very difficult to locate and eliminate faults quickly.
Alarm management systems in the traditional operation and maintenance monitoring field usually rely on manually configured rules to converge alarms, and rely on data such as the call chain to perform limited alarm root cause analysis. Such schemes can usually only set a simple alarm convergence strategy, achieve limited compression of the alarm volume, and cannot automatically correlate related alarms, so the alarms are difficult to analyze effectively.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method, an apparatus, a device, and a storage medium for identifying alarm root cause information based on clustering result information after denoising and clustering processing are performed on alarm stream information.
A first aspect of an embodiment of the present application provides a method for identifying an alarm root cause, including: receiving alarm stream information from each alarm source; denoising the alarm stream information to generate a preselected alarm set; clustering the preselected alarm set; and identifying root cause information of the preselected alarm set based on the clustering result information of the preselected alarm set.
In an embodiment, denoising the alarm stream information to generate a preselected alarm set includes: removing the source information from each piece of alarm information in the alarm stream information; performing word segmentation on each piece of remaining alarm information, and generating a current word frequency vector for each piece of alarm information based on the word segmentation result; and selecting at least one preselected alarm from the remaining alarm information according to the current word frequency vector and a preset historical word frequency vector to generate the preselected alarm set.
In an embodiment, selecting at least one preselected alarm from the remaining alarm information according to the current word frequency vector and a preset historical word frequency vector to generate the preselected alarm set includes: calculating the cross entropy between each current word frequency vector and the historical word frequency vector; and comparing the cross entropy with a preset threshold, and selecting from the remaining alarm information the alarm information whose cross entropy is greater than the preset threshold to generate the preselected alarm set.
In an embodiment, clustering the preselected alarm set includes: for each preselected alarm, calculating the topological distance on the network topology between the preselected alarm and each alarm cluster in the clustered alarm library; determining whether the clustered alarm library contains a first alarm cluster set whose topological distance is smaller than a distance threshold; when the first alarm cluster set exists in the clustered alarm library, calculating the similarity between the preselected alarm and each first alarm cluster in the first alarm cluster set; determining whether the first alarm cluster set contains a target alarm cluster set whose similarity is greater than a similarity threshold; and when the target alarm cluster set exists in the first alarm cluster set, selecting from the target alarm cluster set the target alarm cluster with the greatest similarity, and assigning the preselected alarm to that target alarm cluster.
In an embodiment, clustering the preselected alarms further includes: when no first alarm cluster set whose topological distance is smaller than the distance threshold exists in the clustered alarm library, establishing a first alarm cluster and assigning the preselected alarm to the first alarm cluster.
In an embodiment, clustering the preselected alarms further includes: when no target alarm cluster set whose similarity is greater than the similarity threshold exists in the first alarm cluster set, establishing a second alarm cluster and assigning the preselected alarm to the second alarm cluster.
In one embodiment, identifying root cause information of the preselected alarm set based on the clustering result information of the preselected alarm set includes: acquiring a preset causal graph of historical alarms; for each alarm cluster in the clustering result information, mapping all the preselected alarms in the alarm cluster onto the causal graph of the historical alarms according to preset field information; and extracting from the causal graph of the historical alarms the causal graph in which the alarm cluster is located, wherein the root cause of the alarm cluster is the root node of that causal graph.
In an embodiment, presetting the causal graph of the historical alarms includes: acquiring historical alarm data of each alarm source; dividing the historical alarms in the historical alarm data into time series according to the preset field information and in time order, wherein each time series at least includes the occurrence state of the historical alarm; and inputting the plurality of time series into a preset structure learning model for training to generate the causal graph of the historical alarms.
A second aspect of the embodiments of the present application provides an alarm root cause identification device, including: a receiving module, configured to receive alarm stream information from each alarm source; a denoising module, configured to denoise the alarm stream information to generate a preselected alarm set; a clustering module, configured to cluster the preselected alarm set; and an identification module, configured to identify root cause information of the preselected alarm set based on the clustering result information of the preselected alarm set.
In one embodiment, the denoising module is configured to: remove the source information from each piece of alarm information in the alarm stream information; perform word segmentation on each piece of remaining alarm information, and generate a current word frequency vector for each piece of alarm information based on the word segmentation result; and select at least one preselected alarm from the remaining alarm information according to the current word frequency vector and a preset historical word frequency vector to generate the preselected alarm set.
In an embodiment, selecting at least one preselected alarm from the remaining alarm information according to the current word frequency vector and a preset historical word frequency vector to generate the preselected alarm set includes: calculating the cross entropy between each current word frequency vector and the historical word frequency vector; and comparing the cross entropy with a preset threshold, and selecting from the remaining alarm information the alarm information whose cross entropy is greater than the preset threshold to generate the preselected alarm set.
In one embodiment, the clustering module is configured to: for each preselected alarm, calculate the topological distance on the network topology between the preselected alarm and each alarm cluster in the clustered alarm library; determine whether the clustered alarm library contains a first alarm cluster set whose topological distance is smaller than a distance threshold; when the first alarm cluster set exists in the clustered alarm library, calculate the similarity between the preselected alarm and each first alarm cluster in the first alarm cluster set; determine whether the first alarm cluster set contains a target alarm cluster set whose similarity is greater than a similarity threshold; and when the target alarm cluster set exists in the first alarm cluster set, select from the target alarm cluster set the target alarm cluster with the greatest similarity, and assign the preselected alarm to that target alarm cluster.
In an embodiment, the clustering module is further configured to: when no first alarm cluster set whose topological distance is smaller than the distance threshold exists in the clustered alarm library, establish a first alarm cluster and assign the preselected alarm to the first alarm cluster.
In an embodiment, the clustering module is further configured to: when no target alarm cluster set whose similarity is greater than the similarity threshold exists in the first alarm cluster set, establish a second alarm cluster and assign the preselected alarm to the second alarm cluster.
In one embodiment, the identification module is configured to: acquire a preset causal graph of historical alarms; for each alarm cluster in the clustering result information, map all the preselected alarms in the alarm cluster onto the causal graph of the historical alarms according to preset field information; and extract from the causal graph of the historical alarms the causal graph in which the alarm cluster is located, wherein the root cause of the alarm cluster is the root node of that causal graph.
In one embodiment, the device further comprises a preset module configured to: acquire historical alarm data of each alarm source; divide the historical alarms in the historical alarm data into time series according to the preset field information and in time order, wherein each time series at least includes the occurrence state of the historical alarm; and input the plurality of time series into a preset structure learning model for training to generate the causal graph of the historical alarms.
A third aspect of embodiments of the present application provides an electronic device, including: a memory to store a computer program; a processor configured to perform the method of the first aspect of the embodiments of the present application and any of the embodiments thereof, to identify root cause information of each alarm.
A fourth aspect of embodiments of the present application provides a non-transitory electronic device-readable storage medium, including: a program which, when run by an electronic device, causes the electronic device to perform the method of the first aspect of an embodiment of the present application and any embodiment thereof.
With the alarm root cause identification method, device, equipment and storage medium provided by the present application, denoising the received alarm stream information filters out most noise alarms and reduces the number of alarms that operation and maintenance personnel need to handle. The associated alarms are then clustered so that operation and maintenance personnel can review them quickly, and finally automatic alarm causal analysis is performed based on the clustering result information, providing reference material for rapid fault location and troubleshooting.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
Fig. 2 is a schematic view of an operation and maintenance monitoring system scenario according to an embodiment of the present application;
Fig. 3 is a flowchart illustrating an alarm root cause identification method according to an embodiment of the present application;
Fig. 4A to 4B are schematic flow diagrams of an alarm root cause identification method according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an alarm root cause identification device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. In the description of the present application, the terms "first," "second," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
As shown in fig. 1, the present embodiment provides an electronic apparatus 1 including: at least one processor 11 and a memory 12, one processor being exemplified in fig. 1. Processor 11 and memory 12 are connected by bus 10, and memory 12 stores instructions executable by processor 11, and the instructions are executed by processor 11 to cause electronic device 1 to perform all or part of the flow of the method in the embodiments described below to identify root cause information for each alarm.
In an embodiment, the electronic device 1 may be a mobile phone, a notebook computer, a desktop computer, or a computing system composed of multiple computers.
Fig. 2 shows an operation and maintenance monitoring system scenario according to an embodiment of the present application, including an electronic device 1 and a data system 2 between which a communication connection can be established. The data system 2 can perform a large amount of data processing, as an e-commerce system does, and can include a plurality of alarm sources, such as infrastructure and/or call chains. Various faults may occur while the data system 2 is running, and the alarm sources then generate a large amount of alarm information; analyzing the root cause of that alarm information quickly and accurately improves the efficiency of fault repair. The electronic device 1 may be configured to analyze the alarm information in real time and automatically locate the root cause of the alarms.
Fig. 3 shows a method for identifying an alarm root cause according to an embodiment of the present application. The method may be executed by the electronic device 1 shown in Fig. 1 and may be applied in the operation and maintenance monitoring system scenario shown in Fig. 2 to perform root cause analysis on the large amount of alarm information generated by the data system 2. The method comprises the following steps:
Step 301: Receive alarm stream information from each alarm source.
In this step, a monitored data system 2 may include a plurality of alarm sources. The alarm stream information sent by each alarm source may be received in real time, or a preset alarm information stream of a specific alarm source may be received, as configured for the actual scenario.
Step 302: Denoise the alarm stream information to generate a preselected alarm set.
In this step, the alarm information stream received in step 301 may include a large amount of invalid noise information. For the accuracy of subsequent analysis, the alarm stream information may first be denoised; the alarm information remaining after denoising is the preselected alarm set. The preselected alarm set may include information on a plurality of preselected alarms.
Step 303: Cluster the preselected alarm set.
In this step, in practical applications, the larger the data stream processed by the data system 2, the larger the alarm information stream occurring at the same time. To perform the root cause analysis of the alarms quickly and accurately, the preselected alarm set may be clustered before the root cause analysis; for example, by analyzing the positions of the alarms in the network topology and the text content of the alarms, alarms with potential correlations are associated to form an alarm cluster.
Step 304: Identify root cause information of the preselected alarm set based on the clustering result information of the preselected alarm set.
In this step, the clustering result information of the preselected alarm set may include one or more alarm clusters, and each alarm cluster may include one or more preselected alarms. Different preselected alarms clustered into the same alarm cluster belong to the same type of alarm, and root cause information of the preselected alarms may be identified based on the type of each alarm cluster.
With this alarm root cause identification method, denoising the received alarm stream information filters out most noise alarms and reduces the number of alarms that operation and maintenance personnel need to handle. The associated alarms are then clustered so that operation and maintenance personnel can review them quickly, and finally automatic alarm causal analysis can be performed based on the clustering result information, providing reference material for rapid fault location and troubleshooting.
Fig. 4A to 4B show an alarm root cause identification method according to an embodiment of the present application. The method can be executed by the electronic device 1 shown in Fig. 1 and can be applied to the operation and maintenance monitoring system scenario shown in Fig. 2 to perform root cause analysis on the large amount of alarm information generated by the data system 2.
In one embodiment, since some historical data is used in the process of performing online management and analysis on alarms in real time, preparation work such as relevant model construction, topology construction and the like can be completed in an offline stage. The specific contents of the method are described below for the offline phase and the online phase, respectively.
Offline phase, first:
A historical alarm word bank can be established based on historical alarm data, from which the historical word frequency vector is obtained. The specific steps are as follows:
i. Obtain historical alarm data for the various alarm sources (including infrastructure alarms, call chain alarms, etc.).
ii. Initialize a historical alarm word bank for each alarm source; the word bank records the frequency of occurrence of each word.
iii. Use regular expressions to remove IP (Internet Protocol) information, URL (Uniform Resource Locator) information and file path information from the alarm content field of the historical alarms.
iv. Perform word segmentation on the remaining alarm content.
v. Update each word in the alarm content into the corresponding historical alarm word bank.
vi. Output the historical alarm word bank, from which the preset historical word frequency vector is obtained.
Offline phase, second:
Since the subsequent online root cause analysis requires the network topology of the data system 2 (i.e., the connection relationships between hosts within the data system 2), the network topology may be constructed in advance in the offline phase. For example, the network topology of the data system 2 may be constructed by monitoring the communication between the IP ports of the hosts in the network of the data system 2 with an external tool (e.g., Skydive, an open-source real-time network topology tool).
Offline phase, third:
Fig. 4A shows a method for presetting the causal graph of historical alarms according to an embodiment of the present application. The method includes the following steps:
Step 401: Obtain historical alarm data of each alarm source.
In this step, the alarm sources include infrastructure, call chains, and the like.
Step 402: According to the preset field information and in time order, divide the historical alarms in the historical alarm data into time series, wherein each time series at least includes the occurrence state of the historical alarm.
In this step, the preset field may be a system, a software type, an alarm type, or the like. The historical alarm data can be aggregated into 0-1 time series according to the preset fields, where 1 indicates that a certain alarm type occurred and 0 indicates that it did not. The generated time series are then resampled at a certain time granularity to construct learning samples. Each time point corresponds to one sample, and each sample records whether each specific node (i.e., a combination of system, software type and alarm type) raised an alarm. Each sample is a vector over {0,1} whose length is the number of all nodes of the data system 2, i.e., the number of combinations of the preset fields system, software type and alarm type.
Step 403: Input the time series into a preset structure learning model for training to generate a causal graph of the historical alarms.
In this step, the preset structure learning model may be constructed using the PC (short for Peter and Clark) structure learning algorithm. The samples generated in step 403 may be used as the input of the PC structure learning algorithm for training, and a causal graph of the historical alarms is then constructed as a DAG (Directed Acyclic Graph). The nodes of this DAG are specific combinations of the preset fields (system, software type, alarm type). Finally, the causal graph DAG of the historical alarms may be output.
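The sample construction of step 402, as an added Python example that is not code from the patent: each historical alarm is mapped to its (system, software type, alarm type) node and bucketed at a fixed time granularity, giving one {0,1} vector per time bucket. The field values, timestamps and the 60-second granularity are constructed for illustration.

```python
def build_samples(alarms, granularity):
    """Turn historical alarms into 0/1 learning samples.

    alarms: list of (timestamp_seconds, system, software_type, alarm_type).
    Returns (nodes, samples): nodes is the fixed column order, samples has
    one row per time bucket, with 1 where that node alarmed in the bucket.
    """
    if not alarms:
        return [], []
    # A node is one combination of the preset fields.
    nodes = sorted({alarm[1:] for alarm in alarms})
    column = {node: i for i, node in enumerate(nodes)}

    start = min(alarm[0] for alarm in alarms)
    end = max(alarm[0] for alarm in alarms)
    n_buckets = (end - start) // granularity + 1

    # Buckets with no alarm stay all-zero; they are valid samples too.
    samples = [[0] * len(nodes) for _ in range(n_buckets)]
    for ts, *fields in alarms:
        bucket = (ts - start) // granularity
        samples[bucket][column[tuple(fields)]] = 1  # repeats collapse to 1
    return nodes, samples


# Constructed historical alarms (timestamps in seconds).
HISTORY = [
    (1000, "order", "mysql", "slow_query"),
    (1010, "order", "tomcat", "http_5xx"),
    (1075, "order", "tomcat", "http_5xx"),
    (1250, "pay", "redis", "conn_refused"),
    (1255, "order", "mysql", "slow_query"),
]

if __name__ == "__main__":
    nodes, samples = build_samples(HISTORY, granularity=60)
    for node in nodes:
        print(node)
    for row in samples:
        print(row)
```

The rows returned here are the vectors a structure learning algorithm would consume; the choice of granularity decides which alarms count as co-occurring.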
In an embodiment, the steps completed in the offline stage are not limited to be completed only in the offline stage, and may also be completed in real time in the online stage.
Fig. 4B shows a method for identifying an alarm root cause according to an embodiment of the present application. After entering the online real-time alarm root cause analysis process, the method further includes the following steps:
Step 404: Receive alarm stream information from each alarm source. See the description of step 301 in the above embodiments for details.
Step 405: Remove the source information from each piece of alarm information in the alarm stream information.
In this step, regular expressions are used to remove the source information from the alarm content field of the alarm information stream in real time. The source information may include one or more of IP information, URL information, and a file directory. This improves the efficiency of subsequent alarm analysis.
Step 406: Perform word segmentation on each piece of remaining alarm information, and generate a current word frequency vector for each piece of alarm information based on the word segmentation result.
In this step, the alarm content that remains for each piece of alarm information after the source information is removed in step 405 is segmented. The segmentation result includes a plurality of words, and the current word frequency vector of each piece of alarm information is generated from it.
At least one preselected alarm is then selected from the remaining alarm information according to the current word frequency vector and a preset historical word frequency vector to generate a preselected alarm set. The specific steps are as follows:
Step 407: Calculate the cross entropy between each current word frequency vector and the historical word frequency vector.
In this step, for each piece of alarm information, the cross entropy CE between the current word frequency vector and the historical word frequency vector may be calculated using the following formula:
Figure BDA0002699504710000101
where CE denotes the cross entropy, p the historical word frequency vector, q the current word frequency vector, p(i) the frequency with which word i appears in the historical alarm word bank, and q(i) the frequency with which word i appears in the current alarm information stream.
In an embodiment, for example, the dictionary has three words, "you", "me" and "he". The historical word frequency vector of the historical alarm word bank is p = (1/3, 1/3, 1/3), meaning that each of the three words occurs with frequency 1/3. The current word frequency vector of the current alarm is q = (1/2, 1/4, 1/4), meaning that "you" occurs in the current alarm information stream with frequency 1/2 and "me" and "he" each occur with frequency 1/4. The cross entropy between the current word frequency vector and the historical word frequency vector is then CE(p, q) = 1/3·log(2) + 1/3·log(4) + 1/3·log(4).
Step 408: comparing the cross entropy with a preset threshold value, and selecting, from the remaining alarm information, the alarm information whose cross entropy is greater than the preset threshold value to generate a preselected alarm set.
In this step, for each alarm message, the corresponding cross entropy is compared with a preset threshold. If the cross entropy is lower than or equal to the preset threshold, the alarm message is filtered out; if the cross entropy is higher than the preset threshold, the alarm message is retained. The set formed by the retained alarm messages is the preselected alarm set.
In one embodiment, the preset threshold is generally set by taking into account the alarm volume, the filtering ratio actually required, and historical experience data. A higher preset threshold means a larger filtering ratio, and a lower preset threshold means a smaller filtering ratio.
In one embodiment, if the alarm volume is large and most of the noise is to be filtered in practice, the preset threshold may be raised appropriately. If the alarm volume itself is small and contains little noise, so that only a small part needs to be filtered, the preset threshold can be lowered.
In one embodiment, an appropriate threshold may be selected based on analysis of historical data, to avoid filtering out useful alarms because the threshold is too high. For example, if applying the method to historical data in advance shows that, with the preset threshold set to 0.7, most noise alarms are filtered out, useful alarms are not filtered out, and the alarm volume after filtering is compressed enough to meet actual requirements, then the preset threshold can be set to that value.
In an embodiment, the current word frequency vector corresponding to the alarm information in the preselected alarm set can be updated into the historical alarm word bank, so that the diversity of the historical alarm word bank is enriched, and the data analysis accuracy is improved.
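The filtering of steps 407 and 408 can be sketched as follows. This is an added example, not code from the patent: it takes CE(p, q) as the standard cross entropy, which reproduces the worked "you, me, he" value above, and the natural logarithm, whitespace tokenization, the smoothing constant `alpha`, the threshold values and the sample messages are assumptions or constructed data.

```python
import math
from collections import Counter

# Constructed sample data (not from the patent), source information already removed.
HISTORY = [
    "disk usage high on volume data",
    "disk usage high on volume log",
    "cpu usage high on host",
    "disk usage high on volume data",
]
STREAM = [
    "disk usage high on volume data",            # routine wording
    "raid controller battery failure detected",  # wording never seen before
    "cpu usage high on host",                    # seen, but less often
]


def tokenize(message):
    """Whitespace word segmentation (assumption; the page leaves the segmenter open)."""
    return message.lower().split()


def cross_entropy(p, q):
    """CE(p, q) = -sum_i p(i) * log q(i); terms with p(i) == 0 contribute nothing."""
    total = 0.0
    for p_i, q_i in zip(p, q):
        if p_i == 0:
            continue
        if q_i == 0:
            return math.inf  # the history expects a word the current vector excludes
        total -= p_i * math.log(q_i)  # natural log is an assumption
    return total


def score_alarm(message, history_counts, alpha=0.01):
    """Cross entropy between the historical vector p and this alarm's vector q."""
    history_counts = Counter(history_counts)
    current = Counter(tokenize(message))
    vocabulary = sorted(set(history_counts) | set(current))
    history_total = sum(history_counts.values())
    if history_total == 0:
        return math.inf  # empty word bank: nothing is known to be noise yet
    # Additive smoothing (assumption) keeps q(i) > 0 for dictionary words that
    # are absent from a short alarm message, so the logarithm stays finite.
    denominator = sum(current.values()) + alpha * len(vocabulary)
    p = [history_counts[w] / history_total for w in vocabulary]
    q = [(current[w] + alpha) / denominator for w in vocabulary]
    return cross_entropy(p, q)


def preselect(stream, history, threshold, alpha=0.01):
    """Step 408: keep only alarms whose cross entropy exceeds the threshold."""
    history_counts = Counter(w for m in history for w in tokenize(m))
    return [m for m in stream if score_alarm(m, history_counts, alpha) > threshold]


if __name__ == "__main__":
    counts = Counter(w for m in HISTORY for w in tokenize(m))
    for msg in STREAM:
        print(f"{score_alarm(msg, counts):6.3f}  {msg}")
    print("preselected:", preselect(STREAM, HISTORY, threshold=4.0))
```

The absolute scores depend on the smoothing constant and the logarithm base, so a threshold such as the 0.7 mentioned above has to be calibrated on the deployment's own historical data.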
Step 409: for each preselected alarm, calculating the topological distance on the network topology between the preselected alarm and each alarm cluster in the clustered alarm library.
In this step, alarm clustering is an online step: alarm information is clustered in real time as it arrives. In the initial state there is no alarm cluster; when the first alarm arrives, a cluster is created for it, that is, the alarm forms a cluster on its own. Each subsequent alarm is matched against the existing clusters in turn; if it can be clustered into an existing cluster it is merged into that cluster directly, otherwise a new cluster is created for it, and so on. The number of clusters therefore changes dynamically. The clustered alarm library at least comprises the alarm clustering records generated for all alarm sources of the data system 2 and the clustered alarm clusters. The topological distance between a preselected alarm and a clustered alarm cluster is the minimum, over all topological nodes in the clustered alarm cluster, of the distance on the network topology between the topological node where the preselected alarm is located and that node.
Step 410: judging whether a first alarm cluster set whose topological distance is smaller than a distance threshold exists in the clustered alarm library. If yes, go to step 411; otherwise go to step 414.
In this step, the distance threshold is a threshold on distance in the topological structure, and may be obtained from statistics on historical data. The distance threshold represents the extent over which the preselected alarm propagates and may be set to 1 or 2, for example. The first alarm cluster set may include a plurality of clustered alarm clusters.
Step 411: calculating the similarity between the preselected alarm and each first alarm cluster in the first alarm cluster set.
In this step, when a first alarm cluster set exists in the clustered alarm library, it may include a plurality of clustered alarm clusters. To cluster the preselected alarm set more accurately, the similarity between each preselected alarm and each first alarm cluster in the first alarm cluster set is calculated on the preset alarm fields.
In an embodiment, in the alarm clustering process, different alarm fields, such as a data center, an alarm level, alarm content, and the like, may be preset as the basis for clustering. The field and similarity calculation rule can be increased or decreased according to actual requirements.
In one embodiment, for example, the alarm field "environment type" includes two values: a "production environment" and a "test environment". If the user wants to separate the alarms of the production environment and the test environment, the similarity can be calculated for the preselected alarm and the alarm field "environment type" in the first alarm cluster, and the similarity threshold is set to 100%, which means that the alarm fields are completely the same and are grouped into one type, so that the alarm information of the production environment and the test environment cannot be simultaneously contained in the same alarm cluster.
In an embodiment, for example, the preset alarm field "alarm type" may include values such as "memory", "CPU", "network card eth0", and "network card eth1". The similarity of this alarm field can be calculated and a suitable similarity threshold set so that alarms of the types "network card eth0" and "network card eth1" are grouped into one class and treated as network card alarms, without distinguishing which network card is involved. The granularity at which alarms are distinguished is controlled by the size of the similarity threshold.
In an embodiment, the alarm field similarity may be calculated as follows: for each preselected alarm, word segmentation is performed on the alarm field to generate a bag of words for the alarm field, and the Jaccard coefficient between the bag of words of the preselected alarm and the bag of words of the clustered alarm cluster in the first alarm cluster set is calculated:
Figure BDA0002699504710000131
wherein S represents the bag of words of the preselected alarm for the alarm field, T represents the bag of words of the clustered alarm cluster, |S ∩ T| represents the number of coincident words in the two bags of words, and |S ∪ T| represents the number of different words the two bags of words contain in total.
For example, to calculate the similarity between the bag of words S of the alarm field of the preselected alarm, "production environment", and the bag of words T of the clustered alarm cluster, "test environment", the two are first segmented. Together the two contain 6 different words, namely: production, test, environment, of which two coincide: environment. Their similarity is therefore 2/6 ≈ 0.33.
In one embodiment, the similarity between two bags of words can also be calculated using the shingling algorithm.
It should be noted that calculating the similarity of the alarm fields is not mandatory, and may be configured according to actual requirements.
Step 412: judging whether a target alarm cluster set whose similarity is larger than a similarity threshold exists in the first alarm cluster set. If so, go to step 413; otherwise go to step 415.
Step 413: selecting the target alarm cluster with the maximum similarity in the target alarm cluster set, and classifying the preselected alarm into that target alarm cluster. Step 416 is then entered.
In this step, when a target alarm cluster set exists in the first alarm cluster set, that is, a target alarm cluster with similarity greater than a similarity threshold exists, it indicates that the preselected alarm belongs to the target alarm cluster, and the preselected alarm is classified into the target alarm cluster. Step 416 is then entered.
Step 414: establishing a first alarm cluster, and classifying the preselected alarm into the first alarm cluster. Step 416 is then entered.
In this step, when the clustered alarm library contains no first alarm cluster set whose topological distance is smaller than the distance threshold, this indicates that the clustered alarm library contains no clustered alarm cluster that is the same as the preselected alarm. The preselected alarm is left unchanged, a first alarm cluster is created, and the preselected alarm is classified into the first alarm cluster. Step 416 is then entered.
Step 415: establishing a second alarm cluster, and classifying the preselected alarm into the second alarm cluster. Step 416 is then entered.
In this step, when the first alarm cluster set contains no target alarm cluster set whose similarity is greater than the similarity threshold, this indicates that, although clustered alarm clusters that are the same as the preselected alarm in terms of topological distance may exist, after the similarity comparison no clustered alarm cluster is exactly the same. A new second alarm cluster is created for the preselected alarm, and the preselected alarm is classified into the second alarm cluster. Step 416 is then entered.
In an embodiment, the topology nodes included in the alarm clusters in the clustered alarm library and the word bags of the alarm clusters on the alarm fields may be updated according to the clustering result information.
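The online clustering of steps 409 to 415 can be sketched as follows. This is an added example, not code from the patent: hop count as the topological distance, whitespace tokenization, taking the minimum Jaccard coefficient over the configured fields as the overall similarity, keeping a cluster's bag of words as the union of its members' words, and the topology and alarms themselves are assumptions or constructed data.

```python
import math
from collections import deque

# Constructed network topology (adjacency list); not from the patent.
TOPOLOGY = {
    "core-sw": ["agg-1", "agg-2"],
    "agg-1": ["core-sw", "web-1", "web-2"],
    "agg-2": ["core-sw", "db-1"],
    "web-1": ["agg-1"],
    "web-2": ["agg-1"],
    "db-1": ["agg-2"],
}

# Constructed preselected alarms, in arrival order.
ALARMS = [
    {"node": "agg-1", "content": "link flap on uplink port", "environment": "production environment"},
    {"node": "web-1", "content": "link flap on port eth0", "environment": "production environment"},
    {"node": "web-2", "content": "link flap on port eth1", "environment": "test environment"},
    {"node": "db-1", "content": "link flap on port eth0", "environment": "production environment"},
]


def hop_distances(topology, start):
    """Breadth-first search: hop count from `start` to every reachable node."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in topology.get(node, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist


def bag(text):
    return set(text.lower().split())


def jaccard(s, t):
    """|S ∩ T| / |S ∪ T|; two empty bags count as identical."""
    union = s | t
    return len(s & t) / len(union) if union else 1.0


class AlarmClusterer:
    def __init__(self, topology, fields, distance_threshold, similarity_threshold):
        self.topology = topology
        self.fields = fields
        self.distance_threshold = distance_threshold
        self.similarity_threshold = similarity_threshold
        self.clusters = []  # each: {"nodes": set, "bags": {field: set}, "alarms": list}

    def _new_cluster(self, alarm, bags):
        self.clusters.append({"nodes": {alarm["node"]}, "bags": bags, "alarms": [alarm]})
        return len(self.clusters) - 1

    def add(self, alarm):
        """Cluster one alarm; returns (cluster index, step whose branch was taken)."""
        bags = {f: bag(alarm[f]) for f in self.fields}
        dist = hop_distances(self.topology, alarm["node"])
        # Steps 409-410: distance to a cluster is the minimum over its nodes;
        # unreachable or unknown nodes are infinitely far away.
        nearby = [i for i, c in enumerate(self.clusters)
                  if min(dist.get(n, math.inf) for n in c["nodes"]) < self.distance_threshold]
        if not nearby:
            return self._new_cluster(alarm, bags), "step 414"
        # Step 411: similarity on the preset fields (minimum over fields: assumption).
        scored = [(min(jaccard(bags[f], self.clusters[i]["bags"][f]) for f in self.fields), i)
                  for i in nearby]
        best_score, best = max(scored, key=lambda item: (item[0], -item[1]))
        # Step 412: the similarity must be strictly greater than the threshold.
        if best_score <= self.similarity_threshold:
            return self._new_cluster(alarm, bags), "step 415"
        # Step 413: merge, then update the cluster's nodes and bags of words.
        cluster = self.clusters[best]
        cluster["nodes"].add(alarm["node"])
        cluster["alarms"].append(alarm)
        for f in self.fields:
            cluster["bags"][f] |= bags[f]
        return best, "step 413"


def cluster_stream(alarms, topology=TOPOLOGY):
    clusterer = AlarmClusterer(topology, fields=("content", "environment"),
                               distance_threshold=2, similarity_threshold=0.5)
    return [clusterer.add(alarm) for alarm in alarms]


if __name__ == "__main__":
    for alarm, (index, step) in zip(ALARMS, cluster_stream(ALARMS)):
        print(f"cluster {index} via {step}: {alarm['node']} {alarm['content']!r}")
```

With word-level tokenization the "production environment" and "test environment" bags share 1 of 3 distinct words, which gives the same similarity of about 0.33 as the worked example above and keeps the third alarm out of the production cluster.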
Step 416: acquiring a preset causal graph of historical alarms.
In this step, the specific manner of obtaining the cause and effect map of the historical alarm may be as described in steps 401 to 403 shown in fig. 4A.
Step 417: for each alarm cluster in the clustering result information, mapping all preselected alarms in the alarm cluster onto the causal graph of the historical alarms according to preset field information.
In this step, for each alarm cluster in the clustering result information, the preselected alarms in the alarm cluster are mapped onto the causal graph (DAG) of the historical alarms according to a combination of preset field information (such as system, software type, and alarm type).
Step 418: extracting, from the causal graph of the historical alarms, the causal subgraph in which the alarm cluster is located, wherein the root cause of the alarm cluster is the root node of the causal subgraph.
In this step, the causal subgraph in which an alarm cluster of the clustering result is located is extracted from the causal graph (DAG) of the historical alarms; the root node of that causal subgraph is the root cause of the alarm cluster.
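Steps 417 and 418 can be sketched as follows. This is an added example, not code from the patent: the causal graph, the field names `system`, `software` and `alarm_type`, and the alarms are constructed, and the causal subgraph is taken to be the mapped nodes linked by reachability in the full DAG, so that a cluster still resolves to one root when an intermediate alarm was filtered out as noise.

```python
# Constructed causal DAG of historical alarms: cause -> list of effects.
# Nodes are (system, software type, alarm type) tuples; not from the patent.
CAUSAL_GRAPH = {
    ("storage", "ceph", "disk_failure"): [("storage", "ceph", "osd_down")],
    ("storage", "ceph", "osd_down"): [("db", "mysql", "io_latency")],
    ("db", "mysql", "io_latency"): [("web", "nginx", "http_5xx"),
                                    ("db", "mysql", "replication_lag")],
    ("net", "switch", "port_down"): [("web", "nginx", "http_5xx")],
}


def alarm(system, software, alarm_type):
    return {"system": system, "software": software, "alarm_type": alarm_type}


# Constructed alarm clusters. In CLUSTER_A the intermediate io_latency alarm
# is missing, and the cert_expiry alarm has no node in the causal graph.
CLUSTER_A = [
    alarm("web", "nginx", "http_5xx"),
    alarm("storage", "ceph", "osd_down"),
    alarm("db", "mysql", "replication_lag"),
    alarm("web", "nginx", "cert_expiry"),
]
CLUSTER_B = [
    alarm("net", "switch", "port_down"),
    alarm("web", "nginx", "http_5xx"),
    alarm("storage", "ceph", "osd_down"),
]


def descendants(graph, start):
    """All nodes reachable from `start` along cause -> effect edges."""
    seen, stack = set(), list(graph.get(start, ()))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return seen


def root_causes(graph, cluster, key_fields=("system", "software", "alarm_type")):
    """Return (roots, subgraph, unmapped) for one alarm cluster.

    roots    - mapped nodes that no other mapped node can cause
    subgraph - mapped node -> mapped nodes it can (transitively) cause
    unmapped - alarms whose field combination is not a node of the graph
    """
    known = set(graph) | {e for effects in graph.values() for e in effects}
    mapped, unmapped = set(), []
    for item in cluster:
        key = tuple(item[f] for f in key_fields)  # step 417: map by preset fields
        if key in known:
            mapped.add(key)
        else:
            unmapped.append(item)
    # Step 418: restrict reachability to the cluster's own nodes.
    reach = {node: descendants(graph, node) & mapped for node in mapped}
    explained = set().union(*reach.values()) if reach else set()
    roots = sorted(mapped - explained)
    subgraph = {node: sorted(reach[node]) for node in sorted(mapped)}
    return roots, subgraph, unmapped


if __name__ == "__main__":
    for name, cluster in (("A", CLUSTER_A), ("B", CLUSTER_B)):
        roots, subgraph, unmapped = root_causes(CAUSAL_GRAPH, cluster)
        print(f"cluster {name}: roots={roots} unmapped={len(unmapped)}")
```

A cluster can resolve to more than one root, as CLUSTER_B does, when its alarms fall under independent causes in the historical graph.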
According to the alarm root cause identification method, historical alarm data is mined, alarm stream information is analyzed in real time, the alarm information entropy is calculated, alarms with low information entropy are filtered, most of noise alarms can be filtered, and the alarm amount required to be processed by operation and maintenance personnel is reduced. And associating the alarms with potential relevance by analyzing the positions of the alarms in the network topology and the text content of the alarms to form an alarm cluster. The method comprises the steps of mining historical alarms, constructing a causal relationship diagram among the alarms, and using the offline constructed causal diagram for online root cause analysis of alarm clusters, so that automatic causal analysis is realized, and guiding reference information is provided for rapid fault location and fault removal.
Please refer to fig. 5, which illustrates an alarm root cause identification apparatus 500 according to an embodiment of the present application. The apparatus is applicable to the electronic device 1 shown in fig. 1 and to the operation and maintenance monitoring system scenario shown in fig. 2, so as to perform root cause analysis on the large amount of alarm information generated by the data system 2. The apparatus includes a receiving module 501, a denoising module 502, a clustering module 503 and an identification module 504, which relate to one another as follows:
The receiving module 501 is configured to receive alarm stream information of each alarm source. See the description of step 301 in the above embodiments for details.
The denoising module 502 is configured to perform denoising processing on the alarm stream information to generate a preselected alarm set. See the description of step 302 in the above embodiments for details.
The clustering module 503 is configured to cluster the preselected alarm set. See the description of step 303 in the above embodiments for details.
The identification module 504 is configured to identify root cause information of the preselected alarm set based on the clustering result information of the preselected alarm set. See the description of step 304 in the above embodiments for details.
In one embodiment, the denoising module 502 is configured to: remove the source information of each alarm message in the alarm stream information; perform word segmentation on each remaining alarm message and generate a current word frequency vector for each alarm message based on the word segmentation result; and select at least one preselected alarm from the remaining alarm messages according to the current word frequency vectors and a preset historical word frequency vector to generate a preselected alarm set. See the description of steps 404 to 406 in the above embodiments for details.
In an embodiment, selecting at least one preselected alarm from the remaining alarm messages according to the current word frequency vectors and the preset historical word frequency vector to generate a preselected alarm set includes: calculating the cross entropy between each current word frequency vector and the historical word frequency vector; and comparing the cross entropy with a preset threshold value and selecting, from the remaining alarm messages, those whose cross entropy is greater than the preset threshold value to generate the preselected alarm set. See the description of steps 407 to 408 in the above embodiments for details.
In one embodiment, the clustering module 503 is configured to: for each preselected alarm, calculate the topological distance on the network topology between the preselected alarm and each alarm cluster in the clustered alarm library; judge whether a first alarm cluster set whose topological distance is smaller than a distance threshold exists in the clustered alarm library; when a first alarm cluster set exists in the clustered alarm library, calculate the similarity between the preselected alarm and each first alarm cluster in the first alarm cluster set; judge whether a target alarm cluster set whose similarity is larger than a similarity threshold exists in the first alarm cluster set; and when the target alarm cluster set exists in the first alarm cluster set, select the target alarm cluster with the maximum similarity in the target alarm cluster set and classify the preselected alarm into that target alarm cluster. See the description of steps 409 to 413 in the above embodiments for details.
In an embodiment, the clustering module 503 is further configured to: when the clustered alarm library contains no first alarm cluster set whose topological distance is smaller than the distance threshold, establish a first alarm cluster and classify the preselected alarm into the first alarm cluster. See the description of step 414 in the above embodiments for details.
In an embodiment, the clustering module 503 is further configured to: when the first alarm cluster set contains no target alarm cluster set whose similarity is larger than the similarity threshold, establish a second alarm cluster and classify the preselected alarm into the second alarm cluster. See the description of step 415 in the above embodiments for details.
In one embodiment, the identification module 504 is configured to: acquire a preset causal graph of historical alarms; for each alarm cluster in the clustering result information, map all preselected alarms in the alarm cluster onto the causal graph of the historical alarms according to preset field information; and extract, from the causal graph of the historical alarms, the causal subgraph in which the alarm cluster is located, wherein the root cause of the alarm cluster is the root node of the causal subgraph. See the description of steps 416 to 418 in the above embodiments for details.
In one embodiment, the apparatus further comprises a preset module 505, configured to: obtain historical alarm data of each alarm source; divide each historical alarm in the historical alarm data into time sequences according to the preset field information and in chronological order, wherein each time sequence at least comprises the occurrence state of the historical alarm; and input the time sequences into a preset structure learning model for training to generate the causal graph of the historical alarms. See the description of steps 401 to 403 in the above embodiments for details.
For a detailed description of the above alarm root cause identification apparatus 500, please refer to the description of the related method steps in the above embodiments.
An embodiment of the present invention further provides a non-transitory electronic device readable storage medium, including: a program that, when run on an electronic device, causes the electronic device to perform all or part of the procedures of the methods in the above-described embodiments. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid State Drive (SSD), or the like. The storage medium may also comprise a combination of memories of the kind described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (18)

1. An alarm root cause identification method is characterized by comprising the following steps:
receiving alarm flow information of each alarm source;
denoising the alarm stream information to generate a preselected alarm set;
clustering the preselected alarm set;
and identifying root cause information of the preselected alarm set based on the clustering result information of the preselected alarm set.
2. The method of claim 1, wherein the denoising the alarm stream information to generate a preselected set of alarms comprises:
removing the source information of each alarm information in the alarm flow information;
performing word segmentation on each remaining alarm message, and generating a current word frequency vector of each alarm message based on the word segmentation result;
and selecting at least one preselected alarm from the rest alarm information according to the current word frequency vector and a preset historical word frequency vector to generate the preselected alarm set.
3. The method according to claim 2, wherein said selecting at least one preselected alarm from each of the remaining alarm information according to the current word frequency vector and a preset historical word frequency vector to generate the preselected alarm set comprises:
respectively calculating the cross entropy between each current word frequency vector and the historical word frequency vector;
and comparing the cross entropy with a preset threshold value, and selecting the alarm information of which the cross entropy is greater than the preset threshold value from the rest alarm information to generate the preselected alarm set.
4. The method of claim 1, wherein said clustering said preselected set of alarms comprises:
respectively calculating the topological distance between each preselected alarm and each alarm cluster in the clustered alarm library on the network topology aiming at each preselected alarm;
judging whether a first alarm cluster set enabling the topological distance to be smaller than a distance threshold exists in the clustered alarm library or not;
when the first alarm cluster set exists in the clustered alarm library, respectively calculating the similarity of the preselected alarm and each first alarm cluster in the first alarm cluster set;
judging whether a target alarm cluster set with the similarity larger than a similarity threshold exists in the first alarm cluster set;
and when the target alarm cluster set exists in the first alarm cluster set, selecting the target alarm cluster which enables the similarity to be maximum in the target alarm cluster set, and classifying the preselected alarm into the target alarm cluster.
5. The method of claim 4, wherein said clustering said preselected alarms further comprises:
when the first alarm cluster set which enables the topological distance to be smaller than the distance threshold value does not exist in the clustered alarm library, establishing a first alarm cluster, and classifying the preselected alarms into the first alarm cluster.
6. The method of claim 4, wherein said clustering said preselected alarms further comprises:
and when the target alarm cluster set with the similarity larger than the similarity threshold does not exist in the first alarm cluster set, establishing a second alarm cluster, and classifying the preselected alarms into the second alarm cluster.
7. The method of claim 1, wherein identifying root cause information for the preselected set of alarms based on clustering result information for the preselected set of alarms comprises:
acquiring a preset causal graph of historical alarms;
for each alarm cluster in the clustering result information, mapping all the preselected alarms in the alarm cluster onto the causal graph of the historical alarms according to preset field information;
and extracting, from the causal graph of the historical alarms, the causal subgraph in which the alarm cluster is located, wherein the root cause of the alarm cluster is a root node of the causal subgraph.
8. The method according to claim 7, characterized in that the step of presetting a causal graph of said historical alarms comprises:
acquiring historical alarm data of each alarm source;
dividing each historical alarm in the historical alarm data into a time sequence according to the preset field information and the time sequence, wherein the time sequence at least comprises the occurrence state of the historical alarm;
and inputting a plurality of time sequences into a preset structure learning model for training, and then generating a causal graph of the historical alarm.
9. An alarm root cause identification device, comprising:
the receiving module is used for receiving the alarm flow information of each alarm source;
the denoising module is used for denoising the alarm stream information to generate a preselected alarm set;
the clustering module is used for clustering the preselected alarm set;
and the identification module is used for identifying root cause information of the preselected alarm set based on the clustering result information of the preselected alarm set.
10. The apparatus of claim 9, wherein the denoising module is configured to:
removing the source information of each alarm information in the alarm flow information;
performing word segmentation on each remaining alarm message, and generating a current word frequency vector of each alarm message based on the word segmentation result;
and selecting at least one preselected alarm from the rest alarm information according to the current word frequency vector and a preset historical word frequency vector to generate the preselected alarm set.
11. The apparatus of claim 10, wherein said selecting at least one preselected alarm from said remaining each alarm information according to said current word frequency vector and a preset historical word frequency vector to generate said preselected set of alarms comprises:
respectively calculating the cross entropy between each current word frequency vector and the historical word frequency vector;
and comparing the cross entropy with a preset threshold value, and selecting the alarm information of which the cross entropy is greater than the preset threshold value from the rest alarm information to generate the preselected alarm set.
12. The apparatus of claim 9, wherein the clustering module is configured to:
respectively calculating the topological distance between each preselected alarm and each alarm cluster in the clustered alarm library on the network topology aiming at each preselected alarm;
judging whether a first alarm cluster set enabling the topological distance to be smaller than a distance threshold exists in the clustered alarm library or not;
when the first alarm cluster set exists in the clustered alarm library, respectively calculating the similarity of the preselected alarm and each first alarm cluster in the first alarm cluster set;
judging whether a target alarm cluster set with the similarity larger than a similarity threshold exists in the first alarm cluster set;
and when the target alarm cluster set exists in the first alarm cluster set, selecting the target alarm cluster which enables the similarity to be maximum in the target alarm cluster set, and classifying the preselected alarm into the target alarm cluster.
13. The apparatus of claim 12, wherein the clustering module is further configured to:
when the first alarm cluster set which enables the topological distance to be smaller than the distance threshold value does not exist in the clustered alarm library, establishing a first alarm cluster, and classifying the preselected alarms into the first alarm cluster.
14. The apparatus of claim 12, wherein the clustering module is further configured to: and when the target alarm cluster set with the similarity larger than the similarity threshold does not exist in the first alarm cluster set, establishing a second alarm cluster, and classifying the preselected alarms into the second alarm cluster.
15. The apparatus of claim 9, wherein the identification module is configured to:
acquiring a preset causal graph of historical alarms;
for each alarm cluster in the clustering result information, mapping all the preselected alarms in the alarm cluster onto the causal graph of the historical alarms according to preset field information;
and extracting, from the causal graph of the historical alarms, the causal subgraph in which the alarm cluster is located, wherein the root cause of the alarm cluster is a root node of the causal subgraph.
16. The apparatus of claim 15, further comprising: a preset module for:
acquiring historical alarm data of each alarm source;
dividing each historical alarm in the historical alarm data into a time sequence according to the preset field information and the time sequence, wherein the time sequence at least comprises the occurrence state of the historical alarm;
and inputting a plurality of time sequences into a preset structure learning model for training, and then generating a causal graph of the historical alarm.
17. An electronic device, comprising:
a memory to store a computer program;
a processor configured to perform the method of any one of claims 1 to 8 to identify root cause information for each alarm.
18. A non-transitory electronic device readable storage medium, comprising: program which, when run by an electronic device, causes the electronic device to perform the method of any one of claims 1 to 8.
CN202011017358.7A 2020-09-24 2020-09-24 Alarm root cause identification method, device, equipment and storage medium Pending CN112148772A (en)


Publications (1)

Publication Number Publication Date
CN112148772A true CN112148772A (en) 2020-12-29

Family

ID=73896764




Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112613576A (en) * 2020-12-30 2021-04-06 绿盟科技集团股份有限公司 Method and device for determining alarm, electronic equipment and storage medium
CN112613576B (en) * 2020-12-30 2024-03-19 绿盟科技集团股份有限公司 Method, device, electronic equipment and storage medium for determining alarm
WO2022174759A1 (en) * 2021-02-19 2022-08-25 腾讯科技(深圳)有限公司 Alarm processing method and apparatus, electronic device, computer program product, and computer readable storage medium
CN112988509A (en) * 2021-03-09 2021-06-18 京东数字科技控股股份有限公司 Alarm message filtering method and device, electronic equipment and storage medium
CN115086154A (en) * 2021-03-11 2022-09-20 中国电信股份有限公司 Fault delimitation method and device, storage medium and electronic equipment
CN113542037A (en) * 2021-09-14 2021-10-22 杭州海康威视数字技术股份有限公司 Alarm multidimensional association method and device based on root cause analysis in Internet of things environment
CN113708977A (en) * 2021-09-27 2021-11-26 中国工商银行股份有限公司 Method and device for acquiring root cause alarm information, computer equipment and storage medium
CN113992495A (en) * 2021-10-15 2022-01-28 中国工商银行股份有限公司 Alarm information processing method and device, computer equipment and storage medium
CN113992495B (en) * 2021-10-15 2024-02-02 中国工商银行股份有限公司 Alarm information processing method and device, computer equipment and storage medium
CN114422324A (en) * 2021-12-29 2022-04-29 中国电信股份有限公司 Alarm information processing method and device, electronic equipment and storage medium
CN114422324B (en) * 2021-12-29 2024-02-23 中国电信股份有限公司 Alarm information processing method and device, electronic equipment and storage medium
CN114090326B (en) * 2022-01-14 2022-06-03 云智慧(北京)科技有限公司 Alarm root cause determination method, device and equipment
CN114090326A (en) * 2022-01-14 2022-02-25 云智慧(北京)科技有限公司 Alarm root cause determination method, device and equipment
CN115174350A (en) * 2022-06-30 2022-10-11 济南浪潮数据技术有限公司 Operation and maintenance warning method, device, equipment and medium
CN114978778A (en) * 2022-08-01 2022-08-30 北京六方云信息技术有限公司 Multi-step attack detection method, device and equipment based on causal inference
CN114978778B (en) * 2022-08-01 2022-10-28 北京六方云信息技术有限公司 Multi-step attack detection method, device and equipment based on causal inference
CN116112339A (en) * 2022-12-29 2023-05-12 北京博睿宏远数据科技股份有限公司 Root cause alarm positioning method, device, equipment and medium
CN116155692A (en) * 2023-02-24 2023-05-23 北京优特捷信息技术有限公司 Alarm solution recommending method and device, electronic equipment and storage medium
CN116155692B (en) * 2023-02-24 2023-11-24 北京优特捷信息技术有限公司 Alarm solution recommending method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN112148772A (en) Alarm root cause identification method, device, equipment and storage medium
JP7373611B2 (en) Log auditing methods, equipment, electronic equipment, media and computer programs
CN107786388B (en) Anomaly detection system based on large-scale network flow data
CN110460591B (en) CDN flow abnormity detection device and method based on improved hierarchical time memory network
EP3916584A1 (en) Information processing method and apparatus, electronic device and storage medium
CN111539493B (en) Alarm prediction method and device, electronic equipment and storage medium
CN110287316A (en) Alarm classification method, apparatus, electronic equipment and storage medium
CN109992484B (en) Network alarm correlation analysis method, device and medium
CN114553591B (en) Training method of random forest model, abnormal flow detection method and device
CN110716868A (en) Abnormal program behavior detection method and device
CN113890821B (en) Log association method and device and electronic equipment
CN111931809A (en) Data processing method and device, storage medium and electronic equipment
CN114328106A (en) Log data processing method, device, equipment and storage medium
CN114647558A (en) Method and device for detecting log abnormity
CN112306820A (en) Log operation and maintenance root cause analysis method and device, electronic equipment and storage medium
CN112148841A (en) Object classification and classification model construction method and device
CN113746780A (en) Abnormal host detection method, device, medium and equipment based on host image
CN116155541A (en) Automatic machine learning platform and method for network security application
CN115766176A (en) Network traffic processing method, device, equipment and storage medium
CN111026940A (en) Network public opinion and risk information monitoring system and electronic equipment for power grid electromagnetic environment
CN111241145A (en) Self-healing rule mining method and device based on big data
CN115913710A (en) Abnormality detection method, apparatus, device and storage medium
CN115495587A (en) Alarm analysis method and device based on knowledge graph
CN112750047B (en) Behavior relation information extraction method and device, storage medium and electronic equipment
CN116822491A (en) Log analysis method and device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination