JP2012059063A - Computer system management method and management system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a failure analysis result classification function capable of reducing time required for recovery from a failure in a monitored device.SOLUTION: A failure analysis result (a failure cause candidate) obtained during failure analysis processing is analyzed to find which failure cause candidates other than the failure cause candidate are related to a device abnormality failure event as grounds for deriving the failure cause candidate, so that the failure cause candidates are classified by each range of effect of being dealt therewith. Then, a classification result is displayed on a GUI.

Description

  The present invention relates to a computer system management method and management system, for example, a technique for managing a failure of a host computer, a network switch, and a storage system constituting the computer system.

  When managing a computer system, for example, as disclosed in Patent Document 1, a cause event is detected from a plurality of faults detected in the system or signs thereof. More specifically, in Patent Document 1, management software is used to generate an event that the performance value exceeds the threshold value in the managed device, and information is stored in the event DB.

  The management software also has an analysis engine for analyzing the causal relationship between a plurality of failure events that have occurred in the managed device. This analysis engine can access the configuration DB with inventory information of managed devices to recognize in-device components on the path on the I / O path and affect the performance of logical volumes on the host. The components are recognized as a group called “topology”. Then, when an event occurs, the analysis engine applies an analysis rule including a predetermined conditional statement and an analysis result to each topology and constructs an expansion rule. This expansion rule includes a cause event that is a cause of performance degradation in another device and a related event group caused by the cause event. Specifically, an event described as the cause of the failure in the THEN part of the rule is a cause event, and an event other than the cause event among the events described in the IF part is a related event.

U.S. Pat. No. 7,107,185

  In the failure analysis function disclosed in Patent Document 1, a combination of events received from managed devices and failure cause candidates are described as rules in the IF-THEN format. The failure analysis function calculates the certainty factor of the failure cause candidate described in the THEN portion by calculating the occurrence rate of the event described in the IF portion of the rule. The calculated certainty factor and failure cause candidate are displayed in a GUI according to the user's request.

  However, in such a conventional failure analysis function, if failures occur frequently in a short period of time, the number of failure analysis results to be saved increases, and it is impossible for an administrator to determine which failure is really to be dealt with. Sometimes. For this reason, it takes a long time to eliminate the failure in the monitored device, which may make the situation more serious.

  The present invention has been made in view of such a situation, and provides a function for shortening the time required for eliminating a failure in a monitored device.

  In order to solve the above-described problem, in the present invention, after the failure cause analysis process, the obtained cause candidates are classified for each affected range. The cause candidates are classified and grouped according to related failure events, and these are displayed in a GUI. More specifically, when a cause candidate group is inferred as a result of failure cause analysis, the cause candidate group having the same device abnormal state as a derivation basis is classified. The cause candidate groups derived from the same device abnormal state are regarded as a set of cause candidates for solving the same failure, and are classified and displayed in the GUI.

  That is, according to the present invention, the management system acquires a processing performance value indicating the processing performance of the node device, and detects that a failure has occurred in the node device from the acquired processing performance value. Then, the management system applies the detected failure to an analysis rule indicating a relationship between a combination of one or more condition events that can occur in the node device and a conclusion event that is a cause of the failure of the combination of the condition events. A certainty factor, which is information indicating the possibility of a failure occurring in the apparatus, is calculated. Furthermore, the management system selects one conclusion event that is regarded as the cause of the failure as a starting cause candidate, and extracts a condition event related to the starting cause candidate. In addition, the management system selects a conclusion event related to the extracted condition event, which is one or a plurality of conclusion events that are different from the conclusion event of the origin cause candidate, as a related cause candidate, The conclusion event of the cause candidate and the conclusion event of the related cause candidate are classified and processed separately from the other conclusion events. The classified conclusion event is displayed as a GUI on the display screen.

  Further features of the present invention will become apparent from the following detailed description and the accompanying drawings.

  According to the present invention, when the failure analysis result is presented to the administrator (user), the inferred failure cause candidate is classified and displayed according to the failure event related to the failure to be solved thereby, so that the administrator can analyze it. The response priority of the result can be easily determined, and the load required for analysis result confirmation and failure response can be reduced.

It is a figure which shows the physical structural example of a computer system. It is a figure which shows the detailed structural example of a host computer. It is a figure which shows the detailed structural example of a storage apparatus. It is a figure which shows the detailed structural example of a management server. It is a figure which shows the structural example of the apparatus performance management table | surface which a management server has. It is a figure which shows the structural example of the volume topology management table | surface which a management server has. It is a figure which shows the structural example of the event management table | surface which a management server has. It is a figure which shows the structural example (1) of the general purpose rule which a management server has. It is a figure which shows the structural example (2) of the general purpose rule which a management server has. It is a figure which shows the structural example (1) of the expansion | deployment rule which a management server has. It is a figure which shows the structural example (2) of the expansion | deployment rule which a management server has. It is a figure which shows the structural example (3) of the expansion | deployment rule which a management server has. It is a figure which shows the structural example (4) of the expansion | deployment rule which a management server has. It is a figure which shows the structural example (5) of the expansion | deployment rule which a management server has. It is a figure which shows the structural example (6) of the expansion | deployment rule which a management server has. It is a figure which shows the structural example (7) of the expansion | deployment rule which a management server has. It is a figure which shows the structural example (8) of the expansion | deployment rule which a management server has. It is a figure which shows the structural example of the analysis result management table | surface which a management server has. It is a flowchart for demonstrating the outline | summary of the performance information acquisition process which a management server implements. It is a flowchart for demonstrating the failure analysis process which a management server implements. It is a flowchart for demonstrating the cause candidate classification | category process which a management server implements. It is a figure which shows the structural example of the failure analysis result screen which a management server displays in 1st Embodiment. In 2nd Embodiment, it is a flowchart for demonstrating the process of the management server when an administrator selects the cause candidate classified. It is a flowchart for demonstrating the cause candidate reclassification process which a management server implements in 2nd Embodiment. It is a figure which shows the structural example of the failure analysis result screen which a management server displays in 2nd Embodiment.

  Embodiments of the present invention relate to failure cause analysis for solving IT system failures. As described above, in the prior art, failure cause candidates are presented to the administrator so that the failure can be dealt with. However, when a large number of cause candidates are generated due to a plurality of failure causes, it is impossible to efficiently cope with the failure unless it is understood which cause cause is associated with which cause of the failure. For example, even if failure handling is performed on the top number candidates based on the certainty factor, these candidates may actually be candidates for failure causes due to failures occurring in the same device. In addition, if a failure has occurred in another device and the cause of failure caused by the failure has been presented with a low priority, the candidate should be dealt with at the same level as the higher number candidates. . However, software that performs failure cause analysis does not have a method for grouping a plurality of cause candidates due to a plurality of failure causes according to the range of influence of the cause candidates. For this reason, it is difficult for the administrator to determine which cause candidate should be preferentially dealt with. In other words, since there is no information indicating which failure cause candidates are related to the conventional failure analysis results, it takes a long time for the administrator to refer to the analysis results that should be preferentially taken. It takes a long time to resolve the problem.

  Therefore, the embodiment of the present invention provides a function for presenting cause candidates that should be dealt with with higher reliability and priority.

  Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be noted that this embodiment is merely an example for realizing the present invention, and does not limit the technical scope of the present invention. In each drawing, the same reference numerals are assigned to common components.

  In this specification, the information used in the present invention is described by the expression “aaa table”. However, expressions such as “aaa table”, “aaa list”, “aaaDB”, “aaa queue”, etc. It may be expressed in other than data structures such as list, DB, and queue. Therefore, in order to show that the information used in the present invention does not depend on the data structure, “aaa table”, “aaa list”, “aaaDB”, “aaa queue”, etc. may be referred to as “aaa information”. is there.

  Further, in describing the contents of each information, the expressions “identification information”, “identifier”, “name”, “name”, and “ID” are used, but these can be replaced with each other.

  Furthermore, in the following description of the processing operation of the present invention, “program” or “module” may be described as the subject of operation (subject), but the program or module is defined by being executed by the processor. Since the above processing is performed using the memory and the communication port (communication control device), the processing may be read as processing in which the processor is an operation subject (subject). Further, the processing disclosed with the program or module as the subject may be processing performed by a computer such as a management server or an information processing apparatus. Part or all of the program may be realized by dedicated hardware. Various programs may be installed in each computer by a program distribution server or a storage medium.

  In the embodiment described in this specification, the scale of a system to be managed is not mentioned. However, the larger the system, the higher the possibility that multiple failures will occur simultaneously. Therefore, when the present invention is applied to a large-scale system, the effects of the present invention can be enjoyed more.

(1) 1st Embodiment 1st Embodiment is related with the failure cause candidate display process by management software (for example, contained in a management server).

<System configuration>
FIG. 1 is a diagram showing a physical configuration of a computer system according to the present invention. The computer system 1 includes a storage device 20000, a host computer 10000, a management server 30000, a WEB browser activation server 35000, and an IP switch 40000, which are connected by a network 45000. .

  For example, the host computers 10000 to 10010 receive a file I / O request from a client computer (not shown) connected thereto, and realize access to the storage apparatuses 20000 to 20010 based on the received request. The management server (management computer) 30000 manages the operation of the entire computer system.

  The web browser activation server 35000 communicates with the GUI display processing module 32400 of the management server 30000 via the network 45000, and displays various information on the web browser. The user manages the devices in the computer system by referring to the information displayed on the WEB browser on the WEB browser activation server. However, the management server 30000 and the web browser activation server 35000 may be composed of a single server.

<Internal configuration of host computer>
FIG. 2 is a diagram showing a detailed internal configuration example of the host computer 10000 according to the present invention. The host computer 10000 has a port 11000 for connecting to the network 45000, a processor 12000, and a memory 13000 (which may include a disk device as a component), which are connected to each other via a circuit such as an internal bus. It becomes the composition which is done.

  The memory 13000 stores a business application 13100 and an operating system 13200.

  The business application 13100 uses a storage area provided from the operating system 13200 and performs data input / output (hereinafter referred to as I / O) to the storage area.

  The operating system 13200 executes processing for causing the business application 13100 to recognize the logical volumes on the storage apparatuses 20000 to 20010 connected to the host computer 10000 via the network 45000 as storage areas.

  The port 11000 is a single port including an I / O port for communicating with the storage device 20000 by iSCSI and a management port for the management server 30000 to acquire management information in the host computers 10000 to 10010. However, it may be divided into an I / O port for communication by iSCSI and a management port.

<Internal configuration of storage device>
FIG. 3 is a diagram showing a detailed internal configuration example of the storage apparatus 20000 according to the present invention. The storage device 20010 has the same configuration.

  The storage device 20000 stores I / O ports 21000 and 21010 for connecting to the host computer 10000 via the network 45000, a management port 21100 for connecting to the management server 30000 via the network 45000, and various management information. Management memory 23000 for storing data, RAID groups 24000 to 24010 for storing data, and controllers 25000 and 25010 for controlling management information in the data and management memory, and these are circuits such as an internal bus It is the structure connected mutually via. Note that the connection of the RAID groups 24000 to 24010 indicates that the storage devices constituting the RAID groups 24000 to 24010 are more accurately connected to other components.

  The management memory 23000 stores a storage apparatus management program 23100. The management program 23100 communicates with the management server 30000 via the management port 21100 and provides the configuration information of the storage device 20000 to the management server 30000.

  Each of the RAID groups 24000 to 24010 includes one or more magnetic disks 24200, 24210, 24220, and 24230. In the case of being constituted by a plurality of magnetic disks, these magnetic disks may have a RAID configuration. The RAID groups 24000 to 24010 are logically divided into a plurality of volumes 24100 to 24110.

  If the logical volumes 24100 and 24110 are configured using storage areas of one or more magnetic disks, it is not necessary to form a RAID configuration. Furthermore, as long as a storage area corresponding to a logical volume is provided, a storage device using another storage medium such as a flash memory may be used instead of the magnetic disk.

  The controllers 25000 and 25010 have therein a processor that controls the storage device 20000 and a cache memory that temporarily stores data exchanged with the host computer 10000. Each controller is interposed between the I / O port and the RAID group, and exchanges data between them.

  The storage device 20000 provides a logical volume to any host computer, receives an access request (indicating an I / O request), and reads / writes data from / to a storage device in response to the received access request If the controller and the storage device that provides the storage area are included, the configuration other than that illustrated in FIG. 3 and the above description may be used. For example, the storage controller and the storage device that provides the storage area may be stored in different cases Good. That is, in the example of FIG. 3, the management memory 23000 and the controllers 25000 and 25110 are provided as separate entities, but may be configured as a storage controller in which they are integrated. Further, in this specification, a storage device may be referred to as a storage system when the storage controller and the storage device are present in the same housing or as an expression including another housing.

<Internal configuration of management server>
FIG. 4 is a diagram showing a detailed internal configuration example of the management server 30000 according to the present invention. The management server 30000 includes a management port 31000 for connection to the network 45000, a processor 31100, a memory 32000 such as a cache memory, a secondary storage device (secondary storage area) 33000 such as an HDD, and processing results to be described later. A configuration having an output device 31200 such as a display device for outputting and an input device 31300 such as a keyboard for the storage administrator to input instructions, and these are connected to each other via a circuit such as an internal bus It has become.

  The memory 32000 stores a program control module 32100, a configuration management information acquisition module 32200, an apparatus performance acquisition module 32300, a GUI display processing module 32400, an event analysis processing module 32500, and a rule expansion module 32600. . In FIG. 4, each module is provided as a software module of the memory 32000, but may be provided as a hardware module. Also, the processing performed by each module may be provided as one or more program codes, and there may be no clear boundary between modules. Modules may be read as programs.

  The secondary storage area 33000 stores an apparatus performance management table 33100, a volume topology management table 33200, an event management table 33300, a general rule repository 33400, an expansion rule repository 33500, and an analysis result management table 33600. . The secondary storage area 33000 is composed of either a semiconductor memory or a magnetic disk, or both a semiconductor memory and a magnetic disk.

  The GUI display processing module 32400 displays the acquired configuration management information via the output device 31200 in response to a request from the administrator via the input device 31300. The input device and the output device may be separate devices, or one or more integrated devices.

  The management server (management computer) 30000 has, for example, a keyboard and pointer device as the input device 31300, and a display, a printer, and the like as the output device 31200, but may be other devices. In addition, a serial interface or an Ethernet interface is used as an alternative to the input / output device, a display computer having a display or keyboard or pointer device is connected to the interface, and the display information is transmitted to the display computer, or the input information May be displayed by the display computer, or the input and display at the input / output device may be substituted by receiving the input.

  In this specification, a set of one or more computers that manage the computer system (information processing system) 1 and display display information may be referred to as a management system. When the management server 30000 displays display information, the management server 30000 is a management system, and a combination of the management server 30000 and a display computer (for example, the WEB browser activation server 35000 in FIG. 1) is also a management system. In addition, in order to increase the speed and reliability of management processing, processing equivalent to that of the management server may be realized with a plurality of computers. In this case, the plurality of computers (if the display computer performs display, display (Including computers) is the management system.

<Configuration of device performance management table>
FIG. 5 is a diagram showing a configuration example of the device performance management table 33100 that the management server 30000 has.

  The device performance management table 33100 includes a field 33110 for registering a device ID that is an identifier of a device to be managed, a field 33120 for registering a device ID that is a device identifier inside the device to be managed, and performance information of the management target device. A field 33130 for storing the metric name, a field 33140 for registering the OS type of the device that detected the threshold abnormality (which means “determined to be abnormal based on the threshold”), and the management target device A field 33150 for acquiring and storing the performance value from the corresponding device, and a field 33160 for storing a threshold (alert execution threshold) that is the upper limit or lower limit of the normal range of the performance value of the management target device in response to an input from the user. A field for registering whether the threshold is the upper limit or lower limit of the normal value. And de 33170 includes a field 33180 for performance value registers whether the abnormal value is a normal value, as configuration items.

  For example, from the first row (first entry) in FIG. 5, the processor operating rate in the controller CTL1 in the storage device SYS1 is 40% (see 33150) at the present time, and the operating rate of CTL1 is 20%. The management server 30000 determines that the controller CTL1 is overloaded when exceeding (see 33160), but in this specific example, it is understood that this performance value is determined to be an abnormal value (see 33180).

  Here, the I / O amount per unit time, the operation rate, and the response time are exemplified as the performance values of the devices managed by the management server 30000, but the performance values managed by the management server 30000 may be other than this.

<Configuration of volume topology management table>
FIG. 6 is a diagram showing a configuration example of the volume topology management table 33200 that the management server 30000 has.

  The volume topology management table 33200 includes a field 33210 for registering a device ID serving as a storage device identifier, a field 33220 for registering a volume ID serving as a volume identifier of the storage device, and an LU (Logical Unit) used by the host computer 10000. ) Field 33230 for registering an LU number as an identifier, a field 33240 for registering an ID of a controller used for communication between a port and a volume, and a field 33250 for registering an identifier of a host computer 10000 to which the volume is connected. And a field 33260 for registering the drive name of the logical volume of the host computer 10000 in which the volume is an entity.

  For example, from the first line (first entry) in FIG. 6, the volume VOL1 of the storage device SYS1 is provided to the host computer as a logical unit indicated by LU1, and is passed through the storage-side controller indicated by CTL1. It can be seen that it is connected to the host computer HOST1 and is recognized as a logical volume (/ var) on the host.

<Configuration of event management table>
FIG. 7 is a diagram showing a configuration example of the event management table 33300 that the management server 30000 has. This event management table 33300 is appropriately referred to in failure cause analysis processing and cause candidate classification processing described later.

  The event management table 33300 includes a field 33310 for registering an event ID serving as an identifier of the event itself, a field 33320 for registering a device ID serving as an identifier of a device having an event such as a threshold abnormality in the acquired performance value, and an event occurrence A field 33330 for registering the identifier of the part in the device that has been detected, a field 33340 for registering the name of the metric in which the threshold abnormality is detected, a field 33350 for registering the OS type of the device in which the threshold abnormality is detected, and a part in the device The configuration item includes a field 33360 for registering the state when the event occurs, a field 33370 for registering whether the event has been analyzed by the event analysis processing module 32500 described later, and a field 33380 for registering the date and time when the event occurred. so That.

  For example, from the first line (first entry) in FIG. 7, the management server 30000 detects the threshold abnormality of the processor operation rate in the controller indicated by CTL1 of the storage device SYS1, and the event ID is EV1. It turns out that it is.

<General rule configuration>
FIGS. 8A and 8B are diagrams illustrating a configuration example of the general rules in the general rule repository 33400 included in the management server 30000. FIG. A general-purpose rule (the same applies to an expansion rule described later) is a combination of one or more condition events that can occur in the node devices constituting the computer system 1 and a conclusion event that is a cause of failure for the combination of condition events. It shows the relationship. That is, the general-purpose rule and the later-described expansion rule indicate that the contents described in the conclusion part can cause a failure when an event in the condition part occurs.

  In general, the event propagation model for identifying the cause in failure analysis is a combination of events that are expected to occur as a result of a failure and the cause in “IF-THEN” format. Yes. The general-purpose rules are not limited to those shown in FIGS. 8A and 8B, and there may be more rules.

  The general rule includes a field 33430 for registering a general rule ID as an identifier of the general rule, a field 33410 for registering an observation event corresponding to the IF part of the general rule described in the “IF-THEN” format, and “IF-THEN”. A field 33420 for registering the cause event corresponding to the THEN part of the general rule described in the format, and a field 33440 for registering the topology acquired when the general rule is expanded in the real system and the expanded rule is generated. Are included as configuration items. If the event of the condition part 33410 is detected, the event of the conclusion part 33420 is the cause of the failure, and if the status of the conclusion part 33420 becomes normal, the problem of the condition part 33410 is also solved. 8A and 8B, three events are described in the condition part 33410, but the number of events is not limited.

  For example, from FIG. 8A, a general-purpose rule whose general-purpose rule ID is Rule1 indicates that a threshold error (related event) of the response time of the logical volume on the host computer as an observation event, and the operating rate of the controller in the storage device (processor usage) Ratio) threshold error (cause event) and LU unit time I / O threshold error (related event) in the storage device are detected, the storage device controller operation rate (processor usage rate) bottleneck It can be concluded that is the cause of disability.

  Note that topology information is acquired from the volume topology management table when generating an expansion rule. Moreover, you may define that a certain condition is normal as an event contained in an observation phenomenon. In the example of the general rule shown in FIG. 8B, it is defined as an observation event that the processor usage rate of the controller of the storage device and the I / O amount of LU unit time in the storage device are normal.

<Configuration of deployment rules>
FIGS. 9A to 9H are diagrams illustrating configuration examples of expansion rules in the expansion rule repository 33500 included in the management server 30000. FIG. These expansion rules are generated by inserting items of each entry of the volume topology management table (FIG. 7) into the general-purpose rules (FIGS. 8A and 8B).

  The expansion rule includes a field 33530 for registering an expansion rule ID serving as an expansion rule identifier, a field 33540 for registering a general rule ID serving as a general rule identifier based on the expansion rule, and “IF-THEN”. A field 33510 for registering an observation event corresponding to the IF part of the expansion rule described in the format and a field 33520 for registering a cause event corresponding to the THEN part of the expansion rule described in the “IF-THEN” format are configured. Includes as an item.

  For example, the expansion rule of FIG. 9A inserts the controller name 32240, the host ID 32250, the connection destination drive name 32260, and the LU number 32230 of the first entry of FIG. 6 into the device type and device part type in the general rule ID Rule1. Is generated by From FIG. 9A, an expansion rule whose expansion rule ID is ExRule1-1 is expanded based on the general rule whose general rule ID is Rule1, and the response time of the logical volume on the host computer is observed as an observation event. When a threshold error, a threshold error in the controller operation rate (processor usage rate) in the storage device, and a threshold error in the LU unit time I / O amount in the storage device are detected, the controller operation rate ( It can be concluded that the bottleneck of the processor usage rate is the cause of the failure.

<Configuration of analysis result management table>
FIG. 10 is a diagram showing a configuration example of the analysis result management table 33600 that the management server 30000 has.

  The analysis result management table 33600 registers a field 33610 for registering a device ID that is an identifier of a device in which an event has been determined to be the cause of the failure in the failure cause analysis process, and an identifier of a part in the device in which the event has occurred. Field 33620, field 33630 for registering the name of the metric that detected the threshold abnormality, field 33640 for registering the occurrence rate of the event described in the condition part in the expansion rule, and the basis for determining the event as the cause of the failure The field 33650 for registering the ID of the expansion rule, the field 33660 for registering the ID of the actually received event among the events described in the condition part in the expansion rule, and the administrator who is the user based on the analysis result Field 3 for registering whether or not an actual failure has been handled 3670, a field 33680 for registering the classified group ID, a field 33690 for registering whether or not the classification has been started from the analysis result, and a field for registering the date and time when the failure analysis process accompanying the occurrence of the event is started 33695 is included as a configuration item.

  For example, from the first row (first entry) in FIG. 10, based on the expansion rule ExRule1-1, the management server 30000 fails the threshold abnormality of the processor operation rate in the controller indicated by CTL1 of the storage device SYS1. As a cause, it is understood that the event IDs EV1, EV3, and EV6 are received as the basis, that is, the occurrence rate of the conditional event is 3/3.

<Configuration management information acquisition processing and volume topology management table update processing>
The program control module 32100 instructs the configuration information acquisition module 32200 to periodically acquire configuration management information from the storage device 20000, the host computer 10000, and the IP switch 40000 in the computer system 1 by, for example, polling processing.

  The configuration management information acquisition module 32200 acquires configuration management information from the storage device 20000, the host computer 10000, and the IP switch 40000, and updates the volume topology management table 33200.

<Device performance information acquisition processing and event analysis processing>
FIG. 11 is a flowchart for explaining a normal device performance information acquisition process executed by the device performance acquisition module 32300 of the management server 30000. The program control module 32100 instructs the device performance acquisition module 32300 to execute the device performance information acquisition process at the time of starting the program or every time a predetermined time elapses from the previous device performance information acquisition processing. It should be noted that when the execution instruction is repeatedly issued, it is not necessarily strictly every fixed period, and it is only necessary to repeat it.

  The device performance information acquisition module 32300 repeats the following series of processes for each device to be monitored.

  The device performance information acquisition module 32300 first instructs each device to be monitored to transmit configuration management information (step 61010).

  The device performance information acquisition module 32300 determines whether or not there is a response from the monitoring target device (step 61020). If there is a response of the device performance information from the device (Yes in step 61020), the acquired device performance information is displayed. The information is stored in the device performance management table 33100 (step 61030). If there is no response for configuration management information from the device (No in step 61020), the configuration management information acquisition process ends.

  Next, the device performance acquisition module 32300 refers to the device performance information stored in the device performance management table 33100, and repeats the processing from step 61050 to step 61070 for each performance value (step 61040). The device performance acquisition module 32300 checks whether the performance value exceeds the threshold, and updates the state registered in the device performance management table 33100 (Step 61050). Then, the device performance acquisition module 32300 determines whether or not the state has changed from normal to threshold abnormality or from threshold abnormality to normal (step 61060). If the state has changed (Yes in step 61060), the event An event is registered in the management table 33700 (step 61070). If the state has not changed (No in step 61060), the processing returns to step 61050 if the state confirmation processing has not been completed for all performance values.

After the above processing for all performance values is completed, the device performance acquisition module 32300 determines whether or not there is a newly added event in a series of processing (step 61080). If there is an additional event (for example, when a new abnormality occurs during processing), the program control module 32100 instructs the event analysis processing module 32500 to perform the failure cause analysis processing shown in FIG. 12 ( Step 61090).
The above is the apparatus performance information acquisition process performed by the apparatus performance acquisition module 32300.

<Details of Failure Analysis Processing (Step 61090)>
FIG. 12 is a flowchart for explaining the details of the failure cause analysis processing (step 61090 in FIG. 11) executed by the event analysis processing module 32500 of the management server 30000.

  The event analysis processing module 32500 acquires an event whose analyzed flag is not Yes from the event management table 33300 (step 62010).

  Next, the event analysis processing module 32500 repeats the processing from step 62020 to step 62040 for each expansion rule in the expansion rule repository 33500 (step 62020). The event analysis processing module 32500 first calculates the number of occurrences in the past certain period for each event corresponding to the condition part described in the expansion rule (step 62030).

  Subsequently, the event analysis processing module 32500 executes cause candidate classification processing (FIG. 13) (step 62050). Then, the event analysis processing module 32500 determines whether or not the number of event occurrences counted in the processing of step 62030 exceeds a certain ratio in all events described in the condition part. The display processing module 32400 is instructed to display the event causing the failure based on the classification performed in Step 62050 together with the event occurrence ratio in the conditional sentence (Step 62060). Thereafter, with reference to the event management table 33300, the analyzed flag 33370 is set to Yes for the event acquired in step 622010 (step 62070).

  Finally, the event analysis processing module 32500 writes, in the analysis result management table 33600, each of the expansion rules in the expansion rule repository that has a certainty factor that is not 0 (step 62080).

  For example, in the expansion rule ExRule1-1 shown in FIG. 9A, the condition part includes “abnormal response time threshold value of logical volume (/ var) in host computer HOST1” and “abnormal threshold value operation rate of controller CTL1 in storage device SYS1”. “And“ abnormal threshold value of unit time I / O amount of logical unit LU1 in storage device SYS1 ”are defined.

  7 is registered in the event management table 33300 shown in FIG. 7, the event analysis process is performed when “the threshold abnormality of the operation rate of the controller CTL1 in the storage device SYS1” (occurrence date: 2010-01-01 15:05:00) is registered. The module 32500 refers to the event management table 33300 after waiting for a certain period of time, and acquires events that have occurred in the past certain period.

  Next, the event analysis processing module 32500 calculates the number of occurrences in the past certain period for each event corresponding to the condition part described in the expansion rule ExRule1-1 of the expansion rule repository 33500. As a result, "Threshold error of logical volume (/ var) response time in host computer HOST1" (related event) and "Threshold error of logical unit LU1 unit time I / O amount" (related event) are also in the past certain period Therefore, the number of occurrences of each event (cause event and related event) corresponding to the condition part described in the expansion rule ExRule1-1 in the past certain period occupies in all the events described in the condition part The ratio will be 3/3.

  When the ratio calculated as described above exceeds a certain value, the event analysis processing module 32500 instructs the GUI display processing module 32400 to display the event causing the failure together with the event occurrence ratio in the conditional statement. To do. If the constant value here is 30%, for example, in this specific example, the occurrence ratio of each event in the condition part of the expansion rule ExRule1-1 in the past certain period is 3/3, that is, 100%. Will be displayed in the GUI.

  The above processing is executed for all the expansion rules defined in the expansion rule repository 33500.

  The above is the failure cause analysis processing performed by the event analysis processing module 32500. As described above, in the failure analysis function according to Patent Document 1, when a plurality of failures frequently occur in a short period, the number of failure analysis results to be stored increases. However, when a large number of cause candidates are inferred for a plurality of failures, there is no method for presenting which cause candidates are related to which failure actually occurs. In particular, when a large number of failure events occur and a large number of failure cause candidates are inferred, the administrator makes an analogy as to which failure cause candidate corresponds to which failure can be resolved immediately. It is difficult, and it takes a long time for the administrator to refer to the analysis result that should be preferentially taken. As a result, there is a problem that it takes a long time to resolve the failure.

  Therefore, in the embodiment according to the present invention, a cause candidate classification process is newly provided so that a large number of analysis results can be classified and displayed.

<Contents of cause candidate classification processing>
In order to solve the problems in the prior art, a cause candidate classification process in the management server 30000 is added in the first embodiment of the present invention. Hereinafter, details of the operation of the cause candidate classification process will be described.

  The cause candidate classification process is based on an event included in a cause candidate as a starting point (for example, a cause candidate with the highest certainty), and if there is another cause candidate including the event, it is a cause candidate for the same cause of failure This is the process of classifying (grouping) by assuming that Since related cause candidates are grouped together, it becomes possible to know candidates to be dealt with preferentially.

  FIG. 13 is a flowchart for explaining details of the cause candidate classification process (step 63050) performed by the event analysis processing module 32500 of the management server 30000 in the first embodiment.

  The event analysis processing module 32500 selects a cause candidate having the highest certainty factor in a certain period (for example, one polling period) from the analysis result management table 33600 (step 63010). Then, “Yes” is registered in the classification starting point flag field 33690 of the analysis result management table 33600 for the selected cause candidate entry. The event analysis processing module 32500 acquires the reception event ID included in the selected candidate from the analysis result management table 33600 (step 63020). Then, the event analysis processing module 32500 acquires from the analysis result management table 33600 a cause candidate that includes any one or more of the same reception event IDs among the acquired reception event IDs (step 63030). After acquiring the cause candidates, the event analysis processing module 32500 acquires a list of group IDs used from the field 33680 for registering group IDs in the analysis result management table 33600, creates a group ID that does not overlap, and in step 63010 With respect to the selected cause candidate and the cause candidate entry acquired in step 63030, the contents of the field 33680 are updated to the created group ID (step 63040).

  Next, the event analysis processing module 32500 checks whether there is an entry for which no group ID is described in the field 33680 from the analysis result management table 33600. If such an entry exists (No in step 63050), the cause candidate having the highest certainty among such entries is selected (step 63060), and the selected cause candidate in the analysis result management table 33600 is selected. For the entry, Yes is registered in the classification start flag field 33690. And the process after step 63020 is performed again with respect to the selected candidate.

  When the field 33680 of the analysis result management table 33600 is referred to and the group ID is described in all entries (Yes in step 63050), the event analysis processing module 32500 receives the received event ID field of the analysis result management table 33600. All reception event IDs are acquired from 33660. Next, an entry in which Yes is described in the classification start flag field 33690 of the analysis result management table 33600 is acquired, and it is checked whether or not all received event IDs are included in the acquired entry.

  When there is one or more reception IDs not included in the entry (No in step 63070), the event analysis processing module 32500 includes the cause candidate entries including the cause candidates including those reception IDs. Then, the cause candidate with the highest certainty factor is selected (step 63080), and Yes is registered in the classification start point flag field 33690 for the selected cause candidate entry in the analysis result management table 33600. And the process after step 63020 is performed again with respect to the selected candidate.

When an entry in which Yes is described in the classification start flag field 33690 of the analysis result management table 33600 is acquired and all received event IDs are included in the acquired entries (Yes in step 63070), the cause candidate classification The process ends.
The above is the cause candidate classification process performed by the event analysis processing module 32500.

  A specific example of the cause candidate classification process will be described below. It is assumed that the analysis result management table at the beginning of the processing is as shown in FIG. 10, the development rules are as shown in FIG. 9, and the event management table is as shown in FIG. Then, it is assumed that the processing is completed until immediately before step 62050 in FIG.

  The event analysis processing module 32500 has the highest certainty factor from the analysis result management table 33600. From the first level (first entry) of the analysis result management table, the event analysis processing module 32500 has the CTL1 failure cause candidate of the SYS1 device. Select an entry. Next, EV1, EV3, and EV6, which are failure events included in this candidate, are extracted. Then, the second-stage entry (SYS1 / CTL2) and the fifth-stage entry (IPSW1) are selected as other failure cause candidates including these failure events. These three entries are grouped, GR1 is generated as a group ID, and the generated group ID is registered in the group ID registration field 33680 of the analysis result management table for these entries. Further, since the first-stage entry is treated as a reference for classification, Yes is recorded in the classification start flag 33690 of the first-stage entry, and No is recorded in the classification start flag 33690 of the remaining two entries.

  Since there are remaining entries (third and fourth levels) that are not yet grouped in the analysis result management table, the operations up to this point are repeated. First, the third entry (SYS1 / CTL3) is selected as an entry with a high certainty factor. Then, the failure events EV2, EV4, and EV8 included in this candidate are extracted. The fifth entry (IPSW1) is selected as another failure cause candidate including these failure events. Then, these two entries are grouped, GR2 is generated as a group ID, and the generated group ID is registered in the group ID registration field 33680 of the analysis result management table of these entries. Note that the group ID is already registered in the fifth row entry, but it is additionally registered to indicate that it belongs to a plurality of groups. For this purpose, the group ID registration field 33680 is structured so that a plurality of IDs can be registered. Furthermore, since the third-stage entry is handled as a reference for classification, Yes is recorded in the classification start flag 33690 of the third-stage entry.

Furthermore, the analysis result management table has remaining entries (fourth row) that are not yet grouped. The same operation is repeated for this entry. Then, EV5 and EV9, which are failure events included in this candidate, are extracted. The fifth entry (IPSW1) is selected as another failure cause candidate including these failure events. Then, these two entries are grouped, GR3 is generated as a group ID, and the generated group ID is registered in the group ID registration field 33680 of the analysis result management table of these entries. Since the group ID is already registered in the fifth row entry, it is additionally registered. Furthermore, since the fourth-stage entry is handled as a reference for classification, Yes is recorded in the classification start flag 33690 of the fourth-stage entry.
Through the processing so far, all entries in the analysis result management table have been grouped.

  Next, failure events that were not referenced during grouping are extracted. Of all event IDs included in the received event ID field 33660 of the analysis result management table 33600, EV7 is extracted as not included in the entry in which Yes is recorded in the classification start flag 33690. As cause candidates including EV7, there are a second-stage entry (SYS1 / CTL2) and a fifth-stage entry (IPSW1). If the same grouping is performed starting from the second-stage entry (SYS1 / CTL2) with a high degree of certainty, these two entries and the first-stage entry (SYS1 / CTL1) can be newly grouped. . Here, all these entries are included in the group GR1. Considering that the failure handling is focused on GR1, even if the failure of SYS1 / CTL1 is dealt with to solve the entry of the first row that is the starting point of GR1, EV7 included in the entry of the second row There is a possibility that cannot be resolved. In this embodiment, a group starting from the second-stage entry (SYS1 / CTL2) is also generated separately from GR1 so that all faults can be repaired by dealing with one entry of each group. Then, GR4 is generated as the group ID, and the generated group ID is registered in the group ID registration field 33680 of the analysis result management table of these entries. Since each group already has a group ID registered, it is additionally registered. Further, since the second-stage entry is treated as a reference for classification, Yes is recorded in the classification start flag 33690 of the second-stage entry.

  As a result, all the event IDs included in the received event ID field 33660 of the analysis result management table 33600 are not included in the entry whose Yes is recorded in the classification start flag 33690. finish.

<Configuration of failure analysis result display screen>
FIG. 14 is a diagram illustrating a display example 71000 of a failure analysis result display screen that the management server 30000 displays to the user (administrator).

  On the failure analysis result display screen 71000, the analysis results defined in the analysis result management table are displayed together with the group IDs that match. At this time, entries classified into a plurality of groups are displayed in duplicate in the plurality of groups. In addition, the cause candidate that is the starting point for grouping in each group is displayed at the top of the group. The other candidates are displayed in descending order of certainty.

  In this embodiment, all the cause candidate groups are displayed on the same screen. However, since it is only necessary to divide and display each cause group, each group can be displayed on a separate screen and switched by a tab or the like. May be implemented.

  According to the above failure analysis result display, for example, the administrator is likely to be able to efficiently remove the cause of the failure if he / she deals with the top candidate of each cause candidate group displayed on the screen of the management server 30000. I can know that.

<Modification>
If the number of groups generated as a result of the above classification process is too large, it may be difficult to confirm the failure result by grouping. Therefore, when the number of groups generated by the classification process is greater than or equal to a predetermined number (the number of groups can be set by the administrator), the classification results may be automatically collected. In this process, for example, first, it is determined whether or not a certain percentage or more of the condition events included in a certain classification result group is included in another classification result group. When condition events having a certain percentage of abnormality are included in different classification result groups, the cause candidates included in these groups are grouped into one group. This is because when a certain group of conditional events of a certain group is included in another group, the failure event included in both groups is caused by the failure that occurred in the same device. This is because there is a high possibility that there is no problem even if they are treated as the same group.

<Effects of cause candidate classification processing>
As described above, according to the first embodiment, the management software of the management server 30000 classifies the inferred failure cause candidates after the failure cause analysis processing shown in FIG. To display. In the classification method according to the first embodiment and the display format of the result, classification can be performed so that all faults can be repaired by dealing with one entry at the top of each group. Conventionally, when the cause candidate classification process is not performed, the contents of the list shown in FIG. 10 are displayed as they are as inferred failure cause candidates. By performing the cause candidate classification processing, the administrator can easily determine which cause candidate should be preferentially dealt with, and the load required for analysis result confirmation and failure handling can be reduced.

  And by classifying into groups as shown in FIG. 14 and displaying each cause candidate, it is possible for the administrator to verify cause candidates with high priority (candidates to be dealt with preferentially) in a well-balanced manner. It becomes possible to shorten the time for failure handling.

(2) Second Embodiment In the second embodiment, after presenting a cause candidate to the administrator according to the first embodiment, the cause candidate classification process is performed again based on the failure handling procedure performed by the administrator. Is. Since the system configuration and the configuration of each device are the same as those in the first embodiment, description thereof will be omitted. Hereinafter, in the description of the second embodiment, processing performed based on the operation of the administrator after the failure analysis result is displayed on the screen as shown in FIG. 14 according to the first embodiment will be described.

<Processing when the cause candidate is dealt with>
FIG. 15 is a flowchart for explaining processing when the administrator performs a failure response using a failure analysis result in the second embodiment. For example, when the administrator detects from the failure analysis result display screen 71000 that a cause candidate has been selected and handled the failure (step 64010), the event analysis module 32500 has already dealt with the candidate selected by the administrator. The flag is changed to Yes (step 64020). In the first embodiment, classification is performed so that all faults can be repaired by dealing with one entry at the top of each group. Therefore, if the candidate selected first at the time of failure handling is the highest candidate in any group, the classification is performed so as to match the intention of the manager and the actual configuration status. Conversely, if a candidate that is not the highest in any group is selected first, it means that classification has not been performed properly. Therefore, when the candidate initially selected by the administrator is not the top of any group, the event analysis module 32500 performs a cause candidate reclassification process (steps 6040 to 64040). In other words, the fact that a candidate other than the top candidate has been selected indicates that the administrator does not trust the first classification result based on his / her own experience, etc. Classification is performed so that the administrator can deal with the cause candidates more efficiently.

<Details of cause candidate reclassification processing>
FIG. 16 is a flowchart for explaining the details of the cause candidate reclassification process (step 64040) according to the second embodiment. The cause candidate reclassification process of this embodiment is the same as the process performed for the cause candidate classification process (steps 63010 to 63080) in the first embodiment, with the corresponding flag set to Yes. Priority should be given to the candidates that are present.

  First, the event analysis processing module 32500 deletes the values of all candidate group ID fields 33680 and the classification start flag field 33690 as pre-processing (step 65005).

  Next, from the analysis result management table 33600, the event analysis processing module 32500 selects a cause candidate having the highest certainty among candidates whose corresponding flag field 33670 is set to Yes (step 65010). Then, the event analysis processing module 32500 registers Yes for the selected cause candidate entry in the classification start flag field 33690 of the analysis result management table 33600.

  The event analysis processing module 32500 acquires the reception event ID included in the selected candidate from the analysis result management table 33600 (step 65020). Then, the event analysis processing module 32500 acquires a cause candidate including any one or more of the same reception event IDs from the acquired reception event IDs from the analysis result management table 33600 (step 65030).

  After acquiring the cause candidates, the event analysis processing module 32500 acquires a list of group IDs used from the field 33680 for registering group IDs in the analysis result management table 33600, creates non-overlapping group IDs, and in step 65010 For the selected cause candidate and the cause candidate entry acquired in step 65030, the contents of the field 33680 are updated to the created group ID (step 65040).

  Subsequently, the event analysis processing module 32500 determines from the analysis result management table 33600 whether there is an entry in which the group ID is not described in the field 33680 from among candidates whose corresponding flag field 33670 is set to Yes. To check. When such an entry exists (in the case of No in step 65050), a cause candidate having the highest certainty is selected from such entries (step 65060), and the cause candidate selected in the analysis result management table 33600 is selected. For the entry, Yes is registered in the classification start flag field 33690. And the process after step 65020 is performed again with respect to the selected candidate.

  When it is determined that all the cause candidates of the handled flag Yes are classified (Yes in Step 65050), the event analysis processing module 32500 has a group ID described in the field 33680 from the analysis result management table 33600. Check for missing entries. When such an entry exists (No in step 65070), the event analysis processing module 32500 selects a cause candidate having the highest certainty among such entries (step 65080), and an analysis result management table. For the selected cause candidate entry 33600, Yes is registered in the classification start flag field 33690. And the process after step 65020 is performed again with respect to the selected candidate.

  Furthermore, with reference to the field 33680 of the analysis result management table 33600, if the group ID is described in all entries (Yes in step 65070), the event analysis processing module 32500 receives the received event of the analysis result management table 33600. All received event IDs are acquired from the ID field 33660.

  Next, the event analysis processing module 32500 acquires an entry in which Yes is described in the classification start flag field 33690 of the analysis result management table 33600, and checks whether all received event IDs are included in the acquired entries. To do.

  When one or more reception IDs not included in the entry exist (No in step 65090), the event analysis processing module 32500 includes the cause candidate entries including the cause candidates including those reception IDs. Then, the cause candidate having the highest certainty factor is selected (step 65095), and Yes is registered in the classification starting point flag field 33690 for the entry of the selected cause candidate in the analysis result management table 33600. Then, the event analysis processing module 32500 performs the processing from step 65020 on the selected candidate again.

  The event analysis processing module 32500 acquires an entry in which Yes is described in the classification start flag field 33690 of the analysis result management table 33600, and if all received event IDs are included in the acquired entries (Yes in step 65090). ), The cause candidate reclassification process is terminated.

  The above is the cause candidate reclassification processing performed by the event analysis processing module 32500. In FIG. 16, the relationship between the timing at which the handled flag is set to Yes and the timing at which the cause candidate reclassification processing is executed is not specified, but the administrator handles several cause candidates, After the handled flag becomes Yes, the cause candidate reclassification process (FIG. 16) may be executed in accordance with an instruction from the administrator, or each time the handled flag is changed to Yes, the cause candidate reclassification process May be executed.

  A specific example of the cause candidate reclassification process will be described below. As in the first embodiment, it is assumed that the analysis result management table at the beginning of the processing is as shown in FIG. 10, the development rules are as shown in FIG. 9, and the event management table is as shown in FIG. It is assumed that the processing has been completed until immediately before the execution of step 64040 in FIG. 15. In the process, the administrator first selects the cause of failure of IPSW1 on the result screen display in FIG. Assume that Yes is recorded only in the entry (IPSW1) in the fifth row in the corresponding flag field 33670 in FIG.

  The event analysis processing module 32500 first deletes all the cause candidate group ID fields and classification start flag field values of the analysis result management table 33600. Next, from the analysis result management table 33600, the entry with the highest certainty among the cause candidates whose corresponding flag is Yes is the fifth entry (fifth entry) of the analysis result management table, and the IPSW device Select a failure cause candidate entry.

Next, the event analysis processing module 32500 extracts EV6, EV7, EV8, and EV9, which are failure events included in this candidate. As other failure cause candidates including these failure events, the first row entry (SYS1 / CTL1), the second row entry (SYS1 / CTL2), the third row entry (SYS1 / CTL3), the fourth row Select the first entry (SYS1 / CTL4). Then, these five entries are grouped, GR1 is generated as a group ID, and the generated group ID is registered in the group ID registration field 33680 of the analysis result management table of these entries. Further, since the fifth row entry is treated as a reference for classification, Yes is recorded in the classification start flag 33690 of the fifth row entry, and No is recorded in the remaining four entry classification start flag 33690.
Through the processing so far, all entries in the analysis result management table have been grouped.

  Subsequently, the event analysis processing module 32500 extracts a failure event that has not been referred to when grouping. Among all event IDs included in the received event ID field 33660 of the analysis result management table 33600, EV1, EV2, EV3, EV4, and EV5 are extracted as those not included in the entry whose Yes is recorded in the classification start flag 33690. Is done. There are four entries from the first entry to the fourth entry as cause candidates including them. If the same grouping is performed starting from the entry with the first level having a high certainty among these, the event analysis processing module 32500 determines the second level as other failure cause candidates including the failure events EV1, EV3, and EV6. Select the entry (SYS1 / CTL2) and the fifth entry (IPSW1). Then, the event analysis processing module 32500 groups these three entries, generates GR2 as a group ID, and registers the generated group ID in the group ID registration field 33680 of the analysis result management table of these entries. Further, since the event analysis processing module 32500 has handled the first-stage entry as a reference for performing classification, Yes is recorded in the classification start flag 33690 of the first-stage entry.

  The event analysis processing module 32500 assumes that all event IDs included in the received event ID field 33660 of the analysis result management table 33600 are not included in the entry whose Yes is recorded in the classification start flag 33690, EV2, EV4, Extract EV5. There are two entries, the third row entry and the fourth row entry, as cause candidates including them. If the same grouping is performed starting from the entry of the third level with a high certainty among these, the event analysis processing module 32500 will display the fifth level as other failure cause candidates including the failure events EV2, EV4, and EV8. Select the entry (IPSW1). The event analysis processing module 32500 groups these two entries, generates GR3 as a group ID, and registers the generated group ID in the group ID registration field 33680 of the analysis result management table of these entries. Further, since the third-stage entry has been handled as a reference for classification, the event analysis processing module 32500 records Yes in the classification start flag 33690 of the third-stage entry.

  Further, the event analysis processing module 32500 determines that EV5 is not included in the entry whose Yes is recorded in the classification start flag 33690 among all event IDs included in the reception event ID field 33660 of the analysis result management table 33600. Extract. Further, when the event analysis processing module 32500 performs the same grouping starting from the entry in the fourth row as the cause candidates including them, the event analysis processing module 32500 sets the fifth step as other failure cause candidates including the failure events EV5 and EV9. Select the entry (IPSW1). The event analysis processing module 32500 groups these two entries, generates GR4 as the group ID, and registers the generated group ID in the group ID registration field 33680 of the analysis result management table of these entries. Furthermore, since the event analysis processing module 32500 has handled the fourth-stage entry as a reference for performing classification, Yes is recorded in the classification start flag 33690 of the fourth-stage entry.

  Since all the event IDs included in the received event ID field 33660 of the analysis result management table 33600 are not included in the entry whose Yes is recorded in the classification start flag 33690, the event analysis processing module 32500 causes the cause The candidate reclassification process is terminated.

<Configuration of failure analysis result display screen>
FIG. 17 is a diagram illustrating a display example 72000 of a failure analysis result display screen that the management server 30000 displays to the user (administrator) after the cause candidate reclassification processing.

  Similar to the first embodiment, on the failure analysis result display screen 72000, the analysis results defined in the analysis result management table are displayed together with the group IDs that match. At this time, entries classified into a plurality of groups are displayed in duplicate in the plurality of groups. In addition, the cause candidate that is the starting point for grouping in each group is displayed at the top of the group. The other candidates are displayed in descending order of certainty.

  As in the first embodiment, in this embodiment, all the cause candidate groups are displayed on the same screen. However, since the groups may be displayed separately for each group, a separate screen is displayed for each group. You may implement so that it may be displayed and switched with a tab etc.

<Effects of cause candidate reclassification processing>
As described above, according to the second embodiment, as shown in FIG. 15, the management software of the management server 30000 allows the administrator to first select the cause of failure that was not displayed at the top of the group in the first embodiment. When the failure cause is selected, the failure cause candidate classification is executed again based on the failure cause. In the situation classified as in the first embodiment (FIG. 14), the management software of the present invention does not know that the administrator has selected IPSW1 displayed at the bottom of each group. However, there may be an external situation that causes the administrator to guess that IPSW1 is the cause of the failure. In such a case, the grouping is dynamically reconfigured according to the administrator's selection as in the second embodiment.

  As a result, when the cause of the failure occurring in IPSW1 is dealt with first, the other cause of failure should be classified and displayed. For this reason, even if the result presented in the first embodiment is different from the intention of the administrator, the classification can be corrected accordingly, and the load required for handling the failure of the administrator can be reduced. it can.

(3) Summary In the failure cause analysis, after inferring the cause of the failure, a failure event applied to the analysis rule in the derivation process is acquired for each failure cause candidate inferred in the management server. Then, the failure cause candidates are classified based on the certainty factor of each cause candidate and the failure event that is the basis for derivation thereof. However, if multiple failures due to different causes occur frequently in a short period, the number of stored failure analysis results will increase, and it will be necessary for the administrator to determine which failure cause candidate is inferred about which failure actually occurs. It may not be possible to judge. In such a case, the present invention classifies cause candidates that commonly include failure events that are actually occurring as the same group. As a result, even when a plurality of failures due to different causes occur, it is possible to classify the cause candidates in a probable combination.

  When there is a failure event related to only one cause candidate, there is no means other than using the cause candidate in order to solve the failure that causes the failure event. In such a case, since a plurality of cause candidates are not related to the failure event, there is no group classified based on the failure event. Therefore, the failure event may not be resolved even if the failure cause candidates of all the groups are dealt with. In particular, if some other failure event causes the only candidate cause that can resolve this failure event to be accidentally categorized into a group, the only cause in the group that can be resolved for a particular failure event It may be considered that the failure event is not quickly dealt with because it is identified with many other cause candidates and as a result of the classification. In order to prevent this, if there is a failure event that is not used as a basis for failure cause candidate classification in the present invention, a separate group is created for the cause candidate or cause candidate group to solve it. That is, the management server repeats the conclusion event classification process by changing the origin cause candidate, classifies all the conclusion events that are the cause of the failure, and then concludes events other than the conclusion event selected as the origin cause candidate (for example, When the second entry in FIG. 10 includes a residual condition event that is a condition event other than the conditional event included in the conclusion event selected as the starting cause candidate, the conclusion event including the remaining condition event is set as the starting cause candidate. Further classification processing is executed. By doing this, it is possible to group the cause candidates without omission and to repair all the faults.

  Furthermore, in the present invention, the management server displays a failure analysis result based on such a classification result. At this time, the display is made so that the administrator can understand which other cause candidates are grouped with each other. For example, the cause candidates may be displayed separately on different screens for each group based on the classification result, or displayed so that each group can be recognized after changing the order for each candidate group within the same screen. Similarly, after the cause candidates are displayed in the order not related to the group such as the certainty factor in the same screen, the groups to which the cause belongs may be displayed in each cause candidate entry.

  In this embodiment, an abnormal state is detected from the performance value of each node device, and a failure cause candidate is presented to the administrator as an analysis result (calculation of the certainty of the abnormal state). At that time, assuming that an event indicating some abnormal state is caused by an event of a specific abnormal state, classify candidate failure causes including the abnormal state common to the cause of failure with the highest certainty. . On the failure analysis result display screen, the analysis result is displayed in such a way that the administrator can understand the classification. More specifically, in the computer system of this embodiment, the management server (management system) acquires a processing performance value indicating the processing performance of the node device, and a failure has occurred in the node device from the acquired processing performance value. This is detected, one of the conclusion events that are assumed to be the cause of the failure is selected as a starting cause candidate, and a condition event related to the starting cause candidate is extracted. In addition, the management server selects one or a plurality of conclusion events that are conclusion events related to the extracted condition event and that are different from the conclusion event of the origin cause candidate as related cause candidates, The conclusion event of the cause candidate and the conclusion event of the related cause candidate are classified and processed separately from the other conclusion events. Then, the management server displays the classified conclusion event on the display screen. By doing in this way, the administrator can easily determine the response priority of the analysis result, and can reduce the load required for analysis result confirmation and failure handling.

  Further, the management server distinguishes the conclusion event that is the cause of the failure for each classification result according to the classification result of the conclusion event corresponding to the origin cause candidate and the related cause candidate, and displays them on the display screen. By doing so, it is possible to easily determine the analysis result to be dealt with and manage separately the dealt result and the unhandled result.

  In addition, the management server classifies the conclusion event of the related cause candidate including at least one condition event related to the conclusion event of the origin cause candidate in the analysis rule as the same group as the conclusion event of the origin cause candidate To do. By doing this, the classification conditions are clarified, and cause candidates that can be resolved simultaneously when dealing with the starting cause candidates are classified into the same group, so that the burden on the administrator can be reduced. become.

  Note that the conclusion event with the highest certainty factor may be selected as the starting cause candidate. As a result, it is possible to automatically perform a classification process with an analysis result considered to have a high response priority as an axis, and to efficiently handle a failure.

  Moreover, the management server that performs failure analysis does not always have a complete understanding of the external situation surrounding the management target. Therefore, it cannot be denied that the cause of failure presented by the classification result in the present embodiment may be different from the event that the administrator actually considers as the cause of failure. Therefore, when an administrator selects a cause cause with a low priority (confidence) and performs failure recovery, grouping is dynamically reconfigured according to the administrator's selection (No. 1). 2 embodiment). That is, in the classification result including a plurality of classification groups, the management server executes classification processing again based on information about which classification group is included in the classification group at the time of failure handling. decide. That is, the classification process is executed again with the conclusion event selected at the time of handling the failure as the starting cause candidate. By dynamically executing the classification process again in this manner, the administrator can execute a failure handling based on experience, and can efficiently manage the computer system.

  The present invention can also be realized by a program code of software that realizes the functions of the embodiments. In this case, a storage medium in which the program code is recorded is provided to the system or apparatus, and the computer (or CPU or MPU) of the system or apparatus reads the program code stored in the storage medium. In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the program code itself and the storage medium storing the program code constitute the present invention. As a storage medium for supplying such program code, for example, a flexible disk, CD-ROM, DVD-ROM, hard disk, optical disk, magneto-optical disk, CD-R, magnetic tape, nonvolatile memory card, ROM Etc. are used.

  Also, based on the instruction of the program code, an OS (operating system) running on the computer performs part or all of the actual processing, and the functions of the above-described embodiments are realized by the processing. May be. Further, after the program code read from the storage medium is written in the memory on the computer, the computer CPU or the like performs part or all of the actual processing based on the instruction of the program code. Thus, the functions of the above-described embodiments may be realized.

  Further, by distributing the program code of the software that realizes the functions of the embodiment via a network, the program code is stored in a storage means such as a hard disk or memory of a system or apparatus, or a storage medium such as a CD-RW or CD-R And the computer (or CPU or MPU) of the system or apparatus may read and execute the program code stored in the storage means or the storage medium when used.

10000: Server 20000: Storage device 30000: Management server 35000: Web browser activation server 40000: IP switch 45000: Network

Claims (13)

A management method for a computer system comprising: a node device to be monitored; and a management system connected to the node device via a network and monitoring and managing the node device,
The management system acquires a processing performance value indicating the processing performance of the node device, detects that a failure has occurred in the node device from the acquired processing performance value,
The management system applies the detected failure to an analysis rule indicating a relationship between a combination of one or more condition events that may occur in the node device and a conclusion event that is a cause of the failure of the combination of the condition events. , Calculating a certainty factor that is information indicating the possibility of failure in the node device,
The management system selects one of a plurality of conclusion events that are regarded as a cause of failure as a starting cause candidate, extracts the condition event related to the starting cause candidate,
The management system selects a conclusion event related to the extracted condition event, which is one or more conclusion events that are different from the conclusion event of the origin cause candidate, as related cause candidates,
The management system classifies the conclusion event of the origin cause candidate and the conclusion event of the related cause candidate separately from other conclusion events,
The management system displays the classified conclusion event on a display screen;
A computer system management method characterized by the above. In claim 1,
The management system is characterized in that, according to the classification result of the conclusion event corresponding to the origin cause candidate and the related cause candidate, the conclusion event to be the cause of the failure is distinguished for each classification result and displayed on the display screen. Computer system management method. In claim 1,
The management system includes the conclusion event of the related cause candidate that includes at least one condition event in the analysis rule that is the same as the condition event related to the conclusion event of the origin cause candidate, and the same as the conclusion event of the origin cause candidate A management method of a computer system, characterized by classifying as a group. In claim 1,
The management system selects the conclusion event having the highest certainty factor as the origin cause candidate, and classifies the conclusion event of the related cause candidate according to the condition event related to the conclusion event of the origin cause candidate. A management method for a computer system. In claim 1,
The management system repeats the classification process of the conclusion event by changing the starting cause candidate in the plurality of conclusion events that are the cause of the failure, classifies all the conclusion events that are the cause of the failure, and then the starting cause candidate It is determined whether a conclusion event other than the conclusion event selected as a candidate event includes a residual condition event that is a condition event other than the conditional event included in the conclusion event selected as the origin cause candidate, and includes the residual condition event A computer system management method, wherein a classification event is further executed with a conclusion event as the origin cause candidate. In claim 2,
In the classification result including a plurality of classification groups, the management system determines whether to execute the classification process again based on information on which classification group is included in the classification group at the time of failure handling. A computer system management method characterized by: In claim 6,
The management system re-executes the classification process by using the conclusion event selected at the time of the failure handling as the origin cause candidate. A management system connected to a monitored node device via a network and managing the node device,
A processor that acquires a processing performance value indicating the processing performance of the node device, and detects a state of the node device from the acquired processing performance value;
A memory for storing an analysis rule indicating a relationship between a combination of one or more condition events that can occur in the node device and a conclusion event that is a cause of a failure in the combination of the condition events;
The processor is
Applying the detected state to the analysis rule, calculating a certainty factor that is information indicating the possibility of failure in the node device,
Selecting one of a plurality of conclusion events regarded as a cause of failure as a starting cause candidate, and extracting the condition event related to the starting cause candidate,
A conclusion event related to the extracted condition event, and one or more conclusion events that are different from the conclusion event of the origin cause candidate are selected as related cause candidates;
Classifying the conclusion event of the origin cause candidate and the conclusion event of the related cause candidate separately from other conclusion events;
Displaying the classified conclusion event on a display screen;
Management system characterized by that. In claim 8,
The processor is characterized in that, according to the classification result of the conclusion event corresponding to the origin cause candidate and the related cause candidate, the conclusion event to be the cause of the failure is distinguished for each classification result and displayed on the display screen. system. In claim 8,
The processor includes a conclusion event of the related cause candidate including at least one condition event in the analysis rule that is the same as the condition event related to the conclusion event of the origin cause candidate, and the same as the conclusion event of the origin cause candidate Management system characterized by classifying as a group. In claim 8,
The processor selects the conclusion event having the highest certainty factor as the origin cause candidate, and classifies the conclusion event of the related cause candidate according to the condition event related to the conclusion event of the origin cause candidate. Management system. In claim 8,
The processor repeats the classification process of the conclusion event by changing the origin cause candidate in the plurality of conclusion events that are the cause of failure, classifies all the conclusion events that are the cause of the failure, and then as the origin cause candidate It is determined whether a conclusion event other than the selected conclusion event includes a residual condition event that is a condition event other than the condition event included in the conclusion event selected as the origin cause candidate, and a conclusion including the residual condition event A management system further executing a classification process using an event as the origin cause candidate. In claim 9,
In the classification result including a plurality of classification groups, the processor determines whether to execute the classification process again based on information on which classification group is included in the classification group at the time of failure handling. When it is determined that the classification process is to be executed again, the management system is configured to execute the classification process again using the conclusion event selected at the time of handling the failure as the origin cause candidate.

Images