CN111294218B - Information processing method, device, system and storage medium - Google Patents
- Publication number
- CN111294218B
- Authority
- CN
- China
- Prior art keywords
- alarm
- message
- event
- field
- alarms
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
Abstract
The invention provides an information processing method, an information processing device, an information processing system and a storage medium, which are applied to the field of operation and maintenance monitoring, wherein the information processing method comprises the following steps: receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source; compressing the same type of alarm messages to generate alarms according to the alarm messages, wherein the alarms are message lists formed by compressing the same type of alarm messages; merging the alarms according to a preset merging rule to generate an alarm event, wherein the alarm event is an alarm list formed by merging the alarms according with the corresponding merging rule; and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit. The invention can efficiently compress the alarm message, reduce the frequency of the alarm message, reduce the interference of a large amount of alarm messages to operation and maintenance personnel and improve the operation and maintenance work efficiency.
Description
Technical Field
The present invention relates to the field of operation and maintenance monitoring, and in particular, to an information processing method, apparatus, system, and storage medium.
Background
Operation and maintenance monitoring is a general name for a series of IT management products. The products in an operation and maintenance monitoring system are powerful, easy to use and offer complete solutions, and can meet users' various IT management requirements in a one-stop manner.
More and more customers are considering or adopting solutions that centralize their business systems. However, once the business systems are centralized, not only does the operation and maintenance workload increase, but the centralized system also becomes more complicated. Effective system and application monitoring becomes the key to understanding how service resources are used, discovering in time the hidden dangers that may cause system faults, and guaranteeing system operation.
On the other hand, by means of the centralized monitoring solution, a user can correctly and timely know the running state of the system, find bottlenecks affecting the running of the whole system, help system personnel to carry out necessary system optimization and configuration change, and even provide basis for upgrading and expanding the system. The powerful monitoring and diagnostic tool can also help operation and maintenance personnel to quickly analyze the cause of the application fault and release the cause from complicated and repeated labor.
Thus, many customers' IT departments place demands on the establishment of a centralized IT management system, the monitored content including networks, servers, databases, middleware, and applications. Faults in the system are discovered in time through the centralized monitoring system, and the fault processing time is shortened.
However, most conventional operation and maintenance monitoring triggers an alarm according to a fixed threshold. This monitoring mode frequently suffers from false alarms, missed alarms, alarm storms and similar problems, and can seriously interfere with the work efficiency of operation and maintenance personnel.
Disclosure of Invention
The invention provides an information processing method, device, system and storage medium, aimed at the technical problem that the existing monitoring mode frequently suffers from false alarms, missed alarms, alarm storms and similar problems, and seriously interferes with the work efficiency of operation and maintenance personnel.
In a first aspect, an embodiment of the present invention provides an information processing method, including: receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source; compressing alarm messages of the same type according to the alarm message to generate an alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type; merging alarms according to a preset merge rule to generate an alarm event, wherein the alarm event is an alarm list formed by merging the alarms that conform to the corresponding merge rule; and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit [in a specific embodiment, a time window is used as the threshold; if the time window is exceeded, the event is no longer under operation and maintenance and an event needs to be created].
In one optional implementation, the compressing alarm messages of the same type according to the alarm message to generate an alarm includes: determining, according to the alarm message, whether an alarm corresponding to the alarm message exists among the alarms currently under operation and maintenance; if an alarm corresponding to the alarm message exists, updating the corresponding alarm according to the alarm message; and if no alarm corresponding to the alarm message exists [an alarm does not exist if it was closed because the time window was exceeded, was closed after its status returned to normal, or was never created at all], creating the corresponding alarm according to the alarm message.
In one optional implementation, the determining, according to the alarm message, whether an alarm corresponding to the alarm message exists among the alarms currently under operation and maintenance includes: extracting a classification key field from the alarm message; if an alarm that performs message compression using the classification key field exists among the alarms currently under operation and maintenance, determining that the alarm corresponding to the alarm message exists; otherwise, determining that it does not exist.
In one optional embodiment, the classification key field includes an object field for representing an object and/or an index field for representing a monitoring index.
In one optional embodiment, the merging alarms according to a preset merge rule to generate an alarm event includes: determining, according to the merge rule and the alarm, whether an alarm event corresponding to the alarm exists among the events currently under operation and maintenance; if no alarm event corresponding to the alarm exists [an alarm event does not exist if it was never created or was closed because it exceeded the operation and maintenance range], creating the corresponding alarm event according to the merge rule and the alarm, and establishing the association between the alarm and the alarm event; and if an alarm event corresponding to the alarm exists and the alarm is a currently created alarm, establishing the association between the alarm and the alarm event.
In one optional implementation, the determining, according to the merge rule and the alarm, whether an alarm event corresponding to the alarm exists among the events currently under operation and maintenance includes: determining the identifier of the alarm event corresponding to the alarm according to the merge rule and the alarm; if the identifier of the alarm event corresponding to the alarm exists among the identifiers of the alarm events currently under operation and maintenance, determining that the alarm event corresponding to the alarm exists; otherwise, determining that it does not exist.
In one optional implementation, the operation and maintenance range is a time window.
In a second aspect, an embodiment of the present invention further provides an information processing apparatus, including:
a receiving unit, configured to receive an alarm message, where the alarm message is an original alarm message sent by an alarm source;
the compression unit is used for compressing the same type of alarm information according to the alarm information received by the receiving unit to generate an alarm, and the alarm is a message list formed by compressing the same type of alarm information;
the merging unit is used for merging the alarms obtained by compression of the compression unit according to a preset merging rule to generate an alarm event, wherein the alarm event is an alarm list formed by merging the alarms conforming to the corresponding merging rule;
and the notification unit is used for notifying the alarm events obtained by combining the combining units by taking a preset operation and maintenance range corresponding to the alarm events as a unit.
In one optional embodiment, the compressing unit includes:
the first determining module is used for determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message received by the receiving unit;
the alarm updating module is used for updating the corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message exists;
and the alarm creating module is used for creating a corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message does not exist.
In one optional implementation, the first determining module includes:
the extraction submodule is used for extracting a classification key field according to the alarm message received by the receiving unit;
the first determining submodule is used for determining that an alarm corresponding to the alarm message exists if the alarm of the current operation and maintenance carries out message compression by using the classification key field extracted by the extracting submodule; otherwise it is not present.
In one optional embodiment, the classification key field includes an object field for representing an object and/or an index field for representing a monitoring index.
In one optional implementation, the merging unit includes:
the second determining module is used for determining whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the combination rule and the alarm obtained by compression of the compression unit;
the event processing module is used for creating a corresponding alarm event according to the combination rule and the alarm and establishing the association between the alarm and the alarm event if the second determining module determines that the alarm event corresponding to the alarm does not exist;
and the event correlation module is used for establishing the correlation between the alarm and the alarm event if the second determination module determines that the alarm event corresponding to the alarm exists and the alarm is the currently established alarm.
In an optional implementation manner, the second determining module includes:
the second determining submodule is used for determining the identifier of the alarm event corresponding to the alarm according to the combination rule and the alarm;
the third determining submodule is used for determining that the alarm event corresponding to the alarm exists if the identifier of the alarm event corresponding to the alarm, which is determined by the second determining submodule, exists in the identifier corresponding to the alarm event of the current operation and maintenance; otherwise it is not present.
In a third aspect, embodiments of the present invention also provide an information processing system, comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for:
receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source;
compressing the same type of alarm messages to generate alarms according to the alarm messages, wherein the alarms are message lists formed by compressing the same type of alarm messages;
combining the alarms according to a preset combination rule to generate an alarm event, wherein the alarm event is an alarm list formed by combining the alarms according with the corresponding combination rule;
and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the information processing method described above.
The information processing method, device, system and storage medium provided by the invention identify alarm messages to determine whether they belong to the same alarm, treat alarm messages of the same type as one alarm, and compress the alarm messages of that alarm. Different alarms are merged according to a preset merge rule, and the merged alarms are called an alarm event. Finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as a unit. For massive and continuous redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that effective alarm notification is provided for operation and maintenance personnel. The invention can efficiently compress alarm messages, reduce the frequency of alarm messages, reduce the interference of a large number of alarm messages with operation and maintenance personnel, and improve operation and maintenance work efficiency.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic flowchart of an information processing method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an information processing method according to another embodiment of the present invention;
FIG. 3 is a schematic diagram of an information processing apparatus according to another embodiment of the present invention;
FIG. 4 is a schematic diagram showing a configuration of a compression unit in the information processing apparatus shown in FIG. 3;
Fig. 5 is a schematic diagram of a configuration of a merging unit in the information processing apparatus shown in Fig. 3.
With the foregoing drawings in mind, certain embodiments of the disclosure have been shown and described in more detail below. These drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the concepts of the disclosure to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
The following describes the technical solutions of the present invention and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
As shown in fig. 1, an embodiment of the present invention provides an information processing method, where an execution subject of the method may be an information processing apparatus or an information processing system, and the method includes:
In this embodiment, the alarm source is a system that sends original alarm messages to the present system; it may take the form of an app, or may be a web application such as a website. The alarm source may access the execution subject of the method through an API. The alarm message includes a plurality of fields, which generally include an alarm source name, an alarm status, object information, and index information. The alarm status represents the level of the alarm message and may include a plurality of levels, for example 4 levels: disaster, severe, warning, and normal. It may also be divided into 3 levels or 5 levels, which is not limited herein, but the alarm status must be included in the alarm message. The object information identifies the object in the alarm source that issues the alarm, such as a host, a service, an application, or a business in the alarm source. The index information may be null, or may be a monitored index, such as average CPU utilization, memory utilization, or packet loss rate.
Step 102, compressing alarm messages of the same type according to the alarm message to generate an alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type.
Specifically, alarm messages of the same type may be alarm messages that share the same field: for example, the same object field (i.e., the object information), the same index field (i.e., the index information; note that the index information may include only the index field, or both the index field and an index description field), or both the same object field and the same index field. This is not limiting; specific fields in the alarm message may be chosen as the criteria for classifying alarm messages of the same type.
Step 103, merging the alarms according to a preset merge rule to generate an alarm event, wherein the alarm event is an alarm list formed by merging the alarms that conform to the corresponding merge rule.
In this embodiment, the preset merge rule may be a default merge rule of the execution subject, or may be a user-defined merge rule, for example:
There are 5 default merge rules, in priority order from high to low: alarm merging based on the host field, alarm merging based on the service field, alarm merging based on the application field, alarm merging based on the business field, and escalation alarm merging based on the cluster field. Newly generated alarms are matched against the merge rules in priority order, and events are generated according to the matched merge rule.
Or, the user defines the rule name, description and operation and maintenance range in a page displayed by the execution subject. When the alarm rule is defined, the combination across the alarm sources and the combination according to the label are supported. The screening condition of a rule supports equal, unequal, in list, not in list, etc. matching conditions, supports adding "and" or ". The custom combination rule supports the definition of an operation and maintenance range, and in the operation and maintenance range, if an alarm meeting the preset combination rule exists, the alarm can be combined into an alarm event. In one embodiment, the operation and maintenance range may be a time window, and the alarm or warning event is in the operation and maintenance state in the corresponding time window. The operation and maintenance range may also be the number of times of initiating the same type of alarm message, and the like, which is not limited herein.
In addition, the specific merge rule in the present embodiment is not limited herein, and the above description is only presented by way of example to facilitate understanding of those skilled in the art.
Step 104, notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit.
In this embodiment, the display hierarchy of alarm messages, alarms, and alarm events is as follows: alarm events are displayed in the alarm event list, one or more alarms are displayed within each alarm event, and one or more alarm messages are displayed under each alarm. An alarm event may be viewed as a list of alarms, and an alarm as a list of alarm messages.
The information processing method identifies alarm messages to determine whether they belong to the same alarm, treats alarm messages of the same type as one alarm, and compresses the alarm messages of that alarm. Different alarms are merged according to a preset merge rule, and the merged alarms are called an alarm event. Finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as a unit. For massive and continuous redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that effective alarm notification is provided for operation and maintenance personnel. The invention can efficiently compress alarm messages, reduce the frequency of alarm messages, reduce the interference of a large number of alarm messages with operation and maintenance personnel, and improve operation and maintenance work efficiency. Verified in actual production, the suppression function of the invention effectively reduces the number of alarm notifications sent to the user, and the actual compression rate is between 50% and 95% depending on the type of client.
On the basis of the foregoing embodiment, in order to further explain the data processing method provided by the present invention, fig. 2 is a schematic flow chart of an information processing method according to another embodiment of the present invention. As shown in fig. 2, the information processing method includes:
In this embodiment, the implementation manner of step 201 is the same as that of step 101, and is not described herein again.
In an alternative embodiment, the alarm message may be a JSON string that conforms to the JSON syntax. JSON (JavaScript Object Notation) is a lightweight data exchange format. It is based on a subset of ECMAScript (the JS specification defined by the European Computer Manufacturers Association) and stores and represents data in a text format that is completely independent of the programming language. Its compact and clear hierarchy makes JSON an ideal data exchange language. It is easy for people to read and write, easy for machines to parse and generate, and effectively improves network transmission efficiency.
In an optional real-time scenario, the API that the alert source accesses to the execution body is a REST API, the REST API may interact with the execution body by any device that supports sending HTTP requests, and the REST API may be used to implement the following functions, for example: a mobile website can acquire data on an execution body through JavaScript; a website may present data from an executing agent; a large amount of data can be uploaded and then can be read by a mobile App; recent data can be downloaded for your custom analytical statistics; programs written in any language can manipulate data on the execution body; you can export all data if you no longer need to use the execution agent.
In an alternative embodiment, step 202 may include: extracting a classification key field from the alarm message; if an alarm that performs message compression using the classification key field exists among the alarms currently under operation and maintenance, determining that the alarm corresponding to the alarm message exists; otherwise, determining that it does not exist. For example, if the classification key field is used as the identifier or name of the alarm, the classification key field of the alarm message may be extracted and matched against the identifiers or names of the alarms currently under operation and maintenance.
In an optional embodiment, the classification key field includes an object field for representing an object and/or an index field for representing a monitoring index. The concrete expression form of the object field may be an application Key (APP Key) agreed with the execution subject of the method, or may be other identification information for identifying a unique identity, which is not limited herein.
In an optional embodiment, the criterion for keeping an alarm under operation and maintenance may be the alarm status of the alarm messages in the alarm: if the alarm status is normal, the alarm may leave operation and maintenance. The criterion may also be a time window: when the end of the time window is reached, the alarm may leave operation and maintenance. If the time window is used as the criterion, then when an alarm message is generated or received within the time window, it can be understood that the alarm message has found its corresponding alarm and that the alarm is currently under operation and maintenance.
Step 203, updating the corresponding alarm according to the alarm message.
In this embodiment, updating the corresponding alarm may mean overwriting the same alarm message in the alarm with the new alarm message, so that only the latest alarm message is shown for the dimension related to the operation and maintenance range, or it may mean adding the alarm message to the corresponding alarm, which is not limited herein.
It should be noted that, because of the display relationship among alarm messages, alarms and alarm events, when an alarm message is received and the alarm corresponding to it exists, this indicates that the alarm event corresponding to that alarm is within the operation and maintenance range; otherwise, the alarm would be upgraded to the corresponding alarm event. Therefore, when the alarm corresponding to the alarm message currently exists, the alarm event corresponding to the alarm is within the operation and maintenance range, and after the alarm message has been used to update the alarm, alarm notification is performed when the operation and maintenance range of the alarm event reaches the threshold. During this process, the alarm is updated in real time according to the alarm messages received in real time, until the operation and maintenance range of the alarm event reaches the threshold.
Step 204, creating a corresponding alarm according to the alarm message.
Specifically, when the alarm message has no corresponding alarm, the classification key field may be used as the identifier of the alarm message, the alarm message is upgraded to an alarm, and the same type of alarm message is updated in real time in the subsequent operation and maintenance range of the alarm.
In an alternative embodiment, step 205 may include: determining the identifier of the alarm event corresponding to the alarm according to the merge rule and the alarm; if the identifier of the alarm event corresponding to the alarm exists among the identifiers of the alarm events currently under operation and maintenance, determining that the alarm event corresponding to the alarm exists; otherwise, determining that it does not exist.
In an alternative embodiment, the merge rule is used to merge multiple alarms belonging to the same or similar faults; the merged alarms are referred to as an alarm event, and each event represents one fault or a set of similar faults.
Step 206, creating a corresponding alarm event according to the merge rule and the alarm, and establishing the association between the alarm and the alarm event.
Step 208, notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit.
The information processing method identifies alarm messages to determine whether they belong to the same alarm, treats alarm messages of the same type as one alarm, and compresses the alarm messages of that alarm. Different alarms are merged according to a preset merge rule, and the merged alarms are called an alarm event. Finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as a unit. For massive and continuous redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that effective alarm notification is provided for operation and maintenance personnel. The invention can efficiently compress alarm messages, reduce the frequency of alarm messages, reduce the interference of a large number of alarm messages with operation and maintenance personnel, and improve operation and maintenance work efficiency. Verified in actual production, the suppression function of the invention effectively reduces the number of alarm notifications sent to the user, and the actual compression rate is between 50% and 95% depending on the type of client.
To help those skilled in the art better understand the information processing method provided by the embodiment of the present invention, a specific example is explained. A large system contains a plurality of online shopping malls, office systems and financial systems, and involves a plurality of machine rooms and dozens of service systems. With the information processing method provided by the embodiment of the invention, the alarm messages of the basic environment and of the service systems are uniformly fed into the execution subject of the method through a REST API. The basic environment refers to the operating environment of the user's applications, such as a physical machine, a virtual machine, a cloud environment, or a hybrid environment; this environment contains the containers, databases, etc. of the user's applications. For a bank, for example, the bank's app or online website may be called a business system.
When an alarm source in the system is initially accessed to the execution main body of the method, a corresponding APP Key is distributed to an object in each alarm source, so that the APP Key is carried by the alarm source when the alarm message is sent to the execution main body of the method in the later operation and maintenance period and is used as object information of a monitoring object.
In this embodiment, alarm messages are received through the REST API; each alarm message is an original alarm message generated by an alarm source. Alarm messages for the same object and the same index are compressed into one alarm, and alarms are merged on a shared field (such as a cluster) according to a preset merging rule to become an alarm event.
Specifically, the decision is made according to the main key and the check of the alarm message (the check is the check item, that is, the index field, of the alarm message and may be empty). If both items are the same in two alarm messages, the messages are regarded as the same alarm message and alarm compression can be performed.
Note that an alarm message has one and only one main key. When several APP Keys are present at the same time, the priority of the main key from high to low is: host -> service -> application -> business.
In this embodiment, the operation and maintenance range for alarm compression is a default time window. Within the default time window, as long as the alarm status remains not OK, all alarm messages with the same main key and check item stay under the current alarm. Within the default time window, the alarm is restored when its status becomes OK. If an alarm message is generated again after the alarm has ended, the alarm is reopened within the default time window, and the content of the alarm is updated with the latest message. Once the default time window has been exceeded, a new alarm is created for an incoming alarm message.
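The compression and merging steps described above can be sketched as follows. This is an added example, not code from the patent: the message field names (ts, check, status), the 600-second window measured from the creation of the alarm, the unwindowed event table and the handling of an alarm that matches no rule are assumptions, and the merge rule order follows the default order listed in claim 1.

```python
from dataclasses import dataclass, field

KEY_PRIORITY = ("host", "service", "application", "business")  # main-key order
MERGE_RULES = KEY_PRIORITY + ("cluster",)  # default rule order, highest first
WINDOW_SECONDS = 600  # assumed value; the page only names a "default time window"


@dataclass
class Alarm:
    key: tuple          # (main-key field, main-key value, check or None)
    opened_at: int
    status: str
    messages: list = field(default_factory=list)


@dataclass
class Event:
    ident: tuple        # (merge field, value)
    alarms: list = field(default_factory=list)


def main_key(msg):
    """Return the single main key: the highest-priority object field present."""
    for name in KEY_PRIORITY:
        if msg.get(name):
            return name, msg[name]
    raise ValueError("alarm message carries no object field")


class Pipeline:
    def __init__(self, window=WINDOW_SECONDS, rules=MERGE_RULES):
        self.window, self.rules = window, rules
        self.current = {}   # compression key -> alarm of the current window
        self.alarms = []    # every alarm, in creation order
        self.events = {}    # event identifier -> Event

    def ingest(self, msg):
        """Compress one message into an alarm; merge the alarm if it is new."""
        key = main_key(msg) + (msg.get("check") or None,)
        alarm = self.current.get(key)
        if alarm is None or msg["ts"] - alarm.opened_at > self.window:
            alarm = Alarm(key, msg["ts"], msg["status"])
            self.current[key] = alarm
            self.alarms.append(alarm)
            self._merge(alarm, msg)      # only newly created alarms are merged
        alarm.messages.append(msg)       # every message is kept under its alarm
        alarm.status = msg["status"]     # OK restores, a later non-OK reopens
        return alarm

    def _merge(self, alarm, msg):
        """Attach a new alarm to the event of the first matching merge rule."""
        for name in self.rules:
            if msg.get(name):
                ident = (name, msg[name])
                break
        else:
            ident = ("alarm",) + alarm.key  # assumption: unmatched alarm stands alone
        self.events.setdefault(ident, Event(ident)).alarms.append(alarm)


# Constructed sample messages (not taken from the page); ts is in seconds.
SAMPLE = [
    {"ts": 0, "host": "web-01", "check": "cpu", "status": "CRITICAL"},
    {"ts": 60, "host": "web-01", "check": "cpu", "status": "CRITICAL"},
    {"ts": 120, "host": "web-01", "check": "mem", "status": "WARNING"},
    {"ts": 180, "host": "web-01", "check": "cpu", "status": "OK"},
    {"ts": 240, "host": "web-01", "check": "cpu", "status": "CRITICAL"},
    {"ts": 300, "service": "payments", "application": "checkout",
     "check": "", "status": "CRITICAL"},
    {"ts": 1000, "host": "web-01", "check": "cpu", "status": "CRITICAL"},
]


def run_sample():
    """Feed the constructed messages through the pipeline and return it."""
    pipeline = Pipeline()
    for msg in SAMPLE:
        pipeline.ingest(msg)
    return pipeline


if __name__ == "__main__":
    for ident, event in run_sample().events.items():
        print(ident, [(a.key, a.status, len(a.messages)) for a in event.alarms])
```

Seven messages collapse into four alarms and two events, and every original message remains reachable under its alarm, which is the property an operator should check before trusting any suppression layer in front of a notification channel.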
Before the information processing method provided by the embodiment of the invention was used, operation and maintenance work was heavily disturbed by frequent alarm notification messages. To avoid the disturbance, the operation and maintenance personnel of the large system could only temporarily switch off the monitoring functions of several systems, but this left the service systems and the basic environment unmonitored and made it impossible to control the quality of the whole operation and maintenance support environment in real time. After the information processing method provided by the embodiment of the invention was used, the number of messages sent was reduced from the original 500 per day and 1000 per day to an average of fewer than 100 per day, with zero loss of core content. The core content here refers to the name of the alarm source, the object information, the index information and the alarm state in the alarm message. The core content of the alarm message is preserved when compression and merging are performed.
Fig. 3 is a schematic structural diagram of an information processing apparatus according to another embodiment of the present invention. As shown in fig. 3, the information processing apparatus includes:
a receiving unit 31, configured to receive an alarm message, where the alarm message is an original alarm message sent by an alarm source;
the compressing unit 32 is configured to compress the same type of alarm messages according to the alarm messages received by the receiving unit to generate alarms, where the alarms are message lists formed by compressing the same type of alarm messages;
the merging unit 33 is configured to merge the alarms compressed by the compression unit according to a preset merging rule to generate an alarm event, where the alarm event is an alarm list formed by merging alarms conforming to the corresponding merging rule;
and the notifying unit 34 is configured to notify the alarm event obtained by merging the merging units by using a preset operation and maintenance range corresponding to the alarm event as a unit.
In one optional embodiment, as shown in fig. 4, the compressing unit 32 includes:
a first determining module 321, configured to determine whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message received by the receiving unit;
an alarm updating module 322, configured to update the corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message exists;
an alarm creating module 323, configured to create a corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message does not exist.
In one optional implementation, the first determining module includes: an extraction submodule, configured to extract the classification key field from the alarm message received by the receiving unit; and a first confirming submodule, configured to confirm that an alarm corresponding to the alarm message exists if, among the alarms of the current operation and maintenance, there is an alarm that performs message compression using the classification key field extracted by the extraction submodule, and otherwise to confirm that it does not exist.
In one optional embodiment, the classification key field includes an object field for representing an object and/or an index field for representing a monitoring index.
In one optional implementation, as shown in fig. 5, the merging unit 33 includes:
a second determining module 331, configured to determine whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the merging rule and the alarm compressed by the compressing unit;
an event processing module 332, configured to, if the second determining module determines that there is no alarm event corresponding to the alarm, create a corresponding alarm event according to the merge rule and the alarm, and establish a relationship between the alarm and the alarm event;
an event association module 333, configured to establish an association between the alarm and the alarm event if the second determining module determines that the alarm event corresponding to the alarm exists and the alarm is the currently created alarm.
In one optional implementation, the second determining module includes: a second determining submodule, configured to determine the identifier of the alarm event corresponding to the alarm according to the merging rule and the alarm; and a third determining submodule, configured to determine that the alarm event corresponding to the alarm exists if the identifier determined by the second determining submodule exists among the identifiers of the alarm events of the current operation and maintenance, and otherwise to determine that it does not exist.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process and corresponding beneficial effects of the apparatus described above may refer to the corresponding process in the foregoing method embodiments, and are not described herein again.
The information processing device identifies each alarm message to determine whether messages belong to the same alarm, treats alarm messages of the same type as one alarm, and compresses them into that alarm. Different alarms are merged according to a preset merging rule, and the merged alarms are called an alarm event. Finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as the unit. For massive, continuous and redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that operation and maintenance personnel receive effective alarm notifications. The invention can efficiently compress alarm messages, reduce their frequency, reduce the interference that a large volume of alarm messages causes to operation and maintenance personnel, and improve operation and maintenance efficiency. In actual production verification, the suppression function of the invention effectively reduces the number of alarm notifications sent to users, and the actual compression rate is between 50% and 95% depending on the type of client.
Yet another embodiment of the present invention also provides an information handling system, comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for:
receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source;
compressing the same type of alarm messages to generate alarms according to the alarm messages, wherein the alarms are message lists formed by compressing the same type of alarm messages;
merging the alarms according to a preset merging rule to generate an alarm event, wherein the alarm event is an alarm list formed by merging the alarms according with the corresponding merging rule;
and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit.
Another embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, wherein the program is configured to implement the information processing method according to the above-described embodiment when executed by a processor.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process and corresponding beneficial effects of the program in the system and the storage medium described above may refer to the corresponding process in the foregoing method embodiments, and details are not described herein again.
The information processing system and the storage medium provided by the invention identify each alarm message to determine whether messages belong to the same alarm, treat alarm messages of the same type as one alarm, and compress them into that alarm. Different alarms are merged according to a preset merging rule, and the merged alarms are called an alarm event. Finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as the unit. For massive, continuous and redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that operation and maintenance personnel receive effective alarm notifications. The invention can efficiently compress alarm messages, reduce their frequency, reduce the interference that a large volume of alarm messages causes to operation and maintenance personnel, and improve operation and maintenance efficiency. In actual production verification, the suppression function of the invention effectively reduces the number of alarm notifications sent to users, and the actual compression rate is between 50% and 95% depending on the type of client.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.
Claims (15)
1. An information processing method, characterized by comprising:
receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source and comprises a plurality of fields; the fields comprise an alarm source name, an alarm state, object information and index information; the alarm state represents the level of the alarm message, and the level of the alarm message comprises a plurality of levels; the object information is used for identifying the object in the alarm source that sends the alarm and comprises a host, a service, an application and a business in the alarm source; the index information is empty or a monitored index, and the monitored index comprises a CPU average utilization rate, a memory utilization rate and a packet loss rate;
compressing alarm messages of the same type according to the alarm messages to generate alarms, wherein an alarm is a message list formed by compressing alarm messages of the same type; specific fields in the alarm message are used as the standard for classifying alarm messages as the same type, and alarm messages of the same type are alarm messages having the same fields, namely: the same object field; the same index field; or the same object field and the same index field; wherein the same object field refers to the same object information, the same index field refers to the same index information, and the same index information further comprises or does not comprise an index description field;
merging the alarms according to preset merging rules to generate alarm events, wherein an alarm event is an alarm list formed by merging the alarms that conform to the corresponding merging rule; there are 5 default merging rules, with priority from high to low: alarm merging based on the Host field, alarm merging based on the service field, alarm merging based on the application field, alarm merging based on the business field, and upgrade alarm merging based on the cluster field; newly generated alarms are matched against the merging rules in priority order, and an alarm event is generated according to the matched merging rule; wherein the judgment is made according to the main key and the check of the alarm message, and if both items are the same in two alarm messages, the messages are regarded as the same alarm message and alarm compression is performed; the check refers to the check item of the alarm message, and the check item comprises an index field or is empty; the alarm message has only one main key, and when a plurality of APP Keys exist at the same time, the priority of the main key from high to low is: host -> service -> application -> business;
and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit, wherein the display levels of the alarm message, the alarm and the alarm event are as follows: alarm events are displayed in the alarm event list, one or more alarms are displayed in each alarm event, and one or more alarm messages are displayed under each alarm.
2. The method of claim 1, wherein compressing the same type of alert message to generate an alert according to the alert message comprises:
determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message;
if the alarm corresponding to the alarm message exists, updating the corresponding alarm according to the alarm message;
and if the alarm corresponding to the alarm message does not exist, establishing a corresponding alarm according to the alarm message.
3. The method according to claim 2, wherein the determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message comprises:
extracting a classification key field according to the alarm message;
if the alarm for message compression by using the classification key field exists in the alarms of the current operation and maintenance, determining that the alarm corresponding to the alarm message exists; otherwise it is not present.
4. The method of claim 3, wherein the classification key field comprises an object field for representing an object and/or a metric field for representing a monitoring metric.
5. The method according to claim 1, wherein the merging the alarms to generate an alarm event according to a preset merging rule comprises:
determining whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the combination rule and the alarm;
if the alarm event corresponding to the alarm does not exist, establishing a corresponding alarm event according to the combination rule and the alarm and establishing the association between the alarm and the alarm event;
and if an alarm event corresponding to the alarm exists and the alarm is the current established alarm, establishing the association between the alarm and the alarm event.
6. The method of claim 5, wherein the determining whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the merge rule and the alarm comprises:
determining the identifier of an alarm event corresponding to the alarm according to the combination rule and the alarm;
if the determined identifier of the alarm event corresponding to the alarm exists among the identifiers of the alarm events of the current operation and maintenance, determining that the alarm event corresponding to the alarm exists; otherwise it is not present.
7. The method of any of claims 1-6, wherein the operation and maintenance scope is a time window.
8. An information processing apparatus characterized by comprising:
a receiving unit, configured to receive an alarm message, wherein the alarm message is an original alarm message sent by an alarm source and comprises a plurality of fields; the fields comprise an alarm source name, an alarm state, object information and index information; the alarm state represents the level of the alarm message, and the level of the alarm message comprises a plurality of levels; the object information is used for identifying the object in the alarm source that sends the alarm and comprises a host, a service, an application and a business in the alarm source; the index information is empty or a monitored index, and the monitored index comprises a CPU average utilization rate, a memory utilization rate and a packet loss rate;
a compressing unit, configured to compress alarm messages of the same type according to the alarm messages received by the receiving unit to generate alarms, wherein an alarm is a message list formed by compressing alarm messages of the same type; specific fields in the alarm message are used as the standard for classifying alarm messages as the same type, and alarm messages of the same type are alarm messages having the same fields, namely: the same object field; the same index field; or the same object field and the same index field; wherein the same object field refers to the same object information, the same index field refers to the same index information, and the same index information further comprises or does not comprise an index description field;
a merging unit, configured to merge the alarms compressed by the compressing unit according to preset merging rules to generate alarm events, wherein an alarm event is an alarm list formed by merging the alarms that conform to the corresponding merging rule; there are 5 default merging rules, with priority from high to low: alarm merging based on the Host field, alarm merging based on the service field, alarm merging based on the application field, alarm merging based on the business field, and upgrade alarm merging based on the cluster field; newly generated alarms are matched against the merging rules in priority order, and an alarm event is generated according to the matched merging rule; wherein the judgment is made according to the main key and the check of the alarm message, and if both items are the same in two alarm messages, the messages are regarded as the same alarm message and alarm compression is performed; the check refers to the check item of the alarm message, and the check item comprises an index field or is empty; the alarm message has only one main key, and when a plurality of APP Keys exist at the same time, the priority of the main key from high to low is: host -> service -> application -> business;
and a notification unit, configured to notify the alarm events obtained by the merging unit by taking a preset operation and maintenance range corresponding to the alarm events as a unit, wherein the display levels of the alarm messages, the alarms and the alarm events are as follows: alarm events are displayed in the alarm event list, one or more alarms are displayed in each alarm event, and one or more alarm messages are displayed under each alarm.
9. The apparatus of claim 8, wherein the compression unit comprises:
the first determining module is used for determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message received by the receiving unit;
the alarm updating module is used for updating the corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message exists;
and the alarm creating module is used for creating a corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message does not exist.
10. The apparatus of claim 9, wherein the first determining module comprises:
the extraction submodule is used for extracting the classification key field according to the alarm message received by the receiving unit;
the first determining submodule is used for determining that an alarm corresponding to the alarm message exists if the alarm of the current operation and maintenance carries out message compression by using the classification key field extracted by the extracting submodule; otherwise it is not present.
11. The apparatus of claim 10, wherein the classification key field comprises an object field for representing an object and/or a metric field for representing a monitoring metric.
12. The apparatus of claim 8, wherein the merging unit comprises:
the second determining module is used for determining whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the combination rule and the alarm obtained by compression of the compression unit;
the event processing module is used for creating a corresponding alarm event according to the combination rule and the alarm and establishing the association between the alarm and the alarm event if the second determining module determines that the alarm event corresponding to the alarm does not exist;
and the event correlation module is used for establishing the correlation between the alarm and the alarm event if the second determination module determines that the alarm event corresponding to the alarm exists and the alarm is the currently established alarm.
13. The apparatus of claim 12, wherein the second determining module comprises:
the second determining submodule is used for determining the identifier of the alarm event corresponding to the alarm according to the combination rule and the alarm;
the third determining submodule is used for determining that the alarm event corresponding to the alarm exists if the identifier of the alarm event corresponding to the alarm, which is determined by the second determining submodule, exists in the identifier corresponding to the alarm event of the current operation and maintenance; otherwise it is not present.
14. An information handling system comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs including instructions for:
receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source and comprises a plurality of fields; the fields comprise an alarm source name, an alarm state, object information and index information; the alarm state represents the level of the alarm message, and the level of the alarm message comprises a plurality of levels; the object information is used for identifying the object in the alarm source that sends the alarm and comprises a host, a service, an application and a business in the alarm source; the index information is empty or a monitored index, and the monitored index comprises a CPU average utilization rate, a memory utilization rate and a packet loss rate;
compressing alarm messages of the same type according to the alarm messages to generate alarms, wherein an alarm is a message list formed by compressing alarm messages of the same type; specific fields in the alarm message are used as the standard for classifying alarm messages as the same type, and alarm messages of the same type are alarm messages having the same fields, namely: the same object field; the same index field; or the same object field and the same index field; wherein the same object field refers to the same object information, the same index field refers to the same index information, and the same index information further comprises or does not comprise an index description field;
merging the alarms according to preset merging rules to generate alarm events, wherein an alarm event is an alarm list formed by merging the alarms that conform to the corresponding merging rule; there are 5 default merging rules, with priority from high to low: alarm merging based on the Host field, alarm merging based on the service field, alarm merging based on the application field, alarm merging based on the business field, and upgrade alarm merging based on the cluster field; newly generated alarms are matched against the merging rules in priority order, and an alarm event is generated according to the matched merging rule; wherein the judgment is made according to the main key and the check of the alarm message, and if both items are the same in two alarm messages, the messages are regarded as the same alarm message and alarm compression is performed; the check refers to the check item of the alarm message, and the check item comprises an index field or is empty; the alarm message has only one main key, and when a plurality of APP Keys exist at the same time, the priority of the main key from high to low is: host -> service -> application -> business;
and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit, wherein the display levels of the alarm message, the alarm and the alarm event are as follows: alarm events are displayed in the alarm event list, one or more alarms are displayed in each alarm event, and one or more alarm messages are displayed under each alarm.
15. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the information processing method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811483988.6A CN111294218B (en) | 2018-12-06 | 2018-12-06 | Information processing method, device, system and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111294218A (en) | 2020-06-16 |
CN111294218B (en) | 2022-07-26 |
Family
ID=71030824
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811483988.6A Active CN111294218B (en) | 2018-12-06 | 2018-12-06 | Information processing method, device, system and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111294218B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113347045A (en) * | 2021-06-30 | 2021-09-03 | 北京九章云极科技有限公司 | Alarm message processing method and device |
CN113326173B (en) * | 2021-08-04 | 2021-11-23 | 云智慧(北京)科技有限公司 | Method, device and equipment for processing alarm message |
CN115412422B (en) * | 2022-08-08 | 2024-02-20 | 浪潮云信息技术股份公司 | Dynamic window adjusting system |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101958803A (en) * | 2010-09-09 | 2011-01-26 | 中兴通讯股份有限公司 | Alarm compression system and method based on communication network |
CN105262629A (en) * | 2015-11-18 | 2016-01-20 | 上海斐讯数据通信技术有限公司 | Method and system enabling WebSocket in network management system to push alarm information |
CN106371986A (en) * | 2016-09-08 | 2017-02-01 | 上海新炬网络技术有限公司 | Log treatment operation and maintenance monitoring system |
CN106713017A (en) * | 2016-12-08 | 2017-05-24 | 国网北京市电力公司 | Alarm information processing method and apparatus |
CN107196804A (en) * | 2017-06-01 | 2017-09-22 | 国网山东省电力公司信息通信公司 | Power system terminal communication access network Centralized Alarm Monitoring system and method |
CN107679713A (en) * | 2017-09-16 | 2018-02-09 | 广西电网有限责任公司电力科学研究院 | A kind of power transmission and transformation equipment state alert processing method |
CN107832200A (en) * | 2017-10-24 | 2018-03-23 | 平安科技(深圳)有限公司 | Alert processing method, device, computer equipment and storage medium |
CN108847994A (en) * | 2018-07-25 | 2018-11-20 | 山东中创软件商用中间件股份有限公司 | Alarm localization method, device, equipment and storage medium based on data analysis |
-
2018
- 2018-12-06 CN CN201811483988.6A patent/CN111294218B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN111294218A (en) | 2020-06-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10129118B1 (en) | | Real time anomaly detection for data streams |
CN111294217B (en) | | Alarm analysis method, device, system and storage medium |
US9979608B2 (en) | | Context graph generation |
US9838483B2 (en) | | Methods, systems, and computer readable media for a network function virtualization information concentrator |
CN111294218B (en) | | Information processing method, device, system and storage medium |
US11150896B2 (en) | | Automated generation of service definitions for message queue application clients |
US9280437B2 (en) | | Dynamically scalable real-time system monitoring |
CN105573824B (en) | | Monitoring method and system for distributed computing system |
CN113254466B (en) | | Data processing method and device, electronic equipment and storage medium |
CN111309550A (en) | | Data acquisition method, system, equipment and storage medium of application program |
CN114363042B (en) | | Log analysis method, device, equipment and readable storage medium |
CN111538563A (en) | | Event analysis method and device for Kubernetes |
CN111782672B (en) | | Multi-field data management method and related device |
CN114090366A (en) | | Method, device and system for monitoring data |
CN111258798A (en) | | Fault positioning method and device for monitoring data, computer equipment and storage medium |
Solmaz et al. | | ALACA: A platform for dynamic alarm collection and alert notification in network management systems |
CN111352809A (en) | | Distributed alarm method, system and computer readable storage medium |
CN113590437A (en) | | Alarm information processing method, device, equipment and medium |
CN112134719A (en) | | Method and system for analyzing base station security log |
CN112149975B (en) | | APM monitoring system and method based on artificial intelligence |
EP3011456B1 (en) | | Sorted event monitoring by context partition |
CN113760634A (en) | | Data processing method and device |
CN114756301A (en) | | Log processing method, device and system |
CN114860782A (en) | | Data query method, device, equipment and medium |
CN110677271B (en) | | Big data alarm method, device, equipment and storage medium based on ELK |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||