CN111294218B - Information processing method, device, system and storage medium - Google Patents


Publication number
CN111294218B
Authority
CN
China
Prior art keywords
alarm
message
event
field
alarms
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811483988.6A
Other languages
Chinese (zh)
Other versions
CN111294218A (en)
Inventor
陈泉伯
陆兴海
孔文
阙裕斌
胡升跃
张晶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cloudwise Beijing Technology Co Ltd
Original Assignee
Cloudwise Beijing Technology Co Ltd
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06: Management of faults, events, alarms or notifications

Abstract

The invention provides an information processing method, an information processing device, an information processing system and a storage medium, which are applied to the field of operation and maintenance monitoring, wherein the information processing method comprises the following steps: receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source; compressing the same type of alarm messages to generate alarms according to the alarm messages, wherein the alarms are message lists formed by compressing the same type of alarm messages; merging the alarms according to a preset merging rule to generate an alarm event, wherein the alarm event is an alarm list formed by merging the alarms according with the corresponding merging rule; and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit. The invention can efficiently compress the alarm message, reduce the frequency of the alarm message, reduce the interference of a large amount of alarm messages to operation and maintenance personnel and improve the operation and maintenance work efficiency.

Description

Information processing method, device, system and storage medium
Technical Field
The present invention relates to the field of operation and maintenance monitoring, and in particular, to an information processing method, apparatus, system, and storage medium.
Background
Operation and maintenance monitoring is a general name for a series of IT management products. The products in an operation and maintenance monitoring system are powerful, easy to use and provide complete solutions, and can meet users' various IT management requirements in a one-stop manner.
More and more customers are considering or adopting a business focused solution. However, after the business system is centralized, not only the working intensity of operation and maintenance is increased, but also the centralized system becomes more complicated. An effective system and an application monitoring system become keys for knowing service resource use conditions, timely discovering hidden dangers which may cause system faults and realizing system operation guarantee.
On the other hand, by means of the centralized monitoring solution, a user can correctly and timely know the running state of the system, find bottlenecks affecting the running of the whole system, help system personnel to carry out necessary system optimization and configuration change, and even provide basis for upgrading and expanding the system. The powerful monitoring and diagnostic tool can also help operation and maintenance personnel to quickly analyze the cause of the application fault and release the cause from complicated and repeated labor.
Thus, many customers' IT departments place demands on the establishment of a centralized IT management system, the monitored content including networks, servers, databases, middleware, and applications. Faults in the system are discovered in time through the centralized monitoring system, and the fault processing time is shortened.
However, most conventional operation and maintenance monitoring triggers alarms according to a fixed threshold. This monitoring mode may frequently run into problems such as erroneous alarms, missed reports and alarm storms, and may seriously interfere with the work efficiency of operation and maintenance personnel.
Disclosure of Invention
The invention provides an information processing method, device, system and storage medium, aimed at the technical problem that existing monitoring modes frequently encounter erroneous alarms, missed reports, alarm storms and similar problems that seriously interfere with the working efficiency of operation and maintenance personnel.
In a first aspect, an embodiment of the present invention provides an information processing method, including: receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source; compressing alarm messages of the same type according to the alarm message to generate an alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type; combining the alarms according to a preset combination rule to generate an alarm event, wherein the alarm event is an alarm list formed by combining the alarms that conform to the corresponding combination rule; and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit [in a specific embodiment, a time window is used as the threshold; if the time window is exceeded, the event is no longer under operation and maintenance, and an event needs to be created].
In one optional implementation, compressing alarm messages of the same type according to the alarm message to generate an alarm includes: determining, according to the alarm message, whether an alarm corresponding to the alarm message exists among the alarms currently under operation and maintenance; if the alarm corresponding to the alarm message exists, updating the corresponding alarm according to the alarm message; and if it does not exist [that is, the alarm was closed after exceeding the time window, was closed after its status recovered, or was never created], creating the corresponding alarm according to the alarm message.
In one optional implementation, determining, according to the alarm message, whether an alarm corresponding to the alarm message exists among the alarms currently under operation and maintenance includes: extracting a classification key field from the alarm message; if an alarm that compresses messages using that classification key field exists among the alarms currently under operation and maintenance, determining that the alarm corresponding to the alarm message exists; otherwise, determining that it does not exist.
In one optional embodiment, the classification key field includes an object field for representing an object and/or an index field for representing a monitoring index.
In one optional embodiment, merging the alarms according to a preset merging rule to generate an alarm event includes: determining, according to the combination rule and the alarm, whether an alarm event corresponding to the alarm exists among the events currently under operation and maintenance; if the alarm event corresponding to the alarm does not exist [absence of the alarm event means that it was never created, or was closed because it exceeded the operation and maintenance range], creating the corresponding alarm event according to the combination rule and the alarm, and establishing the association between the alarm and the alarm event; and if an alarm event corresponding to the alarm exists and the alarm is the currently created alarm, establishing the association between the alarm and the alarm event.
In one optional implementation, determining, according to the merge rule and the alarm, whether an alarm event corresponding to the alarm exists among the events currently under operation and maintenance includes: determining the identifier of the alarm event corresponding to the alarm according to the combination rule and the alarm; if that identifier exists among the identifiers of the alarm events currently under operation and maintenance, determining that the alarm event corresponding to the alarm exists; otherwise, determining that it does not exist.
In one optional implementation, the operation and maintenance range is a time window.
In a second aspect, an embodiment of the present invention further provides an information processing apparatus, including:
a receiving unit, configured to receive an alarm message, where the alarm message is an original alarm message sent by an alarm source;
the compression unit is used for compressing the same type of alarm information according to the alarm information received by the receiving unit to generate an alarm, and the alarm is a message list formed by compressing the same type of alarm information;
the merging unit is used for merging the alarms obtained by compression of the compression unit according to a preset merging rule to generate an alarm event, wherein the alarm event is an alarm list formed by merging the alarms conforming to the corresponding merging rule;
and the notification unit is used for notifying the alarm events obtained by combining the combining units by taking a preset operation and maintenance range corresponding to the alarm events as a unit.
In one optional embodiment, the compressing unit includes:
the first determining module is used for determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message received by the receiving unit;
the alarm updating module is used for updating the corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message exists;
and the alarm creating module is used for creating a corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message does not exist.
In one optional implementation, the first determining module includes:
the extraction submodule is used for extracting a classification key field according to the alarm message received by the receiving unit;
the first determining submodule is used for determining that an alarm corresponding to the alarm message exists if the alarm of the current operation and maintenance carries out message compression by using the classification key field extracted by the extracting submodule; otherwise it is not present.
In one optional embodiment, the classification key field includes an object field for representing an object and/or an index field for representing a monitoring index.
In one optional implementation, the merging unit includes:
the second determining module is used for determining whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the combination rule and the alarm obtained by compression of the compression unit;
the event processing module is used for creating a corresponding alarm event according to the combination rule and the alarm and establishing the association between the alarm and the alarm event if the second determining module determines that the alarm event corresponding to the alarm does not exist;
and the event correlation module is used for establishing the correlation between the alarm and the alarm event if the second determination module determines that the alarm event corresponding to the alarm exists and the alarm is the currently established alarm.
In an optional implementation manner, the second determining module includes:
the second determining submodule is used for determining the identifier of the alarm event corresponding to the alarm according to the combination rule and the alarm;
the third determining submodule is used for determining that the alarm event corresponding to the alarm exists if the identifier of the alarm event corresponding to the alarm, which is determined by the second determining submodule, exists in the identifier corresponding to the alarm event of the current operation and maintenance; otherwise it is not present.
In a third aspect, embodiments of the present invention also provide an information processing system, comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for:
receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source;
compressing the same type of alarm messages to generate alarms according to the alarm messages, wherein the alarms are message lists formed by compressing the same type of alarm messages;
combining the alarms according to a preset combination rule to generate an alarm event, wherein the alarm event is an alarm list formed by combining the alarms according with the corresponding combination rule;
and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the information processing method described above.
The information processing method, device, system and storage medium provided by the invention identify each alarm message to determine whether it belongs to an existing alarm, treat alarm messages of the same type as one alarm, and compress the alarm messages of that alarm together. Different alarms are combined according to a preset combination rule, and the combined alarms are called an alarm event. Finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as the unit. For massive, continuous and redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that operation and maintenance personnel receive effective alarm notifications. The invention can efficiently compress alarm messages, reduce their frequency, reduce the interference that a large number of alarm messages causes to operation and maintenance personnel, and improve operation and maintenance work efficiency.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic flowchart of an information processing method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an information processing method according to another embodiment of the present invention;
Fig. 3 is a schematic diagram of an information processing apparatus according to another embodiment of the present invention;
Fig. 4 is a schematic diagram showing a configuration of a compression unit in the information processing apparatus shown in Fig. 3;
Fig. 5 is a schematic diagram of a configuration of a merging unit in the information processing apparatus shown in Fig. 3.
With the foregoing drawings in mind, certain embodiments of the disclosure have been shown and described in more detail below. These drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the concepts of the disclosure to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
The following describes the technical solutions of the present invention and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
As shown in fig. 1, an embodiment of the present invention provides an information processing method, where an execution subject of the method may be an information processing apparatus or an information processing system, and the method includes:
Step 101, receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source.
In this embodiment, the alarm source is a system that sends original alarm messages to this system; it may take the form of an app, or may be a web application such as a website. The alarm source may access the execution body of the method through an API. The alarm message includes a plurality of fields, which generally include an alarm source name, an alarm status, object information and index information. The alarm status represents the level of the alarm message and may have several levels, for example 4 levels: disaster, severe, warning and normal. It may also be divided into 3 levels or 5 levels, which is not limited here, but the alarm status must be included in the alarm message. The object information identifies the object in the alarm source that issues the alarm, such as a host, a service, an application or a business in the alarm source. The index information may be null, or may be a monitored index such as average CPU utilization, memory utilization or packet loss rate.
Step 102, compressing alarm messages of the same type according to the alarm message to generate an alarm, wherein the alarm is a message list formed by compressing alarm messages of the same type.
Specifically, alarm messages of the same type may be alarm messages that share the same field: the same object field (i.e., object information), the same index field (i.e., index information; note that the index information may include only the index field, or both the index field and an index description field), or both the same object field and the same index field. Without limitation, specific fields in the alarm message may be used as the criterion for classifying alarm messages of the same type.
Step 103, combining the alarms according to a preset combination rule to generate an alarm event, wherein the alarm event is an alarm list formed by combining the alarms that conform to the corresponding combination rule.
In this embodiment, the preset merge rule may be a default merge rule of the execution subject, or may be a user-defined merge rule, for example:
There are 5 default merging rules, in priority order from high to low: alarm combination based on the host field, alarm combination based on the service field, alarm combination based on the application field, alarm combination based on the business field, and upgrading alarm combination based on the cluster field. A newly generated alarm is matched against the combination rules in priority order, and an event is generated according to the combination rule that matches.
Or, the user defines the rule name, description and operation and maintenance range in a page displayed by the execution subject. When the alarm rule is defined, combination across alarm sources and combination by label are supported. The screening condition of a rule supports matching conditions such as equal, unequal, in list and not in list, and supports adding "and" or "or". The custom combination rule supports the definition of an operation and maintenance range; within that range, any alarm that meets the preset combination rule can be combined into an alarm event. In one embodiment, the operation and maintenance range may be a time window, and the alarm or alarm event is in the operation and maintenance state during the corresponding time window. The operation and maintenance range may also be, for example, the number of times alarm messages of the same type are raised, which is not limited here.
In addition, the specific merge rule in the present embodiment is not limited herein, and the above description is only presented by way of example to facilitate understanding of those skilled in the art.
Step 104, notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit.
In this embodiment, the display hierarchy of alarm messages, alarms and alarm events is as follows: alarm events are displayed in the alarm event list, one or more alarms are displayed within each alarm event, and one or more alarm messages are displayed under each alarm. The alarm event may be viewed as an alarm list and the alarm as an alarm message list.
The information processing method identifies each alarm message to determine whether it belongs to an existing alarm, treats alarm messages of the same type as one alarm, and compresses the alarm messages of that alarm together. Different alarms are combined according to a preset combination rule, and the combined alarms are called an alarm event. Finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as the unit. For massive, continuous and redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that operation and maintenance personnel receive effective alarm notifications. The invention can efficiently compress alarm messages, reduce their frequency, reduce the interference that a large number of alarm messages causes to operation and maintenance personnel, and improve operation and maintenance work efficiency. Verification in actual production shows that the suppression function of the invention effectively reduces the number of alarm notifications sent to users; the actual compression rate is between 50% and 95%, depending on the type of client.
On the basis of the foregoing embodiment, in order to further explain the data processing method provided by the present invention, fig. 2 is a schematic flow chart of an information processing method according to another embodiment of the present invention. As shown in fig. 2, the information processing method includes:
Step 201, receiving an alarm message.
In this embodiment, the implementation manner of step 201 is the same as that of step 101, and is not described herein again.
In an alternative embodiment, the alarm message may be a JSON string that conforms to the JSON syntax. JSON (JavaScript Object Notation) is a lightweight data exchange format. Based on a subset of ECMAScript (the JS specification defined by the European Computer Manufacturers Association), it stores and represents data in a text format that is completely independent of the programming language. Its compact and clear hierarchy makes JSON an ideal data exchange language. It is easy for people to read and write and easy for machines to parse and generate, and effectively improves network transmission efficiency.
In an optional real-time scenario, the API through which the alarm source accesses the execution body is a REST API. Any device that supports sending HTTP requests can interact with the execution body through the REST API, which may be used to implement the following functions, for example: a mobile website can acquire data from the execution body through JavaScript; a website can present data from the execution body; a large amount of data can be uploaded and later read by a mobile app; recent data can be downloaded for custom analysis and statistics; programs written in any language can manipulate data on the execution body; and all data can be exported when the execution body is no longer needed.
Step 202, determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message, if so, executing step 203, and if not, executing step 204.
In an alternative embodiment, step 202 may include extracting a classification key field from the alarm message; if an alarm that compresses messages using that classification key field exists among the alarms currently under operation and maintenance, determining that the alarm corresponding to the alarm message exists; otherwise, determining that it does not exist. For example, when the classification key field is used as the identifier or name of the alarm, the classification key field of the alarm message may be extracted and matched against the identifiers or names of the alarms currently under operation and maintenance.
In an optional embodiment, the classification key field includes an object field for representing an object and/or an index field for representing a monitoring index. The concrete expression form of the object field may be an application Key (APP Key) agreed with the execution subject of the method, or may be other identification information for identifying a unique identity, which is not limited herein.
In an optional embodiment, the operation and maintenance standard of an alarm may be the alarm status of an alarm message in the alarm: if the alarm status is normal, the alarm may leave operation and maintenance. The operation and maintenance standard of the alarm may also be a time window: when the end point of the time window is reached, the alarm may leave operation and maintenance. If the time window is used as the operation and maintenance standard, then when an alarm message is generated or received within the time window, the alarm message is understood to have found a corresponding alarm, and that alarm is currently in the operation and maintenance state.
Step 203, updating the corresponding alarm according to the alarm message.
In this embodiment, updating the corresponding alarm may mean overwriting the same alarm message in the alarm with the new alarm message, so that only the latest alarm message is shown within the dimension related to the operation and maintenance range, or adding the alarm message to the corresponding alarm, which is not limited herein.
It should be noted that, because of the display relationship among alarm messages, alarms and alarm events, when an alarm message is received and an alarm corresponding to it exists, the alarm event corresponding to that alarm is within its operation and maintenance range; otherwise, the alarm will be upgraded to the corresponding alarm event. Therefore, when an alarm corresponding to the alarm message currently exists, the alarm event corresponding to the alarm is within the operation and maintenance range, and after the alarm message is updated, alarm notification is performed when the operation and maintenance range of the alarm event reaches the threshold. During this process, the alarm is updated in real time according to the alarm messages received in real time, until the operation and maintenance range of the alarm event reaches the threshold.
Step 204, creating a corresponding alarm according to the alarm message.
Specifically, when the alarm message has no corresponding alarm, the classification key field may be used as the identifier of the alarm message, the alarm message is upgraded to an alarm, and alarm messages of the same type are updated in real time within the subsequent operation and maintenance range of the alarm.
Step 205, determining whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the combination rule and the alarm; if not, go to step 206; if yes and the alarm is the currently created alarm, go to step 207.
In an alternative embodiment, step 205 may include determining the identifier of the alarm event corresponding to the alarm according to the merging rule and the alarm; if that identifier exists among the identifiers of the alarm events currently under operation and maintenance, determining that the alarm event corresponding to the alarm exists; otherwise, determining that it does not exist.
In an alternative embodiment, the merging rule is used to merge multiple alarms belonging to the same or similar faults; the merged alarms are referred to as an alarm event, and each event represents a set of one or similar faults.
Step 206, creating a corresponding alarm event according to the combination rule and the alarm and establishing the association between the alarm and the alarm event.
Step 207, establishing the association of the alarm and the alarm event.
Step 208, notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit.
The information processing method identifies each alarm message to determine whether it belongs to an existing alarm, treats alarm messages of the same type as one alarm, and compresses the alarm messages of that alarm together. Different alarms are combined according to a preset combination rule, and the combined alarms are called an alarm event. Finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as the unit. For massive, continuous and redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that operation and maintenance personnel receive effective alarm notifications. The invention can efficiently compress alarm messages, reduce their frequency, reduce the interference that a large number of alarm messages causes to operation and maintenance personnel, and improve operation and maintenance work efficiency. Verification in actual production shows that the suppression function of the invention effectively reduces the number of alarm notifications sent to users; the actual compression rate is between 50% and 95%, depending on the type of client.
To help those skilled in the art better understand the information processing method provided by the embodiment of the present invention, a specific example is explained. A large system contains several online shopping malls, office systems and financial systems, and involves multiple machine rooms and dozens of business systems. With the information processing method provided by the embodiment of the invention, the alarm messages of the basic environment and the business systems are uniformly fed into the executing entity of the method through a REST API. The basic environment refers to the operating environment of the user's applications, such as a physical machine, a virtual machine, a cloud environment, or a hybrid environment; this environment holds the containers, databases and so on of the user's applications. For a bank, for example, the bank's app or online website may be called a business system.
When an alarm source in the system is first connected to the executing entity of the method, a corresponding APP Key is assigned to each object in the alarm source, so that during later operation and maintenance the alarm source carries the APP Key when it sends an alarm message to the executing entity, where it serves as the object information of the monitored object.
In this embodiment, alarm messages are received through the REST API as the original alarm messages generated by the alarm sources; alarm messages of the same object and the same index are compressed into one alarm; the alarms are then merged on a shared field (such as cluster) according to a preset merging rule to become an alarm event.
Specifically, the determination is based on the main key and the check of the alarm message (the check, i.e. the check item or index field of the alarm message, may be empty); if both items have the same content in two alarm messages, the two are regarded as the same alarm message and alarm compression is performed.
It is worth noting that an alarm message has one and only one main key; when several APP Keys are present at the same time, the priority of the main key is, from high to low: host -> service -> application -> business.
In this embodiment, the operation and maintenance range for alarm compression is a default time window. Within the default time window, as long as the alarm status remains not OK, all alarm messages with the same main key and check item stay under the current alarm. Within the default time window, the alarm is recovered when its status becomes OK. If an alarm message is generated again after the alarm has ended, the alarm is reopened within the default time window. The content of the alarm is updated with the latest message. Once the default time window has been exceeded, a new alarm is created for the incoming alarm message.
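The compression and merging behaviour of this example can be sketched as follows; this is an added illustration, not code from the patent. The window length, the choice to measure the window from the alarm's first message, the (field, value) event identifier, the rule that a merging rule matches when the alarm carries that field, and all sample messages are assumptions.

```python
from dataclasses import dataclass, field

# Main-key priority stated in the description: host > service > application > business.
KEY_PRIORITY = ("host", "service", "application", "business")
# The five default merging rules, highest priority first.
DEFAULT_RULES = KEY_PRIORITY + ("cluster",)
WINDOW_SECONDS = 600  # assumed; the description only says "default time window"


@dataclass
class Alarm:
    key: tuple        # ((object type, object value), check or None)
    opened_at: float  # timestamp of the first message (assumed window start)
    status: str
    latest: dict      # alarm content always reflects the latest message
    messages: list = field(default_factory=list)


@dataclass
class Event:
    event_id: tuple   # assumed identifier: (merging-rule field, field value)
    alarms: list = field(default_factory=list)


def main_key(msg):
    """Return the single main key: the highest-priority object field present."""
    for name in KEY_PRIORITY:
        if msg.get(name):
            return (name, msg[name])
    raise ValueError("alarm message carries no object field")


class Suppressor:
    def __init__(self, window=WINDOW_SECONDS, rules=DEFAULT_RULES):
        self.window = window
        self.rules = rules
        self.current = {}  # compression key -> current Alarm
        self.events = {}   # event id -> Event

    def ingest(self, msg):
        """Compress one raw message into an alarm; merge newly created alarms."""
        key = (main_key(msg), msg.get("check") or None)  # the check may be empty
        alarm = self.current.get(key)
        if alarm is not None and msg["ts"] - alarm.opened_at <= self.window:
            # Same main key and check inside the window: update in place.
            # A non-OK message arriving after an OK one reopens the same alarm.
            alarm.status = msg["status"]
            alarm.latest = msg
            alarm.messages.append(msg)  # every raw message is kept under the alarm
            return alarm
        # No current alarm, or the window has been exceeded: create a new alarm.
        alarm = Alarm(key, msg["ts"], msg["status"], msg, [msg])
        self.current[key] = alarm
        self._merge(alarm)
        return alarm

    def _merge(self, alarm):
        """Match a new alarm against the merging rules in priority order."""
        for rule in self.rules:
            value = alarm.latest.get(rule)
            if value:
                event_id = (rule, value)
                event = self.events.setdefault(event_id, Event(event_id))
                event.alarms.append(alarm)
                return event
        return None


# Constructed sample messages (not taken from the patent).
SAMPLE = [
    {"ts": 0, "host": "web-01", "cluster": "c1", "check": "cpu", "status": "CRITICAL"},
    {"ts": 60, "host": "web-01", "cluster": "c1", "check": "cpu", "status": "CRITICAL"},
    {"ts": 120, "host": "web-01", "cluster": "c1", "check": "cpu", "status": "OK"},
    {"ts": 180, "host": "web-01", "cluster": "c1", "check": "cpu", "status": "WARNING"},
    {"ts": 200, "host": "web-01", "cluster": "c1", "check": "mem", "status": "WARNING"},
    {"ts": 900, "host": "web-01", "cluster": "c1", "check": "cpu", "status": "CRITICAL"},
    {"ts": 910, "host": "web-02", "service": "payments", "cluster": "c1",
     "check": "", "status": "CRITICAL"},
]


def replay(messages, **options):
    """Feed messages in order and return the resulting Suppressor state."""
    suppressor = Suppressor(**options)
    for msg in messages:
        suppressor.ingest(msg)
    return suppressor
```

With the default rules the seven sample messages collapse into two events, one per host; `replay(SAMPLE, rules=("cluster",))` merges all four alarms into a single cluster event.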
Before the information processing method provided by the embodiment of the invention was used, operation and maintenance work was heavily disturbed by frequent alarm notification messages. To avoid this disturbance, the operation and maintenance personnel of the large system could only temporarily switch off the monitoring functions of several systems, but doing so left the business systems and the basic environment unmonitored and made it impossible to control the quality of the whole operation and maintenance environment effectively in real time. After the information processing method provided by the embodiment of the invention was adopted, the number of messages sent was finally reduced from the original 500 to 1000 per day to an average of fewer than 100 per day, with zero loss of core content. The core content here refers to the alarm source name, the object information, the index information, and the alarm state in the alarm message. The core content of the alarm message is preserved when compression and merging are performed.
Fig. 3 is a schematic structural diagram of an information processing apparatus according to another embodiment of the present invention. As shown in fig. 3, the information processing apparatus includes:
a receiving unit 31, configured to receive an alarm message, where the alarm message is an original alarm message sent by an alarm source;
a compressing unit 32, configured to compress alarm messages of the same type, according to the alarm messages received by the receiving unit, to generate alarms, where an alarm is a message list formed by compressing alarm messages of the same type;
a merging unit 33, configured to merge the alarms compressed by the compressing unit according to a preset merging rule to generate an alarm event, where the alarm event is an alarm list formed by merging the alarms that conform to the corresponding merging rule;
a notifying unit 34, configured to notify the alarm event obtained by the merging unit, taking a preset operation and maintenance range corresponding to the alarm event as a unit.
In one optional embodiment, as shown in fig. 4, the compressing unit 32 includes:
a first determining module 321, configured to determine whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message received by the receiving unit;
an alarm updating module 322, configured to update the corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message exists;
an alarm creating module 323, configured to create a corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message does not exist.
In one optional implementation, the first determining module includes: the extraction submodule is used for extracting the classification key field according to the alarm message received by the receiving unit; the first confirming sub-module is used for confirming that an alarm corresponding to the alarm message exists if the alarm for message compression by using the classification key field extracted by the extracting sub-module exists in the alarm of the current operation and maintenance; otherwise it is not present.
In one optional embodiment, the classification key field includes an object field for representing an object and/or an index field for representing a monitoring index.
In one optional implementation, as shown in fig. 5, the merging unit 33 includes:
a second determining module 331, configured to determine whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the merging rule and the alarm compressed by the compressing unit;
an event processing module 332, configured to, if the second determining module determines that there is no alarm event corresponding to the alarm, create a corresponding alarm event according to the merge rule and the alarm, and establish a relationship between the alarm and the alarm event;
an event association module 333, configured to establish an association between the alarm and the alarm event if the second determining module determines that the alarm event corresponding to the alarm exists and the alarm is the currently created alarm.
In one optional implementation, the second determining module includes: a second determining submodule, configured to determine the identifier of the alarm event corresponding to the alarm according to the merging rule and the alarm; and a third determining submodule, configured to determine that the alarm event corresponding to the alarm exists if the identifier determined by the second determining submodule exists among the identifiers corresponding to the alarm events of the current operation and maintenance; otherwise it does not exist.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process and corresponding beneficial effects of the apparatus described above may refer to the corresponding process in the foregoing method embodiments, and are not described herein again.
The information processing device identifies the alarm messages to determine whether they belong to the same alarm, treats alarm messages of the same type as one alarm, and compresses them; different alarms are merged according to a preset merging rule, the merged alarms being called alarm events; finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as the unit. For massive and continuous redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that effective alarm notification is provided for operation and maintenance personnel. The invention can efficiently compress alarm messages, reduce their frequency, reduce the interference that massive alarm messages cause to operation and maintenance personnel, and improve operation and maintenance efficiency. Actual production verification shows that the suppression function of the invention effectively reduces the number of alarm notifications sent to the user, with an actual compression rate between 50% and 95% depending on the type of client.
Yet another embodiment of the present invention also provides an information handling system, comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for:
receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source;
compressing the same type of alarm messages to generate alarms according to the alarm messages, wherein the alarms are message lists formed by compressing the same type of alarm messages;
merging the alarms according to a preset merging rule to generate an alarm event, wherein the alarm event is an alarm list formed by merging the alarms according with the corresponding merging rule;
and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit.
Another embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, wherein the program is configured to implement the information processing method according to the above-described embodiment when executed by a processor.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process and corresponding beneficial effects of the program in the system and the storage medium described above may refer to the corresponding process in the foregoing method embodiments, and details are not described herein again.
The information processing system and the storage medium provided by the invention identify the alarm messages to determine whether they belong to the same alarm, treat alarm messages of the same type as one alarm, and compress them; different alarms are merged according to a preset merging rule, the merged alarms being called alarm events; finally, alarm notification is sent to the client with the event as the minimum granularity and the operation and maintenance range as the unit. For massive and continuous redundant alarm messages, the number of alarm messages is suppressed while the alarm content is preserved, so that effective alarm notification is provided for operation and maintenance personnel. The invention can efficiently compress alarm messages, reduce their frequency, reduce the interference that massive alarm messages cause to operation and maintenance personnel, and improve operation and maintenance efficiency. Actual production verification shows that the suppression function of the invention effectively reduces the number of alarm notifications sent to the user, with an actual compression rate between 50% and 95% depending on the type of client.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (15)

1. An information processing method, characterized by comprising:
receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source, the alarm message comprises a plurality of fields, the fields comprise alarm source names, alarm states, object information and index information, the alarm states represent the levels of the alarm message, the levels of the alarm message comprise a plurality of levels, the object information is used for identifying objects sending alarms in the alarm source, and comprises a host, a service, an application and a service business in the alarm source, the index information is empty or a monitored index, and the monitored index comprises a CPU average utilization rate, a memory utilization rate and a packet loss rate;
compressing the same type of alarm messages to generate alarms according to the alarm messages, wherein the alarms are message lists formed by compressing the same type of alarm messages, the same type of alarm messages are specific fields in the alarm messages, the specific fields are used as standards for dividing the same type of alarm messages, the same type of alarm messages comprise the alarm messages with the same fields, and the method comprises the following steps: the system comprises a same object field, a same index field, a same object field and a same index field, wherein the same object field refers to the same object information, the same index field refers to the same index information, and the same index information further comprises or does not comprise an index description field;
combining the alarms according to preset combination rules to generate alarm events, wherein the alarm events are alarm lists formed by combining the alarms conforming to the corresponding combination rules, the number of the default combination rules is 5, and the priority is from high to low: performing alarm combination based on the Host field, performing alarm combination based on the service field, performing alarm combination based on the application field, performing alarm combination based on the business field, and performing upgrade alarm combination based on the cluster field; the newly generated alarms are sequentially subjected to merging rule matching according to a priority sequence, and an alarm event is generated according to the matched merging rule, wherein judgment is carried out according to a main Key and a check of the alarm message, if the contents of the two items of alarm message are the same, the two items of alarm message are regarded as the same alarm message, and alarm compression is carried out, wherein the check refers to a check item of the alarm message, the check item comprises an index field or is empty, the alarm message has only one main Key, and when a plurality of APP keys exist at the same time, the priority of the main Key is from high to low: host- > service- > application- > business;
and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit, wherein the display levels of the alarm message, the alarm and the alarm event are as follows: and displaying the alarm event in the alarm event list, displaying one or more alarms in the alarm event, and displaying one or more alarm messages under each alarm.
2. The method of claim 1, wherein compressing the same type of alert message to generate an alert according to the alert message comprises:
determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message;
if the alarm corresponding to the alarm message exists, updating the corresponding alarm according to the alarm message;
and if the alarm corresponding to the alarm message does not exist, establishing a corresponding alarm according to the alarm message.
3. The method according to claim 2, wherein the determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message comprises:
extracting a classification key field according to the alarm message;
if the alarm for message compression by using the classification key field exists in the alarms of the current operation and maintenance, determining that the alarm corresponding to the alarm message exists; otherwise it is not present.
4. The method of claim 3, wherein the classification key field comprises an object field for representing an object and/or a metric field for representing a monitoring metric.
5. The method according to claim 1, wherein the merging the alarms to generate an alarm event according to a preset merging rule comprises:
determining whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the combination rule and the alarm;
if the alarm event corresponding to the alarm does not exist, establishing a corresponding alarm event according to the combination rule and the alarm and establishing the association between the alarm and the alarm event;
and if an alarm event corresponding to the alarm exists and the alarm is the current established alarm, establishing the association between the alarm and the alarm event.
6. The method of claim 5, wherein the determining whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the merge rule and the alarm comprises:
determining the identifier of an alarm event corresponding to the alarm according to the combination rule and the alarm;
if the identifier of the alarm event corresponding to the alarm exists among the identifiers corresponding to the alarm events of the current operation and maintenance, determining that the alarm event corresponding to the alarm exists; otherwise it does not exist.
7. The method of any of claims 1-6, wherein the operation and maintenance scope is a time window.
8. An information processing apparatus characterized by comprising:
a receiving unit, configured to receive an alarm message, where the alarm message is an original alarm message sent by an alarm source, the alarm message includes multiple fields, and the multiple fields include an alarm source name, an alarm state, object information, and indicator information, where the alarm state indicates a level of the alarm message, the level of the alarm message includes multiple levels, the object information is used to identify an object sending an alarm in the alarm source, and the object information includes a host, a service, an application, and a service business in the alarm source, where the indicator information is a null or monitored indicator, and the monitored indicator includes a CPU average utilization rate, a memory utilization rate, and a packet loss rate;
the compressing unit is used for compressing the same type of alarm messages according to the alarm messages received by the receiving unit to generate alarms, the alarms are message lists formed by compressing the same type of alarm messages, the same type of alarm messages are specific fields in the alarm messages, the specific fields are used as standards for dividing the same type of alarm messages, the same type of alarm messages comprise the alarm messages with the same fields, and the compressing unit comprises: the system comprises a same object field, a same index field, a same object field and a same index field, wherein the same object field refers to the same object information, the same index field refers to the same index information, and the same index information further comprises or does not comprise an index description field;
a merging unit, configured to merge the alarms compressed by the compression unit according to a preset merging rule to generate an alarm event, where the alarm event is an alarm list formed by merging alarms that meet the corresponding merging rule, and the default merging rules include 5, and the priorities from high to low are: performing alarm combination based on the Host field, performing alarm combination based on the service field, performing alarm combination based on the application field, performing alarm combination based on the business field, and performing upgrade alarm combination based on the cluster field; the newly generated alarms are sequentially matched with the merging rules according to the priority sequence, and an alarm event is generated according to the matched merging rules, wherein the judgment is carried out according to the main Key and the check of the alarm message, if the contents of the two items of alarms are the same, the two items of alarms are regarded as the same alarm message, and the alarm compression is carried out, wherein the check of the alarm message refers to the check item of the alarm message, the check item comprises an index field or is empty, the alarm message has only one main Key, and when a plurality of APP keys exist at the same time, the priority of the main Key is from high to low: host- > service- > application- > business;
and the notification unit is used for notifying the alarm events obtained by combining the combining units by taking a preset operation and maintenance range corresponding to the alarm events as a unit, wherein the display levels of the alarm messages, the alarms and the alarm events are as follows: and displaying the alarm events in the alarm event list, displaying one or more alarms in the alarm events, and displaying one or more alarm messages under each alarm.
9. The apparatus of claim 8, wherein the compression unit comprises:
the first determining module is used for determining whether an alarm corresponding to the alarm message exists in the alarms of the current operation and maintenance according to the alarm message received by the receiving unit;
the alarm updating module is used for updating the corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message exists;
and the alarm creating module is used for creating a corresponding alarm according to the alarm message if the first determining module determines that the alarm corresponding to the alarm message does not exist.
10. The apparatus of claim 9, wherein the first determining module comprises:
the extraction submodule is used for extracting the classification key field according to the alarm message received by the receiving unit;
the first determining submodule is used for determining that an alarm corresponding to the alarm message exists if the alarm of the current operation and maintenance carries out message compression by using the classification key field extracted by the extracting submodule; otherwise it is not present.
11. The apparatus of claim 10, wherein the classification key field comprises an object field for representing an object and/or a metric field for representing a monitoring metric.
12. The apparatus of claim 8, wherein the merging unit comprises:
the second determining module is used for determining whether an alarm event corresponding to the alarm exists in the current operation and maintenance events according to the combination rule and the alarm obtained by compression of the compression unit;
the event processing module is used for creating a corresponding alarm event according to the combination rule and the alarm and establishing the association between the alarm and the alarm event if the second determining module determines that the alarm event corresponding to the alarm does not exist;
and the event correlation module is used for establishing the correlation between the alarm and the alarm event if the second determination module determines that the alarm event corresponding to the alarm exists and the alarm is the currently established alarm.
13. The apparatus of claim 12, wherein the second determining module comprises:
the second determining submodule is used for determining the identifier of the alarm event corresponding to the alarm according to the combination rule and the alarm;
the third determining submodule is used for determining that the alarm event corresponding to the alarm exists if the identifier of the alarm event corresponding to the alarm, which is determined by the second determining submodule, exists in the identifier corresponding to the alarm event of the current operation and maintenance; otherwise it is not present.
14. An information handling system comprising a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs including instructions for:
receiving an alarm message, wherein the alarm message is an original alarm message sent by an alarm source, the alarm message comprises a plurality of fields, the fields comprise an alarm source name, an alarm state, object information and index information, the alarm state represents the level of the alarm message, the level of the alarm message comprises a plurality of levels, the object information is used for identifying an object sending an alarm in the alarm source and comprises a host, a service, an application and a service business in the alarm source, the index information is empty or a monitored index, and the monitored index comprises a CPU average utilization rate, a memory utilization rate and a packet loss rate;
compressing the same type of alarm messages to generate alarms according to the alarm messages, wherein the alarms are message lists formed by compressing the same type of alarm messages, the same type of alarm messages are specific fields in the alarm messages, the specific fields are used as standards for dividing the same type of alarm messages, the same type of alarm messages comprise the alarm messages with the same fields, and the method comprises the following steps: the system comprises the same object field, the same index field, the same object field and the same index field, wherein the same object field refers to the same object information, the same index field refers to the same index information, and the same index information also comprises or does not comprise an index description field;
combining the alarms according to preset combination rules to generate alarm events, wherein the alarm events are alarm lists formed by combining the alarms according with the corresponding combination rules, the number of the default combination rules is 5, and the priority levels are respectively from high to low: performing alarm combination based on the Host field, performing alarm combination based on the service field, performing alarm combination based on the application field, performing alarm combination based on the business field, and performing upgrade alarm combination based on the cluster field; the newly generated alarms are sequentially subjected to merging rule matching according to a priority sequence, and an alarm event is generated according to the matched merging rule, wherein judgment is carried out according to a main Key and a check of the alarm message, if the contents of the two items of alarm message are the same, the two items of alarm message are regarded as the same alarm message, and alarm compression is carried out, wherein the check refers to a check item of the alarm message, the check item comprises an index field or is empty, the alarm message has only one main Key, and when a plurality of APP keys exist at the same time, the priority of the main Key is from high to low: host- > service- > application- > business;
and notifying the alarm event by taking a preset operation and maintenance range corresponding to the alarm event as a unit, wherein the display levels of the alarm message, the alarm and the alarm event are as follows: and displaying the alarm event in the alarm event list, displaying one or more alarms in the alarm event, and displaying one or more alarm messages under each alarm.
15. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the information processing method of any one of claims 1 to 7.
CN201811483988.6A 2018-12-06 2018-12-06 Information processing method, device, system and storage medium Active CN111294218B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811483988.6A CN111294218B (en) 2018-12-06 2018-12-06 Information processing method, device, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811483988.6A CN111294218B (en) 2018-12-06 2018-12-06 Information processing method, device, system and storage medium

Publications (2)

Publication Number Publication Date
CN111294218A CN111294218A (en) 2020-06-16
CN111294218B true CN111294218B (en) 2022-07-26

Family

ID=71030824

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811483988.6A Active CN111294218B (en) 2018-12-06 2018-12-06 Information processing method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN111294218B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113347045A (en) * 2021-06-30 2021-09-03 北京九章云极科技有限公司 Alarm message processing method and device
CN113326173B (en) * 2021-08-04 2021-11-23 云智慧(北京)科技有限公司 Method, device and equipment for processing alarm message
CN115412422B (en) * 2022-08-08 2024-02-20 浪潮云信息技术股份公司 Dynamic window adjusting system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101958803A (en) * 2010-09-09 2011-01-26 中兴通讯股份有限公司 Alarm compression system and method based on communication network
CN105262629A (en) * 2015-11-18 2016-01-20 上海斐讯数据通信技术有限公司 Method and system enabling WebSocket in network management system to push alarm information
CN106371986A (en) * 2016-09-08 2017-02-01 上海新炬网络技术有限公司 Log treatment operation and maintenance monitoring system
CN106713017A (en) * 2016-12-08 2017-05-24 国网北京市电力公司 Alarm information processing method and apparatus
CN107196804A (en) * 2017-06-01 2017-09-22 国网山东省电力公司信息通信公司 Power system terminal communication access network Centralized Alarm Monitoring system and method
CN107679713A (en) * 2017-09-16 2018-02-09 广西电网有限责任公司电力科学研究院 A kind of power transmission and transformation equipment state alert processing method
CN107832200A (en) * 2017-10-24 2018-03-23 平安科技(深圳)有限公司 Alert processing method, device, computer equipment and storage medium
CN108847994A (en) * 2018-07-25 2018-11-20 山东中创软件商用中间件股份有限公司 Alarm localization method, device, equipment and storage medium based on data analysis

Also Published As

Publication number Publication date
CN111294218A (en) 2020-06-16

Similar Documents

Publication Publication Date Title
US10129118B1 (en) Real time anomaly detection for data streams
CN111294217B (en) Alarm analysis method, device, system and storage medium
US9979608B2 (en) Context graph generation
US9838483B2 (en) Methods, systems, and computer readable media for a network function virtualization information concentrator
CN111294218B (en) Information processing method, device, system and storage medium
US11150896B2 (en) Automated generation of service definitions for message queue application clients
US9280437B2 (en) Dynamically scalable real-time system monitoring
CN105573824B (en) Monitoring method and system for distributed computing system
CN113254466B (en) Data processing method and device, electronic equipment and storage medium
CN111309550A (en) Data acquisition method, system, equipment and storage medium of application program
CN114363042B (en) Log analysis method, device, equipment and readable storage medium
CN111538563A (en) Event analysis method and device for Kubernetes
CN111782672B (en) Multi-field data management method and related device
CN114090366A (en) Method, device and system for monitoring data
CN111258798A (en) Fault positioning method and device for monitoring data, computer equipment and storage medium
Solmaz et al. ALACA: A platform for dynamic alarm collection and alert notification in network management systems
CN111352809A (en) Distributed alarm method, system and computer readable storage medium
CN113590437A (en) Alarm information processing method, device, equipment and medium
CN112134719A (en) Method and system for analyzing base station security log
CN112149975B (en) APM monitoring system and method based on artificial intelligence
EP3011456B1 (en) Sorted event monitoring by context partition
CN113760634A (en) Data processing method and device
CN114756301A (en) Log processing method, device and system
CN114860782A (en) Data query method, device, equipment and medium
CN110677271B (en) Big data alarm method, device, equipment and storage medium based on ELK

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant