CN111880959A - Abnormity detection method and device and electronic equipment - Google Patents

Publication number
CN111880959A
Authority
CN
China
Prior art keywords
target
monitoring data
abnormal
index
time
Legal status
Pending
Application number
CN202010587758.5A
Other languages
Chinese (zh)
Inventor
赵俊峰
李晓丹
黄聘
龙金华
冯伟
王桉楠
周亮亮
王一帅
Current Assignee
Hanhai Information Technology Shanghai Co Ltd
Original Assignee
Hanhai Information Technology Shanghai Co Ltd
Application filed by Hanhai Information Technology Shanghai Co Ltd
Priority to CN202010587758.5A
Publication of CN111880959A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/079 Root cause analysis, i.e. error or fault diagnosis
    • G06F11/0706 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment

Abstract

The specification discloses an abnormality detection method, an abnormality detection device and electronic equipment, wherein the method comprises the following steps: acquiring target monitoring data of a target index of target equipment at a target moment; determining whether the target index is abnormal or not according to the target monitoring data; determining the abnormal reason of the target index under the condition that the target index is abnormal; and alarming the target equipment according to the abnormal reason.

Description

Abnormity detection method and device and electronic equipment
Technical Field
The present disclosure relates to the field of anomaly detection technologies, and more particularly, to an anomaly detection method, an anomaly detection apparatus, and an electronic device.
Background
The availability of a system is typically determined based on the mean time to failure and the mean time to repair. The mean time to failure is how long the system can operate normally, on average, before a fault occurs. The higher the reliability of the system, the longer the mean time to failure. The mean time to repair is the time from the occurrence of a fault to the repair of the fault, and the shorter the mean time to repair is, the higher the reliability of the system is. Generally, the availability of the system can be increased by reducing the mean time to repair of the system.
However, in the prior art, the state of the index is usually monitored according to a fixed threshold, and when the index is abnormal, an alarm is given, so that an engineer needs to manually analyze the abnormal index to determine the abnormal cause. This approach is strongly dependent on the engineer's experience and also has an impact on the timeliness of resolving anomalies.
Disclosure of Invention
An object of the present specification is to provide a new technical solution for detecting device abnormality.
According to a first aspect of the present specification, there is provided an abnormality detection method including:
acquiring target monitoring data of a target index of target equipment at a target moment;
determining whether the target index is abnormal or not according to the target monitoring data;
determining the abnormal reason of the target index under the condition that the target index is abnormal;
and alarming the target equipment according to the abnormal reason.
Optionally, the determining whether the target indicator is abnormal according to the target monitoring data includes:
determining whether the target monitoring data at the target moment is abnormal;
and determining that the target index is abnormal under the condition that target monitoring data of a set number of continuous target moments are abnormal.
Optionally, the determining whether the target monitoring data at the target time is abnormal includes:
acquiring historical monitoring data of the target index of the target equipment at a plurality of historical moments;
determining a reference value of the target index according to the historical monitoring data;
and determining whether the target monitoring data at the target moment is abnormal or not according to the target monitoring data and the reference value.
Optionally, the determining whether the target monitoring data at the target time is abnormal includes:
acquiring reference monitoring data of the target index of the target equipment at a reference time, wherein the reference time is a time before the target time;
according to the reference monitoring data, determining the predicted monitoring data of the target moment;
and determining whether the target monitoring data at the target moment is abnormal or not according to the predicted monitoring data and the target monitoring data at the target moment.
Optionally, the obtaining target monitoring data of the target index of the target device at the target time includes:
acquiring monitoring data of the target index of the target equipment in a target time segment, wherein the target time segment is a time segment corresponding to the target time;
determining the mean value and the standard deviation of the monitoring data in the target time segment;
and generating target monitoring data of the target time according to the mean value and the standard deviation.
Optionally, the determining the abnormal cause of the target index includes:
acquiring a selected characteristic, wherein the selected characteristic is a characteristic affecting a determination result of an abnormal reason of the target equipment;
obtaining a feature value of the selected feature of the target device;
and determining the abnormal reason of the target index according to the characteristic value based on a preset machine learning model.
Optionally, the alerting the target device according to the abnormality cause includes:
acquiring an alarm template corresponding to the abnormal reason;
generating alarm information according to the alarm template;
and pushing the alarm information to the target equipment to alarm the target equipment.
Optionally, the method further includes:
acquiring a user portrait of the target equipment;
determining an alarm strategy corresponding to the user portrait;
and alarming the target equipment according to the alarm strategy.
Optionally, the method further includes:
and displaying the target monitoring data in an interface.
According to a second aspect of the present specification, there is provided an abnormality detection apparatus comprising:
the data acquisition module is used for acquiring target monitoring data of a target index of the target equipment at a target moment;
the abnormality detection module is used for determining whether the target index is abnormal or not according to the target monitoring data;
the reason determining module is used for determining the abnormal reason of the target index under the condition that the target index is abnormal;
and the warning module is used for warning the target equipment according to the abnormal reason.
According to a third aspect of the present specification, there is provided an electronic apparatus comprising:
the apparatus according to the second aspect of the present description, or,
a processor and a memory for storing an executable computer program for controlling the processor to perform the method according to the first aspect of the present description.
The method has the advantages that anomaly detection can be performed on the target index of the target equipment according to the target monitoring data, the abnormal reason can be obtained through automatic analysis, and the target equipment is alarmed according to the abnormal reason, forming a closed loop of alarm pushing, so that the fault recovery time of the target equipment can be shortened and the availability of the target equipment can be improved.
Other features of the present description and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a block diagram of one example of a hardware configuration of an electronic device that can be used to implement embodiments of the present description.
Fig. 2 is a block diagram of another example of a hardware configuration of an electronic device that may be used to implement embodiments of the present description.
Fig. 3 is a flowchart illustrating an abnormality detection method according to an embodiment of the present disclosure.
Fig. 4 shows a schematic block diagram of an abnormality detection apparatus according to an embodiment of the present specification.
FIG. 5 illustrates a functional block diagram of an electronic device of one embodiment of the present description.
Detailed Description
Various exemplary embodiments of the present specification will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present specification unless specifically stated otherwise.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
< hardware configuration >
Fig. 1 and 2 are block diagrams of hardware configurations of electronic devices that can be used to implement embodiments of the present specification.
In one embodiment, as shown in FIG. 1, the electronic device 1000 may be a server 1100.
The server 1100 is a service point that provides processing, databases, and communications facilities. The server 1100 can be a unitary server or a distributed server across multiple computers or computer data centers. The server may be of various types, such as, but not limited to, a web server, a news server, a mail server, a message server, an advertisement server, a file server, an application server, an interaction server, a database server, or a proxy server. In some embodiments, each server may include hardware, software, or embedded logic components or a combination of two or more such components for performing the appropriate functions supported or implemented by the server.
In an embodiment, the server may be a blade server, a rack server, or a cloud server, or may be a server group composed of a plurality of servers, or may be implemented as a cloud architecture, for example, implemented by a server cluster deployed in a cloud, and may further include one or more of the above types of servers.
In this embodiment, the server 1100 may include a processor 1110, a memory 1120, an interface device 1130, a communication device 1140, a display device 1150, and an input device 1160, as shown in fig. 1.
In this embodiment, the server 1100 may also include a speaker, a microphone, and the like, which are not limited herein.
The processor 1110 may be a dedicated server processor, or may be a desktop processor, a mobile version processor, or the like that meets performance requirements, and is not limited herein. The memory 1120 includes, for example, a ROM (read only memory), a RAM (random access memory), a nonvolatile memory such as a hard disk, and the like. The interface device 1130 includes various bus interfaces such as a serial bus interface (including a USB interface), a parallel bus interface, and the like. The communication device 1140 is capable of wired or wireless communication, for example. The display device 1150 is, for example, a liquid crystal display panel, an LED display panel, a touch display panel, or the like. The input device 1160 may include, for example, a touch screen, a keyboard, and the like.
In this embodiment, the memory 1120 of the server 1100 is configured to store instructions for controlling the processor 1110 to operate at least to perform the anomaly detection method according to any embodiment of the present description. The skilled person can design the instructions according to the solution disclosed in the present specification. How the instructions control the operation of the processor is well known in the art and will not be described in detail herein.
Although a number of devices are shown in fig. 1 for server 1100, this description may refer to only some of the devices, for example, server 1100 may refer to only memory 1120 and processor 1110.
In one embodiment, the electronic device 1000 may be a terminal device 1200 such as a PC, a notebook computer, etc. used by an operator, as shown in fig. 2, which is not limited herein.
In this embodiment, referring to fig. 2, the terminal apparatus 1200 may include a processor 1210, a memory 1220, an interface device 1230, a communication device 1240, a display device 1250, an input device 1260, a speaker 1270, a microphone 1280, and the like.
The processor 1210 may be a mobile version processor. The memory 1220 includes, for example, a ROM (read only memory), a RAM (random access memory), a nonvolatile memory such as a hard disk, and the like. The interface device 1230 includes, for example, a USB interface, a headphone interface, and the like. The communication device 1240 may be capable of wired or wireless communication, for example, the communication device 1240 may include a short-range communication device, such as any device that performs short-range wireless communication based on short-range wireless communication protocols, such as the Hilink protocol, WiFi (IEEE 802.11 protocol), Mesh, bluetooth, ZigBee, Thread, Z-Wave, NFC, UWB, LiFi, and the like, and the communication device 1240 may also include a long-range communication device, such as any device that performs WLAN, GPRS, 2G/3G/4G/5G long-range communication. The display device 1250 is, for example, a liquid crystal display, a touch display, or the like. The input device 1260 may include, for example, a touch screen, a keyboard, and the like. A user can input/output voice information through the speaker 1270 and the microphone 1280.
In this embodiment, the memory 1220 of the terminal device 1200 is configured to store instructions for controlling the processor 1210 to operate at least to perform an anomaly detection method according to any of the embodiments of the present description. The skilled person can design the instructions according to the solution disclosed in the present specification. How the instructions control the operation of the processor is well known in the art and will not be described in detail herein.
Although a plurality of devices of the terminal apparatus 1200 are shown in fig. 2, the present specification may refer to only some of the devices, for example, the terminal apparatus 1200 refers to only the memory 1220, the processor 1210 and the display device 1250.
< method examples >
Fig. 3 is a schematic flowchart of an abnormality detection method according to an embodiment of the present description.
In one example, the method shown in fig. 3 may be implemented by only the server or the terminal device, or may be implemented by both the server and the terminal device. In one embodiment, the terminal device may be the terminal device 1200 as shown in FIG. 2 and the server may be the server 1100 as shown in FIG. 1.
As shown in fig. 3, the method of the present embodiment includes the following steps S3100 to S3400:
Step S3100, acquiring target monitoring data of a target index of a target device at a target time.
In one embodiment of the present description, the target index may include an index of at least one monitoring dimension, such as a system resource index, a performance index, a traffic index, a service link index, and the like.
In an embodiment of the present specification, the target device may be at least one device in at least one system to be monitored. Each server of the system to be monitored may run a collection program, which may instrument the system to be monitored with tracking points and collect monitoring data of the target indexes of multiple devices in that system at a preset frequency. The preset frequency may be set in advance according to the application scenario or specific requirements; for example, the preset frequency may be 10 Hz.
The collection programs on the servers of the systems to be monitored can each synchronize the collected monitoring data to Kafka. Kafka then synchronizes the data to Flink for data aggregation.
Kafka is a high-throughput distributed publish-subscribe messaging system that can handle all the activity stream data of consumers on a website. The purpose of Kafka is to unify online and offline message processing through the parallel loading mechanism of Hadoop, and also to provide real-time messages through clustering.
Flink is an open-source stream processing framework whose core is a distributed streaming dataflow engine written in Java and Scala. Flink executes arbitrary dataflow programs in a data-parallel and pipelined manner, and Flink's pipelined runtime system can execute both batch and stream processing programs.
In this embodiment, target monitoring data of a target index of a target device at a target time can be obtained according to a data stream aggregated by Flink.
In one embodiment of the present specification, the target monitoring data at the target time may be missing, and then acquiring the target monitoring data at the target time of the target index of the target device may include steps S3110 to S3130 as follows:
Step S3110, acquiring monitoring data of the target index of the target device in the target time segment.
The target time segment is the time segment corresponding to the target moment.
In an embodiment of the present disclosure, the time segments may be divided in advance, and the length of a time segment may be set in advance according to an application scenario or a specific requirement, or may be determined according to the preset frequency at which the acquisition program acquires the monitoring data. The length of a time segment is greater than the interval over which the acquisition program acquires at least two monitoring samples. For example, the length of the time segment may be 1 s.
Step S3120, determining the mean value and standard deviation of the monitoring data in the target time segment.
Step S3130, generating target monitoring data at the target time according to the mean and the standard deviation.
In one example, the target monitoring data may be generated from the mean and the standard deviation of the monitoring data in the target time segment: a value whose difference from the mean is smaller than or equal to the standard deviation may be randomly generated and used as the target monitoring data.
Through the embodiments of the present description, when the target monitoring data at the target time is missing, the target monitoring data randomly generated from the mean value and the standard deviation of the monitoring data in the target time segment corresponding to the target time conforms to the change rule of the monitoring data in the target time segment, and the abnormality detection result of the target index is not affected.
Step S3200, determine whether the target index is abnormal according to the target monitoring data.
In an embodiment of the present specification, determining whether the target index of the target device is abnormal according to the target monitoring data may include steps S3210 to S3220 as follows:
Step S3210, determining whether the target monitoring data at the target time is abnormal.
In one embodiment of the present disclosure, determining whether the target monitoring data at the target time is abnormal may include steps S3211-1 to S3211-3 as follows:
Step S3211-1, acquiring historical monitoring data of the target index of the target device at a plurality of historical moments.
The history time in the present embodiment may be any time before the target time. The historical monitoring data may be obtained by referring to the above-mentioned target monitoring data, which is not described herein again.
Step S3211-2, determining a reference value of the target index according to the historical monitoring data.
In one embodiment of the present description, a mean value of the historical monitoring data may be determined as a reference value of the target index.
Step S3211-3, determining whether the target monitoring data at the target moment is abnormal according to the target monitoring data and the reference value.
Specifically, it may be determined whether or not a deviation between the target monitoring data and the reference value is within a first set range to determine whether or not the target monitoring data at the target time is abnormal.
In one embodiment of the present specification, the first set range may be set in advance according to an application scenario or a specific requirement.
In another embodiment of the present specification, a standard deviation of the target index may be determined based on the historical monitoring data, and the first set range may be determined based on the standard deviation.
In the case where the historical monitoring data is normally distributed, the first set range may be determined based on the "N-sigma rule", where N is a positive number preset according to an application scenario or specific requirements. For example, N may be 3. In the case where the standard deviation is σ, the first set range may be determined to be [-Nσ, Nσ].
In this embodiment, the reference value used for determining whether the target monitoring data is abnormal is determined according to the historical data, so that the reference value can be more accurate, and the abnormality detection result of the target monitoring data can be more accurate.
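The statistical path described above (steps S3110 to S3130 and S3211-1 to S3211-3, plus the consecutive-count condition from the first aspect) can be sketched as follows. This is an added example, not code from the patent; the class and function names, the sample values, and the choice of a uniform draw for the random fill are assumptions.

```python
import random
import statistics
from typing import List, Optional, Sequence, Tuple


def fill_missing(slice_samples: Sequence[float], rng: random.Random) -> float:
    """S3110-S3130: generate a value for a missing target moment.

    The value is drawn at random within one standard deviation of the mean of
    the samples in the target time segment (uniform draw is an assumption).
    """
    if not slice_samples:
        raise ValueError("time segment has no samples to derive a value from")
    mean = statistics.fmean(slice_samples)
    std = statistics.pstdev(slice_samples)
    return rng.uniform(mean - std, mean + std)


def point_is_abnormal(value: float, history: Sequence[float], n: float = 3.0) -> bool:
    """S3211-1..3: reference value = mean of history, range = [-N*sigma, N*sigma].

    With a perfectly flat history sigma is 0, so any deviation is abnormal.
    """
    reference = statistics.fmean(history)
    sigma = statistics.pstdev(history)
    return abs(value - reference) > n * sigma


class IndexDetector:
    """Flags the index only after `required_run` consecutive abnormal points."""

    def __init__(self, history: Sequence[float], n: float = 3.0,
                 required_run: int = 3, seed: int = 0) -> None:
        if len(history) < 2:
            raise ValueError("need at least two historical samples")
        self.history = list(history)
        self.n = n
        self.required_run = required_run
        self._run = 0
        self._rng = random.Random(seed)

    def observe(self, value: Optional[float],
                slice_samples: Sequence[float] = ()) -> bool:
        """Process one target moment; returns True when the index is abnormal."""
        if value is None:  # sample lost in collection: synthesize it
            value = fill_missing(slice_samples, self._rng)
        if point_is_abnormal(value, self.history, self.n):
            self._run += 1
        else:
            self._run = 0
        return self._run >= self.required_run


# Constructed sample data (e.g. CPU utilisation in percent); not from the patent.
HISTORY = [50.0, 52.0, 48.0, 51.0, 49.0, 50.0, 53.0, 47.0, 50.0, 50.0]
STREAM: List[Tuple[Optional[float], Sequence[float]]] = [
    (51.0, ()),
    (None, (49.0, 51.0, 50.0)),  # missing sample with its time-segment data
    (58.0, ()),
    (60.0, ()),
    (61.0, ()),
    (62.0, ()),
    (50.0, ()),
]


def run_demo() -> List[bool]:
    detector = IndexDetector(HISTORY, n=3.0, required_run=3)
    return [detector.observe(value, samples) for value, samples in STREAM]


if __name__ == "__main__":
    print(run_demo())
```

A single spike never raises the index-level flag here; only the third consecutive out-of-range point does, which is the behaviour the set-number condition is meant to give.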
In another embodiment of the present specification, a plurality of outlier detection algorithms may be integrated, each voting on whether the target monitoring data is an outlier; if the majority of the algorithms consider the target monitoring data to be an outlier, it may be determined that the target monitoring data at the target time is abnormal.
In yet another embodiment of the present specification, determining whether the target monitoring data at the target time is abnormal may include steps S3212-1 to S3212-3 as follows:
Step S3212-1, acquiring reference monitoring data of the target index of the target device at a reference time.
In one embodiment of the present description, the reference time may be M consecutive times before the target time, where M is a positive integer.
In one embodiment, the M consecutive reference moments include at least the moment immediately preceding the target moment. That is, the last reference moment may be the moment immediately preceding the target moment. When the acquisition program of the server of the system to be monitored acquires the monitoring data of the target index of the target equipment at the preset frequency f, if the target moment is t, the moment immediately preceding the target moment is t - 1/f.
In one embodiment of the present specification, the reference monitoring data may include actual monitoring data of a target index of the target device at a reference time that is actually acquired by the acquisition program. The following description will be made with M being 5.
For example, when the target time is the 6th time, the reference time may be the 1st to 5th times, and the reference monitoring data at the reference time may be the actual monitoring data at the 1st to 5th times.
For another example, when the target time is the 7th time, the reference time may be the 2nd to 6th times, and the reference monitoring data at the reference time may be the actual monitoring data at the 2nd to 6th times.
In another embodiment of the present specification, the reference monitoring data may include actual monitoring data of a target index of the target device at a reference time, which is actually acquired by the acquisition program, and may also include predicted monitoring data. The predictive monitoring data in this embodiment may be obtained based on a predictive model. The following description will be made with M being 5.
For example, when the target time is the 6th time, the reference time may be the 1st to 5th times. Then, the reference monitoring data at the reference time may be the monitoring data of the target index of the target device at the 1st to 5th times, actually acquired by the acquisition program.
For another example, when the target time is the 7th time, the reference time may be the 2nd to 6th times. Then, the reference monitoring data at the 2nd to 5th moments can be the monitoring data of the target index of the target equipment actually acquired by the acquisition program at the 2nd to 5th moments; the reference monitoring data at the 6th moment can be the predicted monitoring data for the 6th moment, determined from the monitoring data of the target index of the target equipment actually acquired by the acquisition program at the 1st to 5th moments.
For another example, when the target time is the 8th time, the reference time may be the 3rd to 7th times. Then, the reference monitoring data at the 3rd to 5th moments can be the monitoring data of the target index of the target equipment actually acquired by the acquisition program at the 3rd to 5th moments; the reference monitoring data at the 6th moment can be the predicted monitoring data for the 6th moment, determined from the monitoring data actually acquired by the acquisition program at the 1st to 5th moments; the reference monitoring data at the 7th moment can be the predicted monitoring data for the 7th moment, determined from the monitoring data actually acquired by the acquisition program at the 2nd to 5th moments and the predicted monitoring data for the 6th moment.
For another example, when the target time is the 9th time, the reference time may be the 4th to 8th times. Then, the reference monitoring data at the 4th to 5th moments can be the monitoring data of the target index of the target equipment actually acquired by the acquisition program at the 4th to 5th moments; the reference monitoring data at the 6th moment can be the predicted monitoring data for the 6th moment, determined from the monitoring data actually acquired by the acquisition program at the 1st to 5th moments; the reference monitoring data at the 7th moment can be the predicted monitoring data for the 7th moment, determined from the monitoring data actually acquired by the acquisition program at the 2nd to 5th moments and the predicted monitoring data for the 6th moment; the reference monitoring data at the 8th moment can be the predicted monitoring data for the 8th moment, determined from the monitoring data actually acquired by the acquisition program at the 2nd to 5th moments and the predicted monitoring data for the 6th to 7th moments.
For another example, when the target time is the 10th time, the reference time may be the 5th to 9th times. Then, the reference monitoring data at the 5th moment can be the monitoring data of the target index of the target equipment actually acquired by the acquisition program at the 4th to 5th moments; the reference monitoring data at the 6th moment can be the predicted monitoring data for the 6th moment, determined from the monitoring data actually acquired by the acquisition program at the 1st to 5th moments; the reference monitoring data at the 7th moment can be the predicted monitoring data for the 7th moment, determined from the monitoring data actually acquired by the acquisition program at the 2nd to 5th moments and the predicted monitoring data for the 6th moment; the reference monitoring data at the 8th moment can be the predicted monitoring data for the 8th moment, determined from the monitoring data actually acquired by the acquisition program at the 2nd to 5th moments and the predicted monitoring data for the 6th to 7th moments; the reference monitoring data at the 9th moment can be the predicted monitoring data for the 9th moment, determined from the monitoring data actually acquired by the acquisition program at the 2nd to 5th moments and the predicted monitoring data for the 6th to 8th moments.
Step S3212-2, determining predicted monitoring data of the target moment according to the reference monitoring data.
In one embodiment of the present specification, the predicted monitoring data of the target time may be determined based on the reference monitoring data based on a preset prediction model.
Specifically, the training samples may be generated according to historical monitoring data at a plurality of historical times; and training a machine learning model according to the training sample based on a preset deep learning algorithm to obtain a prediction model.
The deep learning algorithm may be any one of RNN algorithm, LSTM algorithm, and DNN algorithm.
In the case where the deep learning algorithm is the RNN algorithm or the LSTM algorithm, the number of prediction models may be the same as the number of target indices.
In the case of a large number of target indexes, the prediction monitoring data at the target time is determined by using a prediction model based on the RNN algorithm or the LSTM algorithm, which requires a large amount of training and detection resources. Thus, the predictive model may be trained based on the DNN algorithm.
Step S3212-3: determining whether the target monitoring data at the target moment is abnormal according to the predicted monitoring data and the target monitoring data at the target moment.
Specifically, it may be determined whether or not the deviation between the predicted monitored data and the target monitored data is within the second set range to determine whether or not the target monitored data at the target time is abnormal. If the deviation between the predicted monitoring data and the target monitoring data is within a second set range, the target monitoring data at the target moment can be determined to be normal; if the deviation between the predicted monitoring data and the target monitoring data exceeds the second set range, it may be determined that the target monitoring data at the target time is abnormal.
In an embodiment of the present specification, the second setting range may be set in advance according to an application scenario or a specific requirement.
On the basis of the embodiment, under the condition that the target monitoring data at the target time are normal, the prediction model can be corrected according to the target monitoring data at the target time, so that the prediction accuracy of the prediction model is improved.
In this embodiment, the monitoring data at the target moment is predicted, and whether the target monitoring data at the target moment is abnormal or not is determined according to the predicted monitoring data at the target moment and the actual target monitoring data, so that the abnormal detection result of the target monitoring data is more accurate, and the accuracy of the abnormal detection result of the target index of the target equipment can be improved.
Step S3220: in the case that the target monitoring data at a set number of consecutive target times are abnormal, determining that the target index of the target device is abnormal.
In this embodiment, the detection result for the target device is determined by detecting abnormality of the target monitoring data at a set number of consecutive target times, so that a false abnormality report for the target device caused by abnormal target monitoring data at a single target time can be prevented, and the accuracy of the abnormality detection result for the target index of the target device can be improved.
In another embodiment of the present specification, it may be determined whether target monitoring data at a plurality of target times within a target time segment is abnormal, and in a case where a set number of consecutive target times within the target time segment are abnormal, it is determined that a target index of the target device is abnormal. The target time slice may be a time slice in which the target time is located.
On the basis of the present embodiment, the target time segment may include M consecutive reference time instants and a set number of consecutive target time instants.
For example, when the target time segment includes 10 moments at which monitoring data are collected, the 6th moment may be taken as the target moment and the 1st to 5th moments as the reference moments; the monitoring data of the 1st to 5th moments acquired by the acquisition program are then used as the reference monitoring data, and the predicted monitoring data of the 6th moment are determined based on the prediction model. Then the 7th moment is taken as the target moment and the 2nd to 6th moments as the reference moments; the monitoring data of the 2nd to 5th moments acquired by the acquisition program and the predicted monitoring data of the 6th moment are used as the reference monitoring data, and the predicted monitoring data of the 7th moment are determined based on the prediction model. Then the 8th moment is taken as the target moment and the 3rd to 7th moments as the reference moments; the monitoring data of the 3rd to 5th moments acquired by the acquisition program and the predicted monitoring data of the 6th to 7th moments are used as the reference monitoring data, and the predicted monitoring data of the 8th moment are determined based on the prediction model. Then the 9th moment is taken as the target moment and the 4th to 8th moments as the reference moments; the monitoring data of the 4th to 5th moments acquired by the acquisition program and the predicted monitoring data of the 6th to 8th moments are used as the reference monitoring data, and the predicted monitoring data of the 9th moment are determined based on the prediction model.
Then the 10th moment is taken as the target moment and the 5th to 9th moments as the reference moments; the monitoring data of the 5th moment acquired by the acquisition program and the predicted monitoring data of the 6th to 9th moments are used as the reference monitoring data, and the predicted monitoring data of the 10th moment are determined based on the prediction model. Whether the target monitoring data at the 6th to 10th moments are abnormal is then determined, moment by moment, from the predicted monitoring data at the 6th to 10th moments and the corresponding target monitoring data. In the case that the target monitoring data at the 6th to 10th moments are all abnormal, the target index of the target device is determined to be abnormal.
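The 10-moment walk-through above, as an added Python example that is not part of the patent text. It assumes a window mean as a stand-in for the RNN/LSTM/DNN prediction model and a constructed value for the second set range; all names are hypothetical.

```python
from collections import deque
from typing import Callable, List, NamedTuple, Sequence, Tuple

M = 5                    # reference moments per prediction (moments 1-5 above)
SET_NUMBER = 5           # consecutive abnormal target moments required (6-10 above)
SECOND_SET_RANGE = 10.0  # allowed |predicted - actual| deviation; constructed value


class MomentResult(NamedTuple):
    moment: int          # 1-based position inside the target time segment
    predicted: float
    actual: float
    abnormal: bool


def window_mean(reference: Sequence[float]) -> float:
    """Stand-in prediction model (assumption): mean of the reference window."""
    return sum(reference) / len(reference)


def detect_segment(
    segment: Sequence[float],
    m: int = M,
    set_number: int = SET_NUMBER,
    allowed_deviation: float = SECOND_SET_RANGE,
    model: Callable[[Sequence[float]], float] = window_mean,
) -> Tuple[bool, List[MomentResult]]:
    """Check every target moment after the first m moments of the segment.

    Returns (index_abnormal, per-moment results). The index is abnormal only
    when set_number consecutive target moments deviate from their prediction.
    """
    if len(segment) <= m:
        raise ValueError("segment needs m reference moments plus a target moment")

    # Moments 1..m enter the window as actually collected data.
    reference = deque(segment[:m], maxlen=m)
    results: List[MomentResult] = []
    run = 0
    index_abnormal = False

    for moment, actual in enumerate(segment[m:], start=m + 1):
        predicted = model(list(reference))
        abnormal = abs(predicted - actual) > allowed_deviation
        results.append(MomentResult(moment, predicted, actual, abnormal))

        # A single abnormal moment only extends the run; a normal one resets it.
        run = run + 1 if abnormal else 0
        index_abnormal = index_abnormal or run >= set_number

        # The window slides forward on the predicted value, as in the
        # walk-through, so an abnormal reading never becomes reference data.
        reference.append(predicted)

    return index_abnormal, results


if __name__ == "__main__":
    # Constructed samples: five reference moments followed by five target moments.
    single_spike = [100, 102, 98, 101, 99, 150, 101, 99, 100, 102]
    sustained = [100, 102, 98, 101, 99, 150, 155, 160, 158, 162]
    for name, data in (("single spike", single_spike), ("sustained", sustained)):
        flagged, rows = detect_segment(data)
        print(name, "-> index abnormal:", flagged)
        for row in rows:
            print("  ", row)
```

Because the window is fed with predictions rather than readings, the spike at the 6th moment does not shift the prediction for the 7th.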
In step S3300, when the target index of the target device is abnormal, the abnormality cause of the target index is determined.
In one embodiment of the present specification, a cause of an abnormality in a target index of a target device may be automatically analyzed. Specifically, determining the abnormality cause of the target index may include:
obtaining a selected feature; acquiring device data of the target device according to the selected feature; and determining the abnormality cause of the target device according to the device data based on a preset machine learning model. The selected feature is a feature that affects the analysis result of the abnormality cause of the target device.
In one embodiment, the selected characteristic may be a characteristic of a change event that causes an abnormality in the target metric. For example, the selected characteristics may include cat error, whether single node error occurs, whether there is correlation between alarm streams, whether base change occurs, distribution of the target device in the system where the exception occurs, machine state of the target device, exception log of the target device, and the like.
The preset machine learning model may be a classification model, and for example, may be any one of a bayesian classification model, a decision tree, a random forest, a neural network, and a Support Vector Machine (SVM).
A decision tree is a decision analysis method that, on the basis of the known occurrence probabilities of various conditions, constructs a decision tree to obtain the probability that the expected net present value is greater than or equal to zero, in order to evaluate the risk of a project and judge its feasibility; it is a graphical method of applying probability analysis intuitively. It is called a decision tree because the decision branches, when drawn, resemble the branches of a tree. In machine learning, a decision tree is a predictive model that represents a mapping between object attributes and object values. Entropy measures the degree of disorder of a system, and the ID3, C4.5 and C5.0 tree-generation algorithms use entropy. The decision tree is a tree-like structure in which each internal node represents a test of a selected feature, each branch represents a test output, and each leaf node represents a cause of an anomaly.
Specifically, a sample for training the decision tree may be obtained, and machine learning training may be performed according to the training sample to obtain the decision tree. One of the training samples may include feature values of the selected features and corresponding causes of abnormalities, which have been determined empirically by an engineer in advance. Therefore, a decision tree can be obtained through machine learning, and the decision tree can give the abnormal reason of the target index of the target equipment.
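An entropy-based (ID3-style) tree for this cause-determination step, as an added Python example that is not the patent's own implementation. The training samples and cause labels are constructed, and the feature names are hypothetical identifiers for three of the selected features listed above.

```python
import math
from collections import Counter

# Hypothetical identifiers for three selected features named in the text.
FEATURES = ["single_node_error", "base_change", "alarm_streams_correlated"]

# Constructed training samples: feature values plus the cause an engineer
# assigned from experience. The cause labels are invented for illustration.
SAMPLES = [
    ({"single_node_error": True, "base_change": False, "alarm_streams_correlated": False}, "single-node fault"),
    ({"single_node_error": True, "base_change": False, "alarm_streams_correlated": False}, "single-node fault"),
    ({"single_node_error": False, "base_change": True, "alarm_streams_correlated": False}, "base change"),
    ({"single_node_error": False, "base_change": True, "alarm_streams_correlated": True}, "base change"),
    ({"single_node_error": False, "base_change": False, "alarm_streams_correlated": True}, "dependency failure"),
    ({"single_node_error": False, "base_change": False, "alarm_streams_correlated": True}, "dependency failure"),
]


def entropy(labels):
    """Shannon entropy (bits) of a list of cause labels."""
    total = len(labels)
    return -sum((n / total) * math.log2(n / total) for n in Counter(labels).values())


def information_gain(samples, feature):
    """Entropy reduction obtained by splitting the samples on one feature."""
    remainder = 0.0
    for value in {values[feature] for values, _ in samples}:
        subset = [cause for values, cause in samples if values[feature] == value]
        remainder += len(subset) / len(samples) * entropy(subset)
    return entropy([cause for _, cause in samples]) - remainder


def build_tree(samples, features):
    """Internal node: test of a selected feature. Leaf: an abnormality cause."""
    labels = [cause for _, cause in samples]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not features:
        return majority
    best = max(features, key=lambda f: information_gain(samples, f))
    if information_gain(samples, best) <= 0:
        return majority  # no feature separates the remaining causes
    remaining = [f for f in features if f != best]
    branches = {}
    for value in {values[best] for values, _ in samples}:
        subset = [(v, c) for v, c in samples if v[best] == value]
        branches[value] = build_tree(subset, remaining)
    # "default" answers feature values that never occurred during training.
    return {"feature": best, "default": majority, "branches": branches}


def classify(tree, feature_values):
    """Walk from the root to a leaf and return the abnormality cause."""
    while isinstance(tree, dict):
        value = feature_values.get(tree["feature"])
        tree = tree["branches"].get(value, tree["default"])
    return tree


TREE = build_tree(SAMPLES, FEATURES)

if __name__ == "__main__":
    observed = {"single_node_error": False, "base_change": False,
                "alarm_streams_correlated": True}
    print(TREE)
    print("cause:", classify(TREE, observed))
```

A device whose feature values are missing or unseen falls back to the majority cause at the node where the walk stops, so the alarm step always receives a cause.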
Random forest refers to a classifier that uses multiple trees to train on and predict samples. In machine learning, a random forest is a classifier that contains multiple decision trees, and the class it outputs is the mode of the classes output by the individual trees. The randomness of a random forest lies in two points: the training sample of each tree is random, and the classification attribute of each node in the tree is randomly selected. With these two sources of randomness, the random forest does not exhibit overfitting. Moreover, the random forest is completely insensitive to noise and overfitting, has high universality and high accuracy and consumes time.
In this embodiment, based on the machine learning model, according to the feature value of the selected feature of the target device, the cause of the abnormality of the target index of the target device may be accurately determined, and an engineer does not need to analyze the cause according to experience, so that the dependency on manual experience may be reduced, the labor cost may be reduced, and the efficiency of determining the cause of the abnormality may be improved.
Step S3400: alerting the target device according to the abnormality cause.
In this embodiment, the target device is alerted according to the abnormality cause, so that an engineer can know the cause of the abnormality of the target index of the target device through the alert, and the engineer can repair the abnormality conveniently.
According to the embodiment of the specification, the target index of the target equipment can be subjected to abnormity detection according to the target monitoring data, the abnormity reason is obtained through automatic analysis, the alarm is given to the target equipment according to the abnormity reason, and an alarm pushing closed loop is formed, so that the fault recovery time of the target equipment can be shortened, and the availability of the target equipment is improved.
In one embodiment of the present description, the method may further comprise:
and displaying the target monitoring data in the interface.
In this embodiment, by displaying the target monitoring data in the interface, the visualization of the monitoring data of the target index of the target device by the front end can be realized, so that an engineer can conveniently check the monitoring data in real time.
In one embodiment of the present specification, alerting the target device according to the cause of the abnormality may include steps S3410 to S3430 as follows:
step S3410 obtains an alarm template corresponding to the cause of the abnormality.
In this embodiment, corresponding alarm templates may be set in advance for multiple preset abnormal reasons.
In the alarm template, at least an alarm type for indicating a cause of the abnormality, an alarm rule, a device in which the abnormality occurs, an index in which the abnormality occurs, an alarm time, and the like may be included. The alarm rule may indicate a reason for determining the target index to be abnormal by the target monitoring data.
From the abnormality cause of the target index of the target device determined in the foregoing steps S3100 to S3300, the alarm template corresponding to the abnormality cause can be determined.
Step S3420, generating alarm information according to the alarm template.
In this embodiment, the related content may be added to the alarm template to generate the alarm information.
For example, the device name or the device identifier of the target device may be added to the device in which the abnormality occurs, the name of the target index may be added to the index in which the abnormality occurs, and the time for executing step S3400 may be added to the alarm time to obtain the alarm information.
Step S3430, the alarm information is pushed to the target device to alarm the target device.
In one embodiment, the alarm information is pushed to the target device, and the target device can display the alarm information in an interface for an engineer to check, so that the engineer can repair the target device according to the alarm information.
In the embodiment, the alarm information is generated according to the alarm template corresponding to the abnormal reason of the abnormal index of the target device, and the alarm information is pushed to the target device to alarm the target device, so that an engineer maintaining the target device can repair the target device in time according to the alarm information, thereby reducing the fault recovery time of the target device and improving the availability of the target device.
In one embodiment of the present description, the method may further comprise:
acquiring a user portrait of a target device; determining an alarm strategy corresponding to the user portrait; and alarming the target device according to the alarm strategy.
The user profile of the target device may be generated in advance based on the usage of the target device, registration information of the user using the target device, and the like.
The alarm policy in this embodiment may include at least one of an alarm frequency, an alarm mode, and an alarm object, for example.
The alarm frequency may be a frequency of alarming the target device when the target index of the target device is abnormal.
The alarm object may include at least one of a target device, an engineer maintaining the target device.
The warning mode may include at least one of displaying warning information on the target device and sending the warning information to an engineer maintaining the target device in a short message, mail, or the like.
In this embodiment, an alarm policy corresponding to a user profile of the target device may be determined through a preset machine learning model for determining the alarm policy, and an alarm may be given to the target device according to the alarm policy.
In the embodiment, the target device is alarmed according to the alarm strategy corresponding to the user portrait of the target device, so that personalized alarm of the target device can be realized.
< apparatus embodiment >
Corresponding to the method, the specification also provides an abnormality detection device 4000. As shown in fig. 4, the abnormality detection apparatus 4000 may include a data acquisition module 4100, an abnormality detection module 4200, a cause determination module 4300, and an alarm module 4400. The data acquiring module 4100 is configured to acquire target monitoring data of a target index of a target device at a target time; the anomaly detection module 4200 is configured to determine whether a target indicator is anomalous according to target monitoring data; the reason determining module 4300 is configured to determine an abnormal reason of the target index when the target index is abnormal; the alarm module 4400 is configured to alarm the target device according to the reason of the abnormality.
In one embodiment of the present description, the anomaly detection module 4200 may be further configured to:
determining whether target monitoring data at a target moment is abnormal;
and determining that the target index is abnormal under the condition that the target monitoring data of a set number of continuous target moments are abnormal.
In one embodiment of the present specification, determining whether the target monitoring data at the target time is abnormal includes:
acquiring historical monitoring data of a target index of target equipment at a plurality of historical moments;
determining a reference value of a target index according to historical monitoring data;
and determining whether the target monitoring data at the target moment is abnormal or not according to the target monitoring data and the reference value.
In one embodiment of the present specification, determining whether the target monitoring data at the target time is abnormal includes:
acquiring reference monitoring data of a target index of target equipment at a reference moment, wherein the reference moment is a moment before the target moment;
according to the reference monitoring data, determining the predicted monitoring data of the target moment;
and determining whether the target monitoring data at the target moment is abnormal or not according to the predicted monitoring data and the target monitoring data at the target moment.
In one embodiment of the present description, the data acquisition module 4100 may be further configured to:
acquiring monitoring data of a target index of target equipment in a target time segment, wherein the target time segment is a time segment corresponding to a target moment;
determining the mean value and the standard deviation of the monitoring data in the target time segment;
and generating target monitoring data of the target time according to the mean value and the standard deviation.
In one embodiment of the present specification, determining the cause of the abnormality of the target index may include:
acquiring selected characteristics, wherein the selected characteristics are characteristics of a determination result of an abnormal reason influencing target equipment;
obtaining a feature value of a selected feature of the target device;
and determining the abnormal reason of the target index according to the characteristic value based on a preset machine learning model.
In an embodiment of the present description, the alarm module 4400 may further be configured to:
acquiring an alarm template corresponding to the abnormal reason;
generating alarm information according to the alarm template;
and pushing the alarm information to the target equipment to alarm the target equipment.
In one embodiment of the present description, the abnormality detection apparatus 4000 may further include:
a module for obtaining a user representation of a target device;
means for determining an alert policy corresponding to the user representation;
the alarm module 4400 may also alarm the target device according to an alarm policy.
In one embodiment of the present description, the abnormality detection apparatus 4000 may further include:
and the module is used for displaying the target monitoring data in the interface.
It will be appreciated by those skilled in the art that the abnormality detection apparatus 4000 can be implemented in various ways. For example, the abnormality detection apparatus 4000 may be implemented by an instruction configuration processor. For example, the abnormality detection apparatus 4000 may be implemented by storing instructions in a ROM and reading the instructions from the ROM into a programmable device when starting up the device. For example, the abnormality detection apparatus 4000 may be incorporated into a dedicated device (e.g., ASIC). The abnormality detection apparatus 4000 may be divided into units independent of each other, or may be implemented by combining them together. The abnormality detection apparatus 4000 may be realized by one of the various implementations described above, or may be realized by a combination of two or more of the various implementations described above.
In this embodiment, the abnormality detection apparatus 4000 may have various implementation forms, for example, the abnormality detection apparatus 4000 may be any functional module running in a software product or application providing an abnormality detection function, or a peripheral insert, a plug-in, a patch, or the like of the software product or application, or the software product or application itself.
According to the embodiment of the specification, the target index of the target equipment can be subjected to abnormity detection according to the target monitoring data, the abnormity reason is obtained through automatic analysis, the alarm is given to the target equipment according to the abnormity reason, and an alarm pushing closed loop is formed, so that the fault recovery time of the target equipment can be shortened, and the availability of the target equipment is improved.
< electronic device embodiment >
The present specification also provides an electronic device 5000. The electronic device 5000 may be a server 1100 as shown in fig. 1. The electronic device 5000 may also be a terminal device 1200 as shown in fig. 2.
In an example, the electronic device 5000 may include the abnormality detection apparatus 4000 provided in the foregoing embodiment, and is configured to execute the abnormality detection method according to any embodiment of the present specification.
In another example, as shown in fig. 5, the electronic device 5000 may further include a processor 5100 and a memory 5200, the memory 5200 being for storing computer programs; the computer program is used to control the processor 5100 to perform the abnormality detection method of any of the embodiments of the present specification.
According to the embodiment of the specification, the target index of the target equipment can be subjected to abnormity detection according to the target monitoring data, the abnormity reason is obtained through automatic analysis, the alarm is given to the target equipment according to the abnormity reason, and an alarm pushing closed loop is formed, so that the fault recovery time of the target equipment can be shortened, and the availability of the target equipment is improved.
The present description may be systems, methods, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for causing a processor to implement various aspects of the specification.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present specification may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, an electronic circuit, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA), can execute computer-readable program instructions to implement various aspects of the present description by utilizing state information of the computer-readable program instructions to personalize the electronic circuit.
Aspects of the present description are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the description. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present description. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. It is well known to those skilled in the art that implementation by hardware, by software, and by a combination of software and hardware are equivalent.
The foregoing description of the embodiments of the present specification has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein. The scope of the present description is defined by the appended claims.

Claims (11)

1. An anomaly detection method comprising:
acquiring target monitoring data of a target index of target equipment at a target moment;
determining whether the target index is abnormal or not according to the target monitoring data;
determining the abnormal reason of the target index under the condition that the target index is abnormal;
and alarming the target equipment according to the abnormal reason.
2. The method of claim 1, the determining whether the target indicator is abnormal from the target monitoring data comprising:
determining whether the target monitoring data at the target moment is abnormal;
and determining that the target index is abnormal under the condition that target monitoring data of a set number of continuous target moments are abnormal.
3. The method of claim 2, the determining whether the target monitoring data for the target time instance is anomalous comprising:
acquiring historical monitoring data of the target index of the target equipment at a plurality of historical moments;
determining a reference value of the target index according to the historical monitoring data;
and determining whether the target monitoring data at the target moment is abnormal or not according to the target monitoring data and the reference value.
4. The method of claim 2, the determining whether the target monitoring data for the target time instance is anomalous comprising:
acquiring reference monitoring data of the target index of the target equipment at a reference time, wherein the reference time is a time before the target time;
according to the reference monitoring data, determining the predicted monitoring data of the target moment;
and determining whether the target monitoring data at the target moment is abnormal or not according to the predicted monitoring data and the target monitoring data at the target moment.
5. The method of claim 1, the acquiring target monitoring data of a target index of target equipment at a target moment comprising:
acquiring monitoring data of the target index of the target equipment in a target time segment, wherein the target time segment is a time segment corresponding to the target moment;
determining the mean value and the standard deviation of the monitoring data in the target time segment;
and generating the target monitoring data of the target moment according to the mean value and the standard deviation.
6. The method of claim 1, the determining the abnormal reason of the target index comprising:
acquiring a selected feature, wherein the selected feature is a feature affecting a determination result of an abnormal reason of the target equipment;
acquiring a feature value of the selected feature of the target equipment;
and determining the abnormal reason of the target index according to the feature value based on a preset machine learning model.
7. The method of claim 1, the alarming the target equipment according to the abnormal reason comprising:
acquiring an alarm template corresponding to the abnormal reason;
generating alarm information according to the alarm template;
and pushing the alarm information to the target equipment to alarm the target equipment.
8. The method of claim 1, further comprising:
acquiring a user portrait of the target equipment;
determining an alarm strategy corresponding to the user portrait;
and alarming the target equipment according to the alarm strategy.
9. The method of claim 1, further comprising:
and displaying the target monitoring data in an interface.
10. An abnormality detection device comprising:
the data acquisition module is used for acquiring target monitoring data of a target index of the target equipment at a target moment;
the abnormality detection module is used for determining whether the target index is abnormal or not according to the target monitoring data;
the reason determining module is used for determining the abnormal reason of the target index under the condition that the target index is abnormal;
and the warning module is used for warning the target equipment according to the abnormal reason.
11. An electronic device, comprising:
the abnormality detection device of claim 10, or,
a processor and a memory for storing an executable computer program for controlling the processor to perform the method according to any of claims 1 to 9.
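
An added sketch, not code from the patent, of how claims 2 and 3 compose: each target moment is checked against a reference value derived from historical monitoring data, and the index is reported abnormal only after a set number of consecutive abnormal moments. The claims do not fix how the reference value or the comparison is computed; the mean as reference, the k-standard-deviation tolerance, the set number of 3, the sample data and all names here are assumptions for illustration.

```python
from collections import deque
from statistics import mean, stdev


class IndexAnomalyDetector:
    """Claims 2-3 sketch: per-moment check against a history-derived
    reference value, plus an N-consecutive-moments rule for the index."""

    def __init__(self, history, k=3.0, set_number=3, min_band=1e-9):
        if len(history) < 2:
            raise ValueError("need at least two historical samples")
        # Assumption: reference value = mean of the historical data,
        # tolerance band = k standard deviations around it.
        self.reference = mean(history)
        self.band = max(k * stdev(history), min_band)  # flat-history edge case
        self.set_number = set_number
        self.recent = deque(maxlen=set_number)  # last N per-moment verdicts

    def point_is_abnormal(self, value):
        """Claim 3: compare target monitoring data with the reference value."""
        return abs(value - self.reference) > self.band

    def observe(self, value):
        """Claim 2: the index is abnormal only when the last `set_number`
        consecutive target moments were all abnormal."""
        self.recent.append(self.point_is_abnormal(value))
        return len(self.recent) == self.set_number and all(self.recent)


def first_alert_position(history, stream, **kwargs):
    """Return the position in `stream` where the index first becomes
    abnormal, or None if it never does."""
    detector = IndexAnomalyDetector(history, **kwargs)
    for position, value in enumerate(stream):
        if detector.observe(value):
            return position
    return None


# Constructed sample data: failed-login counts per minute for one host.
HISTORY = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]
SPIKE = [5, 40, 5, 6, 5]                     # one isolated outlier
SUSTAINED = [5, 40, 42, 5, 41, 43, 45, 44]   # run of abnormal moments at the end

if __name__ == "__main__":
    print("isolated spike alert position:", first_alert_position(HISTORY, SPIKE))
    print("sustained run alert position:", first_alert_position(HISTORY, SUSTAINED))
```

The consecutive-moment rule trades detection latency for fewer false alarms: the two-moment burst at positions 1 and 2 of `SUSTAINED` is ignored because a normal reading at position 3 breaks the run.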

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010587758.5A CN111880959A (en) 2020-06-24 2020-06-24 Abnormity detection method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN111880959A true CN111880959A (en) 2020-11-03

Family

ID=73157817

Country Status (1)

Country Link
CN (1) CN111880959A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115392812A (en) * 2022-10-31 2022-11-25 成都飞机工业(集团)有限责任公司 Abnormal root cause positioning method, device, equipment and medium
CN115392812B (en) * 2022-10-31 2023-03-24 成都飞机工业(集团)有限责任公司 Abnormal root cause positioning method, device, equipment and medium

Similar Documents

Publication Publication Date Title
US11586972B2 (en) Tool-specific alerting rules based on abnormal and normal patterns obtained from history logs
US20220036264A1 (en) Real-time adaptive operations performance management system
US10585774B2 (en) Detection of misbehaving components for large scale distributed systems
US10600002B2 (en) Machine learning techniques for providing enriched root causes based on machine-generated data
US11023325B2 (en) Resolving and preventing computer system failures caused by changes to the installed software
US10860406B2 (en) Information processing device and monitoring method
US20150347923A1 (en) Error classification in a computing system
US11816586B2 (en) Event identification through machine learning
US9524223B2 (en) Performance metrics of a computer system
CN105573824B (en) Monitoring method and system for distributed computing system
CN109685089B (en) System and method for evaluating model performance
JP2018045403A (en) Abnormality detection system and abnormality detection method
US20200272923A1 (en) Identifying locations and causes of network faults
US10581667B2 (en) Method and network node for localizing a fault causing performance degradation of a service
US11449488B2 (en) System and method for processing logs
CN115357470B (en) Information generation method and device, electronic equipment and computer readable medium
CN112395156A (en) Fault warning method and device, storage medium and electronic equipment
CN114567538A (en) Alarm information processing method and device
US20200372367A1 (en) Cognitive methods and systems for responding to computing system incidents
CN113282920B (en) Log abnormality detection method, device, computer equipment and storage medium
US11120460B2 (en) Effectiveness of service complexity configurations in top-down complex services design
US11055631B2 (en) Automated meta parameter search for invariant based anomaly detectors in log analytics
CN111880959A (en) Abnormity detection method and device and electronic equipment
CN111309585A (en) Log data testing method, device and system, electronic equipment and storage medium
US11861509B2 (en) Automated positive train control event data extraction and analysis engine for performing root cause analysis of unstructured data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination