CN111984499A - Fault detection method and device for big data cluster - Google Patents
Fault detection method and device for big data cluster Download PDFInfo
- Publication number
- CN111984499A CN111984499A CN202010773292.8A CN202010773292A CN111984499A CN 111984499 A CN111984499 A CN 111984499A CN 202010773292 A CN202010773292 A CN 202010773292A CN 111984499 A CN111984499 A CN 111984499A
- Authority
- CN
- China
- Prior art keywords
- abnormal
- data
- information
- log data
- log
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 103
- 230000002159 abnormal effect Effects 0.000 claims abstract description 182
- 238000012423 maintenance Methods 0.000 claims abstract description 85
- 238000012545 processing Methods 0.000 claims abstract description 78
- 238000000034 method Methods 0.000 claims abstract description 65
- 238000010801 machine learning Methods 0.000 claims abstract description 17
- 230000002776 aggregation Effects 0.000 claims description 43
- 238000004220 aggregation Methods 0.000 claims description 43
- 238000009826 distribution Methods 0.000 claims description 30
- 230000008569 process Effects 0.000 claims description 21
- 238000004891 communication Methods 0.000 claims description 17
- 238000004422 calculation algorithm Methods 0.000 claims description 16
- 238000003860 storage Methods 0.000 claims description 12
- 238000010219 correlation analysis Methods 0.000 claims description 11
- 238000005065 mining Methods 0.000 claims description 10
- 230000026676 system process Effects 0.000 claims description 10
- 238000004590 computer program Methods 0.000 claims description 9
- 230000011218 segmentation Effects 0.000 claims description 8
- 238000004364 calculation method Methods 0.000 claims description 6
- 238000010606 normalization Methods 0.000 claims description 6
- 230000036541 health Effects 0.000 claims description 5
- 230000007366 host health Effects 0.000 claims description 5
- 238000004519 manufacturing process Methods 0.000 claims description 5
- 230000007246 mechanism Effects 0.000 claims description 5
- 230000004083 survival effect Effects 0.000 claims description 5
- 238000013450 outlier detection Methods 0.000 claims 1
- 238000010586 diagram Methods 0.000 description 15
- 238000007726 management method Methods 0.000 description 9
- 238000004458 analytical method Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 7
- 238000012544 monitoring process Methods 0.000 description 5
- 230000003287 optical effect Effects 0.000 description 4
- 238000010276 construction Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 239000000523 sample Substances 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000003203 everyday effect Effects 0.000 description 2
- 239000000835 fiber Substances 0.000 description 2
- 230000002265 prevention Effects 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 238000005070 sampling Methods 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 208000024891 symptom Diseases 0.000 description 2
- 238000013024 troubleshooting Methods 0.000 description 2
- 238000012935 Averaging Methods 0.000 description 1
- 230000005856 abnormality Effects 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 230000002354 daily effect Effects 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000002950 deficient Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 208000037265 diseases, disorders, signs and symptoms Diseases 0.000 description 1
- 208000035475 disorder Diseases 0.000 description 1
- 235000019580 granularity Nutrition 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000006698 induction Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000012567 pattern recognition method Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 230000003252 repetitive effect Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 230000002441 reversible effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/3006—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3065—Monitoring arrangements determined by the means or processing involved in reporting the monitored data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3466—Performance evaluation by tracing or monitoring
- G06F11/3476—Data logging
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Mathematical Physics (AREA)
- Artificial Intelligence (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Medical Informatics (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Computer Hardware Design (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a fault detection method and device for a big data cluster, and relates to the technical field of computers. One embodiment of the method comprises: acquiring index data and log data of a big data cluster; determining abnormal information and a corresponding processing scheme according to the index data and the log data; performing machine learning on the abnormal information and the corresponding processing scheme thereof, and storing the learning result into an operation and maintenance library; and carrying out fault detection on the big data cluster based on the learning result in the operation and maintenance library. The implementation method can solve the technical problems of difficulty in fault source detection and high operation and maintenance cost.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a fault detection method and device for a big data cluster.
Background
With the development of services, the operation management of a large data cluster presents the following pain points:
(1) "slow": the service operation environment is more and more complex, the fault detection is slow, various service systems and large data systems are more and more, the dependency of the systems on IT resources is high, once any problem occurs in the systems, the problems need to be eliminated one by one, and the fault detection is difficult.
(2) The following steps: the operation and maintenance work is heavy, an automatic tool and means are lacked, operation and maintenance personnel face a large amount of repetitive and manual troubleshooting work every day, time and labor are consumed, errors are easy to occur, and the efficiency is low.
(3) "disorder": the operation and maintenance work is not streamlined, normalized and electronized, the daily big data operation and maintenance work flow is disordered, a standard flow is not available, the work efficiency is low, and application complaints and complaints are not reduced.
(4) "difficult to handle": the information-based construction investment is huge, and the effect is difficult to show. The operation and maintenance personnel are tired and running every day, the workload is measured, and the quality cannot be controlled!
At present, fault detection technologies for big data related clusters are deficient, information such as cluster load condition monitoring, log troubleshooting, fault analysis and fault removal cannot be directly embodied, and in an enterprise-level data warehouse, the number of big data related clusters is large, the cluster scale is huge, management is very complex, a unified operation management interface is not provided, and the problem of the large data related clusters is often considered.
In the process of implementing the invention, the inventor finds that at least the following problems exist in the prior art:
the fault detection of the existing big data cluster mainly depends on a manual mode, and manual operation and maintenance are carried out by a special method, or basic monitoring is carried out aiming at basic resources such as a CPU, a memory, a hard disk, a network and the like on the level of an operating system.
The fault detection of the existing big data cluster can only be managed aiming at a single cluster, and mostly monitors the bottom layer indexes of a single operating system, and has the following defects:
unified monitoring management and quick query cannot be carried out on a plurality of big data clusters, and the unified management requirements of enterprises cannot be met;
there are difficulties with data analysis: difficult query, analysis and comparison;
and (3) fault detection: the personnel utilization rate is low, and the fault source detection is difficult;
the operation and maintenance cost is as follows: high cost, low efficiency, more service complaints and high system risk.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for detecting a failure of a big data cluster, so as to solve the technical problems of difficulty in detecting a failure root and high operation and maintenance costs.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a fault detection method for a large data cluster, including:
acquiring index data and log data of a big data cluster;
determining abnormal information and a corresponding processing scheme according to the index data and the log data;
performing machine learning on the abnormal information and the corresponding processing scheme thereof, and storing the learning result into an operation and maintenance library;
and carrying out fault detection on the big data cluster based on the learning result in the operation and maintenance library.
Optionally, the index data includes index data of an operating system process, a single server, a distributed service, and a distributed cluster.
Optionally, the index data of the single server includes: host name configuration checking, NTP offset checking, average load, host disk read-write efficiency, CPU utilization rate, host file handle utilization rate, host network state and load, HA state checking, key directory checking, memory utilization rate, hardware state checking, SWAP utilization rate, host state checking, alarm information and error information.
Optionally, the index data of the operating system process includes: big data process survival status, multithreading information, process congestion status, stack usage status.
Optionally, the index data of the distributed service includes: the system comprises a start-stop state, a Kerberos identity authentication mechanism communication state, a key process health state, a database communication state, a service state and alarm information.
Optionally, the metric data of the distributed cluster includes: the method comprises the following steps of cluster host health state statistics, host network read-write rate distribution, host disk occupancy rate distribution, host memory occupancy rate distribution and host CPU occupancy rate distribution.
Optionally, determining abnormal information and a corresponding processing scheme according to the index data and the log data includes:
determining abnormal information according to the index data and the log data;
and determining a corresponding processing scheme according to the abnormal information.
Optionally, the exception information includes: abnormal points, context information when the abnormal points are generated, abnormal classification, abnormal keywords and abnormal detailed information;
determining abnormal information according to the index data and the log data, wherein the determining of abnormal information comprises the following steps:
abnormal point detection is carried out on the index data to obtain abnormal points;
and determining the context, the abnormal classification, the abnormal keywords and the abnormal detailed information when the abnormal point is generated according to the log data.
Optionally, before determining the abnormal information and the corresponding processing scheme according to the index data and the log data, the method further includes:
carrying out standardization operation on the collected log data;
performing aggregation operation on the log data subjected to the standardized operation;
and carrying out abnormal point detection on the log data after the aggregation operation.
Optionally, the collected log data is subjected to a normalization operation, including:
the log data is standardized using the system sed command and awk command of Linux, so that the log data is mapped into tuples.
Optionally, the system sed command and awk command of Linux are used to perform standardization work on log data, including:
using the sed command to realize operations of replacing, deleting, newly adding, selecting a specific row and the like on the data;
using the awk command, a row is divided into multiple fields for processing, and in conjunction with the grep command, the row of a particular character is filtered, and the string is split using the split command.
Optionally, the tuple comprises: time of production, name of application or component, IP address, details and remarks.
Optionally, performing an aggregation operation on the log data after the normalization operation, including:
and performing aggregation calculation on the log data after the standardized operation based on a concept clustering algorithm, and performing aggregation of multi-dimensional fields to combine or aggregate the alarms into a related event.
Optionally, the aggregated dimensions field includes: time, place, line of business, service, and interface.
Optionally, performing anomaly point detection on the log data after the aggregation operation, including:
abnormal point detection is carried out on the log data after the aggregation operation by using a univariate or multivariate abnormal point detection method based on normal distribution, and abnormal points in the low-dimensional data set are detected;
and carrying out anomaly point detection on the log data after the aggregation operation by using an independent forest algorithm, and detecting anomaly points in the high-dimensional data set.
Optionally, performing machine learning on the abnormal information and the processing scheme corresponding to the abnormal information, and storing a learning result in an operation and maintenance library, including:
analyzing the abnormal information and the corresponding processing scheme based on the correlation analysis of the association rule to generate the association rule;
matching an alarm event with the association rule based on the attribute value set frequently appearing in the abnormal information so as to obtain an alarm combination about the fault source;
and storing the alarm combination and the corresponding processing scheme thereof into an operation and maintenance library.
Optionally, performing fault detection on the big data cluster based on the learning result in the operation and maintenance library, including:
performing word segmentation processing on each log marked as having abnormal points, and extracting keywords related to the state;
inquiring the operation and maintenance library, searching and matching the full text of the operation and maintenance library through the keywords, and directly returning a processing scheme in the operation and maintenance library to a user if the full text of the operation and maintenance library is completely matched; if the log is not completely matched, a fuzzy matching identification method is used for finding out similar associated indexes and events, and assisting a user in comparing and regularly mining the log, so that fault detection is carried out.
In addition, according to another aspect of the embodiments of the present invention, there is provided a fault detection apparatus for a big data cluster, including:
the acquisition module is used for acquiring index data and log data of the big data cluster;
the determining module is used for determining abnormal information and a corresponding processing scheme thereof according to the index data and the log data;
the learning module is used for performing machine learning on the abnormal information and the corresponding processing scheme thereof and storing a learning result into an operation and maintenance library;
and the detection module is used for carrying out fault detection on the big data cluster based on the learning result in the operation and maintenance library.
Optionally, the index data includes index data of an operating system process, a single server, a distributed service, and a distributed cluster.
Optionally, the index data of the single server includes: host name configuration checking, NTP offset checking, average load, host disk read-write efficiency, CPU utilization rate, host file handle utilization rate, host network state and load, HA state checking, key directory checking, memory utilization rate, hardware state checking, SWAP utilization rate, host state checking, alarm information and error information.
Optionally, the index data of the operating system process includes: big data process survival status, multithreading information, process congestion status, stack usage status.
Optionally, the index data of the distributed service includes: the system comprises a start-stop state, a Kerberos identity authentication mechanism communication state, a key process health state, a database communication state, a service state and alarm information.
Optionally, the metric data of the distributed cluster includes: the method comprises the following steps of cluster host health state statistics, host network read-write rate distribution, host disk occupancy rate distribution, host memory occupancy rate distribution and host CPU occupancy rate distribution.
Optionally, the determining module is further configured to:
determining abnormal information according to the index data and the log data;
and determining a corresponding processing scheme according to the abnormal information.
Optionally, the exception information includes: abnormal points, context information when the abnormal points are generated, abnormal classification, abnormal keywords and abnormal detailed information;
the determination module is further to:
abnormal point detection is carried out on the index data to obtain abnormal points;
and determining the context, the abnormal classification, the abnormal keywords and the abnormal detailed information when the abnormal point is generated according to the log data.
Optionally, the determining module is further configured to:
before determining abnormal information and a corresponding processing scheme according to the index data and the log data, carrying out standardization operation on the collected log data;
performing aggregation operation on the log data subjected to the standardized operation;
and carrying out abnormal point detection on the log data after the aggregation operation.
Optionally, the determining module is further configured to:
the log data is standardized using the system sed command and awk command of Linux, so that the log data is mapped into tuples.
Optionally, the determining module is further configured to:
using the sed command to realize operations of replacing, deleting, newly adding, selecting a specific row and the like on the data;
using the awk command, a row is divided into multiple fields for processing, and in conjunction with the grep command, the row of a particular character is filtered, and the string is split using the split command.
Optionally, the tuple comprises: time of production, name of application or component, IP address, details and remarks.
Optionally, the determining module is further configured to:
and performing aggregation calculation on the log data after the standardized operation based on a concept clustering algorithm, and performing aggregation of multi-dimensional fields to combine or aggregate the alarms into a related event.
Optionally, the aggregated dimensions field includes: time, place, line of business, service, and interface.
Optionally, the determining module is further configured to:
abnormal point detection is carried out on the log data after the aggregation operation by using a univariate or multivariate abnormal point detection method based on normal distribution, and abnormal points in the low-dimensional data set are detected;
and carrying out anomaly point detection on the log data after the aggregation operation by using an independent forest algorithm, and detecting anomaly points in the high-dimensional data set.
Optionally, the learning module is further configured to:
analyzing the abnormal information and the corresponding processing scheme based on the correlation analysis of the association rule to generate the association rule;
matching an alarm event with the association rule based on the attribute value set frequently appearing in the abnormal information so as to obtain an alarm combination about the fault source;
and storing the alarm combination and the corresponding processing scheme thereof into an operation and maintenance library.
Optionally, the detection module is further configured to:
performing word segmentation processing on each log marked as having abnormal points, and extracting keywords related to the state;
inquiring the operation and maintenance library, searching and matching the full text of the operation and maintenance library through the keywords, and directly returning a processing scheme in the operation and maintenance library to a user if the full text of the operation and maintenance library is completely matched; if the log is not completely matched, a fuzzy matching identification method is used for finding out similar associated indexes and events, and assisting a user in comparing and regularly mining the log, so that fault detection is carried out.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the method of any of the embodiments described above.
According to another aspect of the embodiments of the present invention, there is also provided a computer readable medium, on which a computer program is stored, which when executed by a processor implements the method of any of the above embodiments.
One embodiment of the above invention has the following advantages or benefits: the technical means that the abnormal information and the corresponding processing scheme are determined according to the index data and the log data, the abnormal information and the corresponding processing scheme are subjected to machine learning, the learning result is stored in the operation and maintenance library, and the fault detection is performed on the large data cluster based on the learning result in the operation and maintenance library are adopted, so that the technical problems that the fault source detection is difficult and the operation and maintenance cost is high in the prior art are solved. The embodiment of the invention abstractly aggregates and converges the alarms with various dimensions in the log into a small number of events, thereby effectively reducing the number of alarms, avoiding that really useful alarm information is submerged into massive useless alarm information, quickly and accurately detecting the fault and reducing the operation and maintenance cost.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main flow of a fault detection method for large data clusters according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a main flow of a fault detection method of a large data cluster according to one referential embodiment of the present invention;
FIG. 3 is a schematic diagram of a main flow of a fault detection method of a large data cluster according to another referential embodiment of the present invention;
FIG. 4 is a schematic diagram of the main modules of a fault detection apparatus for big data clusters according to an embodiment of the present invention;
FIG. 5 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
fig. 6 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The invention relates to the technical field of realizing fault detection of a big data cluster, and realizing fault detection and management of big data products such as a plurality of MPP parallel database clusters and a plurality of Hadoop big data clusters.
Fig. 1 is a schematic diagram of a main flow of a fault detection method of a large data cluster according to an embodiment of the present invention. As an embodiment of the present invention, as shown in fig. 1, the method for detecting a failure of a big data cluster may include:
step 101, collecting index data and log data of a big data cluster.
The probe technology can be used for acquiring index data of the big data cluster, and log data such as system logs, application logs and the like can be acquired through Filebeat to realize the omnidirectional data acquisition capability of the big data cluster and collect as much data as possible for subsequent log analysis and fault detection. For example, real-time performance index data of a CPU, an internal memory, a disk, and the like of server resources in a cluster are acquired based on a network probe and a system resource probe; a lightweight log collector based on Filebeat acquires log data such as system logs, application logs and the like of a large data cluster.
Optionally, the index data includes index data of an operating system process, a single server, a distributed service, and a distributed cluster. The embodiment of the invention collects indexes with different granularities from thin to thick (namely, an operating system process- > a single server- > a distributed service- > a distributed cluster) for a big data cluster and assembles the indexes into index data.
Optionally, the index data of the single server includes: host name configuration checking, NTP offset checking, average load, host disk read-write efficiency, CPU utilization rate, host file handle utilization rate, host network state and load, HA state checking, key directory checking, memory utilization rate, hardware state checking, SWAP utilization rate, host state checking, alarm information and error information. Optionally, the index data of the operating system process includes: big data process survival status, multithreading information, process congestion status, stack usage status. Optionally, the index data of the distributed service includes: the system comprises a start-stop state, a Kerberos identity authentication mechanism communication state, a key process health state, a database communication state, a service state and alarm information. Optionally, the metric data of the distributed cluster includes: the method comprises the following steps of cluster host health state statistics, host network read-write rate distribution, host disk occupancy rate distribution, host memory occupancy rate distribution and host CPU occupancy rate distribution. Alarm thresholds may be set for these indicators, respectively, and an alarm may be triggered once the thresholds are exceeded.
And 102, determining abnormal information and a corresponding processing scheme according to the index data and the log data.
Optionally, step 102 may comprise: determining abnormal information according to the index data and the log data; and determining a corresponding processing scheme according to the abnormal information. Optionally, the exception information includes: abnormal points, context information when the abnormal points are generated, abnormal classification, abnormal keywords and abnormal detailed information; accordingly, step 102 may include: abnormal point detection is carried out on the index data to obtain abnormal points; and determining the context, the abnormal classification, the abnormal keywords and the abnormal detailed information when the abnormal point is generated according to the log data. And if the index data exceeds the alarm threshold value, indicating that the abnormity occurs, triggering an alarm, and determining the context, the abnormity classification, the abnormity keywords and the abnormity detailed information when the abnormal point is generated by combining the log data.
Optionally, before step 102, further comprising: carrying out standardization operation on the collected log data; performing aggregation operation on the log data subjected to the standardized operation; and carrying out abnormal point detection on the log data after the aggregation operation. The context, the abnormal classification, the abnormal keywords and the abnormal detailed information when the abnormal point is generated can be located by processing and analyzing the log data.
Optionally, the collected log data is subjected to a normalization operation, including: the log data is standardized using the system sed command and awk command of Linux, so that the log data is mapped into tuples. Optionally, the system sed command and awk command of Linux are used to perform standardization work on log data, including: using the sed command to realize operations of replacing, deleting, newly adding, selecting a specific row and the like on the data; using the awk command, a row is divided into multiple fields for processing, and in conjunction with the grep command, the row of a particular character is filtered, and the string is split using the split command. Optionally, the tuple comprises: time of production, name of application or component, IP address, details and remarks.
Because the real-time index data is standardized according to the octave group of time, cluster name, service name, IP address, process name, index value and remark, no additional standardization operation is needed, and therefore, the standardization operation needs to be carried out on the log data. The log data standardization operation can use a system sed command and an awk command of Linux to standardize the log data of a plurality of heterogeneous systems from a large data cluster: using sed command to realize operations such as replacement, deletion, newly adding, selection of specific row and the like of data, for example, ' nl/var/log/ngin x.log | sed ' 2a test ', namely, adding a column in the 2 nd row of the nginx.log of the log file; the row can be divided into a plurality of 'fields' for processing by using the awk command, the row of a specific character is filtered by combining the grep command, the character string is split by using the split command, and finally logs with different formats are uniformly mapped into quintuple < generation time, the name of an application or a component, an IP address, detailed content and remark >, so that the log content is standardized to be understandable by a machine, the format is relatively uniform, self identification such as a service line and a service which can explain a source can be carried out, the automation degree is improved, and analysis and detection of faults are facilitated.
Optionally, performing an aggregation operation on the log data after the normalization operation, including: and performing aggregation calculation on the log data after the standardized operation based on a concept clustering algorithm, and performing aggregation of multi-dimensional fields to combine or aggregate the alarms into a related event. Optionally, the aggregated dimensions field includes: time, place, line of business, service, and interface.
Log aggregation, on one hand, counting the number of log data, sampling to obtain data and the like, and obtaining some statistical information, such as counting (how many alarm logs exist); on the other hand, the method is to perform multidimensional aggregation based on the dimensionality (fields) of the data, for example, usually all the dimensionality fields in the log data have time, place, service line, service, interface and the like, so that the log data can be aggregated and converged based on the time dimensionality to form a log, and repeated log data is reduced, for example, all 30 pieces of log data or alarm information about a network fault of a certain server in a system within 5 minutes are aggregated to form 1 alarm (every 10 seconds), that is, the machine is shown to be in the same fault within the 5 minutes.
And aiming at the standardized data, performing aggregation calculation (counting, averaging, sampling and the like) and multi-dimensional aggregation (including time, place, service line, service and interface) based on the concept clustering algorithm AOI (Attribute-based Induction), realizing dimensionality reduction of alarm information, and performing alarm combination or aggregation to form a correlation event. For example, in a streaming computing cluster, when an interface of an IP write queue is time-consuming and long (exceeds an alarm convergence threshold set by the system), the IP attribute of an alarm is replaced by a more abstract "queue service pool", and similarly, the "queue service pool" can also be replaced by a "machine room", and finally alarms of various dimensions are aggregated and converged into a small number of events through several layers of abstractions, so that the number of alarms can be effectively reduced, and really useful alarm information is prevented from being submerged into massive useless alarm information.
Optionally, performing anomaly point detection on the log data after the aggregation operation, including: abnormal point detection is carried out on the log data after the aggregation operation by using a univariate or multivariate abnormal point detection method based on normal distribution, and abnormal points in the low-dimensional data set are detected; and carrying out anomaly point detection on the log data after the aggregation operation by using an independent forest algorithm, and detecting anomaly points in the high-dimensional data set.
The embodiment of the invention can acquire the abnormal points which are possibly faults from massive log data:
(1) aiming at low-dimensional log data, a probability distribution model is constructed based on data through a univariate or multivariate abnormal point detection method based on normal distribution, a probability density function of the model is obtained, abnormal points are detected through the distance from a judgment point to the center of the normal distribution (the probability of the abnormal points is usually lower and is far away from the center of the normal distribution), the basic idea is that the difference between an object and surrounding objects is calculated, and the higher the score is, the more possible the abnormal points are.
(2) For high-dimensional data and mass data, anomaly detection can be performed by using an independent forest algorithm, a random binary tree is firstly constructed, and each node has a left sub-tree and a right sub-tree or no sub-nodes. After the random binary tree construction is completed, data is predicted: the data records are searched from the root node of the random binary tree to determine the leaf node on which the record falls. However, because the random tree is unstable, a plurality of random binary trees can be combined to form an independent forest, so that the abnormality can be detected more stably.
Therefore, the abnormal value in the discovery log data is detected by using an abnormal detection algorithm such as an abnormal detection method based on normal distribution, an independent forest, or the like. It should be noted that the main difference between the high-dimensional data and the low-dimensional data is the number of dimensions, the general field of the low-dimensional data is relatively simple, and there is no correlation between the attributes, such as simple log data < time, IP address, log index value >; the general format of the high-dimensional data is < time, IP address, < log index 1, log index value 1>, < log index 2, log index value 2>,. < log index n, log index value n > >, and the log analysis needs to be analyzed by combining a plurality of or all of the indexes such as log index 1, log index 2.. log index m, and the like.
And 103, performing machine learning on the abnormal information and the corresponding processing scheme thereof, and storing a learning result into an operation and maintenance library.
Optionally, step 103 may comprise: analyzing the abnormal information and the corresponding processing scheme based on the correlation analysis of the association rule to generate the association rule; matching an alarm event with the association rule based on the attribute value set frequently appearing in the abnormal information so as to obtain an alarm combination about the fault source; and storing the alarm combination and the corresponding processing scheme thereof into an operation and maintenance library.
The faults are generally represented by events, errors and symptoms, and the correlation analysis based on the association rules is used for mining the relation between the events, errors and alarm data to assist the detection, prediction and prevention of the faults. The correlation analysis based on the association rule is a machine learning algorithm based on the rule, and can generate an FP-growth algorithm of a frequent item set based on an FP tree, the algorithm can directly compress a data set into a frequent pattern tree, and finally, the association rule is produced according to the number or strong rules existing in the data set are distinguished by adopting some measurement indexes. After the association rules are generated, the association rules can be used for assisting in carrying out correlation analysis of events (errors and alarms), when one alarm/event occurs, the association rules can be used for matching, so that whether the alarm/event is an independent alarm/event or an associated alarm/event is judged, the root cause of the fault is determined, and the fault is detected.
For example, we obtain the following association rules of alarm events by analyzing and mining: { HBase big data cluster load high } → { object library delay }, { object library delay } → { individual account detail online query failure rate is high }; assuming that the current fault symptom is that the failure rate of online query of personal account details is high, the alarm related to the object library delay and the HBase big data cluster load is certain to be received. When the alarm hits the two rules, a simple failure source can be tracked, namely { HBase big data cluster load is high } → { object base delay } → { personal account detail online query failure rate is high }. At this time, operation and maintenance personnel can be informed to perform capacity expansion operation of the HBase big data cluster in time so as to reduce the load of the HBase big data cluster and improve the success rate of 'personal account detail online query' of the key application. Through correlation analysis based on the association rules, useful association or correlation is found from massive system and application log data sets, namely frequently-occurring attribute value sets (frequent item sets) are identified from data, then the frequent item sets are utilized to create a process for describing the association rules, different alarm combinations can be formed, which faults are about to occur can be pre-judged, operation and maintenance personnel can be informed in advance, and therefore detection and prediction prevention of the faults are achieved.
And 104, carrying out fault detection on the big data cluster based on the learning result in the operation and maintenance library.
Optionally, step 104 may include: performing word segmentation processing on each log marked as having abnormal points, and extracting keywords related to the state; inquiring the operation and maintenance library, searching and matching the full text of the operation and maintenance library through the keywords, and directly returning a processing scheme in the operation and maintenance library to a user if the full text of the operation and maintenance library is completely matched; if the log is not completely matched, a fuzzy matching identification method is used for finding out similar associated indexes and events, and assisting a user in comparing and regularly mining the log, so that fault detection is carried out.
Performing word segmentation on each log marked as having an abnormal point by using an IK word segmentation device of the ElsticSearch, extracting keywords (such as warning, error, exception and the like) related to the state, querying the operation and maintenance library, matching the full-text retrieval of the operation and maintenance library through the log keywords, and directly returning the previous processing scheme to the user if the log keywords are completely matched with the full-text retrieval of the operation and maintenance library; if the complete matching does not exist, similar associated indexes and events are found out by using a pattern recognition method such as fuzzy matching and the like, and the log comparison and regular mining are assisted by a user, so that the system fault or abnormity detection and discovery are realized. If the keyword does not exist in the operation and maintenance library, the keyword and the alarm information are recorded into the operation and maintenance library, so that the fault processing rule can be conveniently added by subsequent manual work.
According to the embodiment of the invention, dominant faults such as machine downtime, network outage, hard disk faults and the like are rapidly detected by monitoring key indexes; through log analysis, some faults which have unobvious characteristics such as operation error report, memory overflow, no response to requests and the like or cannot be judged directly through vision are detected; hidden associated faults existing in complex alarms are identified through association rule mining based on machine learning, so that all-around monitoring, fault analysis and solution optimization of a big data cluster are realized, the large data cluster is displayed for users more intuitively, the service quality is improved, and the management cost is reduced.
According to the various embodiments, it can be seen that the technical means of determining the abnormal information and the corresponding processing scheme thereof according to the index data and the log data, performing machine learning on the abnormal information and the corresponding processing scheme thereof, storing the learning result in the operation and maintenance library, and performing fault detection on the large data cluster based on the learning result in the operation and maintenance library in the embodiments of the present invention solves the technical problems of difficulty in detecting the root cause of a fault and high operation and maintenance cost in the prior art. The embodiment of the invention abstractly aggregates and converges the alarms with various dimensions in the log into a small number of events, thereby effectively reducing the number of alarms, avoiding that really useful alarm information is submerged into massive useless alarm information, quickly and accurately detecting the fault and reducing the operation and maintenance cost.
Fig. 2 is a schematic diagram of a main flow of a fault detection method of a large data cluster according to one referential embodiment of the present invention. As another embodiment of the present invention, as shown in fig. 2, the method for detecting a failure of a big data cluster may include:
step 201, collecting index data and log data of a big data cluster.
And 202, carrying out abnormal point detection on the index data to obtain abnormal points.
Step 203, determining the context, the abnormal classification, the abnormal keyword and the abnormal detailed information when the abnormal point is generated according to the log data.
And step 204, determining a corresponding processing scheme according to the abnormal point, the context when the abnormal point is generated, the abnormal classification, the abnormal keyword and the abnormal detailed information.
Step 205, analyzing the abnormal information and the corresponding processing scheme based on the correlation analysis of the association rule, and generating the association rule.
And step 206, matching the alarm event with the association rule based on the attribute value set frequently appearing in the abnormal information, so as to obtain an alarm combination related to the fault source.
And step 207, storing the alarm combination and the corresponding processing scheme thereof in an operation and maintenance library.
And step 208, performing word segmentation processing on each log marked as having the abnormal point, and extracting keywords related to the state.
Step 209, inquiring the operation and maintenance library, searching and matching the full text of the operation and maintenance library through the keywords, and directly returning a processing scheme in the operation and maintenance library to the user if the full text of the operation and maintenance library is completely matched; if the log is not completely matched, a fuzzy matching identification method is used for finding out similar associated indexes and events, and assisting a user in comparing and regularly mining the log, so that fault detection is carried out.
In addition, in one embodiment of the present invention, the detailed implementation of the fault detection method for a big data cluster is described in detail in the above-mentioned fault detection method for a big data cluster, so that the repeated content is not described again.
Fig. 3 is a schematic diagram of a main flow of a fault detection method of a large data cluster according to another referential embodiment of the present invention. As another embodiment of the present invention, as shown in fig. 3, the method for detecting a failure of a big data cluster may include:
step 301, collecting index data and log data of a big data cluster.
Step 302, performing a standardization operation on the collected log data.
And step 303, performing aggregation operation on the log data after the standardization operation.
And step 304, abnormal point detection is carried out on the log data after the aggregation operation.
And 305, determining abnormal information and a corresponding processing scheme according to the index data and the log data.
And step 306, performing machine learning on the abnormal information and the corresponding processing scheme thereof, and storing the learning result into an operation and maintenance library.
And 307, performing fault detection on the big data cluster based on the learning result in the operation and maintenance library.
In addition, in another embodiment of the present invention, the detailed implementation of the fault detection method for a big data cluster is described in detail in the above fault detection method for a big data cluster, so that repeated descriptions are not described herein.
Fig. 4 is a schematic diagram of main modules of a fault detection apparatus for a big data cluster according to an embodiment of the present invention, and as shown in fig. 4, the fault detection apparatus 400 for a big data cluster includes an acquisition module 401, a determination module 402, a learning module 403, and a detection module 404; the acquisition module 401 is configured to acquire index data and log data of a big data cluster; the determining module 402 is configured to determine abnormal information and a processing scheme corresponding to the abnormal information according to the index data and the log data; the learning module 403 is configured to perform machine learning on the abnormal information and the corresponding processing scheme thereof, and store a learning result in an operation and maintenance library; the detection module 404 is configured to perform fault detection on the big data cluster based on the learning result in the operation and maintenance library.
Optionally, the index data includes index data of an operating system process, a single server, a distributed service, and a distributed cluster.
Optionally, the index data of the single server includes: host name configuration checking, NTP offset checking, average load, host disk read-write efficiency, CPU utilization rate, host file handle utilization rate, host network state and load, HA state checking, key directory checking, memory utilization rate, hardware state checking, SWAP utilization rate, host state checking, alarm information and error information.
Optionally, the index data of the operating system process includes: big data process survival status, multithreading information, process congestion status, stack usage status.
Optionally, the index data of the distributed service includes: the system comprises a start-stop state, a Kerberos identity authentication mechanism communication state, a key process health state, a database communication state, a service state and alarm information.
Optionally, the metric data of the distributed cluster includes: the method comprises the following steps of cluster host health state statistics, host network read-write rate distribution, host disk occupancy rate distribution, host memory occupancy rate distribution and host CPU occupancy rate distribution.
Optionally, the determining module 402 is further configured to:
determining abnormal information according to the index data and the log data;
and determining a corresponding processing scheme according to the abnormal information.
Optionally, the exception information includes: abnormal points, context information when the abnormal points are generated, abnormal classification, abnormal keywords and abnormal detailed information;
the determining module 402 is further configured to:
abnormal point detection is carried out on the index data to obtain abnormal points;
and determining the context, the abnormal classification, the abnormal keywords and the abnormal detailed information when the abnormal point is generated according to the log data.
Optionally, the determining module 402 is further configured to:
before determining abnormal information and a corresponding processing scheme according to the index data and the log data, carrying out standardization operation on the collected log data;
performing aggregation operation on the log data subjected to the standardized operation;
and carrying out abnormal point detection on the log data after the aggregation operation.
Optionally, the determining module 402 is further configured to:
the log data is standardized using the system sed command and awk command of Linux, so that the log data is mapped into tuples.
Optionally, the determining module 402 is further configured to:
using the sed command to realize operations of replacing, deleting, newly adding, selecting a specific row and the like on the data;
using the awk command, a row is divided into multiple fields for processing, and in conjunction with the grep command, the row of a particular character is filtered, and the string is split using the split command.
Optionally, the tuple comprises: time of production, name of application or component, IP address, details and remarks.
Optionally, the determining module 402 is further configured to:
and performing aggregation calculation on the log data after the standardized operation based on a concept clustering algorithm, and performing aggregation of multi-dimensional fields to combine or aggregate the alarms into a related event.
Optionally, the aggregated dimensions field includes: time, place, line of business, service, and interface.
Optionally, the determining module 402 is further configured to:
abnormal point detection is carried out on the log data after the aggregation operation by using a univariate or multivariate abnormal point detection method based on normal distribution, and abnormal points in the low-dimensional data set are detected;
and carrying out anomaly point detection on the log data after the aggregation operation by using an independent forest algorithm, and detecting anomaly points in the high-dimensional data set.
Optionally, the learning module 403 is further configured to:
analyzing the abnormal information and the corresponding processing scheme based on the correlation analysis of the association rule to generate the association rule;
matching an alarm event with the association rule based on the attribute value set frequently appearing in the abnormal information so as to obtain an alarm combination about the fault source;
and storing the alarm combination and the corresponding processing scheme thereof into an operation and maintenance library.
Optionally, the detecting module 404 is further configured to:
performing word segmentation processing on each log marked as having abnormal points, and extracting keywords related to the state;
inquiring the operation and maintenance library, searching and matching the full text of the operation and maintenance library through the keywords, and directly returning a processing scheme in the operation and maintenance library to a user if the full text of the operation and maintenance library is completely matched; if the log is not completely matched, a fuzzy matching identification method is used for finding out similar associated indexes and events, and assisting a user in comparing and regularly mining the log, so that fault detection is carried out.
According to the various embodiments, it can be seen that the technical means of determining the abnormal information and the corresponding processing scheme thereof according to the index data and the log data, performing machine learning on the abnormal information and the corresponding processing scheme thereof, storing the learning result in the operation and maintenance library, and performing fault detection on the large data cluster based on the learning result in the operation and maintenance library in the embodiments of the present invention solves the technical problems of difficulty in detecting the root cause of a fault and high operation and maintenance cost in the prior art. The embodiment of the invention abstractly aggregates and converges the alarms with various dimensions in the log into a small number of events, thereby effectively reducing the number of alarms, avoiding that really useful alarm information is submerged into massive useless alarm information, quickly and accurately detecting the fault and reducing the operation and maintenance cost.
It should be noted that, in the implementation of the fault detection apparatus for a big data cluster according to the present invention, the above fault detection method for a big data cluster has been described in detail, and therefore, the repeated content is not described herein.
Fig. 5 shows an exemplary system architecture 500 of a fault detection method of a big data cluster or a fault detection apparatus of a big data cluster to which an embodiment of the present invention may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504, and a server 505. The network 504 serves to provide a medium for communication links between the terminal devices 501, 502, 503 and the server 505. Network 504 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 501, 502, 503 to interact with a server 505 over a network 504 to receive or send messages or the like. The terminal devices 501, 502, 503 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 501, 502, 503 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 505 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 501, 502, 503. The background management server can analyze and process the received data such as the article information query request and feed back the processing result to the terminal equipment.
It should be noted that the method for detecting a fault of a big data cluster provided in the embodiment of the present invention is generally executed by the server 505, and accordingly, the fault detection apparatus of the big data cluster is generally disposed in the server 505.
It should be understood that the number of terminal devices, networks, and servers in fig. 5 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 6, a block diagram of a computer system 600 suitable for use with a terminal device implementing an embodiment of the invention is shown. The terminal device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU)601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM603, various programs and data necessary for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The driver 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is mounted in the storage section 608 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 601.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer programs according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes an acquisition module, a determination module, a learning module, and a detection module, where the names of the modules do not in some cases constitute a limitation on the modules themselves.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, implement the method of: acquiring index data and log data of a big data cluster; determining abnormal information and a corresponding processing scheme according to the index data and the log data; performing machine learning on the abnormal information and the corresponding processing scheme thereof, and storing the learning result into an operation and maintenance library; and carrying out fault detection on the big data cluster based on the learning result in the operation and maintenance library.
According to the technical scheme of the embodiment of the invention, the abnormal information and the corresponding processing scheme are determined according to the index data and the log data, the abnormal information and the corresponding processing scheme are subjected to machine learning, the learning result is stored in the operation and maintenance library, and the large data cluster is subjected to fault detection based on the learning result in the operation and maintenance library, so that the technical problems of difficulty in fault root cause detection and high operation and maintenance cost in the prior art are solved. The embodiment of the invention abstractly aggregates and converges the alarms with various dimensions in the log into a small number of events, thereby effectively reducing the number of alarms, avoiding that really useful alarm information is submerged into massive useless alarm information, quickly and accurately detecting the fault and reducing the operation and maintenance cost.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (23)
1. A fault detection method for a big data cluster is characterized by comprising the following steps:
acquiring index data and log data of a big data cluster;
determining abnormal information and a corresponding processing scheme according to the index data and the log data;
performing machine learning on the abnormal information and the corresponding processing scheme thereof, and storing the learning result into an operation and maintenance library;
and carrying out fault detection on the big data cluster based on the learning result in the operation and maintenance library.
2. The method of claim 1, wherein the metric data comprises operating system processes, individual servers, distributed services, and distributed cluster metric data.
3. The method of claim 2, wherein the metrics data for the single server comprises: host name configuration checking, NTP offset checking, average load, host disk read-write efficiency, CPU utilization rate, host file handle utilization rate, host network state and load, HA state checking, key directory checking, memory utilization rate, hardware state checking, SWAP utilization rate, host state checking, alarm information and error information.
4. The method of claim 2, wherein the metrics data for the operating system process comprises: big data process survival status, multithreading information, process congestion status, stack usage status.
5. The method of claim 2, wherein the metrics data for the distributed service comprises: the system comprises a start-stop state, a Kerberos identity authentication mechanism communication state, a key process health state, a database communication state, a service state and alarm information.
6. The method of claim 2, wherein the metric data for the distributed cluster comprises: the method comprises the following steps of cluster host health state statistics, host network read-write rate distribution, host disk occupancy rate distribution, host memory occupancy rate distribution and host CPU occupancy rate distribution.
7. The method of claim 1, wherein determining exception information and corresponding handling schemes based on the metric data and log data comprises:
determining abnormal information according to the index data and the log data;
and determining a corresponding processing scheme according to the abnormal information.
8. The method of claim 7, wherein the exception information comprises: abnormal points, context information when the abnormal points are generated, abnormal classification, abnormal keywords and abnormal detailed information;
determining abnormal information according to the index data and the log data, wherein the determining of abnormal information comprises the following steps:
abnormal point detection is carried out on the index data to obtain abnormal points;
and determining the context, the abnormal classification, the abnormal keywords and the abnormal detailed information when the abnormal point is generated according to the log data.
9. The method of claim 1, wherein before determining the exception information and the corresponding handling scheme according to the indicator data and the log data, further comprising:
carrying out standardization operation on the collected log data;
performing aggregation operation on the log data subjected to the standardized operation;
and carrying out abnormal point detection on the log data after the aggregation operation.
10. The method of claim 9, wherein performing a normalization operation on the collected log data comprises:
the log data is standardized using the system sed command and awk command of Linux, so that the log data is mapped into tuples.
11. The method of claim 10, wherein the normalization of log data using the system sed command and awk command of Linux comprises:
using the sed command to realize operations of replacing, deleting, newly adding, selecting a specific row and the like on the data;
using the awk command, a row is divided into multiple fields for processing, and in conjunction with the grep command, the row of a particular character is filtered, and the string is split using the split command.
12. The method of claim 10, wherein the tuple comprises: time of production, name of application or component, IP address, details and remarks.
13. The method of claim 9, wherein performing an aggregation operation on the normalized log data comprises:
and performing aggregation calculation on the log data after the standardized operation based on a concept clustering algorithm, and performing aggregation of multi-dimensional fields to combine or aggregate the alarms into a related event.
14. The method of claim 13, wherein the aggregated dimension field comprises: time, place, line of business, service, and interface.
15. The method of claim 14, wherein performing outlier detection on log data after the aggregation operation comprises:
abnormal point detection is carried out on the log data after the aggregation operation by using a univariate or multivariate abnormal point detection method based on normal distribution, and abnormal points in the low-dimensional data set are detected;
and carrying out anomaly point detection on the log data after the aggregation operation by using an independent forest algorithm, and detecting anomaly points in the high-dimensional data set.
16. The method of claim 1, wherein performing machine learning on the abnormal information and the corresponding processing scheme thereof, and storing the learning result in an operation and maintenance library comprises:
analyzing the abnormal information and the corresponding processing scheme based on the correlation analysis of the association rule to generate the association rule;
matching an alarm event with the association rule based on the attribute value set frequently appearing in the abnormal information so as to obtain an alarm combination about the fault source;
and storing the alarm combination and the corresponding processing scheme thereof into an operation and maintenance library.
17. The method of claim 1, wherein fault detecting the big data cluster based on the learning result in the operation and maintenance library comprises:
performing word segmentation processing on each log marked as having abnormal points, and extracting keywords related to the state;
inquiring the operation and maintenance library, searching and matching the full text of the operation and maintenance library through the keywords, and directly returning a processing scheme in the operation and maintenance library to a user if the full text of the operation and maintenance library is completely matched; if the log is not completely matched, a fuzzy matching identification method is used for finding out similar associated indexes and events, and assisting a user in comparing and regularly mining the log, so that fault detection is carried out.
18. A big data cluster fault detection device, comprising:
the acquisition module is used for acquiring index data and log data of the big data cluster;
the determining module is used for determining abnormal information and a corresponding processing scheme thereof according to the index data and the log data;
the learning module is used for performing machine learning on the abnormal information and the corresponding processing scheme thereof and storing a learning result into an operation and maintenance library;
and the detection module is used for carrying out fault detection on the big data cluster based on the learning result in the operation and maintenance library.
19. The apparatus of claim 18, wherein the determining module is further configured to:
determining abnormal information according to the index data and the log data;
and determining a corresponding processing scheme according to the abnormal information.
20. The apparatus of claim 18, wherein the exception information comprises: abnormal points, context information when the abnormal points are generated, abnormal classification, abnormal keywords and abnormal detailed information;
the determination module is further to:
abnormal point detection is carried out on the index data to obtain abnormal points;
and determining the context, the abnormal classification, the abnormal keywords and the abnormal detailed information when the abnormal point is generated according to the log data.
21. The apparatus of claim 18, wherein the learning module is further configured to:
analyzing the abnormal information and the corresponding processing scheme based on the correlation analysis of the association rule to generate the association rule;
matching an alarm event with the association rule based on the attribute value set frequently appearing in the abnormal information so as to obtain an alarm combination about the fault source;
and storing the alarm combination and the corresponding processing scheme thereof into an operation and maintenance library.
22. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, implement the method of any of claims 1-17.
23. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-17.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010773292.8A CN111984499B (en) | 2020-08-04 | 2020-08-04 | Fault detection method and device for big data cluster |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010773292.8A CN111984499B (en) | 2020-08-04 | 2020-08-04 | Fault detection method and device for big data cluster |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111984499A true CN111984499A (en) | 2020-11-24 |
| CN111984499B CN111984499B (en) | 2024-05-28 |
Family
ID=73444464
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010773292.8A Active CN111984499B (en) | 2020-08-04 | 2020-08-04 | Fault detection method and device for big data cluster |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111984499B (en) |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112506911A (en) * | 2020-12-18 | 2021-03-16 | 杭州数澜科技有限公司 | Data quality monitoring method and device, electronic equipment and storage medium |
| CN112527887A (en) * | 2020-12-02 | 2021-03-19 | 中国农业银行股份有限公司 | Visual operation and maintenance method and device applied to Gbase database |
| CN112631913A (en) * | 2020-12-23 | 2021-04-09 | 平安银行股份有限公司 | Method, device, equipment and storage medium for monitoring operation fault of application program |
| CN112783865A (en) * | 2021-01-29 | 2021-05-11 | 杭州优云软件有限公司 | Semi-supervised man-machine combined operation and maintenance fault library generation method and system |
| CN112838962A (en) * | 2020-12-31 | 2021-05-25 | 中国银联股份有限公司 | Performance bottleneck detection method and device for big data cluster |
| CN112860510A (en) * | 2021-01-20 | 2021-05-28 | 中国农业银行股份有限公司 | Alarm compensation method and device |
| CN112905371A (en) * | 2021-01-28 | 2021-06-04 | 清华大学 | Software change checking method and device based on heterogeneous multi-source data anomaly detection |
| CN113051147A (en) * | 2021-04-25 | 2021-06-29 | 中国建设银行股份有限公司 | Database cluster monitoring method, device, system and equipment |
| CN113094198A (en) * | 2021-04-13 | 2021-07-09 | 中国工商银行股份有限公司 | Service fault positioning method and device based on machine learning and text classification |
| CN113240140A (en) * | 2021-06-04 | 2021-08-10 | 海尔数字科技(青岛)有限公司 | Fault detection method, device, equipment and storage medium of physical equipment |
| CN113704790A (en) * | 2021-08-31 | 2021-11-26 | 深圳壹账通智能科技有限公司 | Abnormal log information summarizing method and computer equipment |
| CN113887749A (en) * | 2021-08-23 | 2022-01-04 | 国网江苏省电力有限公司信息通信分公司 | Cloud edge cooperation-based multi-dimensional monitoring and disposal method, device and platform for power internet of things |
| CN113919514A (en) * | 2021-12-09 | 2022-01-11 | 北京微步在线科技有限公司 | Sample data acquisition method and device based on threat intelligence |
| WO2022257421A1 (en) * | 2021-06-10 | 2022-12-15 | 天翼云科技有限公司 | Cluster anomaly detection method, apparatus, and related device |
| CN115981910A (en) * | 2023-03-20 | 2023-04-18 | 建信金融科技有限责任公司 | Method, device, electronic equipment and computer readable medium for processing exception request |
| CN116346590A (en) * | 2023-05-30 | 2023-06-27 | 国网汇通金财(北京)信息科技有限公司 | Positioning system for full link fault |
| CN116521490A (en) * | 2023-07-04 | 2023-08-01 | 苏州浪潮智能科技有限公司 | PC system health degree self-checking method, self-checking device, equipment and medium |
| CN117093951A (en) * | 2023-10-16 | 2023-11-21 | 北京安天网络安全技术有限公司 | Threat information merging method and device, electronic equipment and storage medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20180108446A (en) * | 2017-03-23 | 2018-10-04 | (주)모아데이타 | System and method for management of ict infra |
| CN109343995A (en) * | 2018-10-25 | 2019-02-15 | 金税信息技术服务股份有限公司 | Intelligent O&M analysis system based on multi-source heterogeneous data fusion, machine learning and customer service robot |
| KR101964412B1 (en) * | 2018-12-12 | 2019-04-01 | 주식회사 모비젠 | Method for diagnosing anomaly log of mobile commmunication data processing system and system thereof |
| CN109992569A (en) * | 2019-02-19 | 2019-07-09 | 平安科技(深圳)有限公司 | Cluster log feature extracting method, device and storage medium |
| CN110928718A (en) * | 2019-11-18 | 2020-03-27 | 上海维谛信息科技有限公司 | Exception handling method, system, terminal and medium based on correlation analysis |
| US20200133814A1 (en) * | 2018-10-25 | 2020-04-30 | Capital One Services, Llc | Application performance analytics platform |
| CN111290913A (en) * | 2020-02-04 | 2020-06-16 | 复旦大学 | Fault location visualization system and method based on operation and maintenance data prediction |
-
2020
- 2020-08-04 CN CN202010773292.8A patent/CN111984499B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20180108446A (en) * | 2017-03-23 | 2018-10-04 | (주)모아데이타 | System and method for management of ict infra |
| CN109343995A (en) * | 2018-10-25 | 2019-02-15 | 金税信息技术服务股份有限公司 | Intelligent O&M analysis system based on multi-source heterogeneous data fusion, machine learning and customer service robot |
| US20200133814A1 (en) * | 2018-10-25 | 2020-04-30 | Capital One Services, Llc | Application performance analytics platform |
| KR101964412B1 (en) * | 2018-12-12 | 2019-04-01 | 주식회사 모비젠 | Method for diagnosing anomaly log of mobile commmunication data processing system and system thereof |
| CN109992569A (en) * | 2019-02-19 | 2019-07-09 | 平安科技(深圳)有限公司 | Cluster log feature extracting method, device and storage medium |
| CN110928718A (en) * | 2019-11-18 | 2020-03-27 | 上海维谛信息科技有限公司 | Exception handling method, system, terminal and medium based on correlation analysis |
| CN111290913A (en) * | 2020-02-04 | 2020-06-16 | 复旦大学 | Fault location visualization system and method based on operation and maintenance data prediction |
Cited By (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112527887A (en) * | 2020-12-02 | 2021-03-19 | 中国农业银行股份有限公司 | Visual operation and maintenance method and device applied to Gbase database |
| CN112506911A (en) * | 2020-12-18 | 2021-03-16 | 杭州数澜科技有限公司 | Data quality monitoring method and device, electronic equipment and storage medium |
| CN112631913B (en) * | 2020-12-23 | 2024-02-02 | 平安银行股份有限公司 | Method, device, equipment and storage medium for monitoring operation faults of application program |
| CN112631913A (en) * | 2020-12-23 | 2021-04-09 | 平安银行股份有限公司 | Method, device, equipment and storage medium for monitoring operation fault of application program |
| CN112838962A (en) * | 2020-12-31 | 2021-05-25 | 中国银联股份有限公司 | Performance bottleneck detection method and device for big data cluster |
| CN112838962B (en) * | 2020-12-31 | 2022-10-18 | 中国银联股份有限公司 | Performance bottleneck detection method and device for big data cluster |
| CN112860510A (en) * | 2021-01-20 | 2021-05-28 | 中国农业银行股份有限公司 | Alarm compensation method and device |
| CN112905371A (en) * | 2021-01-28 | 2021-06-04 | 清华大学 | Software change checking method and device based on heterogeneous multi-source data anomaly detection |
| CN112905371B (en) * | 2021-01-28 | 2022-05-20 | 清华大学 | Software change checking method and device based on heterogeneous multi-source data anomaly detection |
| CN112783865A (en) * | 2021-01-29 | 2021-05-11 | 杭州优云软件有限公司 | Semi-supervised man-machine combined operation and maintenance fault library generation method and system |
| CN113094198A (en) * | 2021-04-13 | 2021-07-09 | 中国工商银行股份有限公司 | Service fault positioning method and device based on machine learning and text classification |
| CN113051147A (en) * | 2021-04-25 | 2021-06-29 | 中国建设银行股份有限公司 | Database cluster monitoring method, device, system and equipment |
| CN113240140A (en) * | 2021-06-04 | 2021-08-10 | 海尔数字科技(青岛)有限公司 | Fault detection method, device, equipment and storage medium of physical equipment |
| WO2022257421A1 (en) * | 2021-06-10 | 2022-12-15 | 天翼云科技有限公司 | Cluster anomaly detection method, apparatus, and related device |
| CN113887749A (en) * | 2021-08-23 | 2022-01-04 | 国网江苏省电力有限公司信息通信分公司 | Cloud edge cooperation-based multi-dimensional monitoring and disposal method, device and platform for power internet of things |
| CN113704790A (en) * | 2021-08-31 | 2021-11-26 | 深圳壹账通智能科技有限公司 | Abnormal log information summarizing method and computer equipment |
| CN113919514A (en) * | 2021-12-09 | 2022-01-11 | 北京微步在线科技有限公司 | Sample data acquisition method and device based on threat intelligence |
| CN115981910B (en) * | 2023-03-20 | 2023-06-16 | 建信金融科技有限责任公司 | Method, apparatus, electronic device and computer readable medium for processing exception request |
| CN115981910A (en) * | 2023-03-20 | 2023-04-18 | 建信金融科技有限责任公司 | Method, device, electronic equipment and computer readable medium for processing exception request |
| CN116346590A (en) * | 2023-05-30 | 2023-06-27 | 国网汇通金财(北京)信息科技有限公司 | Positioning system for full link fault |
| CN116346590B (en) * | 2023-05-30 | 2023-07-25 | 国网汇通金财(北京)信息科技有限公司 | Positioning system for full link fault |
| CN116521490A (en) * | 2023-07-04 | 2023-08-01 | 苏州浪潮智能科技有限公司 | PC system health degree self-checking method, self-checking device, equipment and medium |
| CN116521490B (en) * | 2023-07-04 | 2023-09-29 | 苏州浪潮智能科技有限公司 | PC system health degree self-checking method, self-checking device, equipment and medium |
| CN117093951A (en) * | 2023-10-16 | 2023-11-21 | 北京安天网络安全技术有限公司 | Threat information merging method and device, electronic equipment and storage medium |
| CN117093951B (en) * | 2023-10-16 | 2024-01-26 | 北京安天网络安全技术有限公司 | Threat information merging method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111984499B (en) | 2024-05-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111984499B (en) | Fault detection method and device for big data cluster | |
| US11789943B1 (en) | Configuring alerts for tags associated with high-latency and error spans for instrumented software | |
| CN110928718B (en) | Abnormality processing method, system, terminal and medium based on association analysis | |
| US10262032B2 (en) | Cache based efficient access scheduling for super scaled stream processing systems | |
| US9678822B2 (en) | Real-time categorization of log events | |
| CN103513983B (en) | method and system for predictive alert threshold determination tool | |
| EP4099170B1 (en) | Method and apparatus of auditing log, electronic device, and medium | |
| US11775501B2 (en) | Trace and span sampling and analysis for instrumented software | |
| Zhao et al. | An empirical investigation of practical log anomaly detection for online service systems | |
| CN111190876A (en) | Log management system and operation method thereof | |
| CN112948397A (en) | Data processing system, method, device and storage medium | |
| CN108182263A (en) | A kind of date storage method of data center's total management system | |
| CN114880405A (en) | Data lake-based data processing method and system | |
| CN115344207A (en) | Data processing method and device, electronic equipment and storage medium | |
| CN114461792A (en) | Alarm event correlation method, device, electronic equipment, medium and program product | |
| CN115640300A (en) | Big data management method, system, electronic equipment and storage medium | |
| CN114443437A (en) | Alarm root cause output method, apparatus, device, medium, and program product | |
| CN116701525A (en) | Early warning method and system based on real-time data analysis and electronic equipment | |
| Bailis et al. | Macrobase: Analytic monitoring for the internet of things | |
| CN112306820A (en) | Log operation and maintenance root cause analysis method and device, electronic equipment and storage medium | |
| CN111414355A (en) | Offshore wind farm data monitoring and storing system, method and device | |
| CN110677271A (en) | Big data alarm method, device, equipment and storage medium based on ELK | |
| CN112825165A (en) | Project quality management method and device | |
| CN117271578A (en) | Data query method, visual data processing method and device, electronic equipment and storage medium | |
| CN114625763A (en) | Information analysis method and device for database, electronic equipment and readable medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20220927 Address after: 25 Financial Street, Xicheng District, Beijing 100033 Applicant after: CHINA CONSTRUCTION BANK Corp. Address before: 25 Financial Street, Xicheng District, Beijing 100033 Applicant before: CHINA CONSTRUCTION BANK Corp. Applicant before: Jianxin Financial Science and Technology Co.,Ltd. |
|
| TA01 | Transfer of patent application right | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |