CN112799929A - Root cause analysis method and system for alarm log - Google Patents

Root cause analysis method and system for alarm log Download PDF

Info

Publication number
CN112799929A
CN112799929A CN202110126298.0A CN202110126298A CN112799929A CN 112799929 A CN112799929 A CN 112799929A CN 202110126298 A CN202110126298 A CN 202110126298A CN 112799929 A CN112799929 A CN 112799929A
Authority
CN
China
Prior art keywords
node
hierarchical tree
alarm
generalized hierarchical
batch
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110126298.0A
Other languages
Chinese (zh)
Inventor
吴冕冠
周文泽
陆新龙
谢伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC filed Critical Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202110126298.0A priority Critical patent/CN112799929A/en
Publication of CN112799929A publication Critical patent/CN112799929A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3466Performance evaluation by tracing or monitoring

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a root cause analysis method and a system of an alarm log, which can be used in the financial field or other fields, and the method comprises the following steps: receiving batch alarm logs; obtaining an alarm root factor of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set; and the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, the batch historical alarm logs and actual results corresponding to the historical alarm logs respectively. According to the method and the device, the efficiency of the root cause analysis of the alarm log can be improved on the basis of ensuring the reliability of the root cause analysis of the alarm log.

Description

Root cause analysis method and system for alarm log
Technical Field
The application relates to the technical field of data processing, in particular to a root cause analysis method and system for an alarm log.
Background
With the continuous and rapid development of the distributed services in cloud computing, the calling complexity between services is exponentially increased compared with the traditional single architecture. When the transaction fails, the difficulty of troubleshooting of operation, maintenance and development related personnel on the problems is undoubtedly increased compared with the traditional single framework.
Particularly, when a large amount of alarms occur in production, at present, service personnel and operation and maintenance personnel cannot quickly locate the reasons of problems according to the alarm information, and need to send alarm logs to developers to assist in analyzing the reasons of the problems, and the developers are also difficult to quickly locate the reasons of the problems when facing a large amount of complicated alarm information, and may need to combine multiple developers for discussion and analysis together to finally locate the root causes of the problems, so that the efficiency is relatively low.
Disclosure of Invention
Aiming at the problems in the prior art, the application provides a root cause analysis method and a system for an alarm log, which can improve the efficiency of the root cause analysis of the alarm log on the basis of ensuring the reliability of the root cause analysis of the alarm log.
In order to solve the technical problem, the present application provides the following technical solutions:
in a first aspect, the present application provides a root cause analysis method for an alarm log, including:
receiving batch alarm logs;
obtaining an alarm root factor of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set;
and the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, the batch historical alarm logs and actual results corresponding to the historical alarm logs respectively.
Further, before obtaining the alarm root of the batch alarm log according to the batch alarm log and a preset generalized hierarchical tree set, the method further includes:
obtaining batch historical alarm logs and actual results corresponding to the historical alarm logs, wherein the actual results comprise: an abnormal result or a normal result;
generating a plurality of generalized hierarchical trees according to the batch historical alarm logs;
obtaining the association coefficient of each intermediate node in the generalized hierarchical tree according to a preset association coefficient algorithm, a batch historical alarm log and an actual result;
and using the association coefficients of the generalized hierarchical trees and the intermediate nodes thereof as the generalized hierarchical tree set.
Further, the obtaining an alarm root factor of the batch alarm log according to the batch alarm log and a preset generalized hierarchical tree set includes:
loading all alarm logs into the preset generalized hierarchical tree set to obtain the number of characteristic attributes of all alarm logs corresponding to each leaf node, wherein the preset generalized hierarchical tree set comprises a plurality of generalized hierarchical trees and the association coefficients of each intermediate node of the generalized hierarchical trees, and each generalized hierarchical tree comprises a leaf node and an intermediate node;
if the leaf nodes with the characteristic attribute number larger than or equal to the number threshold exist, taking the leaf nodes as root cause nodes in the corresponding generalized hierarchical tree;
if a generalized hierarchical tree exists, wherein the number of the characteristic attributes corresponding to each leaf node is smaller than a quantity threshold, a root factor node in the generalized hierarchical tree is obtained according to the association coefficient of each intermediate node in the generalized hierarchical tree, the number of the characteristic attributes corresponding to each leaf node and the quantity threshold;
and obtaining the alarm root factors of the batch alarm logs according to the root factor nodes in each generalized hierarchical tree.
Further, the obtaining a root node in the generalized hierarchical tree according to the association coefficient of each intermediate node in the generalized hierarchical tree, the number of the feature attributes corresponding to each leaf node, and the quantity threshold includes:
taking the maximum correlation coefficient value in the nodes of the upper layer of the leaf nodes as a target node;
performing a generalization process, the generalization process comprising: taking the sum of the feature attribute numbers of the nodes related to the target node in the next layer of nodes of the target node as the feature attribute number of the target node;
if the number of the characteristic attributes of the target node is smaller than the number threshold, taking the node with the largest correlation coefficient value in the node at the upper layer of the target node as the target node, and executing the generalization process again until the number of the characteristic attributes of the target node is larger than or equal to the number threshold;
and taking the target node as a root factor node in the corresponding generalized hierarchical tree.
In a second aspect, the present application provides a root cause analysis system for an alarm log, comprising:
the receiving module is used for receiving batch alarm logs;
the root cause analysis module is used for obtaining the alarm root causes of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set;
and the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, the batch historical alarm logs and actual results corresponding to the historical alarm logs respectively.
Further, the root cause analysis system of the alarm log further comprises:
an obtaining module, configured to obtain actual results corresponding to the batch of historical alarm logs and each historical alarm log, where the actual results include: an abnormal result or a normal result;
the generation module is used for generating a plurality of generalized hierarchical trees according to the batch historical alarm logs;
the correlation coefficient obtaining module is used for obtaining the correlation coefficient of each intermediate node in the generalized hierarchical tree according to a preset correlation coefficient algorithm, a batch historical alarm log and an actual result;
and the acquisition module is used for taking the association coefficients of the generalized hierarchical trees and the intermediate nodes thereof as the generalized hierarchical tree set.
Further, the root cause analysis module includes:
a loading unit, configured to load all alarm logs into the preset generalized hierarchical tree set to obtain the number of characteristic attributes of all alarm logs corresponding to each leaf node, where the preset generalized hierarchical tree set includes a plurality of generalized hierarchical trees and associated coefficients of each intermediate node thereof, and each generalized hierarchical tree includes a leaf node and an intermediate node;
the first judging unit is used for taking the leaf node as a root factor node in the corresponding generalized hierarchical tree if the leaf node with the characteristic attribute number larger than or equal to the number threshold exists;
a second judging unit, configured to, if there is a generalized hierarchical tree in which the number of feature attributes corresponding to each leaf node is smaller than a quantity threshold, obtain a root node in the generalized hierarchical tree according to the association coefficient of each intermediate node in the generalized hierarchical tree, the number of feature attributes corresponding to each leaf node, and the quantity threshold;
and the root cause analysis unit is used for obtaining the alarm root causes of the batch alarm logs according to the root cause nodes in each generalized hierarchical tree.
Further, the second determination unit includes:
a node determination subunit, configured to use the node in the previous layer of the leaf node with the largest correlation coefficient value as a target node;
an execution subunit, configured to execute a generalization process, the generalization process including: taking the sum of the feature attribute numbers of the nodes related to the target node in the next layer of nodes of the target node as the feature attribute number of the target node;
a cyclic subunit, configured to, if the number of the feature attributes of the target node is smaller than the number threshold, take the node in the previous layer of the target node with the largest correlation coefficient value as the target node, and execute the generalization process again until the number of the feature attributes of the target node is greater than or equal to the number threshold;
and obtaining a root factor node subunit, which is used for taking the target node as a root factor node in the corresponding generalized hierarchical tree.
In a third aspect, the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the root cause analysis method of the alarm log when executing the program.
In a fourth aspect, the present application provides a computer readable storage medium having stored thereon computer instructions that, when executed, implement the method of root cause analysis of alarm logs.
According to the technical scheme, the root cause analysis method and the root cause analysis system for the alarm log are provided. Wherein, the method comprises the following steps: receiving batch alarm logs; obtaining an alarm root factor of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set; the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, batch historical alarm logs and actual results corresponding to the historical alarm logs respectively, and the efficiency of root cause analysis of the alarm logs can be improved on the basis of ensuring the reliability of the root cause analysis of the alarm logs; specifically, the automation degree of the root cause analysis can be improved, the multiplexing of the generalized hierarchical tree and the association coefficient can be realized, the universality of the application scene of the root cause analysis can be improved, the labor cost can be saved, and the efficiency and the real-time performance of the root cause analysis can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a root cause analysis method of an alarm log in an embodiment of the present application;
FIG. 2 is a schematic diagram of a service feature generalized hierarchical tree constructed in a specific application example of the present application;
FIG. 3 is a schematic diagram of a generalized hierarchical tree of method features constructed in a specific application example of the present application;
FIG. 4 is a diagram illustrating an application feature generalized hierarchical tree constructed in a specific application example of the present application;
FIG. 5 is a schematic diagram of a host feature generalized hierarchical tree constructed in a specific application example of the present application;
FIG. 6 is a diagram illustrating a service feature generalized hierarchical tree after feature attribute mapping in an exemplary application of the present application;
FIG. 7 is a diagram illustrating a generalized hierarchical tree of method features after feature attribute mapping in an exemplary application of the present application;
FIG. 8 is a diagram illustrating an application feature generalized hierarchical tree after feature attribute mapping in a specific application example of the present application;
FIG. 9 is a diagram illustrating a host feature generalized hierarchical tree after feature attribute mapping in an exemplary embodiment of the present application;
FIG. 10 is a schematic diagram of a generalized host feature generalized hierarchical tree in an exemplary embodiment of the present application;
FIG. 11 is a schematic structural diagram of a root cause analysis system of an alarm log in an embodiment of the present application;
FIG. 12 is a schematic diagram of a root cause analysis system of an alarm log in an application example of the present application;
FIG. 13 is a generalized hierarchical tree diagram illustrating an exemplary network fault signature of the present application;
FIG. 14 is a schematic structural diagram of a cluster attribute locating device in an application example of the present application;
FIG. 15 is a schematic structural diagram of a generalized hierarchical tree construction apparatus in an application example of the present application;
fig. 16 is a schematic block diagram of a system configuration of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to solve the problems that a system cannot analyze and locate the root cause of a problem through an automatic means and a developer has low efficiency in positioning the problem manually when a large number of alarms occur in production and realize efficient and automatic analysis of the root cause of the problem based on an alarm log, the application considers and provides a new root cause analysis mode of the alarm log, a generalized hierarchical tree of each characteristic and an association coefficient of each characteristic attribute and a final result are established by performing hierarchical generalization processing on each attribute of the alarm log, wherein a father node comprises the characteristic attribute of a child node. Then the system carries out log combination on each characteristic attribute of the alarm log such as a transaction alarm log, and continuously iterates upwards according to the correlation coefficient of each characteristic attribute and counts how many similar logs are contained in the characteristic attribute until the number of the logs contained in a certain clustering result is greater than a threshold set by a user (as optimization, the number is usually one fifth of the total number of the processing logs, and the user can also set the clustering result by himself/herself); the obtained generalized clustering result can represent a common root cause of the alarm log.
Based on this, in order to improve the efficiency of root cause analysis of the alarm log on the basis of ensuring the reliability of the root cause analysis of the alarm log, an embodiment of the present application provides a root cause analysis system of the alarm log, where the system may be a server or a client device, and the client device may include a smart phone, a tablet electronic device, a network set-top box, a portable computer, a desktop computer, a Personal Digital Assistant (PDA), a vehicle-mounted device, an intelligent wearable device, and the like. Wherein, intelligence wearing equipment can include intelligent glasses, intelligent wrist-watch and intelligent bracelet etc..
In practical applications, the part for performing root cause analysis of the alarm log may be performed on the server side as described above, or all operations may be performed in the client device. The selection may be specifically performed according to the processing capability of the client device, the limitation of the user usage scenario, and the like. This is not a limitation of the present application. The client device may further include a processor if all operations are performed in the client device.
The client device may have a communication module (i.e., a communication unit), and may be communicatively connected to a remote server to implement data transmission with the server. The server may include a server on the task scheduling center side, and in other implementation scenarios, the server may also include a server on an intermediate platform, for example, a server on a third-party server platform that is communicatively linked to the task scheduling center server. The server may include a single computer device, or may include a server cluster formed by a plurality of servers, or a server structure of a distributed apparatus.
The server and the client device may communicate using any suitable network protocol, including network protocols not yet developed at the filing date of this application. The network protocol may include, for example, a TCP/IP protocol, a UDP/IP protocol, an HTTP protocol, an HTTPS protocol, or the like. Of course, the network Protocol may also include, for example, an RPC Protocol (Remote Procedure Call Protocol), a REST Protocol (Representational State Transfer Protocol), and the like used above the above Protocol.
It should be noted that the root cause analysis method and system for alarm logs disclosed in the present application can be used in the field of financial technology, and can also be used in any field except the field of financial technology.
The following examples are intended to illustrate the details.
In order to improve the efficiency of root cause analysis of alarm logs on the basis of ensuring the reliability of the root cause analysis of the alarm logs, the embodiment provides a root cause analysis method for alarm logs of a root cause analysis system, in which the main execution body is the alarm logs, the root cause analysis system of the alarm logs includes but is not limited to a server, and as shown in fig. 1, the method specifically includes the following contents:
step 100: and receiving batch alarm logs.
Specifically, batch alarm logs sent by the distributed server may be received, and each alarm log may include: feature attributes corresponding to features such as services, methods, applications, and hosts.
Step 200: obtaining an alarm root factor of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set; and the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, the batch historical alarm logs and actual results corresponding to the historical alarm logs respectively.
Specifically, the alarm root factor may represent a reason for generating a batch alarm log, and may be used to determine a method in which an exception may exist, and a host, an application, a service, and the like corresponding to the method; the preset correlation coefficient algorithm may be pd.corr () algorithm; the actual result may represent an actual condition of the operation of the distributed server corresponding to the history alarm log, and may be abnormal or normal.
As can be seen from the above description, the root cause analysis method for alarm logs provided in the embodiments of the present application receives batch alarm logs; obtaining an alarm root factor of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set; the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, batch historical alarm logs and actual results corresponding to the historical alarm logs respectively, and the efficiency of root cause analysis of the alarm logs can be improved on the basis of ensuring the reliability of the root cause analysis of the alarm logs; the method has stronger theoretical interpretability compared with the traditional method for aggregating the attributes with less current log quantity, and is more efficient in clustering iteration, and the finally obtained result is more consistent with the actual root cause conclusion.
In order to further improve the reliability of obtaining the generalized hierarchical tree set and further improve the accuracy of performing root cause analysis by using the reliable generalized hierarchical tree set, in an embodiment of the present application, before step 200, the method further includes:
step 001: obtaining batch historical alarm logs and actual results corresponding to the historical alarm logs, wherein the actual results comprise: abnormal results or normal results.
Step 002: and generating a plurality of generalized hierarchical trees according to the batch historical alarm logs.
Specifically, a plurality of generalized hierarchical trees can be generated according to the batch historical alarm logs and a preset characteristic attribute relation table; the preset feature attribute relationship table may include direct correspondence between features and feature attributes and between feature attributes, that is, a direct interlayer relationship and a direct inclusion relationship, and may be specifically set according to actual needs, which is not limited in the present application, for example: the application characteristics comprise platform application and host application characteristic attributes, the platform application characteristic attributes comprise F-DSF and F-BAM characteristic attributes, and the host application characteristic attributes comprise F-AAA and F-BBB characteristic attributes; and when the leaf characteristic attribute of the generalized hierarchical tree is determined, applying a preset characteristic attribute relation table to obtain a complete generalized hierarchical tree.
Wherein, the root node in the generalized hierarchical tree can represent the characteristics of the alarm log, the non-root node can represent the characteristic attribute, and the characteristics of the generalized hierarchical trees are different; the non-root node is a node except the root node in the generalized hierarchical tree; the feature attributes may include feature attributes associated with them in the next level of nodes.
Step 003: and obtaining the association coefficient of each intermediate node in the generalized hierarchical tree according to a preset association coefficient algorithm, a batch historical alarm log and an actual result.
Specifically, the intermediate node may represent each node other than the root node and the leaf node in the generalized hierarchical tree, and the association coefficient of the intermediate node may represent an association coefficient between the intermediate node and the abnormal result.
Step 004: and using the association coefficients of the generalized hierarchical trees and the intermediate nodes thereof as the generalized hierarchical tree set.
To further improve the automation and efficiency of the root cause analysis, in one embodiment of the present application, the step 200 comprises:
step 210: and loading all the alarm logs into the preset generalized hierarchical tree set to obtain the number of the characteristic attributes of all the alarm logs corresponding to each leaf node, wherein the preset generalized hierarchical tree set comprises a plurality of generalized hierarchical trees and the association coefficients of each intermediate node of the generalized hierarchical trees, and each generalized hierarchical tree comprises a leaf node and an intermediate node.
Step 220: and if the leaf nodes with the characteristic attribute number larger than or equal to the number threshold exist, taking the leaf nodes as root nodes in the corresponding generalized hierarchical tree.
Specifically, the leaf node with the number of the feature attributes being greater than or equal to the number threshold may be used as a root node in the generalized hierarchical tree corresponding to the leaf node.
Step 230: and if the generalized hierarchical tree exists, wherein the number of the characteristic attributes corresponding to each leaf node is smaller than the quantity threshold, the root factor node in the generalized hierarchical tree is obtained according to the association coefficient of each intermediate node in the generalized hierarchical tree, the number of the characteristic attributes corresponding to each leaf node and the quantity threshold.
Specifically, if the number of the feature attributes corresponding to each leaf node in the generalized hierarchical tree is less than the number threshold, the root node in the generalized hierarchical tree is obtained according to the association coefficient of each intermediate node in the generalized hierarchical tree, the number of the feature attributes corresponding to each leaf node, and the number threshold.
Step 240: and obtaining the alarm root factors of the batch alarm logs according to the root factor nodes in each generalized hierarchical tree.
In order to further improve the accuracy and efficiency of determining root nodes, in an embodiment of the present application, the obtaining root nodes in the generalized hierarchical tree according to the association coefficients of each intermediate node in the generalized hierarchical tree, the number of the feature attributes corresponding to each leaf node, and the number threshold in step 230 includes:
step 241: and taking the node on the upper layer of the leaf nodes with the maximum correlation coefficient value as a target node.
Specifically, the leaf nodes are leaf nodes in the generalized hierarchical tree, the number of characteristic attributes corresponding to each leaf node is less than a quantity threshold; the generalized hierarchical tree may be divided into multiple levels, each level containing multiple nodes.
Step 242: performing a generalization process, the generalization process comprising: and taking the sum of the feature attribute numbers of the nodes related to the target node in the next layer of nodes of the target node as the feature attribute number of the target node.
Specifically, performing the generalization process may be equivalent to a process of clustering iteration; the node associated with the target node in the next-layer node may be a node directly included in the target node; for example, if there are two associated nodes, and the number of the feature attributes is a and B, respectively, then the number of the feature attributes of the target node is a + B.
Step 243: and if the number of the characteristic attributes of the target node is less than the number threshold, taking the node with the maximum correlation coefficient value in the node at the upper layer of the target node as the target node, and executing the generalization process again until the number of the characteristic attributes of the target node is more than or equal to the number threshold.
Step 244: and taking the target node as a root factor node in the corresponding generalized hierarchical tree.
To further explain the solution, in a specific application example of the root cause analysis method for an alarm log according to the present application, the method specifically includes:
step S1: as shown in table 1, the inventory alarm logs, that is, the batch history alarm logs, may include 20 inventory alarm logs, and each inventory alarm log includes: service, method, application and host, each feature has a plurality of feature attributes, such as application (application) features having 4 leaf feature attributes of "F-DSF", "F-BAM", "F-AAA" and "F-BBB", where "F-DSF" and "F-BAM" are platform class (platform) applications and "F-AAA" and "F-BBB" are host class (mainframe) applications, so the application features have 6 feature attributes in common.
TABLE 1
Figure BDA0002923620360000091
Figure BDA0002923620360000101
Step S2: training according to pd.corr () algorithm to obtain the correlation coefficient (the value range is 0-1,0 represents irrelevant, 1 represents 100% relevant) of each characteristic attribute and the final result (the last column is an abnormal part); applying pd.corr () algorithm, the stock alarm log in table 1 and the final result to obtain the correlation coefficient of each characteristic attribute in table 2; for example, in the application characteristics in table 1, the logs with the characteristic attribute of "F-AAA" all have abnormal results, so the correlation coefficient between the characteristic attribute of "F-AAA" and the final result is 1; the attribute of the "query" feature in the method feature has 10 records, wherein 8 records have an abnormal final result, so that the correlation coefficient between the "query" and the final result is 0.8; other characteristic attributes and final result correlation coefficients can be obtained similarly.
TABLE 2
Figure BDA0002923620360000102
Step S3: constructing and obtaining a service feature generalized hierarchical tree in fig. 2 according to the relationship between the attributes of the features in table 1 and table 2, wherein 0.5 and 0 represent the correlation coefficient of the non-leaf attribute, 0.2 and 0.8 represent the correlation coefficient of the non-leaf attribute in the method feature generalized hierarchical tree in fig. 3, 0.4 represents the application feature generalized hierarchical tree in fig. 4, 0 and 1 represent the correlation coefficient of the non-leaf attribute, and 0, 0.1 and 1 represent the correlation coefficient of the non-leaf attribute in the host feature generalized hierarchical tree in fig. 5.
For example, the host features a generalized hierarchical tree, all IPs corresponding to the host are distributed in the campus 1 and the campus 2, each campus is divided into a plurality of fault domains, and the IP nodes of each server which actually operates are located below each fault domain.
Step S4: after the building of the generalized hierarchical tree is completed, the system starts to receive the alarm logs in real time, for example, 10 alarm logs shown in table 3 are received by the system in a certain batch.
TABLE 3
Figure BDA0002923620360000111
Step S5: as shown in fig. 6 to 9, mapping each feature attribute of the alarm log to the four previously generated generalized hierarchical trees to obtain the number of logs of each generalized hierarchical tree feature attribute corresponding to the 10 logs; in fig. 2 and 6, bam, dtx, preapproval, consumerCredit, aml, comscore, service, and ipublic in the non-root nodes of the service feature generalized hierarchical tree all represent feature attributes; in fig. 3 and 7, response, "logMainTxStart," "logTxStart," request, and "query" in the non-root node of the method feature generalized hierarchical tree each represent a feature attribute; in FIGS. 4 and 8, the platform, "F-BAM", "F-DSF", mainframe, "F-AAA", and "F-BBB" in the non-root node of the application feature generalized hierarchical tree all represent feature attributes; in fig. 5 and 9, campus 1, campus 2, fault domain a to fault domain C, "× 49.74.45", "× 49.74.52", "× 27.77.59", "× 27.77.37", and "× 27.77.43" in the non-root nodes of the host feature generalized hierarchical tree all represent feature attributes.
Step S6: if the preset quantity threshold is 4, it can be seen that the three generalized hierarchical trees of service, method and application all have 4 or more logs contained in the node, so that the three trees do not need to be generalized upwards. The number of logs which do not contain the attributes in the host generalized hierarchical tree exceeds a threshold value, so that iterative generalization needs to be carried out on the attributes with the maximum correlation coefficients in the host generalized hierarchical tree; as shown in fig. 9, the tree can be generalized at present, and the association coefficient of the two attributes "fault domain a" and "fault domain B" is the largest, so that the two nodes are selected for generalization.
Step S7: as shown in fig. 10, in the generalized host generalized hierarchical tree, the number of logs included in the attribute of "fault domain a" is already greater than the threshold, and at this time, the number of logs included in all four attributes is greater than or equal to the threshold. Therefore, the generalization process is finished, and the generalization final result of each generalization hierarchical tree is output, namely: there may be an anomaly in the "query" method of the "bam.consumercredit.bamconsumercreditservice __1_0" service of the F-AAA application running in the failure domain a.
According to the above description, the root cause analysis method for the alarm log provided by the specific application example is characterized in that an attribute generalized hierarchical tree, the association coefficient of each characteristic attribute and the final result and the log number threshold value of the clustering end are established according to the relevant service characteristics, after the system is started, manual intervention is not required at all, the system can continuously analyze the alarm log through the whole model and output the root cause analysis result, and the efficiency and the real-time performance of the root cause analysis method are much higher than those of the traditional manual analysis; the attribute generalized hierarchical tree and the correlation coefficient of each characteristic attribute and the final result are constructed according to the technical characteristics of related services, and then the hierarchical tree and the correlation coefficient can be reused all the time without analyzing the reason for error reporting according to the alarm log each time, so that the labor cost in the root cause analysis process of the alarm log is greatly reduced; the model can be used in one type of application, different types of applications only need to construct corresponding attribute generalized hierarchical trees and association coefficients of each characteristic attribute and a final result according to the service-removing technical characteristics, and other devices can be universal in each scene, so that the model can be reused and popularized.
In another application example of the present application, the root cause analysis method for an alarm log includes: performing feature extraction on the inventory alarm log, applying pd.corr () algorithm to train to obtain the correlation coefficient of each feature attribute and the final result, and constructing a generalized hierarchical tree according to the feature attributes; each characteristic attribute of each alarm log has a unique and topmost generalization result; the generalized hierarchical trees of all the features form a generalized hierarchical tree set. When the system receives the alarm logs in the production environment, firstly, the alarm logs are subjected to feature extraction, effective feature attributes are screened out, then, a generalized hierarchical tree set is loaded, and the alarm logs of the same type are merged. And then judging whether the number of alarm logs contained in a certain clustering result is larger than a threshold value (generally set to be one fifth of the total number of the logs). If the condition is not met, selecting the characteristic attribute with the maximum absolute value of the current association coefficient, replacing the value of the characteristic attribute of all logs with the value of the upper layer of the characteristic attribute, and continuing to combine the logs of the same type until the number of the logs contained in a certain clustering result is greater than a threshold value. The clustering result is output, namely the root cause attributes of all alarm logs contained in the clustering result can be represented, and the efficiency of root cause analysis of the alarm logs can be improved on the basis of ensuring the reliability of the root cause analysis of the alarm logs.
In terms of software, in order to improve the efficiency of root cause analysis of the alarm log on the basis of ensuring the reliability of the root cause analysis of the alarm log, the present application provides an embodiment of a root cause analysis system of the alarm log for implementing all or part of the content in the root cause analysis method of the alarm log, referring to fig. 11, where the root cause analysis system of the alarm log specifically includes the following contents:
and the receiving module 10 is used for receiving the batch alarm logs.
The root cause analysis module 20 is configured to obtain an alarm root cause of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set; and the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, the batch historical alarm logs and actual results corresponding to the historical alarm logs respectively.
In an embodiment of the present application, the root cause analysis system for alarm log further includes:
an obtaining module, configured to obtain actual results corresponding to the batch of historical alarm logs and each historical alarm log, where the actual results include: abnormal results or normal results.
And the generation module is used for generating a plurality of generalized hierarchical trees according to the batch historical alarm logs.
And the correlation coefficient obtaining module is used for obtaining the correlation coefficient of each intermediate node in the generalized hierarchical tree according to a preset correlation coefficient algorithm, a batch historical alarm log and an actual result.
And the acquisition module is used for taking the association coefficients of the generalized hierarchical trees and the intermediate nodes thereof as the generalized hierarchical tree set.
In an embodiment of the present application, the root cause analysis module includes:
and the loading unit is used for loading all the alarm logs into the preset generalized hierarchical tree set to obtain the number of the characteristic attributes of all the alarm logs corresponding to each leaf node, the preset generalized hierarchical tree set comprises a plurality of generalized hierarchical trees and the correlation coefficients of each intermediate node of the generalized hierarchical trees, and each generalized hierarchical tree comprises a leaf node and an intermediate node.
And the first judging unit is used for taking the leaf node as a root node in the corresponding generalized hierarchical tree if the leaf node with the characteristic attribute number larger than or equal to the number threshold exists.
And the second judging unit is used for obtaining root nodes in the generalized hierarchical tree according to the association coefficient of each intermediate node in the generalized hierarchical tree, the number of the characteristic attributes corresponding to each leaf node and the quantity threshold if the generalized hierarchical tree exists, wherein the number of the characteristic attributes corresponding to each leaf node is smaller than the quantity threshold.
And the root cause analysis unit is used for obtaining the alarm root causes of the batch alarm logs according to the root cause nodes in each generalized hierarchical tree.
In an embodiment of the present application, the second determining unit includes:
and the node determining subunit is used for taking the node with the maximum correlation coefficient value in the nodes of the layer above the leaf nodes as a target node.
An execution subunit, configured to execute a generalization process, the generalization process including: and taking the sum of the feature attribute numbers of the nodes related to the target node in the next layer of nodes of the target node as the feature attribute number of the target node.
And the circulating subunit is configured to, if the number of the characteristic attributes of the target node is smaller than the number threshold, take the node in the previous layer of the target node with the largest correlation coefficient value as the target node, and execute the generalization process again until the number of the characteristic attributes of the target node is greater than or equal to the number threshold.
And obtaining a root factor node subunit, which is used for taking the target node as a root factor node in the corresponding generalized hierarchical tree.
The embodiment of the root cause analysis system for an alarm log provided in this specification may be specifically configured to execute the processing procedure of the embodiment of the root cause analysis method for an alarm log, and the functions of the embodiment are not described herein again, and reference may be made to the detailed description of the embodiment of the root cause analysis method for an alarm log.
To further illustrate the present solution, the present application provides an application example of a root cause analysis system for an alarm log, as shown in fig. 12, the system specifically includes:
log access device 01: for receiving an alarm log.
Feature extraction device 02: the method is used for extracting the features of the alarm log and screening out effective feature attributes.
The generalized hierarchical tree loading apparatus 03: for loading the generalized hierarchical tree set.
Alarm log merging means 04: and the method is used for merging the alarm logs of the same type, counting the number of the alarm logs of the type and judging whether upward clustering is needed to be continued.
Cluster attribute locating device 05: the method is used for positioning the next characteristic attribute to be clustered, and the specific positioning method comprises the following steps of firstly calculating Fi corresponding to each characteristic attribute of the characteristic Ai:
and fi (v) SELECT s FROM T WHERE Ai (v) represents a correlation coefficient s for querying a feature attribute v in the Ai feature.
And Fi ═ max { Fi (v) | v ∈ Dom (Ai) } represents that the feature attribute v with the largest Fi (v) value in the feature Ai is selected as the feature attribute to be clustered next.
The attribute replacing device 06: and the characteristic attribute of the alarm log is replaced into the characteristic attribute of the upper layer.
Clustering result output means 07: for outputting the final clustering result.
Generalized hierarchical tree construction device 08: and the method is used for carrying out generalized hierarchical tree construction according to the characteristic attributes of the alarm log. Referring to fig. 13, in an example, the network fault types in the alarm log include network packet loss and network port non-communication, and the network port non-communication may be subdivided into local network port non-communication and remote network port non-communication, based on which, a generalized hierarchical tree of network fault characteristics is constructed.
Fig. 14 is a schematic structural diagram of the cluster attribute locating device 05, and as shown in fig. 14, the cluster attribute locating device 05 includes: a characteristic attribute correlation coefficient search unit 51 and a characteristic attribute correlation coefficient comparison unit 52,
wherein:
the feature attribute association coefficient search unit 51: and the correlation coefficient is used for inquiring the characteristic attribute.
The characteristic-attribute-correlation-coefficient comparing unit 52: for comparing how much each feature attribute contains the log number.
Fig. 15 is a schematic structural diagram of the generalized hierarchical tree construction apparatus 08, and as shown in fig. 15, the generalized hierarchical tree construction apparatus 08 includes: a generalized hierarchical tree construction unit 81, a generalized hierarchical tree integration unit 82, and a feature attribute association coefficient generation unit 83, wherein:
the generalized hierarchical tree construction unit 81: a generalized hierarchical tree for constructing the feature.
The generalized hierarchical tree integration unit 82: for integrating the different generalized hierarchical trees in the log.
Feature attribute correlation coefficient generation unit 83: and generating the association coefficient corresponding to each characteristic attribute in the hierarchical generalized tree.
According to the description, the root cause analysis method and the root cause analysis system for the alarm log can improve the efficiency of the root cause analysis of the alarm log on the basis of ensuring the reliability of the root cause analysis of the alarm log; specifically, the automation degree of the root cause analysis can be improved, the multiplexing of the generalized hierarchical tree and the association coefficient can be realized, the universality of the application scene of the root cause analysis can be improved, the labor cost can be saved, and the efficiency and the real-time performance of the root cause analysis can be improved.
In terms of hardware, in order to improve the efficiency of the alarm log root cause analysis on the basis of ensuring the reliability of the alarm log root cause analysis, the present application provides an embodiment of an electronic device for implementing all or part of the content in the alarm log root cause analysis method, where the electronic device specifically includes the following contents:
a processor (processor), a memory (memory), a communication Interface (Communications Interface), and a bus; the processor, the memory and the communication interface complete mutual communication through the bus; the communication interface is used for realizing information transmission between related equipment such as a root cause analysis system of the alarm log, a user terminal and the like; the electronic device may be a desktop computer, a tablet computer, a mobile terminal, and the like, but the embodiment is not limited thereto. In this embodiment, the electronic device may be implemented with reference to the embodiment of the root cause analysis method for implementing the alarm log and the embodiment of the root cause analysis system for implementing the alarm log, which are incorporated herein, and repeated details are not repeated here.
Fig. 16 is a schematic block diagram of a system configuration of an electronic device 9600 according to an embodiment of the present application. As shown in fig. 16, the electronic device 9600 can include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. Notably, this fig. 16 is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In one or more embodiments of the present application, the root cause analysis functionality of the alarm log can be integrated into the central processor 9100. The central processor 9100 may be configured to control as follows:
step 100: and receiving batch alarm logs.
Step 200: obtaining an alarm root factor of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set; and the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, the batch historical alarm logs and actual results corresponding to the historical alarm logs respectively.
As can be seen from the above description, the electronic device provided in the embodiments of the present application can improve the efficiency of the alarm log root cause analysis on the basis of ensuring the reliability of the alarm log root cause analysis.
In another embodiment, the root cause analysis system of the alarm log may be configured separately from the central processor 9100, for example, the root cause analysis system of the alarm log may be configured as a chip connected to the central processor 9100, and the root cause analysis function of the alarm log is realized by the control of the central processor.
As shown in fig. 16, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 also does not necessarily include all of the components shown in fig. 16; further, the electronic device 9600 may further include components not shown in fig. 16, which can be referred to in the related art.
As shown in fig. 16, a central processor 9100, sometimes referred to as a controller or operational control, can include a microprocessor or other processor device and/or logic device, which central processor 9100 receives input and controls the operation of the various components of the electronic device 9600.
The memory 9140 can be, for example, one or more of a buffer, a flash memory, a hard drive, a removable media, a volatile memory, a non-volatile memory, or other suitable device. The information relating to the failure may be stored, and a program for executing the information may be stored. And the central processing unit 9100 can execute the program stored in the memory 9140 to realize information storage or processing, or the like.
The input unit 9120 provides input to the central processor 9100. The input unit 9120 is, for example, a key or a touch input device. Power supply 9170 is used to provide power to electronic device 9600. The display 9160 is used for displaying display objects such as images and characters. The display may be, for example, an LCD display, but is not limited thereto.
The memory 9140 can be a solid state memory, e.g., Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. There may also be a memory that holds information even when power is off, can be selectively erased, and is provided with more data, an example of which is sometimes called an EPROM or the like. The memory 9140 could also be some other type of device. Memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer). The memory 9140 may include an application/function storage portion 9142, the application/function storage portion 9142 being used for storing application programs and function programs or for executing a flow of operations of the electronic device 9600 by the central processor 9100.
The memory 9140 can also include a data store 9143, the data store 9143 being used to store data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers for the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, contact book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. The communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, may be provided in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and receive audio input from the microphone 9132, thereby implementing ordinary telecommunications functions. The audio processor 9130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100, thereby enabling recording locally through the microphone 9132 and enabling locally stored sounds to be played through the speaker 9131.
As can be seen from the above description, the electronic device provided in the embodiments of the present application can improve the efficiency of the alarm log root cause analysis on the basis of ensuring the reliability of the alarm log root cause analysis.
Embodiments of the present application further provide a computer-readable storage medium capable of implementing all the steps in the root cause analysis method of an alarm log in the above embodiments, where the computer-readable storage medium stores a computer program, and the computer program implements all the steps of the root cause analysis method of an alarm log in the above embodiments when executed by a processor, for example, the processor implements the following steps when executing the computer program:
step 100: and receiving batch alarm logs.
Step 200: obtaining an alarm root factor of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set; and the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, the batch historical alarm logs and actual results corresponding to the historical alarm logs respectively.
As can be seen from the above description, the computer-readable storage medium provided in the embodiments of the present application can improve the efficiency of the alarm log root cause analysis on the basis of ensuring the reliability of the alarm log root cause analysis.
In the present application, each embodiment of the method is described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. Reference is made to the description of the method embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the present application are explained by applying specific embodiments in the present application, and the description of the above embodiments is only used to help understanding the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A root cause analysis method of an alarm log is characterized by comprising the following steps:
receiving batch alarm logs;
obtaining an alarm root factor of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set;
and the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, the batch historical alarm logs and actual results corresponding to the historical alarm logs respectively.
2. The method for root cause analysis of alarm logs according to claim 1, wherein before obtaining the alarm root cause of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set, the method further comprises:
obtaining batch historical alarm logs and actual results corresponding to the historical alarm logs, wherein the actual results comprise: an abnormal result or a normal result;
generating a plurality of generalized hierarchical trees according to the batch historical alarm logs;
obtaining the association coefficient of each intermediate node in the generalized hierarchical tree according to a preset association coefficient algorithm, a batch historical alarm log and an actual result;
and using the association coefficients of the generalized hierarchical trees and the intermediate nodes thereof as the generalized hierarchical tree set.
3. The root cause analysis method for the alarm logs according to claim 1, wherein the obtaining of the alarm root causes of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set comprises:
loading all alarm logs into the preset generalized hierarchical tree set to obtain the number of characteristic attributes of all alarm logs corresponding to each leaf node, wherein the preset generalized hierarchical tree set comprises a plurality of generalized hierarchical trees and the association coefficients of each intermediate node of the generalized hierarchical trees, and each generalized hierarchical tree comprises a leaf node and an intermediate node;
if the leaf nodes with the characteristic attribute number larger than or equal to the number threshold exist, taking the leaf nodes as root cause nodes in the corresponding generalized hierarchical tree;
if a generalized hierarchical tree exists, wherein the number of the characteristic attributes corresponding to each leaf node is smaller than a quantity threshold, a root factor node in the generalized hierarchical tree is obtained according to the association coefficient of each intermediate node in the generalized hierarchical tree, the number of the characteristic attributes corresponding to each leaf node and the quantity threshold;
and obtaining the alarm root factors of the batch alarm logs according to the root factor nodes in each generalized hierarchical tree.
4. The method of claim 3, wherein the obtaining root cause nodes in the generalized hierarchical tree according to the correlation coefficient of each intermediate node in the generalized hierarchical tree, the number of the feature attributes corresponding to each leaf node, and the quantity threshold comprises:
taking the maximum correlation coefficient value in the nodes of the upper layer of the leaf nodes as a target node;
performing a generalization process, the generalization process comprising: taking the sum of the feature attribute numbers of the nodes related to the target node in the next layer of nodes of the target node as the feature attribute number of the target node;
if the number of the characteristic attributes of the target node is smaller than the number threshold, taking the node with the largest correlation coefficient value in the node at the upper layer of the target node as the target node, and executing the generalization process again until the number of the characteristic attributes of the target node is larger than or equal to the number threshold;
and taking the target node as a root factor node in the corresponding generalized hierarchical tree.
5. A root cause analysis system for alarm logs, comprising:
the receiving module is used for receiving batch alarm logs;
the root cause analysis module is used for obtaining the alarm root causes of the batch alarm logs according to the batch alarm logs and a preset generalized hierarchical tree set;
and the preset generalized hierarchical tree set is obtained according to a preset association coefficient algorithm, the batch historical alarm logs and actual results corresponding to the historical alarm logs respectively.
6. The alarm log root cause analysis system of claim 5, further comprising:
an obtaining module, configured to obtain actual results corresponding to the batch of historical alarm logs and each historical alarm log, where the actual results include: an abnormal result or a normal result;
the generation module is used for generating a plurality of generalized hierarchical trees according to the batch historical alarm logs;
the correlation coefficient obtaining module is used for obtaining the correlation coefficient of each intermediate node in the generalized hierarchical tree according to a preset correlation coefficient algorithm, a batch historical alarm log and an actual result;
and the acquisition module is used for taking the association coefficients of the generalized hierarchical trees and the intermediate nodes thereof as the generalized hierarchical tree set.
7. The alarm log factorization system of claim 5, wherein the factorization module comprises:
a loading unit, configured to load all alarm logs into the preset generalized hierarchical tree set to obtain the number of characteristic attributes of all alarm logs corresponding to each leaf node, where the preset generalized hierarchical tree set includes a plurality of generalized hierarchical trees and associated coefficients of each intermediate node thereof, and each generalized hierarchical tree includes a leaf node and an intermediate node;
the first judging unit is used for taking the leaf node as a root factor node in the corresponding generalized hierarchical tree if the leaf node with the characteristic attribute number larger than or equal to the number threshold exists;
a second judging unit, configured to, if there is a generalized hierarchical tree in which the number of feature attributes corresponding to each leaf node is smaller than a quantity threshold, obtain a root node in the generalized hierarchical tree according to the association coefficient of each intermediate node in the generalized hierarchical tree, the number of feature attributes corresponding to each leaf node, and the quantity threshold;
and the root cause analysis unit is used for obtaining the alarm root causes of the batch alarm logs according to the root cause nodes in each generalized hierarchical tree.
8. The root cause analysis system of alarm logs according to claim 7, wherein the second judging unit comprises:
a node determination subunit, configured to use the node in the previous layer of the leaf node with the largest correlation coefficient value as a target node;
an execution subunit, configured to execute a generalization process, the generalization process including: taking the sum of the feature attribute numbers of the nodes related to the target node in the next layer of nodes of the target node as the feature attribute number of the target node;
a cyclic subunit, configured to, if the number of the feature attributes of the target node is smaller than the number threshold, take the node in the previous layer of the target node with the largest correlation coefficient value as the target node, and execute the generalization process again until the number of the feature attributes of the target node is greater than or equal to the number threshold;
and obtaining a root factor node subunit, which is used for taking the target node as a root factor node in the corresponding generalized hierarchical tree.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the root cause analysis method of alarm log of any of claims 1 to 4 when executing the program.
10. A computer readable storage medium having stored thereon computer instructions, wherein the instructions when executed implement the method of root cause analysis of alarm logs of any of claims 1 to 4.
CN202110126298.0A 2021-01-29 2021-01-29 Root cause analysis method and system for alarm log Pending CN112799929A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110126298.0A CN112799929A (en) 2021-01-29 2021-01-29 Root cause analysis method and system for alarm log

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110126298.0A CN112799929A (en) 2021-01-29 2021-01-29 Root cause analysis method and system for alarm log

Publications (1)

Publication Number Publication Date
CN112799929A true CN112799929A (en) 2021-05-14

Family

ID=75812848

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110126298.0A Pending CN112799929A (en) 2021-01-29 2021-01-29 Root cause analysis method and system for alarm log

Country Status (1)

Country Link
CN (1) CN112799929A (en)

Similar Documents

Publication Publication Date Title
CN111782470B (en) Distributed container log data processing method and device
CN112163946A (en) Accounting processing method and device based on distributed transaction system
CN113392158A (en) Service data processing method and device and data center
CN110932918A (en) Log data acquisition method and device and storage medium
CN110737425B (en) Method and device for establishing application program of charging platform system
CN113408668A (en) Decision tree construction method and device based on federated learning system and electronic equipment
CN112181678A (en) Service data processing method, device and system, storage medium and electronic device
CN112910708B (en) Distributed service calling method and device
CN112396511B (en) Distributed wind control variable data processing method, device and system
CN113282590A (en) Interface joint debugging method and device based on 5G message
US11916853B2 (en) Group type identification method and apparatus, computer device, and medium
CN110892427B (en) Method and apparatus for retrieving data packets
CN112799929A (en) Root cause analysis method and system for alarm log
CN110930253A (en) Intelligent contract internal main key generation method and device, computer equipment and storage medium
CN112866268B (en) Message processing method and system
CN114222028A (en) Speech recognition method, speech recognition device, computer equipment and storage medium
CN113342811A (en) HBase table data processing method and device
CN112417018A (en) Data sharing method and device
CN111444253A (en) Data import method and device, computer readable storage medium and computer equipment
CN111930620B (en) Application running environment data processing method and device
CN117555905B (en) Service processing method, device, equipment, storage medium and program product
CN112532349B (en) Data processing method and device based on decoding abnormity
CN116561735B (en) Mutual trust authentication method and system based on multiple authentication sources and electronic equipment
CN113190236B (en) HQL script verification method and device
CN115038089B (en) Multi-terminal data monitoring and collecting method based on information extraction

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination