CN113961441A - Alarm event processing method, auditing method, device, equipment, medium and product - Google Patents


Info

Publication number
CN113961441A
Authority
CN
China
Prior art keywords
alarm
alarm event
event
data
priority
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111279365.9A
Other languages
Chinese (zh)
Inventor
张蕊
贺卉珍
敬涛
楼闯宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202111279365.9A
Publication of CN113961441A


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/30: Monitoring
    • G06F11/34: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3452: Performance evaluation by statistical analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Probability & Statistics with Applications (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Hardware Design (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Quality & Reliability (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Alarm Systems (AREA)

Abstract

The present disclosure provides an alarm event processing method, applicable to the technical fields of information security and artificial intelligence, comprising: calculating the alarm guidance degree of a first alarm event, and the text similarity and association relationship between the alarm data of the first alarm event and that of each second alarm event; and obtaining the processing priority of the first alarm event based on the alarm level of the first alarm event, the alarm level of each second alarm event whose text similarity and/or association relationship satisfies preset conditions, and the alarm guidance degree, so that the first alarm event is processed according to the priority. The present disclosure also provides an alarm event auditing method, comprising: calculating the text similarity and association relationship between the problem root cause analysis report of a first alarm event and each second alarm event, and counting the second alarm events whose text similarity and/or association relationship with the first alarm event satisfies preset conditions. The disclosure also provides corresponding apparatuses, devices, storage media and program products.

Description

Alarm event processing method, auditing method, device, equipment, medium and product
Technical Field
The present disclosure relates to the field of artificial intelligence, and in particular, to an alarm event processing method, an auditing method, apparatus, device, medium, and program product.
Background
With the gradual adoption of cloud computing and distributed systems, information systems of all kinds are growing rapidly in number. Because the data centers of these information systems hold large amounts of computing, storage and network resources and a large number of nodes, a monitoring platform receives tens of thousands of monitoring alarm records every day. Existing solutions for handling monitoring alarms, however, rely mainly on simple rule screening and manual processing by operation and maintenance personnel; processing efficiency is low and the manual workload is heavy, which leads to problems such as untimely alarm handling, incomplete alarm discovery and heavy pressure from redundant alarms. How to effectively monitor, alarm on and respond to emergencies in such information systems is a problem that urgently needs to be solved.
Disclosure of Invention
In view of the foregoing, the present disclosure provides an alarm event processing method, an auditing method, an apparatus, a device, a medium, and a program product that improve alarm event processing efficiency.
According to a first aspect of the present disclosure, there is provided an alarm event processing method, including: acquiring a first alarm event and its alarm data, and acquiring all second alarm events and their alarm data within a first preset time period that includes the occurrence time of the first alarm event; analyzing the alarm data of the first alarm event based on a preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event; calculating the text similarity and association relationship between the alarm data of the first alarm event and that of each second alarm event; making a judgment according to a preset priority judgment rule, based on the alarm level of the first alarm event, the alarm level of each second alarm event whose text similarity and/or association relationship satisfies a preset condition, and the alarm guidance degree, to obtain the processing priority of the first alarm event; and processing the first alarm event in order of priority.
According to an embodiment of the present disclosure, analyzing the alarm data of the first alarm event based on a preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event includes: setting an initial alarm guidance degree; sequentially judging whether a plurality of first key fields in the alarm data of the first alarm event meet the conditions specified by the guidance degree calculation rule, wherein the first key fields are fields representing the environment, state, configuration and maintenance conditions of the first alarm event; and when a first key field meets the condition specified by the guidance degree calculation rule, subtracting the corresponding value from the initial alarm guidance degree to obtain the alarm guidance degree.
According to an embodiment of the present disclosure, the method further comprises: calculating an alarm event noise probability of the software generating the first alarm event; and using the alarm event noise probability as one of the judgment rules of the guidance degree calculation rule to calculate the alarm guidance degree.
According to an embodiment of the present disclosure, the calculating an alarm event noise probability of software generating the first alarm event includes: constructing an alarm event noise probability fitting function which takes the transaction fluctuation rate and the alarm occurrence time of the software as input and takes the noise probability of the software as output; and calculating the noise probability of the first alarm event based on the transaction fluctuation rate and the alarm occurrence time of the software when the first alarm event occurs.
According to an embodiment of the present disclosure, calculating the alarm guidance degree by using the magnitude of the alarm event noise probability as one of the judgment rules of the guidance degree calculation rule includes: obtaining the attribute level of the alarm event based on the alarm event noise probability; and subtracting the value corresponding to the attribute level from the initial alarm guidance degree to calculate the alarm guidance degree.
According to an embodiment of the present disclosure, calculating the text similarity between the alarm data of the first alarm event and that of each second alarm event includes: calculating the text similarity between the first alarm event and each second alarm event on at least one second key field of their alarm data, wherein the second key field is a field describing the alarm condition.
According to an embodiment of the present disclosure, the method includes: acquiring the alarm level of the second alarm event with the highest text similarity, for use in judging the processing priority of the first alarm event.
According to an embodiment of the present disclosure, the method further comprises: acquiring a link monitoring log of the software generating the first alarm event and the second alarm events, wherein the link monitoring log is link information of the transactions performed by the software within a second preset time period; and cleaning the link monitoring log and generating link frequent n-item sets of the software's transactions, where n ≥ 2.
According to an embodiment of the present disclosure, calculating the association relationship between the alarm data of the first alarm event and that of each second alarm event includes: performing a minimum support scanning calculation on a plurality of third key fields in the alarm data of the first alarm event and of all second alarm events within the first preset time period to obtain association frequent n-item sets; wherein, besides the association frequent n-item sets obtained from the (n-1)-th scan, the link frequent n-item sets are added to the objects to be scanned, n ≥ 2, and the third key fields are fields having alarm event association characteristics.
According to an embodiment of the present disclosure, the method further comprises: acquiring a list of second alarm events that share a frequent item set with the first alarm event; and selecting the second alarm event with the highest alarm level in the list, and using its alarm level to judge the processing priority of the first alarm event.
According to an embodiment of the present disclosure, the higher the alarm level of the first alarm event, the higher the alarm level of the second alarm event whose text similarity and/or association relationship satisfies the preset condition, and the lower the alarm guidance degree, the higher the priority of the first alarm event; and the higher the priority, the earlier the first alarm event is processed.
According to an embodiment of the present disclosure, the method further comprises: taking a plurality of fourth key fields in the alarm data of the first alarm event and the noise guidance degree as denoising decision attributes, and performing a decision tree judgment to determine whether the first alarm event is noise; and using the noise judgment result of the first alarm event in the judgment under the priority judgment rule, wherein when the first alarm event is noise, the priority obtained from the alarm level of the first alarm event, the alarm level of the second alarm event and the alarm guidance degree is reduced by a preset level.
According to an embodiment of the present disclosure, the method further comprises: cleaning and standardizing the alarm data of the first alarm event and the second alarm events.
According to an embodiment of the present disclosure, the method further comprises: displaying the processing priority of the first alarm event, and displaying the second alarm events whose text similarity with the first alarm event is greater than a preset threshold and/or which have an association relationship with it.
A second aspect of the present disclosure provides an alarm event auditing method, including: acquiring a problem root cause analysis report of a first alarm event and acquiring the alarm data of all second alarm events within a preset time period, wherein the problem root cause analysis report is obtained after problem handling based on the alarm data of the first alarm event, and the key fields of the problem root cause analysis report correspond to the key fields of the alarm data; calculating the text similarity between the problem root cause analysis report and the alarm data of each second alarm event, and calculating the association relationship between the first alarm event and each second alarm event; and counting the second alarm events whose text similarity and/or association relationship with the first alarm event satisfies preset conditions.
According to an embodiment of the present disclosure, calculating the text similarity between the problem root cause analysis report and the alarm data of each second alarm event includes: calculating the text similarity between the problem root cause analysis report and at least one second key field in the alarm data of each second alarm event, wherein the second key field is a field describing the alarm condition.
According to an embodiment of the present disclosure, the method includes: counting the second alarm events whose text similarity is greater than a preset threshold.
According to an embodiment of the present disclosure, the method comprises: acquiring a link monitoring log of the software generating the first alarm event and the second alarm events, wherein the link monitoring log is link information of the transactions performed by the software within a second preset time period; and cleaning the link monitoring log and generating link frequent n-item sets of the software's transactions, where n ≥ 2.
According to an embodiment of the present disclosure, calculating the association relationship between the problem root cause analysis report and the alarm data of each second alarm event includes: performing a minimum support scanning calculation on the problem root cause analysis report and a plurality of third key fields in the alarm data of all second alarm events to obtain frequent n-item sets; wherein, besides the association frequent n-item sets obtained from the (n-1)-th scan, the link frequent n-item sets are added to the objects to be scanned, n ≥ 2, and the third key fields are fields having alarm event association characteristics.
According to an embodiment of the present disclosure, the method further comprises: counting the second alarm events that share a frequent item set with the first alarm event.
A third aspect of the present disclosure provides an alarm event processing apparatus, including: a data acquisition module for acquiring a first alarm event and its alarm data, and acquiring all second alarm events and their alarm data within a first preset time period that includes the occurrence time of the first alarm event; a guidance degree calculation module for analyzing the alarm data of the first alarm event based on a preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event; a similarity and association relationship calculation module for calculating the text similarity and association relationship between the alarm data of the first alarm event and that of each second alarm event; a priority judging module for making a judgment according to a preset priority judgment rule, based on the alarm level of the first alarm event, the alarm level of each second alarm event whose text similarity and/or association relationship satisfies preset conditions, and the alarm guidance degree, to obtain the processing priority of the first alarm event; and an event processing module for processing the first alarm event in order of priority.
A fourth aspect of the present disclosure provides an alarm event auditing apparatus, including: a data acquisition module for acquiring a problem root cause analysis report of a first alarm event and acquiring the alarm data of all second alarm events within a preset time period, wherein the problem root cause analysis report is obtained after problem handling based on the alarm data of the first alarm event, and the key fields of the problem root cause analysis report correspond to the key fields of the alarm data; a calculation module for calculating the text similarity between the problem root cause analysis report and the alarm data of each second alarm event and calculating the association relationship between the first alarm event and each second alarm event; and a statistical module for counting the second alarm events whose text similarity and/or association relationship with the first alarm event satisfies preset conditions.
A fifth aspect of the present disclosure provides an electronic device, comprising: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of the first or second aspect.
A sixth aspect of the present disclosure also provides a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of the first or second aspect.
A seventh aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method of the first or second aspect.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of an alarm event processing method, apparatus, device, medium, and program product according to embodiments of the disclosure;
FIG. 2 schematically illustrates a flow chart of an alarm event handling method according to an embodiment of the present disclosure;
FIG. 3A schematically illustrates a similarity graph for single-reason feedback of events, according to an embodiment of the present disclosure;
FIG. 3B schematically illustrates a similarity graph of an alarm summary in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of an alarm event auditing method according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram of an alarm event processing apparatus according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow chart of an alarm event auditing apparatus according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of an electronic device adapted to implement an alarm event processing method or an alarm event auditing method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
It should be noted that the alarm event processing method and apparatus, and the alarm event auditing method and apparatus provided by the present disclosure may be used for alarm event processing in the aspect of information security in the financial field, and may also be used in any field other than the financial field.
In the technical solution of the present disclosure, the acquisition, storage, application and other handling of users' personal information all comply with the relevant laws and regulations, the necessary security measures are taken, and public order and good customs are not violated.
The embodiment of the disclosure provides an alarm event processing method, which includes: acquiring a first alarm event and its alarm data, and acquiring all second alarm events and their alarm data within a first preset time period that includes the occurrence time of the first alarm event; calculating the alarm guidance degree of the first alarm event, and the text similarity and association relationship between the alarm data of the first alarm event and that of each second alarm event; and obtaining the processing priority of the first alarm event based on the alarm level of the first alarm event, the alarm level of each second alarm event whose text similarity and/or association relationship satisfies the preset condition, and the alarm guidance degree, so that the first alarm event is processed according to the priority. Because the priority is obtained from the alarm level of the first alarm event together with the level of the second alarm events strongly related to it, it is more accurate. In addition, the alarm guidance degree is added as an evaluation index when judging the priority, that is, the actual influence of the specific alarm data of the first alarm event is taken into account, which further improves the accuracy of the priority. The higher the priority, the more urgent the alarm event, and processing alarm events by priority improves the emergency handling capability of the equipment or apparatus applying the alarm event processing method.
Fig. 1 schematically shows an application scenario diagram of an alarm event processing method and apparatus according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include an operation system of a bank, where the operation system includes an alarm system, and is configured to report an alarm event occurring at each operation node of the operation system. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the alarm event processing method provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the alarm event processing apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 105. The alarm event processing method provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the alarm event processing apparatus provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The alarm event processing method of the disclosed embodiment will be described in detail below with reference to fig. 2 based on the scenario described in fig. 1.
FIG. 2 schematically shows a flow chart of an alarm event processing method according to an embodiment of the present disclosure.
As shown in fig. 2, the alarm event processing method of the embodiment includes operations S210 to S250, which may be performed in sequence.
In operation S210, a first alarm event and alarm data thereof are acquired, and all second alarm events and alarm data thereof within a first preset time period including an occurrence time of the first alarm event are acquired.
In the embodiment of the present disclosure, the first alarm event is an alarm event currently reported in real time, and a second alarm event is an alarm event occurring in the same time period as the first alarm event, used to assist in determining the priority of the first alarm event. For example, the first preset time period may be 1 hour with the alarm start time of the first alarm event at its midpoint, so that the second alarm events are all alarm events occurring within half an hour before and after the occurrence of the first alarm event.
The first alarm event and the second alarm event are both collected by a preset alarm event monitoring system, and various logs and data required by analysis are mainly collected from the monitoring system, an event list, a change list, a configuration management system, a distributed service system and the like to form alarm data.
Optionally, the data types of the alarm data may include monitoring system alarm data, event handling data, configuration management information, transaction link information, and the like. Specifically, the monitoring system alarm data may include an alarm ID, an alarm start time, an alarm end time, an IP address, a software name, an alarm level, an alarm summary, an alarm node maintenance department, and an association number. The transaction link information may further include key fields such as software names, service names, clusters, and the like.
In operation S220, the alarm data of the first alarm event is analyzed based on a preset guidance degree calculation rule to calculate an alarm guidance degree of the first alarm event.
In the embodiment of the present disclosure, the alarm guidance degree is an index that measures the authenticity and reliability of monitoring alarm information, reflecting how the environment, state, configuration and maintenance condition of the alarm node affect the authenticity and reliability of the alarm. The guidance degree calculation rule comprises a plurality of calculation rules, which are used to check, one by one, the alarm data representing the environment, state, configuration and maintenance condition of the first alarm event, and to obtain the alarm guidance degree from the results of these checks. The specific calculation method of the alarm guidance degree will be described later.
In operation S230, the text similarity and association relationship between the alarm data of the first alarm event and that of each second alarm event are calculated.
According to the embodiment of the disclosure, by calculating the text similarity and the association relationship between the first alarm event and the second alarm events, the second alarm events strongly related to the first alarm event can be obtained, and the priority of the first alarm event can then be determined based on the priority or alarm level of those second alarm events. For example, when a second alarm event with a text similarity of 97% to the first alarm event is found, and the alarm level of the first alarm event is relatively low while the alarm level or priority of the second alarm event is relatively high, the priority of the first alarm event may be raised in operation S240 so that the first alarm event is processed as soon as possible.
In operation S240, a judgment is made according to the preset priority judgment rule, based on the alarm level of the first alarm event, the alarm level of each second alarm event whose text similarity and/or association relationship satisfies the preset condition, and the alarm guidance degree, to obtain the processing priority of the first alarm event.
In the embodiment of the present disclosure, the priority judgment rule provides specific division rules for the alarm level of the first alarm event, the alarm level of the second alarm event whose text similarity and/or association relationship satisfies the preset condition, and the alarm guidance degree, so as to obtain an accurate priority for the first alarm event. This will be described in detail later.
In operation S250, the first alarm event is processed in order of priority.
According to the embodiment of the present disclosure, through the similarity analysis and the association analysis of operation S230, second alarm events that are strongly related to the first alarm event but have not yet been processed may also be obtained, and such second alarm events may be handled together with the first alarm event, thereby reducing the pressure of monitoring alarm handling.
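Operations S210 and S230 sketched in Python as an added example, not code from the patent: it selects the second alarm events in the window, scores alarm-summary similarity, and mines frequent item sets with a minimum-support scan to find the highest alarm level among related events. The field names, thresholds, use of `difflib` for similarity, the larger-is-more-severe level convention and the sample alarms are assumptions; seeding the scan with link frequent item sets is left out.

```python
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample alarms. Field names and the convention that a larger
# "level" means a more severe alarm are assumptions made for this example.
ALARMS = [
    {"id": "A1", "start": "2021-10-29 10:00", "software": "pay-core", "cluster": "c1",
     "service": "transfer", "level": 2,
     "summary": "transfer service timeout rate above threshold"},
    {"id": "A2", "start": "2021-10-29 09:45", "software": "pay-core", "cluster": "c1",
     "service": "transfer", "level": 4,
     "summary": "transfer service timeout rate above threshold on node 3"},
    {"id": "A3", "start": "2021-10-29 10:20", "software": "pay-core", "cluster": "c1",
     "service": "query", "level": 3, "summary": "database connection pool exhausted"},
    {"id": "A4", "start": "2021-10-29 10:10", "software": "mail-gw", "cluster": "c7",
     "service": "smtp", "level": 1, "summary": "disk usage above 80 percent"},
    {"id": "A5", "start": "2021-10-29 12:30", "software": "pay-core", "cluster": "c1",
     "service": "transfer", "level": 5,
     "summary": "transfer service timeout rate above threshold"},
]
ASSOC_FIELDS = ("software", "cluster", "service")  # stand-ins for the "third key fields"


def _ts(alarm):
    return datetime.strptime(alarm["start"], "%Y-%m-%d %H:%M")


def second_alarms(first, alarms, period=timedelta(hours=1)):
    """S210: alarms starting inside a window of `period` centred on the first alarm."""
    half = period / 2
    return [a for a in alarms
            if a["id"] != first["id"] and abs(_ts(a) - _ts(first)) <= half]


def text_similarity(a, b):
    """Similarity of the alarm summaries (the "second key field" in this example)."""
    return SequenceMatcher(None, a["summary"].lower(), b["summary"].lower()).ratio()


def items(alarm):
    """One transaction for the scan: the (field, value) pairs of the association fields."""
    return frozenset((f, alarm[f]) for f in ASSOC_FIELDS if alarm.get(f))


def frequent_itemsets(transactions, min_support):
    """Level-wise minimum-support scan; returns {itemset: support} for n >= 2."""
    counts = {}
    for t in transactions:
        for item in t:
            key = frozenset([item])
            counts[key] = counts.get(key, 0) + 1
    current = {s for s, c in counts.items() if c >= min_support}
    result, n = {}, 2
    while current:
        universe = sorted(set().union(*current))
        level = {}
        for combo in combinations(universe, n):
            # Candidate survives only if every (n-1)-subset was frequent in the last scan.
            if all(frozenset(sub) in current for sub in combinations(combo, n - 1)):
                support = sum(1 for t in transactions if set(combo) <= t)
                if support >= min_support:
                    level[frozenset(combo)] = support
        result.update(level)
        current, n = set(level), n + 1
    return result


def correlate(first, alarms, sim_threshold=0.8, min_support=2):
    """S230: related second alarms and the highest alarm level among them."""
    seconds = second_alarms(first, alarms)
    scored = sorted(((text_similarity(first, s), s) for s in seconds),
                    key=lambda pair: pair[0], reverse=True)
    best = scored[0] if scored and scored[0][0] >= sim_threshold else None
    freq = frequent_itemsets([items(a) for a in [first] + seconds], min_support)
    mine = [s for s in freq if s <= items(first)]
    associated = [s for s in seconds if any(f <= items(s) for f in mine)]
    levels = [s["level"] for s in associated]
    if best:
        levels.append(best[1]["level"])
    return {
        "window_ids": [s["id"] for s in seconds],
        "most_similar": best and (best[1]["id"], round(best[0], 2)),
        "associated_ids": [s["id"] for s in associated],
        "related_max_level": max(levels, default=None),
    }


if __name__ == "__main__":
    print(correlate(ALARMS[0], ALARMS))
```

In the constructed data the first alarm A1 has level 2 while a related alarm in its window has level 4, which is the situation in which operation S240 may raise the priority of the first alarm event.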
The following describes the alarm event processing method provided in the embodiment of the present disclosure in detail.
According to operation S210, after acquiring the alarm data of the first alarm event and the second alarm event, the method further includes cleaning and standardizing the alarm data of the first alarm event and the second alarm event.
According to operation S220, calculating the alarm guidance degree of the first alarm event includes operations S221 to S223.
In operation S221, an initial alarm guidance degree is set.
In operation S222, it is sequentially determined whether a plurality of first key fields in the alarm data of the first alarm event meet conditions specified by the guidance degree calculation rule, where the first key fields are fields indicating environment, state, configuration, and maintenance conditions of the first alarm event.
In the disclosed embodiment, the guidance degree calculation rule may be a plurality of rules as shown in table 1.
TABLE 1 Alarm event guidance degree calculation rule table
[Table 1 is an image in the original publication and is not reproduced in this text.]
In operation S223, when a first key field meets the condition specified by the guidance degree calculation rule, the corresponding value is subtracted from the initial alarm guidance degree to obtain the alarm guidance degree.
In this embodiment, assume that the initial alarm guidance degree is 5.0. Referring to the calculation rules shown in table 1, take as an example the case in which the IP address of the node generating the current first alarm event is null, the software generating the first alarm event is external unit hosting software, and the other key fields of the alarm information referenced in table 1 all meet the rule requirements. The alarm guidance degree of the first alarm event is then 5.0 - 0.1 - 1 = 3.9.
Because of customer transaction habits and characteristics and the maintenance schedule of the information system, the accuracy of monitoring alarms is related to the alarm occurrence time and the current transaction fluctuation. For example, when software has been inactive for a long time with no transactions, and a user occasionally activates the software and executes a transaction, that transaction may be mistakenly identified as an alarm event; this is noise generated by transaction fluctuation. In the embodiment of the present disclosure, the noise probability is therefore added to the guidance degree calculation rules shown in table 1 as a calculation index of the alarm guidance degree; see rule 11. Accordingly, calculating the alarm guidance degree according to the guidance degree calculation rule includes operations S2221 to S2222.
In operation S2221, an alarm event noise probability of software generating a first alarm event is calculated.
Operation S2221 includes the steps of: constructing an alarm event noise probability fitting function which takes the transaction fluctuation rate and the alarm occurrence time of software as input and takes the noise probability of the software as output; and calculating the noise probability of the first alarm event based on the transaction fluctuation rate of the software and the alarm occurrence time when the first alarm event occurs.
Optionally, a maximum likelihood method may be used to fit the relationship among the transaction fluctuation rate of each software within a month, the alarm occurrence time, and the per-minute noise probability calculated from expert noise judgments in historical data, to obtain a fitting function $N_{rate}(a, t)$. Based on the current transaction fluctuation rate $a_0$ of the software corresponding to the alarm data $R_0$ and the alarm occurrence time $t_0$, the noise probability $N_{rate}(a_0, t_0)$ is calculated and used as one of the calculation rules of the alarm event guidance degree described below.
In operation S2222, the magnitude of the alarm event noise probability is used as one of the judgment rules of the guidance degree calculation rules to calculate the alarm guidance degree.
Referring to rule 11 shown in table 1, the method for calculating the alarm guidance degree by using the noise probability includes the following steps: obtaining the attribute level of the alarm event based on the noise probability of the alarm event; and subtracting the value corresponding to the attribute level from the initial alarm guidance degree to calculate the alarm guidance degree.
In this embodiment, the noise probability of the alarm event and the deduction value corresponding to each attribute level are shown in table 2, where each noise probability range corresponds to one attribute level; the larger the noise probability, the higher the level and the larger the corresponding deduction value.
TABLE 2 Deduction rules for the influence of noise probability on alarm event guidance degree
[Table 2 is an image in the original publication and is not reproduced in this text.]
According to operation S230, the text similarity of the alarm data of the first alarm event and each of the second alarm events is calculated to obtain the second alarm event similar to the alarm text of the first alarm event.
In the embodiment of the present disclosure, second key fields such as the alarm summary and the event cause feedback describe the corresponding alarm event, and operation S230 specifically includes operation S231.
In operation S231, the text similarity between the first alarm event and each second alarm event is calculated on at least one second key field in their alarm data.
A large amount of repeated and similar alarm data exists in an alarm system, and under alarm processing pressure, similar alarms may go unrecognized, be misjudged, or be left unprocessed. The similarity among alarm summaries, alarm handling actions, and the event reason sheets associated with alarms is calculated to obtain an alarm similarity result, and the accuracy of the priority of the first alarm event is improved according to the alarm level of the second alarm event. Alternatively, when a second alarm event that is similar to the first alarm event and has already been processed exists, the way it was processed can serve as a reference for processing the first alarm event, improving the processing efficiency of the first alarm event.
Optionally, the algorithm for calculating the text similarity may be a TF-IDF algorithm.
Operation S230 further includes operation S232.
In operation S232, the alarm level of the second alarm event with the highest text similarity is obtained for determining the processing priority of the first alarm event.
In operation S240 of the present embodiment, the processing priority of the first alarm event is determined based on the alarm level of the second alarm event. Because the number of second alarm events is large, the alarm level of the second alarm event having the highest similarity to the first alarm event is selected for the priority determination. Optionally, a plurality of second alarm events with text similarity higher than a preset threshold may also be screened out, and the processing priority of the first alarm event is determined with the alarm levels of the plurality of second alarm events as references.
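The following Python sketch is an added example, not code from the patent. It carries out operations S231 and S232 with a standard-library TF-IDF and cosine similarity over one second key field. The alarm records, the field names (summary, level, handled), the smoothed IDF formula and the convention that a larger level number is more severe are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample alarms (not from the patent). "summary" stands in for a
# second key field; "level" assumes that a larger number is more severe.
FIRST_ALARM = {"id": "A-200", "level": 1,
               "summary": "payment gateway database connection pool timeout"}
SECOND_ALARMS = [
    {"id": "A-101", "level": 2, "handled": True,
     "summary": "database connection pool exhausted on payment gateway"},
    {"id": "A-102", "level": 3, "handled": False,
     "summary": "disk usage above 90 percent on log server"},
    {"id": "A-103", "level": 4, "handled": False,
     "summary": "payment gateway database connection timeout"},
]


def tokenize(text):
    """Lowercase word tokens; real alarm text may need a language-specific tokenizer."""
    return re.findall(r"[a-z0-9]+", text.lower())


def build_idf(token_lists):
    """Smoothed inverse document frequency over every alarm text in the window."""
    n_docs = len(token_lists)
    doc_freq = Counter()
    for tokens in token_lists:
        doc_freq.update(set(tokens))
    return {term: math.log((1 + n_docs) / (1 + df)) + 1.0
            for term, df in doc_freq.items()}


def tfidf_vector(tokens, idf):
    """Sparse TF-IDF vector: raw term count times IDF."""
    return {term: count * idf.get(term, 0.0)
            for term, count in Counter(tokens).items()}


def cosine(u, v):
    """Cosine similarity of two sparse vectors; 0.0 when either is empty."""
    dot = sum(weight * v.get(term, 0.0) for term, weight in u.items())
    norm_u = math.sqrt(sum(w * w for w in u.values()))
    norm_v = math.sqrt(sum(w * w for w in v.values()))
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0


def rank_similar(first, seconds, field="summary"):
    """S231: similarity of the first alarm to each second alarm, best match first."""
    docs = [tokenize(first[field])] + [tokenize(s[field]) for s in seconds]
    idf = build_idf(docs)
    first_vec = tfidf_vector(docs[0], idf)
    scored = [(cosine(first_vec, tfidf_vector(tokens, idf)), alarm)
              for tokens, alarm in zip(docs[1:], seconds)]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def reference_levels(first, seconds, threshold=None, field="summary"):
    """S232: level of the most similar second alarm, or the levels of all
    second alarms above a preset threshold (the optional variant)."""
    ranked = rank_similar(first, seconds, field)
    if threshold is None:
        # No textual overlap at all means there is no similar alarm to refer to.
        return [ranked[0][1]["level"]] if ranked and ranked[0][0] > 0 else []
    return [alarm["level"] for sim, alarm in ranked if sim > threshold]


def handled_references(first, seconds, threshold, field="summary"):
    """Similar alarms that were already handled and can serve as a handling reference."""
    return [alarm["id"] for sim, alarm in rank_similar(first, seconds, field)
            if sim > threshold and alarm.get("handled")]
```

With the constructed data, the low-level first alarm is most similar to the level 4 alarm A-103, which is the case in which operation S240 would raise its priority.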
According to operation S230, the association relationship between the first alarm event and the alarm data of each second alarm event needs to be calculated, which may specifically include operation S233.
It should be noted that the alarm event for performing the association calculation should be a non-noise event, that is, the association between the alarm data is calculated by using the non-noise alarm data as the sample to be analyzed.
In the embodiment of the present disclosure, a decision tree is built by using a plurality of fourth key fields in the alarm data of the first alarm event, together with the guidance degree, as denoising decision attributes, and the decision tree determines whether the first alarm event is noise. Table 3 schematically shows a denoising decision attribute list.
TABLE 3 De-noising decision Classification and Talkback attribute Table
[Table 3 is an image in the original publication and is not reproduced in this text.]
Further, table 4 schematically shows an attribute value division list of the alarm guidance degree.
TABLE 4 Alarm event guidance degree attribute value partition rule
Alarm event guidance degree G    Attribute value
4.7 < G ≤ 5.0                    Ultra-high
4 < G ≤ 4.7                      High
3.5 < G ≤ 4                      Relatively high
2.5 < G ≤ 3.5                    Medium
2 < G ≤ 2.5                      Relatively low
1 < G ≤ 2                        Low
0 < G ≤ 1                        Extremely low
G = 0                            Zero
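The following Python sketch is an added example, not code from the patent. It walks through operations S221 to S223 and maps the result to the table 4 attribute value. Only the initial value 5.0 and the deductions 0.1 and 1 come from the worked example in the text; the pairing of each deduction with its condition (inferred from the order of that example), the record field names, the noise tiers standing in for table 2, and the clamp at zero are assumptions. The attribute names are English renderings of the table 4 values.

```python
from decimal import Decimal

INITIAL_GUIDANCE = Decimal("5.0")  # initial value from the worked example in the text

# (description, condition on the alarm record, deduction). Field names are assumed.
FIELD_RULES = [
    ("node IP address is null", lambda a: not a.get("node_ip"), Decimal("0.1")),
    ("external-unit hosted software", lambda a: a.get("hosting") == "external", Decimal("1")),
]

# Hypothetical stand-in for table 2, whose values are not reproduced on this page:
# (inclusive upper bound of the noise probability, attribute level, deduction).
NOISE_TIERS = [
    (Decimal("0.25"), 1, Decimal("0")),
    (Decimal("0.50"), 2, Decimal("0.5")),
    (Decimal("0.75"), 3, Decimal("1")),
    (Decimal("1.00"), 4, Decimal("2")),
]

# Table 4: exclusive lower bound, inclusive upper bound, attribute value.
ATTRIBUTE_BANDS = [
    (Decimal("4.7"), Decimal("5.0"), "Ultra-high"),
    (Decimal("4"), Decimal("4.7"), "High"),
    (Decimal("3.5"), Decimal("4"), "Relatively high"),
    (Decimal("2.5"), Decimal("3.5"), "Medium"),
    (Decimal("2"), Decimal("2.5"), "Relatively low"),
    (Decimal("1"), Decimal("2"), "Low"),
    (Decimal("0"), Decimal("1"), "Extremely low"),
]


def noise_deduction(noise_probability):
    """Rule 11: map a noise probability to (attribute level, deduction)."""
    p = Decimal(str(noise_probability))
    if not 0 <= p <= 1:
        raise ValueError("noise probability must lie in [0, 1]")
    for upper, level, deduction in NOISE_TIERS:
        if p <= upper:
            return level, deduction


def guidance_degree(alarm, noise_probability=None):
    """S221-S223: start from the initial value and subtract each matching deduction.

    Decimal avoids binary floating-point rounding at the band edges of table 4.
    Returns the guidance degree and the descriptions of the rules that fired.
    """
    degree = INITIAL_GUIDANCE
    applied = []
    for description, condition, deduction in FIELD_RULES:
        if condition(alarm):
            degree -= deduction
            applied.append(description)
    if noise_probability is not None:
        level, deduction = noise_deduction(noise_probability)
        degree -= deduction
        if deduction:
            applied.append(f"noise attribute level {level}")
    # Clamp at zero, the lowest value table 4 defines (assumption).
    return max(degree, Decimal("0")), applied


def attribute_value(degree):
    """Map a guidance degree G to its table 4 attribute value."""
    if degree == 0:
        return "Zero"
    for low, high, name in ATTRIBUTE_BANDS:
        if low < degree <= high:
            return name
    raise ValueError(f"guidance degree {degree} is outside the range of table 4")
```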
The environment, state, configuration and maintenance conditions of the alarm node can affect the authenticity and the credibility of the alarm. The embodiment of the invention therefore adds the "alarm guidance degree" index to measure the authenticity and the credibility of the alarm information, and adds this attribute as a decision classification attribute. A decision tree is trained and optimized with the C4.5 algorithm on the historical alarm data and the noise results judged and analyzed by experts, and the noise decision result of the alarm data is calculated through the trained decision tree.
Because the alarm information contains a large number of key fields, which increases the calculation pressure of the correlation analysis, the data needs to be preprocessed: software and position data are integrated, alarm data of unrecorded application information is eliminated, and only the third key fields reflecting the association relationship are retained. An example of the third key fields is shown in table 5.
TABLE 5 Example of alarm data after processing
[Table 5 is an image in the original publication and is not reproduced in this text.]
The software information field combines the software name and the alarm position. The first alarm time and the last alarm time are each divided into a date field and a time field, and the continuous time data is replaced with discrete data. Replacing the time data with discrete data includes dividing the time into a plurality of time segments, each corresponding to a time indicator; for example, the time interval 0:00:00-0:29:59 corresponds to TF1 and the time interval 0:30:00-0:59:59 corresponds to TF2, $(TF_{n-1} \le TF_n \le TF_{n+1}) \cup (TL_{n-1} \le TL_n \le TL_{n+1})$.
In operation S233, minimum support degree scan calculation is performed on a plurality of third key fields in the alarm data of the first alarm event and all the second alarm events within the first preset time period to obtain an association relationship frequent n item set, where n is greater than or equal to 2, and n is an integer.
In the embodiment of the present disclosure, before obtaining the association relationship frequent n item set, the method further includes operations S2331-S2332.
In operation S2331, a link monitoring log of the software generating the first alarm event and the second alarm event is obtained, where the link monitoring log is link information of a transaction performed by the software within a second preset time period.
In operation S2332, the link monitoring log is cleaned to generate a link frequent n item set of transactions performed by the software.
In this embodiment, association analysis is performed with the Apriori algorithm to determine support and confidence. When the minimum support scan is performed, in addition to the frequent n-item set obtained from the (n-1)th scan (n is greater than or equal to 2), the software service call relationships obtained after transaction link cleaning are added to the frequent n-item set, and the subsequent scans and minimum support screening then continue.
In this embodiment, the Apriori algorithm is used to implement event alarm association analysis, and the transaction links and resource configuration information are combed and added into the scanning and calculation of the association algorithm as known frequent item sets, which improves the accuracy and completeness of the association analysis.
Operation S230 further includes operations S234 to S235.
In operation S234, a list of second alarm events that have the same frequent item set as the first alarm event is obtained.
In operation S235, the second alarm event with the highest alarm level in the list is screened out, and the alarm level of the second alarm event is used to determine the processing priority of the first alarm event.
Based on Apriori algorithm, the frequent item set of the alarm data of all alarm events in the first preset time period can be obtained, so that the second alarm event with the same frequent item set as the first alarm event can be screened out.
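The following Python sketch is an added example, not code from the patent. It covers the half-hour time discretization, operation S233 with link item sets seeded into each level of the Apriori scan, and operations S234 and S235. The alarm records, the field names, the grouping of alarms into one transaction per date and half-hour segment, and the treatment of link item sets as known frequent without a support check are assumptions about details the text leaves open.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations


def alarm_record(alarm_id, software, location, hhmm, level):
    """Build one constructed alarm record (field names are assumed)."""
    return {"id": alarm_id, "software": software, "location": location,
            "first_time": f"2021-10-01T{hhmm}:00", "level": level}


# Constructed sample data (not from the patent); a larger level is more severe.
SECOND_ALARMS = [
    alarm_record("S1", "core-bank", "dc1", "00:05", 2),
    alarm_record("S2", "pay-gw", "dc1", "00:07", 1),
    alarm_record("S3", "core-bank", "dc1", "00:40", 2),
    alarm_record("S4", "pay-gw", "dc1", "00:41", 1),
    alarm_record("S5", "core-bank", "dc1", "01:10", 3),
    alarm_record("S6", "pay-gw", "dc1", "01:12", 1),
    alarm_record("S7", "report", "dc2", "01:15", 1),
    alarm_record("S8", "sms", "dc2", "01:40", 4),
    alarm_record("S9", "report", "dc2", "02:10", 1),
]
FIRST_ALARM = alarm_record("F1", "pay-gw", "dc1", "02:40", 1)
# Link frequent 2-item set from the cleaned link monitoring log: pay-gw calls sms.
LINK_ITEMSETS = [{"pay-gw@dc1", "sms@dc2"}]


def time_bucket(ts):
    """0:00:00-0:29:59 -> TF1, 0:30:00-0:59:59 -> TF2, and so on up to TF48."""
    return f"TF{(ts.hour * 60 + ts.minute) // 30 + 1}"


def item_of(alarm):
    """Software information item: software name combined with alarm position."""
    return f"{alarm['software']}@{alarm['location']}"


def build_transactions(alarms):
    """One transaction per (date, time segment): the software items that alarmed in it."""
    groups = defaultdict(set)
    for alarm in alarms:
        ts = datetime.fromisoformat(alarm["first_time"])
        groups[(ts.date(), time_bucket(ts))].add(item_of(alarm))
    return list(groups.values())


def support(itemset, transactions):
    return sum(1 for t in transactions if itemset <= t) / len(transactions)


def apriori_with_links(transactions, min_support, link_itemsets):
    """Apriori in which link n-item sets join the frequent n-item sets at level n."""
    items = {item for t in transactions for item in t}
    frequent = {1: {frozenset([i]) for i in items
                    if support(frozenset([i]), transactions) >= min_support}}
    max_link = max((len(s) for s in link_itemsets), default=0)
    n = 2
    while frequent[n - 1] or n <= max_link:
        prev = frequent[n - 1]
        candidates = {a | b for a in prev for b in prev if len(a | b) == n}
        # Apriori pruning: every (n-1)-subset of a candidate must already be frequent.
        candidates = {c for c in candidates
                      if all(frozenset(s) in prev for s in combinations(c, n - 1))}
        level = {c for c in candidates if support(c, transactions) >= min_support}
        level |= {frozenset(s) for s in link_itemsets if len(s) == n}
        frequent[n] = level
        n += 1
    return {size: sets for size, sets in frequent.items() if sets}


def related_second_alarms(first, seconds, frequent):
    """S234: second alarms sharing a frequent item set (n >= 2) with the first alarm."""
    first_item = item_of(first)
    partners = set()
    for size, sets in frequent.items():
        if size >= 2:
            for itemset in sets:
                if first_item in itemset:
                    partners |= itemset - {first_item}
    return [alarm for alarm in seconds if item_of(alarm) in partners]


def highest_related_level(first, seconds, frequent):
    """S235: highest alarm level in the related list, or None if the list is empty."""
    related = related_second_alarms(first, seconds, frequent)
    return max((alarm["level"] for alarm in related), default=None)
```

In the constructed data the sms alarm never co-occurs with pay-gw in a time segment, so only the seeded link item set relates it to the first alarm and raises the reference level from 3 to 4.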
According to operation S240, a judgment is made according to a preset priority determination rule, based on the alarm level of the first alarm event, the alarm level of the second alarm event whose text similarity and/or association relationship satisfies the preset condition, and the alarm guidance degree, so as to obtain the processing priority of the first alarm event. The higher the alarm level of the first alarm event, the higher the alarm level of the second alarm event whose text similarity and/or association relationship satisfies the preset condition, and the lower the alarm guidance degree, the higher the priority of the first alarm event; the higher the priority, the earlier the first alarm event is processed.
In this disclosure, operation S240 further includes having the noise determination result of the first alarm event participate in the judgment under the priority determination rule: when the first alarm event is noise, the priority obtained from the alarm level of the first alarm event, the alarm level of the second alarm event, and the alarm guidance degree is lowered by a preset level.
Table 6 schematically shows the alarm priority determination rule.
TABLE 6 Alarm priority decision rules
[Table 6 is an image in the original publication and is not reproduced in this text.]
When the same alarm meets the judgment conditions of different priorities, it is handled at the higher priority.
In the embodiment of the present disclosure, after the processing priority of the first alarm event is obtained, according to operation S250, the operation and maintenance staff is enabled to process the first alarm event according to the priority.
In the embodiment of the present disclosure, after the processing priority of the first alarm event is obtained, the method further includes operation S260.
In operation S260, the processing priority of the first alarm event is displayed, together with the second alarm events whose text similarity to the first alarm event is greater than a preset threshold and/or that have an association relationship with it.
By displaying the priority of the first alarm event and the related alarm event, operation and maintenance personnel can visually acquire the priority of the alarm event and refer to the displayed alarm data to timely process the alarm event.
Alternatively, the text similarity result obtained in operation S230 may be displayed in a graph, and the text similarities calculated according to different key fields may be displayed in charts. Fig. 3A and fig. 3B schematically show presentation charts of the text similarity calculated based on an event reason sheet and an alarm summary, respectively. The abscissa of each chart represents the occurrence time of the second alarm event, and the ordinate represents the text similarity.
In particular, whether a second alarm event corresponding to the text similarity has been processed may also be identified in the chart by a different color. For a second alarm event whose text similarity is greater than a preset threshold and which has been processed, the first alarm event may be processed with reference to its event processing report.
FIG. 4 schematically illustrates a flow chart of an alarm event auditing method according to an embodiment of the present disclosure.
As shown in fig. 4, an alarm event auditing method provided by the embodiment of the present disclosure includes operations S410 to S430.
In operation S410, a problem root cause analysis report of the first alarm event is obtained, and alarm data of all second alarm events in a preset time period are obtained, where the problem root cause analysis report is obtained after problem processing is performed on the basis of the alarm data of the first alarm event, and a key field of the problem root cause analysis report corresponds to a key field of the alarm data.
In operation S420, text similarity between the problem root cause analysis report and the alarm data of each second alarm event is calculated, and an association relationship between the first alarm event and each second alarm event is calculated.
In operation S430, a second alarm event whose text similarity and/or association relationship with the first alarm event satisfies a preset condition is counted.
According to the embodiment of the disclosure, after the first alarm event is processed, the related alarm event of the first alarm event can be audited at the same time, and by counting the second alarm event of which the text similarity and/or the association relation between the second alarm event and the first alarm event meet the preset conditions, the problems of incomplete related alarm discovery and untimely disposal of the production event can be discovered, so that operation and maintenance personnel can be prompted to deal with similar problems, and the alarm event discovery rate and the disposal rate can be effectively improved.
The problem root cause analysis report is obtained by modifying the alarm data of the first alarm event after the operation and maintenance personnel process the first alarm event. For example, the problem root cause analysis report includes an event root cause analysis of the alarm event, whose content is more detailed and richer than that of the event reason feedback field in the original alarm data.
In the embodiment of the present disclosure, the preset time period is the time period from the occurrence time of the first alarm event to the processing end time of the first alarm event. Because a certain time difference exists between the occurrence of the first alarm event and the completion of its processing, a second alarm event that is the same as or similar to the first alarm event may occur during this period. After the processing of the first alarm event ends, the second alarm events in this time period that have a high text similarity to, and an association relationship with, the first alarm event are counted, so that operation and maintenance personnel can quickly process these events, and the processing efficiency is improved.
In operation S420, calculating the textual similarity between the problem root cause analysis report and the alert data for each second alert event includes operation S421.
In operation S421, a text similarity between the problem root cause analysis report and at least one second key field in the alarm data of each second alarm event is calculated, where the second key field is a field describing an alarm condition. This step is similar to operation S230 of the alarm processing method shown in fig. 2, and is not described herein again.
In operation S430, counting the second alarm event that the text similarity satisfies the preset condition specifically includes operation S431.
In operation S431, a second alarm event where the text similarity is greater than a preset threshold is counted.
Optionally, the preset threshold may be adjusted according to the current capability of processing alarm events. If the resources currently available for processing alarm events are sufficient, the preset threshold may be set relatively high, so that the operation and maintenance personnel can process each alarm event one by one. If the resources are not sufficient, the preset threshold may be set relatively low; for similar problems, the operation and maintenance personnel first perform unified processing to solve the major fault, and then resolve the details one by one.
The method further includes operations S441 to S442.
In operation S441, a link monitoring log of the software that generates the first alarm event and the second alarm event is obtained, where the link monitoring log is link information of a transaction performed by the software within a second preset time period.
In operation S442, the link monitoring log is cleaned, and a link frequent n item set of the software for performing transactions is generated, where n is greater than or equal to 2 and is an integer.
Operation S422 is also included in operation S420.
In operation S422, a minimum support scan calculation is performed on the problem root cause analysis report and a plurality of third key fields in the alarm data of all second alarm events to obtain an association relationship frequent n item set.
In each scan, the scanned objects include, in addition to the association relationship frequent n item set obtained from the (n-1)th scan, the link frequent n item set, where n is greater than or equal to 2; the third key field is a field having the association characteristics of the alarm event.
Operation S422 is similar to operation S233 in the method for calculating the association relationship in the alarm event processing method shown in fig. 2: the Apriori algorithm is used to implement event alarm association analysis, and the transaction links and resource configuration information are combed and added into the scanning and calculation of the association algorithm as known frequent item sets, so that the accuracy and the completeness of the association analysis can be improved.
In operation S430, counting the second alarm events whose association relationship satisfies the preset condition specifically includes operation S431.
In operation S431, a second alarm event having the same frequent item set as the first alarm event is counted.
According to the embodiment of the disclosure, post audit analysis provides data reference for fault handling audits: the event reasons and root cause alarm data in the problem analysis report are extracted, their similarity to the full alarm data for the period during which the fault existed is calculated, alarm information that was not processed in time is marked and displayed, and the data result is provided for the audit.
Based on the alarm event processing method, the disclosure also provides an alarm event processing device. The apparatus will be described in detail below with reference to fig. 5.
Fig. 5 schematically shows a block diagram of an alarm event processing apparatus according to an embodiment of the present disclosure.
As shown in fig. 5, the alarm event processing apparatus 500 of this embodiment includes a data acquisition module 510, a guidance degree calculation module 520, a similarity and association calculation module 530, a priority determination module 540, and an event processing module 550.
The data obtaining module 510 is configured to obtain a first alarm event and alarm data thereof, and obtain all second alarm events and alarm data thereof within a first preset time period that includes an occurrence time of the first alarm event. In an embodiment, the data obtaining module 510 may be configured to perform the operation S210 described above, which is not described herein again.
The guidance degree calculation module 520 is configured to analyze the alarm data of the first alarm event based on a preset guidance degree calculation rule to calculate an alarm guidance degree of the first alarm event. In an embodiment, the guidance degree calculation module 520 may be configured to perform the operation S220 described above, which is not described herein again.
The similarity and association calculation module 530 is configured to calculate text similarities and associations of the alarm data of the first alarm event and each second alarm event. In an embodiment, the similarity and association calculation module 530 may be configured to perform the operation S230 described above, which is not described herein again.
The priority determination module 540 is configured to perform determination according to a predetermined priority determination rule, based on the alarm level of the first alarm event, the alarm level of the second alarm event whose text similarity and/or association relationship satisfies the predetermined condition, and the alarm guidance degree, so as to obtain the processing priority of the first alarm event. In an embodiment, the priority determination module 540 may be configured to perform the operation S240 described above, which is not described herein again.
The event processing module 550 is configured to process the first alarm event in order of priority. In an embodiment, the event processing module 550 may be configured to perform the operation S250 described above, which is not described herein again.
FIG. 6 is a block diagram schematically illustrating the structure of an alarm event auditing apparatus according to an embodiment of the present disclosure.
As shown in fig. 6, the alarm event auditing apparatus 600 of this embodiment includes: a data acquisition module 610, a calculation module 620 and a statistics module 630.
The data obtaining module 610 is configured to obtain a problem root cause analysis report of a first alarm event and obtain alarm data of all second alarm events within a preset time period, where the problem root cause analysis report is obtained after problem processing is performed on the basis of the alarm data of the first alarm event, and a key field of the problem root cause analysis report corresponds to a key field of the alarm data. In an embodiment, the data obtaining module 610 may be configured to perform the operation S410 described above, which is not described herein again.
The calculation module 620 is configured to calculate text similarity between the problem root cause analysis report and the alarm data of each second alarm event, and calculate an association relationship between the first alarm event and each second alarm event. In an embodiment, the calculating module 620 may be configured to perform the operation S420 described above, which is not described herein again.
The statistics module 630 is configured to count a second alarm event whose text similarity and/or association relation with the first alarm event satisfies a preset condition. In an embodiment, the statistics module 630 may be configured to perform the operation S430 described above, which is not described herein again.
According to the embodiment of the present disclosure, any plurality of the data acquisition module 510, the guidance degree calculation module 520, the similarity and association relation calculation module 530, the priority determination module 540, the event processing module 550, and the data acquisition module 610, the calculation module 620, and the statistics module 630 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the data obtaining module 510, the guidance degree calculating module 520, the similarity and association relation calculating module 530, the priority judging module 540, the event processing module 550, and the data obtaining module 610, the calculating module 620, and the counting module 630 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementation manners of software, hardware, and firmware, or by a suitable combination of any of them. 
Alternatively, at least one of the data acquisition module 510, the guidance degree calculation module 520, the similarity and association calculation module 530, the priority determination module 540 and the event processing module 550, and the data acquisition module 610, the calculation module 620 and the statistics module 630 may be at least partially implemented as a computer program module that, when executed, may perform a corresponding function.
FIG. 7 schematically illustrates a block diagram of an electronic device suitable for implementing an alarm event processing method and/or an alarm event auditing method according to an embodiment of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 705 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. The processor 701 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. It is noted that the programs may also be stored in one or more memories other than the ROM 702 and RAM 703. The processor 701 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 700 may also include an input/output (I/O) interface 705, which is also connected to the bus 704. The electronic device 700 may also include one or more of the following components connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is installed into the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the item recommendation method provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 701. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by the processor 701, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (25)

1. An alarm event processing method comprises the following steps:
acquiring a first alarm event and alarm data thereof, and acquiring all second alarm events and alarm data thereof in a first preset time period including the occurrence moment of the first alarm event;
analyzing the alarm data of the first alarm event based on a preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event;
calculating text similarity and incidence relation of the alarm data of the first alarm event and each second alarm event;
judging, according to a preset priority judgment rule, based on the alarm level of the first alarm event, the alarm level of the second alarm event whose text similarity and/or incidence relation with the first alarm event meets a preset condition, and the alarm guidance degree, to obtain the processing priority of the first alarm event;
and processing the first alarm event in the order given by the processing priority.
2. The method of claim 1, wherein analyzing the alarm data of the first alarm event based on a preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event comprises:
setting an initial alarm guidance degree;
sequentially judging whether a plurality of first key fields in the alarm data of the first alarm event meet the conditions specified by the guidance degree calculation rule, wherein the plurality of first key fields are fields representing the environment, state, configuration and maintenance conditions of the first alarm event;
and when the first key field meets the condition specified by the guidance degree calculation rule, subtracting a corresponding numerical value from the initial alarm guidance degree to obtain the alarm guidance degree.
3. The method of claim 2, further comprising:
calculating an alarm event noise probability of software generating the first alarm event;
and using the alarm event noise probability as one of the judgment rules of the guidance degree calculation rule to calculate the alarm guidance degree.
4. The method of claim 3, wherein calculating an alarm event noise probability for software generating the first alarm event comprises:
constructing an alarm event noise probability fitting function which takes the transaction fluctuation rate and the alarm occurrence time of the software as input and takes the noise probability of the software as output;
and calculating the noise probability of the first alarm event based on the transaction fluctuation rate and the alarm occurrence time of the software when the first alarm event occurs.
5. The method according to claim 3, wherein the calculating the alarm guidance degree according to the magnitude of the alarm event noise probability as one of the guidance degree calculation rules comprises:
obtaining the attribute grade of the alarm event based on the noise probability of the alarm event;
subtracting a value corresponding to the attribute level from the initial alarm guidance degree to calculate the alarm guidance degree.
6. The method of claim 1, wherein calculating the textual similarity between the alert data for the first alert event and each of the second alert events comprises:
and calculating the text similarity between the first alarm event and at least one second key field in the alarm data of each second alarm event, wherein the second key field is a field for describing alarm conditions.
7. The method of claim 6, comprising:
and acquiring the alarm level of the second alarm event with the highest text similarity so as to be used for judging the processing priority of the first alarm event.
8. The method of claim 1, further comprising:
acquiring a link monitoring log of software generating the first alarm event and the second alarm event, wherein the link monitoring log is link information of transaction of the software in a second preset time period;
and cleaning the link monitoring log, and generating a link frequent n item set of the software for transaction, wherein n is more than or equal to 2.
9. The method of claim 8, wherein the calculating the association between the first alarm event and the alarm data for each of the second alarm events comprises:
performing minimum support scanning calculation on a plurality of third key fields in the alarm data of the first alarm event and all the second alarm events in the first preset time period to obtain an association relationship frequent n item set;
wherein, in addition to the association relationship frequent item sets obtained by the (n-1)th scan, the link frequent n item sets are added to the objects to be scanned, n is greater than or equal to 2, and the third key field is a field having the association characteristic of the alarm event.
10. The method of claim 9, further comprising:
acquiring a list of second alarm events of which the first alarm events have the same frequent item set;
and screening out a second alarm event with the highest alarm level in the list, and using the alarm level of the second alarm event to judge the processing priority of the first alarm event.
11. The method of claim 1, comprising:
the priority of the first alarm event is higher when the alarm level of the first alarm event is higher, when the alarm level of the second alarm event whose text similarity and/or incidence relation meets the preset conditions is higher, and when the alarm guidance degree is lower;
the higher the priority, the earlier the first alarm event is processed.
12. The method of claim 1, further comprising:
taking a plurality of fourth key fields in the alarm data of the first alarm event and the noise guidance degree as a denoising decision attribute, and performing decision tree judgment to judge whether the first alarm event is noise;
and participating in the judgment of the priority judgment rule by using the noise judgment result of the first alarm event, wherein when the first alarm event is noise, the priority is reduced by a preset level on the basis of the alarm level of the first alarm event, the alarm level of the second alarm event and the priority obtained by the alarm guidance degree.
13. The method of claim 1, further comprising:
and cleaning and standardizing the alarm data of the first alarm event and the second alarm event.
14. The method of claim 1, further comprising:
and displaying the processing priority of the first alarm event, and displaying a second alarm event of which the text similarity with the first alarm event is greater than a preset threshold and/or has an association relation.
15. An alarm event auditing method, comprising:
the method comprises the steps of obtaining a problem root analysis report of a first alarm event and obtaining alarm data of all second alarm events in a preset time period, wherein the problem root analysis report is obtained after problem processing is carried out on the basis of the alarm data of the first alarm event, and key fields of the problem root analysis report correspond to key fields of the alarm data;
calculating text similarity between the problem root analysis report and the alarm data of each second alarm event, and calculating the incidence relation between the first alarm event and each second alarm event;
and counting a second alarm event of which the text similarity and/or the incidence relation with the first alarm event meet preset conditions.
16. The method of claim 15, wherein calculating the textual similarity between the problem root cause analysis report and the alarm data for each of the second alarm events comprises:
and calculating text similarity between the problem root cause analysis report and at least one second key field in the alarm data of each second alarm event, wherein the second key field is a field for describing alarm conditions.
17. The method of claim 16, comprising:
and counting the second alarm event of which the text similarity is greater than a preset threshold value.
18. The method of claim 15, wherein the method comprises:
acquiring a link monitoring log of software generating the first alarm event and the second alarm event, wherein the link monitoring log is link information of transaction of the software in a second preset time period;
and cleaning the link monitoring log, and generating a link frequent n item set of the software for transaction, wherein n is more than or equal to 2.
19. The method of claim 18, wherein calculating the correlation between the problem root cause analysis report and the alarm data for each of the second alarm events comprises:
performing minimum support scanning calculation on the problem root analysis report and a plurality of third key fields in the alarm data of all second alarm events to obtain a frequent n item set of incidence relations;
wherein, in addition to the association relationship frequent item sets obtained by the (n-1)th scan, the link frequent n item sets are added to the objects to be scanned, n is greater than or equal to 2, and the third key field is a field having the association characteristic of the alarm event.
20. The method of claim 19, further comprising:
and counting a second alarm event with the same frequent item set as the first alarm event.
21. An alarm event processing apparatus comprising:
the data acquisition module is used for acquiring a first alarm event and alarm data thereof, and acquiring all second alarm events and alarm data thereof in a first preset time period including the occurrence moment of the first alarm event;
the guidance degree calculation module is used for analyzing the alarm data of the first alarm event based on a preset guidance degree calculation rule so as to calculate the alarm guidance degree of the first alarm event;
the similarity and incidence relation calculation module is used for calculating the text similarity and incidence relation of the alarm data of the first alarm event and each second alarm event;
the priority judging module is used for judging according to a preset priority judging rule based on the alarm level of the first alarm event, the alarm level of the second alarm event and the alarm guidance degree, wherein the text similarity and/or the incidence relation of the first alarm event meet preset conditions, so as to obtain the processing priority of the first alarm event;
and the event processing module is used for processing the first alarm event in the order given by the processing priority.
22. An alarm event auditing apparatus, comprising:
the data acquisition module is used for acquiring a problem root analysis report of a first alarm event and acquiring alarm data of all second alarm events in a preset time period, wherein the problem root analysis report is obtained after problem processing is carried out on the basis of the alarm data of the first alarm event, and key fields of the problem root analysis report correspond to key fields of the alarm data;
the calculation module is used for calculating text similarity between the problem root analysis report and the alarm data of each second alarm event and calculating the incidence relation between the first alarm event and each second alarm event;
and the statistical module is used for counting a second alarm event of which the text similarity and/or the incidence relation with the first alarm event meet preset conditions.
23. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-14 or 15-20.
24. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 14 or claims 15 to 20.
25. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 14 or claims 15 to 20.
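The triage flow of claims 1, 2, 6, 7, 10 and 11, as an added Python sketch that is not code from the patent or its applicant. The field names, rule deductions, thresholds, level scale and the additive scoring formula are all assumptions, and the frequent-pair mining is a simplified stand-in for the frequent n item set scan of claims 8 to 10 (no link monitoring log is used).

```python
from collections import Counter
from dataclasses import dataclass
from difflib import SequenceMatcher
from itertools import combinations

INITIAL_GUIDANCE = 100  # assumed initial alarm guidance degree (claim 2)
# Assumed guidance rules: (first key field, condition, deduction).
GUIDANCE_RULES = [
    ("environment", lambda v: v == "production", 30),
    ("state", lambda v: v == "unreachable", 30),
    ("in_maintenance", lambda v: v is False, 20),
]
ASSOC_FIELDS = ("app", "host", "datacenter")  # assumed third key fields
SIM_THRESHOLD = 0.8  # assumed preset condition on text similarity
MIN_SUPPORT = 2      # assumed minimum support for a frequent pair

@dataclass
class Alarm:
    id: str
    level: int    # 1 (low) .. 4 (critical), constructed scale
    summary: str  # second key field: text describing the alarm condition
    data: dict

def guidance_degree(alarm):
    """Claim 2: subtract a value for every key field that meets its rule."""
    degree = INITIAL_GUIDANCE
    for key, cond, deduction in GUIDANCE_RULES:
        if key in alarm.data and cond(alarm.data[key]):
            degree -= deduction
    return degree

def similarity(a, b):
    """Claim 6: text similarity over the descriptive field only."""
    return SequenceMatcher(None, a.summary.lower(), b.summary.lower()).ratio()

def pairs(alarm):
    items = sorted((f, alarm.data[f]) for f in ASSOC_FIELDS if f in alarm.data)
    return set(combinations(items, 2))

def frequent_pairs(alarms):
    """Field=value pairs seen in at least MIN_SUPPORT alarms of the window."""
    counts = Counter(p for a in alarms for p in pairs(a))
    return {p for p, c in counts.items() if c >= MIN_SUPPORT}

def priority(first, seconds):
    """Claim 11: monotonic in own level, related level and (100 - guidance)."""
    related = 0
    if seconds:  # claim 7: level of the most similar second alarm event
        best = max(seconds, key=lambda s: similarity(first, s))
        if similarity(first, best) >= SIM_THRESHOLD:
            related = best.level
    shared = pairs(first) & frequent_pairs([first, *seconds])
    for s in seconds:  # claim 10: highest level among associated events
        if shared & pairs(s):
            related = max(related, s.level)
    return first.level + related + (INITIAL_GUIDANCE - guidance_degree(first)) / 25

def processing_order(alarms):
    """Claim 1, last step: handle alarms from highest to lowest priority."""
    scored = [(priority(a, [s for s in alarms if s is not a]), a.id) for a in alarms]
    return [i for _, i in sorted(scored, key=lambda t: -t[0])]

# Constructed alarms inside one time window.
A1 = Alarm("A1", 2, "payment-gw response time over 3000 ms",
           {"environment": "production", "state": "degraded", "in_maintenance": False,
            "app": "payment-gw", "host": "pg-01", "datacenter": "dc1"})
A2 = Alarm("A2", 4, "payment-gw response time over 5000 ms",
           {"environment": "production", "state": "unreachable", "in_maintenance": False,
            "app": "payment-gw", "host": "pg-02", "datacenter": "dc1"})
A3 = Alarm("A3", 1, "disk usage above 90 percent on /var",
           {"environment": "test", "state": "ok", "in_maintenance": True,
            "app": "batch", "host": "b-01", "datacenter": "dc2"})

if __name__ == "__main__":
    print(processing_order([A1, A2, A3]))
```

The low-level alarm A1 is lifted because it is textually similar to, and shares a frequent field pair with, the critical alarm A2; the unrelated A3 stays at its own level.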
CN202111279365.9A 2021-10-29 2021-10-29 Alarm event processing method, auditing method, device, equipment, medium and product Pending CN113961441A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111279365.9A CN113961441A (en) 2021-10-29 2021-10-29 Alarm event processing method, auditing method, device, equipment, medium and product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111279365.9A CN113961441A (en) 2021-10-29 2021-10-29 Alarm event processing method, auditing method, device, equipment, medium and product

Publications (1)

Publication Number Publication Date
CN113961441A true CN113961441A (en) 2022-01-21

Family

ID=79468581

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111279365.9A Pending CN113961441A (en) 2021-10-29 2021-10-29 Alarm event processing method, auditing method, device, equipment, medium and product

Country Status (1)

Country Link
CN (1) CN113961441A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150249A (en) * 2022-06-29 2022-10-04 济南浪潮数据技术有限公司 Storage system warning method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
US10810107B2 (en) User interface for specifying data stream processing language programs for analyzing instrumented software
US9436535B2 (en) Integration based anomaly detection service
US20210035021A1 (en) Systems and methods for monitoring of a machine learning model
US20230205586A1 (en) Autonomous release management in distributed computing systems
US10613525B1 (en) Automated health assessment and outage prediction system
US20220215303A1 (en) Automated Rules Execution Testing And Release System
US11775504B2 (en) Computer estimations based on statistical tree structures
CN114238058A (en) Monitoring method, apparatus, device, medium, and program product
CN114238993A (en) Risk detection method, apparatus, device and medium
CN113961441A (en) Alarm event processing method, auditing method, device, equipment, medium and product
CN113420935A (en) Fault location method, apparatus, device and medium
CN115760013A (en) Operation and maintenance model construction method and device, electronic equipment and storage medium
CN114218283A (en) Abnormality detection method, apparatus, device, and medium
CN113037555B (en) Risk event marking method, risk event marking device and electronic equipment
CN113052509A (en) Model evaluation method, model evaluation apparatus, electronic device, and storage medium
CN113449886A (en) Data processing method, processing device, equipment and storage medium
CN111651753A (en) User behavior analysis system and method
CN115499292B (en) Alarm method, device, equipment and storage medium
US20230412452A1 (en) Detecting network anomalies by correlating multiple information sources
CN115686895A (en) Database abnormality diagnosis method, apparatus, device, medium, and program product
CN114756441A (en) Method, device, equipment and medium for processing logs of host system
CN116561635A (en) Training method, device and equipment for fault detection model under micro-service architecture
CN116932326A (en) Server fault monitoring method, device, equipment, medium and program product
CN115630960A (en) Information display method and device, electronic equipment and medium
CN116126831A (en) Training method of stability prediction model and database stability detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination