CN114301761A - Alarm method, alarm system, alarm device and storage medium - Google Patents
Alarm method, alarm system, alarm device and storage medium Download PDFInfo
- Publication number
- CN114301761A CN114301761A CN202111677740.5A CN202111677740A CN114301761A CN 114301761 A CN114301761 A CN 114301761A CN 202111677740 A CN202111677740 A CN 202111677740A CN 114301761 A CN114301761 A CN 114301761A
- Authority
- CN
- China
- Prior art keywords
- alarm
- statistical
- flow
- value
- alarm threshold
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
In order to improve or solve the technical problem that the conventional alarm method is not timely in alarm, embodiments of the present invention provide an alarm method, an alarm system, and a storage medium, where the alarm method includes: s1, acquiring flow data of a specified index of equipment; s2, sequencing according to the time sequence generated by the flow data of the designated index of the equipment in the statistical dimension to obtain the flow data of the statistical dimension, wherein the statistical dimension comprises different statistical granularities; s3, respectively counting the flow value of the existing flow data in each statistical granularity to obtain a statistical flow value; and S4, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and respectively giving an alarm according to the alarm threshold value condition. The embodiment of the invention carries out statistical comparison on the existing flow data in each statistical granularity and carries out alarm respectively according to the corresponding alarm threshold conditions, thereby improving the timeliness and the accuracy of the alarm.
Description
Technical Field
The invention belongs to the field of abnormal alarm of computer flow, and particularly relates to an alarm method, an alarm system, an alarm device and a storage medium.
Background
There are a large number of devices in a network environment, and each device continuously generates data traffic greater than a certain value when it is operating normally and propagates through the network. If the equipment is abnormal, the flow generated by the abnormal equipment is reduced to be below a certain value.
The method is used for alarming when the flow abnormity occurs in the equipment. The prior art generally employs the following two methods.
First, data from the previous day were statistically analyzed on a daily basis.
The use scenario is as follows: statistical analysis of the offline data of the previous day on a daily basis generates a threshold alarm. The technical idea is as follows: and storing the data into a database, and analyzing the complete data of the previous day until the next day to generate an alarm when the threshold condition is met.
Technical analysis: the alarm flow is simple in logic, firstly, the data is waited to enter the database completely, then the data is subjected to one-time statistical analysis to match with the threshold condition to generate an alarm, the realization is easy, and meanwhile, the accuracy of the alarm log is also ensured. But the time at which the alarm is generated differs from the time at which the alarm actually occurs by a time of at most 24 hours.
The main disadvantages are that: the warning timeliness is poor, and the requirement of timely warning is difficult to meet. When an alarm event occurs, the management or operation and maintenance personnel can know the afterfeel.
And the second method comprises the following steps: current data is analyzed periodically.
The use scenario is as follows: and performing statistical analysis on the current data every other set period to generate an alarm.
The technical idea is as follows: in order to meet the requirement of timeliness, the existing data is analyzed every other time period, whether threshold value alarm can be triggered or not is judged, alarm is generated if the threshold value condition is met, and the next period is continuously waited if the threshold value condition is not met. The rule that the alarm condition is not satisfied all the time will end the next day.
Technical analysis: whether an alarm is generated or not is judged by regularly and actively counting the current data of the database and comparing the current data with the threshold value of the current rule, and compared with the first method, the timeliness of the alarm generation is improved to a certain extent. However, there is a significant problem that when the threshold condition is less than or equal to the threshold, the current statistical value is less than or equal to the threshold, but the final result may be greater than the threshold with the increase of the flow data, and if the alarm is generated, it is likely to be a false alarm, it is difficult to determine whether an alarm log should be generated.
The main disadvantages are that: compared with the first scheme, the method only improves the timeliness of alarming when the threshold condition is larger than the threshold value and the numerical value of the actual index is actually larger than the threshold value. But for a scenario that requires configuring a threshold condition to be less than or equal to a certain threshold, such as: in a stable network environment, the sum of data traffic of a certain TCP is always stable above 110M in each hour, and based on this, the network administrator can set a rule that the sum of data traffic of the certain TCP is less than or equal to 110M in each hour to trigger an alarm. There still exists the problem of false alarms or alarms that are not timely enough.
Disclosure of Invention
In order to improve or solve the technical problem that the conventional alarm method cannot alarm timely, embodiments of the present invention provide an alarm method, an alarm system, an alarm device, and a storage medium.
The embodiment of the invention is realized by the following technical scheme:
in a first aspect, an embodiment of the present invention provides an alarm method, including:
s1, acquiring flow data of a specified index of equipment;
s2, sequencing according to the time sequence generated by the flow data of the designated index of the equipment in the statistical dimension to obtain the flow data of the statistical dimension, wherein the statistical dimension comprises different statistical granularities;
s3, respectively counting the flow value of the existing flow data in each statistical granularity to obtain a statistical flow value;
and S4, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and respectively giving an alarm according to the alarm threshold value condition.
Further, the alarm threshold condition is that the alarm is performed when the alarm threshold is greater than the alarm threshold and/or the alarm is performed when the alarm threshold is less than or equal to the alarm threshold.
Further, when the alarm threshold condition includes an alarm greater than the alarm threshold, comparing the statistical flow value with the alarm threshold, and giving an alarm according to the alarm threshold condition; the method comprises the following steps:
and comparing the statistical flow value in each statistical granularity with the alarm threshold value, and giving an alarm if the statistical flow value is greater than the alarm threshold value.
Further, when the alarm threshold condition includes an alarm smaller than or equal to the alarm threshold, comparing the statistical flow value with the alarm threshold, and giving an alarm according to the alarm threshold condition; the method comprises the following steps:
comparing the statistical flow value in each statistical granularity with the alarm threshold value, and if the statistical flow value is greater than the alarm threshold value, not generating an alarm; otherwise, judging whether the existing flow data in each statistical granularity is all the flow data in each statistical granularity, if not, returning to execute the steps S1-S4; if yes, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and if the statistical flow value is smaller than or equal to the alarm threshold value, giving an alarm.
Further, the flow data is offline flow data.
In a second aspect, an embodiment of the present invention provides an alarm system, including:
the flow acquisition unit is used for acquiring flow data of a specified index of the equipment;
the time sequencing unit is used for sequencing according to the time sequence generated by the flow data of the specified index of the equipment in the statistical dimension to obtain the flow data of the statistical dimension, wherein the statistical dimension comprises different statistical granularities;
the statistical unit is used for respectively counting the flow value of the existing flow data in each statistical granularity to obtain a statistical flow value;
the comparison unit is used for comparing the statistical flow value in each statistical granularity with the alarm threshold value; and the alarm unit is used for respectively alarming according to the alarm threshold value conditions.
Further, the alarm unit further includes a warning unit configured to, when the alarm threshold condition includes that the alarm is greater than the alarm threshold, alarm if the statistical flow value is greater than the alarm threshold.
Further, the comparing unit further includes: the flow acquiring unit is used for judging whether the existing flow data in each statistical granularity is all the flow data in each statistical granularity or not when the alarm threshold condition comprises that the alarm is less than or equal to the alarm threshold and the statistical flow value is not greater than the alarm threshold, and if not, returning to the flow acquiring unit; if yes, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and if the statistical flow value is smaller than or equal to the alarm threshold value, giving an alarm through an alarm unit.
The alarm unit is also used for not generating an alarm when the statistical flow value is not greater than the alarm threshold value when the alarm threshold value condition comprises that the alarm is less than or equal to the alarm threshold value; and if the existing flow data in each statistical granularity is all the flow data in each statistical granularity, and the statistical flow value is less than or equal to the alarm threshold value, generating an alarm.
In a third aspect, an embodiment of the present invention provides an alarm device, including: the alarm system comprises a memory, a processor and a transceiver which are sequentially communicated, wherein the memory is used for storing computer programs, the transceiver is used for receiving and transmitting messages, and the processor is used for reading the computer programs and executing the alarm method.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which instructions are stored, and when the instructions are executed on a computer, the method for alarming is executed.
Compared with the prior art, the embodiment of the invention has the following advantages and beneficial effects:
according to the alarming method, the alarming system, the alarming device and the storage medium, the flow data of the specified indexes of the equipment are sorted in the statistical dimension according to the time sequence generated by the flow data of the specified indexes, then statistical comparison is carried out in each statistical granularity, alarming is respectively carried out according to the alarm threshold conditions, the existing flow data in each statistical granularity are subjected to statistical comparison, and alarming is respectively carried out according to the corresponding alarm threshold conditions, so that the timeliness and the accuracy of alarming are improved.
Drawings
In order to more clearly illustrate the technical solutions of the exemplary embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and that for those skilled in the art, other related drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flow chart of an alarm method.
FIG. 2 is a flow diagram of an exemplary computer-implemented alarm method for an alarm threshold condition of an alarm greater than a threshold alarm.
FIG. 3 is a flow diagram of an exemplary computer-implemented alarm method with an alarm threshold condition of less than or equal to a threshold alarm.
Fig. 4 is a flow diagram of an alarm system.
Fig. 5 is a schematic flow chart of the warning device.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to examples and accompanying drawings, and the exemplary embodiments and descriptions thereof are only used for explaining the present invention and are not meant to limit the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be apparent to one of ordinary skill in the art that: it is not necessary to employ these specific details to practice the present invention. In other instances, well-known structures, circuits, materials, or methods have not been described in detail so as not to obscure the present invention.
Throughout the specification, reference to "one embodiment," "an embodiment," "one example," or "an example" means: the particular features, structures, or characteristics described in connection with the embodiment or example are included in at least one embodiment of the invention. Thus, the appearances of the phrases "one embodiment," "an embodiment," "one example" or "an example" in various places throughout this specification are not necessarily all referring to the same embodiment or example. Furthermore, the particular features, structures, or characteristics may be combined in any suitable combination and/or sub-combination in one or more embodiments or examples. Further, those of ordinary skill in the art will appreciate that the illustrations provided herein are for illustrative purposes and are not necessarily drawn to scale. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
In the description of the present invention, the terms "front", "rear", "left", "right", "upper", "lower", "vertical", "horizontal", "upper", "lower", "inner", "outer", etc. indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed in a particular orientation, and be operated, and therefore, should not be construed as limiting the scope of the present invention.
Examples
The inventor finds that in the prior art, because it is uncertain whether the later data will increase the statistical value of the current index, and in order to ensure that false alarm is not generated, whether the current data can be used as the condition for generating alarm or not can not be judged in time.
In order to improve or solve the technical problem that the conventional alarm method is not timely in alarm, embodiments of the present invention provide an alarm method, an alarm system, and a storage medium. In a first aspect, an embodiment of the present invention provides an alarm method, which is shown in fig. 1 and includes:
s1, acquiring flow data of a specified index of equipment;
one of the applicable scenes of the alarm method is as follows: there are a large number of devices in a network environment, and each device continuously generates data traffic greater than a certain value when it is operating normally and propagates through the network. If the equipment is abnormal, the equipment does not generate alarm information, but the flow generated by the abnormal equipment is reduced below a certain value. Therefore, an abnormal change of the device can be reflected by monitoring the abnormal change of the flow rate.
The alarm method of the embodiment of the invention is particularly suitable for a scene that the time sequence of the arrival of the flow data packet of a certain index of the equipment to the database is disordered.
When the flow data of the specified index of the equipment is taken as the index for reflecting whether the working state of the equipment is abnormal or not, an intermittent acquisition mode can be adopted, a real-time standby and ready-to-acquire mode can be adopted, and a timing acquisition mode can be adopted.
S2, sequencing according to the time sequence generated by the flow data of the designated index of the equipment in the statistical dimension to obtain the flow data of the statistical dimension, wherein the statistical dimension comprises different statistical granularities;
the time sequence of the acquired flow data of the specified indexes of the equipment is likely to be disordered, and false alarm is easy to generate without sequencing; therefore, step S2 needs to sort the received traffic data of the specified index of the device according to the chronological order.
In order to make the alarm more timely and accurately avoid the false alarm, the alarm method in step S2 of the embodiment of the present invention sets the statistical dimension and the statistical granularity, and by processing each statistical granularity, it is possible to timely and accurately determine how many statistical granularities are in the statistical dimension, and at what time of which statistical granularity the alarm is generated.
The following is an example of a statistical dimension of 24 hours and a statistical particle size of 60 minutes.
S3, respectively counting the flow value of the existing flow data in each statistical granularity to obtain a statistical flow value;
taking the statistical dimension of 24 hours and the statistical granularity of 60 minutes as an example, the statistical dimension can be divided into 24 statistical granularities, which can be numbered according to the serial numbers of 1, 2 and 3 … … 24, and each statistical granularity has a statistical time of 60 minutes; for example, in the acquired flow data of the specified index of the device, the first 15 minutes of data exist in the statistical granularity of the serial number 2, the first 5 minutes of data exist in the statistical granularity of the serial number 3, and the rest serial numbers have no data; then in step S3, the no-data statistical granularity is not processed; respectively processing the statistical granularity of the serial number 2 with the data of the previous 15 minutes and the statistical granularity of the serial number 3 with the data of the previous 5 minutes to respectively obtain corresponding statistical flow values; and continuously acquiring the flow data of the specified index of the equipment, and taking the data in the statistical granularity of each serial number at the end of the time of the statistical dimension as all the flow data in each statistical granularity when the time of the statistical dimension is ended.
And S4, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and respectively giving an alarm according to the alarm threshold value condition.
The above example is carried out. Step S4, comparing the statistical flow values of the statistical granularity of the serial numbers 2 and 3 with an alarm threshold value, judging according to specific alarm threshold value conditions, and then carrying out corresponding alarm after judgment; the alarm process is gradually completed along with the gradual completion of the acquired flow data of the specified index of the equipment, namely, the alarm output result of the alarm process is immediately completed at the latest when the transmission of the acquired flow data of the specified index of the equipment is completed.
Therefore, the flow data of the specified indexes of the equipment are sorted in the statistical dimensions according to the time sequence generated by the flow data of the specified indexes, then statistical comparison is carried out in each statistical granularity, alarm is respectively carried out according to alarm threshold conditions, the existing flow data in each statistical granularity are subjected to statistical comparison, and alarm is respectively carried out according to the corresponding alarm threshold conditions, so that the timeliness and the accuracy of alarm are improved.
In order to further improve the timeliness and accuracy of the alarm, the alarm threshold conditions are respectively that the alarm is carried out when the alarm threshold is larger than the alarm threshold and/or the alarm is carried out when the alarm threshold is smaller than or equal to the alarm threshold.
Namely, the alarm threshold condition is classified into a case of alarming when it is greater than the alarm threshold and a case of alarming when it is less than or equal to the alarm threshold. And the alarm is respectively given according to the two situations, so that the alarm method can give an alarm more timely and accurately.
Specifically, when the alarm threshold condition is greater than the alarm threshold, the alarm is performed, that is, when the alarm threshold condition includes an alarm greater than the alarm threshold, the statistical flow value is compared with the alarm threshold, and an alarm is performed according to the alarm threshold condition; the method comprises the following steps:
and comparing the statistical flow value in each statistical granularity with the alarm threshold value, and giving an alarm if the statistical flow value is greater than the alarm threshold value.
The above example is carried out. And comparing the statistical flow value in each statistical granularity with the alarm threshold, if the statistical flow value of the statistical granularity of the serial number 2 of the data of the first 15 minutes is compared with the alarm threshold, directly alarming if the statistical flow value obtained by the serial number is greater than the alarm threshold, and judging after receiving all the data of 60 minutes in the statistical granularity of the serial number 2. If the statistical flow value larger than the threshold value appears at the moment, the situation larger than the statistical flow value appears subsequently, and the alarm result is not influenced; if the statistical flow value obtained by the data in the first 15 minutes does not appear later, the statistical flow value obtained by the data in the first 15 minutes is the maximum value, and the alarm result is not influenced.
Therefore, a large amount of time, resources and memory space required by the judgment process can be saved through the judgment mode, and the timeliness and the accuracy of the judgment process are improved.
Specifically, the alarm threshold condition is a situation where an alarm is made when it is less than or equal to the alarm threshold. When the alarm threshold condition comprises that the alarm is smaller than or equal to the alarm threshold, comparing the statistical flow value with the alarm threshold, and giving an alarm according to the alarm threshold condition; the method comprises the following steps:
comparing the statistical flow value in each statistical granularity with the alarm threshold value, and if the statistical flow value is greater than the alarm threshold value, not generating an alarm; otherwise
Judging whether the existing flow data in each statistical granularity is all the flow data in each statistical granularity, if not, returning to execute the steps S1-S4; if yes, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and if the statistical flow value is smaller than or equal to the alarm threshold value, giving an alarm.
The above example is carried out. The data of the first 15 minutes were included in the statistical particle size of number 2, and the data of the first 5 minutes were included in the statistical particle size of number 3. If the statistical flow value obtained after the statistical granularity processing of the sequence number 2 is greater than the alarm threshold value, no alarm is generated; otherwise (namely, the statistical flow value is less than or equal to the alarm threshold value at this time), whether the data in the sequence number 2 is all the flow data in the statistical granularity of the sequence number 2 needs to be judged, and if the data in the sequence number 2 is not all the flow data in the statistical granularity of the sequence number 2, the alarm is given, so that a false alarm is generated; since the data in the last 45 minutes of sequence number 2 is likely to change the magnitude relation between the statistical flow value of sequence number 2 and the alarm threshold, a situation exceeding the alarm threshold may occur; therefore, it is necessary to accurately determine the traffic data in the statistical granularity when the existing traffic data is all the traffic data in each statistical granularity. Therefore, by the mode, the alarm error is avoided. The method completes the alarm immediately after the time of completing the transmission of the flow data of the designated index of the equipment at the latest; therefore, compared with the prior art, the alarm accuracy is improved, false alarm is prevented, meanwhile, the alarm time is shortened, and the alarm timeliness is also improved.
Further, the flow data is offline flow data.
The following computer example is shown with reference to fig. 2 and 3, in which the above-described method processes are implemented by a computer.
First, when the alarm threshold condition is less than or equal to the threshold, refer to fig. 2. The specific process comprises the following steps:
1. according to the statistical dimension of the Alarm rule, a data structure is created inside the system, and contains two key value pairs, namely Alarm (time, Statistics _ granularity; time _ granularity, Statistics _ index). Wherein:
the granularity is divided according to the time of a statistical dimension, and if the statistical dimension is hour, 24 groups exist, and if the statistical dimension is minute, 60 groups exist.
Statistics _ granularity represents the statistical granularity, which indicates how many minutes there are under the granularity, and if the statistical granularity is hour, the initial value is 60, and if the statistical granularity is minute, the initial value is 1.
time _ granularity represents the name of each group of corresponding granularity.
The Statistics _ index represents the value of the corresponding index, and the initial value is a threshold configured by the user.
The details are as follows:
taking granularity as hour, and taking alarm when the alarm threshold condition is that the statistical flow value is less than or equal to 100MB as an example, 24 groups of data are created, representing 24 hours in a day, 60 representing 60 minutes in 1 hour, and 100 is a set threshold 100M;
Alarm.put(’gran_1’,’60’;’hour_1’,’100’);
Alarm.put(’gran_2’,’60’;’hour_2’,’100’);
Alarm.put(’gran_3’,’60’;’hour_3’,’100’);
Alarm.put(’gran_4’,’60’;’hour_4’,’100’);
……
Alarm.put(’gran_23’,’60’;’hour_23’,’100’);
Alarm.put(’gran_24’,’60’;’hour_24’,’100’)。
2. actively reading data in a database every minute, counting the data of A minutes in each group of data every hour on the day (the specific values of A minutes in different groups can be the same or different), counting the numerical value B (namely the flow value) of a corresponding index in a corresponding hour, and processing each group of data according to the following rules;
when the value of B is larger than the Statistics _ index (100), no alarm log is generated, and only the group of contents is deleted (the group of contents is deleted to save computer resources and improve processing performance, the following similar operations are performed);
when the value of A is equal to the Statistics _ granularity value (60) and the value of B is less than or equal to the Statistics _ index (100), generating a corresponding alarm log and deleting the set of contents;
3. and (3) repeating the step (2), reading the data in the database, and only processing the rest groups until all the data groups are deleted, wherein at the moment, all the 24 groups of data are processed, the alarm is finished, and a corresponding alarm log is generated.
Secondly, when the alarm threshold condition is greater than the threshold, refer to fig. 3. The specific process comprises the following steps:
1. according to the statistical dimension of the Alarm rule, a data structure is created inside the system, and contains two key value pairs, namely Alarm (time, Statistics _ granularity; time _ granularity, Statistics _ index). Wherein:
the granularity is divided according to the time of a statistical dimension, and if the statistical dimension is hour, 24 groups exist, and if the statistical dimension is minute, 60 groups exist.
Statistics _ granularity represents the statistical granularity, which indicates how many minutes there are under the granularity, and if the statistical granularity is hour, the initial value is 60, and if the statistical granularity is minute, the initial value is 1.
time _ granularity represents the name of each group of corresponding granularity.
The Statistics _ index represents the value of the corresponding index, and the initial value is a threshold configured by the user.
The details are as follows:
taking granularity as hour, and taking alarm when the alarm threshold condition is that the statistical flow value is less than or equal to 100MB as an example, 24 groups of data are created, representing 24 hours in a day, 60 representing 60 minutes in 1 hour, and 100 is a set threshold 100M;
Alarm.put(’gran_1’,’60’;’hour_1’,’100’);
Alarm.put(’gran_2’,’60’;’hour_2’,’100’);
Alarm.put(’gran_3’,’60’;’hour_3’,’100’);
Alarm.put(’gran_4’,’60’;’hour_4’,’100’);
……
Alarm.put(’gran_23’,’60’;’hour_23’,’100’);
Alarm.put(’gran_24’,’60’;’hour_24’,’100’)。
2. actively reading data in a database every minute, counting the data of A minutes in each group of data every hour on the day (the specific values of A minutes in different groups can be the same or different), counting the numerical value B (namely the flow value) of a corresponding index in a corresponding hour, and processing each group of data according to the following rules;
when the value of B is greater than or equal to the Statistics _ index (100), generating an alarm log and deleting the group of contents (deleting the group of contents is for saving computer resources and improving processing performance, and the following similar operations are performed);
when the value of a is equal to the Statistics _ granularity value (60) and the value of B is less than the Statistics _ index (100), no alarm log is generated, and only the set of contents is deleted;
3. repeating the step 2, reading the data in the database and only processing the rest groups until all the data groups are deleted; at this time, all the 24 groups of data are processed, the alarm is completed and a corresponding alarm log is generated.
The computer example divides each alarm threshold condition into a plurality of parts according to the configured granularity to be executed respectively, the part which does not generate the alarm continuously runs, the part which generates the alarm stops running, and repeated alarm under the same time granularity is avoided.
The method uses two parameters of the number of minutes of the granularity appearing in the current day and the index value in the granularity to determine whether the statistic value of the rule under the granularity can be used as a judgment condition for generating an alarm and whether to continue running, thereby ensuring the accuracy and timeliness of the data.
In a second aspect, an embodiment of the present invention provides an alarm system, which is shown in fig. 4, and includes:
the flow acquisition unit is used for acquiring flow data of a specified index of the equipment;
the time sequencing unit is used for sequencing according to the time sequence generated by the flow data of the specified index of the equipment in the statistical dimension to obtain the flow data of the statistical dimension, wherein the statistical dimension comprises different statistical granularities;
the statistical unit is used for respectively counting the flow value of the existing flow data in each statistical granularity to obtain a statistical flow value; the comparison unit is used for comparing the statistical flow value in each statistical granularity with the alarm threshold value; and
and the alarm unit is used for respectively alarming according to the alarm threshold value conditions.
Further, the alarm unit further includes a warning unit configured to, when the alarm threshold condition includes that the alarm is greater than the alarm threshold, alarm if the statistical flow value is greater than the alarm threshold.
Further, the comparing unit further includes: the flow acquiring unit is used for judging whether the existing flow data in each statistical granularity is all the flow data in each statistical granularity or not when the alarm threshold condition comprises that the alarm is less than or equal to the alarm threshold and the statistical flow value is not greater than the alarm threshold, and if not, returning to the flow acquiring unit; if yes, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and if the statistical flow value is smaller than or equal to the alarm threshold value, giving an alarm through an alarm unit.
The alarm unit is also used for not generating an alarm when the statistical flow value is not greater than the alarm threshold value when the alarm threshold value condition comprises that the alarm is less than or equal to the alarm threshold value; and if the existing flow data in each statistical granularity is all the flow data in each statistical granularity, and the statistical flow value is less than or equal to the alarm threshold value, generating an alarm.
The principle of the alarm system is the same as that of the alarm method, which is not described herein.
In a third aspect, an embodiment of the present invention provides an alarm device, shown in fig. 5, including: the alarm system comprises a memory, a processor and a transceiver which are sequentially communicated, wherein the memory is used for storing computer programs, the transceiver is used for receiving and transmitting messages, and the processor is used for reading the computer programs and executing the alarm method.
The principle of the alarm device is the same as that of the alarm method, which is not described herein.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which instructions are stored, and when the instructions are executed on a computer, the method for alarming is executed.
Therefore, the embodiment of the invention ensures the alarm accuracy of the alarm threshold condition under the condition that the time sequence of the arrival of the offline flow data packet at the database is disturbed. Two parameters of the number of minutes in which the granularity appears on the day in the database and the value of the index in the granularity are used for determining whether the statistic value of the rule at the granularity can be used as a judgment condition for alarm generation and continuous operation.
The method and the device ensure the warning timeliness under the condition of warning threshold under the condition that the time sequence of the off-line flow data packet arriving at the database is disturbed. On the premise that the alarm threshold value condition is larger than the threshold value, the alarm rule does not completely acquire all data of the time granularity, but an alarm can be generated in advance when the alarm threshold value is triggered; on the premise that the alarm threshold value condition is smaller than or equal to the threshold value, the alarm rule can generate an alarm when the alarm threshold value is judged to be really triggered after all data of the time granularity are completely acquired, and the error only comes from the time when the off-line data reaches the database.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. An alert method, comprising:
s1, acquiring flow data of a specified index of equipment;
s2, sequencing according to the time sequence generated by the flow data of the designated index of the equipment in the statistical dimension to obtain the flow data of the statistical dimension, wherein the statistical dimension comprises different statistical granularities;
s3, respectively counting the flow value of the existing flow data in each statistical granularity to obtain a statistical flow value;
and S4, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and respectively giving an alarm according to the alarm threshold value condition.
2. The alarm method according to claim 1, wherein the alarm threshold condition is to alarm above an alarm threshold and/or to alarm below or equal to an alarm threshold, respectively.
3. The alarm method according to claim 2, wherein when the alarm threshold condition includes an alarm greater than an alarm threshold, the statistical flow value is compared with the alarm threshold value, and an alarm is performed according to the alarm threshold condition; the method comprises the following steps:
and comparing the statistical flow value in each statistical granularity with the alarm threshold value, and giving an alarm if the statistical flow value is greater than the alarm threshold value.
4. The alarm method according to claim 2, wherein when the alarm threshold condition includes an alarm less than or equal to an alarm threshold, the statistical flow value is compared with the alarm threshold value, and an alarm is performed according to the alarm threshold condition; the method comprises the following steps:
comparing the statistical flow value in each statistical granularity with the alarm threshold value, and if the statistical flow value is greater than the alarm threshold value, not generating an alarm; otherwise, judging whether the existing flow data in each statistical granularity is all the flow data in each statistical granularity, if not, returning to execute the steps S1-S4; if yes, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and if the statistical flow value is smaller than or equal to the alarm threshold value, giving an alarm.
5. The alerting method of any one of claims 1-4 wherein the traffic data is offline traffic data.
6. An alarm system, comprising:
the flow acquisition unit is used for acquiring flow data of a specified index of the equipment;
the time sequencing unit is used for sequencing according to the time sequence generated by the flow data of the specified index of the equipment in the statistical dimension to obtain the flow data of the statistical dimension, wherein the statistical dimension comprises different statistical granularities;
the statistical unit is used for respectively counting the flow value of the existing flow data in each statistical granularity to obtain a statistical flow value;
the comparison unit is used for comparing the statistical flow value in each statistical granularity with the alarm threshold value; and the alarm unit is used for respectively alarming according to the alarm threshold value conditions.
7. The alarm system of claim 6, wherein the alarm unit further comprises means for alarming if the statistical flow value is greater than an alarm threshold when the alarm threshold condition comprises a greater than alarm threshold alarm.
8. The alarm system of claim 6, wherein the comparing unit further comprises: the flow acquiring unit is used for judging whether the existing flow data in each statistical granularity is all the flow data in each statistical granularity or not when the alarm threshold condition comprises that the alarm is less than or equal to the alarm threshold and the statistical flow value is not greater than the alarm threshold, and if not, returning to the flow acquiring unit; if yes, comparing the statistical flow value in each statistical granularity with the alarm threshold value, and if the statistical flow value is smaller than or equal to the alarm threshold value, giving an alarm through an alarm unit.
The alarm unit is also used for not generating an alarm when the statistical flow value is not greater than the alarm threshold value when the alarm threshold value condition comprises that the alarm is less than or equal to the alarm threshold value; and if the existing flow data in each statistical granularity is all the flow data in each statistical granularity, and the statistical flow value is less than or equal to the alarm threshold value, generating an alarm.
9. An alert device, comprising: the alarm system comprises a memory, a processor and a transceiver which are sequentially connected in a communication mode, wherein the memory is used for storing computer programs, the transceiver is used for transmitting and receiving messages, and the processor is used for reading the computer programs and executing the alarm method according to any one of claims 1-5.
10. A computer-readable storage medium having stored thereon instructions for performing the alerting method of any one of claims 1-5 when the instructions are run on a computer.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111677740.5A CN114301761A (en) | 2021-12-31 | 2021-12-31 | Alarm method, alarm system, alarm device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111677740.5A CN114301761A (en) | 2021-12-31 | 2021-12-31 | Alarm method, alarm system, alarm device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114301761A true CN114301761A (en) | 2022-04-08 |
Family
ID=80975749
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111677740.5A Pending CN114301761A (en) | 2021-12-31 | 2021-12-31 | Alarm method, alarm system, alarm device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114301761A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115174254A (en) * | 2022-07-22 | 2022-10-11 | 科来网络技术股份有限公司 | Flow abnormity warning method and device, electronic equipment and storage medium |
-
2021
- 2021-12-31 CN CN202111677740.5A patent/CN114301761A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115174254A (en) * | 2022-07-22 | 2022-10-11 | 科来网络技术股份有限公司 | Flow abnormity warning method and device, electronic equipment and storage medium |
| CN115174254B (en) * | 2022-07-22 | 2023-10-31 | 科来网络技术股份有限公司 | Flow abnormality warning method and device, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105095048B (en) | A kind of monitoring system alarm association processing method based on business rule | |
| Xu et al. | Online system problem detection by mining patterns of console logs | |
| CN110995482B (en) | Alarm analysis method and device, computer equipment and computer readable storage medium | |
| CN112311617A (en) | Configured data monitoring and alarming method and system | |
| CN111881011A (en) | Log management method, platform, server and storage medium | |
| EP3988373A1 (en) | System and method for vehicle battery management, storage medium, and server system | |
| CN110188834A (en) | A kind of method for diagnosing faults of power telecom network, device and equipment | |
| CN112615742A (en) | Method, device, equipment and storage medium for early warning | |
| WO2023071761A1 (en) | Anomaly positioning method and device | |
| CN114338746A (en) | Analysis early warning method and system for data collection of Internet of things equipment | |
| CN112328425A (en) | Anomaly detection method and system based on machine learning | |
| CN114301761A (en) | Alarm method, alarm system, alarm device and storage medium | |
| CN112600719A (en) | Alarm clustering method, device and storage medium | |
| CN115544519A (en) | Method for carrying out security association analysis on threat information of metering automation system | |
| CN113472582A (en) | System and method for alarm correlation and alarm aggregation in information technology monitoring | |
| CN116668264A (en) | Root cause analysis method, device, equipment and storage medium for alarm clustering | |
| CN116974805A (en) | Root cause determination method, apparatus and storage medium | |
| CN115514627A (en) | Fault root cause positioning method and device, electronic equipment and readable storage medium | |
| CN115391148A (en) | Anomaly detection method and apparatus | |
| CN114661562A (en) | Data warning method, device, equipment and medium | |
| Makanju et al. | System state discovery via information content clustering of system logs | |
| CN114881112A (en) | System anomaly detection method, device, equipment and medium | |
| CN104346246A (en) | Failure prediction method and device | |
| CN113094241A (en) | Method, device and equipment for determining accuracy of real-time program and storage medium | |
| CN111506446B (en) | Interface fault detection method and server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |