CN115081969A - Abnormal data determination method and related device - Google Patents
Abnormal data determination method and related device Download PDFInfo
- Publication number
- CN115081969A CN115081969A CN202211010956.0A CN202211010956A CN115081969A CN 115081969 A CN115081969 A CN 115081969A CN 202211010956 A CN202211010956 A CN 202211010956A CN 115081969 A CN115081969 A CN 115081969A
- Authority
- CN
- China
- Prior art keywords
- response time
- system response
- target
- alarm
- event
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
- G06Q10/063—Operations research, analysis or management
- G06Q10/0639—Performance analysis of employees; Performance analysis of enterprise or organisation operations
- G06Q10/06393—Score-carding, benchmarking or key performance indicator [KPI] analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/20—Administration of product repair or maintenance
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/06—Buying, selling or leasing transactions
- G06Q30/0601—Electronic shopping [e-shopping]
Abstract
The embodiment of the application discloses an abnormal data determination method and a related device, wherein the method comprises the following steps: determining a plurality of alarm events; acquiring index data corresponding to each alarm event in a plurality of alarm events; generating a system response time sequence according to the system response time data corresponding to each alarm event; according to the base lines corresponding to the plurality of alarm events, correcting the system response time data corresponding to each alarm event to obtain a target system response time sequence corresponding to the system response time sequence; carrying out mutation detection on the response time sequence of the target system to screen out alarm events corresponding to the response time sequence of the target system with data mutation, so as to obtain a plurality of target alarm events; and carrying out root cause positioning on the index data corresponding to each target alarm event, and determining abnormal index data corresponding to a plurality of target alarm events. By adopting the embodiment of the application, the false alarm can be eliminated, and the efficiency and the accuracy of determining the abnormal data are improved.
Description
Technical Field
The present application relates to the field of data processing technologies, and in particular, to an abnormal data determining method and a related apparatus.
Background
With the development of internet technology and artificial intelligence, network transaction becomes a wide transaction mode for people, but with the increase of transaction data and the development of transaction monitoring technology, the number of detected faults of a transaction system is increased, and the cost of manpower consumed by manual one-by-one troubleshooting is high, so that the requirement for efficiently finding out abnormal data is high.
Disclosure of Invention
The embodiment of the application provides an abnormal data determination method and a related device, which are beneficial to improving the accuracy and efficiency of abnormal data determination.
In a first aspect, an embodiment of the present application provides an abnormal data determining method, which is applied to an electronic device, and the method includes:
determining a plurality of alarm events;
acquiring index data corresponding to each alarm event in the plurality of alarm events, wherein the index data comprises system response time data corresponding to each alarm event;
generating a system response time sequence according to the system response time data corresponding to each alarm event;
according to the base lines corresponding to the plurality of alarm events, correcting the system response time data corresponding to each alarm event to obtain a target system response time sequence corresponding to the system response time sequence;
carrying out mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation, and obtaining a plurality of target alarm events;
and performing root cause positioning on the index data corresponding to each target alarm event, and determining abnormal index data corresponding to the plurality of target alarm events.
In a second aspect, an embodiment of the present application provides an abnormal data determining apparatus, which is applied to an electronic device, and the apparatus includes: a determining unit, an obtaining unit and a processing unit, wherein,
the determining unit is used for determining a plurality of alarm events;
the acquiring unit is configured to acquire index data corresponding to each alarm event in the plurality of alarm events, where the index data includes system response time data corresponding to each alarm event;
the processing unit is used for generating a system response time sequence according to the system response time data corresponding to each alarm event;
the processing unit is further configured to modify the system response time data corresponding to each alarm event according to the baseline corresponding to the plurality of alarm events, so as to obtain a target system response time sequence corresponding to the system response time sequence;
the processing unit is further configured to perform mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation, so as to obtain a plurality of target alarm events;
the determining unit is further configured to perform root cause positioning on the index data corresponding to each of the target alarm events, and determine abnormal index data corresponding to the plurality of target alarm events.
In a third aspect, embodiments of the present application provide an electronic device, including a processor, a memory, a communication interface, and one or more programs, stored in the memory and configured to be executed by the processor, the programs including instructions for performing some or all of the steps described in any of the methods of the first aspect of the embodiments of the present application.
In a fourth aspect, the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program for electronic data exchange, where the computer program makes a computer perform part or all of the steps described in any one of the methods of the first aspect of the present application.
It can be seen that, in the embodiment of the present application, the electronic device may determine a plurality of alarm events, and obtain each of the plurality of alarm events
Index data corresponding to the alarm events, wherein the index data comprises system response time data corresponding to each alarm event, and generating a system response time sequence according to the system response time data corresponding to each alarm event, and further generating a system response time sequence according to the base lines corresponding to a plurality of alarm events, the method comprises the steps of correcting system response time data corresponding to each alarm event to obtain a target system response time sequence corresponding to the system response time sequence, carrying out mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation to obtain a plurality of target alarm events, and finally carrying out root cause positioning on index data corresponding to each target alarm event to determine abnormal index data corresponding to the plurality of target alarm events, thereby being beneficial to eliminating false alarm events and improving the accuracy and efficiency of determining the abnormal data.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic flowchart of an abnormal data determination method according to an embodiment of the present application;
FIG. 2a is a schematic diagram of a baseline and system response time provided by an embodiment of the present application;
FIG. 2b is a schematic diagram of another baseline and system response time provided by embodiments of the present application;
FIG. 2c is a schematic diagram of another baseline and system response time provided by embodiments of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
fig. 4 is a schematic diagram of an abnormal data determination apparatus according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," and the like in the description and claims of the present application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The electronic device according to the embodiments of the present disclosure may include various handheld devices, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem, and various forms of User Equipment (UE), Mobile Stations (MS), terminal devices (terminal device), and so on. For convenience of description, the above-mentioned devices are collectively referred to as electronic devices. In some examples, the electronic device may also be a server, and may specifically include an abnormal data determination server.
Referring to fig. 1, fig. 1 is a schematic flowchart of an abnormal data determining method applied to an electronic device according to an embodiment of the present application.
S101, determining a plurality of alarm events.
The electronic device may include a data processing (transaction) system and/or an abnormal data determination system. When the electronic device is a server, the server can be used for abnormal data determination, and the server corresponding to the data processing system is in communication connection to determine abnormal conditions in the system.
Wherein, the above abnormal data can be understood as: when the data processing system works, data corresponding to abnormal conditions are generated due to faults of configuration change, processing delay, network delay, system crash, system card machines and the like of the system.
Where an event is an action or occurrence within the system, the system may generate or trigger some signal when the event occurs and may provide a mechanism to automatically load the corresponding action.
For example, the electronic device may identify or monitor transaction or processing conditions of services in the data processing environment, and the like, and obtain services corresponding to a plurality of processing conditions in the system operation process in time; the service type may include at least one of: search services, transaction services, validation services, listening services, data deletion services, reminder services, and the like, without limitation.
When the electronic device processes the service corresponding to the service type, a plurality of events may be generated, which may include at least one of the following events: alarm events, verification events, reminder events, data deletion events, listening events, search events, and the like, without limitation; different service scenarios may generate different types of events.
And when the above-mentioned business takes place the abnormal situation, namely when the abnormal business type appears, for example, if appear searching the abnormal business, trade the abnormal business, monitor the abnormal situation of the business, will produce the abnormal data, the electronic equipment can be when the abnormal situation of system takes place, the monitoring unit of the system gives the alarm signal according to the abnormal situation, after giving the alarm signal, the electronic equipment can produce an alarm event.
When an abnormal condition occurs in the system, the electronic device may determine a plurality of alarm events within a preset time period (which may be default to the system or set by a user, but is not limited thereto).
It should be noted that, in the present application, a plurality may refer to two or more, and will not be described in detail later.
S102, acquiring index data corresponding to each alarm event in the plurality of alarm events, wherein the index data comprises system response time data corresponding to each alarm event.
The index is a unit or a method for measuring the development degree of an object, and can quantify the change condition corresponding to a certain object or measure an object in a digital form.
The index data may be quantized or represented in a digital form corresponding to the index when the index fluctuates.
The index may be a unit or a method for evaluating an abnormal condition of the system, and the index data may be specific data corresponding to the index acquired by the electronic device within a period of time. For example, the electronic device may receive a request instruction issued by a terminal device corresponding to a user for the transaction system, and when the request instruction is processed by a front-end platform of the transaction system a, the request instruction may generate a call instruction according to the request instruction, and pull or call each service corresponding to the transaction system a from a back-end platform according to the call instruction, so as to complete or execute the client request.
The data processing system corresponding to the electronic device may correspond to a plurality of front-end platforms and/or back-end platforms, and the response time abnormality of some front-end platforms may be caused by the response time abnormality of the back-end platform, but the relevance between the front-end platform and the back-end platform, and between the back-end platform and the back-end platform may change at any time; in the application, the electronic device may use the abnormal condition corresponding to the alarm event as an index, use system response time of the front-end platform or the back-end platform responding to the request instruction as index data, and each alarm event may correspond to one system response time, and may measure the abnormal condition of the data processing system corresponding to the electronic device through the system response time.
The index data corresponding to the alarm events may be a set of data that changes linearly or nonlinearly.
S103, generating a system response time sequence according to the system response time data corresponding to each alarm event.
In the application, because the electronic device corresponds to a plurality of front-end and/or back-end platforms, and the system response time of the alarm event corresponding to each platform is different, when a plurality of platforms exist, the sequence of the system response time of the plurality of platforms acquired by the electronic device is different, and when the number of the alarm events is large, the alarm time of the plurality of platforms acquired by the electronic device may be disordered; therefore, the electronic device can serialize the system response time data corresponding to the alarm event, and can arrange the system response times according to the time sequence to obtain the system response time sequence, so that the abnormal data can be determined according to the system response time, namely the reason for generating the abnormal condition in the system can be determined.
And S104, according to the base lines corresponding to the plurality of alarm events, correcting the system response time data corresponding to each alarm event to obtain a target system response time sequence corresponding to the system response time sequence.
The electronic device may preset a baseline, and the value or parameter corresponding to the baseline may be set by the user or may be defaulted by the system, which is not limited herein. The baseline can be obtained through historical experience learning, the baseline can correspond to a plurality of moments, the baseline value corresponding to each moment can be the same or different, different indexes can correspond to different baselines, and when the indexes are abnormal, the baseline corresponding to the response time data of the system in a period of time can be selected.
The baseline can be any one of preset standard baselines adopted in a current data processing process preselected by the electronic equipment, and can be used for judging or determining an alarm event in a plurality of events generated by the electronic equipment so as to detect abnormal data corresponding to the index data through the alarm event.
In the specific implementation, when the system configuration sends a change, the response time of the front-end platform and/or the back-end platform responding to the user request changes accordingly, and the front-end platform and/or the back-end platform moves or shifts integrally to exceed the range of the baseline, often the change of the baseline is delayed, and the determination of the alarm event is closely related to the baseline. Therefore, in the present application, the system response time data corresponding to each alarm event may be modified through the baselines corresponding to the plurality of alarm events to obtain effective index data, that is, a target system response time sequence, so that the target system response time sequence is matched with a correct response time, thereby avoiding or reducing an influence of a false alarm condition caused by a system configuration change on the determination of an abnormal condition of the entire system, and facilitating an improvement of accuracy of system abnormal data or abnormal condition positioning.
And S105, carrying out mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation, so as to obtain a plurality of target alarm events.
Because the change time or time of the baseline of each front-end and/or back-end platform is different due to the hysteresis of the change of the baseline, the alarm events determined by the electronic equipment according to the baseline are different, and the corresponding system response times may also be different; thus, if the baseline differences of the two platforms are too large, when the electronic device determines that the evaluation criteria of a plurality of alarm events corresponding to a plurality of front-end and/or back-end platforms are different, a severe sudden change situation exists in a system response time sequence generated according to a plurality of system response time data, the whole system response time sequence is corrected through the correction steps, and a situation that a part of data sudden change limit is generated may be ignored, obviously, the part of system response time data is not wanted, and the difficulty in locating the association relationship between the alarm event and the abnormal situation is increased. Therefore, mutation detection can be continuously carried out on the target system response sequence to screen out the alarm event corresponding to the target system response time sequence with data mutation, so that the data deviation condition caused by error alarm can be further screened out, and the accuracy of the alarm event can be improved.
S106, performing root cause positioning on the index data corresponding to each target alarm event, and determining abnormal index data corresponding to the plurality of target alarm events.
After the system response time data of the false alarm condition of the plurality of system response time data is screened out, a plurality of target alarm events can be obtained, and root cause positioning is carried out according to the index data corresponding to the target alarm events, so that the abnormal index data corresponding to the target alarm events can be determined.
The abnormal index data may be response time data of a certain system, and an alarm event may be located by the response time data of the system, and then a specific system influence reason may be determined by the alarm event, for example, the alarm event may be generated by a system fault of one or more platforms, specifically, the alarm event may be generated by a network switch fault of the backend platform a, and may also be generated by a router fault of the backend platform B, so that a fault point may be accurately located, thereby implementing root cause location of abnormal data.
It can be seen that, in the embodiment of the present application, the electronic device may determine a plurality of alarm events, obtain index data corresponding to each alarm event in the plurality of alarm events, wherein, the index data comprises system response time data corresponding to each alarm event, and a system response time sequence is generated according to the system response time data corresponding to each alarm event, so as to generate a plurality of alarm events, correcting the system response time data corresponding to each alarm event to obtain a target system response time sequence corresponding to the system response time sequence, carrying out mutation detection on the target system response time sequence to screen out the alarm events corresponding to the target system response time sequence with data mutation to obtain a plurality of target alarm events, and finally carrying out root cause positioning on the index data corresponding to each target alarm event to determine abnormal index data corresponding to the plurality of target alarm events. Therefore, the condition of system false alarm can be eliminated by correcting the index data and detecting the mutation, so that the subsequent data preparation of root cause positioning is realized, and the accuracy and the efficiency of determining abnormal data are improved.
In one possible example, a plurality of alarm events are determined, and the method may include the steps of: acquiring corresponding first system response time data of each event in a plurality of events every other preset time period; comparing the first system response time data corresponding to each event to the baseline; and taking an event corresponding to the first system response time data exceeding the baseline preset times in the first system response time data as the alarm event to obtain a plurality of alarm events.
The base line includes an upper base line and a lower base line, the upper base line and the lower base line may correspond to a plurality of base line values, and each base line value may correspond to a time.
The preset time period and/or the preset times can be set by a user or defaulted by a system, and are not limited herein; the selection of the alarm event in the plurality of events can be constrained by the preset time period and the preset times and can be used as the selection standard of the alarm event. The preset number may be a minimum limit value exceeding the sum of the number of upper baselines and the number of lower baselines.
In a specific implementation, when comparing the first system response time data corresponding to each event with the baseline, the electronic device may select, as an alarm event, an event in the first system response time data that exceeds the upper baseline and an event in the first system response time data that exceeds the lower baseline and whose sum is greater than a preset number.
It should be noted that the upper baseline may correspond to a first preset number of times, and the lower baseline may correspond to a second preset number of times, that is, events exceeding the upper baseline or the lower baseline may also be constrained according to different preset numbers of times, and the implementation manner of the events is the same as that in this example, and details are not described herein.
For example, a predetermined time period may be defined to correspond to M minutes, where M may be in units of minutes, hours, seconds, etc.; the preset times are defined as N times, wherein M, N are positive integers which are more than 1. The electronic device may obtain first system response time data corresponding to each of a plurality of events corresponding to each M minutes, as shown in fig. 2a, which is a schematic diagram of a baseline and a system response time, the unit of the system response time series may be placed in the same unit standard as the baseline unit, the abscissa is the system response time, the event may include an event a (solid point) and an event B (open point), the electronic device may generate a first system response time series from a plurality of first system response time data, if M is 5 minutes, N is 3 times, as shown in the figure, if the first system response time data corresponding to the event a exceeds the upper baseline and the lower baseline 5 times in total, and the first system response time data corresponding to the event B exceeds the upper baseline and the lower baseline 2 times in total, the event a is considered to be an alarm event, and the event B is considered to be a non-alarm event.
It can be seen that in the present example, the preset time period and the preset number of times can be dynamically adjusted to determine the alarm event through the baseline, which is beneficial to accurately and sensitively determining the alarm event from a plurality of events.
In one possible example, if the baseline includes an upper baseline and a lower baseline; the method may further include the following steps of, based on the baseline corresponding to the plurality of alarm events, correcting the system response time data corresponding to each alarm event: determining a baseline mean sequence of the baseline according to the upper baseline and the lower baseline, wherein the baseline mean sequence corresponds to i baseline values, and i is a positive integer greater than 1; calculating the difference value between each numerical value corresponding to the i baseline values in the system response time sequence and the baseline value to obtain i difference values, wherein the i difference values form a difference value sequence; and correcting the system response time data corresponding to each alarm event according to the difference sequence.
Wherein each baseline value in the baseline mean sequence is an average of each baseline value of the corresponding upper and lower baselines.
The reason why the system response time data corresponding to the alarm event is corrected does not mean that the system response time data corresponding to the alarm event causes false alarm, but the change of the baseline is usually delayed and slower than the change of the system response time corresponding to the front-end platform, so that when the system response time data is detected by using the baseline and the alarm event is determined, false alarm is performed, and the change of the baseline is taken as a comparison standard for determining whether the event is the alarm event or not, the accuracy and reliability of the finally obtained result are reduced due to the change of the standard, so that the system response time data corresponding to the alarm event is selected to be corrected to determine abnormal index data in the subsequent step.
Wherein, the upper base line and/or the lower base line correspond to i numerical values, and i is a positive integer larger than 1. The value of i can be determined according to a preset correction time period P starting from the current time, and the value of i is closely related to the preset correction time period P.
Alternatively, in order to clearly describe the local features of the subsequent system response time sequence (i.e. the corresponding shape, wave direction, center position, peak value, etc. of the line graph or curve formed by the sequence, which is not limited herein), when the preset correction period P is less than or equal to an interval value a, the ratio of i/P may be dynamically adjusted to be larger, so that the value of i is relatively larger, i.e. when P is less than or equal to a, the value of i is increased. For example, if the interval value a is selected to be 6, if the time period within 10min is selected, i/P is 1/2; the value of i may be taken to be 5; if the selected time period is within 6min, i/P can be adjusted to 2/3, and the value of i can be selected to be 4. Therefore, the readability of the system response time sequence can be increased, and the probability of correcting the subsequent system response time data is improved.
Wherein, when the A sequence represents the baseline mean sequence, the baseline mean sequence formula is represented as:
It can be seen that, in this example, a difference sequence composed of a plurality of differences is obtained by calculating a difference between a value in the system response time sequence and a baseline value of the baseline at a corresponding time, and then system response time data corresponding to an alarm event is corrected according to the difference sequence, so that a comparison between a subsequent baseline and the corrected system time data can be realized, thereby eliminating a false alarm event caused by the hysteresis of baseline change, and facilitating improvement of accuracy of abnormal data determination.
In one possible example, the system response time data corresponding to each alarm event is modified according to the difference sequence, and the method may include the following steps: carrying out outlier filtering on the i difference values in the difference value sequence to obtain h target difference values; determining the mean value of the h target difference values to obtain a target change mean value, wherein h is a positive integer greater than 1; and determining the difference value between each value in the system response time sequence and the target variation mean value to obtain the target system response time sequence, wherein the target system response time sequence corresponds to i target values.
And h is smaller than or equal to i, and h is equal to i when no abnormal value exists in the i difference values.
The filtering of outliers for i difference values in the difference value sequence may be implemented by a clustering algorithm, for example: the method may include clustering i difference values by a clustering algorithm to obtain a clustering result, where the clustering result includes i points, where the i points correspond to the i difference values, and then classifying the clustering result according to a point density degree, and if two classifications are obtained, a first target clustering result and a second target clustering result, where the point density degree of the first target clustering result is greater than the point density degree of the second target clustering result, selecting a difference value corresponding to a point in the first target clustering result as a normal value, and filtering the difference value corresponding to a point in the second target clustering result as an abnormal value, to obtain h target difference values. The abnormal value may be determined by using a mean square error method, a box plot method, or the like, or the data may be artificially filtered according to an empirical judgment, which is not limited herein.
And calculating the difference value between each numerical value in the system response time sequence and the target change mean value, wherein the number of the obtained difference values is i, and the obtained difference values are in one-to-one correspondence with the target numerical values to form the target system response time sequence.
When the D sequence represents the target system response time sequence, the obtained target system response time sequence may be represented as D = C-B.
As shown in fig. 2b, which is another schematic diagram of a baseline and a system response time, a unit of a system response time sequence and a baseline unit may be placed in the same unit standard, and an abscissa is a system response time, after a system configuration is changed, the system response time sequence has been changed, and the baseline is not changed due to hysteresis of baseline change, some normal events may generate a situation as shown in fig. 2b, and at this time, comparing the baseline with the system response time may result in determining that a plurality of normal events are erroneously determined as alarm events. In order to eliminate the false alarm event and accurately find the abnormal data, the system response data of the alarm event is corrected according to the baseline, and a target system response time sequence is obtained after the correction, as shown in fig. 2c, at this time, the target system response time sequence is compared with the baseline, the event corresponding to the target system response time sequence which does not exceed the baseline by the preset number of times is screened out, and the event corresponding to the screened target system response time sequence is determined to be a normal event.
The event corresponding to the response time sequence of the screened target system is a false alarm event, and the reason for generating the false alarm is that the change of the baseline has hysteresis when the system configuration is changed.
Therefore, in the example, the system response time data corresponding to the alarm event is corrected, and the authenticity of the alarm event is determined by using the baseline, so that the false alarm event can be eliminated, and the abnormal data can be determined accurately in the follow-up process.
In one possible example, before the performing mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation to obtain a plurality of target alarm events, the method may include the following steps: with a k time point as a reference, obtaining a first target system response time sequence before the k time point and a second target system response time sequence after the k time point, wherein the first target system response time sequence comprises n 1 A first target value, a second target system response time sequence including n 2 A second target value, wherein n 1 、n 2 Are all positive integers greater than or equal to 1; according to said n 1 A first target value and said n 2 Determining a first mean value, a second mean value, a first variance and a second variance corresponding to the first target system response time sequence and the second target system response time sequence respectively, wherein the first mean value and the first variance are the mean value and the variance of the first target system response time sequence, and the second mean value and the second variance are the mean value and the variance of the second target system response time sequence; determining a pre-contrast value according to the first mean, the second mean, the first variance and the second variance; determining a target critical value; and if the absolute value of the pre-alignment value is larger than the target critical value, determining that the target system response sequence has mutation.
The time points are selected one by one, the number of the selected time points is i-2, the number of the obtained pre-contrast values is i-2, and the time points are selected one by one from the 2 nd time point to the i-1 st time point.
Wherein n is 1 +n 2 =i-1, n 1 、n 2 Are all positive integers greater than or equal to 1.
Wherein, when t represents the pre-contrast value, the pre-contrast value calculation formula is shown as (1):
wherein x is 1 Is a value, x, corresponding to the first target system response time series 2 The calculation formula of S is shown in (2) for the corresponding values of the response time series of the second target system:
wherein S is 1 Is the first variance, S 2 Is the second variance.
Determining a target critical value, searching a t distribution table according to a significance level and a degree of freedom V, wherein the searched numerical value is the target critical value, the significance level can be preset manually or can be defaulted by a system, the significance level can be 95%, 90%, 85% and the like, and the formula of the degree of freedom V is represented as V = n 1 +n 2 -2。
After the absolute value of the pre-contrast value t is compared with a target critical value, and the mutation of the target system response sequence is determined, the alarm events corresponding to the mutated target system response sequence are screened out, and a plurality of target alarm events are obtained.
In the specific implementation, after a point at the time k is selected, the point is substituted into the first mean value, the second mean value, the first variance and the second variance according to the formula, a pre-comparison numerical value t is determined, a t distribution table is searched after the significance level and the degree of freedom are determined, a target critical value is determined, and if the absolute value of the pre-comparison numerical value is larger than the target critical value, the target system response sequence is determined to have mutation.
Therefore, in the example, whether the target system response sequence has mutation or not is determined by using the algorithm, and the alarm event corresponding to the target system response sequence having mutation is screened out, so that the method is favorable for further eliminating the false alarm event, and is favorable for accurately determining the abnormal data in the follow-up process.
In one possible example, the root cause locating is performed on the index data corresponding to each of the target alarm events, and the abnormal index data corresponding to the plurality of target alarm events is determined, where the method includes the following steps: acquiring back-end index data of a back-end platform corresponding to each target alarm event; clustering index data corresponding to each target alarm event and each corresponding back-end index data by using a clustering algorithm to obtain a plurality of clustering results; and determining the index data corresponding to the target alarm event corresponding to the clustering result with the outlier in the clustering results as the abnormal index data.
The backend platform index data may be system response time data corresponding to the backend platform.
The reason why the Pearson-based correlation coefficient is used as the distance measurement and the Spearman-based correlation coefficient is used as the distance measurement is that the determination of the abnormal index data is realized by clustering a target system response time sequence corresponding to a target alarm event and a system response time sequence corresponding to a rear-end platform, so that the Pearson-based correlation coefficient or the Spearman-based correlation coefficient is more suitable for the distance measurement, wherein the clustering algorithm can be a can dbs clustering algorithm, the clustering algorithm does not need to determine the number of classes in advance, and the clustering algorithm is suitable for determining the abnormal index data.
Wherein, the metric formula based on Pearson correlation coefficient can be expressed as (3)
(3)。
The Spearman correlation coefficient-based metric equation can be expressed as shown in (4):
(4)。
wherein CDS 1 、CDS 2 Respectively corresponding to the system response time sequence of the target alarm event and the corresponding back-end system response time sequence, CD, of the back-end platform 1i The i-th component, CD, of the system response time sequence corresponding to the target alarm event 2i Responding to the ith component of the time sequence for the corresponding backend platform's backend system, n being the length of the time sequence, RK 1 ,RK 2 Is CDS 1 、CDS 2 The component in (b) is converted into a sequence after a reduced order position, rk 1i ,rk 2i Is RK 1 ,RK 2 The ith component of (2).
Wherein, a plurality of sample points can be obtained through the clustering index data, and the clustering result comprises at least one of the following: the cluster comprises cluster clusters and outliers, wherein the cluster clusters are areas comprising a plurality of sample points, and the outliers are independent sample points which are not clustered.
In consideration of the fact that the transmission time of the abnormal index data from the front-end platform to the back-end platform may span minutes, that is, the front-end platform transmits the same abnormal index data to the back-end platform within two adjacent minutes, the CDS may be selected i With the CDS, respectively 2 The ith component is substituted into a formula to obtain two distance metric values, namely a first distance metric value and a second distance metric value, and the smaller value of the first distance metric value and the second distance metric value is selected as the ith distance metric value, so that the first distance metric value can be further increasedAnd the error is reduced, and the abnormal index data can be accurately determined.
In specific implementation, a Pearson-based correlation coefficient or a Spearman-based correlation coefficient is determined as distance measurement according to index data conditions corresponding to alarm events, and a system response time sequence corresponding to a target alarm event is used as CDS 1 The back-end system response time sequence of the back-end platform corresponding to the target alarm event is used as CDS 2 And clustering according to a corresponding distance measurement formula to obtain a clustering result, and if the obtained clustering result has outliers, determining the index data corresponding to the target alarm event as abnormal index data.
As can be seen, in this example, the clustering algorithm is used to determine the abnormal data for the system response time data corresponding to the target alarm event and the system response time data corresponding to the backend platform, which is beneficial to quickly determining the abnormal data.
In one possible example, after determining the plurality of alarm events, the method may include the steps of: determining an abnormal business event corresponding to each alarm event in the plurality of alarm events to obtain a plurality of abnormal business events, wherein each abnormal business event corresponds to at least one alarm event; determining a first probability corresponding to each alarm event corresponding to a first abnormal business event according to the plurality of alarm events, wherein the first abnormal business event is any one of the plurality of abnormal business events; determining a second probability of occurrence of each second abnormal service event in a plurality of second abnormal service events to obtain a plurality of second probabilities, wherein the second abnormal service event is any one abnormal service event except the first abnormal service event in the plurality of abnormal service events; determining a correlation probability relative value between the first abnormal service event and each second abnormal service event according to the first probability and each second probability to obtain a plurality of correlation probability relative values; according to the magnitude relation of the multiple correlation probability relative values, arranging the alarm events corresponding to the multiple second abnormal business events corresponding to the multiple correlation probability relative values from large to small to obtain multiple target alarm events; and selecting the index data corresponding to the target alarm event corresponding to the maximum relative value of the association probability from the plurality of target alarm events as the abnormal index data.
The abnormal service event may be an event corresponding to the abnormal service, multiple abnormal conditions may occur in the process of executing a service corresponding to the abnormal service, each abnormal condition may generate an alarm event, and one abnormal service event may correspond to multiple alarm events.
The first probability may be a conditional probability, and the relative value of the association probability is obtained according to a bayesian formula, which is expressed as follows: p (X) = P (Y/X) = P (Y) = P (X/Y), where X denotes an alarm event, Y denotes an abnormal traffic event, the probability of occurrence of the X event in a preset time period is P (X), the probability of occurrence of the Y event in the preset time period is P (Y), and the correlation probability relative value denotes P (X/Y)/P (X), and the larger the correlation probability relative value is, the higher the probability of occurrence of the abnormal traffic event caused by the alarm event is.
The above steps are performed after determining a plurality of alarm events, so as to determine which alarm event of the plurality of alarm events corresponding to an abnormal service event causes an abnormal service event. In addition, the root cause positioning is carried out on the index data corresponding to each target alarm event, abnormal index data corresponding to the target alarm events are determined to be first abnormal index data, the abnormal index data obtained through the steps are second abnormal index data, if the first abnormal index data and the second abnormal index data can be obtained at the same time, the first abnormal index data is selected to be real abnormal index data, and if only the second abnormal index data is obtained and the first abnormal index data is not obtained, the second abnormal index data is used as the real abnormal index data.
The electronic equipment respectively stores the alarm event and the abnormal service event which occur as historical alarm event data and historical abnormal service event data into a historical alarm event database and a historical abnormal service event database.
The historical alarm event data comprises a plurality of alarm events, the historical abnormal service event database comprises a plurality of abnormal service event databases, and the plurality of alarm events in the historical alarm event database corresponding to one abnormal service event in the historical abnormal service event database can be acquired through a second preset time period.
In the specific implementation, when an abnormal business event is Y and an alarm event is X, a plurality of alarm events in a second preset time period before the occurrence of the Y event are counted, the conditional probability P (X/Y), namely the first probability, of the occurrence of each alarm event is calculated, the probability of the occurrence of the X event in any preset time period, namely the second probability, is determined according to the stored historical alarm event data and the historical abnormal business event data, the relative value of the association probability of each alarm event and the abnormal business event is calculated according to a Bayesian formula, the plurality of alarm events are ranked from large to small according to the relative value of the association probability, and the index data corresponding to the alarm event with the largest association probability value is selected as the abnormal index data.
In this example, the association probability value can be calculated by using the algorithm of the present application to determine the association relationship between the alarm event and the abnormal service event, and further obtain the abnormal index data, which is beneficial to quickly determining the abnormal index data.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure, as shown, the electronic device includes a processor, a memory, a communication interface, and one or more programs, and the one or more programs are applied to the electronic device, where the one or more programs are stored in the memory, and the one or more programs are configured to be executed by the processor as instructions for:
determining a plurality of alarm events;
acquiring index data corresponding to each alarm event in the plurality of alarm events, wherein the index data comprises system response time data corresponding to each alarm event;
generating a system response time sequence according to the system response time data corresponding to each alarm event;
according to the base lines corresponding to the plurality of alarm events, correcting the system response time data corresponding to each alarm event to obtain a target system response time sequence corresponding to the system response time sequence;
carrying out mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation to obtain a plurality of target alarm events;
and performing root cause positioning on the index data corresponding to each target alarm event, and determining abnormal index data corresponding to the plurality of target alarm events.
It can be seen that, in the embodiment of the present application, the electronic device may determine a plurality of alarm events, obtain index data corresponding to each alarm event in the plurality of alarm events, wherein, the index data comprises system response time data corresponding to each alarm event, and a system response time sequence is generated according to the system response time data corresponding to each alarm event, so as to generate a plurality of alarm events, correcting the system response time data corresponding to each alarm event to obtain a target system response time sequence corresponding to the system response time sequence, carrying out mutation detection on the target system response time sequence to screen out the alarm events corresponding to the target system response time sequence with data mutation to obtain a plurality of target alarm events, and finally carrying out root cause positioning on the index data corresponding to each target alarm event to determine abnormal index data corresponding to the plurality of target alarm events. Therefore, the condition of system false alarm can be eliminated by correcting the index data and detecting the mutation, so that the subsequent data preparation of root cause positioning is realized, and the accuracy and the efficiency of determining abnormal data are improved.
In one possible example, in determining the plurality of alarm events, the program includes instructions for performing the steps of:
acquiring first system response time data corresponding to each event in a plurality of events every preset time period;
comparing the first system response time data corresponding to each event to the baseline;
and taking an event corresponding to the first system response time data exceeding the baseline preset times in the first system response time data as the alarm event to obtain a plurality of alarm events.
In one possible example, if the baseline includes an upper baseline and a lower baseline; in terms of correcting the system response time data corresponding to each alarm event according to the baseline corresponding to the plurality of alarm events, the program includes instructions for performing the following steps:
determining a baseline mean sequence of the baseline according to the upper baseline and the lower baseline, wherein the baseline mean sequence corresponds to i baseline values, and i is a positive integer greater than 1;
calculating the difference value between each numerical value corresponding to the i baseline values in the system response time sequence and the baseline value to obtain i difference values, wherein the i difference values form a difference value sequence;
and correcting the system response time data corresponding to each alarm event according to the difference sequence.
In one possible example, in modifying the system response time data corresponding to each alarm event according to the difference sequence, the program includes instructions for:
carrying out outlier filtering on the i difference values in the difference value sequence to obtain h target difference values;
determining the mean value of the h target difference values to obtain a target change mean value, wherein h is a positive integer greater than 1;
and determining the difference value between each value in the system response time sequence and the target variation mean value to obtain the target system response time sequence, wherein the target system response time sequence corresponds to i target values.
In one possible example, before the performing mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation to obtain a plurality of target alarm events, the program includes instructions for performing the following steps:
with a k time point as a reference, obtaining a first target system response time sequence before the k time point and a second target system response time sequence after the k time point, wherein the first target system response time sequence comprises n 1 A first target value, a second target system response time sequence including n 2 A second target value, wherein n 1 、n 2 Are all positive integers greater than or equal to 1;
according to said n 1 A first target value and said n 2 Determining a first mean value, a second mean value, a first variance and a second variance corresponding to the first target system response time series and the second target system response time series respectively, wherein the first mean value and the first variance are the mean value and the variance of the first target system response time series, and the second mean value and the second variance are the mean value and the variance of the second target system response time series;
determining a pre-contrast value according to the first mean, the second mean, the first variance and the second variance;
determining a target critical value;
and if the absolute value of the pre-alignment value is larger than the target critical value, determining that the target system response sequence has mutation.
In one possible example, in the aspect of performing root cause locating on the index data corresponding to each of the target alarm events and determining abnormal index data corresponding to the plurality of target alarm events, the program includes instructions for performing the following steps:
acquiring back-end index data of a back-end platform corresponding to each target alarm event;
clustering index data corresponding to each target alarm event and each corresponding back-end index data by using a clustering algorithm to obtain a plurality of clustering results;
and determining the index data corresponding to the target alarm event corresponding to the clustering result with the outlier in the clustering results as the abnormal index data.
In one possible example, after determining the plurality of alarm events, the program includes instructions for performing the steps of:
determining an abnormal business event corresponding to each alarm event in the plurality of alarm events to obtain a plurality of abnormal business events, wherein each abnormal business event corresponds to at least one alarm event;
determining a first probability corresponding to each alarm event corresponding to a first abnormal business event according to the plurality of alarm events, wherein the first abnormal business event is any one of the plurality of abnormal business events;
determining a second probability of occurrence of each second abnormal service event in a plurality of second abnormal service events to obtain a plurality of second probabilities, wherein the second abnormal service event is any one abnormal service event except the first abnormal service event in the plurality of abnormal service events;
determining a correlation probability relative value between the first abnormal service event and each second abnormal service event according to the first probability and each second probability to obtain a plurality of correlation probability relative values;
arranging the alarm events corresponding to the second abnormal business events corresponding to the correlation probability relative values from large to small according to the magnitude relation of the correlation probability relative values to obtain a plurality of target alarm events;
and selecting the index data corresponding to the target alarm event corresponding to the maximum correlation probability relative value from the plurality of target alarm events as the abnormal index data.
The above description has introduced the solution of the embodiment of the present application mainly from the perspective of the method-side implementation process. It is understood that the server includes hardware structures and/or software modules for performing the respective functions in order to implement the above-described functions. Those of skill in the art will readily appreciate that the present application is capable of hardware or a combination of hardware and computer software implementing the various illustrative elements and algorithm steps described in connection with the embodiments provided herein. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the server may be divided into the functional units according to the above method example, for example, each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
In the case of dividing each function module by corresponding functions, fig. 4 is a schematic diagram of an abnormal data determination apparatus, as shown in fig. 4, the apparatus is applied to an electronic device, and the abnormal data determination apparatus 400 may include: a determining unit 401, an obtaining unit 402, a generating unit 403, a correcting unit 404, a mutation detecting unit 405, and a root cause locating unit 406, wherein,
the determining unit 401 is configured to determine a plurality of alarm events;
the obtaining unit 402 is configured to obtain index data corresponding to each alarm event in the plurality of alarm events and corresponding system response time data;
the generating unit 403 is configured to generate a system response time sequence according to the system response time data corresponding to each alarm event;
the correcting unit 404 is configured to correct the system response time data corresponding to each alarm event according to the baseline corresponding to the multiple alarm events, so as to obtain a target system response time sequence corresponding to the system response time sequence;
the mutation detection unit 405 is configured to perform mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation, so as to obtain a plurality of target alarm events;
the root cause positioning unit 406 is configured to perform root cause positioning on the index data corresponding to each target alarm event, and determine abnormal index data corresponding to the plurality of target alarm events.
It can be seen that, in the embodiment of the present application, the electronic device may determine a plurality of alarm events, obtain index data corresponding to each alarm event in the plurality of alarm events, wherein, the index data comprises system response time data corresponding to each alarm event, and a system response time sequence is generated according to the system response time data corresponding to each alarm event, so as to generate a plurality of alarm events, correcting the system response time data corresponding to each alarm event to obtain a target system response time sequence corresponding to the system response time sequence, carrying out mutation detection on the target system response time sequence to screen out the alarm events corresponding to the target system response time sequence with data mutation to obtain a plurality of target alarm events, and finally carrying out root cause positioning on the index data corresponding to each target alarm event to determine abnormal index data corresponding to the plurality of target alarm events. Therefore, the condition of system false alarm can be eliminated by correcting the index data and detecting the mutation, so that the subsequent data preparation of root cause positioning is realized, and the accuracy and the efficiency of determining abnormal data are improved.
In one possible example, in terms of determining multiple alarm events, the determining unit 401 is specifically configured to:
acquiring first system response time data corresponding to each event in a plurality of events within a preset time period;
comparing the first system response time data corresponding to each event with the baseline, wherein the baseline is a baseline corresponding to the preset time period selected from preset standard baselines;
and taking an event corresponding to the first response time data exceeding the baseline preset times in the first response time data as the alarm event to obtain a plurality of alarm events.
In one possible example, if the baseline includes an upper baseline and a lower baseline; in the aspect of correcting the system response time data corresponding to each alarm event according to the baseline corresponding to the plurality of alarm events, the correcting unit 404 is specifically configured to:
determining a baseline mean sequence of the baseline according to the upper baseline and the lower baseline, wherein the baseline mean sequence corresponds to i baseline values, and i is a positive integer greater than 1;
calculating the difference value between each numerical value corresponding to the i baseline values in the system response time sequence and the baseline value to obtain i difference values, wherein the i difference values form a difference value sequence;
and correcting the system response time data corresponding to each alarm event according to the difference sequence.
In a possible example, in terms of correcting the system response time data corresponding to each alarm event according to the difference sequence, the correcting unit 404 is specifically configured to:
carrying out outlier filtering on the i difference values in the difference value sequence to obtain h target difference values;
determining the mean value of the h target difference values to obtain a target change mean value, wherein h is a positive integer greater than 1;
and determining the difference value between each value in the system response time sequence and the target variation mean value to obtain the target system response time sequence, wherein the target system response time sequence corresponds to i target values.
In a possible example, before the mutation detection is performed on the target system response time sequence to screen out the alarm events corresponding to the target system response time sequence with data mutation, so as to obtain a plurality of target alarm events, the mutation detection unit 405 is specifically configured to:
taking a k time point as a reference, and obtaining a first target system response time sequence before the k time point and a second target system response time sequence after the k time pointA system response time sequence, wherein the first target system response time sequence comprises n 1 A first target value, a second target system response time sequence including n 2 A second target value, wherein n 1 、n 2 Are all positive integers greater than or equal to 1;
according to said n 1 A first target value and said n 2 Determining a first mean value, a second mean value, a first variance and a second variance corresponding to the first target system response time sequence and the second target system response time sequence respectively, wherein the first mean value and the first variance are the mean value and the variance of the first target system response time sequence, and the second mean value and the second variance are the mean value and the variance of the second target system response time sequence;
determining a pre-contrast value according to the first mean, the second mean, the first variance and the second variance;
determining a target critical value;
and if the absolute value of the pre-alignment value is larger than the target critical value, determining that the target system response sequence has mutation.
In a possible example, in terms of performing root cause positioning on the index data corresponding to each of the target alarm events and determining the abnormal index data corresponding to the plurality of target alarm events, the root cause positioning unit 406 is specifically configured to:
acquiring back-end index data of a back-end platform corresponding to each target alarm event;
clustering index data corresponding to each target alarm event and each corresponding back-end index data by using a clustering algorithm to obtain a plurality of clustering results;
and determining the index data corresponding to the target alarm event corresponding to the clustering result with the outlier in the clustering results as the abnormal index data.
In a possible example, after determining a plurality of alarm events, the determining unit 401 is specifically configured to:
determining a service event corresponding to each alarm event in the plurality of alarm events to obtain a plurality of service events, wherein each service event corresponds to at least one alarm event;
determining a first probability corresponding to each alarm event corresponding to a first service event according to the plurality of alarm events, wherein the first service event is any one of the plurality of service events;
determining a second probability of occurrence of each second service event in a plurality of second service events to obtain a plurality of second probabilities, wherein the second service event is any one service event except the first service event in the plurality of service events;
determining a correlation probability relative value between the first service event and each second service event according to the first probability and each second probability to obtain a plurality of correlation probability relative values;
according to the magnitude relation of the multiple correlation probability relative values, arranging the alarm events corresponding to the multiple second service events corresponding to the multiple correlation probability relative values from large to small to obtain multiple target alarm events;
and selecting the index data corresponding to the target alarm event corresponding to the maximum correlation probability relative value from the plurality of target alarm events as the abnormal index data.
It should be noted that all relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
The electronic device provided by the embodiment is used for executing the abnormal data determination method, so that the same effect as the effect of the implementation method can be achieved.
Embodiments of the present application also provide a computer storage medium, wherein the computer storage medium stores a computer program for electronic data exchange, the computer program enables a computer to execute part or all of the steps of any one of the methods described in the above method embodiments, and the computer includes a server.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the above-described division of the units is only one type of division of logical functions, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of some interfaces, devices or units, and may be an electric or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit may be stored in a computer readable memory if it is implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solution of the present application may be substantially implemented or a part of or all or part of the technical solution contributing to the prior art may be embodied in the form of a software product stored in a memory, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the above-mentioned method of the embodiments of the present application. And the aforementioned memory comprises: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable memory, which may include: flash memory disks, read-only memory, random access memory, magnetic or optical disks, and the like.
The foregoing detailed description of the embodiments of the present application has been presented to illustrate the principles and implementations of the present application, and the above description of the embodiments is only provided to help understand the method and the core concept of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.
Claims (10)
1. An abnormal data determination method applied to an electronic device is characterized by comprising the following steps:
determining a plurality of alarm events;
acquiring index data corresponding to each alarm event in the plurality of alarm events, wherein the index data comprises system response time data corresponding to each alarm event;
generating a system response time sequence according to the system response time data corresponding to each alarm event;
according to the base lines corresponding to the plurality of alarm events, correcting the system response time data corresponding to each alarm event to obtain a target system response time sequence corresponding to the system response time sequence;
carrying out mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation to obtain a plurality of target alarm events;
and performing root cause positioning on the index data corresponding to each target alarm event, and determining abnormal index data corresponding to the plurality of target alarm events.
2. The method of claim 1, wherein determining a plurality of alarm events comprises:
acquiring first system response time data corresponding to each event in a plurality of events every preset time period;
comparing the first system response time data corresponding to each event to the baseline;
and taking an event corresponding to the first system response time data exceeding the baseline preset times in the first system response time data as the alarm event to obtain a plurality of alarm events.
3. The method of claim 1 or 2, wherein if the baseline comprises an upper baseline and a lower baseline; the modifying the system response time data corresponding to each alarm event according to the base line corresponding to the plurality of alarm events includes:
determining a baseline mean sequence of the baseline according to the upper baseline and the lower baseline, wherein the baseline mean sequence corresponds to i baseline values, and i is a positive integer greater than 1;
calculating the difference value between each numerical value corresponding to the i baseline values in the system response time sequence and the baseline value to obtain i difference values, wherein the i difference values form a difference value sequence;
and correcting the system response time data corresponding to each alarm event according to the difference sequence.
4. The method according to claim 3, wherein the modifying the system response time data corresponding to each alarm event according to the difference sequence comprises:
carrying out outlier filtering on the i difference values in the difference value sequence to obtain h target difference values;
determining the mean value of the h target difference values to obtain a target change mean value, wherein h is a positive integer greater than 1;
and determining the difference value between each value in the system response time sequence and the target variation mean value to obtain the target system response time sequence, wherein the target system response time sequence corresponds to i target values.
5. The method according to claim 1 or 4, wherein before the step of performing mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation to obtain a plurality of target alarm events, the method further comprises:
with a k time point as a reference, obtaining a first target system response time sequence before the k time point and a second target system response time sequence after the k time point, wherein the first target system response time sequence comprises n 1 A first target value, a second target system response time sequence including n 2 A second target value, wherein n 1 、n 2 Are all positive integers greater than or equal to 1;
according to said n 1 A first target value and said n 2 Determining a first mean value, a second mean value, a first mean value corresponding to the first target system response time sequence and a second target system response time sequence, and a second target value corresponding to the second target system response time sequenceA variance and a second variance, wherein the first mean and the first variance are means and variances of the first target system response time series, and the second mean and the second variance are means and variances of the second target system response time series;
determining a pre-contrast value according to the first mean, the second mean, the first variance and the second variance;
determining a target critical value;
and if the absolute value of the pre-alignment value is larger than the target critical value, determining that the target system response sequence has mutation.
6. The method according to claim 1, wherein the performing root cause localization on the indicator data corresponding to each of the target alarm events and determining abnormal indicator data corresponding to the plurality of target alarm events comprises:
acquiring back-end index data of a back-end platform corresponding to each target alarm event;
clustering index data corresponding to each target alarm event and each corresponding back-end index data by using a clustering algorithm to obtain a plurality of clustering results;
and determining the index data corresponding to the target alarm event corresponding to the clustering result with the outlier in the clustering results as the abnormal index data.
7. The method of claim 1 or 6, wherein after determining the plurality of alarm events, the method further comprises:
determining an abnormal business event corresponding to each alarm event in the plurality of alarm events to obtain a plurality of abnormal business events, wherein each abnormal business event corresponds to at least one alarm event;
determining a first probability corresponding to each alarm event corresponding to a first abnormal business event according to the plurality of alarm events, wherein the first abnormal business event is any one of the plurality of abnormal business events;
determining a second probability of occurrence of each second abnormal service event in a plurality of second abnormal service events to obtain a plurality of second probabilities, wherein the second abnormal service event is any one abnormal service event except the first abnormal service event in the plurality of abnormal service events;
determining a correlation probability relative value between the first abnormal service event and each second abnormal service event according to the first probability and each second probability to obtain a plurality of correlation probability relative values;
arranging the alarm events corresponding to the second abnormal business events corresponding to the correlation probability relative values from large to small according to the magnitude relation of the correlation probability relative values to obtain a plurality of target alarm events;
and selecting the index data corresponding to the target alarm event corresponding to the maximum relative value of the association probability from the plurality of target alarm events as the abnormal index data.
8. An abnormal data determination device applied to an electronic device, the abnormal data determination device comprising: a determining unit, an obtaining unit, a generating unit, a correcting unit, a mutation detecting unit and a root cause positioning unit, wherein,
the determining unit is used for determining a plurality of alarm events;
the acquiring unit is configured to acquire index data corresponding to each alarm event in the plurality of alarm events, where the index data includes system response time data corresponding to each alarm event;
the generating unit is used for generating a system response time sequence according to the system response time data corresponding to each alarm event;
the correcting unit is used for correcting the system response time data corresponding to each alarm event according to the base lines corresponding to the alarm events to obtain a target system response time sequence corresponding to the system response time sequence;
the mutation detection unit is used for carrying out mutation detection on the target system response time sequence to screen out alarm events corresponding to the target system response time sequence with data mutation, so as to obtain a plurality of target alarm events;
and the root cause positioning unit is used for performing root cause positioning on the index data corresponding to each target alarm event and determining abnormal index data corresponding to the plurality of target alarm events.
9. An electronic device comprising a processor, a memory, a communication interface, and one or more programs stored in the memory and configured to be executed by the processor, the programs comprising instructions for performing the steps in the method of any of claims 1-7.
10. A computer-readable storage medium, characterized in that a computer program for electronic data exchange is stored, wherein the computer program causes a computer to perform the method according to any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211010956.0A CN115081969B (en) | 2022-08-23 | 2022-08-23 | Abnormal data determination method and related device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211010956.0A CN115081969B (en) | 2022-08-23 | 2022-08-23 | Abnormal data determination method and related device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115081969A true CN115081969A (en) | 2022-09-20 |
| CN115081969B CN115081969B (en) | 2023-05-09 |
Family
ID=83245015
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211010956.0A Active CN115081969B (en) | 2022-08-23 | 2022-08-23 | Abnormal data determination method and related device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115081969B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115499246A (en) * | 2022-11-15 | 2022-12-20 | 阿里云计算有限公司 | Abnormal event processing and detecting method and processing system |
| CN116743637A (en) * | 2023-08-15 | 2023-09-12 | 中移(苏州)软件技术有限公司 | Abnormal flow detection method and device, electronic equipment and storage medium |
Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170124782A1 (en) * | 2015-10-30 | 2017-05-04 | Wipro Limited | Methods for detecting one or more aircraft anomalies and devices thereof |
| US20170148025A1 (en) * | 2015-11-24 | 2017-05-25 | Vesta Corporation | Anomaly detection in groups of transactions |
| CN108269189A (en) * | 2017-07-05 | 2018-07-10 | 中国中投证券有限责任公司 | Achievement data monitoring method, device, storage medium and computer equipment |
| CN109542740A (en) * | 2017-09-22 | 2019-03-29 | 阿里巴巴集团控股有限公司 | Method for detecting abnormality and device |
| CN110287078A (en) * | 2019-04-12 | 2019-09-27 | 上海新炬网络技术有限公司 | Abnormality detection and alarm method based on zabbix performance baseline |
| CN111506478A (en) * | 2020-04-17 | 2020-08-07 | 上海浩方信息技术有限公司 | Method for realizing alarm management control based on artificial intelligence |
| US20200267057A1 (en) * | 2019-02-15 | 2020-08-20 | Oracle International Corporation | Systems and methods for automatically detecting, summarizing, and responding to anomalies |
| CN111931860A (en) * | 2020-09-01 | 2020-11-13 | 腾讯科技(深圳)有限公司 | Abnormal data detection method, device, equipment and storage medium |
| CN112395120A (en) * | 2019-08-14 | 2021-02-23 | 阿里巴巴集团控股有限公司 | Abnormal point detection method, device, equipment and storage medium |
| CN112463834A (en) * | 2020-12-02 | 2021-03-09 | 中国建设银行股份有限公司 | Method and device for automatically realizing root cause analysis in streaming processing and electronic equipment |
| US20210149789A1 (en) * | 2019-11-18 | 2021-05-20 | Bmc Software, Inc. | System and method for troubleshooting abnormal behavior of an application |
| US20210264375A1 (en) * | 2020-02-25 | 2021-08-26 | Hitachi, Ltd. | Time series data prediction apparatus and time series data prediction method |
-
2022
- 2022-08-23 CN CN202211010956.0A patent/CN115081969B/en active Active
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170124782A1 (en) * | 2015-10-30 | 2017-05-04 | Wipro Limited | Methods for detecting one or more aircraft anomalies and devices thereof |
| US20170148025A1 (en) * | 2015-11-24 | 2017-05-25 | Vesta Corporation | Anomaly detection in groups of transactions |
| CN108269189A (en) * | 2017-07-05 | 2018-07-10 | 中国中投证券有限责任公司 | Achievement data monitoring method, device, storage medium and computer equipment |
| CN109542740A (en) * | 2017-09-22 | 2019-03-29 | 阿里巴巴集团控股有限公司 | Method for detecting abnormality and device |
| US20200267057A1 (en) * | 2019-02-15 | 2020-08-20 | Oracle International Corporation | Systems and methods for automatically detecting, summarizing, and responding to anomalies |
| CN110287078A (en) * | 2019-04-12 | 2019-09-27 | 上海新炬网络技术有限公司 | Abnormality detection and alarm method based on zabbix performance baseline |
| CN112395120A (en) * | 2019-08-14 | 2021-02-23 | 阿里巴巴集团控股有限公司 | Abnormal point detection method, device, equipment and storage medium |
| US20210149789A1 (en) * | 2019-11-18 | 2021-05-20 | Bmc Software, Inc. | System and method for troubleshooting abnormal behavior of an application |
| US20210264375A1 (en) * | 2020-02-25 | 2021-08-26 | Hitachi, Ltd. | Time series data prediction apparatus and time series data prediction method |
| CN111506478A (en) * | 2020-04-17 | 2020-08-07 | 上海浩方信息技术有限公司 | Method for realizing alarm management control based on artificial intelligence |
| CN111931860A (en) * | 2020-09-01 | 2020-11-13 | 腾讯科技(深圳)有限公司 | Abnormal data detection method, device, equipment and storage medium |
| CN112463834A (en) * | 2020-12-02 | 2021-03-09 | 中国建设银行股份有限公司 | Method and device for automatically realizing root cause analysis in streaming processing and electronic equipment |
Non-Patent Citations (2)
| Title |
|---|
| 李涛等著: "《数据挖掘的应用与实践 大数据时代的案例分析》", 31 October 2013 * |
| 郭胜召著: "《计算机网络关键技术研究》", 30 September 2018 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115499246A (en) * | 2022-11-15 | 2022-12-20 | 阿里云计算有限公司 | Abnormal event processing and detecting method and processing system |
| CN115499246B (en) * | 2022-11-15 | 2023-04-07 | 阿里云计算有限公司 | Abnormal event processing and detecting method and processing system |
| CN116743637A (en) * | 2023-08-15 | 2023-09-12 | 中移(苏州)软件技术有限公司 | Abnormal flow detection method and device, electronic equipment and storage medium |
| CN116743637B (en) * | 2023-08-15 | 2023-11-21 | 中移(苏州)软件技术有限公司 | Abnormal flow detection method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115081969B (en) | 2023-05-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN115081969A (en) | Abnormal data determination method and related device | |
| CN113556258B (en) | Anomaly detection method and device | |
| CN107566163A (en) | A kind of alarm method and device of user behavior analysis association | |
| CN112188531A (en) | Abnormality detection method, abnormality detection device, electronic apparatus, and computer storage medium | |
| CN110457595B (en) | Emergency alarm method, device, system, electronic equipment and storage medium | |
| CN110457175B (en) | Service data processing method and device, electronic equipment and medium | |
| CN109257383B (en) | BGP anomaly detection method and system | |
| CN111538642A (en) | Abnormal behavior detection method and device, electronic equipment and storage medium | |
| CN109040084B (en) | Network flow abnormity detection method, device, equipment and storage medium | |
| US8710976B2 (en) | Automated incorporation of expert feedback into a monitoring system | |
| CN114997607A (en) | Anomaly assessment early warning method and system based on engineering detection data | |
| CN107451029B (en) | Information processing method, device and equipment | |
| CN115796708A (en) | Intelligent quality inspection method, system and medium for big data for engineering construction | |
| CN113765895B (en) | Method and device for auditing live broadcasting room | |
| CN114978877A (en) | Exception handling method and device, electronic equipment and computer readable medium | |
| CN111611519A (en) | Method and device for detecting personal abnormal behaviors | |
| CN114648316A (en) | Digital processing method and system based on inspection tag library | |
| CN112765003B (en) | Risk prediction method based on APP behavior log | |
| CN116743637B (en) | Abnormal flow detection method and device, electronic equipment and storage medium | |
| CN117076258A (en) | Remote monitoring method and system based on Internet cloud | |
| CN113708949A (en) | Alarm root cause positioning method and device | |
| CN115494431A (en) | Transformer fault warning method, terminal equipment and computer readable storage medium | |
| CN114355234A (en) | Intelligent quality detection method and system for power module | |
| CN115460056A (en) | Network detection method, electronic device and computer readable medium | |
| CN114443407A (en) | Detection method and system of server, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |