CN115514618A - Alarm event processing method and device, electronic equipment and medium - Google Patents


Publication number
CN115514618A
Authority
CN
China
Prior art keywords
alarm
alarm event
data
convergence
event
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211141544.0A
Other languages
Chinese (zh)
Inventor
张阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CCB Finetech Co Ltd
Original Assignee
CCB Finetech Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)

Abstract

The disclosure provides a method, a device, equipment, a storage medium and a program product for processing an alarm event, relates to the technical field of computers, and can be applied to the technical field of finance. The method comprises the following steps: acquiring target data information in response to receiving an instruction for outputting an alarm event, the target data information including the currently generated real-time alarm data, alarm event convergence rules and alarm data convergence rules; respectively carrying out convergence processing on the real-time alarm data and a plurality of alarm events in the real-time alarm data based on an alarm event convergence rule and an alarm data convergence rule to obtain at least one candidate alarm event; determining at least one alarm event group according to the classification result of each candidate alarm event; and outputting the at least one target alarm event determined in each alarm event group.

Description

Alarm event processing method and device, electronic equipment and medium
Technical Field
The present disclosure relates to the field of computer technologies, and more particularly, to a method, an apparatus, a device, a medium, and a program product for processing an alarm event.
Background
At present, the centralized monitoring system of an intelligent operation and maintenance center monitors many kinds of objects, and the number of monitoring points remains huge as the monitoring scale expands. The monitoring system has a complex network topology, and alarms can be caused by unstable transmission, equipment faults, junk data, error reports, flash reports and error codes, so the alarm volume is high. During emergency response, operation and maintenance personnel are often overwhelmed by the alert storm. Existing centralized monitoring systems generally lack an effective alarm convergence mechanism and still rely on manual judgment and manual processing. Operation and maintenance personnel need to continuously maintain convergence rules to de-duplicate, converge, silence and suppress alarm events, and to gather massive numbers of alarm events into a plurality of alarm event groups for distribution to service personnel. As a result, labor cost is high, processing is time-consuming and laborious, alarm events cannot be responded to in time, and important alarms may be missed or go unanswered. In addition, alarm recovery requires manually identifying the associated alarms, which greatly reduces the efficiency of on-duty alarm handling.
Disclosure of Invention
In view of the above, the present disclosure provides a method, an apparatus, a device, a medium, and a program product for processing an alarm event, which may perform convergence processing on real-time alarm data and a plurality of alarm events in the real-time alarm data, respectively, based on an alarm event convergence rule and an alarm data convergence rule, to obtain at least one candidate alarm event; then, determining at least one alarm event group according to the classification result of each candidate alarm event; and at least one target alarm event determined in each alarm event group is output, so that intelligent convergence of the alarm events can be realized, the alarm convergence efficiency and effect are improved, and the cost for processing the alarm events is reduced.
According to a first aspect of the present disclosure, there is provided a method for processing an alarm event, including: acquiring target data information in response to receiving an instruction to output an alarm event, the target data information including the currently generated real-time alarm data, alarm event convergence rules and alarm data convergence rules; based on the alarm event convergence rule and the alarm data convergence rule, respectively carrying out convergence processing on the real-time alarm data and a plurality of alarm events in the real-time alarm data to obtain at least one candidate alarm event; determining at least one alarm event group according to the classification result of each candidate alarm event; and outputting the at least one target alarm event determined in each alarm event group.
According to the embodiment of the present disclosure, the obtaining target data information in response to receiving an instruction to output an alarm event includes: determining an alarm event convergence rule based on alarm data and alarm convergence configuration data in a historical preset time period; generating an alarm knowledge graph corresponding to the alarm event convergence rule; and acquiring an alarm event convergence rule based on the alarm knowledge graph.
According to the embodiment of the present disclosure, the determining an alarm event convergence rule based on alarm data and alarm convergence configuration data in a historical predetermined time period includes: and determining an alarm event convergence rule through one or more of an association rule mining algorithm and an association analysis algorithm based on the alarm data and the alarm convergence configuration data in the historical preset time period.
According to the embodiment of the present disclosure, the obtaining target data information in response to receiving an instruction to output an alarm event includes: determining one or more of call relations and connection relations between software and hardware according to data information in a configuration management database; determining a software and hardware knowledge graph corresponding to the alarm data convergence rule according to one or more of the calling relation and the connection relation between the software and the hardware; and acquiring an alarm data convergence rule based on the software and hardware knowledge graph.
According to the embodiment of the present disclosure, the performing convergence processing on a plurality of alarm events in the real-time alarm data and the real-time alarm data respectively based on the alarm event convergence rule and the alarm data convergence rule to obtain at least one candidate alarm event includes: based on the alarm data convergence rule, carrying out convergence processing on the real-time alarm data to obtain converged real-time alarm data; and based on the alarm event convergence rule, carrying out convergence processing on a plurality of alarm events in the converged real-time alarm data to obtain at least one candidate alarm event.
According to the embodiment of the disclosure, the outputting at least one target alarm event determined in each alarm event group includes: and determining at least one target alarm event according to the output level of each candidate alarm event in each alarm event group, and outputting the at least one target alarm event.
According to an embodiment of the present disclosure, the method further comprises, before the outputting the at least one target alarm event determined in each alarm event group: determining whether the same alarm event as the at least one target alarm event has been output within a predetermined period of time; and stopping outputting the at least one target alarm event if it is determined that the same alarm event as the at least one target alarm event has been output within a predetermined period of time.
A second aspect of the present disclosure provides an apparatus for processing an alarm event, including: a data acquisition module, configured to acquire target data information in response to receiving an instruction to output an alarm event, the target data information including the currently generated real-time alarm data, alarm event convergence rules and alarm data convergence rules; a convergence processing module, configured to perform convergence processing on the real-time alarm data and a plurality of alarm events in the real-time alarm data respectively based on the alarm event convergence rule and the alarm data convergence rule, so as to obtain at least one candidate alarm event; a first determining module, configured to determine at least one alarm event group according to the classification result of each candidate alarm event; and a second determining module, configured to output the at least one target alarm event determined in each alarm event group.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of handling alarm events described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-mentioned method of handling an alarm event.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above method of handling an alarm event.
The method for processing an alarm event according to this embodiment may perform convergence processing on a plurality of alarm events in real-time alarm data and real-time alarm data, respectively, based on an alarm event convergence rule and an alarm data convergence rule, to obtain at least one candidate alarm event; then, determining at least one alarm event group according to the classification result of each candidate alarm event; and at least one target alarm event determined in each alarm event group is output, so that intelligent convergence of the alarm events can be realized, the alarm convergence efficiency and effect are improved, and the cost for processing the alarm events is reduced.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, taken in conjunction with the accompanying drawings of which:
FIG. 1 schematically illustrates an application scenario diagram of a method, apparatus, device, medium and program product for alarm event processing according to an embodiment of the disclosure;
FIG. 2 schematically illustrates a flow chart of a method of processing an alarm event according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates an execution diagram of determining a target alarm event according to an embodiment of the present disclosure;
FIG. 4 is a block diagram schematically illustrating an apparatus for processing an alarm event according to an embodiment of the present disclosure; and
FIG. 5 schematically shows a block diagram of an electronic device adapted to implement a method of handling alarm events according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
In those instances where a convention analogous to "at least one of A, B, and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.).
The embodiment of the disclosure provides a method and a device for processing an alarm event, which acquire target data information in response to receiving an instruction to output an alarm event, the target data information including the currently generated real-time alarm data, alarm event convergence rules and alarm data convergence rules; respectively carry out convergence processing on the real-time alarm data and a plurality of alarm events in the real-time alarm data based on an alarm event convergence rule and an alarm data convergence rule to obtain at least one candidate alarm event; determine at least one alarm event group according to the classification result of each candidate alarm event; and output the at least one target alarm event determined in each alarm event group.
Fig. 1 schematically illustrates an application scenario diagram of a method, an apparatus, a device, a medium, and a program product for alarm event processing according to an embodiment of the present disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The backend management server may analyze and process the received data such as the user request, and feed back a processing result (for example, a web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the method for processing the alarm event provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the processing device for the alarm event provided by the embodiment of the present disclosure may be generally disposed in the server 105. The method for processing the alarm event provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Correspondingly, the alarm event processing device provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for an implementation.
The method for processing an alarm event according to the disclosed embodiment will be described in detail with reference to fig. 2 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flow chart of a method of processing an alarm event according to an embodiment of the present disclosure.
As shown in fig. 2, the embodiment includes operations S210 to S240, and the method of processing the alarm event may be performed by a server.
In the technical solution of the present disclosure, the acquisition, collection, storage, use, processing, transmission, provision, disclosure and application of data all comply with relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
In operation S210, in response to receiving an instruction to output an alarm event, target data information is acquired; the target data information includes: the currently generated real-time alarm data, the alarm event convergence rule and the alarm data convergence rule.
The data information originates from the data layer, which is used to collect multi-source data. The data information may include various types of operation and maintenance data, such as configuration management CMDB data, alarm data, log data, system performance index data, business system asset data, device resource asset information, device monitoring and performance data, database monitoring and performance data, middleware monitoring and performance data, open source software monitoring and performance data, and so on. By dividing and aggregating the data information, target data assets can be obtained, such as configuration management CMDB data, historical alarm data, real-time alarm data, alarm convergence configuration data and the like. For example, a software and hardware knowledge graph may be constructed from the configuration management CMDB data, and the alarm data convergence rule may be acquired from the software and hardware knowledge graph. For example, the alarm knowledge graph may be constructed from historical alarm data and alarm convergence configuration data, and alarm event convergence rules may be obtained from the alarm knowledge graph. For example, alarm event stream data of different alarm sources, that is, the currently generated real-time alarm data, may be obtained from the data layer; the alarm sources can include basic monitoring, application monitoring, an automatic scheduling platform, a log platform and the like. The processing and conversion of the multi-source data may include mapping the alarm fields of the alarm events of different alarm sources into unified standard fields, such as name, target, content, level, start_time, etc., as well as mapping the primary field (e.g., IP address) and the secondary field (e.g., resource pool name idc_type) of the alarm source.
In operation S220, based on the alarm event convergence rule and the alarm data convergence rule, convergence processing is performed on the real-time alarm data and a plurality of alarm events in the real-time alarm data, respectively, to obtain at least one candidate alarm event.
Alarm event convergence rules may be automatically generated based on mining of association rules; alarm data can be aggregated according to the actual service demand dimension or time window, and an alarm data convergence rule is generated. And then, combining the alarm event convergence rule and the alarm data convergence rule to carry out convergence processing on the real-time alarm data and a plurality of alarm events in the real-time alarm data, thereby converging the plurality of alarm events together to obtain one or a plurality of candidate alarm events meeting the convergence rule.
For example, by mining the historical alarm data, the relation alarm event A -> alarm event B can be derived, which indicates that B is a member of A. Time windows can be divided according to the alarm time of the alarm records, and the alarms in the same time window are processed into one alarm sample. Within a given time window, if alarm event A and alarm event B occur simultaneously, an alarm can be sent for alarm event A only, and not for alarm event B, which reduces the alarm frequency.
At least one alarm event group is determined according to the classification result of each candidate alarm event in operation S230.
It will be appreciated that, in order to further rationalize the alarms, each candidate alarm event can be classified; alarm events of the same type are determined according to the type of each candidate alarm event; and the classified alarm events belonging to the same type are aggregated into an alarm event group.
In operation S240, the at least one target alarm event determined in each alarm event group is output.
It is understood that, for a plurality of alarm events of the same type in one alarm event group, at least one target alarm event may be determined in each alarm event group according to requirements. For example, each alarm event has a corresponding output level, and within any time window the alarm events with higher levels can be output and the alarm events with lower levels ignored. Alternatively, only the alarm event with the highest level among those that can currently be output in the alarm event group is output.
Fig. 3 schematically shows an execution diagram of determining a target alarm event according to an embodiment of the present disclosure. Referring to fig. 3, the user first sends an instruction to output an alarm event through the client 310. The server 320 receives the instruction and forwards it to the alarm event processing device 330. The alarm event processing device 330 may obtain the target data information in response to receiving the instruction; then, based on the alarm event convergence rule and the alarm data convergence rule, carry out convergence processing on the real-time alarm data and a plurality of alarm events in the real-time alarm data respectively to obtain at least one candidate alarm event; determine at least one alarm event group according to the classification result of each candidate alarm event; and output the at least one target alarm event determined in each alarm event group. That is, the alarm event processing device 330 may send the target alarm event to the client 310 to facilitate the fault handling and recovery corresponding to the alarm event; if a fault handling work order is generated according to the output alarm event, the fault handling work order is sent to a target object, such as the client of an operation and maintenance department, and the target object handles the fault and performs recovery.
The method for processing an alarm event according to this embodiment may perform convergence processing on a plurality of alarm events in real-time alarm data and real-time alarm data, respectively, based on an alarm event convergence rule and an alarm data convergence rule, to obtain at least one candidate alarm event; then, determining at least one alarm event group according to the classification result of each candidate alarm event; and at least one target alarm event determined in each alarm event group is output, so that intelligent convergence of the alarm events can be realized, the alarm convergence efficiency and effect are improved, and the cost for processing the alarm events is reduced.
In response to receiving an instruction to output an alarm event, target data information is acquired, including: determining an alarm event convergence rule based on alarm data and alarm convergence configuration data in a historical preset time period; generating an alarm knowledge graph corresponding to the alarm event convergence rule; and acquiring an alarm event convergence rule based on the alarm knowledge graph.
The alarm data in the historical predetermined time period contains a large number of correlations and causal relationships. For the correlations and causal relationships in the historical alarm events, an intelligent alarm algorithm, for example a sequence pattern algorithm such as an association rule mining algorithm and an association analysis algorithm, may be used to construct an alarm knowledge graph. The alarm event convergence rules are stored in a graph database through the alarm knowledge graph, which provides the alarm event convergence capability. Alarm convergence configuration data may be derived from accumulated operational data, such as alarm configuration data samples of a bank, and this data may be stored in the alarm knowledge graph.
According to the method for processing the alarm event, the alarm event convergence rule is provided by using the alarm knowledge graph, so that the situation that operation and maintenance personnel need to continuously and manually maintain the convergence rule is avoided; by mining the alarm data and alarm convergence configuration data in the historical preset time period, the obtained alarm event convergence rule is more reasonable and reliable.
Determining an alarm event convergence rule based on alarm data and alarm convergence configuration data in a historical predetermined time period, comprising: and determining an alarm event convergence rule through one or more of an association rule mining algorithm and an association analysis algorithm based on the alarm data and the alarm convergence configuration data in the historical preset time period.
For example, an association rule mining algorithm, such as the Apriori algorithm, can find relationships between items in a data set. Association rules meeting the conditions can be found from the frequent itemsets by using the downward closure property. An association analysis algorithm, such as FP-Growth, can mine frequent itemsets to find association rules meeting the conditions.
For example, dimensions may be distinguished based on actual service demands, and within a certain time window the association among different monitoring items may be analyzed using an association rule mining algorithm, such as Apriori, or an association analysis algorithm, such as the FP-Growth algorithm. Taking the Apriori association rule mining algorithm as an example, the goals of association analysis are to find frequent itemsets and to find association rules. The input parameters of the Apriori algorithm comprise a minimum support minsupport and a data set, which are used to generate the frequent itemsets meeting the conditions. After all frequent itemsets are obtained, a minimum confidence minconf is set and the association rules meeting the conditions are generated.
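The mining step described above, as an added Python example that is not part of the patent: historical alarms are sliced into time windows, Apriori finds the frequent itemsets for a given minsupport, and rules are kept when they reach minconf. The alarm names, timestamps, the 60-second window and all function names are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed historical alarm records: (alarm time in seconds, alarm name).
HISTORY = [
    (0, "switch_port_down"), (10, "host_unreachable"), (20, "db_conn_timeout"),
    (65, "switch_port_down"), (70, "host_unreachable"),
    (130, "disk_usage_high"),
    (185, "switch_port_down"), (190, "host_unreachable"), (200, "db_conn_timeout"),
    (250, "host_unreachable"),
    (305, "disk_usage_high"), (310, "db_conn_timeout"),
]


def to_transactions(records, window_s=60):
    """Slice records into fixed time windows; each window is one alarm sample."""
    buckets = defaultdict(set)
    for ts, name in records:
        buckets[ts // window_s].add(name)
    return [frozenset(names) for _, names in sorted(buckets.items())]


def apriori(transactions, minsupport):
    """Return {frequent itemset: occurrence count} for support >= minsupport."""
    threshold = minsupport * len(transactions)

    def count(itemset):
        return sum(1 for t in transactions if itemset <= t)

    def keep_frequent(candidates):
        counted = {c: count(c) for c in candidates}
        return {c: n for c, n in counted.items() if n >= threshold}

    level = keep_frequent({frozenset([i]) for t in transactions for i in t})
    frequent = dict(level)
    k = 2
    while level:
        prev = set(level)
        candidates = {a | b for a in prev for b in prev if len(a | b) == k}
        # Downward closure: a k-itemset can only be frequent if every
        # (k-1)-subset is frequent, so prune the rest before counting.
        candidates = {c for c in candidates
                      if all(frozenset(s) in prev for s in combinations(c, k - 1))}
        level = keep_frequent(candidates)
        frequent.update(level)
        k += 1
    return frequent


def association_rules(frequent, n_transactions, minconf):
    """Return sorted (antecedent, consequent, support, confidence) tuples."""
    rules = []
    for itemset, n in frequent.items():
        for r in range(1, len(itemset)):
            for ante in map(frozenset, combinations(sorted(itemset), r)):
                # The antecedent is a subset of a frequent itemset, so it is
                # itself frequent and its count is already known.
                confidence = n / frequent[ante]
                if confidence >= minconf:
                    rules.append((tuple(sorted(ante)),
                                  tuple(sorted(itemset - ante)),
                                  n / n_transactions, confidence))
    return sorted(rules)


def mine_convergence_rules(records, window_s=60, minsupport=0.5, minconf=0.8):
    """Windowing, frequent itemset search and rule generation in one call."""
    transactions = to_transactions(records, window_s)
    frequent = apriori(transactions, minsupport)
    return association_rules(frequent, len(transactions), minconf)


if __name__ == "__main__":
    for ante, cons, support, confidence in mine_convergence_rules(HISTORY):
        print(f"{ante} -> {cons}  support={support:.2f} confidence={confidence:.2f}")
```

On this sample only switch_port_down -> host_unreachable survives: the reverse direction has confidence 0.75 because host_unreachable also fires once on its own, which is why the rule is directional and only the member alarm is dropped.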
The method for processing an alarm event provided by this embodiment may determine the convergence rule of the alarm event through one or more of the association rule mining algorithm and the association analysis algorithm, which is beneficial to avoid that operation and maintenance personnel need to continuously and manually maintain the convergence rule; and the obtained alarm event convergence rule is more reasonable and reliable.
In response to receiving an instruction to output an alarm event, target data information is acquired, including: determining one or more of call relations and connection relations between software and hardware according to data information in a configuration management database; determining a software and hardware knowledge graph corresponding to the alarm data convergence rule according to one or more of the calling relation and the connection relation between the software and the hardware; and acquiring an alarm data convergence rule based on the software and hardware knowledge graph.
The software and hardware knowledge graph can show internal logics among applications, software, virtual machines and physical machines, call relations among systems and physical connection relations of network equipment in a global view. And the software and hardware knowledge graph can be called to inquire and acquire the asset data, so that the association between the warning source and the asset data is realized.
The entity nodes in the software and hardware knowledge graph include system, DU (deployment unit), group (host instance group), software, virtual machine, physical machine, access switch, core switch, aggregation switch, router, and the like, and the relationships may include consistence (composition), call, local (logical connection), cluster, ship (bearer), host, connect (physical connection), and the like. The data source for constructing the software and hardware knowledge graph is mainly the configuration management CMDB data. For example, the software and hardware knowledge graph is initialized from offline data and then updated regularly or periodically according to one or more of the call relations and connection relations between software and hardware, so as to adapt to changes and expansion of services and keep the alarm data convergence rules reasonable and reliable.
The alarm event processing method provided by the embodiment utilizes the strong knowledge expression capability of the knowledge graph, can obtain the alarm data convergence rule based on the software and hardware knowledge graph, and is favorable for avoiding the need of continuous manual maintenance on the convergence rule by operation and maintenance personnel; and the obtained alarm data convergence rule is more reasonable and reliable.
Performing convergence processing, based on the alarm event convergence rule and the alarm data convergence rule, on the real-time alarm data and on a plurality of alarm events in the real-time alarm data, respectively, to obtain at least one candidate alarm event includes: performing convergence processing on the real-time alarm data based on the alarm data convergence rule to obtain converged real-time alarm data; and performing convergence processing on a plurality of alarm events in the converged real-time alarm data based on the alarm event convergence rule to obtain at least one candidate alarm event.
For example, an alarm event includes fields such as alarm ID, alarm source, department, system name, deployment unit, device name, device IP, alarm identifier, alarm level, alarm content, and alarm reporting time. The method can use a stream processing mechanism, combined with the alarm data convergence rule determined from the software and hardware knowledge graph, to aggregate alarm data by service-requirement dimension and time window; based on the alarm convergence rule, it can then converge the alarm events in the alarm data received in real time and aggregate a plurality of single alarm events into an alarm event group.
For example, the alarm data is sliced according to a time window (such as 1 minute or 5 minutes); the topological relations are queried on the software and hardware knowledge graph to determine the corresponding alarm data convergence rule; and the alarm data on the associated physical machines and virtual machines is aggregated to form a set of alarm instances. The alarms are then further converged through the alarm event convergence rule obtained from the alarm knowledge graph to complete the aggregation of the alarm events, yielding candidate alarm events from which an alarm event group is generated.
The alarm event processing method provided by this embodiment can first perform convergence processing on the real-time alarm data based on the alarm data convergence rule to obtain converged real-time alarm data, and then perform convergence processing on a plurality of alarm events in the converged real-time alarm data based on the alarm event convergence rule to obtain at least one candidate alarm event. This helps in processing massive alarm data and large numbers of single alarm events, and improves the efficiency of determining the candidate alarm events.
Outputting the at least one target alarm event determined in each alarm event group includes: determining at least one target alarm event according to the output level of each candidate alarm event in each alarm event group, and outputting the at least one target alarm event.
The output rule is configurable. Outputting at least one target alarm event determined in each alarm event group helps achieve purposes such as shielding and derivation of alarm events, primary and secondary alarms, service alarms, and abnormal information alarms. The alarm event group can be output after an alarm suppression operation and an alarm silence operation. Alarm suppression may mean that, for alarm events of the same type, high-level alarm events are output while low-level alarm events are ignored. For example, only the high-level alarm events in a group are output, and the low-level alarm events in the group are ignored.
The alarm event processing method provided by this embodiment can determine at least one target alarm event according to the output level of each candidate alarm event in each alarm event group. This helps avoid outputting too many alarm events from the same alarm event group, which would reduce fault-handling efficiency; at the same time, handling only the at least one output target alarm event helps reduce maintenance cost.
The alarm event processing method further includes, prior to outputting the at least one target alarm event determined in each alarm event group: determining whether an alarm event identical to the at least one target alarm event has been output within a predetermined period of time; and, in the event that it is determined that an alarm event identical to the at least one target alarm event has been output within the predetermined period of time, stopping outputting the at least one target alarm event.
It can be understood that, after a certain alarm event has been output within the predetermined period of time, the same alarm event is not output again if it is received again. This avoids repeated output of the alarm event, which would otherwise scatter the attention of the personnel handling alarm events, and facilitates a timely response to the alarm event.
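The steps described above (time-window slicing, convergence over the host topology, rule-based event convergence, level-based output and repeat interception) can be traced end to end in the following added example, which is not code from the patent. The field names, the topology, the level scale, the two convergence rules, the 300-second period and the choice of (device, alarm identifier) as the "same alarm" key are all assumptions made for illustration.

```python
from collections import defaultdict

WINDOW_S = 60    # time-window slice; the text mentions 1 or 5 minutes
SILENCE_S = 300  # assumed "predetermined period" for repeat interception
LEVELS = {"minor": 1, "major": 2, "critical": 3}  # assumed output-level scale

# Constructed stand-in for the software/hardware knowledge graph:
# "host" edges from each virtual machine to its physical machine.
HOST_EDGES = {"vm-app-01": "pm-07", "vm-app-02": "pm-07", "vm-db-01": "pm-03"}

# Constructed stand-in for the alarm event convergence rules (in the text
# these are mined from historical alarms): linked identifiers form one event.
EVENT_RULES = [("disk_full", "db_write_fail"), ("db_write_fail", "api_5xx")]

# Constructed sample alarms (time in seconds).
ALARMS = [
    {"time": 5, "device": "pm-07", "ident": "disk_full", "level": "critical"},
    {"time": 12, "device": "vm-app-01", "ident": "db_write_fail", "level": "major"},
    {"time": 20, "device": "vm-app-02", "ident": "api_5xx", "level": "minor"},
    {"time": 30, "device": "vm-db-01", "ident": "cpu_high", "level": "minor"},
    {"time": 65, "device": "pm-07", "ident": "disk_full", "level": "critical"},
    {"time": 400, "device": "pm-07", "ident": "disk_full", "level": "critical"},
]


def physical_root(device):
    """Follow "host" edges until the physical machine is reached."""
    while device in HOST_EDGES:
        device = HOST_EDGES[device]
    return device


def converge_data(alarms):
    """Alarm data convergence: bucket by time window and physical machine."""
    buckets = defaultdict(list)
    for alarm in alarms:
        key = (alarm["time"] // WINDOW_S, physical_root(alarm["device"]))
        buckets[key].append(alarm)
    return buckets


def converge_events(bucket):
    """Alarm event convergence: merge alarms whose identifiers are linked
    by a rule, using union-find so that chained rules form one group."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    present = {alarm["ident"] for alarm in bucket}
    for left, right in EVENT_RULES:
        if left in present and right in present:
            parent[find(left)] = find(right)
    groups = defaultdict(list)
    for alarm in bucket:
        groups[find(alarm["ident"])].append(alarm)
    return list(groups.values())


def select_targets(group):
    """Suppression: keep only the highest-level alarms of an event group."""
    top = max(LEVELS[alarm["level"]] for alarm in group)
    return [alarm for alarm in group if LEVELS[alarm["level"]] == top]


class Interceptor:
    """Blocks an alarm already output within the last SILENCE_S seconds."""

    def __init__(self):
        self.last_output = {}

    def allow(self, alarm):
        key = (alarm["device"], alarm["ident"])
        last = self.last_output.get(key)
        if last is not None and alarm["time"] - last < SILENCE_S:
            return False
        self.last_output[key] = alarm["time"]
        return True


def process(alarms, interceptor):
    """Run the whole pipeline; returns (time, device, ident, level) tuples."""
    output = []
    for _, bucket in sorted(converge_data(alarms).items()):
        for group in converge_events(bucket):
            for alarm in select_targets(group):
                if interceptor.allow(alarm):
                    output.append((alarm["time"], alarm["device"],
                                   alarm["ident"], alarm["level"]))
    return sorted(output)


if __name__ == "__main__":
    for row in process(ALARMS, Interceptor()):
        print(row)
```

Six raw alarms become three outputs: the three alarms on pm-07 and its virtual machines collapse to the critical disk_full event, its repeat at 65 s is intercepted, and the repeat at 400 s is output again because the assumed period has elapsed.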
Based on the method for processing the alarm event, the disclosure also provides a device for processing the alarm event. The apparatus will be described in detail below with reference to fig. 4.
Fig. 4 schematically shows a block diagram of a device for processing an alarm event according to an embodiment of the present disclosure.
As shown in fig. 4, the apparatus 400 for processing an alarm event of this embodiment includes an acquiring data module 410, a convergence processing module 420, a first determining module 430, and a second determining module 440.
The acquiring data module 410 is configured to acquire target data information in response to receiving an instruction to output an alarm event, the target data information including currently generated real-time alarm data, an alarm event convergence rule, and an alarm data convergence rule. The convergence processing module 420 is configured to perform convergence processing on the real-time alarm data and on a plurality of alarm events in the real-time alarm data, respectively, based on the alarm event convergence rule and the alarm data convergence rule, so as to obtain at least one candidate alarm event. The first determining module 430 is configured to determine at least one alarm event group according to the classification result of each candidate alarm event. The second determining module 440 is configured to output the at least one target alarm event determined in each alarm event group.
In some embodiments, the acquiring data module is configured to: determine an alarm event convergence rule based on alarm data and alarm convergence configuration data in a historical predetermined time period; generate an alarm knowledge graph corresponding to the alarm event convergence rule; and acquire the alarm event convergence rule based on the alarm knowledge graph.
In some embodiments, determining an alarm event convergence rule based on the alarm data and the alarm convergence configuration data within the historical predetermined time period comprises: determining the alarm event convergence rule through one or more of an association rule mining algorithm and an association analysis algorithm based on the alarm data and the alarm convergence configuration data in the historical predetermined time period.
In some embodiments, the acquiring data module is configured to: determine one or more of call relations and connection relations between software and hardware according to data information in a configuration management database; determine a software and hardware knowledge graph corresponding to the alarm data convergence rule according to one or more of the call relations and the connection relations between the software and the hardware; and acquire the alarm data convergence rule based on the software and hardware knowledge graph.
In some embodiments, the convergence processing module is configured to: perform convergence processing on the real-time alarm data based on the alarm data convergence rule to obtain converged real-time alarm data; and perform convergence processing on a plurality of alarm events in the converged real-time alarm data based on the alarm event convergence rule to obtain at least one candidate alarm event.
In some embodiments, the second determining module is configured to: determine at least one target alarm event according to the output level of each candidate alarm event in each alarm event group, and output the at least one target alarm event.
In some embodiments, the apparatus further comprises: an interception module for, prior to said outputting the at least one target alarm event determined in each alarm event group: determining whether the same alarm event as the at least one target alarm event has been output within a predetermined period of time; and stopping outputting the at least one target alarm event if it is determined that the same alarm event as the at least one target alarm event has been output within a predetermined period of time.
According to an embodiment of the present disclosure, any plurality of the first determining module 410, the second determining module 420, the third determining module 430, and the document recommending module 440 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the first determining module 410, the second determining module 420, the third determining module 430, and the document recommending module 440 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware, and firmware, or in any suitable combination of any of them. Alternatively, at least one of the first determining module 410, the second determining module 420, the third determining module 430 and the document recommending module 440 may be at least partially implemented as a computer program module that, when executed, may perform a corresponding function.
Fig. 5 schematically shows a block diagram of an electronic device adapted to implement a method of handling alarm events according to an embodiment of the present disclosure.
As shown in fig. 5, an electronic device 500 according to an embodiment of the present disclosure includes a processor 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 501 may also include onboard memory for caching purposes. Processor 501 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 503, various programs and data necessary for the operation of the electronic device 500 are stored. The processor 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 502 and/or the RAM 503. Note that the programs may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 500 may also include an input/output (I/O) interface 505, which is also connected to the bus 504. The electronic device 500 may also include one or more of the following components connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, and the like; an output section 507 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage section 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. A drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out therefrom is installed into the storage section 508 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 502 and/or the RAM 503 and/or one or more memories other than the ROM 502 and the RAM 503 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated by the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the method for processing the alarm event provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 501. The above described systems, devices, modules, units, etc. may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, downloaded and installed through the communication section 509, and/or installed from the removable medium 511. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program, when executed by the processor 501, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments of the present disclosure and/or the claims may be made without departing from the spirit and teachings of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. A method for processing an alarm event comprises the following steps:
acquiring target data information in response to receiving an instruction for outputting an alarm event; the target data information includes: currently generated real-time alarm data, an alarm event convergence rule and an alarm data convergence rule;
based on the alarm event convergence rule and the alarm data convergence rule, respectively carrying out convergence processing on the real-time alarm data and on a plurality of alarm events in the real-time alarm data to obtain at least one candidate alarm event;
determining at least one alarm event group according to the classification result of each candidate alarm event; and
outputting the at least one target alarm event determined in each alarm event group.
2. The method of claim 1, wherein the acquiring target data information in response to receiving an instruction for outputting an alarm event comprises:
determining an alarm event convergence rule based on alarm data and alarm convergence configuration data in a historical predetermined time period;
generating an alarm knowledge graph corresponding to the alarm event convergence rule; and
acquiring the alarm event convergence rule based on the alarm knowledge graph.
3. The method of claim 2, wherein the determining an alarm event convergence rule based on alarm data and alarm convergence configuration data in a historical predetermined time period comprises:
determining the alarm event convergence rule through one or more of an association rule mining algorithm and an association analysis algorithm based on the alarm data and the alarm convergence configuration data in the historical predetermined time period.
4. The method of claim 1, wherein the acquiring target data information in response to receiving an instruction for outputting an alarm event comprises:
determining one or more of call relations and connection relations between software and hardware according to data information in a configuration management database;
determining a software and hardware knowledge graph corresponding to the alarm data convergence rule according to one or more of the call relations and the connection relations between the software and the hardware; and
acquiring the alarm data convergence rule based on the software and hardware knowledge graph.
5. The method of claim 1, wherein the respectively carrying out convergence processing on the real-time alarm data and on a plurality of alarm events in the real-time alarm data based on the alarm event convergence rule and the alarm data convergence rule to obtain at least one candidate alarm event comprises:
based on the alarm data convergence rule, carrying out convergence processing on the real-time alarm data to obtain converged real-time alarm data; and
based on the alarm event convergence rule, carrying out convergence processing on a plurality of alarm events in the converged real-time alarm data to obtain at least one candidate alarm event.
6. The method of claim 1, wherein the outputting the at least one target alarm event determined in each alarm event group comprises:
determining at least one target alarm event according to the output level of each candidate alarm event in each alarm event group, and outputting the at least one target alarm event.
7. The method of claim 1, further comprising, prior to the outputting the at least one target alarm event determined in each alarm event group:
determining whether the same alarm event as the at least one target alarm event has been output within a predetermined period of time; and
in a case where it is determined that the same alarm event as the at least one target alarm event has been output within the predetermined period of time, stopping outputting the at least one target alarm event.
8. An alarm event processing apparatus, comprising:
a data acquisition module, configured to acquire target data information in response to receiving an instruction for outputting an alarm event; the target data information includes: currently generated real-time alarm data, an alarm event convergence rule and an alarm data convergence rule;
a convergence processing module, configured to perform convergence processing on the real-time alarm data and on a plurality of alarm events in the real-time alarm data respectively based on the alarm event convergence rule and the alarm data convergence rule, so as to obtain at least one candidate alarm event;
a first determining module, configured to determine at least one alarm event group according to a classification result of each candidate alarm event; and
a second determining module, configured to output at least one target alarm event determined in each alarm event group.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method recited in any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 7.
11. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 7.
CN202211141544.0A 2022-09-20 2022-09-20 Alarm event processing method and device, electronic equipment and medium Pending CN115514618A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211141544.0A CN115514618A (en) 2022-09-20 2022-09-20 Alarm event processing method and device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN115514618A true CN115514618A (en) 2022-12-23

Family

ID=84504467

Country Status (1)

Country Link
CN (1) CN115514618A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117560389A (en) * 2023-10-13 2024-02-13 陕西小保当矿业有限公司 Mine industrial Internet platform alarm fusion method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113268399A (en) * 2021-06-15 2021-08-17 上海天正信息科技有限公司 Alarm processing method and device and electronic equipment
CN113886182A (en) * 2021-09-29 2022-01-04 深圳市金蝶天燕云计算股份有限公司 Alarm convergence method and device, electronic equipment and storage medium
CN114564580A (en) * 2022-02-15 2022-05-31 北京云集智造科技有限公司 Self-adaptive alarm aggregation method based on knowledge graph

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination