CN116010221A - Alarm processing method and device - Google Patents

Publication number
CN116010221A
Authority
CN
China
Prior art keywords
alarm
entity
information
similarity
class
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310159929.8A
Other languages
Chinese (zh)
Inventor
杨洪鑫
范晓宁
杜建明
杜靖翀
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced Nova Technology Singapore Holdings Ltd
Original Assignee
Alipay Labs Singapore Pte Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Labs Singapore Pte Ltd
Priority to CN202310159929.8A
Publication of CN116010221A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the specification provides an alarm processing method and device, wherein the alarm processing method comprises the following steps: acquiring a plurality of alarm information, and respectively extracting entities from each alarm information to obtain alarm entity sets corresponding to each alarm information; calculating the similarity of multidimensional attributes between any two alarm entity sets; clustering a plurality of alarm entity sets according to the similarity of the multidimensional attribute between any two alarm entity sets to obtain a plurality of alarm aggregation classes; and screening out target alarm information from alarm information corresponding to each alarm aggregation class for release. By extracting the entity of the alarm information and clustering a plurality of alarm entity sets according to the multidimensional attribute information, the effective clustering of a large amount of alarm information is realized, the alarm quantity is obviously reduced, the service fault investigation cost is reduced, the alarm duplication removal efficiency is effectively improved, and the fault investigation efficiency of a task system is greatly improved by screening target alarm information and issuing.

Description

Alarm processing method and device
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to an alarm processing method.
Background
Currently, when a task system fails during operation and maintenance, the failure is often accompanied by a large number of alarms. These alarms generally have related but different dimensions; for example, many pieces of alarm information come from different computing devices of the same client, in which case the client and the device are two dimensions included in the alarm information. The staff handling the alarms need to troubleshoot the corresponding entity service for each piece of alarm information. To spare them the workload caused by a large number of repeated alarms, it is generally necessary to deduplicate and denoise all alarms generated within a period of time, thereby reducing the number of alarms. Most alarm deduplication in the prior art is based on whether the title or the alarm content is the same.
However, different pieces of alarm information rarely share the same alarm title and the same alarm content. Deduplicating a large number of alarms only according to the similarity of the alarm content therefore easily causes alarms to be suppressed by mistake when the similarity threshold is too low, and gives a very poor noise reduction effect when the similarity threshold is too high. As a result, the staff handling the alarms cannot troubleshoot the task system in a timely and effective manner, and the troubleshooting efficiency of the task system is low. An efficient and accurate alarm deduplication method is therefore needed to improve the troubleshooting efficiency of the task system and reduce the troubleshooting cost.
Disclosure of Invention
In view of this, the present embodiment provides an alarm processing method. One or more embodiments of the present specification relate to an alarm processing apparatus, a computing device, a computer-readable storage medium, and a computer program that solve the technical drawbacks of the related art.
According to a first aspect of embodiments of the present disclosure, there is provided an alarm processing method, including:
acquiring a plurality of alarm information, and respectively extracting entities from each alarm information to obtain alarm entity sets corresponding to each alarm information;
calculating the similarity of multidimensional attributes between any two alarm entity sets;
clustering a plurality of alarm entity sets according to the similarity of the multidimensional attribute between any two alarm entity sets to obtain a plurality of alarm aggregation classes;
and screening out target alarm information from alarm information corresponding to each alarm aggregation class for release.
According to a second aspect of embodiments of the present specification, there is provided an alarm processing apparatus, comprising:
the extraction module is configured to acquire a plurality of alarm information, and respectively carry out entity extraction on each alarm information to obtain alarm entity sets corresponding to each alarm information;
the computing module is configured to compute the similarity of the multidimensional attribute between any two alarm entity sets;
the clustering module is configured to cluster the plurality of alarm entity sets according to the similarity of the multidimensional attribute between any two alarm entity sets to obtain a plurality of alarm aggregation classes;
the issuing module is configured to screen out target alarm information from alarm information corresponding to each alarm aggregation class for issuing.
According to a third aspect of embodiments of the present specification, there is provided a computing device comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions that, when executed by the processor, perform the steps of the alert processing method described above.
According to a fourth aspect of embodiments of the present specification, there is provided a computer readable storage medium storing computer executable instructions which, when executed by a processor, implement the steps of the alert processing method described above.
In an embodiment of the specification, a plurality of alarm information are acquired, and entity extraction is carried out on each alarm information to obtain the alarm entity set corresponding to each alarm information; the similarity of multidimensional attributes between any two alarm entity sets is calculated; the plurality of alarm entity sets are clustered according to that similarity to obtain a plurality of alarm aggregation classes; and target alarm information is screened out from the alarm information corresponding to each alarm aggregation class for release. Because the alarm entity sets are obtained by entity extraction, the alarms are not screened by simple matching of the alarm information; instead, the alarm entity sets are clustered by the multidimensional attributes they include. This realizes effective clustering of a large amount of alarm information. Screening the alarm information of each alarm aggregation class and releasing only the target alarm information remarkably reduces the alarm quantity, reduces the service troubleshooting cost, effectively improves the alarm deduplication efficiency, and greatly improves the troubleshooting efficiency of the task system.
Drawings
FIG. 1 is a flow chart of an alarm processing method provided in one embodiment of the present disclosure;
FIG. 2 is a process flow diagram of an alarm processing method according to one embodiment of the present disclosure;
FIG. 3 is a process flow diagram of another alarm processing method provided by one embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an alarm entity diagram in an alarm processing method according to an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of screening target alarm information according to an intra-class alarm entity diagram according to an importance analysis algorithm in an alarm processing method according to an embodiment of the present disclosure;
FIG. 6 is a flowchart of a processing procedure of an alarm processing method applied to a distributed payment system according to an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of an alarm processing device according to an embodiment of the present disclosure;
FIG. 8 is a block diagram of a computing device provided in one embodiment of the present description.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present description. However, this description can be implemented in many other ways than those described herein, and those skilled in the art can make similar generalizations without departing from the spirit of the disclosure; therefore, this disclosure is not limited by the specific implementations disclosed below.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that, although the terms first, second, etc. may be used in one or more embodiments of this specification to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first may also be referred to as a second, and similarly, a second may also be referred to as a first, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at the time of …", "when …" or "in response to determining", depending on the context.
First, terms related to one or more embodiments of the present specification will be explained.
An alarm entity: an entity extracted from the alarm information by an entity extraction method; it can represent the attribute of the alarm information in each task dimension.
A set of alarm entities: the set consisting of the alarm entities extracted from the same alarm information.
Multidimensional attribute information: attribute information, included in the alarm information, in a plurality of dimensions such as the region, client, place, and equipment where the fault occurs. Whether different alarm information belongs to the same type of fault can be judged through the multidimensional attribute information.
Jaccard similarity coefficient: used to compare the similarity and difference between finite sample sets; the greater the Jaccard similarity coefficient, the higher the sample similarity.
Spearman correlation coefficient: used to compare the similarity between two numerical sequences; the greater the Spearman correlation coefficient, the greater the similarity between the two sequences.
In the present specification, an alarm processing method is provided, and the present specification relates to an alarm processing apparatus, a computing device, and a computer-readable storage medium, which are described in detail in the following embodiments one by one.
When an operation and maintenance fault occurs, it is often accompanied by a large number of alarms. To reduce the burden on the staff handling the alarms and improve troubleshooting efficiency, repeated alarms are mostly deduplicated based on whether the title or the alarm information is the same, but because this relies only on whether the title and the alarm information are the same, the noise reduction effect is poor. When the task system serves a huge number of businesses and channels, the deduplication effect easily becomes insignificant, so that the troubleshooting efficiency of the task system is low and the troubleshooting cost is too high.
Therefore, in the alarm processing method provided by one embodiment of the specification, the alarm entity set corresponding to each alarm information is obtained by entity extraction. The alarms are not screened by simple matching of the alarm information; instead, the alarm entity sets are clustered by the multidimensional attributes they include, which realizes effective clustering of a large amount of alarm information. Target alarm information is then screened out from the alarm information corresponding to each alarm aggregation class for release, which significantly reduces the alarm quantity, reduces the service troubleshooting cost, effectively improves the alarm deduplication efficiency, and greatly improves the troubleshooting efficiency of the task system.
Referring to fig. 1, fig. 1 shows a flowchart of an alarm processing method according to an embodiment of the present disclosure, which specifically includes the following steps.
Step 102: acquiring a plurality of alarm information, and respectively extracting entities from each alarm information to obtain alarm entity sets corresponding to each alarm information;
During normal operation of the task system, various anomalies can be triggered by causes such as fluctuations in the network service provided by a network operator, a large number of users logging in at the same time, attacks by hackers, updates to the software programs or hardware equipment of the system, an excessively high background occupancy rate, and large changes in ambient temperature and humidity. The system raises an alarm when an anomaly is triggered, reminding the staff responsible for alarm processing to troubleshoot the task system according to the alarm information.
Specifically, the alarm information is information automatically sent by the task system according to a preset alarm triggering condition when any of the system's indexes is abnormal. The alarm entities extracted from the alarm information can represent the attributes of the alarm information in each task dimension. Illustratively, the content of the alarm information is: the network communication of machine a in room 1 of customer a in the Asian region is interrupted during the period from 14:22 on 5.2.2023 to 15:03 on 05.02.2023. The task dimensions included in this alarm information are region, customer, place, and equipment. Reading this alarm information, the following can therefore be extracted from it: alarm entity 1: Asian region; alarm entity 2: customer a; alarm entity 3: machine room 1; alarm entity 4: machine a. Together, the four alarm entities extracted from the alarm information form the alarm entity set corresponding to the alarm information.
When an operation and maintenance fault occurs, it is often accompanied by a large number of alarms, and there is a certain correlation between the different alarm information they contain. For example, the alarm information of alarm 1 shows that the CPU occupancy rate of machine a in machine room A is abnormal, the alarm information of alarm 2 shows that the CPU occupancy rate of machine b in machine room A is abnormal, and the alarm information of alarm 3 shows that the CPU occupancy rate of machine c in machine room A is abnormal. The CPU occupancy rate of each machine is then likely to be abnormal because machine room A as a whole has a major fault, and the better approach is to troubleshoot the whole of machine room A directly, so that the CPU occupancy rate of every machine in it returns to normal in the same period of time. However, because the prior art cannot cluster and deduplicate large volumes of alarm information well, the staff responsible for alarm processing can usually only troubleshoot machine a, machine b, and machine c in the order in which alarm 1, alarm 2, and alarm 3 were sent. Abnormal conditions are therefore not handled in time, the same type of fault is often located and investigated repeatedly, and service troubleshooting is inefficient, time-consuming, and labor-intensive.
Therefore, in order to improve the service troubleshooting efficiency, an alarm processing method provided in an embodiment of the present disclosure includes the step of: acquiring a plurality of alarm information, and respectively extracting entities from each alarm information to obtain alarm entity sets corresponding to each alarm information.
Specifically, the alarm information comprises multi-dimensional attribute information, the multi-dimensional attribute information refers to attribute information of a plurality of dimensions such as a region, a client, a place, equipment and the like, which are included in the alarm information, and whether different alarm information belongs to the same type of fault can be judged through the multi-dimensional attribute information, so that unified fault investigation processing can be carried out on the type of fault, staff responsible for alarm processing is not required to carry out service investigation and fault processing one by one according to a large amount of alarm information, and the fault investigation efficiency is greatly improved.
Specifically, entity extraction is performed on each alarm information to obtain alarm entity sets corresponding to each alarm information, which can be realized by the following modes:
obtaining an alarm entity corresponding to the first alarm information according to the multidimensional attribute information of the first alarm information, wherein the first alarm information is any one of a plurality of alarm information;
and constructing an alarm entity set corresponding to the first alarm information according to the alarm entity.
Specifically, the first alarm information is any one of the acquired plurality of alarm information, one or more alarm entities corresponding to the first alarm information are extracted according to the multidimensional attribute information in the first alarm information, and the one or more alarm entities are constructed as an alarm entity set corresponding to the first alarm information.
Specifically, the step of obtaining the alarm entity corresponding to the first alarm information according to the multidimensional attribute information of the first alarm information may be implemented in the following two ways:
extracting alarm entities under different task dimensions corresponding to the first alarm information by using a regular expression according to a preset alarm configuration table;
or,
and reading the alarm entities under different task dimensions from the first alarm information according to preset alarm configuration items.
Specifically, according to a preset alarm configuration table, the first implementation mode utilizes a regular expression to extract alarm entities corresponding to the first alarm information under different task dimensions.
In practical applications, a service developer or operation and maintenance person can preset an alarm configuration table for a task system according to the attributes of the task system in different dimensions. After the first alarm information is acquired, its text content can first be preprocessed into a form that can be parsed automatically with a regular expression. The preprocessed text content is then parsed with the regular expression, and the alarm entities corresponding to the configuration items in the preset alarm configuration table are generated automatically.
Illustratively, extracting the alarm entities in different task dimensions corresponding to the first alarm information with a regular expression, according to a preset alarm configuration table, may be implemented as follows: the text content of the first alarm information is segmented to obtain the short sentences or phrases that make it up; each short sentence or phrase is labeled according to the preset alarm configuration table; each labeled short sentence or phrase is edited into a corresponding regular expression; the phrases that are joined to a label without a space are extracted; and the label characters are deleted from those phrases, leaving pure-text phrases that serve as the alarm entities.
Specifically, according to a preset alarm configuration item, the second implementation mode reads alarm entities in different task dimensions from the first alarm information.
In practical application, for a task system, a service developer or an operation and maintenance person may preset alarm configuration items according to attributes of the service in different dimensions, for example, preset 5 alarm configuration items: territories, customers, sites, equipment, importance. After the first alarm information sent by the system is obtained, related staff can read attribute information corresponding to the alarm configuration item from text content of the first alarm information according to the preset alarm configuration item, and extract the attribute information to serve as an alarm entity corresponding to the first alarm information.
The step of obtaining the alarm entity corresponding to the first alarm information according to the multidimensional attribute information of the first alarm information may be further implemented in the following manner:
and carrying out vectorization processing on the text content of the acquired first alarm information, extracting one or more feature vectors of the first alarm information from the text content according to preset configuration information, and taking the extracted feature vectors as alarm entities corresponding to the first alarm information.
With the regular expression or feature vector extraction approach, the text content can be parsed automatically and the attribute information that the alarm information contains in different task dimensions can be extracted automatically to obtain the corresponding alarm entities, which improves the extraction efficiency of alarm entities and thereby the overall efficiency of troubleshooting. With the alarm configuration item approach, the relevant staff can read the attribute information corresponding to each preset alarm configuration item directly from the text content of the alarm information, which improves the extraction accuracy of alarm entities and thereby the overall efficiency of troubleshooting.
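The first extraction mode, sketched as an added example that is not code from the patent: a configuration table maps each task dimension to a regular expression, and every extracted entity keeps its dimension as a tag so that "customer a" and "machine a" stay distinct members of the alarm entity set. The table contents, the patterns, the 4096-character bound and the sample alarm texts are all assumptions constructed for illustration.

```python
import re

# Constructed alarm configuration table (an assumption, not the patent's):
# task dimension -> regular expression with one named group "v".
ALARM_CONFIG_TABLE = {
    "region": re.compile(r"\bin the (?P<v>[A-Za-z]+) region\b", re.I),
    "customer": re.compile(r"\bcustomer (?P<v>[\w-]+)", re.I),
    "place": re.compile(r"\broom (?P<v>[\w-]+)", re.I),
    # "machine room 1" names a place, not a device, so skip that phrase.
    "equipment": re.compile(r"\bmachine (?!room\b)(?P<v>[\w-]+)", re.I),
}
MAX_ALARM_CHARS = 4096  # bound the text handed to the regex engine


def extract_entities(alarm_text, table=ALARM_CONFIG_TABLE):
    """Return {dimension: entity} for every dimension found in the alarm text."""
    # Preprocess: truncate and collapse whitespace so patterns see single spaces.
    text = " ".join(alarm_text[:MAX_ALARM_CHARS].split())
    entities = {}
    for dimension, pattern in table.items():
        match = pattern.search(text)
        if match:  # a dimension the alarm does not mention is simply absent
            entities[dimension] = match.group("v").lower()
    return entities


def alarm_entity_set(alarm_text, table=ALARM_CONFIG_TABLE):
    """Build the alarm entity set; each entity keeps its dimension as a tag."""
    found = extract_entities(alarm_text, table)
    return frozenset(f"{dim}:{value}" for dim, value in found.items())


# Constructed alarm texts modelled on the example in the description.
ALARM_1 = ("The network communication of machine a in room 1 of customer a "
           "in the Asia region is interrupted from 14:22 to 15:03.")
ALARM_2 = "CPU occupancy of machine room 1 in the Asia region is abnormal."

if __name__ == "__main__":
    print(sorted(alarm_entity_set(ALARM_1)))
    print(sorted(alarm_entity_set(ALARM_2)))
```

Without the dimension tag the first alarm would collapse to three entities, because the customer and the machine are both named "a", and every set-based similarity computed afterwards would be skewed.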
In practical application, different alarm information may correspond to the same fault, or abnormal conditions corresponding to a plurality of alarm information can be solved simultaneously through one fault investigation, so after alarm entity sets corresponding to the alarm information respectively are obtained, clustering processing is needed to be carried out on each alarm entity set.
Step 104: calculating the similarity of multidimensional attributes between any two alarm entity sets;
In particular, the multidimensional attributes of an alarm entity set may include attributes such as task and time. The task attribute may include the different task dimension attributes corresponding to each alarm entity included in the alarm entity set; the time attribute may include the abnormal index time sequence corresponding to each alarm entity set when an anomaly is triggered. Typically, the abnormal index time sequence characterizes the period of time during which the abnormal condition continues to occur.
Clustering the acquired alarm information by the similarity of multidimensional attributes between any two alarm entity sets, rather than by the text similarity between alarm information, allows similarity to be judged along multiple dimensions, with a different preset threshold for the similarity of each dimension attribute. This improves the efficiency and accuracy of alarm information clustering, realizes efficient clustering of large volumes of alarm information, makes the subsequent deduplication of alarm information more accurate and effective, and improves the overall efficiency of troubleshooting.
Specifically, the calculation of the similarity of the multidimensional attribute between any two alarm entity sets can be realized in the following manner:
and calculating the task similarity and the time sequence similarity between any two alarm entity sets.
Because the task system can serve a large number of different clients, the alarm information often includes attribute information in different task dimensions. For example, the alert information may include a region corresponding to the task system, a client that uses the task system and needs to perform important monitoring on the usage situation of the task system, a location where the task system is specifically deployed, and on which machine the task system is specifically deployed. The task similarity is used for representing the similarity degree of attribute information between two alarm entity sets, that is, the task similarity can represent the similarity degree between alarm entities respectively included by the two alarm entity sets.
In practical application, under the condition that the system gives an alarm, the abnormal condition is triggered in the system, and usually the abnormal condition does not occur instantaneously but can continuously occur for a certain period of time. The time sequence similarity is used for representing the similarity degree of the abnormal time periods between the two alarm entity sets, that is, the time similarity can represent the similarity of two abnormal index time sequences corresponding to the two alarm entity sets respectively.
Specifically, the step of calculating the task similarity between any two alert entity sets can be implemented as follows:
determining a first number of the same alarm entities and a second number of different alarm entities in any two alarm entity sets according to any two alarm entity sets;
and calculating the task similarity between any two alarm entity sets according to the first number and the second number.
Specifically, the task similarity between any two alarm entity sets may be obtained by comparing the number of identical alarm entities and the number of different alarm entities included in the two sets. It can be calculated as a Jaccard similarity coefficient, which represents the degree of similarity of the elements of two finite sample sets. The Jaccard similarity coefficient is calculated as shown in the following formula (1):
Sim1 = |A∩B| / |A∪B| (1)
Specifically, A represents a first alarm entity set, B represents a second alarm entity set, and A and B are any two of the plurality of alarm entity sets. Sim1 represents the task similarity between the first alarm entity set A and the second alarm entity set B. |A∩B| represents the first number, that is, the number of identical alarm entities in the first alarm entity set and the second alarm entity set. |A∪B| represents the second number, that is, the number of different alarm entities included in the first alarm entity set and the second alarm entity set. The task similarity Sim1 between the first alarm entity set A and the second alarm entity set B is obtained by dividing the first number by the second number.
Illustratively: the alarm entity set A comprises alarm entity 1, alarm entity 2 and alarm entity 3; the alarm entity set B comprises alarm entity 2, alarm entity 3 and alarm entity 4. Calculating the Jaccard similarity coefficient gives a task similarity of 0.5 between the alarm entity set A and the alarm entity set B.
Obtaining the task similarity between any two alarm entity sets by calculating the Jaccard similarity coefficient between them makes it possible to judge the similarity of the two sets in the service attribute dimension, which improves the accuracy and effectiveness of clustering the alarm entity sets.
Because the alarm entity sets include not only task dimensions but also other dimensions such as time, the similarity between any two alarm entity sets in the time dimension is calculated in addition to their task similarity. Judging by multidimensional similarity whether two alarm entity sets can be aggregated into the same class further improves the effectiveness and accuracy of alarm information clustering.
Specifically, the step of calculating the time sequence similarity between any two alarm entity sets can be implemented by the following manner:
determining an abnormal index time sequence corresponding to a first alarm entity set according to alarm information corresponding to the first alarm entity set, wherein the first alarm entity set is any one of a plurality of alarm entity sets;
and calculating the time sequence similarity between any two alarm entity sets according to the abnormal index time sequence corresponding to any two alarm entity sets respectively.
In practical applications, an alarm sent by a task system usually corresponds to a fault. The alarm information of the alarm includes alarm entities in different task dimensions, and each alarm entity basically corresponds to an index time sequence; the index time sequence in which the fault occurs shows the abnormal condition. Because an abnormal condition usually persists over a certain time period, the abnormal index time sequence is normally a numerical sequence corresponding to a time period. For example, if the abnormal condition is that the CPU occupancy exceeds eighty percent and it lasts from 17:00 on February 1, 2023 to 17:30 on the same day, the corresponding abnormal index time sequence can be 202302011700.202302011730.
Specifically, the first alarm entity set is any one of the plurality of alarm entity sets, and the abnormal index time sequence corresponding to the abnormal index is read from the alarm information corresponding to the first alarm entity set. The time sequence similarity between any two alarm entity sets can be calculated from their respective abnormal index time sequences by computing the Spearman correlation coefficient. The Spearman correlation coefficient characterizes the correlation between two numerical sequences, so computing it yields the similarity of the abnormal index time sequences corresponding to the two alarm entity sets, that is, the time sequence similarity between any two alarm entity sets. The Spearman correlation coefficient can be calculated by the following formula (2):
Figure BDA0004094244370000071
specifically, x represents an abnormal index time sequence corresponding to the first alarm entity set, and y represents an abnormal index time sequence corresponding to the second alarm entity set. Sim2 represents a temporal similarity between the first set of alert entities and the second set of alert entities.
By calculating the Spearman correlation coefficient between any two alarm entity sets, the time sequence similarity between them is obtained, so that the similarity of the two alarm entity sets can be judged in the time attribute dimension, which improves the accuracy and effectiveness of clustering the alarm entity sets.
After the similarity of the multidimensional attribute between any two alarm entity sets is obtained by calculating the similarity of any two alarm entity sets in a plurality of different dimensions such as task dimension, time dimension and the like, clustering is carried out on the alarm entity sets according to different preset thresholds corresponding to the different dimensions and preset matching conditions.
Step 106: clustering a plurality of alarm entity sets according to the similarity of the multidimensional attribute between any two alarm entity sets to obtain a plurality of alarm aggregation classes;
specifically, the step of clustering the plurality of alarm entity sets according to the similarity of the multidimensional attribute between any two alarm entity sets to obtain a plurality of alarm aggregation classes can be realized by the following modes:
judging whether any two alarm entity sets accord with a preset matching condition according to a first preset threshold corresponding to the task similarity and a second preset threshold corresponding to the time sequence similarity;
and dividing the alarm entity set meeting the preset matching condition into the same alarm aggregation class.
The first preset threshold corresponding to the task similarity is used for representing whether the two alarm entity sets have similarity in the task dimension, and the second preset threshold corresponding to the time sequence similarity is used for representing whether the two alarm entity sets have similarity in the time dimension. Alternatively, the preset matching condition may be: the task similarity of any two alarm entity sets is higher than a first preset threshold value and the time sequence similarity is higher than a second preset threshold value.
In practical application, the clustering of the plurality of alarm entity sets can be completed by judging whether the task similarity and the time sequence similarity of any two alarm entity sets each reach their corresponding preset thresholds. Since the text contents of different alarm information are often not completely the same, the first preset threshold corresponding to the task similarity is preferably 0.3. This avoids both judging similar alarm entity sets to be dissimilar and gathering insufficiently similar alarm entity sets into one class, either of which would impair the deduplication of the subsequent alarm information. Since anomalies triggered in the same time range may be the same fault, and the same-time-range condition is judged more strictly in practical application, the second preset threshold corresponding to the time sequence similarity is preferably 0.9. For example, two alarm entity sets A and B are selected from the plurality of alarm entity sets, and the task similarity and the time sequence similarity between alarm entity set A and alarm entity set B are 0.4 and 0.98 respectively. Both values are greater than the first preset threshold corresponding to the task similarity and the second preset threshold corresponding to the time sequence similarity, so alarm entity set A and alarm entity set B meet the preset matching condition and can be classified into the same alarm aggregation class.
In practical applications, the dimension attribute that matters most may differ between types of faults under investigation. For example, when the investigation of a certain type of fault focuses on a particular closely monitored client (such as a network connection fault of a VIP client), the task similarity can carry a higher weight for that fault. When the investigation focuses on whether an abnormality occurs in a certain time period (such as a payment fault in the early morning of Double Eleven), the time sequence similarity can carry a higher weight for that fault. Different similarity weight parameters can therefore be set for different types of faults. Optionally, the preset matching condition may further be: a weighted operation is performed on the task similarity and the time sequence similarity of any two alarm entity sets, and the obtained operation result meets a third preset threshold.
By setting preset thresholds under different dimensions and judging whether the attribute similarities of two alarm entity sets under those dimensions meet the preset matching condition, the alarm entity sets can be evaluated for similarity from multiple dimensions. This avoids the situation in which poor deduplication under a single dimension forces the staff handling alarms to investigate a large amount of alarm information one by one, so that important faults are not handled in time and the overall efficiency of fault investigation is low. It also avoids the situation in which important alarm information is removed by deduplication and never released to the staff handling alarms, with unpredictable results.
The plurality of alarm entity sets are clustered through preset matching conditions, the obtained plurality of alarm aggregation classes can represent different types of faults, and alarm information corresponding to each alarm entity set in the same alarm aggregation class can be regarded as the same fault. Therefore, the target alarm information is screened from the alarm aggregation classes and released, so that the effective duplication removal of the fault information with large data volume can be realized.
Optionally, besides calculating the similarity of multidimensional attributes between any two alarm entity sets, the clustering of a plurality of alarm information can also be achieved through a deep learning model, with the alarm information of highest importance selected for release. Specifically, whether alarm information corresponds to the same fault type is modeled as a two-class problem (similar or dissimilar), a large amount of high-quality labeled data is used as training corpus, and a supervised deep learning model is trained on the labeled data. The model can learn a high-dimensional representation of the alarms, judge similarity according to the distance between representations in the representation space, and automatically screen important alarm information according to the distance from the representation center.
Optionally, the alarm information can also be clustered based on the time point of the abnormality. Specifically, the time sequences corresponding to the entity indexes are read from the alarm information and the occurrence time of the abnormal index in each alarm is determined. Based on a deep understanding of the related tasks, a short period of time is set as a preset threshold; alarm information that occurs within the same time range and meets the preset threshold is aggregated as faults of the same type, and the alarm information with the earliest abnormality trigger time is screened out for release.
Step 108: and screening out target alarm information from alarm information corresponding to each alarm aggregation class for release.
Specifically, each alarm aggregation class obtained through multi-dimensional attribute similarity matching among alarm entity sets can represent different types of faults. In practical application, one or more items of alarm information can be selected from each alarm aggregation class at first to be released, so that operators for processing alarms can timely conduct investigation processing on various faults, and then each alarm information is released to the operators for processing alarms in sequence according to the time sequence of the alarm sent by the system, and the comprehensiveness of task system fault investigation is guaranteed.
Aiming at each alarm aggregation class, one or more pieces of alarm information are screened out for release, so that the number of alarm information released to staff handling alarms is greatly reduced, the duplication removal of large-data-volume alarm information is realized, the staff handling alarms can timely handle different faults, and the problem that a large amount of time is consumed for troubleshooting repeated faults to cause system potential safety hazards of untimely troubleshooting is avoided.
When the existing task system issues the alarm information to the staff handling the alarms, the alarm information is generally issued according to the sequence of faults or the alarm information is issued randomly, so that the staff handling the alarms often consume a great deal of time to conduct repeated investigation on the faults of the same type, important alarm information cannot be handled in time, and immeasurable potential safety hazards are caused to the task system. In order to make the important alarm information in each alarm aggregation class be issued preferentially and perform fault investigation, the method can be implemented by screening out the target alarm information from the alarm information corresponding to each alarm aggregation class for issuing, wherein the method comprises the following steps:
for a first alarm aggregation class, calculating alarm weights respectively corresponding to alarm entity sets in the first alarm aggregation class, wherein the first alarm aggregation class is any one of a plurality of alarm aggregation classes;
And screening out target alarm information from the alarm information corresponding to the first alarm aggregation class according to the alarm weight, and publishing the target alarm information.
Specifically, the first alarm aggregation class is any one of a plurality of alarm aggregation classes, and in the first alarm aggregation class, different alarm entity sets respectively correspond to respective alarm weights. The alarm weight can represent the probability that the alarm entity set is likely to be abnormal under the fault type, and the greater the probability is, the more important the alarm information corresponding to the alarm entity set is likely to be. Therefore, one or more pieces of alarm information corresponding to the alarm entity set with high weight value can be screened out according to the alarm weight corresponding to the alarm entity set, and released.
In order to perform more comprehensive fault investigation on the task system, the potential safety hazard of the system caused by missed alarm information is avoided, and after one or more alarm information corresponding to the alarm entity set with high weight value is issued, the system can issue the rest of alarm information in sequence or issue the rest of alarm information randomly according to the time sequence generated by each alarm.
By calculating the alarm weights corresponding to the alarm entity sets respectively, the alarm information with higher importance can be screened out and released, so that important faults can be timely checked and processed, and the safety and stability of the system are guaranteed.
Because a section of complete alarm information corresponding to the alarm entity set may include a plurality of alarm entities, when the alarm information is screened, the fault probability corresponding to each alarm entity in the alarm entity set corresponding to the alarm information should be integrally predicted and evaluated, so that the alarm weights corresponding to each alarm entity set in the first alarm aggregation class are calculated, and the method can be implemented as follows:
according to the intra-class alarm entity diagram corresponding to the first alarm aggregation class, calculating alarm probabilities respectively corresponding to alarm entities in the intra-class alarm entity diagram through an importance analysis algorithm;
and according to the alarm probabilities respectively corresponding to the alarm entities in the alarm entity diagram in the class, respectively carrying out alarm probability summation on each alarm entity set in the first alarm aggregation class to obtain alarm weights respectively corresponding to each alarm entity set in the first alarm aggregation class.
Specifically, the first alarm aggregation class is any one of a plurality of alarm aggregation classes, and the intra-class alarm entity graph is a graph constructed according to alarm entities included in the first alarm aggregation class and relationships between the alarm entities. The importance analysis algorithm can be a PageRank algorithm, and the alarm probability corresponding to each alarm entity in the alarm entity diagram in the class can be calculated by carrying out iterative processing on the alarm entity diagram in the class according to the PageRank algorithm. And respectively carrying out alarm probability summation on each alarm entity set in the first alarm aggregation class to obtain alarm weights respectively corresponding to each alarm entity set in the first alarm aggregation class.
In practical application, since different task dimensions have different importance degrees during abnormal evaluation, different alarm entities can also correspond to different weight parameters, for example, a region is a wider dimension, in contrast, a certain machine in a certain machine room relates to a specific place and equipment, so that the dimension corresponding to the place and equipment is generally higher than the dimension corresponding to the region in terms of importance degree and probability of easily generating abnormality. Therefore, after the fault probabilities corresponding to different alarm entities are calculated, the fault probabilities can be weighted according to the corresponding weight parameters to obtain the alarm probabilities corresponding to the alarm entities.
By calculating the alarm probabilities corresponding to the alarm entities in the alarm entity diagram in the class, the alarm information corresponding to the alarm entity set can be predicted more accurately according to the probability of faults of the alarm entities, the alarm information with higher alarm importance is screened out, the alarm duplication eliminating effectiveness is improved, and the timeliness of fault detection is improved.
By carrying out intra-class composition on the alarm aggregation class, the probability of faults of each alarm entity and the association relation among different alarm entities can be simulated more accurately, and the alarm probability calculated by an importance scoring algorithm can be more accurate, so before the alarm probabilities respectively corresponding to each alarm entity in the intra-class alarm entity diagram are calculated by an importance analysis algorithm according to the intra-class alarm entity diagram corresponding to the first alarm aggregation class, the method further comprises the following steps:
Determining the number of alarms corresponding to each alarm entity and the association relation between the alarm entities in the first alarm aggregation class;
and obtaining an intra-class alarm entity diagram corresponding to the first alarm aggregation class according to the alarm entities, the alarm quantity and the association relation in the first alarm aggregation class.
Specifically, the number of alarms corresponding to each alarm entity may refer to the number of times any alarm entity appears in the same alarm aggregation class. For example, the first alarm aggregation class includes 3 alarm entity sets, and the alarm entity set 1 includes an alarm entity 1, an alarm entity 2 and an alarm entity 3; the alarm entity set 2 comprises an alarm entity 2, an alarm entity 3 and an alarm entity 4; the alarm entity set 3 comprises an alarm entity 1 and an alarm entity 4. The number of occurrences of the alerting entity 1 is 2, the number of occurrences of the alerting entity 2 is 2, and the number of occurrences of the alerting entity 3 is 2. That is, the number of alarms corresponding to the alarm entities 1, 2, 3 is 2, respectively. The association relationship between the alarm entities may refer to the number of times any two alarm entities are included in the same alarm entity set in the same alarm aggregation class. Along the above example, the number of times that the alarm entity 1 and the alarm entity 2 are included in the same alarm entity set is 1, the number of times that the alarm entity 1 and the alarm entity 3 are included in the same alarm entity set is 1, the number of times that the alarm entity 1 and the alarm entity 4 are included in the same alarm entity set is 1, the number of times that the alarm entity 2 and the alarm entity 3 are included in the same alarm entity set is 2, the number of times that the alarm entity 2 and the alarm entity 4 are included in the same alarm entity set is 1, and the number of times that the alarm entity 3 and the alarm entity 4 are included in the same alarm entity set is 1.
According to the alarm entity, the alarm quantity and the association relation in the first alarm aggregation class, obtaining an intra-class alarm entity diagram corresponding to the first alarm aggregation class can be realized in the following manner:
and constructing an undirected weighted graph according to the alarm entities, the alarm quantity and the association relations in the first alarm aggregation class, wherein each alarm entity is used as a node of the undirected weighted graph, the alarm quantity/2 corresponding to each alarm entity is used as a weight value corresponding to each node, and the association relations among the alarm entities are used as edges of the undirected weighted graph.
By constructing an intra-class alarm entity diagram corresponding to the first alarm aggregation class according to the alarm entities, the alarm quantity and the association relation in the first alarm aggregation class, alarm information corresponding to an alarm entity set with higher importance can be automatically screened out according to an importance analysis algorithm, and the efficiency of importance analysis is improved, so that the screening and publishing efficiency of the alarm information is improved.
An embodiment of the specification realizes that a plurality of alarm information are acquired, entity extraction is respectively carried out on each alarm information, and an alarm entity set corresponding to each alarm information is obtained; calculating the similarity of multidimensional attributes between any two alarm entity sets; clustering a plurality of alarm entity sets according to the similarity of the multidimensional attribute between any two alarm entity sets to obtain a plurality of alarm aggregation classes; the method comprises the steps of screening target alarm information from alarm information corresponding to alarm aggregation classes for release, obtaining alarm entity sets corresponding to the alarm information respectively through entity extraction of the alarm information, not screening the alarm information according to simple matching of the text content of the alarm information, but clustering a plurality of alarm entity sets through multidimensional attributes included in the alarm entity sets, so that effective clustering of a large number of alarm information is realized, the number of alarms is obviously reduced, the service fault investigation cost is reduced, the alarm deduplication efficiency is effectively improved, and the fault investigation efficiency of a task system is greatly improved.
The following describes, with reference to fig. 2, an example of application of the alarm processing method provided in the present specification to a distributed payment system. Fig. 2 is a flowchart of a processing procedure of an alarm processing method according to an embodiment of the present disclosure, which specifically includes the following steps.
Step 202: and acquiring all alarm information sent by the distributed payment system in the near two days.
Illustratively, the text content of the alarm information of alarm 1 is: machine a in machine room 1 of customer a in the Asian region had a payment success rate of less than twenty percent in the period from 14:22 to 15:03 on February 5, 2023. The text content of the alarm information of alarm 2 is: machine b in machine room 2 of customer a in the Asian region had a payment success rate of less than eighteen percent in the period from 14:22 to 15:03 on February 5, 2023.
Step 204: according to a preset alarm configuration table, extracting alarm entities under different task dimensions corresponding to each alarm information respectively through a regular expression, and constructing alarm entity sets corresponding to each alarm information respectively according to the extracted alarm entities.
Illustratively, the alarm configuration table preset by the distributed payment system comprises the following configuration items: territories, clients, sites, devices. Along with the above example, by regular expressions, the alarm entities extracted from the alarm information 1 include: entity 1: asian region, entity 2: customer a, entity 3: machine room 1, entity 4: machine a; the alarm entity extracted from the alarm information 2 includes: entity 1: asian region, entity 2: customer a, entity 3: machine room 1, entity 4: machine b.
Specifically, in all the alarm information, after any alarm information is subjected to entity extraction through the regular expression, one or more alarm entities can be obtained, and one or more alarm entities form an alarm entity set corresponding to the alarm information. Thus, the alarm entity extracted from the alarm information 1 comprises: entity 1: asian region, entity 2: customer a, entity 3: machine room 1, entity 4: machine a, these 4 entities form the alarm entity set 1 corresponding to the alarm information 1; the alarm entity extracted from the alarm information 2 includes: entity 1: asian region, entity 2: customer a, entity 3: machine room 1, entity 4: and a machine b, wherein the 4 entities form an alarm entity set 2 corresponding to the alarm information 2.
Step 206: according to any two alarm entity sets, determining a first number of the same alarm entities and a second number of different alarm entities in any two alarm entity sets, and taking results obtained by the quotient of the first number and the second number as task similarity between any two alarm entity sets.
Illustratively, the same alarm entity in alarm entity set 1 and alarm entity set 2 has 3: entity 1: asian region, entity 2: customer a, entity 3: a machine room 1; there are 5 different alert entities: entity 1: asian region, entity 2: customer a, entity 3: machine room 1, entity 4: machine a, entity 5: machine b, therefore, the task similarity between the set of alert entities 1 and the set of alert entities 2 is 0.6.
Step 208: reading the abnormal index time sequence from the alarm information corresponding to the alarm entity sets, and calculating the time sequence similarity between any two alarm entity sets from their respective abnormal index time sequences using the Spearman correlation coefficient.
For example, alarm information 1 corresponding to alarm entity set 1 has a payment success rate of less than twenty percent in the period from 14:22 to 15:03 on February 5, 2023, and alarm information 2 corresponding to alarm entity set 2 has a payment success rate of less than eighteen percent in the period from 14:22 to 15:03 on February 5, 2023. The abnormal index time sequence read from alarm information 1 may then be 2023020514221503, and the abnormal index time sequence read from alarm information 2 may be 2023020514221503. Calculating the Spearman correlation coefficient gives a time sequence similarity of 1 between alarm entity set 1 and alarm entity set 2.
Step 210: judging whether task similarity between any two alarm entity sets is greater than 0.3 and whether time sequence similarity is greater than 0.9, if so, dividing the two alarm entity sets into the same alarm aggregation class.
For example, the task similarity between the alert entity set 1 and the alert entity set 2 is 0.6, greater than a preset threshold value of 0.3, and the time sequence similarity is 1, greater than a preset threshold value of 0.9, so that the alert entity set 1 and the alert entity set 2 are divided into the same alert aggregation class.
Step 212: and optionally publishing one item of target alarm information from the alarm information corresponding to each alarm aggregation class.
Specifically, after the alarm entity sets corresponding to all alarm information in two days of the distributed payment system are clustered, each type of alarm aggregation type can represent the same type of faults, one alarm information is selected from among the alarm information to be issued according to each type of faults, duplicate removal of the alarm information can be effectively realized, repeated work of workers is avoided, and in addition, investigation processing can be timely conducted according to different types of fault alarms.
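The flow of steps 204 to 212 (regular-expression entity extraction, Jaccard task similarity, Spearman time sequence similarity, and the 0.3 / 0.9 matching condition) can be exercised end to end with the following sketch. It is an added example, not code from the patent; the `key=value` alarm text format, the metric sample values, the `dimension:value` entity naming and the union-find grouping of matching pairs are all assumptions made for illustration.

```python
import math
import re
from itertools import combinations

# Hypothetical alarm configuration table: task dimension -> extraction regex.
ALARM_CONFIG = {
    "region": re.compile(r"region=(\w+)"),
    "customer": re.compile(r"customer=(\w+)"),
    "room": re.compile(r"room=(\w+)"),
    "machine": re.compile(r"machine=(\w+)"),
}

# Constructed alarms; "series" is the abnormal metric sampled over the alarm window.
ALARMS = [
    {"id": 1, "text": "region=asia customer=A room=1 machine=a pay_success<20%",
     "series": [0.19, 0.17, 0.12, 0.15, 0.18]},
    {"id": 2, "text": "region=asia customer=A room=1 machine=b pay_success<18%",
     "series": [0.17, 0.16, 0.10, 0.13, 0.165]},
    {"id": 3, "text": "region=europe customer=B room=7 machine=k cpu>80%",
     "series": [0.81, 0.85, 0.90, 0.95, 0.99]},
    # Shares 3 of 5 entities with alarms 1 and 2, but its metric moves the other way.
    {"id": 4, "text": "region=asia customer=A room=1 machine=c pay_success<20%",
     "series": [0.05, 0.10, 0.19, 0.15, 0.08]},
]

def extract_entities(text):
    """Alarm entity set: one 'dimension:value' entity per configured dimension found."""
    found = set()
    for dim, rx in ALARM_CONFIG.items():
        m = rx.search(text)
        if m:
            found.add(f"{dim}:{m.group(1)}")
    return found

def jaccard(a, b):
    """Task similarity: number of shared entities over number of distinct entities."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def average_ranks(values):
    """1-based ranks, with tied values given the average of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks

def spearman(x, y):
    """Time sequence similarity: Pearson correlation of the two rank vectors."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("series must be aligned and hold at least two samples")
    rx, ry = average_ranks(x), average_ranks(y)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    if vx == 0 or vy == 0:  # a flat series has no rank order to correlate
        return 0.0
    return cov / math.sqrt(vx * vy)

def cluster(alarms, task_thr=0.3, time_thr=0.9):
    """Group alarms whose pairwise similarities both exceed their thresholds."""
    sets = [extract_entities(a["text"]) for a in alarms]
    parent = list(range(len(alarms)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(alarms)), 2):
        if (jaccard(sets[i], sets[j]) > task_thr
                and spearman(alarms[i]["series"], alarms[j]["series"]) > time_thr):
            parent[find(j)] = find(i)
    groups = {}
    for i, alarm in enumerate(alarms):
        groups.setdefault(find(i), []).append(alarm["id"])
    return sorted(groups.values())

def publish_targets(clusters):
    """Step 212: release one alarm per aggregation class (here, the first one)."""
    return [c[0] for c in clusters]

if __name__ == "__main__":
    classes = cluster(ALARMS)
    print(classes, publish_targets(classes))
```

Alarm 4 is the case worth noting: its task similarity with alarms 1 and 2 is 0.6, yet it stays in its own class because the time sequence similarity fails the second threshold.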
The following describes the application of the alarm processing method provided in the present specification to a distributed payment system with reference to fig. 3 as an example. Fig. 3 is a flowchart of a processing procedure of another alarm processing method according to an embodiment of the present disclosure, which specifically includes the following steps.
Step 302: and acquiring all alarm information sent by the distributed payment system in the near two days.
Step 304: according to a preset alarm configuration table, extracting alarm entities under different task dimensions corresponding to each alarm information respectively through a regular expression, and constructing alarm entity sets corresponding to each alarm information respectively according to the extracted alarm entities.
Step 306: according to any two alarm entity sets, determining a first number of the same alarm entities and a second number of different alarm entities in any two alarm entity sets, and taking results obtained by the quotient of the first number and the second number as task similarity between any two alarm entity sets.
Step 308: reading the abnormal index time sequence from the alarm information corresponding to the alarm entity sets, and calculating the time sequence similarity between any two alarm entity sets from their respective abnormal index time sequences using the Spearman correlation coefficient.
Step 310: judging whether task similarity between any two alarm entity sets is larger than a first preset threshold value and whether time sequence similarity is larger than a second preset threshold value, and if so, dividing the two alarm entity sets into the same alarm aggregation class.
Step 312: aiming at any alarm aggregation class, taking all alarm entities included in the class as nodes, taking the association relation among alarm entities included in the class as edges, and constructing an undirected weighted graph as an alarm entity graph in the class, wherein the weight of the nodes is the number of alarms corresponding to the entities, and the weight of the edges is the times that two alarm entities are included in the same alarm entity set.
Fig. 4 is a schematic diagram of constructing an intra-class alarm entity diagram from an alarm aggregation class in an alarm processing method according to an embodiment of the present disclosure. The first alarm aggregation class shown in fig. 4 is any one of the alarm aggregation classes, and it includes alarm entity sets 1, 2 and 3, wherein alarm entity set 1 includes alarm entity 1, alarm entity 2 and alarm entity 3; alarm entity set 2 includes alarm entity 2, alarm entity 3 and alarm entity 4; alarm entity set 3 includes alarm entity 1 and alarm entity 4. According to step 312, the intra-class alarm entity diagram corresponding to the first alarm aggregation class is constructed as follows. The alarm entities included in the first alarm aggregation class are determined to be: alarm entity 1, alarm entity 2, alarm entity 3 and alarm entity 4. The number of alarms corresponding to each alarm entity is: the number of alarms of alarm entity 1 is 2, the number of alarms of alarm entity 2 is 2, the number of alarms of alarm entity 3 is 2, and the number of alarms of alarm entity 4 is 2. The association relation between the alarm entities is: the number of times that alarm entity 1 and alarm entity 2 are included in the same alarm entity set is 1, the number of times that alarm entity 1 and alarm entity 3 are included in the same alarm entity set is 1, the number of times that alarm entity 1 and alarm entity 4 are included in the same alarm entity set is 1, the number of times that alarm entity 2 and alarm entity 3 are included in the same alarm entity set is 2, the number of times that alarm entity 2 and alarm entity 4 are included in the same alarm entity set is 1, and the number of times that alarm entity 3 and alarm entity 4 are included in the same alarm entity set is 1. According to this analysis, alarm entities 1, 2, 3 and 4 are taken as nodes; the weights corresponding to nodes 1, 2, 3 and 4 are 1, 1, 1 and 1 respectively; an edge connects each pair of nodes among nodes 1, 2, 3 and 4, the weight of the edge between nodes 1 and 2 is 1, the weight of the edge between nodes 1 and 3 is 1, the weight of the edge between nodes 1 and 4 is 1, the weight of the edge between nodes 2 and 3 is 2, the weight of the edge between nodes 2 and 4 is 1, and the weight of the edge between nodes 3 and 4 is 1. In this way, the intra-class alarm entity diagram corresponding to the first alarm aggregation class shown in fig. 4 can be obtained.
Step 314: according to the intra-class alarm entity diagram corresponding to any alarm aggregation class, calculating, through a PageRank algorithm, the occurrence probability of each node in the undirected weighted diagram, and determining it as the alarm probability of the alarm entity corresponding to the node.
Specifically, the PageRank algorithm randomly initializes an entity node and moves to the next entity with the probability normalized over the edges of the current node, calculating the probability of each node; the transfer continues until the maximum number of iterations is reached or the probability of each node converges.
Fig. 5 is a schematic diagram of screening target alarm information by using an importance analysis algorithm according to an intra-class alarm entity diagram in an alarm processing method according to an embodiment of the present disclosure. As shown in fig. 5, applying the PageRank algorithm to the intra-class alarm entity diagram corresponding to the first alarm aggregation class gives an alarm probability of 0.21 for the alarm entity 1, 0.26 for the alarm entity 2, 0.26 for the alarm entity 3, and 0.25 for the alarm entity 4.
Step 316: according to the alarm probabilities respectively corresponding to the alarm entities, summing the alarm probabilities over each alarm entity set in the first alarm aggregation class to obtain the alarm weight corresponding to each alarm entity set in the first alarm aggregation class, wherein the first alarm aggregation class is any one of the plurality of alarm aggregation classes.
In the first alarm aggregation class, the alarm weight corresponding to the alarm entity set 1 is the sum of alarm probabilities corresponding to the alarm entities 1, 2 and 3, i.e. the alarm weight corresponding to the alarm entity set 1 is 0.21+0.26+0.26=0.73; the alarm weight corresponding to the alarm entity set 2 is the sum of alarm probabilities corresponding to the alarm entities 2, 3 and 4 respectively, namely the alarm weight corresponding to the alarm entity set 2 is 0.26+0.26+0.25=0.77; the alarm weight corresponding to the alarm entity set 3 is the sum of the alarm probabilities corresponding to the alarm entities 1 and 4 respectively, that is, the alarm weight corresponding to the alarm entity set 3 is 0.21+0.25=0.46.
Step 318: for each alarm aggregation class, issuing the alarm information corresponding to the alarm entity set with the highest alarm weight in that class.
In the first alarm aggregation class, the alarm weights corresponding to the alarm entity sets 1, 2 and 3 are respectively 0.73, 0.77 and 0.46, that is, the alarm weight corresponding to the alarm entity set 2 is the highest, so that the alarm information 2 corresponding to the alarm entity set 2 is screened out and issued as a target alarm in the first alarm aggregation class.
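Steps 312 to 318 applied to the Fig. 4 entity sets, as an added example that is not code from the patent: it builds the intra-class graph, runs a weighted PageRank, sums the probabilities per entity set and picks the top set, and it also replays steps 316 and 318 on the probabilities stated for Fig. 5. The names `e1` to `e4` and `set1` to `set3`, the damping factor 0.85, the uniform start vector and the tie tolerance are assumptions that the patent does not specify, so the computed PageRank values are not the Fig. 5 values.

```python
from collections import Counter
from itertools import combinations

# Constructed input: the three alarm entity sets of the first aggregation class (Fig. 4).
ENTITY_SETS = {
    "set1": {"e1", "e2", "e3"},
    "set2": {"e2", "e3", "e4"},
    "set3": {"e1", "e4"},
}
# Alarm probabilities as stated in the text for Fig. 5.
FIG5_PROBS = {"e1": 0.21, "e2": 0.26, "e3": 0.26, "e4": 0.25}


def build_entity_graph(entity_sets):
    """Step 312: alarm number per entity and co-occurrence count per entity pair."""
    alarm_count, edge_weight = Counter(), Counter()
    for members in entity_sets.values():
        alarm_count.update(members)
        for pair in combinations(sorted(members), 2):
            edge_weight[pair] += 1
    return dict(alarm_count), dict(edge_weight)


def pagerank(nodes, edge_weight, damping=0.85, max_iter=100, tol=1e-10):
    """Step 314: weighted PageRank on the undirected graph by power iteration.

    Assumptions: damping 0.85 and a uniform start vector (the text starts from
    a random node; the converged result does not depend on the start).
    """
    nodes = sorted(nodes)
    adj = {v: {} for v in nodes}
    for (a, b), w in edge_weight.items():
        adj[a][b] = w
        adj[b][a] = w
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(max_iter):
        # Entities that never co-occur have no edges; spread their mass evenly.
        dangling = sum(rank[v] for v in nodes if not adj[v])
        new = {v: (1.0 - damping + damping * dangling) / n for v in nodes}
        for v in nodes:
            out = sum(adj[v].values())
            for u, w in adj[v].items():
                new[u] += damping * rank[v] * w / out
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:  # converged before the iteration cap
            break
    return rank


def set_weights(entity_sets, probs):
    """Step 316: alarm weight of a set = sum of its entities' alarm probabilities."""
    return {name: sum(probs[e] for e in sorted(members))
            for name, members in entity_sets.items()}


def top_sets(weights, eps=1e-9):
    """Step 318: set(s) with the highest weight; more than one name means a tie."""
    best = max(weights.values())
    return sorted(name for name, w in weights.items() if best - w <= eps)


if __name__ == "__main__":
    counts, edges = build_entity_graph(ENTITY_SETS)
    print("alarm numbers:", counts)
    print("edge weights:", edges)
    print("Fig. 5 probabilities ->", top_sets(set_weights(ENTITY_SETS, FIG5_PROBS)))
    ranks = pagerank(counts, edges)
    print("computed PageRank   ->", top_sets(set_weights(ENTITY_SETS, ranks)))
```

With the assumed parameters the Fig. 4 graph is symmetric in entities 1 and 4, so the computed weights of sets 1 and 2 tie; an implementation of step 318 needs a deterministic tie-break rule, which the text does not define.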
Through entity extraction, an alarm entity set is obtained for each piece of alarm information. The alarm information is not screened by simple matching of its text content; instead, the alarm entity sets are clustered by the multidimensional attributes they include, which achieves effective clustering of a large amount of alarm information and facilitates subsequent screening and deduplication based on the alarm aggregation classes. Within each alarm aggregation class, an intra-class alarm entity diagram is constructed and the alarm weight corresponding to each alarm entity set is calculated by an importance analysis algorithm, so that alarm information of higher importance can be screened out and released automatically. This remarkably reduces the alarm quantity, improves the timeliness and effectiveness of alarm information release, reduces the service fault troubleshooting cost, effectively improves alarm deduplication efficiency, and greatly improves the fault troubleshooting efficiency of the task system.
The alarm processing method corresponding to steps 302 to 308 included in fig. 3 is further described below with reference to fig. 6. As shown in fig. 6, fig. 6 is a flowchart illustrating a processing procedure of an alarm processing method applied to a distributed payment system according to an embodiment of the present disclosure. The flow of carrying out alarm processing on the distributed payment system can be divided into four stages, namely an alarm entity extraction stage, an alarm similarity clustering stage, an intra-class alarm entity composition stage and an intra-class alarm importance scoring stage.
Specifically, the alarm entity extraction stage may correspond to the steps 302 to 304: the full set of recent alarm information is obtained and entity extraction is performed on it to obtain the alarm entity set corresponding to each piece of alarm information.
The alarm similarity clustering stage may correspond to the steps 306-310, and by calculating task similarity and time sequence similarity between any two alarm entity sets, similarity matching and clustering are performed between all alarm entity sets according to a preset matching condition, so as to obtain alarm aggregation classes respectively corresponding to different fault types.
The intra-class alarm entity composition stage may correspond to the step 312: by performing intra-class alarm entity composition within each of the alarm aggregation classes A to N, the intra-class alarm entity diagrams A to N respectively corresponding to the alarm aggregation classes A to N are obtained.
The in-class alarm importance scoring stage may correspond to the steps 314-318: for each alarm aggregation class, according to the intra-class alarm entity diagram, the alarm entity sets A to N with the highest importance in the respective alarm aggregation classes are calculated by using the PageRank importance scoring algorithm, and the alarm information A to N corresponding to those alarm entity sets is issued as the main alarm of each alarm aggregation class.
Through the four stages, namely the alarm entity extraction stage, the alarm similarity clustering stage, the intra-class alarm entity composition stage and the intra-class alarm importance scoring stage, the recently obtained full set of alarm information can be accurately deduplicated to the greatest extent, and the alarm information issued to staff for alarm processing is greatly reduced. This improves the fault troubleshooting efficiency of the task system; the alarm information with the highest importance can be processed preferentially, which improves the timeliness of fault troubleshooting.
Corresponding to the above method embodiments, the present disclosure further provides an embodiment of an alarm processing apparatus, and fig. 7 shows a schematic structural diagram of an alarm processing apparatus according to one embodiment of the present disclosure. As shown in fig. 7, the apparatus includes:
The extraction module 702 is configured to obtain a plurality of alarm information, and perform entity extraction on each alarm information to obtain an alarm entity set corresponding to each alarm information;
a calculation module 704 configured to calculate a similarity of the multidimensional attribute between any two of the alert entity sets;
a clustering module 706, configured to cluster the plurality of alarm entity sets according to the similarity of the multidimensional attribute between any two alarm entity sets, so as to obtain a plurality of alarm aggregation classes;
the publishing module 708 is configured to screen out the target alarm information from the alarm information corresponding to each alarm aggregation class for publishing.
Specifically, the alert information includes multi-dimensional attribute information, and the extraction module 702 is further configured to include an attribute information extraction module 702 and an entity set construction module.
The attribute information extraction module 702 is configured to obtain an alarm entity corresponding to the first alarm information according to the multidimensional attribute information of the first alarm information, where the first alarm information is any one of the plurality of alarm information;
the entity set construction module is configured to construct an alarm entity set corresponding to the first alarm information according to the alarm entity.
Specifically, the attribute information extraction module 702 is further configured to extract, according to a preset alarm configuration table, alarm entities under different task dimensions corresponding to the first alarm information by using a regular expression;
or,
to read the alarm entities under different task dimensions from the first alarm information according to preset alarm configuration items.
The computing module 704 is further configured to include a task similarity module and a timing similarity module.
The task similarity module is configured to determine a first number of the same alarm entities and a second number of different alarm entities in any two alarm entity sets according to the any two alarm entity sets;
and calculating the task similarity between any two alarm entity sets according to the first number and the second number.
The time sequence similarity module is configured to determine an abnormal index time sequence corresponding to the first alarm entity set according to alarm information corresponding to the first alarm entity set, wherein the first alarm entity set is any one of a plurality of alarm entity sets;
and calculating the time sequence similarity between any two alarm entity sets according to the abnormal index time sequence corresponding to any two alarm entity sets respectively.
The clustering module 706 is further configured to determine, according to a first preset threshold corresponding to the task similarity and a second preset threshold corresponding to the time sequence similarity, whether the any two alarm entity sets meet a preset matching condition;
and to divide the alarm entity sets meeting the preset matching condition into the same alarm aggregation class.
A publication module 708 further configured to include a weight calculation module 704 and a first publication module 708;
the weight calculating module 704 is configured to calculate, for a first alarm aggregation class, alarm weights corresponding to each alarm entity set in the first alarm aggregation class, where the first alarm aggregation class is any one of the alarm aggregation classes.
The first distribution module 708 is configured to screen out the target alarm information from the alarm information corresponding to the first alarm aggregation class according to the alarm weight for distribution.
In particular, the weight calculation module 704 is further configured to,
according to the intra-class alarm entity diagram corresponding to the first alarm aggregation class, calculating alarm probabilities respectively corresponding to alarm entities in the intra-class alarm entity diagram through an importance analysis algorithm;
and according to the alarm probabilities respectively corresponding to the alarm entities in the alarm entity diagram in the class, respectively carrying out alarm probability summation on each alarm entity set in the first alarm aggregation class to obtain alarm weights respectively corresponding to each alarm entity set in the first alarm aggregation class.
The publishing module 708 is further configured to include an intra-class composition module.
The intra-class composition module is configured to determine the alarm quantity corresponding to each alarm entity and the association relation between the alarm entities in the first alarm aggregation class;
and obtaining an intra-class alarm entity diagram corresponding to the first alarm aggregation class according to the alarm entities, the alarm quantity and the association relation in the first alarm aggregation class.
The foregoing is a schematic solution of an alarm processing apparatus of this embodiment. It should be noted that, the technical solution of the alarm processing apparatus and the technical solution of the alarm processing method belong to the same concept, and details of the technical solution of the alarm processing apparatus, which are not described in detail, can be referred to the description of the technical solution of the alarm processing method.
Fig. 8 illustrates a block diagram of a computing device 800 provided in accordance with one embodiment of the present description. The components of computing device 800 include, but are not limited to, memory 810 and processor 820. Processor 820 is coupled to memory 810 through bus 830 and database 880 is used to store data.
Computing device 800 also includes an access device 840 that enables computing device 800 to communicate via one or more networks 880. Examples of such networks include the public switched telephone network (PSTN, Public Switched Telephone Network), local area networks (LAN, Local Area Network), wide area networks (WAN, Wide Area Network), personal area networks (PAN, Personal Area Network), or combinations of communication networks such as the internet. Access device 840 may include one or more of any type of network interface, wired or wireless, such as a network interface card (NIC, network interface controller), an IEEE 802.11 wireless local area network (WLAN, Wireless Local Area Network) wireless interface, a worldwide interoperability for microwave access (Wi-MAX, Worldwide Interoperability for Microwave Access) interface, an Ethernet interface, a universal serial bus (USB, Universal Serial Bus) interface, a cellular network interface, a Bluetooth interface, or a near field communication (NFC, Near Field Communication) interface.
In one embodiment of the present description, the above-described components of computing device 800, as well as other components not shown in FIG. 8, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device illustrated in FIG. 8 is for exemplary purposes only and is not intended to limit the scope of the present description. Those skilled in the art may add or replace other components as desired.
Computing device 800 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smart phone), wearable computing device (e.g., smart watch, smart glasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or personal computer (PC, Personal Computer). Computing device 800 may also be a mobile or stationary server.
Wherein the processor 820 is configured to execute computer-executable instructions that, when executed by the processor, perform the steps of the data processing method described above. The foregoing is a schematic illustration of a computing device of this embodiment. It should be noted that, the technical solution of the computing device and the technical solution of the alarm processing method belong to the same concept, and details of the technical solution of the computing device, which are not described in detail, can be referred to the description of the technical solution of the alarm processing method.
An embodiment of the present disclosure also provides a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the alert processing method described above.
The above is an exemplary version of a computer-readable storage medium of the present embodiment. It should be noted that, the technical solution of the storage medium and the technical solution of the alarm processing method belong to the same concept, and details of the technical solution of the storage medium which are not described in detail can be referred to the description of the technical solution of the alarm processing method.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The computer instructions include computer program code that may be in source code form, object code form, executable file form or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content contained in the computer readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in a jurisdiction; for example, in certain jurisdictions, according to legislation and patent practice, the computer readable medium does not include electrical carrier signals and telecommunication signals.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the embodiments are not limited by the order of actions described, as some steps may be performed in other order or simultaneously according to the embodiments of the present disclosure. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the embodiments described in the specification.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are merely used to help clarify the present specification. Alternative embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the teaching of the embodiments. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. This specification is to be limited only by the claims and the full scope and equivalents thereof.

Claims (13)

1. An alarm processing method, comprising:
acquiring a plurality of alarm information, and respectively extracting entities from each alarm information to obtain alarm entity sets corresponding to each alarm information respectively;
calculating the similarity of multidimensional attributes between any two alarm entity sets;
clustering a plurality of alarm entity sets according to the similarity of the multidimensional attribute between any two alarm entity sets to obtain a plurality of alarm aggregation classes;
and screening out target alarm information from alarm information corresponding to each alarm aggregation class for release.
2. The alert processing method according to claim 1, the alert information comprising multi-dimensional attribute information;
the entity extraction is performed on each alarm information to obtain an alarm entity set corresponding to each alarm information, including:
obtaining an alarm entity corresponding to first alarm information according to the multidimensional attribute information of the first alarm information, wherein the first alarm information is any one of the plurality of alarm information;
and constructing an alarm entity set corresponding to the first alarm information according to the alarm entity.
3. The alarm processing method according to claim 2, wherein the obtaining, according to the multidimensional attribute information of the first alarm information, the alarm entity corresponding to the first alarm information includes:
extracting alarm entities under different task dimensions corresponding to the first alarm information by using a regular expression according to a preset alarm configuration table;
or,
reading the alarm entities under different task dimensions from the first alarm information according to preset alarm configuration items.
4. The alert processing method according to claim 1, wherein the calculating the similarity of the multidimensional attribute between any two alert entity sets includes:
and calculating the task similarity and the time sequence similarity between any two alarm entity sets.
5. The alert processing method according to claim 4, wherein the calculating task similarity between any two alert entity sets comprises:
determining a first number of the same alarm entities and a second number of different alarm entities in any two alarm entity sets according to any two alarm entity sets;
and calculating the task similarity between any two alarm entity sets according to the first number and the second number.
6. The alert processing method according to claim 4, the calculating the temporal similarity between any two alert entity sets, comprising:
determining an abnormal index time sequence corresponding to a first alarm entity set according to alarm information corresponding to the first alarm entity set, wherein the first alarm entity set is any one of a plurality of alarm entity sets;
and calculating the time sequence similarity between any two alarm entity sets according to the abnormal index time sequences respectively corresponding to the any two alarm entity sets.
7. The alarm processing method according to any one of claims 4-6, wherein clustering the plurality of alarm entity sets according to the similarity of the multidimensional attribute between the any two alarm entity sets to obtain a plurality of alarm aggregation classes includes:
judging whether any two alarm entity sets accord with a preset matching condition or not according to a first preset threshold corresponding to the task similarity and a second preset threshold corresponding to the time sequence similarity;
and dividing the alarm entity set meeting the preset matching condition into the same alarm aggregation class.
8. The alarm processing method according to claim 1 or 4, wherein the step of screening the target alarm information from the alarm information corresponding to each alarm aggregation class for release includes:
for a first alarm aggregation class, calculating alarm weights respectively corresponding to all alarm entity sets in the first alarm aggregation class, wherein the first alarm aggregation class is any one of the alarm aggregation classes;
and screening out target alarm information from the alarm information corresponding to the first alarm aggregation class according to the alarm weight for release.
9. The alarm processing method according to claim 8, wherein the calculating the alarm weights corresponding to the alarm entity sets in the first alarm aggregation class includes:
according to the intra-class alarm entity diagram corresponding to the first alarm aggregation class, calculating alarm probabilities respectively corresponding to alarm entities in the intra-class alarm entity diagram through an importance analysis algorithm;
and according to the alarm probabilities respectively corresponding to the alarm entities in the alarm entity diagram in the class, respectively carrying out alarm probability summation on each alarm entity set in the first alarm aggregation class to obtain alarm weights respectively corresponding to each alarm entity set in the first alarm aggregation class.
10. The alarm processing method according to claim 9, further comprising, before the calculating, according to the intra-class alarm entity map corresponding to the first alarm aggregation class, alarm probabilities corresponding to the alarm entities in the intra-class alarm entity map by an importance analysis algorithm:
determining the number of alarms corresponding to each alarm entity and the association relation between the alarm entities in the first alarm aggregation class;
and obtaining an intra-class alarm entity diagram corresponding to the first alarm aggregation class according to the alarm entities, the alarm quantity and the association relation in the first alarm aggregation class.
11. An alarm processing apparatus comprising:
the extraction module is configured to acquire a plurality of alarm information, and respectively carry out entity extraction on each alarm information to obtain alarm entity sets corresponding to each alarm information;
the computing module is configured to compute the similarity of the multidimensional attribute between any two alarm entity sets;
the clustering module is configured to cluster the plurality of alarm entity sets according to the similarity of the multidimensional attribute between any two alarm entity sets to obtain a plurality of alarm aggregation classes;
the issuing module is configured to screen out target alarm information from alarm information corresponding to each alarm aggregation class for issuing.
12. A computing device, comprising:
a memory and a processor;
the memory is configured to store computer executable instructions, and the processor is configured to execute the computer executable instructions, which when executed by the processor, implement the steps of the alarm processing method of any one of claims 1 to 10.
13. A computer readable storage medium storing computer executable instructions which when executed by a processor implement the steps of the alarm processing method of any one of claims 1 to 10.
CN202310159929.8A 2023-02-14 2023-02-14 Alarm processing method and device Pending CN116010221A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310159929.8A CN116010221A (en) 2023-02-14 2023-02-14 Alarm processing method and device

Publications (1)

Publication Number Publication Date
CN116010221A true CN116010221A (en) 2023-04-25

Family

ID=86035795

Country Status (1)

Country Link
CN (1) CN116010221A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116886448A (en) * 2023-09-07 2023-10-13 卓望数码技术(深圳)有限公司 DDoS attack alarm studying and judging method and device based on semi-supervised learning
CN116886448B (en) * 2023-09-07 2023-12-01 卓望数码技术(深圳)有限公司 DDoS attack alarm studying and judging method and device based on semi-supervised learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240226

Address after: Guohao Times City # 20-01, 128 Meizhi Road, Singapore

Applicant after: Advanced Nova Technology (Singapore) Holdings Ltd.

Country or region after: Singapore

Address before: 51 Wurasbasha Road, Laizanda No.1 # 04-08

Applicant before: Alipay laboratories (Singapore) Ltd.

Country or region before: Singapore
