CN116132263B - Alarm solution recommending method and device, electronic equipment and storage medium - Google Patents

Alarm solution recommending method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN116132263B
CN116132263B CN202310160733.0A CN202310160733A CN116132263B CN 116132263 B CN116132263 B CN 116132263B CN 202310160733 A CN202310160733 A CN 202310160733A CN 116132263 B CN116132263 B CN 116132263B
Authority
CN
China
Prior art keywords
alarm
event
recommended
alarm event
historical
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310160733.0A
Other languages
Chinese (zh)
Other versions
CN116132263A (en
Inventor
胡伟
刘淦
梁玫娟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Youtejie Information Technology Co ltd
Original Assignee
Beijing Youtejie Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Youtejie Information Technology Co ltd filed Critical Beijing Youtejie Information Technology Co ltd
Priority to CN202310160733.0A priority Critical patent/CN116132263B/en
Publication of CN116132263A publication Critical patent/CN116132263A/en
Application granted granted Critical
Publication of CN116132263B publication Critical patent/CN116132263B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0631Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/35Clustering; Classification
    • G06F16/355Class or cluster creation or modification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367Ontology

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Animal Behavior & Ethology (AREA)
  • Computational Linguistics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiment of the application discloses an alarm solution recommending method, an alarm solution recommending device, electronic equipment and a storage medium. The method comprises the following steps: under the condition of receiving alarm information to be recommended, acquiring all alarm events within a preset time length before the alarm information to be recommended; judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events or not; if so, adding the alarm information to be recommended to the target alarm event to obtain the alarm event to be recommended; comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared; based on the historical alarm event to be compared with the alarm event to be recommended in the knowledge base, recommending a solution. The application improves the comparison efficiency and accuracy, and further improves the solution recommendation efficiency and accuracy.

Description

Alarm solution recommending method and device, electronic equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of alarm processing, in particular to an alarm solution recommending method, an alarm solution recommending device, electronic equipment and a storage medium.
Background
With the rapid development of informatization, computer systems have become an integral part of work and life, especially in enterprises, in order to improve office efficiency and realize informatization, computer systems inside the enterprises are usually deployed, and are maintained by special operation and maintenance personnel, so as to ensure that the computer systems can normally operate.
After the computer system fails, the computer system can give an alarm, and in order to diagnose the alarm in time, an alarm diagnosis technology is developed. In the existing alarm diagnosis technology, the historical alarm information and the corresponding solutions are usually collected in advance, the historical alarm information and the corresponding solutions are mapped and stored in a database, and when a new alarm occurs, the new alarm is subjected to similarity matching with the historical alarm information in the database, so that the solutions corresponding to the similar historical alarm information are recommended.
The similarity matching in the prior art generally needs to mine keywords in the alarm content, so that the similarity matching is performed based on the keywords. However, only a few common words exist in the related alarms, and most words in the content of the related alarms may be completely different, so that the current common keyword mining method may not be capable of capturing the fuzzy general semantic information.
In addition, the existing similarity analysis method has a lot of errors due to complexity of alarm generation. These two drawbacks may lead to an inability to find similar historical alert information accurately, which may have an adverse effect on the solution recommendation.
Disclosure of Invention
The embodiment of the application provides an alarm solution recommending method, an alarm solution recommending device, electronic equipment and a storage medium, so as to improve the efficiency and accuracy of alarm solution recommending.
In a first aspect, an embodiment of the present application provides an alarm solution recommendation method, where the method includes:
under the condition of receiving alarm information to be recommended, acquiring all alarm events within a preset time length before the alarm information to be recommended;
judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events or not;
if so, adding the alarm information to be recommended to the target alarm event to obtain the alarm event to be recommended;
comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared;
and recommending a solution based on the historical alarm event to be compared and the alarm event to be recommended in the knowledge base.
In a second aspect, an embodiment of the present application provides an alarm solution recommendation apparatus, including:
the acquisition module is used for acquiring all alarm events within a preset time length before the alarm information to be recommended under the condition that the alarm information to be recommended is received;
the judging module is used for judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events;
the event updating module is used for adding the alarm information to be recommended to the target alarm event if the alarm information to be recommended belongs to the target alarm event to obtain the alarm event to be recommended;
the comparison module is used for comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared;
and the recommending module is used for recommending a solution based on the to-be-compared historical alarm event and the to-be-recommended alarm event in the knowledge base.
In a third aspect, an embodiment of the present application further provides an electronic device, including:
one or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement an alert solution recommendation method as provided by any of the embodiments of the present application.
In a fourth aspect, an embodiment of the present application further provides a computer readable storage medium, on which a computer program is stored, wherein the program, when executed by a processor, implements an alarm solution recommendation method as provided in any embodiment of the present application.
According to the technical scheme, under the condition that the alarm information to be recommended is received, all alarm events in the preset time length before the alarm information to be recommended are acquired; judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events or not; if so, adding the alarm information to be recommended to the target alarm event to obtain the alarm event to be recommended; comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared; and recommending a solution based on the historical alarm event to be compared and the alarm event to be recommended in the knowledge base. Based on the method, the historical alarm information is divided into clusters in advance, then the alarm information to be recommended is added to the target alarm event corresponding to the cluster, the alarm event to be recommended obtained after the adding is compared with the historical alarm event in the knowledge base, so that a solution to be recommended is obtained.
Drawings
FIG. 1 is a flowchart of an alarm solution recommendation method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an alert solution recommendation provided in accordance with an embodiment of the present application;
fig. 3 is a schematic structural diagram of an alarm solution recommending apparatus according to a second embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to a third embodiment of the present application.
Detailed Description
The application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present application are shown in the drawings.
Example 1
Fig. 1 is a flowchart of an alarm solution recommendation method according to an embodiment of the present application, where the method is applicable to a scenario of alarm solution recommendation, and the method is described from a first platform end. The method can be executed by an alarm solution recommending device, the device can be realized in a hardware and/or software mode, and can be generally integrated in electronic equipment such as a computer with data operation capability, and the like, and the method specifically comprises the following steps:
step 101, under the condition that the alarm information to be recommended is received, acquiring all alarm events within a preset time length before the alarm information to be recommended.
It should be noted that the previous preset time period may be defined by an operator, for example, may be 10 minutes, 20 minutes, etc., and may be generally referred to as a time window. All alarm events in the previous preset time length are obtained by dividing historical alarm information in the previous preset time length.
In addition, in order to reduce the occurrence of the event of losing the history alarm information, step sizes may be set on the basis of the foregoing time window, and specifically, refer to fig. 2, where fig. 2 is a schematic diagram of dividing the alarm information item set according to the first embodiment of the present application.
It should be noted that, the alarm information items are divided according to the types of alarms, so that the historical alarm information can be classified first, and when the historical alarm information is classified, the historical alarm information with the same convergence mark can be classified into one type according to the preset convergence mark. Specifically, the convergence identifier may be a monitoring ID, an alarm type, and the like.
Before classification, after the historical alarm information is collected in a concentrated mode, the historical alarm information can be formatted for unification of formats and extracted into a K-V structure.
As shown in fig. 2, 9 pieces of history alarm information appear on the time axis, and after each piece of history alarm information is classified, the pieces of history alarm information are A, B, C, A, D, B, C, E, D in turn. Setting a time window as 10 and a step length as 7, and obtaining 3 item sets, namely T1 [ ABC ], T2 [ AD ] and T3 [ BCDE ].
In order to reduce invalid workload of unimportant alarm information in subsequent process, the historical alarm information category can be filtered, for example, various categories can be determined firstAnd determining the type meeting the support degree condition, and performing subsequent operations only on the type meeting the support degree condition. Specifically, the support degree calculation mode of the type a may be:
then, constructing an undirected weighted graph by using the types meeting the support degree conditions, wherein whether an edge exists between the two types can be determined by whether the confidence degree between the two types meets the confidence degree conditions, specifically, taking A and B as examples, the confidence degree between A and B can be:
in addition, the support degree condition may be set such that the support degree is greater than or equal to a preset support degree threshold value, and the confidence degree condition is set such that the confidence degree is greater than or equal to a preset confidence degree threshold value. In one specific example, the support rich threshold may be 0.001 and the confidence threshold may be 0.1.
If there is an edge between the two types, the confidence may be determined as a weight value of the edge.
After the undirected weighted graph is constructed, the nodes in the undirected weighted graph can be divided by using a community discovery algorithm louvia, so as to obtain clusters to which different alarm categories belong, and it should be noted that the division process of the community discovery algorithm louvia can refer to related technologies, which are not described herein.
Step 102, judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events.
In this step, the alarm information to be recommended is classified first, and classified according to the same convergence identifier in the foregoing process.
Specifically, the alarm information to be recommended may be classified according to a preset convergence identifier, and then whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events is judged based on the type of the alarm information to be recommended.
In the process of determining whether the alarm information to be recommended belongs to the cluster corresponding to any target alarm event in all alarm events, the cluster corresponding to each alarm event can be acquired first, wherein the cluster is obtained by dividing the alarm information within a preset time length by using a community discovery algorithm in advance, and any cluster comprises at least one piece of alarm information; for any cluster, determining whether alarm information to be recommended and alarm information in the cluster meet preset conditions; if yes, determining the cluster as the cluster corresponding to the target alarm event to which the alarm information to be recommended belongs.
It should be noted that, each cluster divided above forms an alarm event, where the alarm event includes alarm information corresponding to each type in the cluster, and the preset condition refers to a condition that needs to be met when the alarm information to be recommended can be divided into the cluster.
Specifically, the preset condition may be that the alarm information in the cluster has the same type of alarm information as the alarm information to be recommended. In a specific example, the alarm information in a certain cluster may have A, B, D types, and the type of the alarm information to be recommended is B, which indicates that the cluster contains the alarm information of the same type as the alarm information to be recommended, so as to meet the preset condition, and the alarm information to be recommended may be added to the alarm event corresponding to the cluster.
In order to more accurately judge whether the alarm information to be recommended belongs to the cluster corresponding to any target alarm event in all alarm events, the preset condition can be that the modularity between the alarm information to be recommended and the alarm information in the cluster can be stable.
It should be noted that, the method for calculating the modularity mainly uses the relevant characteristics of the modularity in the community discovery algorithm, and the method for calculating the modularity may refer to the relevant technology, which is not described herein. In general, the alarm information can be considered to belong to the same cluster if the modularity is stable.
If the clusters corresponding to the target alarm events do not exist, the semantic similarity of the alarm information to be recommended and the historical alarm information in each cluster is compared, and the historical alarm event corresponding to the cluster to which the target historical alarm information with the similarity meeting the first preset condition belongs is determined to be the first similar historical alarm event; and adding the alarm information to be recommended into the first similar alarm event to obtain the alarm event to be recommended.
The absence of a cluster corresponding to the target alarm event refers to the fact that a cluster meeting a preset condition cannot be found in the process, and at the moment, the target alarm event is absent, and the cluster corresponding to the target alarm event is absent. In this case, the semantic similarity may also be used to find the cluster to which the most similar historical alert information belongs, where the alert event corresponding to the cluster is the first similar alert event.
Specifically, when the semantic similarity between the warning information to be recommended and any historical warning information is determined, the context information of each word in the warning information to be recommended and the historical warning information is obtained through a CBOW algorithm, the important words are subjected to semantic weighting through IDF, and the contribution degree is calculated.
Weighted final semantics can be expressed asWherein (1)>Context information for any word, < +.>Is the contribution degree.
After the final semantics of the alarm information to be recommended and the history alarm information are obtained, the final semantics are taken as input, and the similarity is calculated. It should be noted that there may be many methods for calculating the similarity, such as euclidean distance, and the like, which are not described herein.
In addition, if the target historical alarm information corresponding to the similarity meeting the first preset condition is not met, generating an alarm event to be recommended based on the alarm information to be recommended. Specifically, the alarm information to be recommended is taken as the only alarm information in the alarm event to be recommended at this time, new alarm information may be added in the subsequent process, and the number of alarm information in the alarm event to be recommended may be increased.
And step 103, if the alarm information to be recommended belongs to the target alarm event, adding the alarm information to be recommended to the target alarm event to obtain the alarm event to be recommended.
In this step, since the target alarm event includes a plurality of alarm information, the target alarm event can be regarded as a set of the plurality of alarm information, and therefore, the alarm information to be recommended is added to the target alarm event, that is, the alarm information to be recommended can be added to the set, and the new set is the alarm event to be recommended.
And 104, comparing the historical alarm event in the obtained knowledge base with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared.
In this step, in order to improve the accuracy of the comparison, the alarm event may be sliced. Specifically, an alarm event to be recommended can be mapped into an event vector through a minimum hash algorithm, and then the event vector is subjected to segmentation processing to obtain an event slice set corresponding to the alarm event to be recommended.
Before that, feature extraction can be performed on the alarm information in the alarm event, specifically, mask digital processing can be performed on the source of the alarm information to obtain new_source, and template extraction is performed on the alarm information by a dry method to obtain template_id, where all alarm information in the alarm event can be represented by "new_source+template_id".
In a specific example, a certain alarm event may be [ new_source1+template_id1, new_source2+template_id2, new_source 3+template_id3 ].
According to the method, the feature extraction is carried out on the alarm information in the alarm event to be recommended and the historical alarm event. And then mapping the alarm event according to the characteristics through a minimum hash algorithm (minihash) to obtain respective corresponding event vectors of each alarm event (which can be an alarm event to be recommended or any historical alarm event).
In a specific example, an event of an alarm event is obtainedVector is = [ i ] 1 ,i 2 ,i 3 ,i 4 ,...i 128 ]It should be noted that the vector dimension is 128, and the vector dimension can be configured in a self-defined manner according to actual requirements.
After the mapping is completed, the event vector is split, and the size of each part is set to be s, and b parts are co-split, and b=128/s, taking the vector dimension as 128 as an example. Wherein the first slice may be [ i ] 1 ,i 2 ,i 3 ,i 4 ,...i s ]。
It should be noted that, the s value is determined by a similarity threshold set by the user, specifically, a certain number of historical alarm event samples can be obtained, and the Jacquard similarity between the samples is calculated; and setting a plurality of s values, mapping each historical alarm event, and then segmenting according to the s values to obtain slice groups of different s values corresponding to each historical alarm event (wherein each s value corresponds to one slice group for each historical alarm event, and if b s values exist, b slice groups exist for each historical alarm event).
For any sample, querying a similar sample corresponding to any slice of the sample that is the same as or similar to the same slice at the same s value; determining a ratio of Jacquard similarity between a similar sample and the any sample to be greater than a preset similarity threshold.
And finally, determining the s value with the highest proportion as the s value used in the step.
Based on the above procedure, each alarm event corresponds to a set of event slices. And then searching whether a target slice equal to any event slice in the event slice set exists or not from a knowledge base obtained in advance, and if so, determining a historical alarm event corresponding to the target slice as a historical alarm event to be compared.
It should be noted that, after the knowledge base obtains the clusters, each cluster is determined as a historical alarm event, and the obtained library is mapped and stored in combination with a historical solution or a solution given by an expert.
In order to improve the recommendation efficiency, the embodiment can slice the historical alarm event after the historical alarm event is obtained, and map and store the slice into a library. When searching is carried out in the step, the searching is directly carried out.
Step 105, recommending a solution based on the historical alarm event to be compared with the alarm event to be recommended in the knowledge base.
In the foregoing step, a plurality of to-be-compared historical alert events are obtained, and in this step, event similarity between each to-be-compared historical alert event and the to-be-recommended alert event can be determined, and the to-be-compared historical alert event corresponding to the event similarity satisfying the second preset condition is determined as the second similar historical alert event; and then acquiring and recommending an alarm solution corresponding to the second similar historical alarm event in the knowledge base.
It should be noted that, the similarity of this step may be determined by the Jacquard exact similarity calculation method. In order to improve the accuracy of the recommendation, the second preset condition may be that 3 to-be-compared historical alarm events with the similarity exceeding 0.5 and the highest similarity are second similarity historical alarm events.
In this embodiment, under the condition of receiving alarm information to be recommended, all alarm events within a preset time period before the alarm information to be recommended are acquired; judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events or not; if so, adding the alarm information to be recommended to the target alarm event to obtain the alarm event to be recommended; comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared; based on the historical alarm event to be compared with the alarm event to be recommended in the knowledge base, recommending a solution. Based on the method, the historical alarm information is divided into clusters in advance, then the alarm information to be recommended is added to the target alarm event corresponding to the cluster, the alarm event to be recommended obtained after the adding is compared with the historical alarm event in the knowledge base, so that a solution to be recommended is obtained.
Example two
Fig. 3 is a schematic structural diagram of an alarm solution recommending apparatus according to a second embodiment of the present application. The alarm solution recommending device provided by the embodiment of the application can execute the alarm solution recommending method provided by any embodiment of the application, and has the corresponding functional modules and beneficial effects of the executing method. The device can be implemented in a software and/or hardware mode, as shown in fig. 3, and the alarm solution recommending device specifically comprises: an acquisition module 301, a judgment module 302, an event updating module 303, a comparison module 304 and a recommendation module 305.
The acquisition module is used for acquiring all alarm events within a preset time length before the alarm information to be recommended under the condition that the alarm information to be recommended is received;
the judging module is used for judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events;
the event updating module is used for adding the alarm information to be recommended to the target alarm event if the alarm information to be recommended belongs to the target alarm event to obtain the alarm event to be recommended;
the comparison module is used for comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared;
and the recommending module is used for recommending a solution based on the historical alarm event to be compared with the alarm event to be recommended in the knowledge base.
Further, the judging module includes:
the classifying unit is used for classifying the alarm information to be recommended according to a preset convergence mark;
the judging unit is used for judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events or not based on the type of the alarm information to be recommended.
Further, the judging unit includes:
the cluster acquisition subunit is used for acquiring clusters corresponding to all the alarm events, wherein the clusters are obtained by dividing alarm information within a preset time length in advance by using a community discovery algorithm, and any cluster comprises at least one piece of alarm information;
a determining subunit, configured to determine, for any cluster, whether alarm information to be recommended and alarm information in the cluster meet a preset condition;
and the cluster determining subunit is used for determining the cluster as the cluster corresponding to the target alarm event to which the warning information to be recommended belongs if the warning information to be recommended is satisfied.
Further, the apparatus further comprises:
the first similar historical alarm event determining module is used for comparing semantic similarity of the alarm information to be recommended and the historical alarm information in each cluster if the cluster corresponding to the target alarm event does not exist, and determining the historical alarm event corresponding to the cluster to which the target historical alarm information with the similarity meeting the first preset condition belongs as the first similar historical alarm event;
and the information adding module is used for adding the alarm information to be recommended into the first similar alarm event to obtain the alarm event to be recommended.
Further, the apparatus further comprises:
and the alarm event to be recommended generation module is used for generating an alarm event to be recommended based on the alarm information to be recommended if the target historical alarm information corresponding to the similarity meeting the first preset condition is not met.
Further, the comparison module includes:
the hash mapping unit is used for mapping the alarm event to be recommended into an event vector through a minimum hash algorithm, and then carrying out segmentation processing on the event vector to obtain an event slice set corresponding to the alarm event to be recommended;
and the slicing unit is used for searching whether a target slice which is equal to any event slice in the event slice set exists from a knowledge base which is obtained in advance, and if so, determining the historical alarm event corresponding to the target slice as the historical alarm event to be compared.
Further, the recommendation module includes:
the second similar historical alarm event determining unit is used for determining event similarity between each to-be-compared historical alarm event and the to-be-recommended alarm event, and determining to-be-compared historical alarm event corresponding to the event similarity meeting a second preset condition as a second similar historical alarm event;
and the scheme recommending unit is used for acquiring and recommending the alarm solution corresponding to the second similar historical alarm event in the knowledge base.
Example III
Fig. 4 is a schematic structural diagram of an electronic device according to a third embodiment of the present application, as shown in fig. 4, the electronic device includes a processor 410, a memory 420, an input device 430 and an output device 440; the number of processors 410 in the electronic device may be one or more, one processor 410 being taken as an example in fig. 4; the processor 410, memory 420, input device 430, and output device 440 in the electronic device may be connected by a bus or other means, for example in fig. 4.
The memory 420 is used as a computer readable storage medium for storing software programs, computer executable programs and modules, such as program instructions/modules corresponding to the alarm solution recommendation method in the embodiment of the present application. The processor 410 executes various functional applications and data processing of the electronic device by running software programs, instructions and modules stored in the memory 420, i.e. implements the alert solution recommendation method described above:
under the condition of receiving alarm information to be recommended, acquiring all alarm events within a preset time length before the alarm information to be recommended;
judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events or not;
if so, adding the alarm information to be recommended to the target alarm event to obtain the alarm event to be recommended;
comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared;
and recommending a solution based on the historical alarm event to be compared and the alarm event to be recommended in the knowledge base.
Based on the method, the historical alarm information is divided into clusters in advance, then the alarm information to be recommended is added to the target alarm event corresponding to the cluster, the alarm event to be recommended obtained after the adding is compared with the historical alarm event in the knowledge base, so that a solution to be recommended is obtained.
Memory 420 may include primarily a program storage area and a data storage area, wherein the program storage area may store an operating system, at least one application program required for functionality; the storage data area may store data created according to the use of the terminal, etc. In addition, memory 420 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, memory 420 may further include memory remotely located relative to processor 410, which may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Example IV
A fourth embodiment of the present application also provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are for performing an alarm solution recommendation method, the method comprising:
under the condition of receiving alarm information to be recommended, acquiring all alarm events within a preset time length before the alarm information to be recommended;
judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events or not;
if so, adding the alarm information to be recommended to the target alarm event to obtain the alarm event to be recommended;
comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared;
and recommending a solution based on the historical alarm event to be compared and the alarm event to be recommended in the knowledge base.
Based on the method, the historical alarm information is divided into clusters in advance, then the alarm information to be recommended is added to the target alarm event corresponding to the cluster, the alarm event to be recommended obtained after the adding is compared with the historical alarm event in the knowledge base, so that a solution to be recommended is obtained.
Of course, the storage medium containing the computer executable instructions provided in the embodiments of the present application is not limited to the above method operations, and may also perform the related operations in the alarm solution recommendation method provided in any embodiment of the present application.
From the above description of embodiments, it will be clear to a person skilled in the art that the present application may be implemented by means of software and necessary general purpose hardware, but of course also by means of hardware, although in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, etc., including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method of the embodiments of the present application.
It should be noted that, in the above-mentioned embodiments of the search apparatus, each unit and module included are only divided according to the functional logic, but not limited to the above-mentioned division, as long as the corresponding functions can be implemented; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the present application.
Note that the above is only a preferred embodiment of the present application and the technical principle applied. It will be understood by those skilled in the art that the present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the application. Therefore, while the application has been described in connection with the above embodiments, the application is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the application, which is set forth in the following claims.

Claims (9)

1. An alert solution recommendation method, the method comprising:
under the condition of receiving alarm information to be recommended, acquiring all alarm events within a preset time length before the alarm information to be recommended;
judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events or not;
if so, adding the alarm information to be recommended to the target alarm event to obtain the alarm event to be recommended;
comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared;
recommending a solution based on the historical alarm event to be compared and the alarm event to be recommended in the knowledge base;
comparing the historical alarm event in the obtained knowledge base with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared, wherein the method comprises the following steps:
mapping the alarm event to be recommended into an event vector through a minimum hash algorithm, and then carrying out segmentation processing on the event vector to obtain an event slice set corresponding to the alarm event to be recommended;
searching whether a target slice equal to any event slice in the event slice set exists or not from a knowledge base obtained in advance, and if so, determining a historical alarm event corresponding to the target slice as a historical alarm event to be compared.
2. The method of claim 1, wherein the determining whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event of the all alarm events comprises:
classifying the alarm information to be recommended according to a preset convergence mark;
judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events or not based on the type of the alarm information to be recommended.
3. The method according to claim 2, wherein the determining whether the alarm information to be recommended belongs to the cluster corresponding to any target alarm event of the all alarm events based on the type of the alarm information to be recommended includes:
obtaining clusters corresponding to all alarm events, wherein the clusters are obtained by dividing alarm information in the preset time length in advance by using a community discovery algorithm, and any cluster comprises at least one piece of alarm information;
for any cluster, determining whether the alarm information to be recommended and the alarm information in the cluster meet preset conditions;
if yes, determining the cluster as a cluster corresponding to the target alarm event to which the alarm information to be recommended belongs.
4. The method according to claim 1, wherein the method further comprises:
if the clusters corresponding to the target alarm events do not exist, the semantic similarity of the alarm information to be recommended and the historical alarm information in each cluster is compared, and the historical alarm event corresponding to the cluster to which the target historical alarm information with the similarity meeting the first preset condition belongs is determined to be the first similar historical alarm event;
and adding the alarm information to be recommended into the first similar historical alarm event to obtain the alarm event to be recommended.
5. The method according to claim 4, wherein the method further comprises:
and if the target historical alarm information corresponding to the similarity meeting the first preset condition is not met, generating an alarm event to be recommended based on the alarm information to be recommended.
6. The method of claim 1, wherein the recommending a solution based on the historical alert event to be compared with the alert event to be recommended in the knowledge base comprises:
determining event similarity between each to-be-compared historical alarm event and each to-be-recommended alarm event, and determining to-be-compared historical alarm event corresponding to the event similarity meeting a second preset condition as a second similar historical alarm event;
and acquiring and recommending an alarm solution corresponding to the second similar historical alarm event in the knowledge base.
7. An alarm solution recommendation device, the device comprising:
the acquisition module is used for acquiring all alarm events within a preset time length before the alarm information to be recommended under the condition that the alarm information to be recommended is received;
the judging module is used for judging whether the alarm information to be recommended belongs to a cluster corresponding to any target alarm event in all alarm events;
the event updating module is used for adding the alarm information to be recommended to the target alarm event if the alarm information to be recommended belongs to the target alarm event to obtain the alarm event to be recommended;
the comparison module is used for comparing the historical alarm event in the knowledge base obtained in advance with the alarm event to be recommended, and determining the historical alarm event with the comparison result meeting the preset comparison condition as the historical alarm event to be compared;
the recommending module is used for recommending a solution based on the to-be-compared historical alarm event and the to-be-recommended alarm event in the knowledge base;
the comparison module is specifically used for:
mapping the alarm event to be recommended into an event vector through a minimum hash algorithm, and then carrying out segmentation processing on the event vector to obtain an event slice set corresponding to the alarm event to be recommended;
searching whether a target slice equal to any event slice in the event slice set exists or not from a knowledge base obtained in advance, and if so, determining a historical alarm event corresponding to the target slice as a historical alarm event to be compared.
8. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the alert solution recommendation method of any one of claims 1-6.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements an alarm solution recommendation method according to any one of claims 1-6.
CN202310160733.0A 2023-02-24 2023-02-24 Alarm solution recommending method and device, electronic equipment and storage medium Active CN116132263B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310160733.0A CN116132263B (en) 2023-02-24 2023-02-24 Alarm solution recommending method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310160733.0A CN116132263B (en) 2023-02-24 2023-02-24 Alarm solution recommending method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116132263A CN116132263A (en) 2023-05-16
CN116132263B true CN116132263B (en) 2023-09-19

Family

ID=86309994

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310160733.0A Active CN116132263B (en) 2023-02-24 2023-02-24 Alarm solution recommending method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116132263B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116860578A (en) * 2023-07-07 2023-10-10 广州守恶网络科技有限公司 Network and information security log management system and method
CN116991620B (en) * 2023-08-03 2024-02-23 北京优特捷信息技术有限公司 Solution determining method, device, equipment and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519264A (en) * 2019-08-26 2019-11-29 奇安信科技集团股份有限公司 Tracking source tracing method, device and the equipment of attack
CN111082966A (en) * 2019-11-01 2020-04-28 平安科技(深圳)有限公司 Positioning method and device based on batch alarm events, electronic equipment and medium
CN114116414A (en) * 2021-11-19 2022-03-01 中国工商银行股份有限公司 Alarm method, alarm device, nonvolatile storage medium and electronic equipment
CN114168435A (en) * 2021-10-29 2022-03-11 济南浪潮数据技术有限公司 Alarm processing recommendation method, device, equipment and readable storage medium
CN114707834A (en) * 2022-03-24 2022-07-05 中国银行股份有限公司 Alarm reminding method and device and storage medium
CN115189961A (en) * 2022-07-05 2022-10-14 中汽创智科技有限公司 Fault identification method, device, equipment and storage medium
CN115514619A (en) * 2022-09-20 2022-12-23 建信金融科技有限责任公司 Alarm convergence method and system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519264A (en) * 2019-08-26 2019-11-29 奇安信科技集团股份有限公司 Tracking source tracing method, device and the equipment of attack
CN111082966A (en) * 2019-11-01 2020-04-28 平安科技(深圳)有限公司 Positioning method and device based on batch alarm events, electronic equipment and medium
CN114168435A (en) * 2021-10-29 2022-03-11 济南浪潮数据技术有限公司 Alarm processing recommendation method, device, equipment and readable storage medium
CN114116414A (en) * 2021-11-19 2022-03-01 中国工商银行股份有限公司 Alarm method, alarm device, nonvolatile storage medium and electronic equipment
CN114707834A (en) * 2022-03-24 2022-07-05 中国银行股份有限公司 Alarm reminding method and device and storage medium
CN115189961A (en) * 2022-07-05 2022-10-14 中汽创智科技有限公司 Fault identification method, device, equipment and storage medium
CN115514619A (en) * 2022-09-20 2022-12-23 建信金融科技有限责任公司 Alarm convergence method and system

Also Published As

Publication number Publication date
CN116132263A (en) 2023-05-16

Similar Documents

Publication Publication Date Title
CN116132263B (en) Alarm solution recommending method and device, electronic equipment and storage medium
EP3846048A1 (en) Online log analysis method, system, and electronic terminal device thereof
CN111125268B (en) Network alarm analysis model creation method, alarm analysis method and device
CN103513983B (en) method and system for predictive alert threshold determination tool
CN111930547A (en) Fault positioning method and device and storage medium
CN113282461B (en) Alarm identification method and device for transmission network
CN113449098A (en) Log clustering method, device, equipment and storage medium
CN114465874A (en) Fault prediction method, device, electronic equipment and storage medium
CN113254255A (en) Cloud platform log analysis method, system, device and medium
CN114327964A (en) Method, device, equipment and storage medium for processing fault reasons of service system
CN109993391B (en) Method, device, equipment and medium for dispatching network operation and maintenance task work order
CN112600719A (en) Alarm clustering method, device and storage medium
CN113326173B (en) Method, device and equipment for processing alarm message
WO2015165230A1 (en) Social contact message monitoring method and device
CN114418226A (en) Fault analysis method and device of power communication system
CN117221087A (en) Alarm root cause positioning method, device and medium
CN112306820A (en) Log operation and maintenance root cause analysis method and device, electronic equipment and storage medium
CN116668264A (en) Root cause analysis method, device, equipment and storage medium for alarm clustering
CN107729206A (en) Real-time analysis method, system and the computer-processing equipment of alarm log
WO2023039973A1 (en) Abnormal false alarm processing method and apparatus, and storage medium and terminal
CN115098679A (en) Method, device, equipment and medium for detecting abnormality of text classification labeling sample
CN116155692B (en) Alarm solution recommending method and device, electronic equipment and storage medium
Date et al. Test and evaluation of data association algorithms in hard+ soft data fusion
CN114528909A (en) Unsupervised anomaly detection method based on flow log feature extraction
CN112418449A (en) Generation method, positioning method and device of power supply line fault positioning model

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant