JP2015153078A - Employment history analysis device, method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To perform classification for every employment history whose factor portion is common, with respect to employment histories whose users are not classified in detail.SOLUTION: The invention is configured so that: when a range of employment histories which requires classification of employment history is given, an aggregate of the employment histories corresponding to the range is acquired from an employment history DB storing the employment histories which were written in the past about employment object equipment, and a feature amount is extracted from the respective employment history, and the aggregate of the employment histories is classified based on similarity of the feature amount for every same factor portion.

Description

  The present invention relates to an operation history analysis apparatus, method, and program, and more particularly, to an operation history analysis apparatus, method, and program for analyzing the business content of an operator in system operation.

  Today, for the purpose of accumulating operator's work trail and operator's knowledge, the situation and response work at the time of incident occurrence in system operation are recorded in the operation history and integrated management is performed. The accumulated operation history is used for examining the response when the same incident occurs by searching the past similar history when a new incident occurs and referring to the past response example. Therefore, it is useful to classify the operation history for each identical incident.

  In this specification, a location where an incident has occurred is defined as a cause location in a system that is a target of operation management. For example, in the case of an IT system, "cable", "CPU", "interface card", etc. can be cited as examples of possible causes. Since the operation history is also used for statistical analysis of the type and frequency of incidents that occur in a system to be managed, there are many needs to classify the operation history for each cause. However, the cause location is not always recorded as an item in the operation history.

  Under such circumstances, there is a system that classifies operation history for each keyword using the similarity of words included in the operation history work record, and simultaneously labels the keywords for each class of classification (for example, non-patented). Reference 1).

  Also, for the purpose of statistical analysis of operational history, etc., after extracting the word that will be the keyword, what each keyword indicates is “cause location”, “method of identifying the failure”, “method of solving the failure”, etc. There is a method of manually assigning a label to each keyword by using the label as to whether it corresponds (for example, see Non-Patent Document 2).

Amelie Medem, Marc-Ismael Akodjenou, and Renata Teixeira, "TroubleMiner: Mining network trouble tickets", Integrated Network Management-Workshops, 113-119, 2009 Potharaju Rahul, Navendu Jain, and Cristina Nita-Rotaru. "Juggling the jigsaw: Towards automated problem inference from network trouble tickets." Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation. 2013. MeCab: Yet Another Part-of-Speech and Morphological Analyzer, http://mecab.googlecode.com/svn/trunk/mecab/doc/index.html) Tatsuaki Kimura, Watanabe, Go Toyono, Ken Nishimatsu, Kohei Shiomoto. "Online template extraction method for large-scale network log information". Society Conference of IEICE, 2013.

  However, the classification according to Non-Patent Document 1 described above is based on keywords that represent common points of operation histories included in a class (interface card, cable, etc.), “failure occurrence device” (router, switch, etc.), “reason for occurrence” ( Maintenance, power outages, etc.), so the types of common points and the granularity of information are different for each class and are not used for statistical analysis.

  Further, in the method of Non-Patent Document 2, a load on the user due to manual intervention and an additional work load when introducing a new model are unavoidable.

  The present invention has been made in view of the above points, and an operation history in which a user can perform classification for each operation history having a common cause with respect to an operation history in which detailed classification is not performed. An object is to provide an analysis apparatus, method, and program.

According to one aspect, there is an operation history analysis device that classifies each operation history having a common cause of an incident from a set of operation histories in which the operations performed by the operator corresponding to the incident of the operation target device are recorded,
When a range of operation history requiring operation history classification is given, an operation history corresponding to the range is obtained from an operation history DB storing operation history described in the past for the operation target device, and the operation history is obtained from the operation history. A feature quantity extracting means for extracting a feature quantity;
There is provided an operation history analyzing apparatus having classification means for classifying the set of operation histories according to the similarity of the feature amounts for the same cause location.

  According to one aspect, by classifying operation history that has not been classified in detail for each operation history having a common cause, the load on the user can be reduced and preventive storage of a network system or the like It is possible to manage such operations.

It is an example of system configuration in a 1st embodiment of the present invention. It is a flowchart of the operation log | history analysis apparatus in the 1st Embodiment of this invention. It is an example of system configuration in a 2nd embodiment of the present invention. It is an example of the system configuration | structure in the 3rd Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  The present invention classifies each operation history having a common cause from various data associated with the operation history.

[First Embodiment]
In the present embodiment, a case will be described in which the past operation history is classified for each cause location, and the classification result is presented to the user or output as an additional item of the past operation history.

  FIG. 1 shows an example of a system configuration in the first embodiment of the present invention.

The system shown in FIG. 1 includes a monitoring system 1, an operation target device group including operation target devices 2 ₁ to 2 _n , an operation history DB 3, a system state information DB 4, a user (terminal) 5, and an operation history analysis device 10a.

The monitoring system 1 collects operation information from each of the operation target devices 2 ₁ to 2 _n and outputs it to the system status information DB 4. The monitoring system 1 also outputs an alarm message output log to the operation history analyzer 1a when the system is abnormal.

  The operation history DB 3 stores an operation history that records the work performed by the operator.

  The system status information DB 4 stores information represented by character strings such as alarm messages issued from the monitoring system 1 to the user (terminal) 5 and syslog output from the operation target device 2.

  The operation history analysis apparatus 10 a includes a feature amount acquisition unit 11, a classification unit 12, and a user interface 13.

  Hereinafter, the process of the operation history analyzer 10a will be described with reference to the flowchart of FIG.

  It is assumed that the operation history of the operation target device p to be operated is stored in the operation history DB 3 in advance, and the system state information regarding the incident is stored in the system state information DB 4.

  Step 101) When an operation history range (for example, No. 0020 to No. 0040) requiring classification of the operation history specified by the user 5 is specified from the user interface unit 13, the feature quantity acquisition unit 11 Information is read from either or both of the operation history DB 3 and the system status information DB 4.

  Step 102) First, the case of acquiring feature values from the operation history DB 3 will be described.

In the description of summary information such as operation history titles and event names, the cause is often described, and since summary information exists in all operation histories, using summary information for all operation histories There is an advantage that enables classification. Therefore, in this embodiment, summary information is used as a feature amount as an example. Of the operation histories to be classified, the k-th operation history is T _k . When the sentence of the event name of T _k is S _k , a set of words W _k = {w _k1 , w _k2 ,..., W _kn } is included in S _k , and feature quantity D (T _k ) = W _k To do. Acquisition of W _k from S _k is the morphological analyzer Mecab (e.g., Non-Patent Document 3) is used or the like.

  In addition, other items described in the operation history of the operation history DB 3 can be used as the feature amount. For example, an incident occurrence model of the operation target device p, a location where the incident occurred, a service name where the incident occurred, and the like. Thereby, classification with an arbitrary granularity becomes possible.

  Step 103) Next, a case where a feature amount is acquired from the system state information DB 4 will be described.

System status information is output to the user (terminal) 5 by the operation target devices p _{1 to pn} themselves to be operated or the monitoring system 1. Examples of the system status information include alarm messages, syslog, MIB (Management Information Base) information, etc. of the monitoring system 1 and are stored in the system status information DB 4. The system state information is output according to the state of the cause part and is robust information that does not depend on the user 5 describing the operation history. Therefore, the system state at the time of incident occurrence is used as a feature amount.

  Specifically, there are 1) a method for acquiring a feature value using a system message and 2) a method for acquiring a feature value using system numerical information.

1) When acquiring feature values using system messages:
Of the set of operation histories classified by the operation history DB 3, the k-th operation history is set as T _k, and the set M _{k of} system messages in the failure described in T _k is used as a feature amount. The system message is observed as a character string, such as an alarm message of the monitoring system or a syslog output from a component device of the operation target system. As a system message acquisition method, a system message description field in the operation history of the operation history DB 3 is used, or a system message output within t minutes before and after the incident time described in the operation history is acquired. Conceivable. The user defines the time span t. The method of using a system message as a feature value uses the method of using a word included in the system message as a feature value, the log template creation method of Non-Patent Document 4, and the like, similar to the method of obtaining the feature value of the operation history described above. In other words, a method may be considered in which the same ID is assigned to system messages representing the same meaning, and a set of IDs is used as a feature amount. When the ID is used as a feature value, a method using a set of system message IDs corresponding to T _k as a feature value can be considered. When the ID is a feature amount, a set of system message IDs corresponding to T _k is MID _k, and D (T _k ) = MID _k .

2) When acquiring feature values using system numerical information:
System numerical information to be operated in the system state information DB 4 is used as a feature amount. The system numerical information is information observed as numerical values in the system status information such as “number of packets”, “response time” in the case of a network system, and “number of connected users” in the case of an IT system.

  Step 104) When the feature amount acquisition unit 11 acquires the feature value of the operation history, the classification unit 12 classifies the set of operation history for each of the same cause locations. Any operation history classification method may be used. In the following (1) to (3), a case where hierarchical clustering is used will be described. A set having one or more operation histories as elements is called a “class”. In the present invention, a set of operation histories to be classified is classified into classes.

(1) Class centroid definition:
Let the i-th class in the set of classes be C _i . In order to calculate the similarity in the connection between classes, a centroid that is a representative value of the class is defined. When the operation history belonging to the class C _i is C _i = {T _i1 , T _i2 , ..., T _iK }, the definition of the centroid Cd _i of C _i is the case of a collective feature such as a system message For example, the following can be considered.

Cd _i = D (T _i1 ) ∪D (T _i2 ) ∪… ∪D (T _iK )
Further, in the case of a numerical feature quantity such as system numerical information, the following may be considered.

Cd _i = (Σn (D (t _in )) / K
(2) Definition of similarity between classes:
Using centroid, to define a class of pairs (C _i, C _j) between the similarity _{sim (C i, C j)} . For sim (C _i , C _j ), for the collective feature quantity, for example, the following definition based on the Jaccard coefficient can be considered.

sim (C _i , C _j ) = | Cd _i ∩Cd _j | / | Cd _i ∪Cd _j |
Further, in the case of a numerical feature quantity, the following can be considered.

sim (C _i , C _j ) = √Σ (Cd _i −Cd _j ) ²
(3) Implementation of classification:
Hierarchical clustering is performed using all operation histories to be classified.

For all operation histories, get a class that contains only one operation history. Using the similarity between the classes in the operation history defined in (2) above, the pair (C _{p ′} , C _{q ′} ) of the class with the highest similarity among the pairs of all classes and the similarity sim ( C _{p ′} , C _{q ′} ). If the threshold defined in advance is ε, and sim (C _{p ′} , C _{q ′} ) <ε, all existing classes are transferred to step 105 as classification results. On the other hand, if sim (C _{p ′} , C _{q ′} ) ≧ ε, C _{p ′} and C _{q ′} are removed from the set of classes, and a new class C _{p′q ′} '= C _{p ′} ∪C _q' create. Thereafter, the process returns to the calculation of the similarity and the process of obtaining the class pair having the highest similarity, and the process is repeated until the number of existing classes becomes 1 or the maximum similarity is less than the threshold value and the process is terminated.

  Step 105) When the process of Step 104 is completed, the classification result is output to the user (terminal) 5 via the user interface 13. The user 5 uses this as an input for statistical analysis.

[Second Embodiment]
In the first embodiment described above, the past operation history is classified and used as an input for statistical analysis. However, in this embodiment, new incidents that occurred in the operation target device are classified and new The case where the past operation history classified into the same class as the incident that occurred is presented.

  FIG. 3 shows an example of a system configuration in the second embodiment of the present invention. In the figure, the same components as those in FIG.

  In the present embodiment, the user (terminal) 5 or the monitoring system 1 gives the system status information (alarm message) to the operation history analyzer 10b for the incident newly generated in the operation target device 2, and the system status information is the most. The case where the similar operation history class and the included operation history are presented to the user (terminal) 5 is shown. In the system configuration of FIG. 3, since the system state information is given from the monitoring system 1 to the feature amount acquisition unit 11, the system state information DB 4 becomes unnecessary.

  In this case, the operation history analysis apparatus 10b is designated with a range of past operation history to be classified from the user (terminal) 5 via the user interface 13, and system state information regarding a failure newly generated from the monitoring system 1 Is entered. Although this newly generated incident does not necessarily have a format of operation history, classification is possible from system state information in classification, so data with no operation history or only incomplete system state information is used as operation history. Treat equally. This assumes the case of referring to a similar operation history when dealing with a newly occurring incident. The incident that is being handled may not have a complete operation history. In this case, classification is performed only from "system status information" such as alarm messages. The classification unit 12 of the operation history analysis apparatus 10b receives the range input from the user (terminal) 5 and uses the same method as in step 103-2) of the first embodiment to specify the system state information in the specified range. In the classification result, the operation history belonging to the same class as the incident newly generated in the operation target device p is presented to the user (terminal) 5.

[Third Embodiment]
In the first and second embodiments described above, classification is performed including incidents that are both targeted, and the results are used. However, in this embodiment, the operation history is classified in advance and a new incident is created. A case will be described in which classes with high similarity are acquired in order, and operation history with high relevance is sequentially referred to and used for root cause analysis of incidents.

  FIG. 4 is a system configuration example according to the third embodiment of the present invention.

  In the figure, the same components as those in FIG.

  A class DB 6 is provided in the configuration of FIG. The class DB 6 stores a result of previously classifying the operation information in the operation information DB 3 by an arbitrary method (for example, the process of step 104 in FIG. 2 in the first embodiment).

  The feature quantity acquisition unit 11 of the operation history analysis apparatus 10 c converts the input system state information into a feature quantity and outputs it to the classification unit 12.

  When the system state information of a new incident is input from the user (terminal) 5, the classification unit 12 of the operation history analysis apparatus 10 c calculates the similarity with each class of the class DB 6, and starts from the class with a high similarity. The information is presented to the user (terminal) 5 in order.

  In addition, the processing of each component of the operation history analysis apparatuses 10a, 10b, and 10c shown in FIGS. 1, 3 and 4 is constructed as a program and installed in a computer used as the operation history analysis apparatus, or is executed. It is possible to distribute through a network.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible within the scope of the claims.

1 Monitoring System 2 Operation Target Device 3 Operation History DB
4 System status information DB
5 users (terminals)
6 Class DB
10a, 10b, 10c Operation history analyzer 11 Feature amount acquisition unit 12 Classification unit 13 User interface

Claims (7)

An operation history analyzer that classifies each operation history that has a common cause of an incident from a set of operation histories that record the operations performed by the operator corresponding to the incident of the operation target device.
When a range of operation history that requires operation history classification is given, an operation history set corresponding to the range is acquired from the operation history DB storing operation history described in the past for the operation target device, and each operation history is acquired. Feature amount extraction means for extracting feature amounts from
Classifying means for classifying the operation history set by the similarity of the feature amount for each same cause location;
An operation history analyzing apparatus characterized by comprising: The feature amount extraction means includes:
The operation history analysis apparatus according to claim 1, further comprising means for extracting a feature quantity of system state information given from the operation target device or a system that monitors the operation target device in addition to the operation history. The feature amount extraction means includes:
The operation history analysis apparatus according to claim 1, further comprising means for extracting the feature amount from summary information of the operation history. The feature amount extraction means includes:
The operation history analysis apparatus according to claim 2, further comprising means for extracting the feature amount using a system message of the system state information or system numerical information of the operation target device. The classification means includes
5. The operation history analysis apparatus according to claim 1, further comprising means for classifying according to the similarity of the feature amount using hierarchical clustering. An operation history analysis method for classifying each operation history having a common cause of an incident from a set of operation histories in which the operations performed by the operator corresponding to the incident of the operation target device are recorded,
When a range of operation history that requires operation history classification is given, an operation history set corresponding to the range is acquired from the operation history DB storing operation history described in the past for the operation target device, and each operation history is acquired. A feature extraction step for extracting a feature from
A classification step of classifying the operation history set according to the similarity of the feature amount for each same cause location;
An operational history analysis method characterized by: Computer
The operation history analysis program for functioning as each means of the operation history analysis apparatus of any one of Claims 1 thru | or 5.

Images