JP2017173941A - Incident management system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To rapidly recognize, when a help desk person receives a telephone communication from an end user, the presence or absence of an incident whose factor overlaps that of the received incident, and timely provide detailed information of the incident to a user.SOLUTION: An incident management system determines an occurrence event classification and possibility index using a system name and a keyword included in the content of an incident on the basis of incident information registered in an incident DB, groups, as an incident due to the same factor, an incident of the same occurrence event classification occurring in the same system using a mapping DB, and displays also another incident in the same group when receiving a display request commanding one incident.SELECTED DRAWING: Figure 1

Description

  In the present invention, when a help desk person (hereinafter referred to as a user) manages incident information, an incident having a duplicate cause can be efficiently recognized regardless of the type of cloud, and timely delivery to end users can be realized. It is a system that implements information provision.

  Some incidents received at the help desk generate multiple inquiries for one event (about 50 in many cases). In addition, when a hybrid cloud that combines a private cloud and a public cloud has been introduced recently, the content of messages from incident monitoring alerts may differ depending on the individual cloud environment, which tends to complicate information management. It is in.

  There may be multiple help desk personnel who accept inquiries from customers, and even if the cause of the accepted incident overlaps with the cause of other incidents, the help desk personnel will recognize when the inquiry is accepted It has become difficult to do.

  In some cases, the cause of the accepted incident has already been investigated by the response of another incident, and the cause and response status may be registered in the incident DB. Even in such a case, if the help desk person cannot recognize that it is a duplicate incident, it is handled as a new incident, which is once managed and the user is informed that it will be contacted later. That is, there is a problem that the latest information on incident response cannot be provided to the user in a timely manner.

JP 2013-54530 A

  Patent Document 1 includes an incident information holding unit, an extraction condition holding unit, an extracting unit, and an extraction result holding unit, and the incident information holding unit holds and extracts information on a plurality of incidents generated in the information processing system. The condition holding unit holds extraction conditions predetermined by the user in order to extract incidents to be notified to the user, and the extraction unit extracts incidents based on the extraction conditions, notifies the user of the information, and extracts this time The system which compares the result of this and the past extraction result hold | maintained at an extraction result holding | maintenance part, and notifies the user of the information of the incident contained only in one side is disclosed.

  Although it has been described that incidents can be managed efficiently by automating the addition and deletion of incidents using the system of Patent Document 1, it is considered that there is no duplication in registered incidents. Not.

  In the present invention, when a help desk person receives a telephone call from an end user, it quickly recognizes whether there is an incident whose cause is the same as the incident, and provides more detailed information about the incident to the user in a timely manner. The task is to do.

  An incident registration processing unit that accepts incident identifiers, incident contents, and occurrence system identifiers, and registers incidents in the incident database, and rules for classifying incidents using keywords and occurrence system identifiers included in the received incident contents Search the stored selection DB, search the mapping DB based on the obtained classification and system identifier, the classification processing unit that calculates the obtained classification and probability index indicating the probability of classification, and the corresponding combination If there is a mapping processing unit that adds the incident identifier and the calculated possibility index to the combination found in the mapping DB search, and an output request for the incident content with the incident identifier specified, the mapping DB is referenced and accepted. The same system identifier as the incident identifier It is solved by an incident management system including an output unit that outputs other incident identifiers in association with each other.

  A more detailed configuration will be clarified in the examples.

  Reducing incident duplication can reduce the incident response load of response help desk personnel.

It is an example of the system block diagram concerning the Example of this invention. It is an example of the block diagram of the incident management server which concerns on the Example of this invention. It is an example of the block diagram of a system cloud based on the Example of this invention. It is an example of the mapping database of the incident in response based on the Example of this invention. It is an example of the incident database based on the Example of this invention. It is an example of the selection database of occurrence event classification based on the Example of this invention. It is an example of the occurrence event keyword database based on the Example of this invention. It is an example of the monitoring message keyword database based on the Example of this invention. It is an example of the flowchart of an incident registration process based on the Example of this invention. It is an example of the duplication incident notification screen based on the Example of this invention.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 is an example of a diagram showing a system configuration. The cloud system 10 includes a plurality of cloud systems. In this example, the cloud system 10 includes three clouds, that is, cloud A, cloud B, and cloud C. As one of the clouds, a customer on-premises computer may be included. These clouds include different types of clouds such as private clouds and public clouds. The customer application system is composed of at least two or more cloud systems or on-premises systems.

  The cloud system is monitored by the monitoring tool 20. In this example, monitoring is performed by three monitoring tools: monitoring tool A, monitoring tool B, and monitoring tool C. The monitoring tool may be software installed in the cloud, or may be a tool that accesses and monitors the cloud system from the outside.

  FIG. 2 is a configuration diagram of the incident management server. Connected to the monitoring tool 20 via a network, incidents detected by the monitoring tool 20 can be automatically registered.

  Furthermore, the incident server 100 is connected to the operator terminal 200 operated by the help desk operator via the network, and registers incidents received by the help desk operator from the user.

  The incident management server 100 includes a CPU 110 that performs arithmetic processing, a memory 120 that is used for temporary storage of processing programs and processing data, an I / O interface 130 that is connected to a network, and an external storage device 191 that stores various databases. Is done.

The external storage device 191 stores a corresponding incident mapping DB 200, an incident DB 300, an occurrence event classification selection DB 400, an occurrence event keyword DB 500, and a monitoring message keyword DB 600.
An input device such as a keyboard and a mouse and an output device such as a display may be connected to the I / O interface.

  Memory 120 includes user terminal transmission / reception unit 140, incident registration processing execution unit 150, incident mapping processing execution unit 160, occurrence event category selection execution unit 170, duplicate incident notification screen display unit 175, occurrence event category selection logic 180, and correspondence The middle incident mapping logic 181 and the incident data connection interface 190 are stored as software modules (hereinafter referred to as modules) and executed by the CPU 110.

  The user terminal transmission / reception unit 140 performs data transmission / reception with the operator terminal 101 connected via the network. More specifically, the help desk operator receives data input through an input device such as a keyboard connected to the operator terminal 101, performs a transfer process to another module, and the processing result from the other module. Processing to transmit to the user terminal 101 is performed.

  The incident registration processing execution unit 150, the incident mapping processing execution unit 160, the occurrence event classification selection execution unit 170, the duplicate incident notification screen display unit 175, and the incident data connection interface 190 are modules that execute incident management in this system. The incident registration process execution unit 150 stores the information input from the operator terminal 101 by the help desk operator 102 through the above-described process in the incident DB 300. The occurrence event category selection execution unit 170 connects the incident DB 300 stored in the incident management server 100 and the occurrence event category selection DB 400 by the above-described processing, and enables the occurrence event category. The incident mapping process execution unit 160 reflects information in the corresponding incident mapping DB 200 via the incident data connection interface 190 based on a command from the operator terminal 101. The duplicate incident notification screen display unit 175 displays the duplicate incident notification screen 1000 on the operator terminal based on the mapping result by the above-described processing.

  The occurrence event category selection logic 180 monitors the status of the occurrence event category selection execution unit 170 instructed by the user through the user terminal 101, and determines the processing status of the database.

  FIG. 3 is a configuration diagram of the system cloud. A plurality of servers are installed on the cloud environment, and applications are operating on the servers. In this example, the application B is executed on the server B1 and the server B2, and the server B1 is in the cloud A, but the server B2 is in the cloud B. In such a case, even if the message is related to the same application B, if the server B1 is stopped, the message “B1 server is out of function” is output from the cloud A, and if the server B2 is stopped, the message is sent from the cloud B. The message “B2 server down” may be output and it may be difficult to detect that the server is down.

  FIG. 4 shows the configuration of the mapping DB 200. Stores information related to incidents entered from operator terminals or automatically registered from monitoring system messages, including the cloud system name 201 where the incident occurred, incorrect display, processing delay, connection not possible, etc. Are stored, and an incident number 203 assigned to the incident, and a probability index 204 indicating the probability of the generated event classification 202 are stored.

  FIG. 5 shows a configuration of an incident DB 300 that stores incidents input by an operator and incidents extracted from messages of the monitoring tool 20.

  In this example, incident numbers IM00001 to IM0003 are incidents input by the operator, and incident numbers IM00004 to IM00006 are incidents extracted from the message of the monitoring tool 20.

  In the incident DB 300, the assigned incident number 301, the cloud system name 302, the received contents (user inquiry) 303 received from the user by the operator, the monitored message contents 304 received from the monitoring tool 20, and whether or not the processing for the incident has been completed. Status 305 to be displayed, trigger 306 indicating whether the inquiry is from the user or a report from the monitoring tool 20, reception date and time 307 indicating the time when the incident management system incident was received, and incidents that are considered to be the same on the mapping DB 200 The related incident No. 308 for storing the incident No. is included.

  FIG. 6 shows an occurrence event category selection DB that stores a rule for converting received content (user inquiry) 303 or monitoring message content 304 registered in the incident DB 300 into an occurrence event category.

  Occurrence event classification selection DB 400 has one rule for each row, and confirms whether it is included in the incident reception contents (user inquiry) 303 entered in the incident DB 300 from the cloud system name 401 and the operator terminal 200 Occurrence event keyword 402, monitoring message keyword 403 to check whether it is included in the monitoring message sent from the monitoring tool 20 and registered in the incident DB, occurrence event classification 404 indicating the type of the occurrence event that has been classified, occurrence When the keyword registered in the event keyword 402 and the monitoring message keyword 403 is included, the generated event classification 404 includes a possibility index 405 indicating a correct probability.

  The rule on the first line is a rule that, when the keyword “login” and “impossible” are included in the contents entered by the operator in system A, it is determined that “connection is impossible” with a 100% possibility index.

  Based on the system name 302 registered in the incident DB 300 and the received content (user inquiry) 303 or the monitoring message content 304, the generated event category selection execution unit 170 selects and registers the generated event category 404 and the possibility index 405. . The occurrence event classification 404 and the possibility index 405 are calculated and defined based on a correlation result analyzed based on past incident information. The past incident information is analyzed periodically, and the probability of the possibility index can be improved by updating the occurrence event classification 404 and the possibility index 405 as needed.

  FIG. 7 shows the contents of the occurrence event keyword DB 500 in which keywords are collected and stored in advance from the inquiry contents notified from the end user to the help desk operator.

  FIG. 8 shows a monitoring message keyword DB 600 in which keywords are collected and stored in advance from message contents sent from the monitoring tool.

  FIG. 9 is a flowchart illustrating a process for performing an incident registration process in the incident management server.

  Step 701: First, the incident registration processing execution unit 150 stores the incident information in the incident DB 300 by inputting a message from the monitoring tool or inputting an incident content from the operator terminal 101.

  Step 702: It is determined whether the incident registration is an incident registration from an operator terminal.

  Step 703: In the case of incident registration from the operator terminal (702 Yes), the keywords included in the received contents (user inquiry) 303 of the incident DB 300 based on the keywords of the generated event keyword DB 400 by the generated event classification selection execution unit 170 To extract.

  Step 704: The occurrence event category selection execution unit 170 matches the system name 302 of the incident DB 300 with the system name 401 of the occurrence event category selection DB 400, and the keyword extracted from the incident DB is the occurrence event of the occurrence event category selection DB 400 It is checked whether there is a rule that matches the keyword 402. When there is a rule that matches, the occurrence event classification of the rule and the possibility index 405 are selected.

  Step 705: If the incident registration is registration from the monitoring tool 20 (702 No), the occurrence classification selection execution unit 170 is included in the monitoring message content 304 of the incident DB 300 based on the keyword of the monitoring message keyword DB 600 Extract keywords.

  Step 706: The incident event classification selection execution unit 170 monitors the incident event classification selection DB 4000 when the system name 302 of the incident DB 300 matches the system name 401 of the incident event classification selection DB 400 and the keyword extracted from the incident DB is It is checked whether there is a rule that matches the message keyword 403. When there is a rule that matches, the occurrence event classification of the rule and the possibility index 405 are selected.

  Step 707: Selection of occurrence event classification Based on the system name 401 and occurrence event classification 404 in the DB 400, the system name 201 and occurrence event classification 202 in the mapping DB 200 are searched to find a combination that matches the system name and occurrence event classification.

  Step 708: It is determined whether or not an incident is registered in the combination of the system name 201 and the occurrence event classification 202 found by the mapping DB 200 search.

  Step 709: If no incident is registered, the incident No 301 being processed and the possibility index 405 are registered in the incident No 203 and possibility index 204 corresponding to the combination of the mapping DB 200 found by the search.

  Step 710: When information on other incidents is stored in incident No203 of the combination of mapping DB200 found in the search (708 No), it is possible that the incident No301 remains with other incident numbers and possibility indexes remaining. Add index 405 to the same cell.

  Step 711: The duplicate incident notification screen 1000 is displayed on the operator terminal.

  In this way, it is possible to know how many incidents have to be handled by grouping incidents using the mapping DB 200 so that the incidents are caused by the same cause. When there is a handling incident that overlaps with the registered incident, the operator terminal is notified at the same time as the incident registration, so that the operator can check the response status of the incident at that time.

  FIG. 10 shows a screen displayed on the operator terminal at the same time as the incident registration when there is a handling incident that overlaps with the registered incident. At the time of incident registration by a help desk person in charge, the contents of the mapping DB 200 are output to the operator terminal, so that it is possible to check whether there is an incident that overlaps with the registered incident. At that time, it is possible to reduce the possibility of giving a misunderstanding that a plurality of different incidents are generated due to differences in transmission information from monitoring tools, which are different for each cloud environment.

  In addition, when there is a duplicate incident, the help desk staff can recognize the presence, and can notify the user based on the registered information about the response status at that time.

  100 Incident management server, 101 Operator terminal, 102 Help desk operator, 110 CPU, 120 memory, 130 I / O interface, 140 User terminal transmission / reception unit, 150 Incident registration processing execution unit, 160 Incident mapping processing execution unit, 170 Occurrence classification Selection Execution Unit, 175 Duplicate Incident Notification Screen, 180 Occurrence Event Classification Selection Logic, 181 Incident Response Mapping Logic, 190 Incident Data Connection Interface, 200 Mapping DB, 300 Incident DB, 400 Occurrence Event Classification Selection DB, 500 Occurrence event keyword DB, 600 Monitoring message keyword DB, 700 Incident registration processing, 1000 Duplicate incident notification screen

Claims (3)

An incident registration processing unit that accepts an incident identifier, an incident content, and an identifier of an occurrence system, and registers the incident in the incident DB;
A classification process that searches the selection DB that stores the rules for classifying incidents using the keywords included in the received incident content and the identifier of the system in which the incident occurred, and obtains a probability index indicating the obtained classification and the probability of classification And
A mapping processing unit that searches the mapping DB based on the obtained classification and system identifier, and adds the incident identifier and the obtained possibility index to the combination found by the mapping DB search if there is a corresponding combination;
When an output request for an incident content with an incident identifier specified is received, an output unit is provided that outputs the corresponding system identifier and other incident identifier of the same classification as the received incident identifier by referring to the mapping DB Incident management system. The incident registration processing part registers the incident content received from the operator as the incident content and the error message received from the monitoring tool,
2. The incident management system according to claim 1, wherein the classification processing unit uses a keyword used for classification of error messages different from a keyword used for classification of incident contents received from an operator. When the incident registration processing unit registers an incident, the mapping processing unit determines whether there is duplication of incident information,
The incident management system according to claim 2, wherein the screen display unit displays duplicate incident information on an operator terminal.

Images