JP2018081403A - Incident management system, incident management method and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique to support efficient management of an incident which has occurred in an information processing system.SOLUTION: An incident management system 100 includes: a data holding unit 30 which holds an incident and at least a piece of operation state information related to the incident showing an operation state of an information processing system in association with each other per incident which has occurred in the information processing system; and an identification unit 21 which identifies a similar incident which is similar to a selected incident which is selected from among a plurality of incidents. When a plurality of pieces of operation state information are associated with the selected incident, the identification unit 21 identifies an incident associated with a plurality of pieces of operation state information which are associated with the selected incident among a plurality of incidents as the similar incident.SELECTED DRAWING: Figure 4

Description

  The present invention relates to data processing technology, and more particularly to technology for supporting incident management of an information processing system.

  IT service management is becoming more important than ever as IT infrastructure is being used by a wide range of users. Regarding IT service management, the Office of Government Commerce (OGC) has published a collection of best practices called Information Technology Infrastructure Library (ITIL) (registered trademark). Recently, an increasing number of companies are working to improve IT service management according to ITIL.

  Service support is one of the cores of ITIL. Service support is described in terms of daily system operation and user support, and consists of one function and five processes. As functions, a service desk that serves as a contact point for inquiries from users, and incident management, problem management, change management, release management, and configuration management are defined as processes.

  In the service desk business, various inquiries such as what kind of inquiries are received from end users, how they are responded to, and whether the inquiries have been processed and closed are recorded. In order to support such service desk work, an incident management system that accumulates inquiries from end users as incidents has been put into practical use (for example, Patent Document 1).

JP 2008-129973 A

  When the incident occurs, the person in charge of the operation department who performs the service desk business specifies an incident similar to the incident (hereinafter also referred to as “similar incident”). Here, the similar incident refers to an incident that may have the same root cause. When there is a similar incident, the person in charge can use the response content described in the progress information of the similar incident as information (that is, knowledge information) for progressing the incident toward the end. Therefore, if similar incidents can be accurately identified, incidents can be rapidly advanced toward containment.

  The present invention has been made in view of these problems, and a main object thereof is to provide a technique for supporting efficient management of incidents occurring in an information processing system.

  In order to solve the above-described problem, an incident management system according to an aspect of the present invention includes at least one operation state information indicating an incident and an operation state of the information processing system for each incident occurring in the information processing system, A data holding unit that holds and associates at least one operation state information related to the incident and a node of the information processing system that outputs each of the at least one operation state information, and is selected from a plurality of incidents A specifying unit that specifies a similar incident similar to the selected incident. When the plurality of operation state information output from one or a plurality of nodes is associated with the selected incident, the specific unit is associated with a plurality of operation state information identical to the selected incident among the plurality of incidents. In addition, incidents that match the nodes that output the plurality of pieces of operation state information may be identified as similar incidents.

  Another aspect of the present invention is an incident management method. This method is an incident management method that is executed by an incident management system including a data holding unit and a specifying unit, and the data holding unit performs an incident and an information processing system for each incident that occurs in the information processing system. At least one piece of operation state information indicating the operation state, and at least one piece of operation state information related to the incident and the node of the information processing system that outputs each of the at least one piece of operation state information are stored in association with each other. The incident management method includes a step of identifying a similar incident similar to a selected incident selected from a plurality of incidents. In the identifying step, when a plurality of operation state information output from one or a plurality of nodes is associated with the selected incident, a plurality of operation state information identical to the selected incident is associated among the plurality of incidents. The incidents that match the nodes that output the plurality of pieces of operation state information are identified as similar incidents.

  It should be noted that any combination of the above-described constituent elements and a conversion of the expression of the present invention between a computer program, a recording medium storing the computer program, and the like are also effective as an aspect of the present invention.

  According to the present invention, it is possible to support efficient management of incidents that occur in an information processing system.

It is a figure which shows the structure of the operation management system of embodiment. It is a figure which shows an incident information screen. It is a figure which shows a similar incident list screen. It is a block diagram which shows the function structure of an incident management system. It is a figure which shows the data structure of the operation state information holding | maintenance part of FIG. It is a figure which shows the data structure of the node information holding part of FIG. It is a figure which shows the operation state information extracted by the morphological analysis.

  FIG. 1 shows a configuration of an operation management system 700 according to the embodiment. The first information processing system 400a, the second information processing system 400b, the third information processing system 400c,..., Which are collectively referred to as the information processing system 400, include backbone systems and information systems of various companies. The operation management system 700 is a computer system built in an IT service company (for example, an SI company). The operation management system 700 provides an operation management service for a plurality of information processing systems 400. In other words, the operation management system 700 supports the operation management work by the operation department of the IT service company.

  The operation management system 700 provides an operation management service for the information processing system 400. The operation management system 700 includes an incident management system 100, a monitoring device 200, and an operation staff terminal 300. The incident management system 100 manages information related to incidents transmitted from the monitoring device 200 and the operator terminal 300. A detailed functional configuration of the incident management system 100 will be described later with reference to FIG.

  The monitoring device 200 monitors the operating state of the information processing system 400, and executes, for example, life and death monitoring processing or hardware resource usage status monitoring processing. When the operation state of the information processing system 400 becomes a predetermined abnormal state, the monitoring apparatus 200 issues a new incident and transmits the incident information to the incident management system 100. In addition, when the operating state of the information processing system 400 that has issued an incident changes, the monitoring apparatus 200 transmits update information of the incident to the incident management system 100.

  The operation person in charge terminal 300 is an information processing terminal operated by a person in charge in the operation department (hereinafter referred to as “operation person”), and is provided with an incident information screen and a similar incident list screen provided from the incident management system 100 ( (Both described later) are displayed on a predetermined display. The operation staff terminal 300 accepts input of information related to an incident that has occurred in the information processing system 400 (for example, incident draft information and update information input to the incident information screen) from the operation staff. Then, the information is transmitted to the incident management system 100.

  FIG. 2 shows an incident information screen. The incident information screen displays various attribute information related to the incident held in the incident management system 100. The person in charge of operation inputs the basic information 800 and the detailed information 802 on the incident information screen and issues a new incident. The person in charge of operation sequentially adds the progress information 801 on the incident information screen as the incident is examined and the work progresses, and appropriately changes the status of the incident. Although not shown, the person in charge of operation may arbitrarily add a tag (hereinafter referred to as “history tag”) to the progress information 801, and the history tag is based on a combination of a keyword and a history tag stored in advance. You may make it give automatically. Information transmitted from the monitoring device 200 to the incident management system 100 is also various attribute information of the incident shown in FIG. In the incident information screen of FIG. 2, information on one incident (hereinafter also referred to as “selected incident”) selected by the operation person among a plurality of incidents held in the incident attribute information holding unit 31 (described later) is displayed. Is displayed. A similar incident button 803 is pressed when searching for (identifying) a similar incident similar to the selected incident.

  FIG. 3 shows a similar incident list screen. The similar incident list screen is a screen that is displayed when the similar incident button 803 on the incident information screen is pressed, and a list of similar incidents is displayed in the order of similar scores (described later). In the incident ID column 810, an ID for uniquely identifying an incident and an incident ID of the identified similar incident is displayed. The title column 814 displays the titles of similar incidents. In the similar score column 812, a score indicating the similarity of similar incidents is displayed. The title column 814 displays the titles of similar incidents. The title column 814 is linked to the title, and when the user presses the title, the incident information screen of the similar incident is displayed.

  Although not shown, a tag for identifying an incident (hereinafter referred to as “incident management tag”) may be displayed instead of the incident ID. For example, an incident ID and an incident management tag may be registered in association with each other in advance, and an incident management tag that uniquely identifies an incident based on the predetermined combination may be displayed on the similar incident list screen.

  FIG. 4 is a block diagram illustrating a functional configuration of the incident management system 100. Each of these blocks can be realized in hardware by an element such as a CPU of a computer or a mechanical device, and is realized in software by a computer program or the like, but here, functions realized by their cooperation. Draw a block. Therefore, those skilled in the art will understand that these functional blocks can be realized in various forms by a combination of hardware and software.

  Incident management system 100 includes a communication processing unit 10, a data processing unit 20, and a data holding unit 30. The communication processing unit 10 is in charge of an interface with the operation staff terminal 300. The communication processing unit 10 is also in charge of communication processing with the monitoring device 200. The data processing unit 20 executes various data processing based on the data acquired by the communication processing unit 10 and the data stored in the data storage unit 30. The data processing unit 20 also serves as an interface between the communication processing unit 10 and the data holding unit 30. The data holding unit 30 holds various setting data prepared in advance and data received from the communication processing unit 10 or the data processing unit 20.

  The communication processing unit 10 includes an input unit 11, a display control unit 12, and an incident information reception unit 13. The input unit 11 receives an input from a person in charge of operation. The display control unit 12 displays various information generated by a screen generation unit 24 (described later) on the screen. For example, the display control unit 12 displays an incident information screen on the display of the operator terminal 300.

  The incident information receiving unit 13 receives from the monitoring apparatus 200 incident incident information and update information that specify various incident attribute information. The incident information receiving unit 13 receives incident attribute information input on the incident information screen from the operation staff terminal 300 as incident draft information and update information. The incident attribute information received from the monitoring device 200 and the operation staff terminal 300 is stored in the incident attribute information holding unit 31 (described later).

  The data holding unit 30 includes an incident attribute information holding unit 31, an operation state information holding unit 32, and a node information holding unit 33. The data holding unit 30 is mainly composed of an arbitrary recording medium such as a memory or a hard disk.

  The incident attribute information holding unit 31 holds attribute information related to a plurality of incidents that occurred in each of the plurality of information processing systems 400. This attribute information is various information items shown on the incident information screen in FIG. 2, and includes, for example, an incident ID, a system name, a status, a priority, and the like.

  The operation state information holding unit 32 holds operation state information that may be related to an incident. The operation state information includes nodes (network devices, servers, storages) included in the information processing system 400, OS, middleware, or application software (hereinafter referred to as “components” of the information processing system 400) operating on the nodes. (Also referred to as “operating state”). FIG. 5 shows a data structure of the operation state information holding unit 32. The operation state information holding unit 32 holds the incident ID 32a, the node 32b, and the operation state information 32c in association with each other. The incident ID 32a is an ID for uniquely identifying an incident, and corresponds to the incident ID on the incident information screen in FIG. 2 and the incident ID on the similar incident list screen in FIG. A node 32 b indicates a node of the information processing system 400. The operation state information 32c is operation state information of components of the information processing system 400, and indicates operation state information extracted from the log by the registration unit 23 as described later. For example, the incident with the incident ID “0002” (hereinafter referred to as incident (0002)) includes the operation state information extracted from the A server 01 or the OS operating on the server A, the B router, The operating state information extracted from the operating OS or the like operating on that is associated.

  FIG. 6 shows the data structure of the node information holding unit 33. The node information holding unit 33 holds the node name 33a and the similarity determination node name 33b in association with each other. The node name 33a is a node name that uniquely identifies the node. The similarity determination node name 33b is a node name used when a similar incident is specified by the specifying unit 21 (described later). In the example of FIG. 6, the similarity determination node name of both the A server 01 and the A server 02 is “A server”. Therefore, the specifying unit 21 handles the A server 01 and the A server 02 as the same node when specifying a similar incident.

  Returning to FIG. 4, the data processing unit 20 includes a specifying unit 21, a registration unit 23, and a screen generation unit 24. For each incident, the registration unit 23 registers operation state information that may be related to the incident in the operation state information holding unit 32. Specifically, the registration unit 23 acquires a log of each component of the information processing system 400 in a predetermined period before and after the occurrence of the incident (for example, 10 minutes before and after the incident occurrence time), and a log output rule for each component (For example, using a keyword for each component as a key), the operation state information is extracted from the log. Then, the registration unit 23 registers the extracted operation state information in the operation state information holding unit 32.

  The specifying unit 21 refers to the operation state information holding unit 32 and specifies a similar incident similar to the selected incident. The identifying unit 21 treats nodes having the same similarity determination node name in the node information holding unit 33 as the same node when identifying a similar incident. For example, the specifying unit 21 treats a node (A server 01) and a node (A server 02) whose similarity determination node names are both “A server” as the same node. Note that the method of determining the nodes handled by the specifying unit 21 as the same node is not limited to this. For example, when the node name is a combination of a character string representing the type of the node and a number, the specifying unit 21 may determine to treat the same name by removing the number from the node name as the same node. .

  Specifically, when one piece of operation state information is associated with the selected incident, the specifying unit 21 associates the same operation state information with the operation state information, and the node that has output the operation state information Identify matching incidents as similar incidents.

  For example, when the selected incident is the incident (0008), the identifying unit 21 identifies the incident (0001) and the incident (0005) in which “Diskusedover 70%” is detected in the “D server” in the same manner as the selected incident (0008). Identify as a similar incident.

  Further, when a plurality of operation state information output from one or a plurality of nodes is associated with the selected incident, the specifying unit 21 associates a plurality of operation state information that is the same as the plurality of operation state information. The incidents that match the nodes that output the plurality of pieces of operation state information are identified as similar incidents.

  For example, when the selected incident is the incident (0012), the identifying unit 21 detects “CPUuserdover90%” in the “A server 01” or “A server 02” in the same manner as the selected incident (0012), and the “B router”. Incident (0002), incident (0005), and incident (0010) in which “NWcheckedNG” is detected are identified as similar incidents.

  The identifying unit 21 also identifies the similarity (similarity score) of the identified similar incident. For example, the specifying unit 21 specifies that an incident in which more operation state information different from one or more operation state information associated with the selected incident is associated is a similar incident with a lower similarity. In the present embodiment, the specifying unit 21 deducts points from the similarity score “100 points” by the amount associated with the operation state information different from the selected incident (for example, by assigning −20 points for each), thereby making the similarity Specify the degree.

  For example, when the operation state information is the state of FIG. 5, the similarity scores of incident (0002), incident (0005), and incident (0010) that are similar incidents of the selected incident (0012) are 100 points, 80 points, and 60 points, respectively. It becomes a point.

  The screen generator 24 generates various screens such as an incident information screen and a similar incident list screen.

  With respect to the incident management system 100 configured as described above, an operation when a similar incident is specified will be described. When a similar incident search button (similar incident button 803 in FIG. 2) is pressed on the incident information screen of the selected incident, the specifying unit 21 specifies a similar incident. The screen generation unit 24 generates a similar incident list screen on which the similar incidents specified by the specifying unit 21 are displayed. The display control unit 12 displays the similar incident list screen generated by the screen generation unit 24 on the screen. The user clicks the link attached to the title of the similar incident list screen to display the incident information screen of similar incidents. The user utilizes the response content described in the displayed progress information of the similar incident as information (that is, knowledge information) for advancing the selected incident toward the end.

  According to the incident management system 100 of the embodiment described above, when a plurality of operation state information output (detected) by one or a plurality of nodes is associated with a selected incident, a plurality of operations identical to the selected incident Incidents that are associated with state information and that match the nodes that output the plurality of pieces of operation state information are identified as similar incidents. Here, in the information processing system 400, a large number of components may be affected in a chain manner by a failure caused by one cause. On the other hand, in the incident management system 100 according to the embodiment, as described above, incidents in which the associated “plurality” of operation state information matches and nodes that output the plurality of operation state information respectively match each other are detected. Since the incident is identified as a similar incident, it is possible to identify a similar incident with high accuracy even if it is an incident in which a failure occurs in a component, and the knowledge of the similar incident can be used. That is, efficient management of incidents can be supported.

  Further, according to the incident management system 100 of the embodiment, information extracted from the log of the information processing system 400 is associated with an incident as operation state information, and a similar incident is specified based on the associated operation state information. Here, in the conventional incident management system, similar incidents are specified based on summary information input by the person in charge of operations. Depending on the person in charge of operation, for example, there are those who input the summary information that “the CPU usage rate is rising”, for example, and those who input the summary information that “the response is slow”, even for the same event. That is, the summary information input by the person in charge of operation can be different even for the same event. Of course, even if the person in charge of the operation is the same, different summary information can be input depending on the timing when the event occurs. Therefore, in the conventional incident management system, there are cases where the same event is not identified as a similar incident. On the other hand, it is conceivable to associate logs directly as incident-related information so that input information does not differ for each person in charge of operation, but this is not realistic because the data capacity becomes enormous. On the other hand, in the incident management system 100 according to the embodiment, the operation state information extracted from the log as described above is associated with the incident, and similar incidents are identified based on the operation state information. Identify incidents.

(Modification 1)
In the embodiment, the registration unit 23 obtains a log of each component of the information processing system 400, considers a log output rule for each component (for example, using a keyword for each component as a key), and logs from the log. Although the case where operation state information is extracted has been described, the present invention is not limited to this. The registration unit 23 may extract the operation state information by decomposing the log acquired from each component into character strings. As an example, the registration unit 23 decomposes the acquired log into morphemes, performs a morphological analysis to determine a utilization form, original form, and part of speech for each element, and extracts an element determined as a noun as operation state information Good.

  FIG. 7 shows operation state information extracted by morphological analysis. FIG. 7 corresponds to FIG. In FIG. 7, the extracted elements (operation state information) are displayed separated by parentheses ([]). “-” Indicates that there was no log output during a predetermined period before and after the incident occurred when the operation state information was not extracted.

  The specifying unit 21 specifies a similar incident similar to the selected incident based on the operation state information extracted by morphological analysis. In the present modification, the specifying unit 21 first extracts the operation state information of each node associated with the selected incident one by one, and creates a combination of the operation state information with brute force. Similarly, for the incidents other than the selected incident held in the incident attribute information holding unit 31, the specifying unit 21 takes out the operation state information of each associated node one by one, and sets the combination of the operation state information in a brute force manner. create. Then, the specifying unit 21 specifies an incident having a combination of operation state information that matches the combination of operation state information of the selected incident as a similar incident.

For example, when the selected incident is incident (0005), the specifying unit 21 extracts the operation states of two associated nodes one by one and combines them in a brute force manner to generate the following 20 combinations of operation state information. .
A server: MODULE001 x B router: 2016/08/14
A server: MODULE001 × B router: NIC01
A server: MODULE001 × B router: NWchecked OK
A server: MODULE001 × B router: NIC02
A server: MODULE001 × B router: NWcheckedNG
A server: Status005 × B router: 08/14/2016
A server: Status005 × B router: NIC01
A server: Status005 × B router: NWchecked OK
A server: Status005 × B router: NIC02
A server: Status005 × B router: NWcheckedNG
A server: CPUused 90% x B router: 2016/08/14
A server: CPUusedover90% × B router: NIC01
A server: CPUusedover90% × B router: NWchecked OK
A server: CPUusedover90% × B router: NIC02
A server: CPUusedover90% × B router: NWcheckedNG
A server: IO ERR × B router: 2016/08/14
A server: IO ERR × B router: NIC01
A server: IO ERR × B router: NWchecked OK
A server: IO ERR × B router: NIC02
A server: IO ERR × B router: NWcheckedNG

Similarly, the identifying unit 21 generates a combination of operation state information for incidents other than the selected incident. Then, the identifying unit 21 checks whether each incident has a combination of operation state information that matches the combination on the operation state of the selected incident, and identifies an incident that has a combination of the matching operation state information as a similar incident. For example, when the selected incident is the incident (0005), the specifying unit 21 sets the incident (0001) having the following two combinations of the operation state information that matches the combination of the operation state information of the selected incident (0005) as the similar incident. Identify.
A server: CPUusedover90% × B router: NWchecked NG
A server: IO ERR × B router: NWcheckedNG

Further, the specifying unit 21 specifies an incident (0003) having one combination of the following operation state information that matches the combination of operation state information of the selected incident (0005) as a similar incident.
A server: CPUusedover90% × B router: NWchecked NG

  The identifying unit 21 also identifies the similarity (similarity score) of the identified similar incident. The identifying unit 21 identifies a similar incident with a higher degree of similarity as the number of combinations of operating state information that matches the operating state information combination of the selected incident increases. Further, the specifying unit 21 specifies that an incident associated with operation state information of a node different from the selected incident is a similar incident having a lower similarity. Specifically, the specifying unit 21 adds points (for example, +20 points for each) to the similarity score by the number of combinations of the same operation state information as the selected incident, and the operation state information of a node different from the selected incident is associated. If the number of different nodes is different, the similarity score is specified by deducting points from the similarity score (for example, -5 points per one).

  According to this modification, the same operational effects as the operational effects achieved by the incident management system 100 of the embodiment are exhibited. In addition, according to this modification, the specifying unit 21 can specify the similar incident based on the operation state information extracted from the log by the registration unit 23 through the morphological analysis. In this case, since it is not necessary for the user to understand the log output rule for each component, the burden on the user is reduced.

(Modification 2)
Although not particularly mentioned in the embodiment, for an incident for which the response has been completed, a recovery process executed to advance the incident toward the end may be registered as a script. In this case, when the incident is issued and the operation state information is associated with the incident, the specifying unit 21 automatically specifies the similar incident and specifies the similarity score. If the similarity score of the similar incident is equal to or greater than a predetermined threshold and a script is registered for the similar incident, the specifying unit 21 automatically executes the script. According to the present modification, it is possible to reduce the burden on the operation staff by saving the trouble of executing the operation for identifying the similar incident, confirming the similar incident, and executing the recovery process similar to the similar incident. Note that the script may be created and registered by the person in charge of the operation, or may be automatically created and registered from the log when the incident is handled.

(Modification 3)
In the embodiment, the case has been described in which the person in charge of operation can specify one selected incident and specifies a similar incident similar to the selected one selected incident, but the present invention is not limited to this. The operations staff may be able to specify multiple selected incidents. For example, the person in charge of operation can designate a plurality of selected incidents by designating a plurality of incidents from the incident list on an incident list screen (not shown). In this case, for example, the specifying unit 21 may specify similar incidents for each selected incident, and a sum of them may be used as similar incidents of a plurality of selected incidents.

  When a plurality of selected incidents are selected, for example, two (hereinafter referred to as “selected incident 1” and “selected incident 2”, respectively), both selected incident 1 and selected incident 2 are displayed on the similar incident list screen. Similar incidents identified as being similar to the above may be displayed at the top, and similar incidents similar to either the selected incident 1 or the selected incident 2 may be displayed below the similar incident.

  In addition, when selecting a plurality of incidents, time series selection can also be performed. For example, when a plurality of selected incidents, for example, two (hereinafter referred to as “selected incident 1” and “selected incident 2”, respectively) are selected, and the incident 2 occurs after the incident 1, the specifying unit 21 Based on the time-series relationship that incident 2 occurs after incident 1 (in addition to the time-series context, the occurrence time difference can also be added to the evaluation target), the incident 1 It is also possible to search whether there is a similar incident group in which an incident 2 ′ similar to the incident 2 occurs after the incident 1 ′ similar to.

(Modification 4)
Although not specifically mentioned in the embodiment and the above-described modified example, among the similar incidents identified by the identifying unit 21, for the similar incidents that the user has identified as similar incidents, the user The authorization may be fed back (for example, flagged by a check box). The incident management system 100 may receive the feedback and associate and store the selected incident and the similar incident identified as the similar incident by the identifying unit 21 and recognized as the similar incident by the user. For example, as one of the attribute information of the incident attribute information holding unit 31, an incident ID of a similar incident certified by the user may be held. The user can use the association relationship stored in this way. For example, when referring to a past incident extracted by searching for a past incident, it is possible to further refer to an incident having a similar relationship with the past incident. Further, for example, it is possible to make it possible to refer to an incident having a similar relationship with the similar incident extracted when a similar incident similar to the selected incident is searched. In particular, in general, past incidents with a large number of similar relationships are incidents that are often referred to, and have a high value as past knowledge.

  21 Identification part, 30 Data holding part, 31 Incident attribute information holding part, 32 Operation state information holding part, 100 Incident management system, 400 Information processing system.

Claims (4)

For each incident that occurs in the information processing system, the incident and at least one operation state information indicating the operation state of the information processing system, at least one operation state information related to the incident, and at least one operation state information A data holding unit that holds the information processing system nodes that output the
A specific unit that identifies a similar incident similar to a selected incident selected from a plurality of incidents, and
In the case where a plurality of operation state information output from one or a plurality of nodes is associated with a selected incident, the specifying unit associates a plurality of operation state information identical to the selected incident among the plurality of incidents. And an incident management system that identifies incidents that match the nodes that output the plurality of pieces of operation state information as similar incidents.   2. The incident management system according to claim 1, wherein the specifying unit specifies an incident having a lower degree of similarity as an incident associated with more operation state information or node information different from the selected incident. . An incident management method for causing an incident management system comprising a data holding unit and a specific unit to execute,
The data holding unit includes, for each incident that occurs in the information processing system, an incident and at least one operation state information indicating an operation state of the information processing system, and at least one operation state information related to the incident; A node of an information processing system that outputs each of at least one piece of operation state information,
The incident management method includes a step of identifying a similar incident similar to a selected incident selected from a plurality of incidents,
In the identifying step, when a plurality of operation state information output from one or a plurality of nodes is associated with the selected incident, a plurality of operation state information identical to the selected incident is associated among the plurality of incidents. And an incident that matches the nodes that output the plurality of pieces of operating state information, respectively, is identified as a similar incident. For each incident that occurs in the information processing system, the incident and at least one operation state information indicating the operation state of the information processing system, at least one operation state information related to the incident, and at least one operation state information A function of associating and holding the nodes of the information processing system that output each of the
A computer with the ability to identify similar incidents similar to the selected incident selected from multiple incidents,
In the case where a plurality of operation state information output from one or a plurality of nodes is associated with a selected incident, the function to be identified is associated with a plurality of operation state information identical to the selected incident among the plurality of incidents. And a computer program characterized by identifying similar incidents as incidents that match the nodes that output the plurality of pieces of operation state information.

Images