JP2019133246A - Order control program, order control method, and information processing apparatus - Google Patents

Abstract

To provide an order control program capable of suppressing the occurrence of a problem due to a delay in anomaly event response.SOLUTION: An order control program causes a computer to execute processing of: performing an anomaly event detection process for detecting an anomaly event occurring in any of a plurality of machines based on monitoring data of the plurality of machines included in a system; referring to a storage unit storing information indicating relations between a plurality of services executed in the system when the plurality of anomaly events are detected to specify the number of other services having a specific relationship with the service executed on the machine for each machine causing the occurrence of each of the detected plurality of anomaly events; and displaying information on the detected plurality of anomaly events on a display unit in an order corresponding to the specified number of the other services.SELECTED DRAWING: Figure 12

Description

  This case relates to an order control program, an order control method, and an information processing apparatus.

  Information and Communication Technology (ICT) systems including server devices, storage devices, network devices, and the like are known. In addition, for example, an observation apparatus that collects time-series data related to the usage status of a central processing unit (CPU) or a memory from a server device and displays a temporal change in the usage status in a graph is also known. In particular, a technique is known in which an observation device detects an anomaly event of an ICT system and displays the occurrence status of the anomaly event on a monitor (see, for example, Patent Document 1).

JP 2017-072882 A

  By the way, when a large number of anomaly events are detected, the ICT system operator or administrator (hereinafter simply referred to as an operator) must determine the priority of response to the anomaly event and respond to the anomaly event. Is required. In particular, the operator is required to determine a priority order within a period of time from when an anomaly event is detected until a problem due to the anomaly event occurs, and to respond to the anomaly event.

  If the operator makes a mistake in the priority order and the response to the anomaly event is delayed, a problem due to the anomaly event occurs. For example, when an anomaly event that may cause a system failure is detected, a system failure may occur if the operator makes a mistake in determining the priority of the response to the anomaly event. If a system failure actually occurs, many users who use the ICT system may be affected.

  Therefore, an object of one aspect is to provide a sequence control program, a sequence control method, and an information processing apparatus that can suppress the occurrence of a problem due to a delay corresponding to an anomaly event.

  In one embodiment, the sequence control program performs an anomaly event detection process for detecting an anomaly event occurring in any of the plurality of machines based on monitoring data of a plurality of machines included in the system, and a plurality of anomaly events. Is detected for each machine that has generated each of the detected anomaly events with reference to a storage unit that stores information indicating a relationship between a plurality of services executed in the system. The number of other services having a specific relationship with the service executed in the above is specified, and the information regarding the detected anomaly events is displayed in an order according to the number of the specified other services. The computer executes the process displayed on the screen.

  In one embodiment, the sequence control program performs an anomaly event detection process for detecting an anomaly event that has occurred for any of the plurality of monitoring targets based on monitoring data of the plurality of monitoring targets included in the system, and When an anomaly event is detected, the detection frequency of the anomaly event that has occurred for the monitored object is calculated for each of the monitored objects of the detected anomaly events, and the detected anomaly events are related to the detected anomaly event The computer displays the information on the display unit in the order corresponding to the calculated detection frequency.

  It is possible to suppress the occurrence of a problem due to a delay in anomaly event response.

FIG. 1 is an example of an information processing system. FIG. 2 is an example of a CMDB. FIG. 3 shows an example of the hardware configuration of the analysis server. FIG. 4A is an example of a block diagram of the analysis server. FIG. 4B is an example of the data storage unit. FIG. 5 is an example of the first data management table. FIG. 6A is an example of the second data management table and the third data management table. FIG. 6B is an example of the fourth data management table. FIG. 7 is an example of the fifth data management table. FIG. 8 is a flowchart illustrating an example of the first process executed by the data collection unit. FIG. 9 is a flowchart illustrating an example of the second process executed by the anomaly detection unit and the display order control unit. FIG. 10 is a diagram illustrating an example of display priority. FIG. 11 is a flowchart illustrating an example of the third process executed by the data visualization unit. FIG. 12 shows an example of the anomaly list screen. FIG. 13 shows an example of the anomaly detail screen. FIG. 14 shows another example of the anomaly list screen. FIG. 15 shows another example of the anomaly list screen. FIG. 16 shows another example of the anomaly detail screen.

  Hereinafter, an embodiment for carrying out this case will be described with reference to the drawings.

(First embodiment)
FIG. 1 shows an example of the information processing system S. FIG. 2 is an example of the Configuration Management Database (CMDB) 140. The information processing system S includes a monitoring target system 100, a configuration collection server 130, and a CMDB 140 as a storage unit. The CMDB 140 may be included in the configuration collection server 130. In addition, the information processing system S includes a performance monitoring server 150 and an event monitoring server 170. Further, the information processing system S includes a management server 190, an analysis server 200 as an information processing apparatus, and an operation terminal 300.

  Note that at least one of the monitoring target system 100, the configuration collection server 130, the CMDB 140, the performance monitoring server 150, the event monitoring server 170, and the operation terminal 300 may be excluded from the components of the information processing system S. That is, the information processing system S only needs to include at least the management server 190 and the analysis server 200. As shown in FIG. 1, the operation terminal 300 can be realized by a personal computer (PC) including an input unit 310, a display unit 320, and a control unit (not shown). The operation terminal 300 may be realized by a smart device such as a tablet terminal. The operation terminal 300 is operated by an operator.

  The monitoring target system 100 includes a plurality of host machines 110. Some or all of the plurality of host machines 110 are connected to each other. The plurality of host machines 110 are connected to the configuration collection server 130, the performance monitoring server 150, and the event monitoring server 170 via the communication network NW. Examples of the communication network NW include the Internet and a local area network (LAN). The host machine 110 corresponds to various server devices such as a Web server, an application server, a database server, and a virtualization server, a storage device, and a network device. Therefore, the monitoring target system 100 may be called a computer system or an ICT system. A user (not shown) who is an end user of the information processing system S or the monitoring target system 100 accesses the monitoring target system 100 and executes or provides (hereinafter simply referred to as execution) the monitoring target system 100. You can use the service. Examples of the plurality of services include services related to business support such as a data processing service and an imaging service.

  Note that a software group (for example, Open Stack) that builds a cloud platform or a cloud environment (hereinafter simply referred to as a cloud platform) is installed in the monitoring target system 100. More specifically, software called Keystone is installed on the host machine 110 described above. Keystone performs authentication functions such as user management and access control. Some host machines 110 are equipped with software called Nova. Nova has a compute function to run virtual machines. Other software such as Swift, Glance, and Cinder are also known. The monitoring target system 100 realizes a cloud platform by cooperation of these software.

  The configuration collection server 130 accesses a plurality of host machines 110, dynamically collects various configuration information possessed by each host machine 110, and stores them in the CMDB 140. The configuration information includes information related to the hardware configuration of the host machine 110 (specifically, the name and IP address of the host machine), information related to the virtual environment (specifically, the version number of the hypervisor, CPU and memory usage). Situation). The configuration information also includes information related to the operating system (OS) and application software (hereinafter simply referred to as an application), information related to patch application status, and parameter setting status of the application. In addition, the configuration collection server 130 identifies the service executed by the accessed host machine 110, the one-generation service and the one-generation service related to the service, and stores them as configuration information. Further, the configuration collection server 130 specifies a parent-child relationship or a master-slave relationship (hereinafter simply referred to as “parent-child relationship”) of a plurality of host machines 110 and stores it as configuration information.

  As a result, the CMDB 140 stores the configuration information of each host machine 110 for each host machine 110 as shown in FIG. For example, the host machine 110 having the name “host 2” has a parent relationship with the host machine 110 having the name “host 1”, and the host machine 110 having the name “host 3” has a child relationship. Further, the host machine 110 having the name “host 2” executes the service 3, the service 4, and the service 5. On the other hand, as services related to the service executed by the host machine 110 having the name “host 2”, the service 1 and the service 2 executed by the host machine 110 having a parent relationship and the name “host 3” are provided. There is a service 6 executed by the host machine 110. As described above, the services 1 to 6 have a specific relationship associated with the parent-child relationship of the host machine 110. Therefore, for example, when a failure occurs in the host machine 110 having the name “host 2”, the execution of the services 3 to 5 and the service 6 under the first generation is stopped, but the execution of the services 1 and 2 over the first generation is continued. To do. The operation terminal 300 may store the configuration information in the CMDB 140 by performing an operation for storing the configuration information in the CMDB 140 by the operator.

  The performance monitoring server 150 monitors each host machine 110 and the resources of each host machine 110 via the communication network NW. Specifically, the performance monitoring server 150 monitors hardware resources (for example, CPU and memory). The performance monitoring server 150 may monitor software resources. The performance monitoring server 150 acquires data such as performance and load from the resources to be monitored as monitoring data. The monitoring data includes CPU usage rate, memory usage rate, disk throughput, and the like as resource performance and load. The performance monitoring server 150 manages the acquired monitoring data in comparison with various angles.

  The event monitoring server 170 monitors various events (events) that occur in the monitoring target system 100 via the communication network NW. For example, when an event that may cause a decrease in the service level of a plurality of services executed in the monitored system 100 occurs, the event monitoring server 170 detects the occurrence of the event, and incident information (hereinafter referred to as an INC ticket). ) To notify the management server 190. Although details will be described later, the INC ticket includes a ticket identifier, a ticket issuance date and time, a name of a service related to the event that has occurred, a name of the host machine 110 that executes the service, a content of the event that has occurred, and the like. .

  The management server 190 includes a ticket DB (not shown), and stores and manages the INC ticket notified from the event monitoring server 170 by the ticket DB. Also, the management server 190 stores and manages the INC ticket issued and notified by a user terminal (not shown) and the change request ticket issued and notified by the operation terminal 300 in the ticket DB. The user terminal is a terminal device used by the user. The INC ticket issued by the user terminal includes inquiries regarding the monitoring target system 100 in addition to the ticket identification information and the ticket issuance date / time. On the other hand, the change request ticket issued by the operation terminal 300 includes a ticket identifier, a ticket issuance date and time, a name of the service affected by the change of the host machine 110, a name of the host machine 110 that executes the service, a modification or a correction. The contents of changes are included.

  The analysis server 200 is connected to the CMDB 140, the performance monitoring server 150, the management server 190, and the operation terminal 300. As shown in FIG. 1, the analysis server 200 may be directly connected to the CMDB 140, the performance monitoring server 150, the management server 190, and the operation terminal 300, or the CMDB 140, the performance monitoring server via the communication network NW. 150, the management server 190, and the operation terminal 300 may be indirectly connected.

  The analysis server 200 collects the monitoring data acquired by the performance monitoring server 150, and executes an anomaly event detection process based on the collected monitoring data. The anomaly event detection process is a process of analyzing the monitoring data and detecting a state different from the normal state, normal state, or steady state (hereinafter simply referred to as normal time) of the host machine 110 and its resources. If a state different from the normal state is detected by the anomaly event detection processing, a problem may occur in the host machine 110, its resources, and the monitoring target system 100 including the host machine 110.

  The analysis server 200 determines the display order of the anomaly information related to the anomaly event based on the monitoring data (hereinafter referred to as anomaly data) in which the anomaly event is detected and the configuration information stored in the CMDB 140. The analysis server 200 may determine the display order of the anomaly information based on the anomaly data and the detection frequency of the anomaly event. The detection frequency may be the number of continuous detections in which anomaly events are detected continuously, or the number of detections per unit time. In the present embodiment, description will be made using the number of continuous detections as an example of the detection frequency.

  Furthermore, the analysis server 200 may determine the display order of the anomaly event information based on the anomaly data, the configuration information, the anomaly event detection frequency, and the number of issued INC tickets managed by the management server 190. . By using the number of issued INC tickets when determining the display order, the accuracy of the possibility of a problem due to an anomaly event is improved. For example, if no INC ticket is issued, it is assumed that even if an anomaly event is detected, there is a low possibility that a problem due to the anomaly event will occur. Although details will be described later, when the analysis server 200 receives various requests and instructions from the operation terminal 300, the analysis server 200 displays the anomaly information on the display unit 320 of the operation terminal 300 in the determined display order.

  Next, the hardware configuration of the analysis server 200 will be described with reference to FIG. The plurality of host machines 110, configuration collection server 130, CMDB 140, performance monitoring server 150, event monitoring server 170, management server 190, and operation terminal 300 described above have basically the same hardware configuration as the analysis server 200. Therefore, the description is omitted.

  FIG. 3 shows an example of the hardware configuration of the analysis server 200. As shown in FIG. 3, the analysis server 200 includes at least a CPU 200A as a hardware processor, a random access memory (RAM) 200B, a read only memory (ROM) 200C, and a network I / F (interface) 200D. The analysis server 200 may include at least one of a hard disk drive (HDD) 200E, an input I / F 200F, an output I / F 200G, an input / output I / F 200H, and a drive device 200I as necessary. The CPU 200A to the drive device 200I are connected to each other by an internal bus 200J. That is, the analysis server 200 can be realized by a computer. Note that a micro processing unit (MPU) may be used as a hardware processor instead of the CPU 200A.

  An input device 710 is connected to the input I / F 200F. Examples of the input device 710 include a keyboard and a mouse. A display device 720 is connected to the output I / F 200G. An example of the display device 720 is a liquid crystal display. A semiconductor memory 730 is connected to the input / output I / F 200H. Examples of the semiconductor memory 730 include a universal serial bus (USB) memory and a flash memory. The input / output I / F 200 </ b> H reads programs and data stored in the semiconductor memory 730. The input I / F 200F and the input / output I / F 200H include, for example, a USB port. The output I / F 200G includes a display port, for example.

  A portable recording medium 740 is inserted into the drive device 200I. Examples of the portable recording medium 740 include a removable disk such as a Compact Disc (CD) -ROM and a Digital Versatile Disc (DVD). The drive device 200I reads a program and data recorded on the portable recording medium 740. The network I / F 200D includes, for example, a LAN port. The network I / F 200D is connected to the CMDB 140, the performance monitoring server 150, the management server 190, and the operation terminal 300 described above.

  In the above-described RAM 200B, a program stored in the ROM 200C or the HDD 200E is temporarily stored by the CPU 200A. In the RAM 200B, the program recorded on the portable recording medium 740 is temporarily stored by the CPU 200A. When the stored program is executed by the CPU 200A, the CPU 200A realizes various functions described later and executes various processes described later. In addition, what is necessary is just to make a program according to the flowchart mentioned later.

  Next, the functional configuration of the analysis server 200 will be described with reference to FIGS.

  FIG. 4A is an example of a block diagram of the analysis server 200. FIG. 4B is an example of the data storage unit 220. FIG. 5 is an example of the first data management table T1. FIG. 6A is an example of the second data management table T2 and the third data management table T3. FIG. 6B is an example of the fourth data management table T4. FIG. 7 is an example of the fifth data management table T5. As shown in FIG. 4A, the analysis server 200 includes a data collection unit 210, an anomaly detection unit 230, a display order control unit 240, and a data visualization unit 250 as processing units. The analysis server 200 includes a data storage unit 220. As shown in FIG. 4B, the data storage unit 220 includes a first data management table T1, a second data management table T2, a third data management table T3, a fourth data management table T4, and a fifth data management table. Various data managed by T5 are stored.

  The data collection unit 210 can be realized by the CPU 200A executing a known log collection / transfer tool (for example, software such as Fluentd or Logstash) and a first process described later. The data storage unit 220 can be realized by the CPU 200A executing a distributed search real-time analysis engine (for example, software such as Elasticsearch) of Open Source Software (OSS) and cooperating with the HDD 200E. The anomaly detection unit 230 and the display order control unit 240 can be realized by the CPU 200A executing a second process described later. The data visualization unit 250 can be realized by the CPU 200A executing a known data visualization tool (for example, software such as kibana) and a third process described later.

  The data collection unit 210 collects monitoring data from the performance monitoring server 150. More specifically, the data collection unit 210 periodically accesses the performance monitoring server 150 in units of minutes to tens of minutes, and the performance monitoring server 150 collects monitoring data acquired from each of the plurality of host machines 110. When the data collection unit 210 collects the monitoring data, it stores the collected monitoring data in the data storage unit 220. Thereby, the data storage unit 220 stores the monitoring data. In particular, the monitoring data is managed by the first data management table T1.

  Here, as shown in FIG. 5, the first data management table T1 manages a plurality of monitoring data for each combination of the host machine 110 and the monitoring target resource. The first data management table T1 has a plurality of fields such as collection date / time, host machine, monitoring target resource, data value, unit, anomaly analysis result, and anomaly detection date / time. The date and time when monitoring data is collected is registered in the collection date and time field. The name or identifier of the host machine 110 is registered in the host machine field. The name of the monitoring target resource is registered in the monitoring target resource field. In the data value and unit fields, an actual value representing the performance of the monitoring data and a symbol or character representing the unit of the actual value are registered. For example, when the unit “%” is registered for the monitoring target resource “CPU”, the data value “78” represents the CPU usage rate. Similarly, when the unit “%” is registered for the monitored resource “memory”, the data value “64” represents the memory usage rate.

  In the field of the anomaly analysis result, an identification flag for identifying whether or not an anomaly event has been detected is registered. For example, the identification flag “1” indicates that an anomaly event has been detected, and the identification flag “0” indicates that an anomaly event has not been detected. The date and time when an anomaly event was detected is registered in the field of anomaly detection date and time. The date and time when the anomaly event is detected is registered with respect to the monitoring data in which the identification flag “1” is registered (hereinafter referred to as anomaly data), and the monitoring data in which the identification flag “0” is registered (hereinafter referred to as non-anomaly data). Is not registered. Thus, a plurality of anomaly data and non-anomaly data are managed for each combination of the host machine 110 and the monitoring target resource by the first data management table T1.

  Further, the data collection unit 210 collects the INC ticket and the change request ticket from the management server 190. More specifically, the data collection unit 210 periodically accesses the management server 190 in units of minutes to tens of minutes, and collects INC tickets and change request tickets managed by the management server 190. When the data collection unit 210 collects the INC ticket and the change request ticket, the data collection unit 210 stores the collected INC ticket and the change request ticket in the data storage unit 220. As a result, the data storage unit 220 stores the INC ticket and the change request ticket. The INC ticket is managed for each issuer by the second data management table T2 and the third data management table T3. The change request ticket is managed by the fourth data management table T4.

  Here, as shown in FIG. 6A, the second data management table T2 manages a plurality of INC tickets issued by the event monitoring server 170. The third data management table T3 manages a plurality of INC tickets issued by the user terminal. The second data management table T2 has a plurality of fields such as ticket ID, issue date / time, service name, host machine, and title. An identifier for identifying the INC ticket is registered in the ticket ID field. In the issue date field, the issue date of the INC ticket is registered. In the service name field, the name of the service related to the event that occurred is registered. The name or identifier of the host machine 110 that executes the service is registered in the host machine field. The content of the event that occurred is registered in the title field. Since the third data management table T3 is basically the same as the second data management table T2, detailed description thereof is omitted.

  On the other hand, as shown in FIG. 6B, the fourth data management table T4 manages a plurality of change request tickets issued by the operation terminal 300. The fourth data management table T4 has a plurality of fields such as ticket ID, issue date / time, service name, host machine, and title. In the ticket ID field, an identifier for identifying the change request ticket is registered. In the issue date field, the issue date of the change request ticket is registered. In the service name field, the name of the service affected by the change of the host machine 110 is registered. The name or identifier of the host machine 110 that executes the service is registered in the host machine field. Changes such as alterations and modifications are registered in the title field.

  The anomaly detection unit 230 acquires monitoring data from the data storage unit 220 and executes an anomaly event detection process on the acquired monitoring data. For example, the anomaly detection unit 230 generates a normal distribution of monitoring data (specifically, the data value of monitoring data) for each combination of the host machine 110 and the monitoring target resource based on the monitoring data acquired from the data storage unit 220. Then, monitoring data that is 2σ or more away from the average value μ of the normal distribution is detected as an anomaly event. The anomaly detection unit 230 registers the identification flag “1” as an analysis result in the field of the anomaly analysis result included in the first data management table T1 for the monitoring data in which the anomaly event is detected. The anomaly detection unit 230 registers the detection date and time in the anomaly detection date and time field included in the first data management table T1 for the monitoring data that has detected the anomaly event. On the other hand, the anomaly detection unit 230 registers the identification flag “0” as the analysis result in the anomaly analysis result included in the first data management table T1 for the monitoring data that has not detected the anomaly event. That is, the anomaly detection unit 230 classifies the monitoring data into anomaly data and non-anomaly data.

  The display order control unit 240 controls the display order of anomaly information. More specifically, when the anomaly detection unit 230 classifies the monitoring data into anomaly data and non-anomaly data, the display order control unit 240 acquires the anomaly data, the INC ticket, and the change request ticket from the data storage unit 220. In particular, the display order control unit 240 acquires both the INC ticket issued by the event monitoring server 170 and the INC ticket issued by the user terminal. When the display order control unit 240 acquires the anomaly data, the INC ticket, and the change request ticket, the display order control unit 240 refers to the configuration information stored in the CMDB 140, and performs various processes based on the anomaly data, the INC ticket, the change request ticket, and the configuration information. To determine the display order of the anomaly information. Details of processing executed by the display order control unit 240 will be described later. When the display order is determined, the display order control unit 240 generates display target data in which the display order is registered and stores it in the data storage unit 220. The display target data is managed by the fifth data management table T5.

  Here, as shown in FIG. 7, the fifth data management table T5 has a plurality of fields such as anomaly ID, detection date and time, elapsed time, host machine, and monitoring target resource. An identifier for identifying display target data is registered in the anomaly ID field. The anomaly ID is given by the display order control unit 240 every time display target data is generated. The anomaly detection date / time of anomaly data is registered in the detection date / time field. The elapsed time from the anomaly detection date to the current date is registered in the elapsed time field. That is, the elapsed time represents the difference between the anomaly detection date and time and the current date and time. The name or identifier of the anomaly data host machine 110 is registered in the host machine field. The name of the monitoring target resource of the anomaly data is registered in the monitoring target resource field.

  Further, as shown in FIG. 7, the fifth data management table T5 has a plurality of fields such as the number of INC tickets (server issue), the number of change request tickets, and the number of INC tickets (user issue). In the field of the number of INC tickets (server issue), the number of INC tickets issued by the event monitoring server 170 is registered. The number of change request tickets issued by the operation terminal 300 is registered in the change request ticket number field. The number of INC tickets issued by the user terminal is registered in the INC ticket number (user issued) field. Note that since each INC ticket issued by the event monitoring server 170 and the user terminal includes the name of the host machine 110, the number of INC tickets can be specified for each host machine 110. . Further, since the name of the host machine 110 is also included in the change request ticket, the number of change request tickets can be specified for each host machine 110.

  Furthermore, as shown in FIG. 7, the fifth data management table T5 has a plurality of fields such as the number of continuous detections, the number of related services, and the display order. In the field of the number of continuous detections, the number of times that an anomaly event that has occurred for the monitored resource is detected continuously is registered. For example, when an anomaly event that has occurred for a monitored resource is detected continuously for 4 minutes at 1-minute intervals, a numerical value “4” is registered in the field of the number of continuous detections. The number of continuous detections is an example of the detection frequency, and the number of times an anomaly event is detected per unit time may be used as the detection frequency. In the related service number field, the number of other services related to the service executed by the host machine 110 is registered. For example, based on the configuration information (see FIG. 2), the host machine 110 having the name “host 1” executes two services, service 1 and service 2, and the host machine 110 having the name “host 2” Three of service 3 to service 5 are executed. Therefore, as shown in FIG. 7, a numerical value “3” is registered in the field of the number of related services corresponding to the host machine 110 having the name “Host 1”. In the display order field, the display order determined by the display order control unit 240 based on the anomaly data, the INC ticket, the change request ticket, and the configuration information is registered. In the present embodiment, 123 pieces of display target data are managed by the fifth data management table T5.

  When receiving the screen display request for requesting the display of the anomaly list screen from the operation terminal 300, the data visualization unit 250 acquires the display target data from the data storage unit 220, and visualizes the acquired display target data. For example, the data visualization unit 250 rearranges the acquired display target data based on the display order, and generates anomaly information that excludes the display order field from the rearranged display target data. When the data visualization unit 250 generates the anomaly information, the data visualization unit 250 displays an anomaly list screen including the generated anomaly information on the display unit 320 of the operation terminal 300.

  Next, the operation of the analysis server 200 will be described.

  FIG. 8 is a flowchart illustrating an example of the first process executed by the data collection unit 210. The data collection unit 210 periodically executes the first process every predetermined time. First, the data collection unit 210 collects monitoring data from the performance monitoring server 150 (step S101), and stores the collected monitoring data in the data storage unit 220 (step S102). When the processing in step S102 is completed, the data collection unit 210 collects various tickets from the management server 190 (step S103), and stores the collected tickets in the data storage unit 220 (step S104). That is, the data collection unit 210 collects each INC ticket and change request ticket from different issuers, and stores the collected INC ticket and change request ticket in the data storage unit 220. The data collection unit 210 may collect and store the monitoring data after collecting and storing the ticket. When the process of step S104 is completed, the data collection unit 210 ends the process.

  FIG. 9 is a flowchart illustrating an example of the second process executed by the anomaly detection unit 230 and the display order control unit 240. FIG. 10 is a diagram illustrating an example of display priority. The anomaly detector 230 and the display order controller 240 periodically execute the second process. First, as shown in FIG. 9, the anomaly detection unit 230 determines whether or not a set time has arrived (step S201). The set time is longer than the predetermined time described above (for example, several hours such as one hour). For example, the data collection unit 210 collects monitoring data and various tickets every 10 minutes and stores them in the data storage unit 220. The anomaly detection unit 230 determines whether or not to execute the processing after step S201 every hour. Judging.

  For example, when the set time has not arrived since the anomaly detection unit 230 performed the process after the process of step S201 last time (step S201: NO), the processes of the subsequent steps S202 to S213 are skipped. As a result, the data collection unit 210 collects the monitoring data and the various tickets and stores them in the data storage unit 220 every time 10 minutes have elapsed since the collection of the monitoring data and the various tickets. As a result, time-series monitoring data and various tickets are accumulated in the data storage unit 220.

  On the other hand, when the set time has arrived since the anomaly detection unit 230 previously executed the processing after step S201 (step S201: YES), the anomaly detection unit 230 acquires monitoring data from the data storage unit 220. (Step S202). When the process of step S202 is completed, the anomaly detection unit 230 executes an anomaly event detection process (step S203), and registers the analysis result and the detection date and time in the first data management table T1 (step S204). Thereby, the monitoring data is classified into anomaly data and non-anomaly data.

  When the process of step S204 is completed, the display order control unit 240 then acquires anomaly data from the data storage unit 220 (step S205), and then acquires various tickets (step S206). When the process of step S204 is completed, the display order control unit 240 then refers to the configuration information stored in the CMDB 140 (step S207) and specifies the number of related services (step S208). When the process of step S208 is completed, the display order control unit 240 then calculates the number of continuous detections (step S209) and specifies the number of tickets (step S210). In particular, the display order control unit 240 specifies the number of tickets for each host machine 110 for each type of ticket. Thus, the number of INC tickets issued by the event monitoring server 170 to the specific host machine 110, the number of INC tickets issued by the user terminal to the specific host machine 110, and the operation terminal 300 The number of change request tickets issued to the host machine 110 is specified.

  When the process of step S210 is completed, the display order control unit 240 measures the elapsed time (step S211), and then determines the display order (step S212). More specifically, the display order control unit 240 determines the number of related services, the number of continuous detections, the number of INC tickets issued by the event monitoring server 170, the number of INC tickets issued by the user terminal, the elapsed time, and the predetermined time. The display order of the anomaly information is determined based on the display priority. The display order control unit 240 may use the number of change request tickets issued by the operation terminal 300 when determining the display order.

  Here, as shown in FIG. 10, the highest display priority is determined by the number of related services. The display priority is determined in the order of the number of consecutive detections, the number of INC tickets issued by the user terminal, and the number of INC tickets issued by the event monitoring server 170, and the lowest display priority is determined for the elapsed time. ing. These priorities may be determined according to, for example, the magnitude of influence when a problem occurs. Therefore, for example, the display target data in which the numerical value “5” is registered in the number of related services and the numerical value “1” is registered in the number of continuous detections, the numerical value “3” is registered in the number of related services, and the numerical value “ 9 ”is displayed, the anomaly information corresponding to the former display target data is displayed higher than the anomaly information corresponding to the latter display target data.

  In addition, the number of related services, the number of continuous detections, the number of INC tickets issued by the user terminal, and the number of INC tickets issued by the event monitoring server 170 are all increased as the number increases. Anomaly information corresponding to is displayed at the top. Conversely, the number of related services, the number of consecutive detections, the number of INC tickets issued by the user terminal, and the number of INC tickets issued by the event monitoring server 170 are all displayed as the number decreases. Anomaly information corresponding to the data is displayed at the lower level. For example, when there are two pieces of display target data in which the number “3” is registered in the number of related services, the number “9” is registered in the number of continuous detections in one display target data, and the other display target data When the numerical value “7” is registered as the number of continuous detections, the anomaly information corresponding to the former display target data is displayed higher than the anomaly information corresponding to the latter display target data.

  However, regarding the elapsed time, the shorter the elapsed time, the higher the anomaly information is displayed. An anomaly event having a shorter time from the detection of the anomaly event to the current time is required to be dealt with more quickly by the operator. This is because it is assumed that no problem has occurred with respect to the anomaly event having a long time from the detection of the anomaly event to the current time.

  Returning to FIG. 9, when the process of step S212 is completed, the display order control unit 240 generates display target data in which the determined display order is registered, and stores the generated display target data in the data storage unit 220 (step S213). . As a result, the data storage unit 220 stores the display target data managed by the fifth data management table T5 (see FIG. 7). When the process of step S213 is completed, the anomaly detection unit 230 and the display order control unit 240 end the process. The anomaly detection unit 230 and the display order control unit 240 dynamically and repeatedly execute the processes described above. In particular, since the display order control unit 240 periodically determines the display order based on the number of related services, the number of continuous detections, the number of various INC tickets, and the like, the display order changes dynamically.

  FIG. 11 is a flowchart illustrating an example of the third process executed by the data visualization unit 250. FIG. 12 shows an example of the anomaly list screen. FIG. 13 shows an example of the anomaly detail screen. Note that the screen layouts of the anomaly list screen and the anomaly detail screen may be changed as appropriate.

  First, as shown in FIG. 11, the data visualization unit 250 waits until a screen display request is received from the operation terminal 300 (step S301: NO). When the data visualization unit 250 receives a screen display request (step S301: YES), the data visualization unit 250 displays an anomaly list screen (step S302). More specifically, the data visualization unit 250 displays the display within the specified time (for example, 24 hours) that is the difference between the anomaly detection date and time and the current date and time from the display target data stored in the data storage unit 220. Target data is extracted, and an anomaly list screen is generated and displayed based on the extracted display target data.

  As shown in FIG. 12, the anomaly list screen includes a number of anomaly events detected and a list of a plurality of anomaly information arranged in priority order. In FIG. 12, the top anomaly information is shown, but the lower anomaly information may be displayed by providing a vertical scroll bar. In addition, the anomaly list screen includes a pie chart indicating the ratio of elapsed time and a breakdown of the elapsed time, a pie chart indicating the ratio of the host machine 110 and a breakdown of the name of the host machine 110, and a pie chart indicating the ratio of the monitoring target resource and monitoring. Contains a breakdown of the name of the target resource. In particular, the names of the host machines 110 and the names of monitored resources are displayed in descending order of the number of detected anomaly events. When the name of the host machine 110 and the name of the monitoring target resource are specified, the data visualization unit 250 narrows and displays the anomaly information including the specified name from the displayed list of anomaly information. In this way, even if a large number of anomaly events are detected, anomaly information related to these anomaly events is displayed side by side in order of priority, so the operator is less likely to make a mistake in determining the priority of the response to the anomaly event To do. As a result, it is possible to suppress the occurrence of a problem due to a delay in the response to the anomaly event. In addition, since information related to the anomaly information is also displayed, the possibility of erroneous determination of priority is further reduced.

  Returning to FIG. 11, when the processing of step S302 is completed, the data visualization unit 250 then waits until accepting designation of anomaly information from the operation terminal 300 (step S303: NO). When the data visualization unit 250 receives designation of anomaly information (step S303: YES), the data visualization unit 250 displays an anomaly detail screen (step S304). More specifically, the data visualization unit 250 displays an anomaly detail screen related to the designated anomaly information.

  For example, as shown in FIG. 12, when any one piece of anomaly information is designated and designated (eg, click or tap) from a plurality of anomaly information displayed on the anomaly detail screen with a pointer Pt, the data visualization unit 250 is displayed. Accepts specification of anomaly information. In the present embodiment, the anomaly information of the anomaly ID “88” is designated by the pointer Pt. When receiving the designation of the anomaly information, the data visualization unit 250 displays an anomaly detail screen related to the designated anomaly information as shown in FIG.

  In particular, the data visualization unit 250 extracts and graphs monitoring data including these names from the data storage unit 220 based on the name of the host machine 110 and the name of the monitoring target resource included in the specified anomaly information. The graph GR1 representing the converted monitoring data is displayed in the anomaly detail screen. Since the extracted monitoring data includes both anomaly data and non-anomaly data, the data visualization unit 250 gives a mark M1 to the graphed portion of the anomaly data and highlights it.

  Further, the data visualization unit 250 extracts all the related service names associated with the name from the CMDB 140 based on the name of the host machine 110 included in the designated anomaly information, and displays it in the anomaly detail screen. Further, based on the name of the host machine 110 included in the designated anomaly information, the data visualization unit 250 extracts the INC ticket and the change request ticket including the name from the data storage unit 220 and displays them in the anomaly detail screen. . In particular, the data visualization unit 250 extracts the INC ticket and the change request ticket in which the issue date and time within one hour before and after the anomaly event detection date and time are registered and displays them in the anomaly detail screen. Although FIG. 13 shows the INC ticket issued by the event monitoring server 170, the INC ticket issued by the user terminal may be used.

  As described above, according to the first embodiment, the analysis server 200 includes the anomaly detection unit 230, the display order control unit 240, and the data visualization unit 250. The anomaly detection unit 230 executes an anomaly event detection process for detecting an anomaly event occurring in any of the plurality of host machines 110 based on the monitoring data of the plurality of host machines 110 included in the monitoring target system 100. When a plurality of anomaly events are detected, the display order control unit 240 refers to the CMDB 140 that stores configuration information indicating relationships among a plurality of services executed in the monitoring target system 100. Then, the display order control unit 240 determines, for each host machine 110 that has generated each of the detected anomaly events, the number of other services having a specific relationship with the service executed on the host machine 110. Specify the number of related services. The data visualization unit 250 displays the anomaly information related to the detected plurality of anomaly events on the display unit 320 of the operation terminal 300 in the display order corresponding to the specified number of related services. Thereby, it is possible to suppress the occurrence of a problem due to a delay in response to the anomaly event.

  Further, the anomaly detection unit 230 executes an anomaly event detection process for detecting an anomaly event that has occurred in any of the plurality of monitoring target resources based on the monitoring data of the plurality of monitoring target resources included in the monitoring target system 100. When a plurality of anomaly events are detected, the display order control unit 240 calculates, for each monitored resource that is the source of each of the detected plurality of anomaly events, the number of consecutively detected anomaly events that have occurred for the monitored resource. . The data visualization unit 250 displays the anomaly information regarding the detected plurality of anomaly events on the display unit 320 of the operation terminal 300 in the display order corresponding to the calculated number of consecutive detections. Similarly, such a process can suppress the occurrence of a problem due to a delay in response to an anomaly event.

(Second Embodiment)
Next, a second embodiment of the present case will be described with reference to FIGS.

  14 and 15 are other examples of the anomaly list screen. FIG. 16 shows another example of the anomaly detail screen. In the second embodiment, when a plurality of anomaly events are detected, the display order control unit 240 identifies the host machine 110 that is the source of each of the detected plurality of anomaly events. On the other hand, when the data visualization unit 250 determines that the host machines 110 identified by the display order control unit 240 are common and the difference in the detection date and time of the anomaly event occurring in the identified host machine 110 is within the threshold time The representative anomaly information obtained by aggregating the anomaly information regarding the detected anomaly events is displayed.

  As a result, as shown in FIG. 14, regarding the anomaly information of two common host machines 110 having the name “host 5”, if the difference in detection date and time is within a threshold time (for example, 5 minutes), data The visualization unit 250 displays an aggregation mark G1 that indicates that anomaly information can be aggregated and displayed. When the aggregation mark G1 is designated and instructed by the pointer Pt, the data visualization unit 250, based on the instruction, as shown in FIG. 15, the lower anomaly information is added to the higher anomaly information. And anomaly information with a higher priority is displayed as representative anomaly information.

  Then, the data visualization unit 250 displays the representative anomaly information and displays the representative anomaly information with the aggregation mark G2. When the aggregation mark G2 is designated and instructed by the pointer Pt, the data visualization unit 250 expands representative anomaly information based on the instruction as shown in FIG. When anomaly information is aggregated, the data visualization unit 250 displays all the names of the monitoring target resources before aggregation, but for display items other than the monitoring target resources (for example, the number of continuous detections and the number of related services), The display items of the representative anomaly information are displayed with priority.

  On the other hand, as shown in FIG. 15, when the remaining area excluding the display area of the aggregation mark G2 from the display area of the anomaly information on which the aggregation mark G2 is displayed is designated and designated by the pointer Pt, the data visualization unit 250 Accepts the designation of the designated anomaly information. When receiving the designation of the anomaly information, the data visualization unit 250 displays an anomaly detail screen related to the designated anomaly information as shown in FIG. In this case, the anomaly detail screen extracts and graphs the respective monitoring data of the monitoring target resources before aggregation, and displays the graphs GR1 and GR2 representing the graphed monitoring data in the anomaly detail screen. As described in the first embodiment, since the extracted monitoring data includes both anomaly data and non-anomaly data, the data visualization unit 250 adds marks M1 and M2 to the graphed portion of the anomaly data for emphasis. And display. As a result, the operator can collectively respond to a plurality of anomaly events occurring in the common host machine 110.

  If the data visualization unit 250 refers to the CMDB 140 that stores configuration information and determines that there is a specific relationship between services executed on each of the identified host machines 110, the data visualization unit 250 has a specific relationship. Anomaly information related to anomaly events that occurred in each host machine 110 that executes the determined service may be displayed side by side. The specific relationship includes, for example, the presence / absence of a related service and whether or not the detection date / time is within a threshold time.

  Thereby, for example, the service executed by the host machine 110 having the name “host 5” and the service executed by the host machine 110 having the name “host 4” are related, and the difference between the detection dates and times is the threshold time. If it is within (for example, 5 minutes), the data visualization unit 250 determines that there is a specific relationship, and as shown in FIG. 14, the anomaly information having the name “host 5” and the “host 4” Anomaly information having names is displayed side by side in a higher priority order. In addition, when displaying anomaly information side by side, the anomaly information before arrangement | sequence may be left and you may exclude from a display target. In this embodiment, the anomaly information having the name “host 4” is left and displayed. As a result, the operator can collectively respond to a plurality of anomaly events related to the service.

  The preferred embodiments of the present invention have been described in detail above, but the present invention is not limited to the specific embodiments according to the present invention, and various modifications are possible within the scope of the gist of the present invention described in the claims.・ Change is possible. For example, at least one of the first to third processes described above may be executed by various servers other than the analysis server 200, such as the management server 190, or may be executed by the operation terminal 300.

In addition, the following additional notes are disclosed regarding the above description.
(Supplementary Note 1) Based on monitoring data of a plurality of machines included in the system, an anomaly event detection process for detecting an anomaly event occurring in any of the plurality of machines is performed, and when a plurality of anomaly events are detected, With reference to a storage unit that stores information indicating a relationship between a plurality of services executed in the system, for each machine that is a source of each of the detected anomaly events, a service executed on the machine The number of other services having a specific relationship is specified, and information on the detected anomaly events is displayed on the display unit in an order corresponding to the number of the specified other services. A sequence control program that is executed by the program.
(Appendix 2) When anomaly event detection processing is performed to detect an anomaly event that occurred for any of the plurality of monitoring targets based on monitoring data of a plurality of monitoring targets included in the system, and a plurality of anomaly events are detected Calculating the detection frequency of the anomaly event generated for the monitored object for each monitored object of the detected plurality of anomaly events, and calculating the information regarding the detected anomaly events A sequence control program that causes a computer to execute processing that is displayed on a display unit in an order according to frequency.
(Supplementary Note 3) The number of incident information based on an event that may cause a decrease in service levels of a plurality of services executed in the system is specified, and the information about the detected anomaly events is specified as the incident information. The order control program according to appendix 1 or 2, wherein the processing is executed in such a manner that the processes are displayed in an order corresponding to the number of the items.
(Additional remark 4) The time which passed since detecting the said anomaly event is measured, and the process which displays the information regarding these detected anomaly events in the order according to the said measured time is performed. 4. The sequence control program according to any one of supplementary notes 1 to 3, which is characterized.
(Supplementary note 5) The order control program according to supplementary note 4, wherein the processing is executed such that the shorter the measured time is, the higher the information regarding the detected anomaly events is displayed.
(Supplementary note 6) When a plurality of anomaly events are detected, a machine that generates each of the detected anomaly events is specified, and information indicating a relationship between a plurality of services executed in the system is stored. When it is determined that there is a specific relationship between services executed on each of the specified machines by referring to the storage unit, the error occurred on each machine that executes the service determined to have the specific relationship. 6. The sequence control program according to any one of appendices 1 to 5, wherein a process is executed to display information on anomaly events side by side.
(Supplementary note 7) When a plurality of anomaly events are detected, the machine from which each of the detected anomaly events is identified is specified, the specified machines are common, and the anomaly that has occurred in the specified machine Appendices 1 to 6, wherein when it is determined that the difference between the detection times of the events is within a threshold time, processing is executed to display representative information obtained by aggregating information on the detected anomaly events. The sequence control program according to any one of the above.
(Supplementary Note 8) Based on monitoring data of a plurality of machines included in the system, an anomaly event detection process for detecting an anomaly event occurring in any of the plurality of machines is performed, and when a plurality of anomaly events are detected, With reference to a storage unit that stores information indicating a relationship between a plurality of services executed in the system, for each machine that is a source of each of the detected anomaly events, a service executed on the machine The number of other services having a specific relationship is specified, and information on the detected anomaly events is displayed on the display unit in an order corresponding to the number of the specified other services. The order control method characterized by performing.
(Supplementary note 9) When anomaly event detection processing is performed to detect an anomaly event occurring for any of the plurality of monitoring targets based on monitoring data of a plurality of monitoring targets included in the system, and a plurality of anomaly events are detected Calculating the detection frequency of the anomaly event generated for the monitored object for each monitored object of the detected plurality of anomaly events, and calculating the information regarding the detected anomaly events A sequence control method, wherein a computer executes a process of displaying on a display unit in an order corresponding to a frequency.
(Supplementary Note 10) Based on monitoring data of a plurality of machines included in the system, an anomaly event detection process for detecting an anomaly event occurring in any of the plurality of machines is performed, and when a plurality of anomaly events are detected, With reference to a storage unit that stores information indicating a relationship between a plurality of services executed in the system, for each machine that is a source of each of the detected anomaly events, a service executed on the machine The number of other services having a specific relationship is identified, and information regarding the detected anomaly events is displayed on the display unit in an order corresponding to the number of the identified other services. An information processing apparatus comprising a processing unit.
(Supplementary Note 11) When anomaly event detection processing is performed to detect an anomaly event that occurs for any of the plurality of monitoring targets based on monitoring data of a plurality of monitoring targets included in the system, and a plurality of anomaly events are detected Calculating the detection frequency of the anomaly event generated for the monitored object for each monitored object of the detected plurality of anomaly events, and calculating the information regarding the detected anomaly events An information processing apparatus having a processing unit for executing processing, which is displayed on a display unit in an order according to frequency.
(Additional remark 12) The processing unit specifies the number of incident information based on an event that can cause a decrease in service levels of a plurality of services executed in the system, and information on the detected anomaly events, The information processing apparatus according to appendix 10 or 11, wherein the information is displayed in an order corresponding to the number of the identified incident information.
(Additional remark 13) The said process part measures the time which passed since the said anomaly event was detected, and displays the information regarding the detected anomaly event in the order according to the measured said time. 13. The information processing apparatus according to any one of appendices 10 to 12, characterized by:
(Supplementary note 14) The information processing apparatus according to supplementary note 13, wherein the processing unit displays information related to the detected anomaly events at a higher level as the measured time is shorter.
(Supplementary Note 15) When a plurality of anomaly events are detected, the processing unit identifies a machine that is a source of each of the detected anomaly events, and indicates a relationship between a plurality of services executed in the system. When it is determined that there is a specific relationship between the services executed on each of the specified machines with reference to the storage unit that stores the information to be shown, the service determined to have the specific relationship is executed 15. The information processing apparatus according to any one of supplementary notes 10 to 14, wherein information on anomaly events occurring in each machine is displayed side by side.
(Supplementary Note 16) When a plurality of anomaly events are detected, the processing unit specifies a machine that is the source of each of the detected anomaly events, the specified machines are common, and the specified If the difference in detection time of the anomaly event occurring in the machine is determined to be within the threshold time, representative information obtained by aggregating information on the detected anomaly events is displayed. The information processing apparatus according to any one of 15.

S Information processing system 100 Monitoring target system 110 Host machine 130 Configuration collection server 140 CMDB
DESCRIPTION OF SYMBOLS 150 Performance monitoring server 170 Event monitoring server 190 Management server 200 Analysis server 210 Data collection part 220 Data storage part 230 Anomaly detection part 240 Display order control part 250 Data visualization part 300 Operation terminal

Claims (11)

Based on monitoring data of a plurality of machines included in the system, an anomaly event detection process for detecting an anomaly event occurring in any of the plurality of machines is performed,
When a plurality of anomaly events are detected, referring to a storage unit that stores information indicating relations between a plurality of services executed in the system, for each machine that has generated each of the detected anomaly events To determine the number of other services that have a particular relationship to the services running on the machine,
Displaying information on the detected anomaly events on the display unit in an order according to the number of the specified other services;
A sequence control program that causes a computer to execute processing. Based on the monitoring data of a plurality of monitoring targets included in the system, an anomaly event detection process for detecting an anomaly event that occurred for any of the plurality of monitoring targets is performed,
When a plurality of anomaly events are detected, for each monitored object of the detected plurality of anomaly events, calculate the detection frequency of the anomaly event that occurred for the monitored object,
Information on the detected anomaly events is displayed on the display unit in an order according to the calculated detection frequency.
A sequence control program that causes a computer to execute processing. Identifying the number of incident information based on events that can cause a decrease in service levels of multiple services executed in the system;
Displaying information on the detected anomaly events in an order corresponding to the number of identified incident information;
The sequence control program according to claim 1 or 2, wherein the process is executed. Measure the time elapsed since the detection of the anomaly event,
Displaying information on the detected anomaly events in an order corresponding to the measured time,
The sequence control program according to any one of claims 1 to 3, wherein the process is executed. The shorter the measured time, the higher the information regarding the detected anomaly events is displayed.
The sequence control program according to claim 4, wherein the process is executed. If a plurality of anomaly events are detected, identify the machine that originated each of the detected anomaly events,
When it is determined that there is a specific relationship between services executed on each of the specified machines with reference to a storage unit that stores information indicating a relationship between a plurality of services executed in the system, the specification Displays information about anomaly events that occurred on each machine that executes a service that is determined to have the relationship
6. The sequence control program according to claim 1, wherein the sequence control program is executed. If a plurality of anomaly events are detected, identify the machine that originated each of the detected anomaly events,
If the identified machines are common and if the difference in detection time of anomaly events occurring on the identified machines is determined to be within a threshold time, a representative that aggregates information on the detected anomaly events. Display information,
The sequence control program according to claim 1, wherein the process is executed. Based on monitoring data of a plurality of machines included in the system, an anomaly event detection process for detecting an anomaly event occurring in any of the plurality of machines is performed,
When a plurality of anomaly events are detected, referring to a storage unit that stores information indicating relations between a plurality of services executed in the system, for each machine that has generated each of the detected anomaly events To determine the number of other services that have a particular relationship to the services running on the machine,
Displaying information on the detected anomaly events on the display unit in an order according to the number of the specified other services;
A sequence control method, wherein a computer executes a process. Based on the monitoring data of a plurality of monitoring targets included in the system, an anomaly event detection process for detecting an anomaly event that occurred for any of the plurality of monitoring targets is performed,
When a plurality of anomaly events are detected, for each monitored object of the detected plurality of anomaly events, calculate the detection frequency of the anomaly event that occurred for the monitored object,
Information on the detected anomaly events is displayed on the display unit in an order according to the calculated detection frequency.
A sequence control method, wherein a computer executes a process. Based on monitoring data of a plurality of machines included in the system, an anomaly event detection process for detecting an anomaly event occurring in any of the plurality of machines is performed,
When a plurality of anomaly events are detected, referring to a storage unit that stores information indicating relations between a plurality of services executed in the system, for each machine that has generated each of the detected anomaly events To determine the number of other services that have a particular relationship to the services running on the machine,
Displaying information on the detected anomaly events on the display unit in an order according to the number of the specified other services;
An information processing apparatus having a processing unit for executing processing. Based on the monitoring data of a plurality of monitoring targets included in the system, an anomaly event detection process for detecting an anomaly event that occurred for any of the plurality of monitoring targets is performed,
When a plurality of anomaly events are detected, for each monitored object of the detected plurality of anomaly events, calculate the detection frequency of the anomaly event that occurred for the monitored object,
Information on the detected anomaly events is displayed on the display unit in an order according to the calculated detection frequency.
An information processing apparatus having a processing unit for executing processing.

Images