JP6311329B2 - Information processing apparatus, monitoring method, and program - Google Patents

Description

  The present invention relates to an information processing apparatus, a monitoring method, and a program.

  In recent years, the construction of systems using cloud computing called SaaS (Software as a Service) and PaaS (Platform as a Service) has become widespread. In a cloud computing environment, fluctuations in the load on the system are absorbed by increasing or decreasing resources such as virtual machines according to the number of users and the amount of data using virtualization technology. In a cloud computing environment, a billing system for resource use is often a pay-per-use charge. For this reason, it is required to quickly increase / decrease resources according to load fluctuations while keeping the resource usage to a minimum.

  For example, when a business system that communicates via a service bus as disclosed in Non-Patent Document 1 is constructed using cloud computing, resources that configure the service bus according to the load on the service bus Increase / decrease is performed. In this case, the monitoring device or the like measures and monitors the load of the service bus, and allocates resources so as to satisfy the request TAT and the request throughput for the service bus according to the result. However, the method of simply increasing / decreasing resources according to the increase / decrease of the load cannot respond immediately to the sudden increase in load, and may not satisfy the required TAT (Turn Around Time) and the required throughput. is there. For this reason, for example, it is required to detect in advance a sign of an increase in service bus load and add resources before the load increases.

  Thus, an example of a monitoring device that detects a precursor of a specific event in a system to be monitored is disclosed in Patent Document 1. When the characteristics of the time-series data collected from the monitoring target system match the selection condition to be detected as a precursor of a failure, the monitoring device disclosed in Patent Literature 1 displays the characteristics and time-series data in the past. Store metadata and time-series data in association with each other. Then, when the feature of the current time-series data meets the selection condition, the monitoring device refers to the time-series data associated with the past metadata that matches the feature, and the future change of the current time-series data Expect.

JP 2009-289221 A

"Function details: SOA-based WebOTX Enterprise Service Bus", NEC Corporation, [online], [searched January 16, 2014], Internet <URL: http://www.nec.co.jp/WebOTX/ integration / function / index.html>

  However, in the technique described in Patent Document 1, it is necessary for an administrator or the like to set the characteristics of time-series data to be detected as a sign of failure as selection conditions in advance.

  An object of the present invention is to solve the above-mentioned problems and to easily detect a precursor without an administrator or the like setting conditions for detecting a precursor of a specific event in a monitored system.

  The information processing apparatus according to the present invention includes a message log storage unit that stores a log of an input message of a monitoring target system that performs a predetermined process on an input message, and a predetermined number in the monitoring target system based on the log. The analysis means for generating the collation definition representing the characteristics of the input message in the period before the period of occurrence of the event, the characteristics of the input message of the monitored system in the new period and the collation definition are compared, and the monitoring Collating means for determining the presence or absence of a precursor of the predetermined event in the target system.

  The monitoring method of the present invention stores a log of an input message of a monitoring target system that performs predetermined processing on an input message, and a period during which a predetermined event occurs in the monitoring target system based on the log Generating a collation definition representing the characteristics of the input message in the previous period, comparing the characteristics of the input message of the monitored system with the collation definition in the new period, and indicating the precursor of the predetermined event in the monitored system The presence or absence of is determined.

  The program of the present invention stores a log of an input message of a monitoring target system that performs predetermined processing on an input message in a computer, and a predetermined event occurs in the monitoring target system based on the log Generating a collation definition that represents the characteristics of the input message in the period before the selected period, comparing the characteristics of the input message of the monitored system in the new period with the collation definition, and the predetermined event in the monitored system The process of determining the presence or absence of a sign is executed.

  The effect of the present invention is that a precursor of a specific event in the monitored system can be easily detected.

It is a block diagram which shows the characteristic structure of embodiment of this invention. It is a block diagram which shows the structure of the business system in embodiment of this invention. It is a figure which shows the example of the message which the service bus 200 receives in embodiment of this invention. It is a flowchart which shows a message process in embodiment of this invention. It is a flowchart which shows the analysis process in embodiment of this invention. It is a figure which shows the example of the message log in embodiment of this invention. It is a figure which shows the example of the analysis definition file 321 in embodiment of this invention. It is a figure which shows the example of the message log set 311 in embodiment of this invention. It is a figure which shows the example of the calculation result of average TAT and throughput in embodiment of this invention. It is a figure which shows the example of the calculation result of the feature information in embodiment of this invention. It is a figure which shows the example of the collation definition file 341 in embodiment of this invention. It is a flowchart which shows the collation process in embodiment of this invention. It is a figure which shows the other example of the message log set 311 in embodiment of this invention. It is a figure which shows the other example of the calculation result of the feature information in embodiment of this invention. It is a figure which shows the further another example of the message log set 311 in embodiment of this invention. It is a figure which shows the further another example of the calculation result of the feature information in embodiment of this invention. It is a figure which shows the example of the collation history table 361 in embodiment of this invention.

  Next, an embodiment of the present invention will be described.

  First, the configuration of the embodiment of the present invention will be described. FIG. 2 is a block diagram showing the configuration of the business system in the embodiment of the present invention.

  Referring to FIG. 2, the business system in the embodiment of the present invention includes one or more service systems 100, a service bus 200, a monitoring device 300, and a resource control device 400. The service bus 200 is an embodiment of the monitoring target system of the present invention. The monitoring device 300 is an embodiment of the information processing device of the present invention.

  Each of the one or more service systems 100 provides various services in the business system. The service system 100 is realized by a program executed on one or more computers, for example.

  The service bus 200 is connected to one or more service systems 100. The service bus 200 transfers the message received from the request source service system 100 to another service system 100, and returns the processing result by the other service system 100 as a response message to the request source service system 100. Here, the service bus 200 also performs message protocol conversion, data format conversion, and the like between the service systems 100. In the embodiment of the present invention, the transfer, protocol conversion, data format conversion, and the like executed on the message received by the service bus 200 are referred to as predetermined processing of the service bus 200. The service bus 200 is realized by a program executed on one or more virtual machines, for example.

  The service bus 200 includes a master 210 and one or more slaves 220. The master 210 distributes the load by distributing the message received from the service system 100 to one of the one or more slaves 220. Each slave 220 performs the predetermined processing described above. Each slave 220 is enabled / disabled (added / deleted) by the resource control device 400.

  FIG. 3 is a diagram showing an example of a message received by the service bus 200 in the embodiment of the present invention. The message includes a messagetype element, a body, and an element under the request element.

  The monitoring device 300 detects a precursor of a high load state in the service bus 200 (predicts that the service bus 200 will be in a high load state). The monitoring apparatus 300 instructs the resource control apparatus 400 to enable / disable the slave 220 according to whether or not the precursor is detected.

  The monitoring device 300 includes a message log storage unit 310, an analysis definition storage unit 320, an analysis unit 330, a collation definition storage unit 340, a collation unit 350, and a collation history storage unit 360.

  The message log storage unit 310 stores a message log set 311. The message log set 311 is a time series of logs (message logs) of messages input to and output from the service bus 200.

  FIG. 6 is a diagram showing an example of a message log in the embodiment of the present invention. The message log includes a message reception date and time, a message length, a transmission source, a transmission destination, a message body, and a reply date and time. Here, the reception date / time indicates the reception date / time of the message from the requesting service system 100. The reply date / time indicates the transmission date / time of the response message to the service system 100 of the request source.

  FIG. 8 is a diagram showing an example of the message log set 311 in the embodiment of the present invention. The message log set 311 includes a time series of message logs.

  The analysis definition storage unit 320 stores an analysis definition file 321. The analysis definition file 321 defines settings related to analysis and verification of the message log 311.

  FIG. 7 is a diagram showing an example of the analysis definition file 321 in the embodiment of the present invention. The analysis definition file 321 includes an analysis interval, a statistical interval, an inspection target, a maximum allowable TAT, a minimum allowable throughput, an average message length margin, a message ratio margin, and an allowable number of prediction failures. Here, the analysis interval indicates an interval for performing an analysis process described later. The statistical interval indicates an interval at which collation processing described later is performed. The inspection object indicates an element in the message body that is an object to be inspected in the collation process. The maximum allowable TAT and the minimum allowable throughput indicate an allowable range of TAT and throughput for determining whether or not the service bus 200 is in a high load state. The average message length margin and the message ratio margin indicate margins that are applied when comparing the average message length and the message ratio, which are message feature information, in the verification process. The allowable number of prediction failures indicates an allowable range of the number of prediction failures. A prediction failure is a case where a high load state does not actually occur in response to detection of a precursor of a high load state (prediction of a high load state).

  The analysis unit 330 detects a statistical period (period for each statistical interval) in which the service bus 200 is in a high load state based on the message log. Then, the analysis unit 330 generates a collation definition file 341 that defines the characteristics of the message received by the service bus 200 in the statistical period immediately before the statistical period in the high load state.

  The collation definition storage unit 340 stores a collation definition file 341.

  FIG. 11 is a diagram showing an example of the collation definition file 341 in the embodiment of the present invention. The collation definition file 341 includes a collation definition ID (Identifier), an average message length, and a message ratio.

  The collation unit 350 compares the characteristics of the message input to the service bus 200 in the new statistical period with the collation definition file 341, and determines whether there is a sign of a high load state in the service bus 200.

  The verification history storage unit 360 stores a verification history table 361. The collation history table 361 shows information related to the detected sign of the high load state. FIG. 17 is a diagram showing an example of the collation history table 361 according to the embodiment of the present invention. The collation history table 361 includes a collation definition ID, a collation date and time, and a prediction success / failure. The collation definition ID indicates the collation definition ID of the collation definition file 341 used when a precursor of a high load state is detected. The collation date and time indicates a statistical period in which a precursor of a high load state is detected. The prediction success / failure indicates by “OK” or “NG” whether or not a high load state actually occurred (prediction was successful) in response to detection of a precursor of a high load state (prediction of a high load state).

  The resource control device 400 validates / invalidates the slave 220 in accordance with an instruction from the monitoring device 300. The resource control device 400 may be included in the monitoring device 300.

  Note that the monitoring device 300 may be a computer that includes a CPU (Central Processing Unit) and a storage medium that stores a program, and that operates by control based on the program. Further, the message log storage unit 310, the analysis definition storage unit 320, the collation definition storage unit 340, and the collation history storage unit 360 may be configured as individual storage media or a single storage medium.

  Next, the operation of the embodiment of the present invention will be described.

  First, message processing in the embodiment of the present invention will be described.

  FIG. 4 is a flowchart showing message processing in the embodiment of the present invention.

  The requesting service system 100 transmits a message to the service bus 200 (step S101).

  The master 210 of the service bus 200 transmits the received message to one of the activated slaves 220 (step S102).

  The slave 220 that has received the message performs predetermined processing on the message (step S103), and returns a response message to the master 210 (step S104).

  The master 210 transmits the received response message to the requesting service system 100 (step S105).

  In addition, the master 210 generates a message log and transmits it to the monitoring device 300 (step S106).

  For example, the master 210 transmits a message log as shown in FIG.

  Next, analysis processing in the embodiment of the present invention will be described.

  Here, it is assumed that an analysis definition file 321 as shown in FIG. 7 is set by an administrator or the like and stored in the analysis definition storage unit 320. Further, it is assumed that a message log set 311 as shown in FIG. 8 is stored in the message log storage unit 310 based on the message log received from the service bus 200. Furthermore, a collation history table 361 (before collation date “9/8 00:50 to 01:00”) as shown in FIG. 17 generated by the collation process described later is stored in the collation history storage unit 360. Assume.

  FIG. 5 is a flowchart showing the analysis processing in the embodiment of the present invention.

  The analysis processing is executed at an analysis interval defined in the analysis definition file 321.

  The analysis unit 330 acquires the analysis definition file 321 from the analysis definition storage unit 320 (step S201).

  For example, the analysis unit 330 acquires an analysis definition file 321 as shown in FIG.

  The analysis unit 330 acquires the message log set 311 from the message log storage unit 310 (step S202).

  For example, the analysis unit 330 acquires a message log set 311 as illustrated in FIG.

  The analysis unit 330 selects one statistical period within the period included in the message log set 311 acquired in step S202 (step S203). Here, the selected statistical period is called a target analysis period.

  Based on the message log in the target analysis period, the analysis unit 330 determines whether or not the service bus 200 was in a high load state in the target analysis period (step S204).

  Here, the analysis unit 330 calculates an average TAT and throughput of predetermined processing executed in the service bus 200 for the message in the target analysis period. The analysis unit 330 calculates the TAT for processing each message based on the difference between the message log reception time and the reply time, and calculates an average value for the messages in the target analysis period. The analysis unit 330 calculates the throughput by dividing the number of messages processed in the target analysis period by the statistical interval.

  Then, the analysis unit 330 uses the calculated average TAT and throughput and the maximum allowable TAT and minimum allowable throughput defined in the analysis definition file 321 to determine whether or not the service bus 200 was in a high load state during the target analysis period. The determination is as follows. When the average TAT is within the allowable range of the maximum allowable TAT and the throughput is within the allowable range of the minimum allowable throughput, the analysis unit 330 determines that the load is not high. On the other hand, when the average TAT is out of the range of the maximum allowable TAT or the throughput is out of the range of the minimum allowable throughput, the analysis unit 330 determines that the load is high.

  FIG. 9 is a diagram illustrating an example of calculation results of average TAT and throughput in the embodiment of the present invention.

  For example, when the target analysis period is “9/8 00:40 to 00:50”, the average TAT “10 ms” in the calculation result of FIG. 9 is within the allowable range of the maximum allowable TAT “100 ms”. Further, the throughput “10 messages / sec” is outside the allowable range of the minimum allowable throughput “50 messages / sec”, but the number of received messages is “10 messages / sec”, so it is considered that there is no problem. Therefore, in this case, the analysis unit 330 determines that the load is not high. When the target analysis period is “9/8 00: 50-01: 00”, the average TAT “75 ms” is within the allowable range of the maximum allowable TAT, and the throughput “75 cases / sec” is also the minimum allowable throughput. It is within the allowable range. Therefore, also in this case, the analysis unit 330 determines that the load is not high. On the other hand, when the target analysis period is “9/8 01:00 to 01:10”, the average TAT “200ms” is outside the allowable range of the maximum allowable TAT, and the throughput “25 cases / sec” is also the allowable allowable minimum throughput. Out of range. Therefore, in this case, the analysis unit 330 determines that the load is high.

  If it is determined in step S204 that the load is high (step S204 / Y), the analysis unit 330 generates feature information of the input message in the statistical period immediately before the target analysis period (step S205).

  Here, the analysis unit 330 calculates an average message length and a message ratio as the feature information. The analysis unit 330 calculates the average message length received by the service bus 200 during the immediately preceding statistical period as the “average message length”. Further, the analysis unit 330 calculates, as a “message ratio”, the ratio of each character string of the element to be inspected defined in the analysis definition file 321 used in the message received by the service bus 200 in the immediately preceding statistical period. .

  FIG. 10 is a diagram illustrating an example of the calculation result of the feature information in the embodiment of the present invention.

  For example, when the target analysis period is “9/8 01:00 to 01:10”, the analysis unit 330 performs the characteristics as shown in FIG. 10 for the immediately preceding statistical period “9/8 00:50 to 01:00”. Generate information.

  The analysis unit 330 generates the collation definition file 341 based on the feature information of the input message of the immediately preceding statistical period generated in step S205 (step S206).

  Here, the analysis unit 330 sets a value obtained by multiplying the average message length of the feature information by the message length margin defined in the analysis definition file 321 as the “average message length” in the collation definition file 341. Further, the analysis unit 330 sets a value obtained by adding / subtracting the message ratio margin defined in the analysis definition file 321 to the “message ratio” of the feature information as the “message ratio” in the collation definition file 341. When the value obtained by adding the margin exceeds 100%, the calculation result may be “100%”. Also, when the value obtained by subtracting the margin is less than 0%, the calculation result may be “0%”.

  For example, based on the feature information in FIG. 10 and each margin in the analysis definition file 321 in FIG. 7, the analysis unit 330 performs the analysis for the target analysis period “9/8 01:00 to 01:10” in FIG. In this way, the collation definition file 341 assigned with the collation definition ID “201309080100” is generated.

  Furthermore, the analysis unit 330 refers to the matching history table 361 and determines whether or not a precursor of a high load state has been detected in the matching process (described later) performed in advance in the statistical period immediately before the target analysis period. (Step S207). Here, if there is a record in the collation history table 361 whose collation date / time is the immediately preceding statistical period, this indicates that a precursor has been detected. When the precursor has been detected (step S207 / Y), the analysis unit 330 sets “OK” to the prediction success / failure of the record related to the precursor in the verification history table 361 (step S208).

  For example, when the target analysis period is “9/8 01:00 to 01:10”, the collation history table 361 in FIG. 17 has a record of the collation date “9/8 00:50 to 01:00”. As shown in FIG. 17, the analysis unit 330 sets “OK” to the prediction success / failure of the record.

  The analysis unit 330 proceeds to the process of step S213.

  On the other hand, when it is determined in step S204 that the high load state has not been reached (step S204 / N), the analysis unit 330 determines whether or not a precursor of the high load state has been detected, similarly to step S207 (step S209). ). When the precursor has been detected (step S209 / Y), the analysis unit 330 sets “NG” to the prediction success / failure of the record related to the precursor in the verification history table 361 (step S210).

  Further, the analysis unit 330 obtains, in the matching history table 361, the same matching definition file 341 as the record for which the prediction success / failure “NG” is set in step S210 and the number of records for which the prediction success / failure “NG” is set. . Then, it is determined whether the obtained number exceeds the allowable number of prediction failures defined in the analysis definition file 321 (step S211). When the allowable number of prediction failures is exceeded (step S211 / Y), the analysis unit 330 deletes the matching definition file 341 from the matching definition storage unit 340 (step S212). Thereby, the inappropriate collation definition file 341 is deleted, and the collation definition file 341 with high prediction accuracy remains. Also, when the pattern of a message received from the service system 100 changes, the old collation definition file 341 is deleted. Therefore, even if there is no setting change by the administrator or the like, the prediction accuracy by the collation definition file 341 is improved.

  The analysis unit 330 repeats the processing from step S203 for all statistical periods included in the message log set 311 acquired in step S202 (step S213).

  The analysis unit 330 stores the generated collation definition file 341 in the collation definition storage unit 340 (step S214).

  Note that the analysis unit 330 may duplicate the generated collation definition file 341 and output it to an external storage device or another monitoring device. In this case, another monitoring apparatus may monitor other service buses in the business system or service buses of other business systems using the output collation definition file 341.

  The analysis unit 330 deletes the analyzed message log from the message log set 311 (step S215).

  Next, collation processing in the embodiment of the present invention will be described.

  Here, it is assumed that an analysis definition file 321 as shown in FIG. 7 is set by an administrator or the like and stored in the analysis definition storage unit 320. Further, it is assumed that the collation definition file 341 in FIG. 11 is stored in the collation definition storage unit 340 by the analysis processing. Furthermore, it is assumed that a collation history table 361 (before collation date “9/8 00:50 to 01:00”) as shown in FIG. 17 is stored in the collation history storage unit 360.

  FIG. 12 is a flowchart showing the collation process in the embodiment of the present invention.

  The collation process is executed at a statistical interval defined in the analysis definition file 321.

  The collation unit 350 acquires the analysis definition file 321 from the analysis definition storage unit 320 and all the collation definition files 341 from the collation definition storage unit 340 (step S301).

  The collation unit 350 acquires the message log of the latest statistical period from the message log set 311 in the message log storage unit 310 (step S302). Here, the latest statistical period is referred to as a target verification period.

  The collation unit 350 generates the feature information of the message in the target collation period by the same method as in step S205 (step S303).

  The collation unit 350 selects one collation definition file 341 (step S304).

  The collation unit 350 compares the feature information of the message in the target collation period generated in step S303 with the collation definition file 341 selected in step S304. Then, the collation unit 350 determines whether there is a precursor of a high load state in the service bus 200 (step S305).

  Here, the collation unit 350 uses the feature information of the message in the target collation period and the collation definition file 341 to determine whether or not there is a sign of a high load state as follows. When the average message length of the feature information is within the range of the average message length of the verification definition file 341 and the message ratio of the feature information is within the range of the message ratio of the verification definition file 341, the verification unit 350 determines that there is a precursor. judge. On the other hand, when the average message length of the feature information is outside the range of the average message length of the verification definition file 341, or the message ratio of the feature information is outside the range of the message ratio of the verification definition file 341, the verification unit 350 has no warning. Is determined.

  When there is a sign of a high load state (step S305 / Y), the collation unit 350 adds a record of the target collation period to the collation history table 361 (step S306). Here, the collation unit 350 sets the collation definition ID of the collation definition file 341 used for the comparison to the collation definition ID of the record. The collation unit 350 sets the target collation period to the collation date and time of the record. The prediction success or failure in the record is set in steps S208 and S210 of the analysis process (described above).

  FIG. 13 is a diagram showing another example of the message log set 311 in the embodiment of the present invention. FIG. 14 is a diagram showing another example of the calculation result of the feature information in the embodiment of the present invention.

  For example, the collation unit 350 calculates feature information as shown in FIG. 14 for the target collation period “9/9 01:40 to 01:50” in the message log set 311 in FIG.

  When the feature information of FIG. 14 is compared with the collation definition file 341 of FIG. 11, the average message length “1101” in the feature information is outside the range of the average message length “1323 to 1617” in the collation definition file 341. Further, the average message ratio “TYPE1: 60%, TYPE2: 40%” in the feature information is also outside the range of the message ratio “TYPE1: 10% to 30%, TYPE2: 70% to 90%” in the collation definition file 341. Therefore, in this case, the collation unit 350 determines that there is no sign of a high load state.

  FIG. 15 is a diagram showing still another example of the message log set 311 in the embodiment of the present invention. FIG. 16 is a diagram showing still another example of the calculation result of the feature information in the embodiment of the present invention.

  For example, the collation unit 350 calculates feature information as shown in FIG. 16 for the target collation period “9/9 01:50 to 02:00” in the message log set 311 in FIG.

  When the feature information of FIG. 16 and the collation definition file 341 of FIG. 11 are compared, the average message length “1615” in the feature information is within the range of the average message length in the collation definition file 341. Further, the average message ratio “TYPE1: 20%, TYPE2: 80%” in the feature information is also within the range of the message ratio in the collation definition file 341. Therefore, in this case, the collation unit 350 determines that there is a sign of a high load state. Then, as shown in FIG. 17, the collation unit 350 records records in which the identifier “201309080100” and the target collation period “9/9 01:50 to 02:00” of the collation definition file 341 in FIG. It adds to the collation history table 361.

  The collation unit 350 repeats steps S304 to S306 for all the collation definition files 341 (step S307).

  When a precursor is detected for any of the collation definition files 341 in steps S304 to S307 (step S308 / Y), the collation unit 350 instructs the resource control device 400 to validate the slave 220 ( Step S309). The resource control apparatus 400 enables (adds) one slave 220 using, for example, a virtual machine in the resource pool. Note that the resource control device 400 does not validate the slaves 220 when the number of slaves 220 has reached a predetermined upper limit value.

  On the other hand, if no precursor is detected for any collation definition file 341 (step S308 / N), the collation unit 350 determines whether the service bus 200 was in a high load state during the target collation period, as in step S204. It is determined whether or not (step S310). When the load is not high (step S310 / N), the collation unit 350 instructs the resource control device 400 to invalidate the slave 220 (step S311). The resource control device 400 invalidates (deletes) one slave 220. Note that the resource control device 400 does not invalidate the slaves 220 when the number of slaves 220 has reached a predetermined lower limit value.

  Thus, the operation of the embodiment of the present invention is completed.

  Next, a characteristic configuration of the embodiment of the present invention will be described. FIG. 1 is a block diagram showing a characteristic configuration of an embodiment of the present invention.

  The information processing apparatus (monitoring apparatus 300) of the present invention includes a message log storage unit 310, an analysis unit 330, and a verification unit 350. The message log storage unit 310 stores a log of input messages of the monitoring target system (service bus 200) that performs predetermined processing on the input messages. Based on the log, the analysis unit 330 generates a collation definition (collation definition file 341) representing the characteristics of the input message in the period before the period in which the predetermined event has occurred in the monitoring target system. The collation unit 350 compares the characteristics of the input message of the monitoring target system in the new period with the collation definition, and determines whether there is a precursor of a predetermined event in the monitoring target system.

  According to the embodiment of the present invention, it is possible to easily detect a precursor of a specific event in the monitored system. The reason is that the analysis unit 330 generates a collation definition file 341 that represents the characteristics of the input message in the period before the period in which the predetermined event occurs, and the collation unit 350 collates with the characteristics of the input message in the new period. This is for comparing with the definition file 341 and determining the presence or absence of a precursor.

  Further, according to the embodiment of the present invention, it is possible to minimize the amount of resources used in the monitoring target system. The reason is that the resource control device 400 adds or deletes resources of the monitoring target system according to whether or not a precursor of a predetermined event is detected.

  Further, according to the embodiment of the present invention, it is possible to determine the presence or absence of a sign without degrading the performance of the monitored system. The reason is that the monitoring device 300 outside the monitoring target system generates the collation definition file 341 based on the log of the input message of the monitoring target system and whether there is a precursor using the generated collation definition file 341 This is for making the determination.

  In addition, according to the embodiment of the present invention, the sign of a specific event can be efficiently detected even in a large-scale distributed environment including a plurality of similar monitoring target systems or in another similar environment including a similar monitoring target system. Can be detected. The reason is that the analysis unit 330 duplicates the collation definition file 341 and outputs it to an external storage device or another monitoring device.

  Further, according to the embodiment of the present invention, it is possible to predict the occurrence of a specific event with higher accuracy than in the case where only the TAT and throughput of the monitoring target system are monitored. This is because the monitoring apparatus 300 determines the presence or absence of a precursor of a specific event based on the statistics of the characteristics of the input message of the monitoring target system such as the average message length and the message ratio.

  While the present invention has been described with reference to the embodiments, the present invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

  For example, in the embodiment of the present invention, an event that is a detection target of a warning is set to a high load state of the service bus 200, and a control target according to the presence or absence of detection of a warning is a resource (slave 220) for load distribution. However, the event that is the detection target of the precursor and the control target according to the presence or absence of the detection of the precursor may be another event or the control target. For example, an event that is a detection target of a sign may be a resource such as a hard disk that is necessary for receiving a predetermined message, such as a large message, and a target that is detected according to whether or not a sign is detected. In this case, the analysis unit 330 generates the collation definition file 341 based on the feature information in the statistical period immediately before the statistical period in which the service bus 200 receives the predetermined message. Then, the collation unit 350 detects a precursor of receiving a predetermined message using the generated collation definition file 341, and adds a hard disk. As a result, for example, when the capacity of the hard disk is temporarily required for processing a large message such as several hundred MB or several GB, the sign of reception of the large message can be detected and the capacity of the hard disk can be increased in advance. .

  Further, in the embodiment of the present invention, the monitoring apparatus 300 uses the average message length and the message ratio as the message feature information. However, if the precursor of the detection target event can be detected, the monitoring apparatus 300 may use other information related to the message as the feature information. For example, the monitoring apparatus 300 may use, as the feature information, the ratio of each value (including text) set in other data items in the message such as the message transmission source and the transmission destination.

  In the embodiment of the present invention, the analysis unit 330 generates the collation definition file 341 based on the characteristic information of the statistical period immediately before the statistical period in which the detection target event has occurred. However, if the precursor of the detection target event can be detected, the analysis unit 330 generates the matching definition file 341 based on the feature information of the statistical period prior to the immediately preceding statistical period, such as the statistical period of a predetermined time, for example. May be.

  Further, in the embodiment of the present invention, the analysis unit 330 determines the success or failure of the prediction depending on whether or not the event to be detected has occurred in the statistical period immediately after the statistical period in which the precursor of the event to be detected has been detected. did. However, the analysis unit 330 may determine the success or failure of the prediction depending on whether or not the detection target event has occurred before the statistical period immediately after the statistical period immediately after, such as each statistical period until a predetermined time.

  In the embodiment of the present invention, the monitoring target system is the service bus 200. However, the system to be monitored may be a system other than the service bus 200 as long as it can detect a precursor of a specific event from the characteristics of input / output messages.

  The present invention can be applied to a business system in which the amount of processing greatly increases or decreases depending on the season or time zone, such as a system related to railways, airlines, and ward offices.

100 Service System 200 Service Bus 210 Master 220 Slave 300 Monitoring Device 310 Message Log Storage Unit 311 Message Log Set 320 Analysis Definition Storage Unit 321 Analysis Definition File 330 Analysis Unit 340 Verification Definition Storage Unit 341 Verification Definition File 350 Verification Unit 360 Verification History Storage 361 Matching history table 400 Resource control device

Claims (10)

Message log storage means for storing a log of an input message to a monitoring target system that performs predetermined processing on the input message;
Analyzing means for generating a collation definition representing characteristics of an input message to the monitored system in a period before a period in which a predetermined event has occurred in the monitored system based on the log;
Comparing means for comparing the characteristics of the input message to the monitoring target system in the new period and the matching definition, and determining the presence or absence of a precursor of the predetermined event in the monitoring target system;
Equipped with a,
The input message characteristics of the monitored system include at least one of an average message length and a ratio of values set in predetermined data items in the message.
Information processing device. Further, it comprises resource control means for adding or deleting resources of the monitoring target system according to whether or not a precursor of the predetermined event has been detected.
The information processing apparatus according to claim 1. The monitored system includes a plurality of subsystems, and a message input to the monitored system is processed by any of the plurality of subsystems.
The resource control means adds or deletes the subsystem according to the presence or absence of detection of a precursor of the predetermined event.
The information processing apparatus according to claim 2. The analysis means, when it is determined that there is a precursor of the predetermined event in the new period, the number of times that the predetermined event has not occurred in a period after the new period is greater than or equal to a predetermined threshold , Delete the matching definition,
The information processing apparatus according to any one of claims 1 to 3. Said predetermined event is the monitored system is that in a high load state, the information processing apparatus according to any one of claims 1 to 4. Said predetermined event is the an input of a predetermined message to the monitored system, information processing apparatus according to any one of claims 1 to 4. Store a log of input messages to the monitored system that performs predetermined processing on the input messages,
Based on the log, generate a collation definition that represents the characteristics of the input message to the monitored system in the period before the period in which the predetermined event occurred in the monitored system ,
Comparing the characteristics of the input message to the monitored system in the new period with the matching definition to determine the presence or absence of a precursor of the predetermined event in the monitored system;
A monitoring method,
The input message characteristics of the monitored system include at least one of an average message length and a ratio of values set in predetermined data items in the message.
Monitoring method. Furthermore, depending on whether or not a precursor of the predetermined event is detected, the resource of the monitored system is added or deleted,
The monitoring method according to claim 7 . On the computer,
Store a log of input messages to the monitored system that performs predetermined processing on the input messages,
Based on the log, generate a collation definition that represents the characteristics of the input message to the monitored system in the period before the period in which the predetermined event occurred in the monitored system ,
Comparing the characteristics of the input message to the monitored system in the new period with the matching definition to determine the presence or absence of a precursor of the predetermined event in the monitored system;
A program for executing processing ,
The input message characteristics of the monitored system include at least one of an average message length and a ratio of values set in predetermined data items in the message.
program. Further, depending on whether or not a precursor of the predetermined event has been detected, a process for adding or deleting the resource of the monitoring target system is executed.
The program according to claim 9.

Images