JP7027912B2 - Order control program, order control method, and information processing device - Google Patents

Description

This case relates to an order control program, an order control method, and an information processing apparatus.

Information and Communication Technology (ICT) systems including server devices, storage devices, network devices, etc. are known. Further, for example, an observation device that collects time-series data related to the usage status of a Central Processing Unit (CPU) or a memory from a server device and displays the time change of the usage status on a monitor as a graph is also known. In particular, there is also known a technique in which an observation device detects an anomaly event in an ICT system and displays the occurrence status of the anomaly event on a monitor (see, for example, Patent Document 1).

Japanese Unexamined Patent Publication No. 2017-072882

By the way, when a large number of anomaly events are detected, the operator or administrator of the ICT system (hereinafter, simply referred to as an operator) should determine the priority of the response to the anomaly event and respond to the anomaly event. Is required. In particular, the operator is required to determine the priority within the time from the detection of the anomaly event to the occurrence of the problem caused by the anomaly event and respond to the anomaly event.

If the operator makes a mistake in determining the priority and the response to the anomaly event is delayed, a problem caused by the anomaly event occurs. For example, if an anomaly event that may cause a system failure is detected and the operator makes a mistake in determining the priority of response to the anomaly event, a system failure may occur. If a system failure actually occurs, many users of the ICT system may be affected.

Therefore, in one aspect, it is an object of the present invention to provide an order control program, an order control method, and an information processing apparatus capable of suppressing the occurrence of a problem due to a delay in responding to an anomaly event.

In one embodiment, the sequence control program performs anomaly event detection processing for detecting anomaly events occurring in any of the plurality of machines based on monitoring data of a plurality of machines included in the system, and performs anomaly event detection processing, and the plurality of anomaly events. When is detected, the machine refers to a storage unit that stores information indicating the relationship between the plurality of services executed by the system, and the machine is used for each of the detected machines that generate the plurality of anomaly events. The number of other services that have a specific relationship to the service executed in is specified, the time elapsed since the detection of the plurality of anomaly events is measured, and the information regarding the detected multiple anomaly events is measured. Is displayed on the display unit in the order corresponding to the number of the specified other services, and the shorter the measured time, the higher the information about the detected plurality of anomaly events is displayed on the computer. Let me.

In one embodiment, the sequence control program performs anomaly event detection processing for detecting anomaly events that have occurred in any of the plurality of monitoring targets based on the monitoring data of the plurality of monitoring targets included in the system, and a plurality of monitoring targets. When an anomaly event is detected, the detection frequency of the anomaly event that occurred for the monitored object is calculated for each monitoring target of the source of each of the plurality of detected anomaly events, and the plurality of anomaly events are detected. The time elapsed from the measurement is measured, and the information regarding the detected plurality of anomaly events is displayed on the display unit in the order corresponding to the calculated detection frequency. The shorter the measured time, the more the plurality of detected events are detected. Anomaly Causes the computer to perform a process that displays information about the event at the top .

It is possible to suppress the occurrence of problems due to delays in responding to anomaly events.

FIG. 1 is an example of an information processing system. FIG. 2 is an example of CMDB. FIG. 3 is an example of the hardware configuration of the analysis server. FIG. 4A is an example of a block diagram of the analysis server. FIG. 4B is an example of a data storage unit. FIG. 5 is an example of the first data management table. FIG. 6A is an example of the second data management table and the third data management table. FIG. 6B is an example of the fourth data management table. FIG. 7 is an example of the fifth data management table. FIG. 8 is a flowchart showing an example of the first process executed by the data collection unit. FIG. 9 is a flowchart showing an example of the second process executed by the anomaly detection unit and the display order control unit. FIG. 10 is a diagram illustrating an example of display priority. FIG. 11 is a flowchart showing an example of the third process executed by the data visualization unit. FIG. 12 is an example of the anomaly list screen. FIG. 13 is an example of an anomaly detail screen. FIG. 14 is another example of the anomaly list screen. FIG. 15 is another example of the anomaly list screen. FIG. 16 is another example of the anomaly detail screen.

Hereinafter, a mode for carrying out this case will be described with reference to the drawings.

(First Embodiment)
FIG. 1 is an example of the information processing system S. FIG. 2 is an example of the Configuration Management Database (CMDB) 140. The information processing system S includes a monitoring target system 100, a configuration collection server 130, and a CMDB 140 as a storage unit. The CMDB 140 may be included in the configuration collection server 130. Further, the information processing system S includes a performance monitoring server 150 and an event monitoring server 170. Further, the information processing system S includes a management server 190, an analysis server 200 as an information processing device, and an operation terminal 300.

At least one of the monitoring target system 100, the configuration collection server 130, the CMDB 140, the performance monitoring server 150, the event monitoring server 170, and the operation terminal 300 may be excluded from the components of the information processing system S. That is, the information processing system S may include at least a management server 190 and an analysis server 200. Further, as shown in FIG. 1, the operation terminal 300 can be realized by a personal computer (PC) including an input unit 310, a display unit 320, and a control unit (not shown). The operation terminal 300 may be realized by a smart device such as a tablet terminal. The operation terminal 300 is operated by the operator.

The monitored system 100 includes a plurality of host machines 110. Some or all of the plurality of host machines 110 are connected to each other. The plurality of host machines 110 are connected to the configuration collection server 130, the performance monitoring server 150, and the event monitoring server 170 via the communication network NW. The communication network NW includes, for example, the Internet and a Local Area Network (LAN). The host machine 110 corresponds to, for example, various server devices such as a Web server, an application server, a database server, and a virtualization server, a storage device, a network device, and the like. Therefore, the monitored system 100 may be referred to as a computer system or an ICT system. A user (not shown) who is an end user of the information processing system S or the monitored system 100 accesses the monitored system 100 and executes or provides the monitored system 100 (hereinafter, simply referred to as execution). You can use the service. As a plurality of services, there are services related to business support such as a data processing service and an imaging service.

The monitored system 100 is equipped with a cloud platform or a software group (for example, Open Stack) for constructing a cloud environment (hereinafter, simply referred to as a cloud platform). More specifically, some of the host machines 110 described above implement software called Keystone. Keystone demonstrates authentication functions such as user management and access control. Further, depending on the host machine 110, software called Nova is implemented. Nova has the ability to compute the ability to run virtual machines. Other software such as Swift, Glance, and Cinder are also known. By linking these softwares with each other, the monitored system 100 realizes a cloud platform.

The configuration collection server 130 accesses a plurality of host machines 110, dynamically collects various configuration information possessed by each host machine 110, and stores them in the CMDB 140. The configuration information includes information on the hardware configuration of the host machine 110 (specifically, the name and IP address of the host machine, etc.) and information on the virtual environment (specifically, the version number of the hypervisor, CPU and memory usage). Situation etc.). Further, the configuration information includes information on the Operating System (OS) and application software (hereinafter, simply referred to as an application), patch application status, and application parameter setting status. In addition, the configuration collection server 130 identifies the service executed by the accessed host machine 110, the service one generation higher and the service one generation lower related to the service, and stores the service as configuration information. Further, the configuration collection server 130 identifies a parent-child relationship or a master-slave relationship (hereinafter, simply referred to as a parent-child relationship) of a plurality of host machines 110 and stores them as configuration information.

As a result, the CMDB 140 stores the configuration information of each host machine 110 for each host machine 110, as shown in FIG. For example, the host machine 110 having the name "host 2" has a parent relationship with the host machine 110 having the name "host 1", and the host machine 110 having the name "host 3" has a child relationship. Further, the host machine 110 having the name of "host 2" executes the service 3, the service 4, and the service 5. On the other hand, as services related to the service executed by the host machine 110 having the name "host 2", the services 1 and 2 executed by the host machine 110 having a parental relationship and the name "host 3" are included. There is a service 6 executed by the host machine 110. As described above, the plurality of services 1 to 6 have a specific relationship associated with the parent-child relationship of the host machine 110. Therefore, for example, if a failure occurs in the host machine 110 having the name "host 2", the execution of services 3 to 5 and the service 6 one generation below is stopped, but the execution of services 1 and 2 one generation above continues. do. The operator may perform an operation to store the configuration information in the CMDB 140, and the operation terminal 300 may store the configuration information in the CMDB 140.

The performance monitoring server 150 monitors the resources of each host machine 110 and each host machine 110 via the communication network NW. Specifically, the performance monitoring server 150 monitors hardware resources (for example, CPU, memory, etc.). The performance monitoring server 150 may monitor software resources. The performance monitoring server 150 acquires data such as performance and load from the resource to be monitored as monitoring data. The monitoring data includes CPU usage rate, memory usage rate, disk throughput, etc. as resource performance and load. The performance monitoring server 150 manages the acquired monitoring data by comparing them at various angles.

The event monitoring server 170 monitors various events (events) that occur in the monitored system 100 via the communication network NW. For example, when an event that can cause a decrease in the service level of a plurality of services executed by the monitored system 100 occurs, the event monitoring server 170 detects the occurrence of the event and causes incident information (hereinafter referred to as INC ticket). ) Is issued to notify the management server 190. Although details will be described later, the INC ticket includes the ticket identifier, the ticket issuance date and time, the name of the service related to the event that occurred, the name of the host machine 110 that executes the service, the content of the event that occurred, and the like. ..

The management server 190 includes a ticket DB (not shown), and stores and manages the INC ticket notified from the event monitoring server 170 by the ticket DB. Further, the management server 190 stores and manages the INC ticket issued and notified by the user terminal (not shown) and the change request ticket issued and notified by the operation terminal 300 in the ticket DB. The user terminal is a terminal device used by the user. The INC ticket issued by the user terminal includes ticket identification information, the ticket issuance date and time, and inquiries regarding the monitored system 100. On the other hand, in the change request ticket issued by the operation terminal 300, the identifier of the ticket, the issue date and time of the ticket, the name of the service affected by the change of the host machine 110, the name of the host machine 110 that executes the service, modification or modification. It includes changes such as.

The analysis server 200 is connected to the CMDB 140, the performance monitoring server 150, the management server 190, and the operation terminal 300. As shown in FIG. 1, the analysis server 200 may be directly connected to the CMDB 140, the performance monitoring server 150, the management server 190, and the operation terminal 300, or the CMDB 140 and the performance monitoring server via the communication network NW. It may be indirectly connected to the 150, the management server 190, and the operation terminal 300.

The analysis server 200 collects the monitoring data acquired by the performance monitoring server 150, and executes the anomaly event detection process based on the collected monitoring data. The anomaly event detection process is a process of analyzing monitoring data and detecting a state different from the normal time, normal time, or steady state (hereinafter, simply referred to as normal time) of the host machine 110 and its resources. If a state different from the normal state is detected by the anomaly event detection process, a problem may occur in the monitored system 100 including the host machine 110, its resources, and the host machine 110.

Further, the analysis server 200 determines the display order of the anomaly information regarding the anomaly event based on the monitoring data in which the anomaly event is detected (hereinafter referred to as anomaly data) and the configuration information stored in the CMDB 140. The analysis server 200 may determine the display order of the anomaly information based on the anomaly data and the detection frequency of the anomaly event. The detection frequency may be the number of continuous detections in which anomaly events are continuously detected, or may be the number of detections per unit time. In this embodiment, the number of continuous detections will be described as an example of the detection frequency.

Further, the analysis server 200 may determine the display order of the anomaly event information based on the anomaly data, the configuration information, the detection frequency of the anomaly event, and the number of INC tickets issued by the management server 190. .. By using the number of INC tickets issued when determining the display order, the probability that a problem due to an anomaly event will occur is improved. For example, if no INC ticket is issued, even if an anomaly event is detected, it is unlikely that a problem caused by the anomaly event will occur. Although the details will be described later, when the analysis server 200 receives various requests and instructions from the operation terminal 300, the analysis server 200 displays the anomaly information on the display unit 320 of the operation terminal 300 in the determined display order.

Next, the hardware configuration of the analysis server 200 will be described with reference to FIG. The plurality of host machines 110, the configuration collection server 130, the CMDB 140, the performance monitoring server 150, the event monitoring server 170, the management server 190, and the operation terminal 300 described above basically have the same hardware configuration as the analysis server 200. Therefore, the description is omitted.

FIG. 3 is an example of the hardware configuration of the analysis server 200. As shown in FIG. 3, the analysis server 200 includes at least a CPU 200A as a hardware processor, a Random Access Memory (RAM) 200B, a Read Only Memory (ROM) 200C, and a network I / F (interface) 200D. The analysis server 200 may include at least one of a Hard Disk Drive (HDD) 200E, an input I / F200F, an output I / F200G, an input / output I / F200H, and a drive device 200I, if necessary. The CPU 200A to the drive device 200I are connected to each other by an internal bus 200J. That is, the analysis server 200 can be realized by a computer. A Micro Processing Unit (MPU) may be used as a hardware processor instead of the CPU 200A.

An input device 710 is connected to the input I / F 200F. The input device 710 includes, for example, a keyboard and a mouse. A display device 720 is connected to the output I / F 200G. The display device 720 includes, for example, a liquid crystal display. A semiconductor memory 730 is connected to the input / output I / F 200H. Examples of the semiconductor memory 730 include a Universal Serial Bus (USB) memory and a flash memory. The input / output I / F 200H reads programs and data stored in the semiconductor memory 730. The input I / F 200F and the input / output I / F 200H include, for example, a USB port. The output I / F 200G includes, for example, a display port.

A portable recording medium 740 is inserted into the drive device 200I. Examples of the portable recording medium 740 include removable discs such as Compact Disc (CD) -ROM and Digital Versatile Disc (DVD). The drive device 200I reads programs and data recorded on the portable recording medium 740. The network I / F200D includes, for example, a LAN port. The network I / F200D is connected to the CMDB 140, the performance monitoring server 150, the management server 190, and the operation terminal 300 described above.

In the RAM 200B described above, the program stored in the ROM 200C or the HDD 200E is temporarily stored by the CPU 200A. The program recorded on the portable recording medium 740 is temporarily stored in the RAM 200B by the CPU 200A. When the CPU 200A executes the stored program, the CPU 200A realizes various functions described later and also executes various processes described later. The program may be adapted to the flowchart described later.

Next, the functional configuration of the analysis server 200 will be described with reference to FIGS. 4 to 7.

FIG. 4A is an example of a block diagram of the analysis server 200. FIG. 4B is an example of the data storage unit 220. FIG. 5 is an example of the first data management table T1. FIG. 6A is an example of the second data management table T2 and the third data management table T3. FIG. 6B is an example of the fourth data management table T4. FIG. 7 is an example of the fifth data management table T5. As shown in FIG. 4A, the analysis server 200 includes a data collection unit 210, an anomaly detection unit 230, a display order control unit 240, and a data visualization unit 250 as processing units. Further, the analysis server 200 includes a data storage unit 220. As shown in FIG. 4B, the data storage unit 220 includes a first data management table T1, a second data management table T2, a third data management table T3, a fourth data management table T4, and a fifth data management table. Stores various data managed by T5.

The data collection unit 210 can be realized by the CPU 200A executing a known log collection / transfer tool (for example, software such as Fluentd or Logstash) and the first process described later. The data storage unit 220 can be realized by the CPU 200A executing a distributed search real-time analysis engine (for example, software such as Elasticsearch) of Open Source Software (OSS) and cooperating with the HDD 200E. The anomaly detection unit 230 and the display order control unit 240 can be realized by the CPU 200A executing the second process described later. The data visualization unit 250 can be realized by the CPU 200A executing a known data visualization tool (for example, software such as kibana) and a third process described later.

The data collection unit 210 collects monitoring data from the performance monitoring server 150. More specifically, the data collection unit 210 periodically accesses the performance monitoring server 150 in units of several minutes to ten and several minutes, and the performance monitoring server 150 collects monitoring data acquired from each of the plurality of host machines 110. When the data collection unit 210 collects the monitoring data, the collected monitoring data is stored in the data storage unit 220. As a result, the data storage unit 220 stores the monitoring data. In particular, the monitoring data is managed by the first data management table T1.

Here, as shown in FIG. 5, the first data management table T1 manages a plurality of monitoring data for each combination of the host machine 110 and the monitored resource. The first data management table T1 has a plurality of fields such as a collection date and time, a host machine, a monitored resource, a data value, a unit, an anomaly analysis result, and an anomaly detection date and time. The date and time when the monitoring data was collected is registered in the collection date and time field. The name or identifier of the host machine 110 is registered in the field of the host machine. The name of the monitored resource is registered in the field of the monitored resource. In the data value and unit fields, the measured value indicating the performance of the monitoring data and the symbol or character indicating the unit of the measured value are registered, respectively. For example, when the unit "%" is registered for the monitored resource "CPU", the data value "78" represents the CPU usage rate. Similarly, when the unit "%" is registered for the monitored resource "memory", the data value "64" represents the memory usage rate.

An identification flag that identifies whether or not an anomaly event has been detected is registered in the field of the anomaly analysis result. For example, the identification flag "1" indicates that an anomaly event has been detected, and the identification flag "0" indicates that an anomaly event has not been detected. The date and time when the anomaly event was detected is registered in the anomaly detection date and time field. The date and time when the anomaly event is detected is registered for the monitoring data in which the identification flag "1" is registered (hereinafter referred to as anomaly data), and the monitoring data in which the identification flag "0" is registered (hereinafter, non-anomaly data). It is not registered for.). In this way, a plurality of anomaly data and non-anomaly data are managed for each combination of the host machine 110 and the monitored resource by the first data management table T1.

In addition, the data collection unit 210 collects INC tickets and change request tickets from the management server 190. More specifically, the data collection unit 210 periodically accesses the management server 190 in units of several minutes to a dozen minutes, and collects INC tickets and change request tickets managed by the management server 190. When the data collection unit 210 collects the INC ticket and the change request ticket, the collected INC ticket and the change request ticket are stored in the data storage unit 220. As a result, the data storage unit 220 stores the INC ticket and the change request ticket. The INC ticket is managed for each issuer by the second data management table T2 and the third data management table T3. Further, the change request ticket is managed by the fourth data management table T4.

Here, as shown in FIG. 6A, the second data management table T2 manages a plurality of INC tickets issued by the event monitoring server 170. Further, the third data management table T3 manages a plurality of INC tickets issued by the user terminal. The second data management table T2 has a plurality of fields such as a ticket ID, an issue date and time, a service name, a host machine, and a title. An identifier that identifies an INC ticket is registered in the ticket ID field. The issue date and time of the INC ticket is registered in the issue date and time field. The name of the service related to the event that occurred is registered in the service name field. The name or identifier of the host machine 110 that executes the service is registered in the field of the host machine. The content of the event that occurred is registered in the title field. Since the third data management table T3 is basically the same as the second data management table T2, detailed description thereof will be omitted.

On the other hand, as shown in FIG. 6B, the fourth data management table T4 manages a plurality of change request tickets issued by the operation terminal 300. The fourth data management table T4 has a plurality of fields such as a ticket ID, an issue date and time, a service name, a host machine, and a title. An identifier that identifies the change request ticket is registered in the ticket ID field. The issue date and time of the change request ticket is registered in the issue date and time field. In the service name field, the name of the service affected by the change of the host machine 110 is registered. The name or identifier of the host machine 110 that executes the service is registered in the field of the host machine. Changes such as modifications and corrections are registered in the title field.

The anomaly detection unit 230 acquires monitoring data from the data storage unit 220, and executes anomaly event detection processing for the acquired monitoring data. For example, the anomaly detection unit 230 generates a normal distribution of monitoring data (specifically, the data value of the monitoring data) for each combination of the host machine 110 and the monitored resource based on the monitoring data acquired from the data storage unit 220. Then, the monitoring data separated by 2σ or more from the average value μ of the normal distribution is detected as an anomaly event. The anomaly detection unit 230 registers the identification flag "1" as an analysis result in the field of the anomaly analysis result included in the first data management table T1 for the monitoring data in which the anomaly event is detected. The anomaly detection unit 230 registers the detection date and time in the field of the anomaly detection date and time included in the first data management table T1 for the monitoring data in which the anomaly event is detected. On the other hand, the anomaly detection unit 230 registers the identification flag "0" in the anomaly analysis result included in the first data management table T1 as the analysis result for the monitoring data in which the anomaly event is not detected. That is, the anomaly detection unit 230 classifies the monitoring data into anomaly data and non-anomaly data.

The display order control unit 240 controls the display order of the anomaly information. More specifically, when the anomaly detection unit 230 classifies the monitoring data into anomaly data and non-anomaly data, the display order control unit 240 acquires the anomaly data, the INC ticket, and the change request ticket from the data storage unit 220. In particular, the display order control unit 240 acquires both the INC ticket issued by the event monitoring server 170 and the INC ticket issued by the user terminal. When the display order control unit 240 acquires the anomaly data, the INC ticket, and the change request ticket, the display order control unit 240 refers to the configuration information stored in the CMDB 140, and performs various processes based on the anomaly data, the INC ticket, the change request ticket, and the configuration information. To determine the display order of the anomaly information. The details of the processing executed by the display order control unit 240 will be described later. When the display order control unit 240 determines the display order, the display order control unit 240 generates the display target data in which the display order is registered and stores it in the data storage unit 220. The display target data is managed by the fifth data management table T5.

Here, as shown in FIG. 7, the fifth data management table T5 has a plurality of fields such as anomaly ID, detection date and time, elapsed time, host machine, and monitored resource. An identifier that identifies the data to be displayed is registered in the field of the anomaly ID. The anomaly ID is assigned by the display order control unit 240 each time the display target data is generated. The anomaly detection date and time of the anomaly data is registered in the detection date and time field. In the elapsed time field, the elapsed time elapsed from the anomaly detection date and time to the current date and time is registered. That is, the elapsed time represents the difference between the anomaly detection date and time and the current date and time. The name or identifier of the host machine 110 of the anomaly data is registered in the field of the host machine. The name of the monitored resource of the anomaly data is registered in the field of the monitored resource.

Further, as shown in FIG. 7, the fifth data management table T5 has a plurality of fields such as the number of INC tickets (issued by the server), the number of change request tickets, and the number of INC tickets (issued by the user). The number of INC tickets issued by the event monitoring server 170 is registered in the field of the number of INC tickets (issued by the server). In the field of the number of change request tickets, the number of change request tickets issued by the operation terminal 300 is registered. The number of INC tickets issued by the user terminal is registered in the field of the number of INC tickets (issued by the user). Since each INC ticket issued by the event monitoring server 170 and the user terminal includes the name of the host machine 110, the number of each INC ticket can be specified for each host machine 110. .. Further, since the name of the host machine 110 is included in the change request ticket, the number of change request tickets can be specified for each host machine 110.

Further, as shown in FIG. 7, the fifth data management table T5 has a plurality of fields such as the number of continuous detections, the number of related services, and the display order. In the field of the number of continuous detections, the number of times that the anomaly event that occurred for the monitored resource is continuously detected is registered. For example, when the anomaly event generated for the monitored resource is continuously detected for 4 minutes at 1-minute intervals, the numerical value "4" is registered in the field of the number of continuous detections. The number of continuous detections is an example of the detection frequency, and the number of times anomaly events are detected per unit time may be used as the detection frequency. In the field of the number of related services, the number of other services related to the service executed by the host machine 110 is registered. For example, based on the configuration information (see FIG. 2), the host machine 110 having the name "host 1" executes the service 1 and the service 2, and the host machine 110 having the name "host 2" executes the service 1. The three services 3 to 5 are executed. Therefore, as shown in FIG. 7, the numerical value "3" is registered in the field of the number of related services corresponding to the host machine 110 having the name "host 1". The display order determined by the display order control unit 240 based on the anomaly data, the INC ticket, the change request ticket, and the configuration information is registered in the display order field. In this embodiment, 123 display target data are managed by the fifth data management table T5.

When the data visualization unit 250 receives a screen display request for displaying the anomaly list screen from the operation terminal 300, the data visualization unit 250 acquires display target data from the data storage unit 220 and visualizes the acquired display target data. For example, the data visualization unit 250 sorts the acquired display target data based on the display order, and generates anomaly information excluding the display order field from the sorted display target data. When the data visualization unit 250 generates the anomaly information, the data visualization unit 250 displays the anomaly list screen including the generated anomaly information on the display unit 320 of the operation terminal 300.

Subsequently, the operation of the analysis server 200 will be described.

FIG. 8 is a flowchart showing an example of the first process executed by the data collection unit 210. The data collection unit 210 periodically executes the first process at predetermined time intervals. First, the data collection unit 210 collects monitoring data from the performance monitoring server 150 (step S101), and stores the collected monitoring data in the data storage unit 220 (step S102). When the process of step S102 is completed, the data collection unit 210 collects various tickets from the management server 190 (step S103), and stores the collected tickets in the data storage unit 220 (step S104). That is, the data collection unit 210 collects each INC ticket and a change request ticket from different issuers, and stores the collected INC ticket and the change request ticket in the data storage unit 220. The data collection unit 210 may collect and store the ticket and then collect and store the monitoring data. When the process of step S104 is completed, the data collection unit 210 ends the process.

FIG. 9 is a flowchart showing an example of the second process executed by the anomaly detection unit 230 and the display order control unit 240. FIG. 10 is a diagram illustrating an example of display priority. The anomaly detection unit 230 and the display order control unit 240 periodically execute the second process. First, as shown in FIG. 9, the anomaly detection unit 230 determines whether or not the set time has arrived (step S201). The set time is a time longer than the above-mentioned predetermined time (for example, several hours such as one hour). For example, the data collection unit 210 collects monitoring data and various tickets every 10 minutes and stores them in the data storage unit 220, and the anomaly detection unit 230 determines whether or not to execute the processing after the processing of step S201 every hour. To judge.

For example, if the set time has not arrived since the anomaly detection unit 230 last executed the processing after the processing of step S201 (step S201: NO), the processing of subsequent steps S202 to S213 is skipped. As a result, the data collection unit 210 collects the monitoring data and various tickets and stores them in the data storage unit 220 every 10 minutes after collecting the monitoring data and various tickets. As a result, time-series monitoring data and various tickets are stored in the data storage unit 220.

On the other hand, when the set time has arrived since the anomaly detection unit 230 last executed the processing after the processing of step S201 (step S201: YES), the anomaly detection unit 230 acquires monitoring data from the data storage unit 220. (Step S202). When the process of step S202 is completed, the anomaly detection unit 230 executes the anomaly event detection process (step S203), and registers the analysis result and the detection date and time in the first data management table T1 (step S204). As a result, the monitoring data is classified into anomaly data and non-anomaly data.

When the process of step S204 is completed, the display order control unit 240 then acquires anomaly data from the data storage unit 220 (step S205), and then acquires various tickets (step S206). When the process of step S204 is completed, the display order control unit 240 then refers to the configuration information stored in the CMDB 140 (step S207) and specifies the number of related services (step S208). When the process of step S208 is completed, the display order control unit 240 then calculates the number of continuous detections (step S209) and specifies the number of tickets (step S210). In particular, the display order control unit 240 specifies the number of tickets for each host machine 110 for each type of ticket. As a result, the number of INC tickets issued by the event monitoring server 170 to the specific host machine 110, the number of INC tickets issued by the user terminal to the specific host machine 110, and the operation terminal 300 are specified. The number of change request tickets issued to the host machine 110 is specified.

When the process of step S210 is completed, the display order control unit 240 measures the elapsed time (step S211), and then determines the display order (step S212). More specifically, the display order control unit 240 determines the number of related services, the number of continuous detections, the number of INC ticket tickets issued by the event monitoring server 170, the number of INC ticket tickets issued by the user terminal, the elapsed time, and predetermined time. The display order of the anomaly information is determined based on the display priority. The display order control unit 240 may use the number of change request tickets issued by the operation terminal 300 when determining the display order.

Here, as shown in FIG. 10, the highest display priority is defined in the number of related services. Then, the display priority is determined in the order of the number of continuous detections, the number of INC ticket tickets issued by the user terminal, and the number of INC ticket tickets issued by the event monitoring server 170, and the lowest display priority is determined for the elapsed time. ing. These priorities may be determined according to, for example, the magnitude of the impact when a problem occurs. Therefore, for example, the display target data in which the numerical value "5" is registered in the number of related services and the numerical value "1" is registered in the number of continuous detections, and the numerical value "3" is registered in the number of related services, and the numerical value "3" is registered in the number of continuous detections. When the display target data in which "9" is registered exists, the anomaly information corresponding to the display target data of the former is displayed higher than the anomaly information corresponding to the display target data of the latter.

Further, the number of related services, the number of continuous detections, the number of INC ticket tickets issued by the user terminal, and the number of INC ticket tickets issued by the event monitoring server 170 are all the data to be displayed as the number increases. Anomaly information according to is displayed at the top. Conversely, the smaller the number of related services, the number of continuous detections, the number of INC ticket tickets issued by the user terminal, and the number of INC ticket tickets issued by the event monitoring server 170, the more the display target. Anomaly information according to the data is displayed at the bottom. For example, when there are two display target data in which the numerical value "3" is registered in the number of related services, the numerical value "9" is registered in the continuous detection number in one display target data and the other display target data. When the numerical value "7" is registered in the number of continuous detections, the anomaly information corresponding to the display target data of the former is displayed higher than the anomaly information corresponding to the display target data of the latter.

However, with regard to the elapsed time, the shorter the elapsed time, the higher the anomaly information is displayed. The shorter the time from the detection of the anomaly event to the current time, the sooner the operator is required to respond. This is because it is assumed that no problem has occurred for anomaly events that take a long time from the detection of the anomaly event to the current time.

Returning to FIG. 9, when the process of step S212 is completed, the display order control unit 240 generates display target data in which the determined display order is registered, and stores the generated display target data in the data storage unit 220 (step S213). .. As a result, the data storage unit 220 stores the display target data managed by the fifth data management table T5 (see FIG. 7). When the process of step S213 is completed, the anomaly detection unit 230 and the display order control unit 240 end the process. The anomaly detection unit 230 and the display order control unit 240 dynamically and repeatedly execute the processes described above. In particular, since the display order control unit 240 periodically determines the display order based on the number of related services, the number of continuous detections, the number of various INC tickets, and the like, the display order dynamically changes.

FIG. 11 is a flowchart showing an example of the third process executed by the data visualization unit 250. FIG. 12 is an example of the anomaly list screen. FIG. 13 is an example of an anomaly detail screen. The screen layouts of the anomaly list screen and the anomaly detail screen may be changed as appropriate.

First, as shown in FIG. 11, the data visualization unit 250 waits until the screen display request is received from the operation terminal 300 (step S301: NO). When the data visualization unit 250 receives the screen display request (step S301: YES), the data visualization unit 250 displays the anomaly list screen (step S302). More specifically, the data visualization unit 250 displays the elapsed time, which is the difference between the anomaly detection date and time and the current date and time, within a predetermined specific time (for example, 24 hours) from the display target data stored in the data storage unit 220. The target data is extracted, and the anomaly list screen is generated and displayed based on the extracted display target data.

As shown in FIG. 12, the anomaly list screen includes the number of detected anomaly events and a list of a plurality of anomaly information arranged in order of priority. Although the upper-order anomaly information is shown in FIG. 12, the lower-level anomaly information may be displayed by providing a vertical scroll bar. In addition, the anomaly list screen has a pie chart showing the percentage of elapsed time and a breakdown of elapsed time, a pie chart showing the percentage of host machine 110 and a breakdown of the names of host machines 110, and a pie chart and monitoring showing the percentage of monitored resources. Contains a breakdown of the names of the target resources. In particular, the name of the host machine 110 and the name of the monitored resource are displayed in descending order of the number of detected anomaly events. When the name of the host machine 110 and the name of the monitored resource are specified, the data visualization unit 250 narrows down and displays the anomaly information including the specified name from the displayed anomaly information list. In this way, even if a large number of anomaly events are detected, the anomaly information related to these anomaly events is displayed in order of priority, so that the operator is less likely to make a mistake in determining the priority of response to the anomaly event. do. As a result, it is possible to prevent problems from occurring due to delays in responding to anomaly events. Since the information related to the anomaly information is also displayed, the possibility of erroneous determination of the priority is further reduced.

Returning to FIG. 11, when the process of step S302 is completed, the data visualization unit 250 then waits until the operation terminal 300 accepts the designation of the anomaly information (step S303: NO). When the data visualization unit 250 receives the designation of the anomaly information (step S303: YES), the anomaly detail screen is displayed (step S304). More specifically, the data visualization unit 250 displays an anomaly detail screen regarding the specified anomaly information.

For example, as shown in FIG. 12, when any one of the anomaly information is specified and instructed (for example, click or tap) from a plurality of anomaly information displayed on the anomaly detail screen by the pointer Pt, the data visualization unit 250 Accepts the designation of anomaly information. In this embodiment, the anomaly information of the anomaly ID "88" is designated by the pointer Pt. When the data visualization unit 250 receives the designation of the anomaly information, as shown in FIG. 13, the data visualization unit 250 displays the anomaly detail screen regarding the designated anomaly information.

In particular, the data visualization unit 250 extracts monitoring data including these names from the data storage unit 220 based on the name of the host machine 110 and the name of the monitored resource included in the designated anomaly information, graphs the data, and graphs the data. The graph GR1 representing the converted monitoring data is displayed in the anomaly detail screen. Since the extracted monitoring data contains both anomaly data and non-anomaly data, the data visualization unit 250 assigns a mark M1 to the graphed portion of the anomaly data and highlights it.

Further, the data visualization unit 250 extracts all the related service names associated with the name from the CMDB 140 based on the name of the host machine 110 included in the designated anomaly information and displays it in the anomaly detail screen. Further, the data visualization unit 250 extracts an INC ticket and a change request ticket including the name from the data storage unit 220 based on the name of the host machine 110 included in the designated anomaly information and displays it in the anomaly detail screen. .. In particular, the data visualization unit 250 extracts the INC ticket and the change request ticket in which the issue date and time within one hour before and after the detection date and time of the anomaly event are registered and displays them in the anomaly detail screen. Although the INC ticket issued by the event monitoring server 170 is shown in FIG. 13, it may be an INC ticket issued by the user terminal.

As described above, according to the first embodiment, the analysis server 200 includes an anomaly detection unit 230, a display order control unit 240, and a data visualization unit 250. The anomaly detection unit 230 executes anomaly event detection processing for detecting an anomaly event that has occurred in any of the plurality of host machines 110 based on the monitoring data of the plurality of host machines 110 included in the monitored system 100. When a plurality of anomaly events are detected, the display order control unit 240 refers to the CMDB 140 that stores the configuration information indicating the relationship between the plurality of services executed by the monitored system 100. Then, the display order control unit 240 determines the number of other services having a specific relationship to the service executed by the host machine 110 for each host machine 110 from which each of the detected plurality of anomaly events occurs. Specify as the number of related services. The data visualization unit 250 displays the anomaly information about the detected plurality of anomaly events on the display unit 320 of the operation terminal 300 in the display order according to the specified number of related services. As a result, it is possible to suppress the occurrence of problems due to the delay in responding to anomaly events.

Further, the anomaly detection unit 230 executes anomaly event detection processing for detecting an anomaly event that has occurred in any of the plurality of monitored resources based on the monitoring data of the plurality of monitored resources included in the monitored system 100. When a plurality of anomaly events are detected, the display order control unit 240 calculates the number of consecutive detections of anomaly events that have occurred for the monitored resource for each monitored resource that is the source of each of the detected anomaly events. .. The data visualization unit 250 displays anomaly information about a plurality of detected anomaly events on the display unit 320 of the operation terminal 300 in a display order according to the calculated number of continuous detections. Similarly, such processing can suppress the occurrence of problems due to the delay in responding to anomaly events.

(Second Embodiment)
Subsequently, the second embodiment of the present case will be described with reference to FIGS. 14 to 16.

14 and 15 are other examples of the anomaly list screen. FIG. 16 is another example of the anomaly detail screen. In the second embodiment, when a plurality of anomaly events are detected, the display order control unit 240 identifies the host machine 110 from which each of the detected plurality of anomaly events occurs. On the other hand, when the data visualization unit 250 determines that the host machine 110 specified by the display order control unit 240 is common and the difference in the detection date and time of the anomaly event generated in the specified host machine 110 is within the threshold time. , Displays the representative anomaly information that aggregates the anomaly information about multiple detected anomaly events.

As a result, as shown in FIG. 14, when the difference between the detection dates and times is within the threshold time (for example, 5 minutes) for the anomaly information of the two common host machines 110 having the name of "host 5", the data is obtained. The visualization unit 250 displays the aggregation mark G1 indicating that the anomaly information can be aggregated and displayed. Then, when the aggregation mark G1 is designated and instructed by the pointer Pt, the data visualization unit 250, based on the instruction, attaches the higher priority anomaly information to the lower anomaly information as shown in FIG. Are aggregated, and the anomaly information with the higher priority is displayed as the representative anomaly information.

Then, the data visualization unit 250 displays the representative anomaly information, and adds the aggregation mark G2 to the representative anomaly information and displays it. When the aggregation mark G2 is designated and instructed by the pointer Pt, the data visualization unit 250 develops representative anomaly information as shown in FIG. 14 based on the instruction. When the anomaly information is aggregated, the data visualization unit 250 displays all the names of the monitored resources before aggregation, but for display items other than the monitored resources (for example, the number of continuous detections and the number of related services), Priority is given to the display items of the representative anomaly information.

On the other hand, as shown in FIG. 15, when the remaining area excluding the display area of the aggregate mark G2 from the display area of the anomaly information on which the aggregate mark G2 is displayed is designated and instructed by the pointer Pt, the data visualization unit 250 Accepts the specification of the specified anomaly information. When the data visualization unit 250 receives the designation of the anomaly information, as shown in FIG. 16, the data visualization unit 250 displays the anomaly detail screen regarding the designated anomaly information. In this case, the anomaly detail screen extracts and graphs each monitoring data of the monitored resource before aggregation, and displays graphs GR1 and GR2 representing the graphed monitoring data in the anomaly detail screen. As described in the first embodiment, since the extracted monitoring data contains anomaly data and non-anomaly data, the data visualization unit 250 assigns marks M1 and M2 to the graphed portion of the anomaly data to emphasize it. And display. As a result, the operator can collectively respond to a plurality of anomaly events that occur in the common host machine 110.

When the data visualization unit 250 refers to the CMDB 140 that stores the configuration information and determines that there is a specific relationship between the services executed by each of the specified host machines 110, the data visualization unit 250 determines that there is a specific relationship. Anomaly information about anomaly events that have occurred in each of the host machines 110 that execute the determined service may be displayed side by side. Specific relationships include, for example, the presence or absence of related services and whether or not the detection date and time is within the threshold time.

As a result, for example, the service executed by the host machine 110 having the name "host 5" and the service executed by the host machine 110 having the name "host 4" are related, and the difference between the detection dates and times is the threshold time. If it is within (for example, 5 minutes), the data visualization unit 250 determines that there is a specific relationship, and as shown in FIG. 14, the anomaly information having the name of "host 5" and the "host 4" Anomaly information with a name is displayed side by side in the order of priority. When displaying the anomaly information side by side, the anomaly information before the arrangement may be left or excluded from the display target. In the present embodiment, the anomaly information having the name of "host 4" is left and displayed. As a result, the operator can collectively respond to a plurality of anomaly events related to the service.

Although the preferred embodiments of the present invention have been described in detail above, the present invention is not limited to the specific embodiments of the present invention, and various modifications are made within the scope of the gist of the present invention described in the claims.・ Can be changed. For example, at least one of the first to third processes described above may be executed by various servers other than the analysis server 200, such as the management server 190, or may be executed by the operation terminal 300.

The following additional notes will be further disclosed with respect to the above explanation.
(Appendix 1) Based on the monitoring data of a plurality of machines included in the system, anomaly event detection processing for detecting an anomaly event generated in any of the plurality of machines is performed, and when a plurality of anomaly events are detected, the above With reference to a storage unit that stores information indicating the relationship between multiple services executed in the system, for each of the machines that originated each of the detected multiple anomaly events, for the service executed on that machine. The computer processes the process of identifying the number of other services having a specific relationship and displaying the detected information on the plurality of anomaly events on the display unit in an order according to the number of the identified other services. An order control program characterized by being executed by a computer.
(Appendix 2) When anomaly event detection processing is performed to detect anomaly events that have occurred in any of the multiple monitoring targets based on the monitoring data of multiple monitoring targets included in the system, and multiple anomaly events are detected. , The detection frequency of the anomaly event that occurred for the monitored target is calculated for each of the monitoring targets of the occurrence source of each of the plurality of detected anomaly events, and the information about the detected plurality of anomaly events is calculated. An order control program characterized by having a computer execute a process that is displayed on the display unit in an order according to the frequency.
(Appendix 3) The incident information that identifies the number of incident information based on an event that can cause a decrease in the service level of a plurality of services executed by the system, and identifies information on the detected plurality of anomaly events. The order control program according to Appendix 1 or 2, wherein the processing is displayed in an order corresponding to the number of the above.
(Appendix 4) A process of measuring the time elapsed since the detection of the anomaly event and displaying the detected information on the plurality of anomaly events in the order corresponding to the measured time is executed. The order control program according to any one of Supplementary note 1 to 3, which is characterized.
(Appendix 5) The sequence control program according to Appendix 4, wherein the shorter the measured time, the higher the information about the detected plurality of anomaly events is displayed, and the process is executed.
(Appendix 6) When a plurality of anomaly events are detected, the machine from which each of the detected plurality of anomaly events is generated is identified, and information indicating the relationship between the plurality of services executed by the system is stored. When it is determined that there is a specific relationship between the services executed by each of the specified machines by referring to the storage unit, it occurs in each machine executing the service determined to have the specific relationship. The order control program according to any one of Supplementary note 1 to 5, wherein information related to anomaly events is displayed side by side, and processing is executed.
(Appendix 7) When a plurality of anomaly events are detected, the machine from which each of the detected plurality of anomaly events is generated is specified, and the identified machines are common and the anomalies generated in the specified machine are common. When it is determined that the difference in the detection time of the event is within the threshold time, the representative information that aggregates the information on the plurality of detected anomaly events is displayed, and the processing is executed. The order control program according to any one of the above items.
(Appendix 8) Based on the monitoring data of a plurality of machines included in the system, anomaly event detection processing for detecting an anomaly event generated in any of the plurality of machines is performed, and when a plurality of anomaly events are detected, the above-mentioned With reference to a storage unit that stores information indicating the relationship between multiple services executed in the system, for each of the machines that originated each of the detected multiple anomaly events, for the service executed on that machine. The computer processes the process of identifying the number of other services having a specific relationship and displaying the detected information on the plurality of anomaly events on the display unit in an order according to the number of the identified other services. An order control method characterized by the execution of.
(Appendix 9) When anomaly event detection processing is performed to detect anomaly events that have occurred in any of the plurality of monitoring targets based on the monitoring data of a plurality of monitoring targets included in the system, and a plurality of anomaly events are detected. , The detection frequency of the anomaly event that occurred for the monitored target is calculated for each of the monitored targets of the source of each of the detected plurality of anomaly events, and the information about the detected plurality of anomaly events is calculated. An order control method characterized in that a computer executes processing, which is displayed on a display unit in an order according to frequency.
(Appendix 10) Based on the monitoring data of a plurality of machines included in the system, anomaly event detection processing for detecting an anomaly event generated in any of the plurality of machines is performed, and when a plurality of anomaly events are detected, the above-mentioned With reference to a storage unit that stores information indicating the relationship between a plurality of services executed by the system, for each of the machines from which each of the plurality of anomaly events detected is generated, for the service executed by the machine. The process of identifying the number of other services having a specific relationship and displaying the detected information on the plurality of anomaly events on the display unit in the order according to the number of the identified other services is executed. An information processing device characterized by having a processing unit for processing.
(Appendix 11) When anomaly event detection processing is performed to detect anomaly events that have occurred in any of the plurality of monitoring targets based on the monitoring data of a plurality of monitoring targets included in the system, and a plurality of anomaly events are detected. , The detection frequency of the anomaly event that occurred for the monitored target was calculated for each of the monitored targets of the occurrence source of each of the plurality of detected anomaly events, and the information about the detected plurality of anomaly events was calculated. An information processing apparatus having a processing unit for executing processing, which is displayed on the display unit in an order according to frequency.
(Appendix 12) The processing unit identifies the number of incident information based on an event that can cause a decrease in the service level of a plurality of services executed by the system, and obtains information on the detected plurality of anomaly events. The information processing apparatus according to Appendix 10 or 11, wherein the information processing apparatus is displayed in an order corresponding to the number of the specified incident information.
(Appendix 13) The processing unit measures the time elapsed since the detection of the anomaly event, and displays the information regarding the detected plurality of anomaly events in the order corresponding to the measured time. The information processing apparatus according to any one of Supplementary note 10 to 12, wherein the information processing apparatus is characterized by the above-mentioned item 1.
(Supplementary Note 14) The information processing apparatus according to Supplementary Note 13, wherein the processing unit displays information on the detected plurality of anomaly events at a higher level as the measured time becomes shorter.
(Appendix 15) When a plurality of anomaly events are detected, the processing unit identifies the machine from which each of the detected plurality of anomaly events is generated, and determines the relationship between the plurality of services executed by the system. When it is determined that there is a specific relationship between the services executed on each of the specified machines by referring to the storage unit that stores the indicated information, the service determined to have the specific relationship is executed. The information processing apparatus according to any one of Supplementary note 10 to 14, wherein information on anomaly events generated in each machine is displayed side by side.
(Appendix 16) When a plurality of anomaly events are detected, the processing unit identifies the machine from which each of the detected plurality of anomaly events is generated, and the identified machines are common and specified. When it is determined that the difference in the detection time of the anomaly event generated in the machine is within the threshold time, the representative information that aggregates the information on the plurality of detected anomaly events is displayed. The information processing apparatus according to any one of 15.

S Information processing system 100 Monitored system 110 Host machine 130 Configuration collection server 140 CMDB
150 Performance monitoring server 170 Event monitoring server 190 Management server 200 Analysis server 210 Data collection unit 220 Data storage unit 230 Anomaly detection unit 240 Display order control unit 250 Data visualization unit 300 Operation terminal

Claims (10)

Based on the monitoring data of a plurality of machines included in the system, anomaly event detection processing for detecting an anomaly event occurring in any of the plurality of machines is performed.
When a plurality of anomaly events are detected, each of the machines from which the plurality of anomaly events are detected is referred to by referring to a storage unit that stores information indicating the relationship between the plurality of services executed by the system. To identify the number of other services that have a particular relationship to the services running on that machine.
The time elapsed since the detection of the multiple anomaly events was measured, and the time elapsed was measured.
Information about the detected plurality of anomaly events is displayed on the display unit in an order according to the number of the specified other services.
The shorter the measured time, the higher the information about the detected plurality of anomaly events is displayed .
An order control program characterized by having a computer perform processing. Based on the monitoring data of a plurality of monitoring targets included in the system, anomaly event detection processing for detecting an anomaly event that has occurred in any of the plurality of monitoring targets is performed.
When a plurality of anomaly events are detected, the detection frequency of the anomaly events that have occurred for the monitored target is calculated for each monitoring target of the source of each of the detected plurality of anomaly events.
The time elapsed since the detection of the multiple anomaly events was measured, and the time elapsed was measured.
Information on the detected plurality of anomaly events is displayed on the display unit in the order according to the calculated detection frequency.
The shorter the measured time, the higher the information about the detected plurality of anomaly events is displayed .
An order control program characterized by having a computer perform processing. Based on the monitoring data of a plurality of machines included in the system, anomaly event detection processing for detecting an anomaly event occurring in any of the plurality of machines is performed.
When multiple anomaly events are detected, the machine from which each of the detected multiple anomaly events is generated is identified.
When it is determined that the specified machines are common and the difference in the detection time of the anomaly events that occurred in the specified machine is within the threshold time, the representative that aggregates the information on the plurality of detected anomaly events. Display information on the display
An order control program characterized by having a computer perform processing. Based on the monitoring data of a plurality of monitoring targets included in the system, anomaly event detection processing for detecting an anomaly event that has occurred in any of the plurality of monitoring targets is performed.
When multiple anomaly events are detected, the machine from which each of the detected multiple anomaly events is generated is identified.
When it is determined that the specified machines are common and the difference in the detection time of the anomaly events that occurred in the specified machine is within the threshold time, the representative that aggregates the information on the plurality of detected anomaly events. Display information on the display
An order control program characterized by having a computer perform processing. Identify the number of incident information based on events that can cause service level degradation for multiple services running on the system.
Information about the plurality of detected anomaly events is displayed in an order according to the number of the identified incident information.
The order control program according to any one of claims 1 to 4, wherein the process is executed. When multiple anomaly events are detected, the machine from which each of the detected multiple anomaly events is generated is identified.
When it is determined that there is a specific relationship between the services executed on each of the specified machines by referring to the storage unit that stores the information indicating the relationship between the plurality of services executed by the system, the specification is performed. Display side-by-side information about anomaly events that occurred on each machine running a service that was determined to be related to
The order control program according to any one of claims 1 to 5, wherein the process is executed. Based on the monitoring data of a plurality of machines included in the system, anomaly event detection processing for detecting an anomaly event occurring in any of the plurality of machines is performed.
When a plurality of anomaly events are detected, each of the machines from which the plurality of anomaly events are detected is referred to by referring to a storage unit that stores information indicating the relationship between the plurality of services executed by the system. To identify the number of other services that have a particular relationship to the services running on that machine.
The time elapsed since the detection of the multiple anomaly events was measured, and the time elapsed was measured.
Information about the detected plurality of anomaly events is displayed on the display unit in an order according to the number of the specified other services.
The shorter the measured time, the higher the information about the detected plurality of anomaly events is displayed .
An order control method characterized by a computer performing processing. Based on the monitoring data of a plurality of monitoring targets included in the system, anomaly event detection processing for detecting an anomaly event that has occurred in any of the plurality of monitoring targets is performed.
When a plurality of anomaly events are detected, the detection frequency of the anomaly events that have occurred for the monitored target is calculated for each monitoring target of the source of each of the detected plurality of anomaly events.
The time elapsed since the detection of the multiple anomaly events was measured, and the time elapsed was measured.
Information on the detected plurality of anomaly events is displayed on the display unit in the order according to the calculated detection frequency.
The shorter the measured time, the higher the information about the detected plurality of anomaly events is displayed .
An order control method characterized by a computer performing processing. Based on the monitoring data of a plurality of machines included in the system, anomaly event detection processing for detecting an anomaly event occurring in any of the plurality of machines is performed.
When a plurality of anomaly events are detected, each of the machines from which the plurality of anomaly events are detected is referred to by referring to a storage unit that stores information indicating the relationship between the plurality of services executed by the system. To identify the number of other services that have a particular relationship to the services running on that machine.
The time elapsed since the detection of the multiple anomaly events was measured, and the time elapsed was measured.
Information about the detected plurality of anomaly events is displayed on the display unit in an order according to the number of the specified other services.
The shorter the measured time, the higher the information about the detected plurality of anomaly events is displayed .
An information processing device characterized by having a processing unit that executes processing. Based on the monitoring data of a plurality of monitoring targets included in the system, anomaly event detection processing for detecting an anomaly event that has occurred in any of the plurality of monitoring targets is performed.
When a plurality of anomaly events are detected, the detection frequency of the anomaly events that have occurred for the monitored target is calculated for each monitoring target of the source of each of the detected plurality of anomaly events.
The time elapsed since the detection of the multiple anomaly events was measured, and the time elapsed was measured.
Information on the detected plurality of anomaly events is displayed on the display unit in the order according to the calculated detection frequency.
The shorter the measured time, the higher the information about the detected plurality of anomaly events is displayed .
An information processing device characterized by having a processing unit that executes processing.

Images