CN113961441B - Alarm event processing methods, audit methods, devices, equipment, media and products - Google Patents

Info

Publication number
CN113961441B
Authority
CN
China
Prior art keywords
alarm
alarm event
event
data
priority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111279365.9A
Other languages
Chinese (zh)
Other versions
CN113961441A (en
Inventor
张蕊
贺卉珍
敬涛
楼闯宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202111279365.9A
Publication of CN113961441A
Application granted
Publication of CN113961441B

Classifications

    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/30: Monitoring
    • G06F11/34: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3452: Performance evaluation by statistical analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Probability & Statistics with Applications (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Hardware Design (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Quality & Reliability (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Alarm Systems (AREA)

Abstract

The present disclosure provides an alarm event processing method, which can be applied to the fields of information security technology and artificial intelligence, including: calculating the alarm guidance degree of a first alarm event, and the text similarity and association relation between the alarm data of the first alarm event and that of each second alarm event; and obtaining the processing priority of the first alarm event based on the alarm level of the first alarm event, the alarm level of the second alarm events whose text similarity and/or association relation meet preset conditions, and the alarm guidance degree, so as to process the first alarm event according to the priority. The present disclosure also provides an alarm event auditing method, including: calculating the text similarity and association relation between the problem root cause analysis report of a first alarm event and each second alarm event, and counting the second alarm events whose text similarity and/or association relation with the first alarm event meet preset conditions. The present disclosure also provides corresponding apparatuses, devices, storage media and program products.

Description

Alarm event processing method, audit method, device, equipment, medium and product
Technical Field
The present disclosure relates to the field of artificial intelligence, and in particular, to an alarm event processing method, an audit method, an apparatus, a device, a medium, and a program product.
Background
With the gradual adoption of cloud computing and distributed systems, information systems of all kinds are developing rapidly. Because the data centers of these information systems hold large amounts of computing, storage and network resources and a large number of nodes, the number of monitoring alarms received by a daily monitoring platform reaches tens of thousands. Existing solutions for monitoring alarms, however, rely mainly on simple rule screening and manual handling by operation and maintenance personnel. Processing efficiency is low and the manual handling pressure is great, which leads to problems such as untimely alarm handling, incomplete alarm discovery and high pressure from handling redundant alarms. How to effectively monitor, alarm on and perform emergency handling for such information systems is a problem to be solved at present.
Disclosure of Invention
In view of the foregoing, the present disclosure provides an alarm event processing method, an audit method, an apparatus, a device, a medium, and a program product that improve the efficiency of alarm event processing.
According to a first aspect of the present disclosure, an alarm event processing method is provided, which includes: obtaining a first alarm event and its alarm data, and obtaining all second alarm events and their alarm data within a first preset time period that includes the occurrence time of the first alarm event; analyzing the alarm data of the first alarm event based on a preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event; calculating the text similarity and association relation between the alarm data of the first alarm event and that of each second alarm event; making a determination according to a preset priority judgment rule, based on the alarm level and the alarm guidance degree of the second alarm event; and processing the first alarm event according to the priority judgment rule.
According to the embodiment of the disclosure, the method for analyzing the alarm data of the first alarm event based on the preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event comprises the steps of setting initial alarm guidance degree, sequentially judging whether a plurality of first key fields in the alarm data of the first alarm event meet the conditions specified by the guidance degree calculation rule or not, wherein the plurality of first key fields are fields representing the environment, state, configuration and maintenance conditions of the first alarm event, and subtracting corresponding values from the initial alarm guidance degree when the first key fields meet the conditions specified by the guidance degree calculation rule to obtain the alarm guidance degree.
According to the embodiment of the disclosure, the method further comprises the steps of calculating the alarm event noise probability of software for generating the first alarm event, and taking the magnitude of the alarm event noise probability as one judgment rule of the guidance degree calculation rule to calculate the alarm guidance degree.
According to the embodiment of the disclosure, calculating the alarm event noise probability of the software generating the first alarm event comprises: constructing an alarm event noise probability fitting function that takes the transaction fluctuation rate of the software and the alarm occurrence time as input and the noise probability of the software as output; and calculating the alarm event noise probability of the first alarm event based on the transaction fluctuation rate of the software and the alarm occurrence time when the first alarm event occurs.
According to the embodiment of the disclosure, the step of taking the magnitude of the alarm event noise probability as one of the judgment rules of the guidance level calculation rule to calculate the alarm guidance level comprises the steps of obtaining an attribute level of the alarm event noise probability based on the magnitude of the alarm event noise probability, and subtracting a value corresponding to the attribute level from the initial alarm guidance level to calculate the alarm guidance level.
According to an embodiment of the disclosure, the calculating the text similarity between the first alarm event and the alarm data of each of the second alarm events includes calculating the text similarity between the first alarm event and at least one second key field in the alarm data of each of the second alarm events, the second key field being a field describing an alarm condition.
According to the embodiment of the disclosure, the method comprises the step of acquiring the alarm level of the second alarm event with the highest text similarity, so as to judge the processing priority of the first alarm event.
According to the embodiment of the disclosure, the method further comprises the steps of obtaining a link monitoring log of software generating the first alarm event and the second alarm event, wherein the link monitoring log is link information of the software transacting in a second preset time period, and cleaning the link monitoring log to generate a frequent n-item set of links of the software transacting, and n is more than or equal to 2.
According to the embodiment of the disclosure, the calculating of the association relation between the first alarm event and the alarm data of each second alarm event comprises the steps of carrying out minimum support scanning calculation on a plurality of third key fields in the alarm data of the first alarm event and all the second alarm events in the first preset time period to obtain an association relation frequent n-term set, wherein each scanning object adds the link frequent n-term set except the association relation frequent n-term set obtained by n-1 scanning, n is more than or equal to 2, and the third key fields are fields with alarm event occurrence association characteristics.
According to the embodiment of the disclosure, the method further comprises the steps of obtaining a list of second alarm events with the same frequent item set of the first alarm event, screening out the second alarm event with the highest alarm level in the list, and using the alarm level of the second alarm event to judge the processing priority of the first alarm event.
According to the embodiment of the disclosure, the higher the alarm level of the first alarm event, the higher the alarm level of the second alarm event, and the lower the alarm guidance degree, the higher the priority of the first alarm event; and the higher the priority, the earlier the first alarm event is processed.
According to the embodiment of the disclosure, the method further comprises the steps of taking a plurality of fourth key fields in the alarm data of the first alarm event and the alarm guidance degree as denoising decision attributes, judging a decision tree, judging whether the first alarm event is noise or not, and taking part in the judgment of the priority judgment rule according to the noise judgment result of the first alarm event, wherein when the first alarm event is noise, the priority is reduced by a preset level on the basis of the priority obtained based on the alarm level of the first alarm event, the alarm level of the second alarm event and the alarm guidance degree.
According to an embodiment of the disclosure, the method further comprises cleaning and normalizing alarm data of the first alarm event and the second alarm event.
According to the embodiment of the disclosure, the method further comprises displaying the processing priority of the first alarm event, and displaying the second alarm events whose text similarity with the first alarm event is greater than a preset threshold and/or which have an association relation with the first alarm event.
The second aspect of the disclosure provides an alarm event auditing method, which comprises the steps of obtaining a problem root analysis report of a first alarm event, obtaining alarm data of all second alarm events in a preset time period, obtaining the problem root analysis report after problem processing based on the alarm data of the first alarm event, calculating text similarity between the problem root analysis report and the alarm data of each second alarm event, calculating association relations between the first alarm event and each second alarm event, and counting the second alarm events, wherein the text similarity and/or the association relations between the second alarm event and the first alarm event meet preset conditions.
According to an embodiment of the disclosure, calculating the text similarity between the problem root cause analysis report and the alert data for each of the second alert events includes calculating the text similarity between the problem root cause analysis report and at least one second key field in the alert data for each of the second alert events, the second key field being a field describing an alert condition.
According to the embodiment of the disclosure, the method comprises the step of counting the second alarm event with the text similarity being larger than a preset threshold value.
According to the embodiment of the disclosure, the method comprises the steps of obtaining a link monitoring log of software generating the first alarm event and the second alarm event, wherein the link monitoring log is link information of the software transacting in a second preset time period, and cleaning the link monitoring log to generate a frequent n-item set of links of the software transacting, and n is more than or equal to 2.
According to the embodiment of the disclosure, calculating the association relationship between the problem root analysis report and the alarm data of each second alarm event comprises carrying out minimum support scanning calculation on a plurality of third key fields in the problem root analysis report and the alarm data of all the second alarm events to obtain a frequent n-term set, wherein each scanning object adds the link frequent n-term set except the association relationship frequent n-term set obtained by the n-1 scanning, n is more than or equal to 2, and the third key field is a field with the alarm event occurrence association characteristic.
According to an embodiment of the present disclosure, the method further comprises counting a second alarm event having the same frequent item set as the first alarm event.
The third aspect of the disclosure provides an alarm event processing device, which comprises a data acquisition module, a guidance degree calculation module, a similarity and incidence relation calculation module and a priority judgment module, wherein the data acquisition module is used for acquiring a first alarm event and alarm data thereof, acquiring all second alarm events and alarm data thereof in a first preset time period including the occurrence time of the first alarm event, the guidance degree calculation module is used for analyzing the alarm data of the first alarm event based on a preset guidance degree calculation rule so as to calculate the alarm guidance degree of the first alarm event, the similarity and incidence relation calculation module is used for calculating the text similarity and incidence relation of the alarm data of the first alarm event and each second alarm event, the priority judgment module is used for judging according to a preset priority judgment rule based on the alarm level, the text similarity and/or the incidence relation of the second alarm event of the first alarm event, and obtaining the processing priority of the first alarm event according to the priority order of the priority.
The fourth aspect of the disclosure provides an alarm event auditing device, which comprises a data acquisition module, a calculation module and a statistics module, wherein the data acquisition module is used for acquiring a problem root analysis report of a first alarm event and acquiring alarm data of all second alarm events in a preset time period, the problem root analysis report is obtained after problem processing is performed on the alarm data of the first alarm event, key fields of the problem root analysis report correspond to key fields of the alarm data, the calculation module is used for calculating text similarity between the problem root analysis report and the alarm data of each second alarm event and calculating association relations between the first alarm event and each second alarm event, and the statistics module is used for counting the second alarm events, wherein the text similarity and/or the association relations between the second alarm events and the first alarm events meet preset conditions.
A fifth aspect of the present disclosure provides an electronic device comprising one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of the first or second aspect.
A sixth aspect of the present disclosure also provides a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of the first or second aspect described above.
A seventh aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method of the first or second aspect described above.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of an alarm event processing method, apparatus, device, medium and program product according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of alarm event handling according to an embodiment of the disclosure;
FIG. 3A schematically illustrates a similarity chart diagram of event sheet cause feedback according to an embodiment of the present disclosure;
FIG. 3B schematically illustrates a similarity chart diagram of an alert summary in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of an alarm event auditing method according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram of an alarm event handling device according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow diagram of an alarm event auditing apparatus according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of an electronic device adapted to implement an alarm event processing method or an alarm event auditing method, according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in the sense in which one of skill in the art would generally understand it (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
It should be noted that, the method and the device for processing an alarm event, the method for auditing an alarm event and the device thereof provided by the present disclosure may be used for processing an alarm event in the aspect of information security in the financial field, and may also be used in any field other than the financial field, and the application fields of the method and the device for processing an alarm event, the method for auditing an alarm event and the device thereof provided by the present disclosure are not limited.
In the technical scheme of the disclosure, the acquisition, storage, application and the like of the related personal information of the user all conform to the provisions of the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
The embodiment of the disclosure provides an alarm event processing method, which comprises: obtaining a first alarm event and its alarm data, and obtaining all second alarm events and their alarm data within a first preset time period that includes the occurrence time of the first alarm event; calculating the alarm guidance degree of the first alarm event, and the text similarity and association relation between the alarm data of the first alarm event and that of each second alarm event; and obtaining the processing priority of the first alarm event based on the alarm level of the first alarm event, the alarm level of the second alarm events whose text similarity and/or association relation meet preset conditions, and the alarm guidance degree, so that the first alarm event is processed according to the priority. Because the priority is obtained from the alarm level of the first alarm event together with the level of the second alarm events strongly related to it, the accuracy is higher. In addition, the alarm guidance degree is added to the priority judgment as an evaluation index, that is, the actual influence of the specific alarm data of the first alarm event is taken into account, which further improves the accuracy of the priority. A higher priority means a more urgent alarm event; processing alarm events by priority improves the emergency handling capability of the equipment or apparatus that applies the alarm event processing method.
Fig. 1 schematically illustrates an application scenario diagram of an alarm event processing method and apparatus according to an embodiment of the disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include an operation system of a bank, where the operation system includes an alarm system for reporting alarm events occurring at various operation nodes of the operation system. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the alarm event processing method provided by the embodiments of the present disclosure may be generally executed by the server 105. Accordingly, the alarm event handling device provided by the embodiments of the present disclosure may be generally disposed in the server 105. The alarm event processing method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the alarm event handling apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The alarm event processing method of the disclosed embodiment will be described in detail with reference to fig. 2 based on the scenario described in fig. 1.
FIG. 2 schematically illustrates a flow chart of an alarm event handling method according to an embodiment of the disclosure.
As shown in fig. 2, the alarm event processing method of this embodiment includes operations S210 to S250, which may be executed in sequence.
In operation S210, a first alarm event and alarm data thereof are acquired, and all second alarm events and alarm data thereof within a first preset time period including an occurrence time of the first alarm event are acquired.
In the embodiment of the disclosure, the first alarm event is an alarm event reported in real time currently, and the second alarm event is an alarm event occurring in the same period as the first alarm event, which is used for assisting in judging the priority of the first alarm event. For example, the first preset time period may be 1 hour, the alarm start time of the first alarm event is located in the middle of the time period, and the second alarm event is all alarm events occurring within half an hour before and after the first alarm event occurs.
The first alarm event and the second alarm event are collected by a preset alarm event monitoring system, and various logs and data required by analysis are mainly collected from the monitoring system, event list, change list, configuration management system, distributed service system and the like to form alarm data.
Optionally, the data types of the alarm data may include monitoring system alarm data, event handling data, configuration management information, transaction link information, and the like. Specifically, the monitoring system alarm data may include key fields such as an alarm ID, an alarm start time, an alarm end time, an IP address, a software name, an alarm level, an alarm summary, an alarm node maintenance department, an association single number, an alarm location, an alarm handling action, and the like. The event handling data may include key fields such as an event single ID, an association alarm ID, an event summary, a cause analysis, an event handling department, and the like. The configuration management information may include key fields such as an IP address, a software node ID, a system node ID, a partition category (including a physical machine, a virtual machine, a container, and the like). The transaction link information may also include key fields such as a software name, a service name, a cluster, and the like.
In operation S220, alarm data of the first alarm event is analyzed based on a preset guidance level calculation rule to calculate an alarm guidance level of the first alarm event.
In the embodiment of the disclosure, the alarm guidance degree is an index that measures the authenticity and credibility of the monitoring alarm information, reflecting how the environment, state, configuration and maintenance condition of the alarm node affect the authenticity and credibility of the alarm. The guidance degree calculation rule comprises a plurality of calculation rules that check, one by one, the alarm data representing the environment, state, configuration and maintenance condition of the first alarm event, and the alarm guidance degree is obtained from the results of these checks. The specific calculation of the alarm guidance degree will be described later.
In operation S230, a text similarity and an association relationship of the alert data of the first alert event and each of the second alert events are calculated.
According to the embodiment of the present disclosure, by calculating the text similarity and association relationship of the first alarm event and the second alarm event, the second alarm event strongly related to the first alarm event may be acquired, and thus the priority of the first alarm event may be determined based on the priority or alarm level of the second alarm event, for example, when the text similarity with the first alarm event answers 97% of the second alarm event, if the alarm level of the first alarm event is relatively low at this time and the alarm level or priority of the second alarm event is relatively high, the priority of the first alarm event may be increased in operation S240 so that the first alarm event may be processed as soon as possible.
In operation S240, the alarm level and the alarm guidance level of the second alarm event, which satisfy the preset conditions based on the alarm level and the text similarity and/or the association relationship of the first alarm event, are determined according to the preset priority determination rule, so as to obtain the processing priority of the first alarm event.
In the embodiment of the disclosure, the priority judgment rule provides specific rules for dividing the alarm level and the alarm guidance degree of the second alarm event, wherein the alarm level, the text similarity and/or the association relation of the second alarm event meet preset conditions, so as to obtain the accurate priority of the first alarm event. As will be described in detail later.
In operation S250, the first alarm event is processed in order of priority.
According to the embodiment of the disclosure, through the similarity analysis and the association analysis of operation S230, second alarm events that are strongly related to the first alarm event but have not yet been processed may be acquired, and the processing of such second alarm events may be completed while the first alarm event is processed, thereby reducing the monitoring alarm handling pressure.
The alarm event processing method provided by the embodiment of the present disclosure will be described in detail below.
According to operation S210, after the alarm data of the first alarm event and the second alarm event are acquired, the method comprises the steps of cleaning and standardizing the alarm data of the first alarm event and the second alarm event.
According to operation S220, calculating the alert guidance level of the first alert event includes operations S221-S223.
In operation S221, an initial alert guidance degree is set.
In operation S222, it is sequentially determined whether a plurality of first key fields in the alarm data of the first alarm event meet the conditions specified by the guidance level calculation rule, where the first key fields are fields representing the environment, state, configuration, and maintenance conditions of the first alarm event.
In the embodiment of the present disclosure, the guidance degree calculation rule may be the plurality of rules shown in Table 1.
Table 1 alarm event guidance degree calculation rule table
In operation S223, when the first key field meets the condition specified by the guidance level calculation rule, the corresponding value is subtracted from the initial warning guidance level to obtain the warning guidance level.
In this embodiment, assume that the initial alarm guidance degree is 5.0. Referring to the calculation rules shown in Table 1, if the IP address of the node generating the current first alarm event is null, the software generating the first alarm event is software hosted by an external unit, and all other key fields of the alarm information in Table 1 meet the rule requirements for the first alarm event, then the alarm guidance degree of the first alarm event = 5.0 - 0.1 - 1 = 3.9.
Owing to customer transaction habits and characteristics and to the maintenance schedule of the information system, the accuracy of a monitoring alarm is related to the alarm occurrence time and the current transaction fluctuation. For example, when software has been inactive for a long time and generates no transactions, a transaction executed when a user occasionally activates the software may be mistakenly identified as an alarm event; such an alarm event is noise generated by transaction fluctuation. In the embodiment of the disclosure, the noise probability is therefore added to the guidance degree calculation rules shown in Table 1 as one calculation index of the alarm guidance degree; see rule 11. Accordingly, calculating the alarm guidance degree according to the guidance degree calculation rule includes operations S2221 to S2222.
In operation S2221, an alarm event noise probability of software generating a first alarm event is calculated.
Operation S2221 includes constructing an alarm event noise probability fitting function with the transaction volatility of the software and the alarm occurrence time as inputs and the noise probability of the software as output, and calculating the alarm event noise probability of the first alarm event based on the transaction volatility of the software and the alarm occurrence time when the first alarm event occurs.
Optionally, a maximum likelihood method may be used to fit the relationship among each software's transaction volatility over the last month, the alarm occurrence time, and the per-minute noise probability calculated from the experts' noise judgments in the historical data, to obtain a fitting function $N_{rate}(a, t)$. From the current transaction volatility $a_0$ of the software corresponding to the alarm data $R_0$ and the alarm occurrence time $t_0$, the noise probability $N_{rate}(a_0, t_0)$ is calculated and used as one of the calculation rules of the alarm event guidance degree described below.
In operation S2222, the magnitude of the alarm event noise probability is taken as one of the judgment rules of the guidance degree calculation rule to calculate the alarm guidance degree.
Referring to rule 11 shown in Table 1, calculating the alarm guidance degree with the noise probability as one of its rules includes obtaining an attribute level of the alarm event based on the magnitude of its noise probability, and subtracting the value corresponding to that attribute level from the initial alarm guidance degree to calculate the alarm guidance degree.
In this embodiment, the noise probability of the alarm event and the deduction value corresponding to each attribute level are shown in table 2, where each noise probability range corresponds to one attribute level, and the larger the value, the higher the level, and the more the corresponding deduction value.
Table 2 Deduction rules for the influence of noise probability on alarm event guidance degree
According to operation S230, the text similarity of the alert data of the first alert event and each of the second alert events is calculated to obtain the second alert event similar to the alert text of the first alert event.
In the embodiment of the present disclosure, the second key fields, such as the alarm summary and the event reason feedback, describe the situation of the corresponding alarm event, and operation S230 specifically includes operation S231.
In operation S231, a text similarity between the first alarm event and at least one second key field in alarm data of each second alarm event is calculated.
The alarm system holds a large amount of repeated and similar alarm data, and under alarm-handling pressure similar alarms may go unrecognized, be misjudged, or be missed. The similarity among the alarm summaries, the alarm disposal actions and the causes in the alarm-associated event list is calculated to obtain an alarm similarity result. This improves the accuracy of the priority of the first alarm event determined from the alarm level of the second alarm event; and where a second alarm event similar to the first alarm event has already been processed, its processing can serve as a reference for processing the first alarm event, improving processing efficiency.
Alternatively, the algorithm for calculating text similarity may be a TF-IDF algorithm.
In operation S230, operation S232 is also included.
In operation S232, the alert level of the second alert event with the highest text similarity is obtained for determining the processing priority of the first alert event.
In operation S240 of the present embodiment, the processing priority of the first alarm event is determined based on the alarm level of the second alarm event, however, the number of the second alarm events is greater, so the alarm level of the second alarm event having the highest similarity with the first alarm event is selected for priority determination. Optionally, a plurality of second alarm events with text similarity higher than a preset threshold may be screened, and the alarm levels of the plurality of second alarm events are used as references to determine the processing priority of the first alarm event.
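Operations S231 and S232 can be sketched as follows. This is an added example, not code from the patent: it computes TF-IDF vectors over one second key field, scores each second alarm event against the first by cosine similarity, and returns either the alarm level of the most similar event or all events above a threshold. The field names, the sample alarms, the cosine measure and the "higher number is more severe" level scale are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample data; field names and values are illustrative only.
FIRST_ALARM = {"id": "A-1", "level": 2,
               "summary": "payment gateway response timeout on node app01"}
SECOND_ALARMS = [
    {"id": "B-1", "level": 4,
     "summary": "payment gateway response timeout on node app02"},
    {"id": "B-2", "level": 1,
     "summary": "disk usage above 90 percent on node db03"},
    {"id": "B-3", "level": 3,
     "summary": "payment gateway connection refused"},
]


def tokenize(text):
    """Lower-case the text and split it into alphanumeric tokens."""
    return re.findall(r"[a-z0-9]+", text.lower())


def tfidf_vectors(docs):
    """Return one sparse TF-IDF vector (token -> weight) per document."""
    tokenized = [tokenize(d) for d in docs]
    n = len(tokenized)
    df = Counter(t for toks in tokenized for t in set(toks))
    # Smoothed IDF so a term present in every document keeps a small weight.
    idf = {t: math.log((1 + n) / (1 + c)) + 1.0 for t, c in df.items()}
    vectors = []
    for toks in tokenized:
        tf = Counter(toks)
        total = len(toks) or 1
        vectors.append({t: (c / total) * idf[t] for t, c in tf.items()})
    return vectors


def cosine(u, v):
    """Cosine similarity of two sparse vectors; 0.0 if either is empty."""
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def rank_similar(first, seconds, field="summary"):
    """S231: score every second alarm against the first, best match first."""
    docs = [first.get(field, "")] + [s.get(field, "") for s in seconds]
    vecs = tfidf_vectors(docs)
    scored = [(cosine(vecs[0], v), s) for v, s in zip(vecs[1:], seconds)]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def reference_level(first, seconds, field="summary"):
    """S232: alarm level of the most similar second alarm, or None when
    nothing overlaps (for example, the key field is empty)."""
    ranked = rank_similar(first, seconds, field)
    if not ranked or ranked[0][0] == 0.0:
        return None
    return ranked[0][1]["level"]


def similar_above(first, seconds, threshold, field="summary"):
    """Optional variant: every second alarm at or above the threshold."""
    return [s for score, s in rank_similar(first, seconds, field)
            if score >= threshold]


if __name__ == "__main__":
    for score, alarm in rank_similar(FIRST_ALARM, SECOND_ALARMS):
        print(f"{alarm['id']} level={alarm['level']} similarity={score:.3f}")
    print("reference level:", reference_level(FIRST_ALARM, SECOND_ALARMS))
```

Here the level-2 first alarm is matched to a level-4 second alarm, which is the situation in which operation S240 may raise its priority.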
According to operation S230, the association relationship between the first alarm event and the alarm data of each second alarm event is also calculated, which may specifically include operation S233.
It should be noted that, the alarm event for performing the association calculation should be a non-noise event, that is, the non-noise alarm data is taken as a sample to be analyzed, so as to calculate the association between the alarm data.
In the embodiment of the present disclosure, decision tree judgment is performed by taking a plurality of fourth key fields and alarm guidance degrees in alarm data of a first alarm event as denoising decision attributes, and whether the first alarm event is noise is judged, and table 3 schematically shows a denoising decision attribute list.
Table 3 denoising decision classification improvement attribute table
Further, table 4 schematically shows an attribute value division list of the alarm guidance degree.
TABLE 4 rules for classifying alert event guidance level attribute values
The environment, state, configuration and maintenance conditions of the alarm node can influence the authenticity and credibility of the alarm. In the embodiment of the disclosure, the alarm guidance degree is introduced to measure the authenticity and credibility of the monitoring alarm information and is used as a decision classification attribute. A decision tree is trained and optimized with the C4.5 algorithm on the historical alarm data and the noise results of expert analysis, and the noise decision result of the alarm data is calculated through the trained decision tree.
Because the alarm information contains a large number of key fields, which increases the computational load of the association analysis, the data needs to be preprocessed: the software and location data are integrated, alarm data with no recorded application information is removed, and only the third key fields reflecting the association relationship are retained. Examples of the third key fields are shown in Table 5.
TABLE 5 enumeration of alert data processed data
The software information combines the software name and the alarm position, splits the first alarm time and the last alarm time into two fields of date and time, and replaces continuous time data with discrete data. Replacing the time data with discrete data includes dividing the time into a plurality of time periods, each time period corresponding to a time index, e.g., time interval 0:00:00-0:29:59 corresponding to T F 1, time interval 0:30:00-0:59:59 corresponding to T F,
In operation S233, a minimum support scanning calculation is performed on a plurality of third key fields in the alarm data of the first alarm event and all the second alarm events within the first preset time period, so as to obtain a frequent n-term set of association relationships, where n is greater than or equal to 2 and n is an integer.
In the embodiment of the disclosure, before the association relationship frequent n sets are acquired, the method further includes operations S2331 to S2332.
In operation S2331, a link monitoring log of software generating the first alarm event and the second alarm event is acquired, where the link monitoring log is link information of transactions performed by the software in a second preset time period.
In operation S2332, the link monitoring log is purged, generating a set of n frequent links for transactions by the software.
In the embodiment, the association analysis is carried out with the Apriori algorithm to determine the support and the confidence. At each minimum-support scan, in addition to the frequent n-item set obtained from the (n-1)th scan (n ≥ 2), the software service call relations obtained after the transaction links are cleaned are added to the frequent n-item set, and the subsequent scans and minimum-support screening then continue.
In this embodiment, the Apriori algorithm is applied to analyze the association of event alarms. By combing the transaction links and the resource configuration information, the result is added as a known frequent item set to the scanning and calculation of the association algorithm, which improves the accuracy and completeness of the association analysis.
In operation S230, operations S234-235 are also included.
In operation S234, a list of the second alarm events having the same frequent item set as the first alarm event is acquired.
In operation S235, the second alarm event with the highest alarm level in the list is screened out, and the alarm level of the second alarm event is used to determine the processing priority of the first alarm event.
Based on the Apriori algorithm, frequent item sets of alarm data of all alarm events in a first preset time period can be obtained, so that second alarm events with the same frequent item sets as the first alarm events can be screened out.
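The seeded Apriori scan of operation S233 and the selection in operations S234 and S235 can be sketched as follows. This is an added example, not the patent's code: alarms are grouped into half-hour baskets, link item sets taken from a cleaned link log are merged into each level before the next scan, and the highest alarm level among the related second alarms is returned. The record layout, the "software@location" item strings, the basket construction, the sample data and the 0.4 minimum support are assumptions.

```python
from itertools import combinations

# Constructed sample data: (date, time, "software@location") alarm records.
RECORDS = [
    ("2021-10-01", "09:05:10", "gateway@dc1"),
    ("2021-10-01", "09:12:00", "core@dc1"),
    ("2021-10-01", "14:40:00", "gateway@dc1"),
    ("2021-10-01", "14:41:30", "core@dc1"),
    ("2021-10-01", "14:55:00", "sms@dc2"),
    ("2021-10-02", "09:10:00", "gateway@dc1"),
    ("2021-10-02", "09:20:00", "core@dc1"),
    ("2021-10-02", "11:00:00", "sms@dc2"),
    ("2021-10-02", "16:45:00", "report@dc2"),
]
# Constructed call relation taken from a cleaned link monitoring log.
LINK_ITEMSETS = [{"core@dc1", "ledger@dc1"}]
FIRST = {"id": "A-1", "source": "core@dc1", "level": 2}
SECONDS = [
    {"id": "B-1", "source": "gateway@dc1", "level": 3},
    {"id": "B-2", "source": "ledger@dc1", "level": 5},
    {"id": "B-3", "source": "sms@dc2", "level": 4},
]


def time_slot(hhmmss):
    """Half-hour slot index: 0:00:00-0:29:59 -> 1, 0:30:00-0:59:59 -> 2."""
    hours, minutes, _ = (int(x) for x in hhmmss.split(":"))
    return hours * 2 + (1 if minutes >= 30 else 0) + 1


def build_baskets(records):
    """Group alarm sources that fall in the same date and half-hour slot."""
    baskets = {}
    for date, clock, source in records:
        baskets.setdefault((date, time_slot(clock)), set()).add(source)
    return list(baskets.values())


def support(itemset, baskets):
    """Fraction of baskets that contain every item of the item set."""
    return sum(1 for b in baskets if itemset <= b) / len(baskets)


def seeded_apriori(baskets, min_support, link_itemsets=()):
    """Apriori in which link item sets of size k are merged into level k
    before the next scan, even when their own support is below the minimum."""
    seeds = {}
    for s in link_itemsets:
        seeds.setdefault(len(s), set()).add(frozenset(s))
    items = {i for b in baskets for i in b}
    level = {frozenset([i]) for i in items
             if support(frozenset([i]), baskets) >= min_support}
    frequent, k = {}, 2
    while level or any(size >= k for size in seeds):
        # Join: unions of two (k-1)-item sets that contain exactly k items.
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        # Prune: every (k-1)-subset must be in the previous level.
        candidates = {c for c in candidates
                      if all(frozenset(s) in level
                             for s in combinations(c, k - 1))}
        level = {c for c in candidates if support(c, baskets) >= min_support}
        level |= seeds.get(k, set())
        for s in level:
            frequent[s] = support(s, baskets)
        k += 1
    return frequent


def related_alarms(first, seconds, frequent):
    """S234: second alarms whose source shares an item set with the first."""
    partners = set()
    for itemset in frequent:
        if first["source"] in itemset:
            partners |= itemset - {first["source"]}
    return [a for a in seconds if a["source"] in partners]


def highest_related_level(first, seconds, frequent):
    """S235: highest alarm level among the related second alarms."""
    return max((a["level"] for a in related_alarms(first, seconds, frequent)),
               default=None)


if __name__ == "__main__":
    baskets = build_baskets(RECORDS)
    for seeds in ((), LINK_ITEMSETS):
        freq = seeded_apriori(baskets, 0.4, seeds)
        print(sorted(map(sorted, freq)),
              highest_related_level(FIRST, SECONDS, freq))
```

Without the link seed, only the gateway and core pair is found and the reference level is 3; with it, the rarely alarming ledger service is also related and the reference level becomes 5.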
According to operation S240, a judgment is made according to the preset priority judgment rule, based on the alarm level of the first alarm event, the alarm level of the second alarm event whose text similarity and/or association relationship satisfies the preset condition, and the alarm guidance degree, so as to obtain the processing priority of the first alarm event, wherein the higher the alarm level of the first alarm event, the higher the alarm level of the second alarm event, and the lower the alarm guidance degree, the higher the priority of the first alarm event and the earlier the first alarm event is processed.
In the embodiment of the present disclosure, operation S240 further includes using the noise judgment result of the first alarm event in the priority judgment rule: when the first alarm event is noise, the priority obtained from the alarm level of the first alarm event, the alarm level of the second alarm event, and the alarm guidance degree is reduced by a preset level.
Table 6 schematically shows alarm priority judgment rules.
TABLE 6 alarm priority determination rules
Where the same alarm meets the judgment conditions of different priorities, the higher priority applies.
In the embodiment of the present disclosure, after the processing priority of the first alarm event is obtained, according to operation S250, the operation and maintenance personnel is caused to process the first alarm event according to the priority.
In an embodiment of the present disclosure, after acquiring the processing priority of the first alarm event, the method further includes operation S260.
In operation S260, the processing priority of the first alarm event is displayed, and the second alarm event with the similarity to the text of the first alarm event being greater than the preset threshold and/or having the association relationship is displayed.
Through the priority of the first alarm event and the display of the related alarm event, the operation and maintenance personnel can intuitively acquire the priority of the alarm event, and timely process the alarm event by referring to the displayed alarm data.
Alternatively, the text similarity result obtained according to operation S230 may also be displayed through a graph, and the text similarity calculated according to different key fields may also be displayed through icons, respectively. As shown in fig. 3A and 3B, a presentation chart of text similarity calculated based on the event cause ticket and the alarm summary is schematically shown, respectively. The abscissa of the graph represents the occurrence time of the second alarm event, and the ordinate represents the text similarity.
In particular, it is also possible to identify in the graph whether a second alarm event corresponding to the text similarity has been processed or not by a different color. For a second alarm event whose text similarity is greater than a preset threshold and has been processed, the first alarm event may be processed with reference to its event processing report.
Fig. 4 schematically illustrates a flow chart of an alarm event auditing method according to an embodiment of the present disclosure.
As shown in FIG. 4, an alarm event auditing method provided by an embodiment of the present disclosure includes operations S410-S430.
In operation S410, a problem root analysis report of the first alarm event is obtained, and alarm data of all second alarm events within a preset period of time is obtained, wherein the problem root analysis report is obtained after problem processing is performed based on the alarm data of the first alarm event, and key fields of the problem root analysis report correspond to key fields of the alarm data.
In operation S420, a text similarity between the problem root analysis report and the alarm data of each second alarm event is calculated, and an association relationship between the first alarm event and each second alarm event is calculated.
In operation S430, the second alarm event, for which the text similarity and/or the association relationship with the first alarm event satisfy the preset condition, is counted.
According to the embodiment of the disclosure, after the first alarm event is processed, the relevant alarm event of the first alarm event can be audited at the time, and the problems that the production event associated alarm is not comprehensive in discovery and is not timely in treatment can be discovered by counting the second alarm event of which the text similarity and/or association relation between the second alarm event and the first alarm event meet the preset conditions, so that an operation and maintenance person is prompted to treat the similar problems, and the discovery rate and the treatment rate of the alarm event are effectively improved.
The problem root cause analysis report is obtained by modifying the first alarm event based on the alarm data of the first alarm event after the operation and maintenance personnel process the first alarm event, for example, the problem root cause analysis report comprises event root cause analysis of the alarm event, and compared with the content included in an event cause return field in the original alarm data, the problem root cause analysis report is more detailed and richer.
In the embodiment of the present disclosure, the preset time period is a time period from the occurrence time of the first alarm event to the end time of the processing of the first alarm event. Because the first alarm event has a certain time difference from the occurrence of the first alarm event to the processed time, the second alarm event which is the same as or similar to the first alarm event can occur in the period, and therefore, after the first alarm event is ended, the second alarm event which has higher similarity with the text of the first alarm event and has association relation in the period is counted, so that the operation and maintenance personnel can rapidly process the events, and the processing efficiency is improved.
Calculating the text similarity between the problem root cause analysis report and the alert data of each second alert event in operation S420 includes operation S421.
In operation S421, a text similarity between the problem root cause analysis report and at least one second key field in the alarm data of each second alarm event, the second key field being a field describing an alarm condition, is calculated. This step is similar to the operation S230 of the alarm processing method shown in fig. 2, and will not be described again.
In operation S430, the second alarm event in which the statistical text similarity satisfies the preset condition specifically includes operation S431.
In operation S431, a second alarm event in which the text similarity is greater than a preset threshold is counted.
Optionally, the preset threshold may be adjusted according to the current capability of processing the alarm event, if the current resource of processing the alarm event is sufficient, the preset threshold may be relatively set higher, so that the operation and maintenance personnel process each alarm event one by one, if the current resource of processing the alarm event is insufficient, the preset threshold may be relatively set lower, and for similar problems, the operation and maintenance personnel perform unified processing first to solve the large fault problem, and then solve the problem carefully one by one.
The method further includes operations S441-S442.
In operation S441, a link monitoring log of software generating the first alarm event and the second alarm event is obtained, where the link monitoring log is link information of transactions performed by the software in a second preset time period;
In operation S442, the link monitoring log is cleaned, and a link frequent n item set of the software for transaction is generated, where n is greater than or equal to 2, and n is an integer.
Operation S422 is also included in operation S420.
In operation S422, a minimum support scan calculation is performed on the problem root analysis report and a plurality of third key fields in the alarm data of all the second alarm events to obtain a set of n frequent items of association.
The link frequent n item sets are added to each scanned object except the association relation frequent n item sets obtained by the n-1 th scanning, n is more than or equal to 2, and the third key field is a field with the association characteristic of the occurrence of the alarm event.
Similar to the method for calculating the association relationship in the alarm event processing method shown in fig. 2, S422 is similar to operation S233, and the Apriori algorithm is applied to implement the analysis of the association relationship of the event alarm, and by combing the transaction link and the resource configuration information, the result is taken as a known frequent item set to be added into the scanning and the calculation of the association algorithm, so that the accuracy and the integrity of the association analysis can be improved.
In operation S430, the second alarm event in which the statistical association relationship satisfies the preset condition specifically includes operation S431.
In operation S431, a second alarm event having the same frequent item set as the first alarm event is counted.
According to the embodiment of the disclosure, data reference is provided for fault handling audit through post-event audit analysis, event cause and root cause alarm data in a problem analysis report are extracted, similarity calculation is carried out on the event cause and root cause alarm data and the total alarm data in the fault duration period, alarm information which is not processed in time is marked and displayed, and a data result is provided for the audit.
Based on the alarm event processing method, the disclosure also provides an alarm event processing device. The device will be described in detail below in connection with fig. 5.
Fig. 5 schematically illustrates a block diagram of an alarm event handling device according to an embodiment of the present disclosure.
As shown in fig. 5, the alarm event processing apparatus 500 of this embodiment includes a data acquisition module 510, a guidance degree calculation module 520, a similarity and association relation calculation module 530, a priority determination module 540, and an event processing module 550.
The data acquisition module 510 is configured to acquire a first alarm event and alarm data thereof, and acquire all second alarm events and alarm data thereof within a first preset time period including an occurrence time of the first alarm event. In an embodiment, the data obtaining module 510 may be configured to perform the operation S210 described above, which is not described herein.
The guidance level calculation module 520 is configured to analyze alarm data of the first alarm event based on a preset guidance level calculation rule, so as to calculate an alarm guidance level of the first alarm event. In an embodiment, the guidance level calculation module 520 may be used to perform the operation S220 described above, which is not described herein.
The similarity and association calculation module 530 is configured to calculate a text similarity and association of the alert data of the first alert event and each second alert event. In an embodiment, the similarity and association calculation module 530 may be used to perform the operation S230 described above, which is not described herein.
The priority judging module 540 is configured to judge, according to a preset priority judging rule, based on the alarm level, the text similarity, and/or the alarm guidance level of the second alarm event whose association relationship satisfies the preset condition, to obtain the processing priority of the first alarm event. In an embodiment, the priority determining module 540 may be used to perform the operation S240 described above, which is not described herein.
The event processing module 550 is configured to process the first alarm event according to the priority order of priority. In an embodiment, the event processing module 550 may be configured to perform the operation S250 described above, which is not described herein.
Fig. 6 schematically illustrates a block diagram of a structure of an alarm event auditing apparatus according to an embodiment of the present disclosure.
As shown in FIG. 6, the alarm event auditing apparatus 600 of this embodiment includes a data acquisition module 610, a calculation module 620, and a statistics module 630.
The data acquisition module 610 is configured to acquire a problem root cause analysis report of the first alarm event, and acquire alarm data of all second alarm events within a preset period of time, where the problem root cause analysis report is obtained after problem processing based on the alarm data of the first alarm event, and a key field of the problem root cause analysis report corresponds to a key field of the alarm data. In an embodiment, the data obtaining module 610 may be configured to perform the operation S410 described above, which is not described herein.
The calculation module 620 is configured to calculate a text similarity between the report of the root cause analysis and the alarm data of each second alarm event, and calculate an association between the first alarm event and each second alarm event. In an embodiment, the calculation module 620 may be configured to perform the operation S420 described above, which is not described herein.
The statistics module 630 is configured to count a second alarm event whose text similarity and/or association relationship with the first alarm event satisfies a preset condition. In an embodiment, the statistics module 630 may be used to perform the operation S430 described above, which is not described herein.
According to an embodiment of the present disclosure, any of the data acquisition module 510, the guidance degree calculation module 520, the similarity and association relation calculation module 530, the priority determination module 540, and the event processing module 550, and the data acquisition module 610, the calculation module 620, and the statistics module 630 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules. Or at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. According to embodiments of the present disclosure, at least one of the data acquisition module 510, the guidance level calculation module 520, the similarity and association calculation module 530, the priority determination module 540, and the event processing module 550, as well as the data acquisition module 610, the calculation module 620, and the statistics module 630, may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware implementations. Or at least one of the data acquisition module 510, the guidance level calculation module 520, the similarity and association relation calculation module 530, the priority determination module 540, and the event processing module 550, and the data acquisition module 610, the calculation module 620, and the statistics module 630 may be at least partially implemented as a computer program module, which may perform corresponding functions when being executed.
Fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement an alarm event processing method and/or an alarm event auditing method, according to an embodiment of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 705 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other through a bus 704. The processor 701 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. Note that the program may be stored in one or more memories other than the ROM 702 and the RAM 703. The processor 701 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 700 may further include an input/output (I/O) interface 705, the input/output (I/O) interface 705 also being connected to the bus 704. The electronic device 700 may also include one or more of an input portion 706 including a keyboard, mouse, etc., an output portion 707 including a Cathode Ray Tube (CRT), Liquid Crystal Display (LCD), etc., and a speaker, etc., a storage portion 708 including a hard disk, etc., and a communication portion 709 including a network interface card such as a LAN card, modem, etc., connected to the I/O interface 705. The communication section 709 performs communication processing via a network such as the Internet. The drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read therefrom is installed into the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium that may be included in the apparatus/device/system described in the above embodiments, or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 702 and/or RAM 703 and/or one or more memories other than ROM 702 and RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. When the computer program product runs in a computer system, the program code is used for enabling the computer system to realize the alarm event processing method or the alarm event auditing method provided by the embodiment of the disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted and distributed over a network medium in the form of a signal, downloaded and installed via the communication portion 709, and/or installed from the removable medium 711. The computer program may comprise program code that is transmitted using any appropriate network medium, including but not limited to wireless, wireline, etc., or any suitable combination of the preceding.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in a variety of ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or integrated without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (23)

1. An alarm event processing method, comprising:
acquiring a first alarm event and alarm data thereof, and acquiring all second alarm events and alarm data thereof within a first preset time period including the occurrence time of the first alarm event;
analyzing the alarm data of the first alarm event based on a preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event;
calculating the text similarity and association relation of the alarm data of the first alarm event and each second alarm event;
judging, according to a preset priority judgment rule, based on the alarm level of the first alarm event, the alarm level of the second alarm event whose text similarity and/or association relation meets preset conditions, and the alarm guidance degree, so as to obtain the processing priority of the first alarm event;
processing the first alarm event in order of the priority;
wherein the analyzing the alarm data of the first alarm event based on the preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event includes:
setting an initial alarm guidance degree;
sequentially judging whether a plurality of first key fields in the alarm data of the first alarm event meet the conditions specified by the guidance degree calculation rule, wherein the plurality of first key fields are fields representing the environment, state, configuration and maintenance conditions of the first alarm event;
when a first key field meets the condition specified by the guidance degree calculation rule, subtracting a corresponding value from the initial alarm guidance degree to obtain the alarm guidance degree;
the higher the alarm level of the first alarm event, the higher the alarm level of the second alarm event whose text similarity and/or association relation satisfies the preset condition, and the lower the alarm guidance degree, the higher the priority of the first alarm event;
the higher the priority, the earlier the first alarm event is processed.
2. The method according to claim 1, wherein the method further comprises:
calculating an alarm event noise probability of the software that generates the first alarm event;
and taking the alarm event noise probability as one judgment rule of the guidance degree calculation rule to calculate the alarm guidance degree.
3. The method of claim 2, wherein calculating an alarm event noise probability for software generating the first alarm event comprises:
constructing an alarm event noise probability fitting function that takes the transaction fluctuation rate and the alarm occurrence time of the software as inputs and the noise probability of the software as output;
and calculating the alarm event noise probability of the first alarm event based on the transaction fluctuation rate and the alarm occurrence time of the software when the first alarm event occurs.
4. The method of claim 2, wherein the calculating the alarm guidance degree using the magnitude of the alarm event noise probability as one of the judgment rules of the guidance degree calculation rule comprises:
obtaining an attribute level of the alarm event based on the alarm event noise probability;
subtracting a value corresponding to the attribute level from the initial alarm guidance degree to calculate the alarm guidance degree.
5. The method of claim 1, wherein the calculating the text similarity between the alarm data of the first alarm event and each of the second alarm events comprises:
calculating the text similarity between the first alarm event and at least one second key field in the alarm data of each second alarm event, wherein the second key field is a field for describing alarm conditions.
6. The method according to claim 5, comprising:
acquiring the alarm level of the second alarm event with the highest text similarity for judging the processing priority of the first alarm event.
7. The method according to claim 1, wherein the method further comprises:
acquiring a link monitoring log of the software generating the first alarm event and the second alarm event, wherein the link monitoring log is link information of the software carrying out transactions within a second preset time period;
and cleaning the link monitoring log to generate link frequent n-item sets of the software carrying out transactions, wherein n is greater than or equal to 2.
8. The method of claim 7, wherein the calculating the association relation between the alarm data of the first alarm event and each of the second alarm events comprises:
performing a minimum support scanning calculation on a plurality of third key fields in the alarm data of the first alarm event and all the second alarm events within the first preset time period to obtain association relation frequent n-item sets;
wherein the link frequent n-item sets are added to each scanned object except for the association relation frequent n-item sets of the (n-1)-th scan, n is greater than or equal to 2, and the third key field is a field having a characteristic associated with the occurrence of the alarm event.
9. The method of claim 8, wherein the method further comprises:
acquiring a list of second alarm events with the same frequent item set of the first alarm event;
and screening out a second alarm event with the highest alarm level in the list, and using the alarm level of the second alarm event to judge the processing priority of the first alarm event.
10. The method according to claim 1, wherein the method further comprises:
taking a plurality of fourth key fields in the alarm data of the first alarm event and the alarm guidance degree as denoising decision attributes, and performing decision tree judgment to judge whether the first alarm event is noise;
and using the noise judgment result of the first alarm event in the judgment under the priority judgment rule, wherein when the first alarm event is noise, the priority is reduced by a preset level from the priority obtained based on the alarm level of the first alarm event, the alarm level of the second alarm event and the alarm guidance degree.
11. The method as recited in claim 1, further comprising:
cleaning and standardizing the alarm data of the first alarm event and the second alarm event.
12. The method according to claim 1, wherein the method further comprises:
displaying the processing priority of the first alarm event, and displaying the second alarm events whose text similarity with the first alarm event is greater than a preset threshold and/or which have an association relation with the first alarm event.
13. An alarm event auditing method, applied after the alarm event processing method according to any one of claims 1 to 12, comprising:
acquiring a problem root cause analysis report of a first alarm event and alarm data of all second alarm events in a preset time period, wherein the problem root cause analysis report is obtained after problem processing based on the alarm data of the first alarm event, key fields of the problem root cause analysis report correspond to key fields of the alarm data, and the preset time period is a preset time period before and after the occurrence time of the first alarm event;
calculating the text similarity between the problem root cause analysis report and the alarm data of each second alarm event, and calculating the association relation between the first alarm event and each second alarm event;
and counting the second alarm events whose text similarity and/or association relation with the first alarm event meets preset conditions.
14. The method of claim 13, wherein said calculating the text similarity between the problem root cause analysis report and the alarm data of each of the second alarm events comprises:
calculating the text similarity between the problem root cause analysis report and at least one second key field in the alarm data of each second alarm event, wherein the second key field is a field for describing alarm conditions.
15. The method according to claim 14, comprising:
counting the second alarm events whose text similarity is greater than a preset threshold.
16. The method according to claim 13, characterized in that the method comprises:
acquiring a link monitoring log of the software generating the first alarm event and the second alarm event, wherein the link monitoring log is link information of the software carrying out transactions within a second preset time period;
and cleaning the link monitoring log to generate link frequent n-item sets of the software carrying out transactions, wherein n is greater than or equal to 2.
17. The method of claim 16, wherein said calculating an association relation between the problem root cause analysis report and the alarm data of each of the second alarm events comprises:
performing a minimum support scanning calculation on the problem root cause analysis report and a plurality of third key fields in the alarm data of all the second alarm events to obtain association relation frequent n-item sets;
wherein the link frequent n-item sets are added to each scanned object except for the association relation frequent n-item sets of the (n-1)-th scan, n is greater than or equal to 2, and the third key field is a field having a characteristic associated with the occurrence of the alarm event.
18. The method of claim 17, wherein the method further comprises:
and counting a second alarm event with the same frequent item set as the first alarm event.
19. An alarm event processing apparatus, comprising:
a data acquisition module, configured to acquire a first alarm event and alarm data thereof, and to acquire all second alarm events and alarm data thereof within a first preset time period including the occurrence time of the first alarm event;
a guidance degree calculation module, configured to analyze the alarm data of the first alarm event based on a preset guidance degree calculation rule so as to calculate the alarm guidance degree of the first alarm event;
a similarity and association relation calculation module, configured to calculate the text similarity and association relation of the alarm data of the first alarm event and each second alarm event;
a priority judging module, configured to judge, according to a preset priority judgment rule, based on the alarm level of the first alarm event, the alarm level of the second alarm event whose text similarity and/or association relation meets preset conditions, and the alarm guidance degree, so as to obtain the processing priority of the first alarm event;
an event processing module, configured to process the first alarm event in order of the priority;
wherein the analyzing the alarm data of the first alarm event based on the preset guidance degree calculation rule to calculate the alarm guidance degree of the first alarm event includes:
setting an initial alarm guidance degree;
sequentially judging whether a plurality of first key fields in the alarm data of the first alarm event meet the conditions specified by the guidance degree calculation rule, wherein the plurality of first key fields are fields representing the environment, state, configuration and maintenance conditions of the first alarm event;
when a first key field meets the condition specified by the guidance degree calculation rule, subtracting a corresponding value from the initial alarm guidance degree to obtain the alarm guidance degree;
the higher the alarm level of the first alarm event, the higher the alarm level of the second alarm event whose text similarity and/or association relation satisfies the preset condition, and the lower the alarm guidance degree, the higher the priority of the first alarm event;
the higher the priority, the earlier the first alarm event is processed.
20. An alarm event auditing apparatus, applied after the alarm event processing apparatus of claim 19, comprising:
a data acquisition module, configured to acquire a problem root cause analysis report of a first alarm event and alarm data of all second alarm events in a preset time period, wherein the problem root cause analysis report is obtained after problem processing is performed on the alarm data of the first alarm event, key fields of the problem root cause analysis report correspond to key fields of the alarm data, and the preset time period is a preset time period before and after the occurrence time of the first alarm event;
a calculation module, configured to calculate the text similarity between the problem root cause analysis report and the alarm data of each second alarm event, and to calculate the association relation between the first alarm event and each second alarm event;
and a statistics module, configured to count the second alarm events whose text similarity and/or association relation with the first alarm event meets preset conditions.
21. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-12 or claims 13-18.
22. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-12 or 13-18.
23. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 12 or 13 to 18.
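The triage flow of claim 1 (guidance-degree subtraction, text similarity against second alarm events in the time window, and priority ordering), as an added Python example that is not code from the patent. The field names, deduction values, Jaccard similarity measure, thresholds, 1 to 5 level scale and scoring weights are all assumptions, and the association-relation (frequent item set) branch is left out.

```python
"""Added example of the triage flow in claim 1; every field name, rule,
weight and threshold below is an assumption, not a value from the patent."""
from dataclasses import dataclass, field

INITIAL_GUIDANCE = 100        # assumed initial alarm guidance degree
SIM_THRESHOLD = 0.5           # assumed "preset condition" on text similarity
WINDOW_SECONDS = 600          # assumed first preset time period (+/- 10 min)

# Assumed guidance-degree rules: (first key field, condition, deduction).
GUIDANCE_RULES = [
    ("environment", lambda v: v == "production", 30),
    ("state", lambda v: v == "unrecovered", 20),
    ("config_changed", lambda v: v is True, 20),
    ("in_maintenance", lambda v: v is False, 10),
]

@dataclass
class Alert:
    alert_id: str
    ts: int                   # occurrence time, epoch seconds
    level: int                # assumed scale: 1 (lowest) .. 5 (highest)
    description: str          # "second key field" describing the alarm
    fields: dict = field(default_factory=dict)

def guidance_degree(alert):
    """Start from the initial value and subtract for each rule that matches."""
    degree = INITIAL_GUIDANCE
    for name, cond, deduction in GUIDANCE_RULES:
        if name in alert.fields and cond(alert.fields[name]):
            degree -= deduction
    return degree

def text_similarity(a, b):
    """Jaccard similarity over lowercase word sets (assumed stand-in measure)."""
    ta, tb = set(a.lower().split()), set(b.lower().split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def related_alerts(first, others):
    """Second alerts inside the window whose similarity meets the threshold."""
    return [o for o in others
            if o.alert_id != first.alert_id
            and abs(o.ts - first.ts) <= WINDOW_SECONDS
            and text_similarity(first.description, o.description) >= SIM_THRESHOLD]

def priority(first, others):
    """Higher own level, higher related level, lower guidance -> higher score."""
    related_level = max((o.level for o in related_alerts(first, others)), default=0)
    urgency = INITIAL_GUIDANCE - guidance_degree(first)
    return first.level * 10 + related_level * 5 + urgency   # assumed weights

def triage(alerts):
    """Return alert ids in processing order, highest priority first."""
    ranked = sorted(alerts, key=lambda a: priority(a, alerts), reverse=True)
    return [a.alert_id for a in ranked]

# Constructed sample alerts (not real data).
SAMPLE = [
    Alert("A1", 1000, 3, "payment gateway timeout on db connection",
          {"environment": "production", "state": "unrecovered", "in_maintenance": False}),
    Alert("A2", 1200, 5, "db connection timeout on payment gateway",
          {"environment": "production"}),
    Alert("A3", 1300, 4, "disk usage above threshold",
          {"environment": "test", "in_maintenance": True}),
    Alert("A4", 9000, 3, "payment gateway timeout on db connection",
          {"environment": "test"}),
]

if __name__ == "__main__":
    for a in sorted(SAMPLE, key=lambda x: priority(x, SAMPLE), reverse=True):
        print(a.alert_id, "priority", priority(a, SAMPLE), "guidance", guidance_degree(a))
```

A1 and A4 carry the same level and description, yet A1 ranks first and A4 last: A4 falls outside the time window of every other alert and none of its key fields lower its guidance degree.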
CN202111279365.9A 2021-10-29 2021-10-29 Alarm event processing methods, audit methods, devices, equipment, media and products Active CN113961441B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111279365.9A CN113961441B (en) 2021-10-29 2021-10-29 Alarm event processing methods, audit methods, devices, equipment, media and products

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111279365.9A CN113961441B (en) 2021-10-29 2021-10-29 Alarm event processing methods, audit methods, devices, equipment, media and products

Publications (2)

Publication Number Publication Date
CN113961441A CN113961441A (en) 2022-01-21
CN113961441B true CN113961441B (en) 2025-03-25

Family

ID=79468581

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111279365.9A Active CN113961441B (en) 2021-10-29 2021-10-29 Alarm event processing methods, audit methods, devices, equipment, media and products

Country Status (1)

Country Link
CN (1) CN113961441B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114528820A (en) * 2022-02-18 2022-05-24 中国工商银行股份有限公司 Information processing method, device, equipment and medium
CN115150249B (en) * 2022-06-29 2024-06-14 郑州浪潮数据技术有限公司 Storage system alarm method, device, equipment and storage medium
CN116506276B (en) * 2023-02-06 2025-06-24 华能国际电力股份有限公司 A method and system for mining alarm data correlation

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106411617A (en) * 2016-11-29 2017-02-15 国网山西省电力公司忻州供电公司 Power communication network fault warning correlation processing method
CN109358602A (en) * 2018-10-23 2019-02-19 山东中创软件商用中间件股份有限公司 A kind of failure analysis methods, device and relevant device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8762134B2 (en) * 2012-08-30 2014-06-24 Arria Data2Text Limited Method and apparatus for situational analysis text generation
CN110609759B (en) * 2018-06-15 2021-09-14 华为技术有限公司 Fault root cause analysis method and device

Also Published As

Publication number Publication date
CN113961441A (en) 2022-01-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant