WO2019080249A1 - Alarm processing method and apparatus, computer device, and storage medium - Google Patents

Abstract

The present application discloses an alarm processing method, device, computer device and storage medium. The method includes: obtaining monitoring data of the monitoring object; determining alarm data in the monitoring data and generating an alarm event, recording the alarm event in a preset message queue; acquiring an alarm event in the preset message queue; based on machine learning rules and presets The knowledge base performs preset processing on the alarm event, and sends the preset alarm event to the user terminal.

Description

 Alarm processing method, device, computer device and storage medium

This application claims the priority of the Chinese Patent Application filed on October 24, 2017, the Chinese Patent Application No. 2017110017553, entitled "Alarm Processing Method, Apparatus, Computer Equipment, and Storage Medium", the entire contents of which are incorporated by reference. In this application.

Technical field

The present application relates to the field of communications technologies, and in particular, to an alarm processing method, apparatus, computer device, and storage medium.

Background technique

Currently, there are many open source monitoring systems on the market, such as the Zabbix monitoring system and the Open-falcon monitoring system. These monitoring systems include an "alarm center", which is used to display alarm events to the operation and maintenance personnel to prompt the operation and maintenance personnel to handle them accordingly. However, most of the existing alarm centers simply display the alarm events. This type of processing will result in a large number of invalid alarms, which will prolong the recovery time, which is not conducive to the timely processing of operation and maintenance personnel, resulting in more loss.

Summary of the invention

The application provides an alarm processing method, device, computer device and storage medium, which can reduce invalid alarms and reduce false alarm rate.

In a first aspect, the application provides an alarm processing method, which is applied to a monitoring system, and includes:

Obtain monitoring data of the monitored object;

Determining, by the preset alarm rule, the alarm data in the monitoring data, where the alarm data is monitoring data that triggers the preset alarm rule;

Generating an alarm event according to the alarm data, and recording the alarm event in a preset message queue;

Obtaining an alarm event in the preset message queue according to a preset acquisition rule;

Presetting the alarm event acquired from the preset message queue based on the machine learning rule and the preset knowledge base;

The alarm event that has been processed through the preset is sent to the user terminal.

In a second aspect, the present application provides an alarm processing apparatus, including:

a data acquisition unit, configured to acquire monitoring data of the monitored object;

a data determining unit, configured to determine alarm data in the monitoring data according to a preset alarm rule, where the alarm data is monitoring data that triggers the preset alarm rule;

An event generating and recording unit, configured to generate an alarm event according to the alarm data, and record the alarm event in a preset message queue;

An event obtaining unit, configured to acquire an alarm event in the preset message queue according to a preset acquisition rule;

a preset processing unit, configured to perform preset processing on the alarm event based on a machine learning rule and a preset knowledge base;

The event sending unit is configured to send the alarm event that has been processed by the preset to the user terminal.

In a third aspect, the present application further provides a computer device including a memory, a processor, and a computer program stored on the memory and operable on the processor, the processor implementing the program The alarm processing method described in any one of the applications.

In a fourth aspect, the present application also provides a storage medium, wherein the storage medium stores a computer program, the computer program comprising program instructions, the program instructions, when executed by a processor, causing the processor to execute the application The alarm processing method of any of the provided.

The application provides an alarm processing method, device, computer device and storage medium. The method determines the alarm data in the monitoring data of the monitoring object according to the preset alarm rule. After the alarm data is generated and saved in the preset message queue, the preset information is obtained according to the preset acquisition rule. The alarm event is generated based on the machine learning rule and the preset knowledge base, and the processed alarm event is sent to the user terminal for display to the operation and maintenance manager. The alarm processing method can not only eliminate the alarm storm, but also improve the alarm accuracy rate, thereby reducing the invalid alarm.

DRAWINGS

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the description of the embodiments will be briefly described below. Obviously, the drawings in the following description are some embodiments of the present application, For the ordinary technicians, other drawings can be obtained based on these drawings without any creative work.

FIG. 1 is a schematic flowchart of an alarm processing method according to an embodiment of the present application;

2 is a schematic flowchart of an alarm processing method according to another embodiment of the present application;

Figure 3 is a schematic flow chart of the sub-steps of step S205 in Figure 2;

4 is a schematic block diagram of an alarm processing apparatus according to an embodiment of the present application;

FIG. 5 is a schematic block diagram of an alarm processing apparatus according to another embodiment of the present application; FIG.

FIG. 6 is a schematic block diagram of a computer device according to an embodiment of the present application.

Detailed ways

The technical solutions in the embodiments of the present application are clearly and completely described in the following with reference to the drawings in the embodiments of the present application. It is obvious that the described embodiments are a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without departing from the inventive scope are the scope of the present application.

It will be understood that the terms "comprise" and "the" when used in the specification and the appended claims "Comprising" indicates the existence of the described features, integers, steps, operations, elements and/or components, but does not exclude the presence of one or more other features, integers, steps, operations, elements, components and/or combinations thereof Add to.

The terminology used herein is for the purpose of describing particular embodiments and is not intended to be limiting. As used in the specification and the appended claims, the claims

It should also be further understood that the term "and / is used in the specification and appended claims of this application. Or "" refers to any combination of one or more of the associated listed items and all possible combinations, and includes such combinations.

Referring to FIG. 1 , FIG. 1 is a schematic flowchart of an alarm processing method according to an embodiment of the present application. The alarm processing method is applied to a monitoring system, and the monitoring system can be run in a server, where the server can be a stand-alone server or a server cluster composed of multiple servers. As shown in FIG. 1, the alarm processing method includes steps S101 to S106.

S101. Obtain monitoring data of the monitored object.

In this embodiment, the monitoring object includes a host, a container, a network device, a middleware, and the like, and the middleware is, for example, weblogic. Tomcat, kafka or Zookeeper component, etc. The monitoring data of the monitoring object includes information such as the usage status of the monitoring object. For example, the monitoring object is a host, and the corresponding monitoring data includes information such as the CPU usage, memory usage, disk usage, and network traffic of the host.

S102: Determine alarm data in the monitoring data according to a preset alarm rule, where the alarm data is monitoring data that triggers the preset alarm rule.

In this embodiment, the preset alarm rule is a preset alarm rule, and a set of common alarm rules are automatically configured as a preset alarm rule when the alarm center of the monitoring system is initialized. If the user has personalized requirements, the user can customize the alarm rule. Or modify the preset alarm rule.

Specifically, the preset alarm rule adopts a preset threshold range determining method, by determining whether the value in the monitoring data is within a preset threshold range; if the value in the monitoring data is within the preset threshold range, Then, it is determined that the preset alarm rule is not triggered; if the value in the monitoring data is not within the preset threshold range, it is determined that the preset alarm rule is triggered. The monitoring data corresponding to the triggering the preset alarm rule is the alarm data.

For example, the CPU usage in the monitoring data is determined to be the alarm data if the value corresponding to the usage exceeds the preset threshold range of the CPU usage rate corresponding to the preset alarm rule.

S103. Generate an alarm event according to the alarm data, and record the alarm event in a preset message queue.

In this embodiment, generating an alarm event according to the alarm data includes: generating an alarm event by using the alarm data according to a preset event format. The preset event format can standardize alarm events to facilitate subsequent parsing processing.

Specifically, the preset event format may be defined in advance, so as to subsequently parse the value of the corresponding field in the alarm event, and obtain the desired information, and the alarm event generated according to the preset event format is pushed to each subscribed alarm event. After the user system, the user system needs to parse the alarm event format defined by the alarm center to obtain related information in the alarm event. This design can reduce the complexity of the alarm center interface design.

In an embodiment, the preset event format, for example, adopts a preset JSON format, as follows:

{Detail:[P3#1/1]net_monitor_1cpu.used.percentall(#3)100>=30,Entity:net_monitor_1,Status:1,Url:abc.com,Group:app_type=APP,app_name=NET-MONITOR >}.

In the above JSON formula, P3 in [P3#1/1] indicates the alarm priority level, #1/1 indicates the current alarm number/maximum alarm number; net_monitor_1cpu.used.percentall(#3)100>=30 indicates that the net_monitor_1 indicates the monitoring The system name corresponding to the object, specifically the CPU usage rate; Entity: net_monitor_1 indicates the entity network; Status: 1 indicates the status of the alarm event; Url: abc.com indicates the URL address of the monitored object; Group: app_type = APP indicates the monitored object Category; app_name=NET-MONITOR Represents a small category of monitored objects.

After the alarm data is generated according to the preset event format, the alarm event is sent and saved to the preset message queue, where the preset message queue is saved in a preset database. The use of queues can eliminate alarm storms.

S104. Acquire an alarm event in the preset message queue according to a preset acquisition rule.

In this embodiment, the preset message queue includes multiple alarm events, so the alarm event in the preset message queue is obtained according to the preset acquisition rule. For example, the alarm event may further include priority information or alarm severity information. Correspondingly, the preset acquisition rule may be configured to acquire an alarm event in the preset message queue according to the priority level or the severity of the alarm, so that the alarm event in the preset message queue can be performed in a reasonable and orderly manner. Processing, first solve important alarm problems, thereby indirectly improving the efficiency of alarm processing.

In an embodiment, the acquiring an alarm event in the preset message queue according to the preset acquisition rule includes: acquiring a preset number of alarm events in the preset message queue according to a preset sequence. Specifically, the preset sequence may be a priority order of the alarm events, or may be a time sequence corresponding to the generation time of the alarm events, and a certain number of alarm events are acquired each time according to the preset sequence. Therefore, the preset quantity can ensure that the alarm events in the preset message queue are processed in batches, thereby avoiding the occurrence of an alarm storm.

S105. Perform preset processing on the alarm event obtained from the preset message queue based on the machine learning rule and the preset knowledge base.

In this embodiment, the preset process is performed on the alarm event obtained from the preset message queue based on the machine learning rule and the preset knowledge base, and specifically includes: based on a machine learning rule and a preset knowledge base The alarm event obtained in the preset message queue is subjected to preset alarm analysis processing, preset alarm convergence processing, or preset alarm aggregation processing.

The machine learning rule is mainly a rule model obtained by learning and training a large number of alarm events by using an algorithm, and then applying the rule model to analyzing and processing an existing alarm event, the algorithm is specifically a machine learning algorithm, for example, based on an index. Smooth quadratic smoothing algorithm, cubic smoothing algorithm, decomposition-based Fourier decomposition algorithm, wavelet decomposition algorithm, etc., or deep learning based feedforward neural network, cyclic neural network RNN Algorithms, etc., these machine learning algorithms need to be trained through a large amount of online historical data (historical alarm events) in order to obtain a relatively accurate alarm strategy, which is a rule model for analyzing and processing current alarm events. In addition, multiple algorithms can be trained at the same time. The effect of each algorithm will be different for different scenarios. At this time, according to the historical results, the weight of each algorithm is adjusted, and finally a common alarm strategy is obtained.

The preset knowledge base is used for storing alarm events, alarm event processing result information, and analysis result information, etc., to help analyze and process the alarm events.

Specifically, the analysis method corresponding to the preset alarm analysis processing includes: a method based on historical data statistics, a method of assuming normal distribution, a 3-sigma strategy, etc., and a statistical alarm method can automatically calculate a reasonable alarm valve. Value, when the performance indicator exceeds or falls below this alarm threshold, an alarm is triggered. At the same time, these reasonable alarm thresholds are set to the preset threshold ranges in the preset alarm rules, thereby forming a closed loop control, thereby improving the accuracy of the alarm.

Specifically, the preset alarm convergence process includes: combining the alarm events according to the preset time window, for example, combining the alarm events generated in a certain period of time into one issue; or merging the corresponding alarm events according to the same monitoring policy. For example, multiple alarm events with a CPU usage of more than 90% are combined into one alarm event; or the corresponding alarm events are combined according to the same alarm object, such as the alarm issued by host A in a certain time window, cpu, memory or disk. The alarms can be combined into one alarm event corresponding to host A.

Specifically, the preset alarm aggregation process includes: an association mining process and an exception dependency process. The merging strategy of the association mining process refers to merging multiple alarm events into one alarm event by mining the association between the alarm event and the alarm event and the association between multiple timings. Exception dependency processing refers to the occurrence of an exception and another dependency. For example, a disk failure may cause the host to crash. If an alarm event of disk failure and host loss is received at the same time, the exception dependency can be passed. , Convergence of these two alarm events into one alarm event.

It should be noted that the preset knowledge base and the preset message queue are saved in the same database, so that the alarm event is loaded into the database for preset processing of these alarm events; wherein the preset knowledge base stores historical alarms. Events and related information.

S106. Send the alarm event that has been processed by the preset to the user terminal.

In this embodiment, the user terminal includes a terminal corresponding to the system administrator or a terminal corresponding to the user system, and the system administrator is a management personnel responsible for monitoring the system. Different transmission modes can also be adopted for different user terminals. Specifically, the system administrator can notify the administrator of the system by email, short message, telephone, etc., and for the user system, the alarm event can be pushed to the user's own system for further processing, for example, some users will develop themselves. The tool platform further processes the alarm events and combines the business logic to make judgments. To meet such user requirements, the user system can subscribe to the alarms of the monitoring system. When a new alarm is generated in the alarm center of the monitoring system, the directional push is implemented according to the corresponding topic subscribed by the user system, thereby improving the user experience.

The alarm processing method of the foregoing embodiment determines the alarm data in the monitoring data of the monitoring object according to the preset alarm rule. After the alarm data is generated and saved in the preset message queue, the preset information is obtained according to the preset acquisition rule. An alarm event in the queue, and the obtained alarm event is pre-processed based on the machine learning rule and the preset knowledge base, and the processed alarm event is sent to the user terminal for display to the operation and maintenance manager. The alarm processing method can not only eliminate the alarm storm, but also improve the alarm accuracy rate, thereby reducing the invalid alarm.

Referring to FIG. 2, FIG. 2 is a schematic flowchart of an alarm processing method according to another embodiment of the present application. The alarm processing method is applied to a monitoring system, and the monitoring system can be run in a server, where the server can be a stand-alone server or a server cluster composed of multiple servers. As shown in FIG. 2, the alarm processing method includes steps S201 to S208.

S201. Obtain monitoring data of the monitored object.

Among them, the monitoring object includes the monitoring object itself in addition to the host, the container, the network device, and the middleware.

In this embodiment, acquiring the monitoring data of the monitoring object further includes: acquiring monitoring data of the monitoring system.

S202. Determine, according to a preset alarm rule, alarm data in the monitoring data, where the alarm data is monitoring data that triggers the preset alarm rule.

The preset alarm rule is a preset alarm rule, and the preset threshold range determination method is used, and other similar determination methods may also be used, which are not limited herein.

S203. Generate an alarm event according to the alarm data, and record the alarm event in a preset message queue.

In this embodiment, the alarm data is generated in an alarm event according to a preset event format, and the generated alarm event is saved in a preset message queue.

The preset message queue is used to store multiple alarm events, which can effectively prevent the server from generating multiple alarm events at the same time, thereby generating an alarm storm.

S204. Acquire an alarm event in the preset message queue according to a preset acquisition rule.

Specifically, the preset number of alarm events in the preset message queue are obtained in a preset order. Specifically, the preset sequence may be a priority order of the alarm events, or may be a time sequence corresponding to the generation time of the alarm events, and a certain number of alarm events are acquired each time according to the preset sequence. Therefore, the preset quantity can ensure that the alarm events in the preset message queue are processed in batches, thereby avoiding the occurrence of an alarm storm.

S205. Perform preset processing on the alarm event obtained from the preset message queue based on the machine learning rule and the preset knowledge base.

The monitoring object is not the alarm event corresponding to the monitoring system or the preset processing method of the foregoing embodiment, and is not described in detail herein.

In this embodiment, for the alarm event corresponding to the monitoring system itself, the method steps in FIG. 3 are adopted, specifically, steps S205a and S205b.

S205a: The monitoring alarm event is filtered out from the alarm event, where the monitoring alarm event is an alarm event of the monitoring system.

The alarm event includes not only the alarm event of the monitoring system but also the alarm event of the host, the container, or the middleware. Therefore, the monitoring alarm event needs to be filtered out from the alarm event, and the monitoring alarm event is an alarm of the monitoring system. event.

Specifically, the identification information of the monitoring object may be obtained by associating the monitoring data of the monitoring object with the identification information. Therefore, the alarm data is also associated with the identification information, and the identification information can be used to filter out the monitoring alarm event from the alarm event.

S205b: Send the monitoring alarm event to the self-healing system, so that the self-healing system processes the fault corresponding to the monitoring alarm event.

The self-healing system and the monitoring system can be installed in different servers, and communication connections are established between the servers to complete data interaction. The self-healing system is configured to automatically process faults corresponding to the monitoring alarm events, such as expanding capacity, restarting services, or limiting traffic.

S206. Send an alarm event that has been processed by the preset to the user terminal.

The alarm event that has been processed by the preset is sent to the user terminal, so that the user can perform corresponding processing on the alarm event, and the alarm event is cancelled in time.

S207: Receive feedback information sent by the user terminal, where the feedback information is processing result information generated by the user terminal by performing preset label processing on the preset alarm event.

In this embodiment, the preset tag processing includes: marking an invalid alarm event, not processing, and feeding back to the alarm center of the server. Or mark the event alarm and handle the event. User terminals may have automated event processing systems. After receiving the event, the user terminal starts processing, and notifies the alarm center of the server to the final processing result, which can be specifically sent through an API callback.

S208. Save the processing result information to the preset knowledge base.

In this embodiment, the server saves the processing result information to the preset knowledge base, and uses the alarm event and the corresponding processing result information as historical alarm events to analyze and process the current alarm event, thereby forming a The closed-loop mechanism allows the entire process to be continuously improved, thereby improving the accuracy of the alarm.

The alarm processing method provided by the foregoing embodiment can not only eliminate the alarm storm, but also perform self-healing processing on the alarm corresponding fault of the monitoring system to ensure the normal operation of the monitoring system, and can also receive the feedback information sent by the user terminal, and the The processing result information about the alarm event in the feedback information is saved in the preset database, so as to analyze and process the next alarm event, thereby forming an analysis closed-loop control mechanism, and the monitoring system is continuously improved through the closed-loop control mechanism. The alarm analysis processing capability improves the alarm accuracy.

The embodiment of the present application further provides an alarm processing apparatus, which is used to execute the foregoing alarm processing method. Specifically, please refer to FIG. 4, which is a schematic block diagram of an alarm processing apparatus according to an embodiment of the present application. The alarm processing device 300 can be installed in a server.

As shown in FIG. 4, the alarm processing apparatus 300 includes a data acquisition unit 301, a data determination unit 302, a generation recording unit 303, an event acquisition unit 304, a preset processing unit 305, and an event transmission unit 306.

The data obtaining unit 301 is configured to acquire monitoring data of the monitoring object.

The monitoring object includes a host, a container, a network device, and a middleware, and the middleware is, for example, weblogic, tomcat, Kafka or Zookeeper component, etc. The monitoring data of the monitoring object includes information such as the usage status of the monitoring object. For example, the monitoring object is a host, and the corresponding monitoring data includes information such as the CPU usage, memory usage, disk usage, and network traffic of the host.

The data determining unit 302 is configured to determine alarm data in the monitoring data according to a preset alarm rule, where the alarm data is monitoring data that triggers the preset alarm rule.

The preset alarm rule is a preset alarm rule. When the alarm center of the monitoring system is initialized, a set of common alarm rules is automatically configured as a preset alarm rule. If the user has personalized requirements, the preset can be customized or modified. Set alarm rules.

Specifically, the preset alarm rule adopts a preset threshold range determining method, by determining whether the value in the monitoring data is within a preset threshold range; if the value in the monitoring data is within the preset threshold range, Then, it is determined that the preset alarm rule is not triggered; if the value in the monitoring data is not within the preset threshold range, it is determined that the preset alarm rule is triggered. The monitoring data corresponding to the triggering the preset alarm rule is the alarm data.

The generating record unit 303 is configured to generate an alarm event according to the alarm data, and record the alarm event in a preset message queue.

The generating an alarm event according to the alarm data includes: generating an alarm event by using the alarm data according to a preset event format. The preset event format can standardize alarm events to facilitate subsequent parsing processing.

After the alarm data is generated according to the preset event format, the alarm event is sent and saved to the preset message queue, where the preset message queue is saved in a preset database. The use of queues can eliminate alarm storms.

The event obtaining unit 304 is configured to acquire an alarm event in the preset message queue according to a preset acquisition rule.

The preset message queue includes multiple alarm events, so the alarm event in the preset message queue is obtained according to the preset acquisition rule. For example, the alarm event may further include priority information or alarm severity information, etc., corresponding to The preset acquisition rule may be configured to acquire an alarm event in the preset message queue according to a priority level or an alarm severity. Therefore, the alarm event in the preset message queue may be processed in a reasonable and orderly manner. Important alarm issues, thereby indirectly improving the efficiency of alarm processing.

In an embodiment, the event obtaining unit 304 is configured to: acquire a preset number of alarm events in the preset message queue according to a preset sequence. Specifically, a certain number of alarm events are acquired each time. Therefore, the preset quantity can ensure that the alarm events in the preset message queue are processed in batches, thereby avoiding the occurrence of an alarm storm.

The preset processing unit 305 is configured to perform preset processing on the alarm event acquired from the preset message queue based on the machine learning rule and the preset knowledge base.

Specifically, the method is: performing preset alarm analysis processing, preset alarm convergence processing, or preset alarm aggregation processing on an alarm event obtained from the preset message queue based on a machine learning rule and a preset knowledge base. Based on this, the preset processing unit 305 can include an alarm analysis sub-unit 3051, an alarm convergence sub-unit 3052, and an alarm aggregation sub-unit 3053.

Specifically, the alarm analysis sub-unit 3051 is configured to automatically calculate a reasonable alarm threshold by using a statistical method based on historical data statistics, a method of normal distribution, a 3-sigma strategy, and the like. When the performance indicator exceeds or falls below this alarm threshold, an alarm is triggered. At the same time, these reasonable alarm thresholds are set to the preset threshold ranges in the preset alarm rules, thereby forming a closed loop control, thereby improving the accuracy of the alarm.

Specifically, the alarm convergence sub-unit 3052 is specifically configured to: combine the alarm events according to the preset time window; or merge the corresponding alarm events according to the same monitoring policy; or combine the corresponding alarm events according to the same alarm object. For example, the alarm events generated during a certain period of time are combined into one. For example, multiple alarm events with a CPU usage exceeding 90% are combined into one alarm event; for example, the alarm sent by host A at a certain time window. Alarms such as cpu, memory, or disk can be combined into one alarm event corresponding to host A.

Specifically, the alarm aggregation sub-unit 3053 is specifically configured to: association mining processing and exception dependency processing. The merging strategy of the association mining process refers to merging multiple alarm events into one alarm event by mining the association between the alarm event and the alarm event and the association between multiple timings. Exception dependency processing refers to the occurrence of an exception and another dependency. For example, a disk failure may cause the host to crash. If an alarm event of disk failure and host loss is received at the same time, the exception dependency can be passed. , Convergence of these two alarm events into one alarm event.

The event sending unit 306 is configured to send the alarm event that has undergone the preset processing to the user terminal.

The user terminal includes a system administrator or a terminal corresponding to the user system, and different transmission modes may be adopted for different user terminals. Specifically, the system administrator can notify the administrator of the system by email, short message, telephone, etc., and for the user system, the alarm event can be pushed to the user system for further processing, for example, some users will develop their own tools. The platform further processes the alarm event and combines the business logic to make judgments. To meet such user requirements, the user system can subscribe to the alarm of the monitoring system. When a new alarm is generated in the alarm center of the monitoring system, the directional push is implemented according to the corresponding topic subscribed by the user system, thereby improving the user experience.

The embodiment of the present application further provides another alarm processing apparatus, which is used to execute the foregoing alarm processing method. Specifically, please refer to FIG. 5. FIG. 5 is a schematic block diagram of an alarm processing apparatus according to an embodiment of the present application. The alarm processing device 400 can be installed in a server.

As shown in FIG. 5, the alarm processing apparatus 400 includes a data acquisition unit 401, a data determination unit 402, a generation recording unit 403, an event acquisition unit 404, a preset processing unit 405, an event transmission unit 406, an information reception unit 407, and information storage. Unit 408.

The data obtaining unit 401 is configured to acquire monitoring data of the monitoring object.

Among them, the monitoring object includes the monitoring object itself in addition to the host, the container, the network device, and the middleware. In this embodiment, acquiring the monitoring data of the monitoring object further includes: acquiring monitoring data of the monitoring system.

The data determining unit 402 is configured to determine alarm data in the monitoring data according to a preset alarm rule, where the alarm data is monitoring data that triggers the preset alarm rule.

The preset alarm rule is a preset alarm rule, and the preset threshold range determination method is used, and other similar determination methods may also be used, which are not limited herein.

The generating record unit 403 is configured to generate an alarm event according to the alarm data, and record the alarm event in a preset message queue.

The alarm data is generated in an alarm event according to a preset event format, and the generated alarm event is saved in a preset message queue. The preset message queue is used to store multiple alarm events, which can effectively prevent the server from generating multiple alarm events at the same time, thereby generating an alarm storm.

The event obtaining unit 404 is configured to acquire an alarm event in the preset message queue according to a preset acquisition rule.

Specifically, the method is: acquiring a preset number of alarm events in the preset message queue according to a preset sequence. Specifically, a certain number of alarm events are acquired each time in a preset order. Therefore, the preset quantity can ensure that the alarm events in the preset message queue are processed in batches, thereby avoiding the occurrence of an alarm storm.

The preset processing unit 405 is configured to perform preset processing on the alarm event based on the machine learning rule and the preset knowledge base.

The alarm event and the monitoring object corresponding to the monitoring object are the alarm events corresponding to the monitoring system itself, and therefore different preset processing modes are required. Based on this, the preset processing unit 405 includes the event screening subunit 4051 and The self-healing subunit 4052 is sent.

The event screening sub-unit 4051 is configured to filter out a monitoring alarm event from the alarm event, where the monitoring alarm event is an alarm event of the monitoring system.

The alarm event includes not only the alarm event of the monitoring system but also the alarm event of the host, the container, or the middleware. Therefore, the monitoring alarm event needs to be filtered out from the alarm event, and the monitoring alarm event is an alarm of the monitoring system. event.

Specifically, the identification information of the monitoring object may be obtained by associating the monitoring data of the monitoring object with the identification information. Therefore, the alarm data is also associated with the identification information, and the identification information can be used to filter out the monitoring alarm event from the alarm event.

The self-healing sub-unit 4052 is configured to send the monitoring alarm event to the self-healing system to cause the self-healing system to process the fault corresponding to the monitoring alarm event.

The self-healing system and the monitoring system can be installed in different servers, and communication connections are established between the servers to complete data interaction. The self-healing system is configured to automatically process faults corresponding to the monitoring alarm events, such as expanding capacity, restarting services, or limiting traffic.

The event sending unit 406 is configured to send the alarm event that has undergone the preset processing to the user terminal.

The alarm event that has been processed by the preset is sent to the user terminal, so that the user can perform corresponding processing on the alarm event, and the alarm event is cancelled in time.

The information receiving unit 407 is configured to receive the feedback information sent by the user terminal, where the feedback information is processing result information generated by the user terminal by performing preset label processing on the preset alarm event. .

The preset tag processing includes: marking an invalid alarm event, not processing, and feeding back to the alarm center of the server. Or mark the event alarm and handle the event. User terminals may have automated event processing systems. After receiving the event, the user terminal starts processing, and notifies the alarm center of the server to the final processing result, which can be specifically sent through an API callback.

The information saving unit 408 saves the processing result information to the preset knowledge base.

The server saves the processing result information to the preset knowledge base, and uses the alarm event and the corresponding processing result information as historical alarm events to analyze and process the current alarm event, thereby forming a closed loop mechanism. The entire process is continuously improved, thereby improving the accuracy of the alarm.

The above apparatus may be embodied in the form of a computer program that can be run on a computer device as shown in FIG.

Please refer to FIG. 6. FIG. 6 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 700 device can be a terminal. The terminal can be a communication-enabled electronic device such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a personal digital assistant, and a wearable device.

Referring to FIG. 6, the computer device 700 includes a processor 720, a network interface 750, and a memory connected by a system bus 710, wherein the memory can include a non-volatile storage medium 730 and an internal memory 740.

The non-volatile storage medium 730 can store an operating system 731 and a computer program 732. When the computer program 732 is executed, the processor 720 can be caused to perform an alert processing method.

The processor 720 is used to provide computing and control capabilities to support the operation of the entire computer device 700.

The internal memory 740 provides an environment for the operation of the computer program 732 in the non-volatile storage medium 730.

The network interface 750 is used for network communication, such as sending assigned tasks and the like. It will be understood by those skilled in the art that the structure shown in FIG. 6 is only a block diagram of a part of the structure related to the solution of the present application, and does not constitute a limitation of the computer device 700 to which the solution of the present application is applied, and a specific computer device. 700 may include more or fewer components than shown, or some components may be combined, or have different component arrangements.

The processor 720 is configured to run program code stored in the memory to implement the following functions:

Acquiring the monitoring data of the monitoring object; determining the alarm data in the monitoring data according to the preset alarm rule, wherein the alarm data is monitoring data that triggers the preset alarm rule; generating an alarm event according to the alarm data, and The alarm event is recorded in a preset message queue; the alarm event in the preset message queue is obtained according to a preset acquisition rule; and the alarm event obtained from the preset message queue is obtained based on the machine learning rule and the preset knowledge base. Performing a preset process; and transmitting an alert event processed by the preset to the user terminal.

In an embodiment, after the performing, by the processor 720, the alarm event that has been processed by the preset to the user terminal, the following is also performed: receiving feedback information sent by the user terminal, where the feedback information is Processing result information generated by the user terminal for performing preset label processing on the preset processed alarm event; and saving the processing result information to the preset knowledge base.

In an embodiment, when the processor 720 is executed, the program is specifically executed to: select a monitoring alarm event from the alarm event, where the monitoring alarm event is an alarm event of the monitoring system; The event is sent to the self-healing system such that the self-healing system processes the fault corresponding to the monitored alarm event.

In an embodiment, when executing, the processor 720 specifically executes a process of generating an alarm event by using the alarm data according to a preset event format.

In an embodiment, when the processor 720 is executed, the program is specifically configured to: perform preset alarm analysis processing and preset alarm on the alarm event acquired from the preset message queue based on the machine learning rule and the preset knowledge base. Convergence processing or preset alarm aggregation processing.

In an embodiment, when the processor 720 is executed, the program is specifically executed to acquire a preset number of alarm events in the preset message queue according to a preset sequence.

It should be understood that in the embodiment of the present application, the processor 720 may be a central processing unit (Central Processing Unit, CPU), the processor 720 can also be other general-purpose processors, digital signal processors (DSPs), and application specific integrated circuits. (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate array (Field-Programmable) Gate Array, FPGA) Or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, and the like. The general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.

Those skilled in the art will appreciate that the computer device 700 architecture illustrated in FIG. 6 does not constitute a limitation to computer device 700, may include more or fewer components than illustrated, or may combine certain components, or different components. Arrangement.

In another embodiment of the present application, a storage medium is provided, the storage medium comprising a computer readable storage medium storing a computer program, wherein the computer program comprises program instructions. This program instruction is implemented when executed by the processor:

Acquiring the monitoring data of the monitoring object; determining the alarm data in the monitoring data according to the preset alarm rule, wherein the alarm data is monitoring data that triggers the preset alarm rule; generating an alarm event according to the alarm data, and The alarm event is recorded in a preset message queue; the alarm event in the preset message queue is obtained according to a preset acquisition rule; and the alarm event obtained from the preset message queue is obtained based on the machine learning rule and the preset knowledge base. Performing a preset process; and transmitting an alert event processed by the preset to the user terminal.

In an embodiment, after the program instruction is executed by the processor to send the alarm event that has been processed by the preset to the user terminal, the method further includes: receiving feedback information sent by the user terminal, where the feedback information is Processing result information generated by the user terminal for performing preset label processing on the preset processed alarm event; and saving the processing result information to the preset knowledge base.

In an embodiment, when the program instruction is executed by the processor, the machine learning rule and the preset knowledge base perform preset processing on the alarm event acquired from the preset message queue, and the specific implementation is: The monitoring alarm event is filtered out, wherein the monitoring alarm event is an alarm event of the monitoring system; and the monitoring alarm event is sent to the self-healing system to cause the self-healing system to process the fault corresponding to the monitoring alarm event. .

In an embodiment, when the program instruction is executed by the processor, the alarm event is generated according to the alarm data, and the alarm data is generated according to a preset event format.

In an embodiment, when the program instruction is executed by the processor, the machine learning rule and the preset knowledge base perform preset processing on the alarm event acquired from the preset message queue, and the specific implementation is: based on a machine learning rule. The preset knowledge base performs preset alarm analysis processing, preset alarm convergence processing, or preset alarm aggregation processing on the alarm events obtained from the preset message queue.

In an embodiment, when the program instruction is executed by the processor to obtain the alarm event in the preset message queue according to the preset acquisition rule, the specific implementation is: acquiring the preset in the preset message queue according to a preset order. The number of alarm events.

The computer readable storage medium may be a USB flash drive, a removable hard drive, or a read only memory (ROM, Read-Only) A variety of media that can store program code, such as a memory, a disk, or an optical disk.

Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the various examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both, for clarity of hardware and software. Interchangeability, the composition and steps of the various examples have been generally described in terms of function in the above description. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present application.

A person skilled in the art can clearly understand that, for the convenience and brevity of the description, the specific working process of the device and the unit described above can refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.

In the several embodiments provided by the present application, it should be understood that the disclosed alarm processing apparatus and method may be implemented in other manners. For example, the alarm processing device embodiments described above are merely illustrative. For example, the division of each unit is only a logical function division, and there may be another division manner in actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented.

The steps in the method of the embodiment of the present application may be sequentially adjusted, merged, and deleted according to actual needs. The units in the apparatus of the embodiment of the present application may be combined, divided, and deleted according to actual needs.

In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, can be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be in essence or part of the contribution to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium. Including several instructions to make a computer device (may be a personal computer, terminal, or network device, etc.) Performing all or part of the steps of the method described in various embodiments of the present application.

The foregoing is only a specific embodiment of the present application, but the scope of protection of the present application is not limited thereto, and any equivalents can be easily conceived by those skilled in the art within the technical scope disclosed in the present application. Modifications or substitutions are intended to be included within the scope of the present application. Therefore, the scope of protection of this application should be determined by the scope of protection of the claims.

Claims (20)

 An alarm processing method is applied to a monitoring system, which includes: Obtain monitoring data of the monitored object; Determining, by the preset alarm rule, the alarm data in the monitoring data, where the alarm data is monitoring data that triggers the preset alarm rule; Generating an alarm event according to the alarm data, and recording the alarm event in a preset message queue; Obtaining an alarm event in the preset message queue according to a preset acquisition rule; Presetting the alarm event acquired from the preset message queue based on the machine learning rule and the preset knowledge base; The alarm event that has been processed through the preset is sent to the user terminal. The alarm processing method according to claim 1, wherein after the sending the preset processed alarm event to the user terminal, the method further includes: Receiving the feedback information sent by the user terminal, where the feedback information is processing result information generated by the user terminal by performing preset label processing on the preset processed alarm event; Saving the processing result information to the preset knowledge base. The alarm processing method according to claim 1, wherein the preset processing of the alarm event acquired from the preset message queue based on the machine learning rule and the preset knowledge base comprises: And filtering a monitoring alarm event from the alarm event, where the monitoring alarm event is an alarm event of the monitoring system; And transmitting the monitoring alarm event to the self-healing system to cause the self-healing system to process the fault corresponding to the monitoring alarm event. The alarm processing method according to claim 1, wherein the generating an alarm event according to the alarm data comprises: generating an alarm event according to a preset event format. The alarm processing method according to claim 1, wherein the acquiring an alarm event in the preset message queue according to a preset acquisition rule comprises: Obtaining a preset number of alarm events in the preset message queue according to a preset order. The alarm processing method according to claim 1, wherein the preset processing of the alarm event acquired from the preset message queue based on the machine learning rule and the preset knowledge base comprises: Performing preset alarm analysis processing, preset alarm convergence processing, or preset alarm aggregation processing on the alarm events acquired from the preset message queue based on the machine learning rules and the preset knowledge base. The alarm processing method according to claim 6, wherein the analysis method corresponding to the preset alarm analysis processing comprises a method based on historical data statistics, a method based on normal distribution, or a 3-sigma strategy method. The alarm processing method according to claim 6, wherein the preset alarm convergence processing comprises: combining the alarm events according to a preset time window. The alarm processing method according to claim 6, wherein the preset alarm aggregation processing comprises: association mining processing and abnormal dependency processing.  An alarm processing device includes: a data acquisition unit, configured to acquire monitoring data of the monitored object; a data determining unit, configured to determine alarm data in the monitoring data according to a preset alarm rule, where the alarm data is monitoring data that triggers the preset alarm rule; Generating a recording unit, configured to generate an alarm event according to the alarm data, and record the alarm event in a preset message queue; An event obtaining unit, configured to acquire an alarm event in the preset message queue according to a preset acquisition rule; a preset processing unit, configured to perform preset processing on an alarm event acquired from the preset message queue based on a machine learning rule and a preset knowledge base; The event sending unit is configured to send the alarm event that has been processed by the preset to the user terminal. The alarm processing device of claim 10, further comprising: The information receiving unit is configured to receive the feedback information sent by the user terminal, where the feedback information is processing result information generated by the user terminal by performing preset label processing on the preset alarm event; as well as And an information saving unit, configured to save the processing result information to the preset knowledge base. The alarm processing device according to claim 10, wherein the preset processing unit comprises: An event screening subunit, configured to filter out a monitoring alarm event from the alarm event, where the monitoring alarm event is an alarm event of the monitoring system; And sending a self-healing subunit, configured to send the monitoring alarm event to the self-healing system, so that the self-healing system processes the fault corresponding to the monitoring alarm event. The alarm processing device according to claim 10, wherein the generating and recording unit is configured to generate an alarm event according to the preset event format. The alarm processing device according to claim 10, wherein the preset processing unit is configured to perform preset alarm analysis on an alarm event acquired from the preset message queue based on a machine learning rule and a preset knowledge base. Process, preset alarm convergence processing, or preset alarm aggregation processing. A computer device comprising a memory, a processor, and a computer program stored on the memory and operative on the processor, wherein the processor executes the computer program: Obtain monitoring data of the monitored object; Determining, by the preset alarm rule, the alarm data in the monitoring data, where the alarm data is monitoring data that triggers the preset alarm rule; Generating an alarm event according to the alarm data, and recording the alarm event in a preset message queue; Obtaining an alarm event in the preset message queue according to a preset acquisition rule; Presetting the alarm event acquired from the preset message queue based on the machine learning rule and the preset knowledge base; The alarm event that has been processed through the preset is sent to the user terminal. The computer device according to claim 15, wherein after the processor executes the computer program, after the sending of the preset processed alarm event to the user terminal, the processor further implements: Receiving the feedback information sent by the user terminal, where the feedback information is processing result information generated by the user terminal by performing preset label processing on the preset processed alarm event; Saving the processing result information to the preset knowledge base. The computer device according to claim 15, wherein said processor executes said computer program to implement said machine learning rule and a preset knowledge base to perform preset processing on an alarm event acquired from said preset message queue When the specific implementation: And filtering a monitoring alarm event from the alarm event, where the monitoring alarm event is an alarm event of the monitoring system; And transmitting the monitoring alarm event to the self-healing system to cause the self-healing system to process the fault corresponding to the monitoring alarm event. The computer device according to claim 15, wherein the processor executes the computer program to implement the generating an alarm event according to the alarm data, and specifically: generating an alarm event according to a preset event format. . The computer device according to claim 15, wherein said processor executes said computer program to implement said machine learning rule and a preset knowledge base to perform preset processing on an alarm event acquired from said preset message queue The specific implementation is: performing preset alarm analysis processing, preset alarm convergence processing, or preset alarm aggregation processing on the alarm event obtained from the preset message queue based on the machine learning rule and the preset knowledge base. A storage medium, wherein the storage medium stores a computer program, the computer program comprising program instructions that, when executed by a processor, cause the processor to execute: Obtain monitoring data of the monitored object; Determining, by the preset alarm rule, the alarm data in the monitoring data, where the alarm data is monitoring data that triggers the preset alarm rule; Generating an alarm event according to the alarm data, and recording the alarm event in a preset message queue; Obtaining an alarm event in the preset message queue according to a preset acquisition rule; Presetting the alarm event acquired from the preset message queue based on the machine learning rule and the preset knowledge base; The alarm event that has been processed through the preset is sent to the user terminal.