CN113051308A - Alarm information processing method, equipment, storage medium and device - Google Patents


Publication number
CN113051308A
Authority
CN
China
Prior art keywords
information
alarm
alarm information
item set
confidence
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911402452.1A
Other languages
Chinese (zh)
Inventor
陈晓帆
冯都升
翟云箭
张穗辉
古亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN201911402452.1A priority Critical patent/CN113051308A/en
Publication of CN113051308A publication Critical patent/CN113051308A/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2465 Query processing support for facilitating data mining operations in structured databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2282 Tablespace storage structures; Management thereof
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/24553 Query execution of query operations
    • G06F16/24554 Unary operations; Data partitioning operations
    • G06F16/24556 Aggregation; Duplicate elimination
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2457 Query processing with adaptation to user needs


Abstract

The invention relates to the technical field of alarm information processing and discloses an alarm information processing method, equipment, storage medium and device. The method obtains a plurality of pieces of alarm information to be processed; determines a target association relationship among the alarm information to be processed through a logic relationship table, where the logic relationship table contains association relationships between reason alarm information and result alarm information; and determines the current reason alarm information and the current result alarm information among the alarm information to be processed according to the target association relationship. The current reason alarm information and the current result alarm information can thus be located accurately from the current alarm information through the logic relationship table, which improves the accuracy of alarm information processing.

Description

Alarm information processing method, equipment, storage medium and device
Technical Field
The present invention relates to the field of alarm information processing technologies, and in particular, to an alarm information processing method, device, storage medium, and apparatus.
Background
The Internet Technology (IT) application systems of medium and large enterprises are large and complex, with thousands of devices, and any small IT problem may cause an "alarm storm". An alarm storm means that a system generates a large number of alarm messages in a short time; some of the messages are caused by a common factor and are correlated with one another, while others are unrelated. Such an alarm storm causes alarm fatigue in staff and makes it harder for service personnel to handle the problem, so these alarms must be masked. Mining the call associations between entities within an application becomes the key to locating problems and handling these alarms. The current technical schemes are as follows: (1) A correlation analysis algorithm is used to judge correlation: a Pearson correlation coefficient between alarm units is calculated, using the Pearson algorithm or the like, and whether the alarm units are correlated is judged from the distance value, which gives the correlation between the alarm sequences when alarms occur. However, a distance value such as the Pearson correlation coefficient cannot accurately express the correlation between alarm sequences, because there may be a time lag between time-series alarm sequences. (2) Alarm information is processed with manually configured strategies, for example merging the alarm information of a number of consecutive time points into one alarm, masking the alarm information of a certain host so that it is no longer notified, or merging the alarm information of several units into one alarm. Although this reduces the number of alarms, many meaningful alarms may also be masked, which causes data distortion and masking errors.
Disclosure of Invention
The invention mainly aims to provide an alarm information processing method, equipment, a storage medium and a device, and aims to solve the technical problem of how to improve the accuracy of alarm information processing.
In order to achieve the above object, the present invention provides an alarm information processing method, which comprises the following steps:
acquiring a plurality of alarm information to be processed;
determining a target association relationship among alarm information to be processed through a logic relationship table, wherein the logic relationship table comprises association relationships between reason alarm information and result alarm information;
and determining current reason alarm information and current result alarm information in each alarm information to be processed according to the target association relation.
Preferably, after determining the current reason alarm information and the current result alarm information in each alarm information to be processed according to the target association relationship, the method further includes:
and determining a target host corresponding to the current reason alarm information through an alarm relation table, and shielding the current result alarm information according to the target host, wherein the alarm relation table comprises the corresponding relation between the host and the alarm information.
Preferably, before the target host corresponding to the current cause alarm information is determined through an alarm relationship table and the current result alarm information is shielded according to the target host, the alarm information processing method further includes:
acquiring historical alarm information, and sequencing the historical alarm information according to time information of the historical alarm information to obtain reference alarm information;
acquiring host information corresponding to the reference alarm information, and grouping the reference alarm information through preset attribute information to obtain grouped alarm information related to the host information;
and constructing an alarm relation table according to the grouped alarm information.
Preferably, the constructing an alarm relationship table according to the grouped alarm information includes:
selecting alarm item set information in a preset time from the grouped alarm information;
acquiring frequent item set information in the alarm item set information according to the support degree of the alarm item set information;
obtaining reference confidence information according to the frequent item set information, and generating alarm rule information according to the reference confidence information;
and combining the alarm rule information, and constructing an alarm relation table according to the combined alarm rule information.
Preferably, the obtaining of frequent item set information in the alarm item set information according to the support degree of the alarm item set information includes:
acquiring occurrence probability information of each historical alarm information in the alarm item set information, and taking the occurrence probability information as a support degree;
and taking the alarm item set information corresponding to the support degree greater than the preset threshold value as frequent item set information.
Preferably, the obtaining reference confidence information according to the frequent item set information and generating alarm rule information according to the reference confidence information includes:
obtaining reference confidence information according to historical alarm information in the frequent item set information, and obtaining promotion information among the historical alarm information in the frequent item set information;
adjusting the reference confidence information according to the promotion degree information to obtain target confidence information;
and generating alarm rule information according to the target confidence coefficient information.
Preferably, the obtaining reference confidence information according to the frequent item set information and generating alarm rule information according to the reference confidence information includes:
obtaining reference confidence information according to the frequent item set information, and obtaining reference reason alarm information and reference result alarm information according to the reference confidence information;
adjusting the reference confidence information according to the reference probability information of the reference result alarm information and the common probability information of the reference reason alarm information and the reference result alarm information to obtain adjusted confidence information;
comparing the adjusted confidence information with reference confidence information, and adjusting the reference reason alarm information and the reference result alarm information according to the comparison result to obtain target reason alarm information and target result alarm information;
and generating alarm rule information according to the target reason alarm information and the target result alarm information.
Preferably, before the obtaining of the plurality of alarm information to be processed, the alarm information processing method further includes:
acquiring initial alarm information;
sequencing the initial alarm information according to time sequence to obtain sequenced initial alarm information;
and removing the duplicate of the sequenced initial alarm information to obtain the original alarm information after the duplicate is removed, and taking the original alarm information after the duplicate is removed as the alarm information to be processed.
Further, to achieve the above object, the present invention also proposes an alarm information processing apparatus including: a memory, a processor and an alarm information processing program stored on the memory and executable on the processor, the alarm information processing program, when executed by the processor, implementing the steps of the alarm information processing method as described above.
Furthermore, to achieve the above object, the present invention further provides a storage medium having an alarm information processing program stored thereon, which when executed by a processor implements the steps of the alarm information processing method as described above.
Further, to achieve the above object, the present invention also proposes an alarm information processing apparatus including:
the acquisition module is used for acquiring a plurality of pieces of alarm information to be processed;
the determining module is used for determining a target association relationship among the alarm information to be processed through a logic relationship table, wherein the logic relationship table comprises association relationships between reason alarm information and result alarm information;
the determining module is further configured to determine current cause alarm information and current result alarm information in each alarm information to be processed according to the target association relationship.
According to the technical scheme provided by the invention, a plurality of pieces of alarm information to be processed are obtained; determining a target association relationship among alarm information to be processed through a logic relationship table, wherein the logic relationship table comprises association relationships between reason alarm information and result alarm information; and determining the current reason alarm information and the current result alarm information in each alarm information to be processed according to the target association relationship, so that the current reason alarm information and the current result alarm information can be accurately positioned through a logic relationship table according to the current alarm information, and the aim of improving the accuracy of alarm information processing is fulfilled.
Drawings
FIG. 1 is a schematic structural diagram of an alarm information processing device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating an embodiment of a method for processing alarm information according to the present invention;
FIG. 3 is a schematic view of an overall flow of an alarm information processing system according to an embodiment of the alarm information processing method of the present invention;
FIG. 4 is a flow chart of matching with a knowledge base in an actual environment according to an embodiment of the method for processing alarm information of the present invention;
FIG. 5 is a flowchart illustrating an alarm information processing method according to another embodiment of the present invention;
FIG. 6 is a flowchart illustrating an alarm information processing method according to yet another embodiment of the present invention;
FIG. 7 is a block diagram of an embodiment of an alarm information processing apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an alarm information processing device in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the alarm information processing apparatus may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display screen (Display); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface, and the wired interface of the user interface 1003 may be a Universal Serial Bus (USB) interface in the present invention. The network interface 1004 may optionally include a standard wired interface as well as a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed Random Access Memory (RAM), or a stable memory such as a non-volatile memory, for example a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of the alarm information processing apparatus, which may include more or fewer components than those shown, a combination of some components, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and an alarm information processing program.
In the alarm information processing apparatus shown in fig. 1, the network interface 1004 is mainly used for connecting to a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting peripheral equipment; the alarm information processing apparatus calls an alarm information processing program stored in the memory 1005 through the processor 1001 and executes the alarm information processing method provided by the embodiment of the present invention.
Based on the hardware structure, the embodiment of the alarm information processing method is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating an embodiment of an alarm information processing method according to the present invention.
In the embodiment of fig. 2, the alarm information processing method includes the following steps:
Step S10: acquiring a plurality of pieces of alarm information to be processed.
It should be noted that, the execution subject of the embodiment is an alarm information processing device, and may also be other devices that can implement the same or similar functions.
As shown in fig. 3, the overall flow of the alarm information processing system includes an alarm information rule matching module, an association rule calculation module and a historical data preprocessing and grouping module. The alarm information to be processed is the actual alarm information currently acquired; this actual alarm information is processed against a text knowledge base to obtain the result alarm information and the reason alarm information, that is, to output the root cause problem and mask useless alarm information.
Step S20: determining a target association relationship among the alarm information to be processed through a logic relationship table, wherein the logic relationship table comprises the association relationship between the reason alarm information and the result alarm information.
It should be noted that the logical relationship table is learned from historical data and contains association relationships between reason alarm information and result alarm information. Each monitored host has monitoring items such as Central Processing Unit (CPU), disk and traffic, and each monitoring item may generate alarm records. Monitoring items inside a host may affect one another, so alarm information for the same monitoring item on different hosts is placed directly into one group, which can also be expressed as a relationship between hosts. In this way rules for multiple monitoring items can be obtained between different hosts, and the association rules between hosts are finally obtained by collecting statistics across the different monitoring items, which is more accurate.
Step S30: determining current reason alarm information and current result alarm information in each alarm information to be processed according to the target association relation.
It should be noted that the association information is the causal relationship between historical reason alarm information and result alarm information, mined from the historical alarm information. The reason alarm information and the result alarm information among the current alarm information can be obtained from the mined causal relationship, so that the alarm information can be located effectively.
For example, fig. 4 is a flow chart of matching against the knowledge base in the actual environment: the alarm information in the actual environment is matched one by one, in priority order, against the alarm relation table, that is, the knowledge base. If the alarm information matches an association rule, for example alarms A and B match a rule such as A-B, then alarm B can be masked and only the root cause problem A is reported. This reduces the number of alarms and exposes the root cause problem, so that problems are investigated more quickly and troubleshooting efficiency improves.
According to the scheme, a plurality of pieces of alarm information to be processed are obtained; determining a target association relationship among alarm information to be processed through a logic relationship table, wherein the logic relationship table comprises association relationships between reason alarm information and result alarm information; and determining the current reason alarm information and the current result alarm information in each alarm information to be processed according to the target association relationship, so that the current reason alarm information and the current result alarm information can be accurately positioned through a logic relationship table according to the current alarm information, and the aim of improving the accuracy of alarm information processing is fulfilled.
Referring to fig. 5, fig. 5 is a flowchart illustrating another embodiment of the method for processing an alarm information according to the present invention, and based on the embodiment illustrated in fig. 2, another embodiment of the method for processing an alarm information according to the present invention is provided, where after step S30, the method further includes:
step S40, determining a target host corresponding to the current reason alarm information through an alarm relation table, and shielding the current result alarm information according to the target host, wherein the alarm relation table comprises the corresponding relation between the host and the alarm information.
It should be noted that an alarm relation table is also provided in a preset storage area. The alarm relation table contains the correspondence between hosts and alarm information, so the host information of the host that generated a piece of alarm information can be looked up from that alarm information, and the useless current result alarm information is masked through the target host corresponding to that host information, which suppresses many kinds of alarm information. For example, the alarm information corresponding to host A includes a1 and a2, and the alarm information corresponding to host B includes b1 and b2; when the current reason alarm information is b1, the corresponding target host is found to be B, so that the alarm information can be processed effectively through the target host B.
Further, before the step S40, the method further includes:
step S401, obtaining historical alarm information, and sorting the historical alarm information according to the time information of the historical alarm information to obtain reference alarm information.
It should be noted that after the historical alarm data is acquired, the data is sorted by time and alarm information with the same attribute is placed in one group. Each group therefore contains fewer alarms than the whole data set, which makes it easier to obtain results in the later association rule calculation.
Step S402, obtaining host information corresponding to the reference alarm information, and grouping the reference alarm information through preset attribute information to obtain grouped alarm information related to the host information.
It can be understood that the preset attribute information includes at least one of CPU information, disk information and traffic information. Each host in the monitoring system has attributes for monitoring items such as CPU and traffic, and the monitoring system can group by whichever attributes are required; for example, information belonging to traffic alarms is placed in one group and information belonging to disk alarms is placed in another group for processing.
Continuing with fig. 3, historical alarm data is first obtained through the monitoring system and preprocessed; the historical alarm information is then grouped by attribute information and the grouped data is analyzed, which improves data analysis efficiency.
And step S403, constructing an alarm relation table according to the grouped alarm information.
In this embodiment, grouping ensures independence between the attributes and allows the rules of the alarm units on different attributes to be calculated, so that the rules are as comprehensive and interpretable as possible; an alarm unit is a set containing the historical alarm information within a preset time period. Grouping also reduces the space complexity and time complexity of the algorithm, because the association rules are calculated independently for each group. The association analysis algorithm analyzes the data automatically to obtain the association rules without human intervention, which greatly saves manpower.
Continuing with fig. 3, the data is first cut into item sets by a certain time interval. An optimized association rule algorithm is then applied, where the optimization consists of an optimized confidence formula and an added lift (promotion degree) measure. The association rule results produced by the algorithm are then confirmed and formed into a text knowledge base for use, that is, a preset relation knowledge base is generated.
Further, the step S403 includes:
selecting alarm item set information in a preset time from the grouped alarm information; acquiring frequent item set information in the alarm item set information according to the support degree of the alarm item set information; obtaining reference confidence information according to the frequent item set information, and generating alarm rule information according to the reference confidence information; and combining the alarm rule information, and constructing an alarm relation table according to the combined alarm rule information.
It can be understood that the grouped alarm information is obtained by grouping the reference alarm information in the historical alarm information by attribute, for example grouped alarm information a1 and a2 obtained from traffic alarm information, and grouped alarm information b1 and b2 obtained from disk alarm information. Alarm information within a preset time is selected from the grouped alarm information and combined to obtain alarm item set information, for example $S_1 = \{a_1, a_2, \ldots, a_n\}$, where $n$ is greater than 0, and $S_2 = \{b_1, b_2, \ldots, b_k\}$, where $k$ is greater than 0. The support degree is then calculated for each piece of alarm information in the alarm item set information. For example, the support degree of alarm information A in the alarm item set information $S_1$ is 70% and the support degree of alarm information B in the alarm item set information $S_2$ is 10%; with a support threshold of 50%, the support degree of A is greater than the threshold and the support degree of B is less than it, and the alarm item set information $S_1$ in which A is located is called frequent item set information.
In the historical alarm data, the alarms within a period of time are taken as one item set; the probability that an alarm unit appears among all item sets, that is, its support degree, is then calculated iteratively, and an item set whose support degree is greater than a threshold is called a frequent item set. Join and pruning operations are then performed. The pruning logic is that if a certain alarm unit is not a frequent item set, no item set containing that alarm unit can exceed the support threshold; for example, if the support degree of alarm A is less than the threshold, alarm units such as AB and ABC are not frequent item sets. This yields the frequent item sets in the historical data, and the items whose confidence within the frequent item sets is greater than a threshold are integrated into alarm rules.
In this embodiment, the support degree is the probability that an item set appears among all item sets, $\mathrm{support}(A) = P(A)$, and the confidence degree is the probability that A and B occur together given that A occurs, $\mathrm{confidence} = P(B \mid A) = P(AB)/P(A)$. The association relationship between alarms A and B is obtained from the confidence between them, and the reason alarm information and the result alarm information are thereby distinguished.
Further, the obtaining of frequent item set information in the alarm item set information according to the support degree of the alarm item set information includes:
acquiring occurrence probability information of each historical alarm information in the alarm item set information, and taking the occurrence probability information as a support degree; and taking the alarm item set information corresponding to the support degree greater than the preset threshold value as frequent item set information.
Further, the obtaining reference confidence information according to the frequent item set information and generating alarm rule information according to the reference confidence information includes:
in this embodiment, when a certain alarm in the alarm system is always present, for example event B always occurs, $P(B)$ is very high, and $P(AB)$ is then close to $P(A)$ regardless of the probability of event A. An alarm that is always present therefore introduces a large error into the confidence of a rule; this problem is addressed by modifying the confidence formula, which improves the calculation of the confidence value.
Obtaining reference confidence information according to historical alarm information in the frequent item set information, and obtaining promotion information among the historical alarm information in the frequent item set information; adjusting the reference confidence information according to the promotion degree information to obtain target confidence information; and generating alarm rule information according to the target confidence coefficient information.
For example, by scheme one: since the B alarm is always generated, P (AB) is close to A, not really because A causes B. The concept of the degree of lift can be added to eliminate the influence, namely, whether the probability of AB occurrence under the probability of a and the probability of AB occurrence under the condition that a does not occur increase or not is judged, that is, the degree of lift (p), (AB)/p (a) is judged if the value is greater than 1, which indicates that p (B) also increases under the condition that p (a) increases, that is, the occurrence of an event a really has a positive effect on an event B, and conversely, if p (B) does not increase under the condition that p (a) increases, that is, the occurrence of an event a does not have an influence on the occurrence of an event B, which indicates that a is not a reason for B, so that the original confidence information needs to be corrected, and the accuracy of alarm information judgment is improved.
Further, the obtaining reference confidence information according to the frequent item set information and generating alarm rule information according to the reference confidence information includes:
This embodiment provides a modification scheme: reference confidence information is obtained according to the frequent item set information, and reference reason alarm information and reference result alarm information are obtained according to the reference confidence information; the reference confidence information is adjusted according to the reference probability information of the reference result alarm information and the common probability information of the reference reason alarm information and the reference result alarm information to obtain adjusted confidence information; the adjusted confidence information is compared with the reference confidence information, and the reference reason alarm information and the reference result alarm information are adjusted according to the comparison result to obtain target reason alarm information and target result alarm information; and alarm rule information is generated according to the target reason alarm information and the target result alarm information.
In a specific implementation, the original confidence formula is modified as follows: P(B) − P(AB) is added to the denominator of the original confidence formula. When the B event becomes more frequent while P(AB) is unchanged, the whole denominator increases along with P(B), so the problem is solved; if the confidence between A and B is larger than the threshold, the A event can be judged to influence the B event.
In this embodiment, the association rules in each group can be obtained by using the optimized association analysis algorithm, and, with manual judgment added, the association rules can be converted into a fixed text format to form a rule knowledge base. In a practical environment, when a series of alarms is generated, alarm matching can be carried out against the established knowledge base. Because each rule indicates which alarm leads to which alarm, for example alarm A results in alarm B, the source alarm information A can be accurately located and the other, useless alarm B is masked.
According to the scheme, the association analysis algorithm is modified and optimized, so that the rules mined by the algorithm have higher reliability, the relationship among the associated rules is more accurate, the optimized algorithm is more robust, and errors caused by the fact that certain alarm information always exists in the system can be eliminated.
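As an added illustration (not code from the patent), the following Python example mines pairwise alarm rules from constructed time windows and scores each candidate with the reference confidence P(AB)/P(A), the lift, and the modified confidence whose denominator is P(A) + P(B) − P(AB). The alarm names, the thresholds, the standard lift definition P(AB)/(P(A)·P(B)), the use of lift as a filter, and taking the rule direction from the higher reference confidence are assumptions of this example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: each set holds the alarms raised in one time window.
# NET_DOWN tends to bring DB_TIMEOUT with it; HEARTBEAT fires in every window.
WINDOWS = [
    {"HEARTBEAT", "NET_DOWN", "DB_TIMEOUT"},
    {"HEARTBEAT", "NET_DOWN", "DB_TIMEOUT"},
    {"HEARTBEAT", "NET_DOWN", "DB_TIMEOUT"},
    {"HEARTBEAT", "NET_DOWN", "DB_TIMEOUT"},
    {"HEARTBEAT", "DB_TIMEOUT"},
    {"HEARTBEAT", "DISK_FULL"},
    {"HEARTBEAT"},
    {"HEARTBEAT"},
    {"HEARTBEAT"},
    {"HEARTBEAT"},
]


def frequent_itemsets(windows, min_support):
    """Return {frozenset: window count} for frequent 1- and 2-alarm item sets."""
    n = len(windows)
    singles = Counter(alarm for w in windows for alarm in w)
    frequent = {frozenset([a]): c for a, c in singles.items() if c / n > min_support}
    # Pruning: a pair can only be frequent if both of its members are frequent,
    # so infrequent alarms are dropped before any pair is counted.
    keep = {a for s in frequent for a in s}
    pairs = Counter()
    for w in windows:
        for pair in combinations(sorted(w & keep), 2):
            pairs[frozenset(pair)] += 1
    frequent.update({p: c for p, c in pairs.items() if c / n > min_support})
    return frequent


def rule_metrics(frequent, n, a, b):
    """Score the candidate rule a -> b from window counts."""
    n_a, n_b = frequent[frozenset([a])], frequent[frozenset([b])]
    n_ab = frequent[frozenset([a, b])]
    return {
        "confidence": n_ab / n_a,               # P(AB) / P(A)
        "lift": n_ab * n / (n_a * n_b),         # P(AB) / (P(A) * P(B)), standard form
        "adjusted": n_ab / (n_a + n_b - n_ab),  # P(AB) / (P(A) + P(B) - P(AB))
    }


def mine_rules(windows, min_support=0.3, min_conf=0.7, scheme="adjusted"):
    """Return sorted (cause, result) pairs accepted under the chosen scheme."""
    n = len(windows)
    frequent = frequent_itemsets(windows, min_support)
    rules = []
    for pair in [s for s in frequent if len(s) == 2]:
        x, y = sorted(pair)
        fwd = rule_metrics(frequent, n, x, y)
        rev = rule_metrics(frequent, n, y, x)
        for a, b, m, other in ((x, y, fwd, rev), (y, x, rev, fwd)):
            if scheme == "reference":
                ok = m["confidence"] > min_conf
            elif scheme == "lift":
                # Assumption: lift acts as a filter on the reference confidence.
                ok = m["confidence"] > min_conf and m["lift"] > 1
            else:
                # The adjusted score is symmetric in a and b, so direction is
                # taken from the higher reference confidence (assumption).
                ok = m["adjusted"] > min_conf and m["confidence"] > other["confidence"]
            if ok:
                rules.append((a, b))
    return sorted(rules)


if __name__ == "__main__":
    for scheme in ("reference", "lift", "adjusted"):
        print(scheme, mine_rules(WINDOWS, scheme=scheme))
```

With the always-present HEARTBEAT alarm, the reference confidence accepts NET_DOWN -> HEARTBEAT, while both corrections reject it and keep the NET_DOWN / DB_TIMEOUT relationship.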
Referring to Fig. 6, which is a flowchart of a further embodiment of the alarm information processing method according to the present invention, a further embodiment of the alarm information processing method is proposed based on Fig. 2 or Fig. 5. In this embodiment, based on the embodiment of Fig. 2, before step S10 the alarm information processing method further includes:
Step S101, obtaining initial alarm information.
It should be noted that the historical alarm data of the system is acquired, subjected to preprocessing operations such as sorting and duplicate removal, and then used as the input data, so that only the effective alarm information is analyzed and the efficiency of data processing is improved.
Step S102, sorting the initial alarm information in chronological order to obtain the sorted initial alarm information.
Step S103, deduplicating the sorted initial alarm information to obtain the deduplicated initial alarm information, and taking the deduplicated initial alarm information as the alarm information to be processed.
In this embodiment, the initial alarm information is preprocessed before it is handled further: continuing the data preprocessing process shown in Fig. 3, the grouped data is processed through operations such as sorting and deduplication.
According to the scheme provided by the embodiment, the initial alarm information is preprocessed, so that only effective alarm information is analyzed, and the data processing efficiency is improved.
In addition, an embodiment of the present invention further provides a storage medium, where an alarm information processing program is stored on the storage medium, and the alarm information processing program, when executed by a processor, implements the steps of the terminal network access method described above.
Since the storage medium adopts all technical solutions of all the embodiments, at least all the beneficial effects brought by the technical solutions of the embodiments are achieved, and no further description is given here.
In addition, referring to fig. 7, an embodiment of the present invention further provides an alert information processing apparatus, where the alert information processing apparatus includes:
the acquiring module 10 is configured to acquire a plurality of pieces of alarm information to be processed.
As shown in Fig. 3, the overall flow of the alarm information processing system includes an alarm information rule matching module, an association rule calculation module, and a historical data preprocessing and grouping module. The alarm information to be processed is the actual alarm information currently acquired; it is processed through the text knowledge base to obtain result alarm information and reason alarm information, that is, the root cause problem is output and useless alarm information is masked.
The determining module 20 is configured to determine a target association relationship between the alarm information to be processed through a logical relationship table, where the logical relationship table includes an association relationship between the reason alarm information and the result alarm information.
It should be noted that each monitored host has monitoring items such as the central processing unit (CPU), disk, and traffic; each monitoring item may generate alarm records, and the monitoring items within each host may affect one another. Alarm information for the same monitoring item on different hosts is placed directly in one group, which can also be expressed as a relationship between hosts, so that rules for multiple monitoring items can be obtained between different hosts. Finally, the association rules between hosts are obtained by aggregating over the different monitoring items, which is more accurate.
The determining module 20 is further configured to determine current cause alarm information and current result alarm information in each alarm information to be processed according to the target association relationship.
It should be noted that the associated information is a causal relationship between historical cause alarm information and result alarm information mined according to the historical alarm information, and the cause alarm information and the result alarm information in each current alarm information can be obtained according to the mined causal relationship, so that the alarm information can be effectively positioned.
Fig. 4 is a flowchart of matching against the knowledge base in the actual environment: the alarm information in the actual environment is matched against the knowledge base one by one according to priority. If an association rule matches the alarm information, for example alarms A and B match a rule such as A-B, then alarm B can be masked and only the root cause problem A is reported. In this way the number of alarms is reduced, the root cause problem is exposed, troubleshooting is faster, and troubleshooting efficiency is improved.
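The preprocessing steps S101 to S103 and the priority-ordered knowledge-base matching of Fig. 4, as an added Python example that is not code from the patent. The rule format, the alarm and host names, the (host, alarm) duplicate key, and the guard against cyclic rules are assumptions of this example; it also follows chained rules so that only the root cause of a chain is reported.

```python
from datetime import datetime

# Constructed rule knowledge base: (priority, cause alarm, result alarm).
# A lower priority number is matched first.
RULES = [
    (1, "NET_DOWN", "DB_TIMEOUT"),
    (2, "DB_TIMEOUT", "API_5XX"),
]

# Constructed raw alarms (timestamp, host, alarm): unordered, with repeats.
RAW = [
    ("2024-01-01 10:00:07", "app-01", "API_5XX"),
    ("2024-01-01 10:00:01", "sw-01", "NET_DOWN"),
    ("2024-01-01 10:00:03", "db-01", "DB_TIMEOUT"),
    ("2024-01-01 10:00:03", "db-01", "DB_TIMEOUT"),
    ("2024-01-01 10:00:09", "app-02", "DISK_FULL"),
    ("2024-01-01 10:00:05", "db-01", "DB_TIMEOUT"),
]


def preprocess(raw):
    """Sort chronologically, then keep the first alarm per (host, alarm) pair."""
    fmt = "%Y-%m-%d %H:%M:%S"
    ordered = sorted(raw, key=lambda r: datetime.strptime(r[0], fmt))
    seen, out = set(), []
    for ts, host, alarm in ordered:
        if (host, alarm) not in seen:  # assumption: this pair defines a duplicate
            seen.add((host, alarm))
            out.append((ts, host, alarm))
    return out


def root_of(alarm, masked):
    """Follow result -> cause links until an unmasked (root cause) alarm."""
    while alarm in masked:
        alarm = masked[alarm]
    return alarm


def correlate(alarms, rules):
    """Return (reported alarms, {masked result alarm: its cause alarm})."""
    present = {alarm for _, _, alarm in alarms}
    masked = {}
    for _, cause, result in sorted(rules):  # priority order
        if cause not in present or result not in present or result in masked:
            continue
        if root_of(cause, masked) == result:
            continue  # cyclic rules: never mask the root of the cause's own chain
        masked[result] = cause
    reported = [a for a in alarms if a[2] not in masked]
    return reported, masked


if __name__ == "__main__":
    reported, masked = correlate(preprocess(RAW), RULES)
    print("reported:", reported)
    print("masked:", masked)
```

The masked map is returned rather than discarded, so each suppressed alarm stays traceable to the cause that suppressed it.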
According to the scheme, a plurality of pieces of alarm information to be processed are obtained; determining a target association relationship among alarm information to be processed through a logic relationship table, wherein the logic relationship table comprises association relationships between reason alarm information and result alarm information; and determining the current reason alarm information and the current result alarm information in each alarm information to be processed according to the target association relationship, so that the current reason alarm information and the current result alarm information can be accurately positioned through a logic relationship table according to the current alarm information, and the aim of improving the accuracy of alarm information processing is fulfilled.
The alarm information processing apparatus of the present invention adopts all technical solutions of all the above embodiments, so that the apparatus at least has all the beneficial effects brought by the technical solutions of the above embodiments, and details are not repeated herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order, but rather the words first, second, third, etc. are to be interpreted as names.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as a read-only memory, a RAM, a magnetic disk, and an optical disk), and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (11)

1. An alarm information processing method, characterized in that the alarm information processing method comprises the following steps:
acquiring a plurality of alarm information to be processed;
determining a target association relationship among alarm information to be processed through a logic relationship table, wherein the logic relationship table comprises association relationships between reason alarm information and result alarm information;
and determining current reason alarm information and current result alarm information in each alarm information to be processed according to the target association relation.
2. The method for processing alarm information according to claim 1, wherein after determining the current cause alarm information and the current result alarm information in each alarm information to be processed according to the target association relationship, the method further comprises:
and determining a target host corresponding to the current reason alarm information through an alarm relation table, and shielding the current result alarm information according to the target host, wherein the alarm relation table comprises the corresponding relation between the host and the alarm information.
3. The method for processing alarm information according to claim 2, wherein before the target host corresponding to the alarm information of the current reason is determined through an alarm relation table and the alarm information of the current result is masked according to the target host, the method for processing alarm information further comprises:
acquiring historical alarm information, and sequencing the historical alarm information according to time information of the historical alarm information to obtain reference alarm information;
acquiring host information corresponding to the reference alarm information, and grouping the reference alarm information through preset attribute information to obtain grouped alarm information related to the host information;
and constructing an alarm relation table according to the grouped alarm information.
4. The alarm information processing method of claim 3, wherein said constructing an alarm relationship table according to the group alarm information comprises:
selecting alarm item set information in a preset time from the grouped alarm information;
acquiring frequent item set information in the alarm item set information according to the support degree of the alarm item set information;
obtaining reference confidence information according to the frequent item set information, and generating alarm rule information according to the reference confidence information;
and combining the alarm rule information, and constructing an alarm relation table according to the combined alarm rule information.
5. The method for processing alarm information according to claim 4, wherein the obtaining frequent item set information in the alarm item set information according to the support degree of the alarm item set information includes:
acquiring occurrence probability information of each historical alarm information in the alarm item set information, and taking the occurrence probability information as a support degree;
and taking the alarm item set information corresponding to the support degree greater than the preset threshold value as frequent item set information.
6. The alarm information processing method of claim 4, wherein the obtaining of the reference confidence information according to the frequent item set information and the generating of the alarm rule information according to the reference confidence information includes:
obtaining reference confidence information according to historical alarm information in the frequent item set information, and obtaining promotion information among the historical alarm information in the frequent item set information;
adjusting the reference confidence information according to the promotion degree information to obtain target confidence information;
and generating alarm rule information according to the target confidence coefficient information.
7. The alarm information processing method of claim 4, wherein the obtaining of the reference confidence information according to the frequent item set information and the generating of the alarm rule information according to the reference confidence information includes:
obtaining reference confidence information according to the frequent item set information, and obtaining reference reason alarm information and reference result alarm information according to the reference confidence information;
adjusting the reference confidence information according to the reference probability information of the reference result alarm information and the common probability information of the reference reason alarm information and the reference result alarm information to obtain adjusted confidence information;
comparing the adjusted confidence information with reference confidence information, and adjusting the reference reason alarm information and the reference result alarm information according to the comparison result to obtain target reason alarm information and target result alarm information;
and generating alarm rule information according to the target reason alarm information and the target result alarm information.
8. The alarm information processing method according to any one of claims 1 to 7, wherein before the obtaining of the plurality of alarm information to be processed, the alarm information processing method further comprises:
acquiring initial alarm information;
sequencing the initial alarm information according to time sequence to obtain sequenced initial alarm information;
and removing the duplicate of the sequenced initial alarm information to obtain the original alarm information after the duplicate is removed, and taking the original alarm information after the duplicate is removed as the alarm information to be processed.
9. An alarm information processing apparatus characterized by comprising: memory, processor and an alert information handling program stored on the memory and executable on the processor, the alert information handling program when executed by the processor implementing the steps of the alert information handling method according to any of claims 1 to 8.
10. A storage medium having stored thereon an alert information processing program which, when executed by a processor, implements the steps of the alert information processing method according to any one of claims 1 to 8.
11. An alert information processing apparatus characterized by comprising:
the acquisition module is used for acquiring a plurality of pieces of alarm information to be processed;
the determining module is used for determining a target association relationship between the alarm information to be processed through a logic relationship table, wherein the logic relationship table comprises association relationships between reason alarm information and result alarm information;
the determining module is further configured to determine current cause alarm information and current result alarm information in each alarm information to be processed according to the target association relationship.
Application CN201911402452.1A, priority date 2019-12-27, filing date 2019-12-27: Alarm information processing method, equipment, storage medium and device. Status: Pending. Publication: CN113051308A (en)

Publications (1)

Publication Number Publication Date
CN113051308A (en) 2021-06-29

Family

ID=76507490


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210629