Alarm event analysis method, apparatus, device, medium, and program product

By constructing a relationship graph and calculating root cause scores, the problem of fault location in massive alarm information in cloud computing was solved, enabling rapid and accurate fault propagation path analysis and fault source identification, thus improving operation and maintenance efficiency.

CN122160236APending Publication Date: 2026-06-05INDUSTRIAL AND COMMERCIAL BANK OF CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INDUSTRIAL AND COMMERCIAL BANK OF CHINA
Filing Date
2026-02-26
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In cloud computing environments, existing technologies struggle to efficiently identify fault initiation nodes and propagation paths in order to effectively process massive amounts of alarm information and achieve clear global fault location and propagation path analysis.

Method used

By constructing a relational graph, generating a graph of nodes and edges using multi-source heterogeneous data, calculating the root cause score of alarm events, identifying the fault initiation node, and displaying the fault propagation path, efficient analysis is performed using multi-dimensional data association and graph algorithms.

Benefits of technology

It enables accurate location of massive alarm information and rapid identification of fault sources, reduces false alarm and missed alarm rates, greatly shortens fault troubleshooting time, and improves the efficiency of operation and maintenance decision-making.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160236A_ABST
    Figure CN122160236A_ABST
Patent Text Reader

Abstract

The application provides an alarm event analysis method, which can be applied to the field of cloud computing and specifically relates to the fields of system operation and maintenance and fault positioning. The method comprises the following steps: in response to detecting alarm information, adding the alarm information as a target node into a relationship graph, the relationship graph comprising a plurality of nodes and edges representing the relationship between each two nodes; taking the target node as a cluster member, determining a target alarm cluster corresponding to the alarm information from the relationship graph; determining a fault starting node and other alarm event nodes except the fault starting node according to the root cause score of each alarm event node in the target alarm cluster; determining a fault propagation path with the fault starting node as a starting point according to the root cause score of the other alarm event nodes and the relationship with the fault starting node; and displaying the fault propagation path in a preset display mode. The application also provides an alarm event analysis device, equipment, storage medium and program product.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of cloud computing, specifically to the fields of system operation and maintenance and fault location technology, and more specifically to an alarm event analysis method, apparatus, equipment, medium and program product. Background Technology

[0002] With the rapid development of cloud computing, big data, and artificial intelligence technologies, the scale and complexity of data centers are growing exponentially. Thousands upon thousands of servers, network devices, storage devices, and application software constitute numerous massive and complex systems. To ensure stable system operation, various monitoring systems generate massive amounts of alarm information. These alarms involve various departments and professions, from the infrastructure layer to the application layer. How to comprehensively and clearly handle these massive alarms is a pressing technical challenge that needs to be solved. Summary of the Invention

[0003] In view of the above problems, embodiments of this application provide an alarm event analysis method, apparatus, device, medium, and program product.

[0004] According to a first aspect of this application, an alarm event analysis method is provided, comprising: in response to detecting alarm information, adding the alarm information as a target node to a relation graph, the relation graph including multiple nodes and edges representing the relationships between pairs of nodes; determining a target alarm cluster corresponding to the alarm information from the relation graph, with the target node as a cluster member; determining a fault initiation node and other alarm event nodes other than the fault initiation node based on the root cause scores of each alarm event node in the target alarm cluster; determining a fault propagation path starting from the fault initiation node based on the root cause scores of the other alarm event nodes and their relationships with the fault initiation node; and displaying the fault propagation path in a preset display mode.

[0005] According to an embodiment of this application, the relationship graph is generated in the following manner: acquiring multi-source heterogeneous data, including alarm data, device configuration information, physical device acquisition data, time-series detection data, and fault module tracking data; cleaning and standardizing the multi-source heterogeneous data to obtain standard data; extracting at least one content entity from the standard data, including devices, modules, containers, interfaces, services, and alarm events; constructing a relationship graph with content entities as nodes and the relationships between content entities as edges, where the relationships include one of spatial relationships, temporal relationships, and logical relationships.

[0006] According to an embodiment of this application, the method further includes: calculating the event evaluation value of the alarm event node, the event evaluation value including alarm level evaluation value, map location evaluation value, time evaluation value and historical frequency evaluation value; and performing weighted summation calculation based on the event evaluation value and the corresponding evaluation value weight to obtain the root cause score of each alarm event node.

[0007] According to an embodiment of this application, calculating the event evaluation value of an alarm event node includes: determining the map location evaluation value based on the number of nodes connected to the alarm event node; determining the time evaluation value based on the difference between the event occurrence time corresponding to the alarm event node and the current time; and determining the historical frequency evaluation value based on the number of times the alarm event node has been identified as a fault initiation node.

[0008] According to an embodiment of this application, determining the target alarm cluster corresponding to the alarm information from the relationship graph includes: adding the nodes connected to the target node to the node cluster; deleting the last added node in response to the internal edge density and / or number of nodes of the node cluster not meeting the high cohesion condition; and determining the current node cluster as the target alarm cluster in response to the internal edge density and / or number of nodes of the node cluster meeting the high cohesion condition and there being no node outside the node cluster that meets the high cohesion condition.

[0009] According to embodiments of this application, satisfying the high cohesion condition includes: the internal edge density of the node cluster is greater than a preset density threshold; or the number of nodes in the node cluster is greater than a preset number threshold.

[0010] According to an embodiment of this application, displaying a fault propagation path in a preset display mode includes: determining at least one preset display mode based on the path type and fault type of the fault propagation path, wherein the preset display mode includes a propagation path diagram, a root cause tree diagram, and a fault timeline; and displaying the fault propagation path according to at least one preset display mode.

[0011] According to a second aspect of this application, an alarm event analysis device is provided, comprising: a node addition module, configured to add the alarm information as a target node to a relation graph in response to the detection of alarm information, the relation graph including multiple nodes and edges representing the relationships between pairs of nodes, the nodes including alarm event nodes and other entity nodes; a cluster determination module, configured to determine a target alarm cluster corresponding to the alarm information from the relation graph with the target node as a cluster member; a node determination module, configured to determine a fault initiation node based on the root cause scores of each alarm event node in the target alarm cluster; a path determination module, configured to determine a fault propagation path starting from the fault initiation node based on the root cause scores of other nodes in the target alarm cluster and their relationships with the initiation node; and a display module, configured to display the fault propagation path in a preset display mode.

[0012] According to a third aspect of this application, an electronic device is provided, comprising: one or more processors; and a memory for storing one or more computer programs, wherein the one or more processors execute the one or more computer programs to implement the steps of the method described above.

[0013] According to a fourth aspect of this application, a computer-readable storage medium is also provided, on which a computer program or instructions are stored, wherein the computer program or instructions, when executed by a processor, implement the steps of the above-described method.

[0014] According to a fifth aspect of this application, a computer program product is also provided, including a computer program or instructions that, when executed by a processor, implement the steps of the above-described method. Attached Figure Description

[0015] The above-mentioned contents, other objects, features and advantages of this application will become clearer from the following description of embodiments with reference to the accompanying drawings, in which:

[0016] Figure 1 The illustration shows an application scenario of the alarm event analysis method, apparatus, device, medium, and program product according to embodiments of this application;

[0017] Figure 2 A flowchart illustrating an alarm event analysis method according to an embodiment of this application is shown schematically.

[0018] Figure 3 A schematic diagram illustrating an alarm event analysis method according to an embodiment of this application is shown.

[0019] Figure 4 The illustration shows a fault propagation path according to an embodiment of this application;

[0020] Figure 5 This schematic diagram illustrates the structural block diagram of an alarm event analysis apparatus according to an embodiment of the present application;

[0021] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing an alarm event analysis method according to an embodiment of this application. Detailed Implementation

[0022] The embodiments of this application will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of this application. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of this application for ease of explanation. However, it will be apparent that one or more embodiments may be implemented without these specific details. Furthermore, descriptions of well-known structures and technologies are omitted in the following description to avoid unnecessarily obscuring the concepts of this application.

[0023] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of this application. The terms “comprising,” “including,” etc., as used herein indicate the presence of the stated features, steps, operations, and / or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.

[0024] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.

[0025] When using expressions such as "at least one of A, B and C", they should generally be interpreted in accordance with the meaning that is commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" should include, but is not limited to, a system having A alone, a system having B alone, a system having C alone, a system having A and B, a system having A and C, a system having B and C, and / or a system having A, B and C, etc.).

[0026] It should be noted that the alarm event analysis methods, apparatus, devices, storage media, and program products specified in this application relate to the application of cloud computing in the fintech field. They can be used in system operation and maintenance, fault location technology, and fintech technology fields, and can also be used in various other fields besides system operation and maintenance, fault location technology, and fintech technology fields. This application does not limit the application areas of the provided alarm event analysis methods, apparatus, devices, storage media, and program products.

[0027] In the technical solution of this application, the user information (including but not limited to user personal information, user image information, user device information, such as location information) and data (including but not limited to data used for analysis, stored data, and displayed data) involved are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, storage, use, processing, transmission, provision, disclosure, and application of related data all comply with relevant laws, regulations, and standards, take necessary confidentiality measures, do not violate public order and good morals, and provide corresponding operation entry points for users to choose to authorize or refuse.

[0028] Figure 1 The illustration schematically depicts application scenarios of the alarm event analysis method, apparatus, device, storage medium, and program product according to embodiments of this application. For example... Figure 1As shown, application scenario 100 according to an embodiment of this application may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 serves as a medium for providing a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired or wireless communication links or fiber optic cables. For example, a user can use the first terminal device 101, the second terminal device 102, and the third terminal device 103 to interact with the server 105 through the network 104 to receive or send information, etc.

[0029] The first terminal device 101, the second terminal device 102, and the third terminal device 103 can be electronic devices such as smartphones, wearable devices, personal computers, intelligent voice interaction devices, smart home appliances, intelligent vehicles, in-vehicle terminals, aircraft, unmanned vending terminals, and extended reality devices. Extended reality devices can include virtual reality devices, augmented reality devices, and mixed reality devices. A client application for the target application can be installed and run on the terminal devices. This target application can include, but is not limited to, financial transaction applications, payment applications, shopping applications, web browser applications, search applications, instant messaging tools, email clients, and social media platform software (these are just examples). Furthermore, this application embodiment does not limit the form of the target application, and it can include, but is not limited to, applications, mini-programs, etc., installed on the terminal devices, and can also be in the form of web pages.

[0030] Server 105 can be a server that provides various services, such as a backend management server that supports websites browsed by users using the first terminal device 101, the second terminal device 102, and the third terminal device 103 (this is just an example). The backend management server can detect alarm information generated by various components within the system in real time, add the alarm information to the correlation graph, perform root cause analysis, and after obtaining the fault propagation path, display the fault propagation path in a visual form on the first terminal device 101, the second terminal device 102, and the third terminal device 103, so that users can understand and further analyze the alarm events based on the first terminal device 101, the second terminal device 102, and the third terminal device 103.

[0031] It should be noted that the alarm event analysis method provided in this application embodiment can generally be executed by the server 105. Accordingly, the alarm event analysis device provided in this application embodiment can generally be set in the server 105.

[0032] It should be understood that Figure 1 The number of terminal devices, networks, and servers shown is merely illustrative. Depending on implementation needs, any number of terminal devices, networks, and servers can be included.

[0033] Figure 2 A flowchart illustrating an alarm event analysis method according to an embodiment of this application is shown schematically. Figure 2 As shown, the alarm event analysis method 200 according to the embodiments of this application may include steps S210 to S250.

[0034] In step S210, in response to the detection of alarm information, the alarm information is added as a target node to the relationship graph, which includes multiple nodes and edges representing the relationships between pairs of nodes.

[0035] Alarm information can be alarm events that may be generated by components such as servers, network devices, storage devices, and application software in a data processing system. A relationship graph can be used to construct a map showing the relationships between different alarm events and various components.

[0036] For example, an alarm message could be that the external hard drive is full. Adding the alarm message to a relationship graph allows you to connect the alarm message to a node representing the external hard drive. The edge between the alarm message and the external hard drive node represents their relationship: the external hard drive generated the alarm message at a specific time.

[0037] In step S220, the target alarm cluster corresponding to the alarm information is determined from the relationship graph, with the target node as a cluster member.

[0038] The target alarm cluster can be a cluster closely related to the target node. The cause of the alarm event on the target node can be determined based on the target alarm cluster. Other cluster members in the target alarm cluster can be nodes directly or indirectly connected to the target node.

[0039] In step S230, the fault initiation node and other alarm event nodes other than the fault initiation node are determined based on the root cause scores of each alarm event node in the target alarm cluster.

[0040] In a target alarm cluster, each alarm event node can be a series of faults caused by a single root cause event. The root cause score refers to the probability that each alarm event node is the root cause event. For example, the alarm event node with the highest root cause score can be considered the fault initiation node. Other alarm event nodes can be nodes in the target alarm cluster that have a direct or indirect relationship with the fault initiation node.

[0041] In step S240, based on the root cause scores of other alarm event nodes and their relationship with the fault initiation node, the fault propagation path starting from the fault initiation node is determined.

[0042] Based on the root cause scores of other alarm event nodes and / or the relationship between other alarm event nodes and the fault initiation node (such as the degree of influence), determine the fault propagation path caused by the alarm event corresponding to the fault initiation node.

[0043] In the embodiments of this application, one or more fault propagation paths can be generated by tracing back or forward from the node with the highest root cause score through shortest path analysis or influence propagation analysis. The starting point of the fault propagation path is the possible source of the fault, and other nodes on the fault propagation path can characterize the scope of the influence of the source of the fault.

[0044] For example, the alarm event node with the highest root cause score is taken as the fault initiation node, and the shortest path from the fault initiation node to other alarm event nodes is found based on the shortest path algorithm, thereby determining the fault propagation path.

[0045] For example, based on the influence propagation algorithm, the alarm event node with the highest root cause score is taken as the fault initiation node, and the influence of the fault initiation node on other alarm event nodes is evaluated to generate a root cause tree including multiple layers of alarm event nodes.

[0046] In step S250, the fault propagation path is displayed in a preset display mode.

[0047] By displaying the fault propagation path in a pre-defined manner, the fault propagation path can be presented to the user in a visual way, which can help the user confirm the fault and make decisions.

[0048] According to embodiments of this application, the system can dynamically adjust the association strategy and analysis logic based on real-time alarm information and the topological relationship between events. In the case of complex fault scenarios, it can transform the root cause analysis problem into a graph calculation problem, helping operation and maintenance personnel improve decision-making efficiency.

[0049] According to an embodiment of this application, the method further includes: calculating the event evaluation value of the alarm event node, the event evaluation value including alarm level evaluation value, map location evaluation value, time evaluation value and historical frequency evaluation value; and performing weighted summation calculation based on the event evaluation value and the corresponding evaluation value weight to obtain the root cause score of each alarm event node.

[0050] According to an embodiment of this application, calculating the event evaluation value of an alarm event node includes: determining the map location evaluation value based on the number of nodes connected to the alarm event node; determining the time evaluation value based on the difference between the event occurrence time corresponding to the alarm event node and the current time; and determining the historical frequency evaluation value based on the number of times the alarm event node has been identified as a fault initiation node.

[0051] The root cause score is a comprehensive evaluation value that takes into account factors such as the event severity, centrality in the network, time urgency, and likelihood of historical root causes of the alarm event. The root cause score can be determined using the following formula (1):

[0052] Root cause score = Alarm level score + Map location score + Time score + Historical frequency score (1)

[0053] Among them, the alarm level score is obtained by multiplying the alarm level evaluation value by the weight value corresponding to the alarm level; the map location score is obtained by multiplying the map location evaluation value by the weight value corresponding to the map location; the time score is obtained by multiplying the time evaluation value by the weight value corresponding to the time factor; and the historical frequency score is obtained by multiplying the historical frequency evaluation value by the weight value corresponding to the historical frequency.

[0054] Alarm levels can be used to characterize the severity of alarm events (e.g., urgent, important, minor), and different alarm levels can be assigned different evaluation values.

[0055] For example, alarm event A has an alarm level of S, indicating an urgent alarm event, and its alarm level evaluation value can be set to 10. Alarm event B has an alarm level of A, indicating a significant alarm event, and its alarm level evaluation value can be set to 5. Alarm event C has an alarm level of B, indicating a minor alarm event, and its alarm level evaluation value can be set to 1.

[0056] Graph position evaluation values ​​can be used to characterize whether an alarm event node is closer to the center of the relation graph. For example, graph position evaluation values ​​can be the degree centrality or betweenness centrality of an alarm event node.

[0057] The time evaluation value can be used to characterize how long the time since the alarm event occurred is relative to the current time. If the time since the alarm event occurred is too long, a higher time evaluation value can be determined.

[0058] Historical frequency assessment value can refer to the number of times an event has been a root cause in historical data. If an alarm event node frequently appears as a root cause node in the historical fault propagation path, a high historical frequency assessment value can be determined.

[0059] According to the embodiments of this application, by considering factors such as alarm level, map center, time urgency and frequency of historical root causes, the root cause influence of each node is comprehensively determined, providing a clear basis for judgment and interpretability for fault propagation paths.

[0060] According to an embodiment of this application, determining the target alarm cluster corresponding to the alarm information from the relationship graph includes: adding the nodes connected to the target node to the node cluster; deleting the last added node in response to the internal edge density and / or number of nodes of the node cluster not meeting the high cohesion condition; and determining the current node cluster as the target alarm cluster in response to the internal edge density and / or number of nodes of the node cluster meeting the high cohesion condition and there being no node outside the node cluster that meets the high cohesion condition.

[0061] A node cluster can be an initial cluster established with the target node as a member. Other nodes are added to the initial cluster, and then the internal edge density and / or number of nodes in the cluster are calculated to determine if they meet the high cohesion condition. If they do, the newly added node is retained; otherwise, it is deleted. This process continuously determines whether newly added nodes belong to the cluster. After traversing the nodes in the relationship graph, the target alarm cluster that meets the high cohesion condition can be obtained.

[0062] For example, the initial cluster includes the target node and nodes A, B, and C. When adding node D, the internal edge density and / or number of nodes in the node cluster are calculated. If the calculation results determine that the node cluster does not meet the high cohesion condition, node D is deleted, and node E is added to the node cluster. The internal edge density and / or number of nodes in the node cluster are then calculated again. If the calculation results determine that the node cluster meets the high cohesion condition, node E is retained.

[0063] According to embodiments of this application, satisfying the high cohesion condition includes: the internal edge density of the node cluster is greater than a preset density threshold; or the number of nodes in the node cluster is greater than a preset number threshold.

[0064] In the embodiments of this application, for example, a target alarm cluster can be established by a community discovery method. The criterion for determining that the target alarm cluster is a high-internal-cluster cluster is that the internal edge density of the node cluster is greater than a preset density threshold.

[0065] For example, a target alarm cluster can be established using a graph clustering algorithm. The criterion for determining whether a target alarm cluster is a high-internal cluster is that the number of nodes in the node cluster is greater than a preset threshold.

[0066] According to the embodiments of this application, by using multi-dimensional data association and graph algorithm calculation, it is possible to penetrate the appearance of alarm events, transform the complex root cause analysis problem into an efficient graph calculation problem, accurately locate the fault node and the source of the fault, significantly reduce the false alarm and false alarm rates, and complete the analysis and convergence of massive alarms within seconds and minutes, greatly shortening the fault troubleshooting time.

[0067] Figure 3 A schematic diagram of an alarm event analysis method according to an embodiment of this application is shown.

[0068] According to an embodiment of this application, the relationship graph is generated in the following manner: acquiring multi-source heterogeneous data, including alarm data, device configuration information, physical device acquisition data, time-series detection data, and fault module tracking data; cleaning and standardizing the multi-source heterogeneous data to obtain standard data; extracting at least one content entity from the standard data, including devices, modules, containers, interfaces, services, and alarm events; constructing a relationship graph with content entities as nodes and the relationships between content entities as edges, where the relationships include one of spatial relationships, temporal relationships, and logical relationships.

[0069] like Figure 3 As shown, the multi-source heterogeneous data can include data obtained from the multi-source heterogeneous database 310. The multi-source heterogeneous database 310 can include data obtained from various data sources such as the monitoring system 311, the log system 312, the link tracing system 313, the configuration management database 314, and physical devices 315. Specifically, alarm data can be obtained through the monitoring system 311, device configuration information can be obtained through the configuration management database 314, data collected by physical devices can be obtained through physical devices 315, time-series detection data can be obtained through the log system 312, and fault module tracing data can be obtained through the link tracing system 313.

[0070] Multi-source heterogeneous data is collected by the multi-source data acquisition module 320 and input into the standardization module 331 of the analysis layer 330. This standardization module cleans, formats, and standardizes the multi-source heterogeneous data, resulting in time-series data and graph data stored in a unified format in the graph database 340. The graph construction module 332 extracts content entities from the time-series and graph data to construct a graph, resulting in a relational graph that integrates time, space, and logical dimensions. Content entities can include devices, modules, containers, interfaces, services, alarm events, etc., with edges representing the relationships between entities.

[0071] For example, the relationships between entities can be "occurred at XXX time", "deployed on XXX host", "called by XXX", "depends on XXX service", or "located in XXX rack".

[0072] Upon receiving a new alarm message, the root cause analysis module 333 can be used to add the alarm message as a target node to the relationship graph and calculate the fault propagation path including the target node. The result display module 350 then visualizes the fault propagation path obtained by the root cause analysis module 333.

[0073] Next, combined Figure 4 The visualization of the fault propagation path in this application is further explained.

[0074] According to an embodiment of this application, displaying a fault propagation path in a preset display mode includes: determining at least one preset display mode based on the path type and fault type of the fault propagation path, wherein the preset display mode includes a propagation path diagram, a root cause tree diagram, and a fault timeline; and displaying the fault propagation path according to at least one preset display mode.

[0075] Figure 4 The diagram illustrates a fault propagation path according to an embodiment of this application. Figure 4 The fault propagation path is shown using a root cause tree diagram as the default display method.

[0076] like Figure 4 As shown, root cause event 410 includes the alarm event of host CPU utilization rising to 95%. Directly affected nodes 420, connected to root cause event 410, refer to the nodes directly affected by the root cause event. Directly affected nodes 420 include three nodes, with corresponding alarm events of payment service timeout, excessive system load, and power exceeding limit for line-head cabinet branch 2. Further impacts caused by directly affected nodes 420 can be categorized into secondary impact events 430 and business impact events 440 based on their impact type.

[0077] Based on the alarm event "Payment service response timeout" in directly affected node 420, the identified business impact 440 includes a decrease in payment success rate and resulting degraded user experience. The identified secondary impact event 430 based on the alarm event "Payment service response timeout" in directly affected node 420 includes internal server errors and service call failures. The identified secondary impact event 430 based on the alarm events "System overload" and "Power of rack branch 2 exceeds limit" in directly affected node 420 includes increased rack temperature.

[0078] According to the embodiments of this application, the fault propagation path is presented to the user in an intuitive and clear way using fault propagation trees, timeline views, etc., which can help operation and maintenance personnel quickly establish a global understanding and improve decision-making efficiency.

[0079] Based on the above alarm event analysis method, embodiments of this application also provide an alarm event analysis device. The following will be combined with... Figure 5 The device is described in detail.

[0080] Figure 5 A schematic block diagram of an alarm event analysis apparatus according to an embodiment of this application is shown.

[0081] like Figure 5 As shown, the alarm event analysis device 500 of this embodiment includes a node addition module 510, a cluster determination module 520, a node determination module 530, a path determination module 540, and a display module 550.

[0082] The node addition module 510 is used to add the alarm information as a target node to the relationship graph in response to the detection of alarm information. The relationship graph includes multiple nodes and edges representing the relationships between pairs of nodes. The nodes include alarm event nodes and other entity nodes. In one embodiment, the node addition module 510 can be used to perform step S210 described above, which will not be repeated here.

[0083] The cluster determination module 520 is used to determine the target alarm cluster corresponding to the alarm information from the relationship graph, with the target node as a cluster member. In one embodiment, the cluster determination module 520 can be used to execute the step S220 described above, which will not be repeated here.

[0084] The node determination module 530 is used to determine the fault initiation node based on the root cause score of each alarm event node in the target alarm cluster. In one embodiment, the node determination module 530 can be used to execute the step S530 described above, which will not be repeated here.

[0085] The path determination module 540 is used to determine the fault propagation path starting from the fault initiation node based on the root cause scores of other nodes in the target alarm cluster and their relationship with the initiating node. In one embodiment, the path determination module 540 can be used to execute step S240 described above, which will not be repeated here.

[0086] The display module 550 is used to display the fault propagation path in a preset display mode. In one embodiment, the display module 550 can be used to execute the step S250 described above, which will not be repeated here.

[0087] According to embodiments of this application, the relationship graph is generated through the following modules: An acquisition module, used to acquire multi-source heterogeneous data, including alarm data, device configuration information, physical device acquisition data, time-series detection data, and fault module tracking data. A standardization module, used to clean and standardize the multi-source heterogeneous data to obtain standard data. An entity extraction module, used to extract at least one content entity from the standard data, including devices, modules, containers, interfaces, services, and alarm events. A construction module, used to construct the relationship graph with content entities as nodes and the relationships between content entities as edges, where the relationships include spatial relationships, temporal relationships, and logical relationships.

[0088] According to an embodiment of this application, the alarm event analysis device 500 further includes an evaluation value calculation module and a weighting module. The evaluation value calculation module is used to calculate the event evaluation value of the alarm event node, which includes an alarm level evaluation value, a map location evaluation value, a time evaluation value, and a historical frequency evaluation value. The weighting module is used to perform a weighted summation calculation based on the event evaluation value and its corresponding evaluation value weight to obtain the root cause score of each alarm event node.

[0089] According to an embodiment of this application, the evaluation value calculation module includes a first determination submodule, a second determination submodule, and a third determination submodule. The first determination submodule is used to determine the map location evaluation value based on the number of nodes connected to the alarm event node. The second determination submodule is used to determine the time evaluation value based on the difference between the event occurrence time corresponding to the alarm event node and the current time. The third determination submodule is used to determine the historical frequency evaluation value based on the number of times the alarm event node has been identified as a fault initiation node.

[0090] According to an embodiment of this application, the cluster determination module 520 includes a node addition submodule, a deletion submodule, and a cluster determination submodule. The node addition submodule is used to add nodes connected to the target node to the node cluster. The deletion submodule is used to delete the last added node in response to the node cluster's internal edge density and / or number of nodes not meeting the high cohesion condition. The cluster determination submodule is used to determine the current node cluster as the target alarm cluster in response to the node cluster's internal edge density and / or number of nodes meeting the high cohesion condition, and the absence of any nodes outside the node cluster that meet the high cohesion condition.

[0091] According to embodiments of this application, satisfying the high cohesion condition includes: the internal edge density of the node cluster is greater than a preset density threshold; or the number of nodes in the node cluster is greater than a preset number threshold.

[0092] According to an embodiment of this application, the display module 550 includes a type determination submodule and a display submodule. The type determination submodule is used to determine at least one preset display method based on the path type and fault type of the fault propagation path. The preset display methods include a propagation path diagram, a root cause tree diagram, and a fault timeline. The display submodule is used to display the fault propagation path according to at least one preset display method.

[0093] Any plurality of modules among node addition module 510, cluster determination module 520, node determination module 530, path determination module 540, and display module 550 can be merged into one module, or any one of these modules can be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules can be combined with at least part of the functionality of other modules and implemented in one module. According to embodiments of this application, at least one of node addition module 510, cluster determination module 520, node determination module 530, path determination module 540, and display module 550 can be at least partially implemented as hardware circuitry, such as field-programmable gate arrays, programmable logic arrays, systems-on-a-chip, systems-on-a-substrate, systems-on-package, application-specific integrated circuits, or any other reasonable means of integrating or packaging circuitry, or implemented in software, hardware, or firmware, or in any one of the three implementation methods, or in a suitable combination of any of them. Alternatively, at least one of the node addition module 510, cluster determination module 520, node determination module 530, path determination module 540, and display module 550 may be implemented at least partially as a computer program module, which can perform corresponding functions when the computer program module is run.

[0094] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing an alarm event analysis method according to an embodiment of this application.

[0095] like Figure 6 As shown, an electronic device 600 according to an embodiment of this application includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory 602 or a program loaded from a storage portion 608 into a random access memory 603. The processor 601 may include, for example, a general-purpose microprocessor, an instruction set processor and / or an associated chipset and / or a dedicated microprocessor. The processor 601 may also include onboard memory for caching purposes. The processor 601 may include a single processing unit or multiple processing units for executing different steps of the method flow according to an embodiment of this application.

[0096] Random access memory 603 stores various programs and data required for the operation of electronic device 600. Processor 601, read-only memory 602, and random access memory 603 are interconnected via bus 604. Processor 601 executes various steps of the method flow according to embodiments of this application by executing programs in read-only memory 602 and / or random access memory 603. It should be noted that the programs may also be stored in one or more memories other than read-only memory 602 and random access memory 603. Processor 601 may also execute various steps of the method flow according to embodiments of this application by executing programs stored in said one or more memories.

[0097] According to embodiments of this application, the electronic device 600 may further include an input / output interface 605, which is also connected to a bus 604. The electronic device 600 may also include one or more of the following components connected to the input / output interface 605: an input section 606 including a keyboard, mouse, etc.; an output section 607 including a cathode ray tube, liquid crystal display, etc., and a speaker, etc.; a storage section 608 including a hard disk, etc.; and a communication section 609 including a network interface card, such as a local area network card, modem, etc. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the input / output interface 605 as needed. A removable medium 611, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 610 as needed so that computer programs read from it can be installed into the storage section 608 as needed.

[0098] Embodiments of this application also provide a computer-readable storage medium, which may be included in the device / apparatus / system described in the above embodiments; or it may exist independently and not assembled into the device / apparatus / system. The computer-readable storage medium carries one or more programs, which, when executed, implement the method according to the embodiments of this application.

[0099] According to embodiments of this application, the computer-readable storage medium can be a non-volatile computer-readable storage medium, such as including but not limited to: portable computer disks, hard disks, random access memory, read-only memory, erasable programmable read-only memory, portable compact disk read-only memory, optical storage devices, magnetic storage devices, or any suitable combination thereof. In embodiments of this application, the computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. For example, according to embodiments of this application, the computer-readable storage medium may include the read-only memory 602 described above, and / or random access memory 603, and / or one or more memories other than read-only memory 602 and random access memory 603.

[0100] Embodiments of this application also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowchart. When the computer program product is run on a computer system, the program code is used to cause the computer system to implement the methods provided in the embodiments of this application.

[0101] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and / or installed from the removable medium 611. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.

[0102] In embodiments of this application, the computer program can be downloaded and installed from a network via communication section 609, and / or installed from removable medium 611. When the computer program is executed by processor 601, it performs the functions defined in the system of embodiments of this application. According to embodiments of this application, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0103] According to embodiments of this application, program code for executing the computer programs provided in the embodiments of this application can be written in any combination of one or more programming languages. Specifically, these computational programs can be implemented using high-level procedural and / or object-oriented programming languages, and / or assembly / machine languages. The program code can be executed entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0104] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0105] Those skilled in the art will understand that the features described in the various embodiments of this application can be combined and / or combined in various ways, even if such combinations or combinations are not explicitly described in this application. In particular, the features described in the various embodiments of this application can be combined and / or combined in various ways without departing from the spirit and teachings of this application. All such combinations and / or combinations fall within the scope of this application.

Claims

1. An alarm event analysis method, comprising: In response to the detection of alarm information, the alarm information is added as a target node to the relationship graph, which includes multiple nodes and edges representing the relationships between pairs of nodes; Using the target node as a cluster member, determine the target alarm cluster corresponding to the alarm information from the relationship graph; Based on the root cause scores of each alarm event node in the target alarm cluster, determine the fault initiation node and other alarm event nodes besides the fault initiation node; Based on the root cause scores of the other alarm event nodes and their relationship with the fault initiation node, determine the fault propagation path starting from the fault initiation node; The fault propagation path is displayed in a preset display mode.

2. The method according to claim 1, characterized in that, The relationship graph is generated in the following way: Acquire multi-source heterogeneous data, including alarm data, device configuration information, physical device acquisition data, time-series detection data, and fault module tracking data; Standard data is obtained by cleaning and standardizing the multi-source heterogeneous data; Extract at least one content entity from the standard data, the content entity including device, module, container, interface, service, alarm event; Using the content entities as nodes and the relationships between the content entities as edges, a relationship graph is constructed, wherein the relationships include one of spatial relationships, temporal relationships, and logical relationships.

3. The method according to claim 1, characterized in that, The method further includes: Calculate the event evaluation value of the alarm event node, which includes alarm level evaluation value, map location evaluation value, time evaluation value, and historical frequency evaluation value; The root cause score of each alarm event node is obtained by weighted summation based on the event evaluation value and the corresponding evaluation value weight.

4. The method according to claim 3, characterized in that, The calculation of the event evaluation value of the alarm event node includes: The map location evaluation value is determined based on the number of nodes connected to the alarm event node; The time evaluation value is determined based on the difference between the event occurrence time corresponding to the alarm event node and the current time; The historical frequency evaluation value is determined based on the number of times the alarm event node is identified as the fault initiation node.

5. The method according to claim 1, characterized in that, The step of determining the target alarm cluster corresponding to the alarm information from the relationship graph includes: Add the node connected to the target node to the node cluster; If the internal edge density and / or number of nodes in the node cluster do not meet the high cohesion condition, the last node added is deleted. If the internal edge density and / or number of nodes of the node cluster meet the high cohesion condition, and there are no nodes outside the node cluster that meet the high cohesion condition, the current node cluster is determined as the target alarm cluster.

6. The method according to claim 5, characterized in that, The conditions for satisfying high cohesion include: The internal edge density of the node cluster is greater than a preset density threshold; or The number of nodes in the node cluster is greater than a preset threshold.

7. The method according to claim 1, characterized in that, The method of displaying the fault propagation path in a preset display mode includes: Based on the path type and fault type of the fault propagation path, at least one preset display method is determined, and the preset display method includes a propagation path diagram, a root cause tree diagram, and a fault timeline. The fault propagation path is displayed according to at least one preset display method.

8. An alarm event analysis device, comprising: A node addition module is used to add the alarm information as a target node to a relationship graph in response to the detection of alarm information. The relationship graph includes multiple nodes and edges representing the relationships between pairs of nodes. The nodes include alarm event nodes and other entity nodes. The cluster determination module is used to determine the target alarm cluster corresponding to the alarm information from the relationship graph, with the target node as a cluster member; The node determination module is used to determine the fault initiation node based on the root cause score of each alarm event node in the target alarm cluster. The path determination module is used to determine the fault propagation path starting from the fault initiation node based on the root cause scores of other nodes in the target alarm cluster and their relationship with the initiation node. The display module is used to display the fault propagation path in a preset display mode.

9. An electronic device, comprising: One or more processors; Memory, used to store one or more computer programs. The characteristic feature is that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1 to 7.

10. A computer-readable storage medium having a computer program or instructions stored thereon, characterized in that, When the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 7.

11. A computer program product, comprising a computer program or instructions, characterized in that, When the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 7.