CN117290133A - Abnormal event processing method, electronic device and storage medium - Google Patents

Abstract

The embodiment of the invention discloses an abnormal event processing method, electronic equipment and a storage medium, wherein the abnormal event processing method comprises the following steps: acquiring a plurality of abnormal events of a target position in a preset time period, wherein the abnormal events comprise at least one of alarms, key performance index anomalies and operation logs; determining an aggregation point in the abnormal event; and polymerizing according to the polymerization point and the abnormal event to obtain a polymerization result. The embodiment of the invention can carry out aggregation according to the aggregation point, the obtained aggregation result can carry out root cause analysis, and because a plurality of abnormal events are acquired in a period of time, the abnormal events required by the previous aggregation can be carried out to the time node of the aggregation point according to the time node, the position and the like of the aggregation point during aggregation, so that the embodiment of the invention can realize bidirectional aggregation during aggregation, aggregate other events which are possibly the root cause of the fault, improve the aggregation capability of a data source and improve the fault operation and maintenance level.

Description

Abnormal event handling methods, electronic equipment and storage media

Technical field

The present invention relates to but is not limited to the field of communication technology, and in particular, to an abnormal event processing method, electronic equipment and storage media.

Background technique

With the development of mobile communication technology, network complexity, application diversity, and data explosion have led to increasing requirements for intelligent operation and maintenance. Aggregating relevant streaming data and then analyzing it is the main means to identify the root cause of a fault. However, in related technologies, when aggregating data sources, it is often only possible to aggregate the alarms after the alarms occur first. , if the alarm is triggered by some operation in advance, such aggregation cannot clarify the root cause of the fault, so the aggregation capability is low, resulting in low fault operation and maintenance levels.

Contents of the invention

Embodiments of the present invention provide an abnormal event processing method, an electronic device, and a storage medium to realize bidirectional aggregation, which can improve the aggregation capability of data sources and improve the level of fault operation and maintenance.

In a first aspect, embodiments of the present invention provide an abnormal event processing method. The method includes: acquiring multiple abnormal events at a target location within a preset time period. The abnormal events include alarms, key performance indicator exceptions, and operation At least one of the logs; determining an aggregation point in the abnormal event; performing aggregation according to the aggregation point and the abnormal event to obtain an aggregation result.

In a second aspect, an embodiment of the present invention provides an electronic device, including: a memory and a processor. The memory stores a computer program. When the processor executes the computer program, it implements the steps in the first embodiment of the present invention. Any of the above exception event handling methods.

In a third aspect, embodiments of the present invention provide a computer-readable storage medium, the storage medium stores a program, and the program is executed by a processor to implement an exception as described in any one of the embodiments of the first aspect of the present invention. Event handling methods.

Embodiments of the present invention at least include the following beneficial effects: the abnormal event processing method, electronic device and storage medium in the embodiment of the present invention, by executing the abnormal event processing method, can continuously obtain multiple abnormal events at the target location within a preset period of time. , the target location is a link, a network element or a computer room in space. Abnormal events include at least one of alarms, key performance indicator exceptions and operation logs. This enables the acquisition of multiple data sources, and then determines the aggregation in the abnormal events. point, the aggregation point can be any one of the calibrated abnormal events. During aggregation, the embodiment of the present invention can perform aggregation based on the aggregation point, and perform aggregation based on the aggregation point and the abnormal event to obtain an aggregation result for root cause analysis. It is a plurality of abnormal events obtained within a period of time. During aggregation, the required abnormal events can be aggregated to the time node of the aggregation point according to the time node and location of the aggregation point, so that the embodiment of the present invention can When aggregating, not only backward aggregation can be performed, but also forward aggregation can be performed to aggregate other events that may be the root cause of the fault to achieve two-way aggregation, which can improve the aggregation capabilities of data sources and improve the level of fault operation and maintenance.

Description of drawings

Figure 1 is a schematic flowchart of an abnormal event processing method provided by an embodiment of the present invention;

Figure 2 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 3 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 4 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 5 is a schematic diagram of a target cache area provided by an embodiment of the present invention;

Figure 6 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 7 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 8 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 9 is a schematic diagram of forward and backward bidirectional aggregation using communication exceptions as aggregation points according to an embodiment of the present invention;

Figure 10 is a schematic diagram of forward and backward bidirectional aggregation using network unreachable alarms as aggregation points according to an embodiment of the present invention;

Figure 11 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 12 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 13 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 14 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 15 is a schematic flowchart of an abnormal event processing method provided by another embodiment of the present invention;

Figure 16 is a schematic diagram of an electronic device provided by an embodiment of the present invention.

Detailed ways

In order to make the purpose, technical solutions and advantages of the present invention more clear, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit the present invention.

In the description of the present invention, it should be understood that orientation descriptions, such as up, down, front, back, left, right, etc., are based on the orientation or position relationships shown in the drawings and are only In order to facilitate the description of the present invention and simplify the description, it is not intended to indicate or imply that the device or element referred to must have a specific orientation, be constructed and operated in a specific orientation, and therefore should not be construed as limiting the embodiments of the present invention.

It should be understood that in the description of the embodiments of the present invention, several means one or more, plural (or multiple) means two or more, greater than, less than, more than, etc. are understood to exclude the number, above, below, within etc. shall be understood as including the original number. If there are descriptions of "first", "second", etc., they are only used for the purpose of distinguishing technical features and cannot be understood as indicating or implying the relative importance or implicitly indicating the number of technical features indicated or implicitly indicating the indicated technical features. The sequence relationship of technical features.

In the description of the embodiments of the present invention, unless otherwise explicitly limited, words such as setting, installation, and connection should be understood in a broad sense. Those skilled in the art can reasonably determine the meaning of the above words in the embodiments of the present invention based on the specific content of the technical solution. specific meaning.

With the continuous advancement and development of 5G new infrastructure, network complexity, application diversity, and data explosion, operators and equipment vendors are facing increasing challenges in automation and intelligence in the aspects of "planning, construction, maintenance, and operation" of autonomous networks (Autonomous Networks). The demand for automation is increasing day by day. Among them, "dimension" refers to operation and maintenance, which focuses on fault handling. The positioning of faults has evolved from the aggregation analysis and positioning of a single alarm data source to multiple data sources, such as logs, key performance indicators (Key Performance). Indicator, KPI) and alarm aggregate analysis.

Aggregation analysis refers to aggregating relevant streaming data and then analyzing to identify the root cause of the fault. Aggregation has two dimensions: time and space. This is also the so-called spatio-temporal aggregation. Aggregation in the spatial dimension can use topological resource correlation, such as related data of the same network element, the same link, and the same computer room; aggregation in the time dimension, that is, related data is aggregated within a certain time range, which is similar to aggregation in the spatial dimension. Differently, aggregation of the time dimension is relatively difficult, mainly because the time range is not easy to determine.

For example, in a spatial dimension, within a certain time window, alarm A leads to alarm B. Operators and equipment vendors have formed some rules based on the statistical experience of historical data. The following is an example of three rules. The basic format of the rules can be for:

1) The first rule is that in the same network element, in a 5-minute window, if the remote radio unit (RRU) link high bit error rate alarm and the optical module receiving optical power abnormality occur at the same time, it is considered that their two alarms can be aggregated ;

1) The second rule is that in the same network element, in a 10-minute window, if the optical module receives optical power abnormality and the RRU link down alarm occurs at the same time, it is considered that the two alarms can be aggregated;

2) The third rule is that for the same network element, in a 15-minute window, if the RRU link disconnection alarm and the distributed unit (DistributedUnit, DU) cell outage alarm are considered, the two alarms can be aggregated.

Based on the above rules, it is necessary to aggregate RRU link high bit error rate alarms, optical module received optical power abnormality alarms, RRU link disconnection alarms and DU cell outage alarms in the space and time dimension, and finally find out that the root cause is RRU The DU cell is out of service due to high link error rate.

The applicant found that in the related technology, the time in the time dimension is difficult to determine, and the design idea of requiring time steps cannot be determined by the maximum time of 15 minutes for several rules, nor can it be determined by the sum of the times of all relevant rules. OK, not only that, but there is also a key dependency, that is, the time dimension completely relies on backward judgment, that is, the occurrence of alarm A causes the occurrence of alarm B, then the occurrence time of alarm A will be before the occurrence of alarm B, then the occurrence of alarm A Then predict the time when alarm B occurs.

The applicant found that aggregation in this case would have many problems. In this case, the alarm occurrence time may be different, and the B alarm may even be before the A alarm, and multiple data sources cannot be aggregated, because if Only alarms and key performance indicators are abnormal. Relatively speaking, it is easy to determine the time when the exception occurs, that is, there is a clear abnormal data source. If the alarm causes the key performance indicator to deteriorate or be abnormal, then the alarm occurs first and the alarm is aggregated later. But if it is a certain A certain operation causes a related alarm. For example, the log of a certain operation is before the alarm, which is inconvenient to aggregate backwards. Since the log is inconvenient to clearly identify abnormalities, it cannot be perceived immediately. It is often after an alarm or key performance indicator is abnormal, and then go forward. Looking back at relevant logs, such as memory leaks and other faults, means that memory leaks or leak trends have been discovered, and then looking back at relevant logs is a post-event aggregation.

Therefore, the solutions in related technologies have technical flaws. If the alarm is triggered by some operation before the alarm, such aggregation cannot clarify the root cause of the fault. Therefore, the aggregation capability is low, resulting in low fault operation and maintenance levels.

Based on this, embodiments of the present invention provide an abnormal event processing method, electronic device and storage medium, which can realize two-way aggregation, improve the aggregation capability of data sources, and improve the level of fault operation and maintenance.

Detailed explanation below.

An embodiment of the present invention provides an abnormal event processing method. Referring to FIG. 1 , the abnormal event processing method in the embodiment of the present invention includes but is not limited to steps S101 to S103.

Step S101: Obtain multiple abnormal events at the target location within a preset time period. The abnormal events include at least one of alarms, key performance indicator abnormalities, and operation logs.

Step S102: Determine the aggregation point in abnormal events.

Step S103: Aggregate based on aggregation points and abnormal events to obtain aggregation results.

In one embodiment, the abnormal event processing method in the embodiment of the present invention can be applied in communication equipment. By executing the abnormal event processing method, two-way aggregation can be achieved, the aggregation capability of data sources can be improved, and the level of fault operation and maintenance can be improved. Specifically, in the embodiment of the present invention, multiple abnormal events at the target location can be obtained within a preset time period, and the aggregation point is determined among the obtained abnormal events. The abnormal events include alarms, key performance indicator (KPI) exceptions and operation At least one of the logs. In one embodiment, the abnormal events include one of alarms or key performance indicator exceptions, and also include operation logs. Alternatively, in another embodiment, the abnormal events include alarms, key performance indicator exceptions. Indicator anomalies and operation logs are described in the embodiment of the present invention by taking the above three as an example. The aggregation point is a point set according to the aggregation needs, and the specific type of the aggregation point can be specified through configuration.

The embodiment of the present invention performs aggregation based on aggregation points and abnormal events to obtain aggregation results. It can be understood that the aggregation point is one or more of many abnormal events. Since abnormal events are continuously acquired within a preset time period, Therefore, the time of the aggregation point is in the middle of the preset time period. It can be understood that the aggregation of the aggregation point can contain multiple abnormal events before and after the acquisition time of the aggregation point. The abnormal events at these times before and after can be alarms. , at least one of key performance indicator anomalies and operation logs. Therefore, in the embodiment of the present invention, when an alarm or key performance indicator anomaly is triggered in advance due to some operation before the aggregation point, it can be aggregated before and after the aggregation point. The data obtained, the aggregation results can be used to clarify the root cause of the fault and achieve two-way aggregation, which can improve the aggregation capabilities of the data source and improve the level of fault operation and maintenance.

It should be noted that the preset time period in the embodiment of the present invention can be set according to actual operation and maintenance needs. For example, the preset time period can be 20 minutes, 1 hour, 4 hours or longer. From the preset time period Starting from the starting time, the embodiment of the present invention can start to obtain abnormal events as data sources, including obtaining at least one of alarms, key performance indicator exceptions and operation logs, to achieve the acquisition of multiple data sources. In the embodiment of the present invention, the predetermined The data source is obtained within a set time period. By setting the length of the preset time period, the aggregation time can be clarified in the time dimension.

It should be noted that the target location in the embodiment of the present invention is a location in the spatial dimension. For example, the target location can be a network element, a computer room or a link. Through the final aggregation result, after aggregation analysis The root cause of the fault of the network element, computer room or link can be obtained.

Referring to FIG. 2 , in an embodiment, the above step S101 may also include but is not limited to step S201 and step S202.

Step S201: Create multiple time buckets in the target cache area according to the total duration of the preset time period. The time buckets are composed of timestamp intervals. The duration of each time bucket is the same and the time of two adjacent time buckets is continuous.

Step S202: Continuously acquire multiple abnormal events at the target location and cache them in the time bucket corresponding to the acquisition time of each abnormal event.

In one embodiment, the embodiment of the present invention realizes the caching method of abnormal events by setting time buckets. Specifically, the embodiment of the present invention establishes multiple time buckets in the target cache area according to the total duration of the preset time period. Time buckets are composed of timestamp intervals. The duration of each time bucket is the same and the time of two adjacent time buckets is continuous. When multiple abnormal events at the target location are continuously obtained, they are cached at the corresponding time according to the acquisition time of each abnormal event. In the time bucket, data caching is implemented. The target cache area is the cache area corresponding to the target location cache. One target location can correspond to multiple cache areas, or correspond to a one-to-one corresponding cache area. In the embodiment of the present invention, a two-way time dimension is used For aggregation, each cache area caches abnormal events according to the timestamp and a certain time interval as a time bucket. Therefore, after caching the abnormal events, it is not necessary to aggregate immediately. You also need to wait for a certain period of time until the time bucket is cached. After that, start preparations for aggregation.

It should be noted that in the target buffer area, the duration of each time bucket is the same and the times of two adjacent time buckets are continuous. For example, when a target buffer area obtains an abnormal event within the preset time period of 20 minutes, The length of each time bucket can be set to 5 minutes, so you can get 4 consecutive time buckets. Among them, the time of the first time bucket is cached from minute 0 to minute 5, and the time of the second time bucket is cached from minute 0 to minute 5. The cache is cached from 5 minutes to the 10th minute, the third time bucket is cached from the 10th minute to the 15th minute, the fourth time bucket is cached from the 15th minute to the 20th minute, and so on for longer preset time periods. The length of each time bucket can be set according to actual operation and maintenance needs, and there are no specific restrictions here.

It can be understood that in the embodiment of the present invention, the stop caching exception event can be controlled by setting the condition that the time bucket in the target cache area is no longer cached.

Referring to FIG. 3 , in one embodiment, the above step S202 may also include but is not limited to steps S301 to S303.

Step S301: Obtain convergence conditions for stopping caching of abnormal events within a preset time period.

Step S302: Continuously acquire multiple abnormal events at the target location starting from the start time of the preset time period, and cache them in the time bucket of the corresponding time according to the acquisition time of each abnormal event.

Step S303: When the cached abnormal events meet the convergence condition, stop caching the abnormal events.

In one embodiment, in order to solve the current problem that the time of aggregation in the time dimension is difficult to determine, the embodiment of the present invention caches abnormal events at the target location by setting the time bucket mode, and controls it by setting the convergence conditions of the time bucket. The time point when the time bucket stops caching. Specifically, the embodiment of the present invention obtains the convergence condition for stopping the caching of abnormal events within a preset time period. In the embodiment of the present invention, when caching abnormal events, it starts from the starting time of the preset time period. Continuously obtain multiple exception events at the target location, and cache them in the time bucket of the corresponding time according to the acquisition time of each exception event. When the cached exception events meet the convergence conditions, stop caching the exception events. When the convergence conditions are met, It means that the target buffer area is cached, that is, the buffer area is closed and no longer receives other abnormal events. The time bucket is encapsulated and prepared for aggregation. The target buffer area can also be cleared after the convergence conditions are met to wait for subsequent abnormal event caching. The present invention implements In the example, by setting convergence conditions to control when to stop caching exception events, there is no need to waste time on data collection, and the efficiency of aggregation can be improved in the time dimension and the aggregation capability can be improved.

It should be noted that, from the perspective of the aggregation point, in the embodiment of the present invention, when the target cache area is closed to stop caching abnormal events based on meeting the convergence conditions, the currently cached data already contains bidirectional data in the time dimension of the aggregation point. The abnormal events, that is, the abnormal events before and after the aggregation point as the center have entered the target cache area, which improves the aggregation ability of the data, so that two-way aggregation can be performed.

Referring to FIG. 4 , in an embodiment, the convergence condition may include but is not limited to at least one of steps S401 to S403.

Step S401: The time of obtaining the abnormal event exceeds the end time of the preset time period.

Step S402: The deceleration rate of the number of cached abnormal events between multiple consecutive time buckets is less than the preset target deceleration rate.

Step S403: The number of abnormal events in the time bucket is less than the preset minimum threshold for the number of events in the bucket.

In one embodiment, there can be multiple convergence conditions in the embodiment of the present invention. It can be judged in the time dimension when the data source collection is completed, so as to improve the aggregation efficiency and aggregation capability in the time dimension. Specifically, the convergence conditions can be Including at least one of steps S401 to S403, it can be understood that when one of the convergence conditions in the above steps is met, it can be determined that the data source collection is completed, and therefore the caching of exception events is stopped.

It should be noted that judging whether the time for obtaining abnormal events exceeds the end time of the preset time period is one of the convergence conditions. Specifically, the preset time period has a start time and an end time. When the time for obtaining abnormal events exceeds the preset time, Set the end time of the time period to indicate the cache time deadline, that is, the time interval from the time of the last aggregation point of this cache to the deadline. This time interval is the maximum value of the preset time period, which limits excessive waiting. The convergence condition of the embodiment of the present invention implements forced termination of caching. In one embodiment, the maximum value of the aggregation time interval, that is, the preset time period, is set to 60 minutes. After this time, there will be no more waiting for subsequent messages.

It should be noted that judging whether the deceleration rate of the number of cached abnormal events between multiple consecutive time buckets is less than the preset target deceleration rate is one of the convergence conditions. Specifically, when the number of abnormal events in three consecutive time buckets is set to The judgment is made by decreasing at a certain rate. It is lower than the decrease rate of the number of events, that is, it is lower than the target decrease rate, that is, the number of back buckets is lower than the number of front buckets by a certain percentage. When it is lower than the target decrease rate, it is judged that there is no need to cache abnormal events, such as When the target deceleration rate is 25%, the value of the target deceleration rate can be set according to actual needs. The convergence condition in the embodiment of the present invention ends caching after the marginal effect is reduced. As shown in Figure 5, the time buckets in the target cache area are respectively It caches user login logs, configuration routing logs, restart routing logs, communication exceptions, network unavailability alarms, key performance indicator anomalies (KPI exceptions in the figure), business exceptions, business restart alarms and other abnormal events. Among them, communication anomalies, network unavailability alarms, etc. Alarms, key performance indicator anomalies and business restart alarms are aggregation points. In the example in Figure 5, the number of abnormal events in time bucket 4 is one-third of that in time bucket 3, which is higher than the set target deceleration rate (25%). , so the cache cannot be ended yet and the exception events can continue to be received.

It should be noted that judging whether the number of abnormal events in the time bucket is less than the preset minimum threshold for the number of events in the bucket is one of the convergence conditions. Specifically, the number of abnormal events in the time bucket is less than the minimum threshold for the number of events in the bucket, that is, bucket events The minimum number of events in the bucket can be set according to actual needs. When it is lower than the minimum threshold of the number of events in the bucket, it is judged that it is no longer necessary to cache abnormal events. The embodiment of the present invention realizes that the event ends after the events converge within a certain period of time. Caching, also shown in Figure 5, time bucket 4 receives only 1 event, which is less than the minimum threshold of the number of events in the bucket (assumed to be 2), that is, it no longer needs to receive abnormal events, and stops caching abnormal events, that is, time bucket 5 does not need to Receive again, and finally complete the collection of data sources.

In one embodiment, there are multiple target locations. Referring to FIG. 6 , the above step S201 may also include but is not limited to step S501 and step S302.

Step S501: Obtain the preset time period corresponding to each target position.

Step S502: Create target cache areas corresponding to each target location, and create multiple time buckets in the corresponding target cache areas according to the total duration of each preset time period.

In one embodiment, when there are multiple target locations, the embodiment of the present invention caches data sources according to different target locations. Specifically, each different location can set a preset time required for its own cache. period, the embodiment of the present invention obtains the preset time period corresponding to each target location, caches the data of each target location, and establishes a target cache area corresponding to each target location. In one embodiment, the target cache area and There is a one-to-one correspondence between the target locations. Each target location has a corresponding target cache area, and multiple time buckets are established in the corresponding target cache areas according to the total duration of each preset time period, so that each target location can be allocated according to the total duration of each preset time period. Exception times are cached in the corresponding time bucket.

The target location in the embodiment of the present invention is a location in the spatial dimension. For example, the target location can be a network element, a link, or an computer room. Multiple target locations can include multiple network elements, links, and computer rooms. By By collecting abnormal events at different target locations, the aggregation results of each different target location can be obtained, so as to perform aggregate analysis on each target location. It can be understood that in the embodiment of the present invention, the aggregation results of each target location can be obtained, by This aggregation result can analyze the fault root cause of each target location itself, and can also obtain the overall aggregation result of multiple target locations. Through this aggregation result, the root cause of faults in multiple target locations can be analyzed, which improves the aggregation capability and improves the fault Operation and maintenance level.

Referring to FIG. 7 , in one embodiment, the above step S102 may also include but is not limited to step S601 and step S602.

Step S601: Obtain the filtering conditions of the aggregation point.

Step S601: Determine the abnormal event that satisfies the filtering conditions among multiple abnormal events as the aggregation point.

In one embodiment, the embodiment of the present invention can obtain the filtering conditions of the aggregation points, determine the aggregation points from abnormal events, and determine which are major alarms or major key performance indicator abnormalities from the abnormal events through the filtering conditions. Major alarms can be Any of the alarms in abnormal events, major key performance indicator abnormalities can be any of the key performance indicator abnormalities in abnormal events, for example, the aggregation point such as base station out of service, cell out of service, etc. The aggregation point is the real operation and maintenance Center, with the aggregation point of major alarms or major key performance indicator abnormalities as the center, aggregation is suitable for actual operation and maintenance needs. Otherwise, aggregation of a large number of ordinary alarms will waste a lot of time, resulting in low operation and maintenance levels. The specific alarm types of aggregation points and Key performance indicator exception types can be specified through configuration.

It can be understood that in the embodiment of the present invention, the filtering conditions can be customized according to actual operation and maintenance needs to determine major alarms or major key performance indicator anomalies. The aggregation point is one or more of the many abnormal events. Since abnormal events are continuously acquired within the preset time period, the time of the aggregation point is located in the middle of the preset time period. It can be understood that the aggregation of the aggregation point can include before and after the acquisition time of the aggregation point. Multiple abnormal events. These abnormal events at the time before and after can be at least one of alarms, key performance indicator exceptions, and operation logs. Therefore, in the embodiment of the present invention, an alarm or alarm may be triggered by a certain operation before the aggregation point. When key performance indicators are abnormal, the data before and after the aggregation point can be aggregated. The obtained aggregation results can be used to clarify the root cause of the fault and achieve two-way aggregation, which can improve the aggregation capabilities of the data source and improve the level of fault operation and maintenance.

It should be noted that in related technologies, a certain operation log is not used as the starting point for backward aggregation because there are too many and too frequent logs, and most operation logs are only for recording and do not explain abnormalities, so the operation logs are It is said that because the operation log is inconvenient to clearly identify exceptions, it is impossible to detect them immediately. It is often after an alarm or key performance indicator is abnormal, and then go back and look for the relevant operation logs. For example, memory leaks and other faults indicate that a memory leak has been discovered or a leak trend has been discovered. , and then look for relevant operation logs, thus resulting in low aggregation capabilities.

Referring to FIG. 8 , in one embodiment, the above step S103 may also include but is not limited to steps S701 to S703.

Step S701: Determine the first target event and the second target event among the abnormal events, where the first target event is characterized as a noise event at the aggregation point, and the second target event is characterized as a related event at the aggregation point.

Step S702: Clear the first target event and retain the second target event.

Step S703: Perform aggregation based on the aggregation point and the second target event to obtain an aggregation result.

In one embodiment, the embodiment of the present invention can denoise abnormal events, remove unnecessary events, and retain abnormal events related to the aggregation point, so as to improve the aggregation capability. Specifically, in the embodiment of the present invention, abnormal events can be removed The first abnormal event and the second abnormal event are determined in the event. The first target event is characterized as a noise event at the aggregation point, and the second target event is characterized as an associated event at the aggregation point. As a noise event, if aggregated with the aggregation point, it will cause The amount of data in the final aggregation result is too large, and there are many abnormal events that are useless for fault root cause analysis. Therefore, in the embodiment of the present invention, the noise event characterized as the aggregation point can be determined, that is, the first target event is determined, and the characterization To represent the associated events of the aggregation point, that is, the second target event, the first target event is cleared and the second target event is retained. Finally, aggregation can be performed based on the aggregation point and the second target event to obtain an aggregation result, which can improve the performance of the embodiment of the present invention. Aggregation capabilities to improve fault operation and maintenance levels.

It should be noted that since the abnormal events in the embodiment of the present invention include operation logs, in the actual operation and maintenance process, there will be a large number of operation logs. In the embodiment of the present invention, through two-way aggregation, the data before and after the aggregation point can be obtained. Abnormal events can be used to obtain the aggregation results, that is, the operation logs before and after the aggregation point can be obtained to obtain the aggregation results. Finally, the root cause of the fault can be determined based on the aggregation results to find the operation logs that caused the aggregation point exception. In order to solve the problem of excessive and large number of operation logs and aggregation Regardless of the issue, the embodiment of the present invention ultimately ensures the aggregation capability and efficiency of the embodiment of the present invention by clarifying the first target event and the second target event in the abnormal event, clearing the first target event and retaining the second target event.

Taking the abnormal events collected in Figure 5 as an example, when the abnormal event of communication exception is used as the aggregation point, communication exceptions can be aggregated in both directions as shown in Figure 9. In the forward direction, user login logs, configuration routing logs and restarts can be aggregated. For abnormal events such as routing logs, backward aggregation can aggregate network unreachable alarms, key performance indicator anomalies, business anomalies and other abnormal events. When the abnormal event of network unreachable alarm is used as the aggregation point, communication anomalies can be processed as shown in Figure 10 Backward and forward two-way aggregation, forward can aggregate user login logs, configuration routing logs, restart routing logs, communication exceptions and other abnormal events, backward aggregation can aggregate key performance indicator abnormalities, business exceptions and business restart alarms and other abnormal events.

Referring to FIG. 11 , in one embodiment, the above step S103 may also include but is not limited to step S801 and step S802.

Step S801: Aggregate aggregation points and abnormal events to obtain an aggregation package.

Step S802: Perform root cause identification on the aggregation package, and combine the abnormal events corresponding to each aggregation point to obtain the root cause identification result of the aggregation point.

In one embodiment, in the embodiment of the present invention, root cause identification can be performed to obtain the root cause identification result. In the embodiment of the present invention, the aggregation point and the abnormal event are aggregated to obtain an aggregation package, and the root cause identification is performed on the aggregation package, and The root cause identification result of the aggregation point is obtained by combining the abnormal events corresponding to each aggregation point. In another embodiment, in the embodiment of the present invention, aggregation is performed based on the aggregation point and the second target event to obtain an aggregation package. By analyzing the second target event Perform aggregation to obtain an aggregation package with higher aggregation efficiency, and identify the root cause of these useful abnormal events. You can use the second target event and knowledge base in the aggregation point and other technologies to analyze which abnormal event is the root cause event, thus improving the efficiency of the aggregation. Failure operation and maintenance level.

Referring to FIG. 12 , in one embodiment, the above step S701 may also include but is not limited to step S901 and step S902.

Step S901: Perform initialization processing on the abnormal events to obtain initial data, and input the initial data into the preset two-way aggregation model for probability calculation to obtain the noise probability values of each abnormal event and the corresponding aggregation point.

Step S902: Determine the first target event and the second target event among the abnormal events according to the noise probability value.

In one embodiment, the embodiment of the present invention determines the first target event and the second target event in the abnormal event by obtaining a preset two-way aggregation model. The two-way aggregation model is a kind of data obtained through neural network model training. Processing model. Specifically, in the embodiment of the present invention, initial data is obtained by initializing abnormal events, and the initial data is input into a preset two-way aggregation model for probability calculation, and the values of each abnormal event and the corresponding aggregation point are obtained. Noise probability value. The input of the two-way aggregation model needs to match the corresponding initial data so that the two-way aggregation model can perform data processing. The noise probability value can represent the probability that the abnormal event is a noise event at the corresponding aggregation point. It is characterized by the noise probability value. Based on the probability, it can be determined whether the abnormal event is a noise event at the corresponding aggregation point, thereby determining the first target event and the second target event.

It can be understood that there can be multiple aggregation points in the embodiment of the present invention. When there are multiple aggregation points, each abnormal event can be subject to probability calculation through a two-way aggregation model to obtain the noise probability value for each aggregation point. This is because some abnormal events have low probability for some aggregation points, but high probability for other aggregation points. Therefore, calculating the probability of each abnormal event and each aggregation point can avoid removing some high-probability abnormal events. Helps to aggregate all aggregation points.

Referring to FIG. 13 , in one embodiment, the above step S902 may also include but is not limited to steps S1001 to S1003.

Step S1001: Obtain the first probability threshold and the second probability threshold of each aggregation point.

Step S1002: Determine abnormal events corresponding to noise probability values lower than all first probability thresholds as first target events.

Step S1003: Determine an abnormal event corresponding to a noise probability value higher than any second probability threshold as a second target event.

In one embodiment, the embodiment of the present invention filters abnormal events by setting a low probability threshold and a high probability threshold. The embodiment of the present invention can obtain the first probability threshold and the second probability threshold of each aggregation point. The first probability The threshold is a low probability threshold, which is used to filter out the first target event among abnormal events. Therefore, the abnormal event corresponding to the noise probability value lower than all the first probability thresholds is determined as the first target event, and the first target event is low probability. event, the second probability threshold is a high probability threshold, used to filter out the second target event, and determine the abnormal event corresponding to the noise probability value higher than any second probability threshold as the second target event, and the second target event is high Probabilistic events.

It should be noted that in the embodiment of the present invention, marks that are lower than the low probability threshold will be used as the first probability threshold of the low probability threshold, which can be set in the interface or configuration file, and configured according to actual operation and maintenance needs, and marks that are higher than the high probability threshold will be Abnormal events are placed in a high probability list. The second probability threshold as the high probability threshold can be set in the interface or configuration file and configured according to actual operation and maintenance needs. The key value is the abnormal point and the value is a list. These high probability thresholds are saved in the list. Abnormal events above the high probability threshold, and abnormal events below the low probability threshold are temporarily excluded when analyzing each aggregation point, because some abnormal events are low probability for some aggregation points but high probability for other aggregation points, so In the embodiment of the present invention, when determining which abnormal events are the first target events, it is required that the noise probability value of the abnormal event is lower than the first probability threshold of all aggregation points before it is determined as the first target event, and the second target event is determined. When a target event occurs, the noise probability value of the abnormal event only needs to be higher than the second probability threshold of any aggregation point to determine it as the second target event.

In one embodiment, the first probability threshold is used to predict the context-related events of this aggregation point using a certain aggregation point. If the probability of some abnormal events is very low, the probabilities for all aggregation points are lower than the first probability threshold. , if set to 10%, it can be used as noise denoising; the second probability threshold, when using a certain aggregation point to predict the context-related events of this aggregation point, if the probability of certain abnormal events is higher than the second probability threshold , if set to 75%, it can be considered that the correlation is very strong and can assist in subsequent root cause analysis.

Referring to FIG. 14 , in one embodiment, the above step S901 may also include but is not limited to steps S1101 to S1103.

Step S1101: Perform one-hot encoding on the abnormal event to obtain initialized initial vector data.

Step S1102: Obtain a preset bidirectional aggregation model, where the bidirectional aggregation model is obtained through unsupervised training based on sample abnormal events in the acquired samples, sample target events characterized as noise events, and sample aggregation points.

Step S1103: Input the initial vector data into the preset two-way aggregation model for probability calculation, and obtain the noise probability values of each abnormal event and the corresponding aggregation point.

In one embodiment, the abnormal event needs to be initialized into a vector before it is input into a preset two-way aggregation model for processing to obtain the required noise probability value. Specifically, the two-way aggregation model can be established in advance based on the data in the sample. In the embodiment of the present invention, there will be a large number of abnormal events during aggregation, and not all of them are useful for root cause analysis. Some events are useful for the aggregation point. Generally speaking, they are noise events, such as some daily operation operation logs, and flash alarms happen to be in a certain time window with the abnormal point. Their existence interferes with the aggregate analysis. Therefore, through artificial intelligence (AI) training, through a certain Filtering based on probability can make aggregate analysis more accurate.

Just like in Natural Language Processing (NLP), the Continuous Skip-Gram Model (Skip-gram) model of word vectorization (Wordvecor (word embedding), Word2vec) uses the center word to predict the context words. This principle of probability, the embodiment of the present invention uses the same principle, after vectorizing abnormal events, obtains the probability of abnormal events in the time period before and after the aggregation point pair through a two-way aggregation model, and denoises abnormal events through probability thresholds.

In the embodiment of the present invention, a trainer can be set up to load historical data. The historical data can include sample abnormal events in the sample, sample target events characterized as noise events, and sample aggregation points. In the training phase, these data in the sample After performing one-hot coding, through unsupervised training, when the context probability is maximum and the loss function is minimum, abnormal events can be vectorized, and a bidirectional aggregation model is obtained through training, which will be needed for subsequent applications.

In the embodiment of the present invention, when performing probability calculations, the trained two-way aggregation model is first loaded, one-hot encoding is performed on the abnormal events, and the initial vector data after initialization is obtained, and the initial vector data is input into the preset two-way aggregation model. Probability calculations are used to obtain the noise probability values of each abnormal event and the corresponding aggregation point. The money input into the bidirectional aggregation model has been expressed as an initialization vector through one-hot encoding. Therefore, the bidirectional model obtained through training and release can be used directly to calculate the probability of the event. Calculate, perform vector probability calculation on abnormal events, and obtain the noise probability value of each abnormal event and the corresponding aggregation point.

It can be understood that the implementation of the present invention can use but is not limited to the Skip-gram model of Word2vec for training, including the construction of neural networks to obtain the required two-way aggregation model. First, obtain the historical data in the sample, or according to the fault handling manual, etc. After the corpus is subjected to one-hot encoding, the Skip-gram model is used, and its loss function is to minimize all probabilities. At this time, the correlation of different alarms, operation logs and other abnormal events is obtained through training to obtain the intermediate hidden layer. This It is the model that is ultimately required. The steps of training to obtain the bidirectional aggregation model will not be described in detail in the embodiment of the present invention.

Referring to FIG. 15 , in an embodiment, the above step S901 may also include but is not limited to step S1201 and step S1202.

Step S1201: Sort multiple aggregation points according to time and store them in an aggregation point list.

Step S1202, input the initial data into the preset two-way aggregation model, and perform probability calculations on abnormal events according to each aggregation point in the aggregation point list to obtain the noise probability value of each abnormal event and the corresponding aggregation point.

In one embodiment, the embodiment of the present invention stores the aggregation points by establishing an aggregation point list. After the target cache stops caching exception events, the target cache is closed and no longer receives other exception events, and the time bucket is encapsulated into an initial package for preparation. aggregation, and then clear the cache area to wait for subsequent event caching. It needs to be emphasized that from the perspective of the aggregation point, the difference from the conventional one-way backward aggregation is that when closing the target cache area, the embodiment of the present invention already includes The two-way events before and after, that is, the events before and after the aggregation point as the center have entered the cache area. The two-way aggregation in the embodiment of the present invention is based on the aggregation point for bidirectional aggregation. Therefore, the aggregation point of the target cache area can be collected. If there is no aggregation point, the target cache area is directly recycled for the next cache. If there may be multiple aggregation points in a target cache area or even a bucket in the cache area, the aggregation points are collected first, sorted by time, and stored in the aggregation point In the list, the exception events with the earliest occurrence time and the latest occurrence time in the cache area are then given. In addition, the location of the target cache area can also be given, such as network elements, computer rooms, or links.

It should be noted that when performing probability calculations, the embodiment of the present invention first obtains a list of aggregation points, and then uses a two-way model to obtain the noise probability rate of other abnormal events in the data for the aggregation points in the list, which will be lower than the low probability threshold ( mark, put the abnormal events higher than the high probability threshold in a high probability list, the key value is the abnormal point, and the value is the list. These abnormal events higher than the high probability threshold are saved in the list. Finally, after denoising, The aggregation point can be attached to a high probability list, combined into an aggregation package, and sent to root cause identification.

In addition, the abnormal event processing method in the embodiment of the present invention can be applied in an abnormal event processing device, referred to as a processing device, and the processing device may include:

Cache: receives external exception events into the cache area, assembles them into initial packages and sends them to the packager;

Packer: receives the initial packet, packages it into an encoded packet and sends it to the aggregator;

Aggregator: receives the coding packet, performs context probability training and prediction centered on the aggregation point, denoises, obtains the aggregation packet, and sends it to root cause analysis;

The communication connection between the trainer, the cache, the packager, the aggregator and the trainer, when executing the exception event processing method in the above embodiment through the processing device, may include the following four steps:

The first step: the trainer trains the bidirectional aggregation model to complete event vectorization.

Specifically, in aggregation, there may be a large number of abnormal events, and not all of them are useful for root cause analysis. Some events are noise events for the aggregation point, such as some daily operation logs and flash alarms. In a certain time window with abnormal points, their existence interferes with the aggregation analysis. Therefore, through AI training and filtering with a certain probability, the aggregation analysis can be made more accurate.

Just like in NLP, the Skip-gram model of Word2vec uses the principle of predicting the probability of context words using the center word. The embodiment of the present invention uses the same principle to vectorize the abnormal events and obtain the time before and after the aggregation point pair through the two-way aggregation model. The probability of abnormal events in the segment is determined, and the abnormal events are denoised through the probability threshold.

After the trainer loads historical alarms, logs, key performance indicator anomalies, and troubleshooting manuals as a corpus for one-hot encoding, through unsupervised training, when the context probability is the largest and the loss function is the smallest, the abnormal events can be vectorized, then we get Bi-directionally aggregate models and then publish the model.

Step 2: The cache receives and caches streaming exception events.

Exception events are streaming input, so exception events need to be cached for a certain period of time.

The cache sets different cache areas according to different spatial dimensions, that is, different locations. One cache area can only cache abnormal events in the same spatial dimension. Each cache area is cached as a time bucket according to the timestamp and a certain time interval. Exception events, if the event is a convergence point, mark it.

After you have an aggregation point, you do not need to aggregate immediately. You also need to wait for a certain period of time until the time bucket is cached before starting to prepare for aggregation. A time bucket is a time interval, such as five minutes, and the abnormal events of these 5 minutes are cached in it. The next time bucket caches the abnormal events of the next time interval, such as five minutes.

As shown in Figure 5, after the streaming exception event enters, there is a cache area at the same location. In the figure, a time bucket caches a batch of exception events every 5 minutes. The size of the bucket may be different at different times.

A cache area consists of one or more time buckets. The key is when to end, that is, the cache is completed and can be aggregated. The embodiment of the present invention uses three dimensions as convergence conditions to complete the cache of the last time bucket:

The cache time expires, that is, the time interval from the time of the last aggregation point of this cache to the deadline. This time interval is the maximum time interval. It limits excessive waiting. This approach is to force the end;

The number of abnormal events in three consecutive time buckets decreases at a certain rate, which is lower than the event number decrement ratio. That is, the number of subsequent buckets is lower than the number of previous buckets by a certain percentage, such as 25%. This number can be set. This approach ends after the marginal effect decreases. , as shown in Figure 5, the number of events in time bucket 4 is one-third of that in time bucket 3, so it cannot end yet and continue to receive abnormal events;

The number of abnormal events in the time bucket is less than the minimum threshold of the number of events in the bucket, that is, the minimum number of events in the bucket. This value can be set. This method is to end after the events converge within a certain period of time. Also shown in Figure 5, the events received by time bucket 4 There is only 1, which is less than the minimum threshold of the number of events in the bucket (assumed to be 2), that is, it does not need to be received anymore, that is, time bucket 5 does not need to receive abnormal data anymore.

When any of the above three conditions is met, the buffer area is cached, that is, the buffer area is closed and no longer receives other abnormal events. The time bucket is encapsulated into an initial package and sent to the packager to prepare for aggregation, and then the buffer area is cleared to wait for Later event caching.

It needs to be emphasized that from the perspective of the aggregation point, the difference from the conventional one-way backward aggregation is that when the buffer area is closed in the embodiment of the present invention, the events in the front and back directions are already included, that is, the events before and after the aggregation point are centered. Enter the cache area.

Step 3: The packager performs the initial package for packaging.

After the cache is completed, the packager packages the initial package into an aggregate package. The two-way aggregation of the present invention is based on the aggregation point. Therefore, the packager first collects the aggregation points of this cache area. If there is no aggregation point, the cache The area is directly recycled for the next cache. If there may be multiple aggregation points in a cache area or even a bucket in the cache area, first collect the aggregation points, sort them by time, and then give the earliest exception in the cache area. Events and abnormal events with the latest occurrence time are given, and the location of this cache area is given, such as network elements, computer rooms, or links. One-hot encoding is performed on the abnormal events in this cache area. After completing the above operations, the packager completes packaging, and we get Encoding package, the packager sends the encoding package to the aggregator for aggregation.

Step 4: Aggregation.

The aggregator loads the trained bidirectional aggregation model and performs forward and backward bidirectional denoising on the aggregation points in the aggregation package to complete the aggregation.

At the end of the third step, the aggregator receives the encoded packet sent by the packer. Since it has been one-hot encoded, it can directly use the bidirectional model obtained through training and release to vectorize the event and vectorize the probability of abnormal events in the packet. calculate.

The aggregator first obtains a list of aggregation points, and then uses a two-way model to obtain the probability of other abnormal events in this package for the aggregation points in the list. Marks that are lower than the low probability threshold (can be set in the interface or configuration file) will be higher than the high probability threshold. Abnormal events with probability thresholds (which may also be aggregation points) are placed in a high probability list, with the key value being the abnormal point and the value being the list. The list stores these abnormal events that are higher than the high probability threshold.

Note that abnormal events below the low probability threshold are not temporarily excluded when analyzing each aggregation point, because some abnormal events are low probability for some aggregation points but high probability for other aggregation points. When all aggregations in this encoding package After the point analysis is completed, all abnormal events marked with low probability are viewed and cleared if their probability for all aggregation points is lower than the minimum probability threshold.

After the aggregator has analyzed all aggregation points, it can also conduct a second check on the marked abnormal events that are lower than the low probability threshold to see whether they are lower than low probability for each aggregation point. If not, they will be retained. Otherwise, denoising is performed. After denoising, the aggregator attaches a high probability list to the aggregation points in the coding packet, combines them into an aggregation packet, and sends it to root cause identification. This aggregation is completed.

Figure 16 shows an electronic device 100 provided by an embodiment of the present invention. The electronic device 100 includes: a processor 110, a memory 120, and a computer program stored on the memory 120 and executable on the processor 110. When the computer program is run, it is used to execute the above-mentioned abnormal event processing method.

The processor 110 and the memory 120 may be connected through a bus or other means.

As a non-transitory computer-readable storage medium, the memory 120 can be used to store non-transitory software programs and non-transitory computer executable programs, such as the abnormal event processing method described in the embodiment of the present invention. The processor 110 implements the above-mentioned exception event processing method by running non-transient software programs and instructions stored in the memory 120 .

The memory 120 may include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function; the storage data area may store the above-mentioned exception event handling method. Additionally, memory 120 may include high-speed random access memory 120 and may also include non-transitory memory 120, such as at least one storage device storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory 120 optionally includes memory 120 located remotely relative to the processor 110 , and these remote memories 120 can be connected to the electronic device 100 through a network. Examples of the above-mentioned networks include but are not limited to the Internet, intranets, local area networks, mobile communication networks and combinations thereof.

The non-transitory software programs and instructions required to implement the above-mentioned exception event processing method are stored in the memory 120. When executed by one or more processors 110, the above-mentioned exception event processing method is executed, for example, execution in Figure 1 Method steps S101 to step S103, method steps S201 to step S202 in Figure 2, method steps S301 to step S303 in Figure 3, method steps S401 to step S403 in Figure 4, method steps S501 to step S502 in Figure 6 , the method steps S601 to step S602 in Figure 7, the method steps S701 to step S703 in Figure 8, the method steps S801 to step S802 in Figure 11, the method steps S901 to step S902 in Figure 12, the method in Figure 13 Steps S1001 to step S1003, method steps S1101 to step S1103 in FIG. 14 , and method steps S1201 to step S1202 in FIG. 15 .

Embodiments of the present invention also provide a computer-readable storage medium that stores computer-executable instructions, and the computer-executable instructions are used to execute the above-mentioned abnormal event processing method.

In one embodiment, the computer-readable storage medium stores computer-executable instructions, and the computer-executable instructions are executed by one or more control processors, for example, executing steps S101 to S103 of the method in Figure 1, Figure 2 The method steps S201 to S202 in Figure 3 , the method steps S301 to S303 in Figure 3 , the method steps S401 to S403 in Figure 4 , the method steps S501 to S502 in Figure 6 , the method steps S601 to S601 in Figure 7 Step S602, method steps S701 to step S703 in Figure 8, method steps S801 to step S802 in Figure 11, method steps S901 to step S902 in Figure 12, method steps S1001 to step S1003 in Figure 13, method steps S1001 to step S1003 in Figure 14 method steps S1101 to step S1103, and method steps S1201 to step S1202 in Figure 15 .

The device embodiments described above are only illustrative, and the units described as separate components may or may not be physically separate, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

Those of ordinary skill in the art can understand that all or some steps and systems in the methods disclosed above can be implemented as software, firmware, hardware, and appropriate combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, a digital signal processor, or a microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit . Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As well known to those of ordinary skill in the art, computer storage media includes volatile and nonvolatile media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. , removable and non-removable media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disk (DVD) or other optical disk storage, magnetic cassettes, tapes, storage device storage or other magnetic storage devices, or Any other medium that can be used to store the desired information and that can be accessed by a computer. Furthermore, it is known to those of ordinary skill in the art that communication media typically includes computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media .

It should also be understood that the various implementation modes provided by the embodiments of the present invention can be combined arbitrarily to achieve different technical effects.

The above is a detailed description of the preferred implementation of the present invention, but the present invention is not limited to the above-mentioned embodiments. Those skilled in the art can also make various equivalent modifications or substitutions without violating the spirit of the present invention. These equivalent modifications or substitutions are included in the scope defined by the claims of the present invention.

Claims (14)

1. A method of exception event handling, the method comprising:

acquiring a plurality of abnormal events of a target position in a preset time period, wherein the abnormal events comprise at least one of alarms, key performance index anomalies and operation logs;

determining an aggregation point in the abnormal event;

and polymerizing according to the polymerization point and the abnormal event to obtain a polymerization result.

2. The abnormal event processing method according to claim 1, wherein the acquiring a plurality of abnormal events of the target position within a preset period of time includes:

establishing a plurality of time barrels in a target cache region according to the total duration of a preset time period, wherein the time barrels are formed by time stamp intervals, and the duration of each time barrel is the same and the time of two adjacent time barrels is continuous;

And continuously acquiring a plurality of abnormal events of the target position, and caching the abnormal events in the time barrel of the corresponding time according to the acquisition time of each abnormal event.

3. The method according to claim 2, wherein the sequentially acquiring a plurality of abnormal events of a target position and buffering the acquired time of each abnormal event in the time bucket at a corresponding time comprises:

acquiring a convergence condition for stopping caching the abnormal event within the preset time period;

continuously acquiring a plurality of abnormal events of a target position from the starting time of the preset time period, and caching the abnormal events in the time barrel of the corresponding time according to the acquisition time of each abnormal event;

and stopping caching the abnormal event when the cached abnormal event meets the convergence condition.

4. The method of claim 3, wherein the convergence condition comprises at least one of:

acquiring the ending time of the abnormal event exceeding the preset time period;

the quantity decrement rate of caching the abnormal events among the continuous time buckets is smaller than a preset target decrement rate;

And the number of the abnormal events in the time bucket is smaller than a preset minimum threshold value of the number of the events in the bucket.

5. The method for processing an abnormal event according to claim 3, wherein the plurality of target locations are provided, the establishing a plurality of time slots in the target buffer according to a total duration of a preset time period includes:

respectively acquiring preset time periods corresponding to the target positions;

and respectively establishing target cache areas corresponding to the target positions, and respectively establishing a plurality of time barrels in the corresponding target cache areas according to the total duration of the preset time periods.

6. The method of claim 1, wherein determining an aggregation point in the exception event comprises:

obtaining screening conditions of the polymerization points;

and determining that the abnormal event meeting the screening condition is the aggregation point in a plurality of abnormal events.

7. The method for processing an abnormal event according to claim 1, wherein the aggregating according to the aggregation point and the abnormal event to obtain an aggregate result comprises:

determining a first target event and a second target event in the abnormal event, wherein the first target event is characterized as a noise event of the aggregation point, and the second target event is characterized as an association event of the aggregation point;

Clearing the first target event and retaining the second target event;

and polymerizing according to the polymerization point and the second target event to obtain a polymerization result.

8. The method for processing an abnormal event according to claim 1 or 7, wherein the aggregating the abnormal event according to the aggregation point and the abnormal event to obtain an aggregation result, includes:

the aggregation point and the abnormal event are aggregated to obtain an aggregation packet;

and carrying out root cause identification on the aggregation package, and obtaining root cause identification results of the aggregation points by combining the abnormal events corresponding to the aggregation points.

9. The method of claim 7, wherein determining a first target event and a second target event among the abnormal events comprises:

initializing the abnormal event to obtain initial data, inputting the initial data into a preset bidirectional aggregation model for probability calculation, and respectively obtaining noise probability values of each abnormal event and the corresponding aggregation point;

and determining a first target event and a second target event in the abnormal events according to the noise probability value.

10. The method of claim 9, wherein determining a first target event and a second target event of the abnormal events according to the noise probability value comprises:

acquiring a first probability threshold and a second probability threshold of each aggregation point;

determining the abnormal event corresponding to the noise probability value lower than all the first probability threshold values as a first target event;

and determining the abnormal event corresponding to the noise probability value higher than any one of the second probability thresholds as a second target event.

11. The method for processing an abnormal event according to claim 9, wherein initializing the abnormal event to obtain initial data, and inputting the initial data into a preset bidirectional aggregation model to perform probability calculation, so as to obtain noise probability values of each abnormal event and the corresponding aggregation point, respectively, including:

performing single-heat coding on the abnormal event to obtain initialized initial vector data;

acquiring a preset bidirectional aggregation model, wherein the bidirectional aggregation model is obtained after unsupervised training according to a sample abnormal event in an acquired sample, a sample target event which is characterized as a noise event and a sample aggregation point;

And inputting the initial vector data into a preset bidirectional aggregation model to perform probability calculation, and respectively obtaining noise probability values of the abnormal events and the corresponding aggregation points.

12. The method for processing an abnormal event according to claim 9, wherein the inputting the initial data into a preset bidirectional aggregation model for probability calculation, respectively obtaining noise probability values of each abnormal event and the corresponding aggregation point, includes:

sorting a plurality of aggregation points according to time and storing the aggregation points in an aggregation point list;

and inputting the initial data into a preset bidirectional aggregation model, and respectively carrying out probability calculation on the abnormal events according to each aggregation point in the aggregation point list to obtain noise probability values of each abnormal event and the corresponding aggregation point.

13. An electronic device, comprising: a memory, a processor storing a computer program, the processor executing the computer program implementing the abnormal event handling method according to any one of claims 1 to 12.

14. A computer-readable storage medium storing a program that is executed by a processor to implement the abnormal event processing method according to any one of claims 1 to 12.