Search

US-12619884-B2 - Artificial intelligence operations adaptive multi-granularity event grouping

US12619884B2US 12619884 B2US12619884 B2US 12619884B2US-12619884-B2

Abstract

System and methods for adaptive multi-granularity event groupings are provided. In embodiments, a method includes: determining to group IT operations data at a first level of granularity for similar events or at a second level of granularity for related events based on user input of a data grouping event; parsing, by an event parser, the IT operations data into one or more groups of similar events based on text information and parser rules in response to determining to group the IT operations data at the first level of granularity; obtaining user feedback indicating the one or more groups of similar events require modification; determining one or more keywords of the IT operations data using an artificial intelligence model in response to the user feedback; and updating the parser rules for the event parser based on the one or more keywords, thereby generating updated parser rules.

Inventors

  • Zhao Qi Wu
  • Zhi Wang
  • Qian Ke Fang
  • Li Na YUAN
  • Min Xiang
  • Li Long Chen

Assignees

  • INTERNATIONAL BUSINESS MACHINES CORPORATION

Dates

Publication Date
20260505
Application Date
20220110

Claims (20)

  1. 1 . A method, comprising: determining, by a computing device, to group Information Technology (IT) operations data at a first level of granularity for similar events or at a second level of granularity for related events based on user input of a data grouping event, received through a user interface communicatively connected to the computing device; parsing, by an event parser of the computing device, the IT operations data into one or more groups of similar events based on text information and parser rules according to a text template of one or more keywords in response to determining to group the IT operations data at the first level of granularity, wherein the event parser is a log parser modified to handle specific keywords when creating event templates; obtaining, by the computing device, user feedback repeatedly through a user-selected button on the user interface indicating that the one or more groups of similar events require modification; determining, by the computing device, the one or more keywords of the IT operations data using an artificial intelligence model in response to the user feedback; and updating, by the computing device, the parser rules for the event parser based on the one or more keywords, thereby generating updated parser rules such that the event parser can automatically produce the one or more groups of similar events over time.
  2. 2 . The method of claim 1 , further comprising: parsing, by the event parser of the computing device, the IT operations data into one or more new groups of similar events based on the text information and the updated parser rules; and providing, by the event parser, the one or more new groups of similar events to the user in response to the user input.
  3. 3 . The method of claim 2 , further comprising: receiving, by the computing device, new feedback from the user that the one or more new groups of similar events do not require modification; and ending, by the computing device, the data grouping event.
  4. 4 . The method of claim 1 , wherein the determining the one or more keywords of the IT operations data comprises: extracting, by the computing device, parameters from the IT operations data; extracting, by the computing device, features from the IT operations data; and determining, by the computing device, based on an output of a trained classification model with the parameters and the features as inputs, that one or more words are the one or more keywords based on the one or more words have a probability of being keywords greater than a threshold value.
  5. 5 . The method of claim 4 , further comprising updating, by the computing device, the trained classification model based on the keywords.
  6. 6 . The method of claim 1 , further comprising: determining, by the computing device, whether to group IT operations data at a first level of granularity for similar events or a second level of granularity for related events based on additional user input of a second data grouping event; transforming, by the computing device, the IT operations data to multi-dimensional vector data in response to determining to group the IT operations data at the second level of granularity based on the additional user input; determining, by the computing device, a group of related events using a trained data classification model with the multi-dimensional vector data as input; and updating, by the computing device, classification labels of the trained classification model based on user feedback regarding the group of related events.
  7. 7 . The method of claim 1 , further comprising: determining, by the computing device, whether to group the IT operations data at the first level of granularity for similar events or the second level of granularity for related events based on additional user input of a second data grouping event; transforming, by the computing device, the IT operations data to multi-dimensional vector data in response to determining to group the IT operations data at the second level of granularity based on the additional user input; and obtaining, by the computing device, a group of related events using a density-based spatial clustering algorithm with the multi-dimensional vector data as input.
  8. 8 . The method of claim 1 , wherein the computing device includes software provided as a service in a cloud environment.
  9. 9 . A computer program product comprising one or more computer readable storage media having program instructions collectively stored on the one or more computer readable storage media, the program instructions executable to: determine whether to group Information Technology (IT) operations data at a first granularity for similar events or a second granularity for related events based on user input of a data grouping event; in response to determining to group the IT operations data at the first level of granularity based on the user input, parse the IT operations data into a first set of event groupings using an event parser based on text information and parser rules according to a text template of one or more keywords, wherein the event parser is a log parser modified to handle specific keywords when creating event templates; in response to determining to group the IT operations data at the second level of granularity based on the user input, transform the IT operations data to multi-dimensional vector data, the multi-dimensional vector data generated by separately embedding data from different sources and merging them using a statistical method; and in response to transforming the IT operations data to multi-dimensional vector data, determine a second set of event groupings density-based spatial clustering algorithm with the multi-dimensional vector data as input.
  10. 10 . The computer program product of claim 9 , wherein the program instructions are further executable to: obtain user feedback indicating the first set of event groupings require modification; automatically determine one or more keywords of the IT operations data using an adaptive artificial intelligence model in response to the user feedback; and automatically update the parser rules based on the one or more keywords, thereby obtaining updated parser rules.
  11. 11 . The computer program product of claim 10 , wherein the determining the one or more keywords of the IT operations data comprises: extracting parameters from the IT operations data; extracting features from the IT operations data; and determining based on an output of a trained classification model with the parameters and the features as inputs, that one or more words are the one or more keywords based on the more or more words have a probability of being keywords greater than a threshold value.
  12. 12 . The computer program product of claim 10 , wherein the program instructions are further executable to update the trained classification model based on the determining the one or more keywords.
  13. 13 . The computer program product of claim 10 , wherein the program instructions are further executable to determine a third set of event groupings using a trained data classification model with the multi-dimensional vector data as input.
  14. 14 . The computer program product of claim 13 , wherein the program instructions are further executable to update classification labels of the trained classification model based on user feedback regarding the third set of event groupings.
  15. 15 . A system comprising: a processor, a computer readable memory, one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions executable to: determine whether to group Information Technology (IT) operations data at a first level of granularity for similar events or a second level of granularity for related events based on user input of a data grouping event; in response to determining to group the IT operations data at the first level of granularity based on the user input, parse the IT operations data into a first set of event groupings using an event parser based on text information and parser rules according to a text template of one or more keywords, wherein the event parser is a log parser modified to handle specific keywords when creating event templates; in response to determining to group the IT operations data at the second level of granularity based on the user input, transform the IT operations data to multi-dimensional vector data, the multi-dimensional vector data generated by separately embedding data from different sources and merging them using a statistical method; and in response to transforming the IT operations data to multi-dimensional vector data, determine a second set of event groupings using a density-based spatial clustering algorithm with the multi-dimensional vector data as input.
  16. 16 . The system of claim 15 , wherein the program instructions are further executable to: obtain user feedback indicating the first set of event groupings require modification; automatically determine one or more keywords of the IT operations data using an adaptive artificial intelligence model in response to the user feedback; and automatically update the parser rules based on the one or more keywords, thereby obtaining updated parser rules.
  17. 17 . The system of claim 15 , wherein the determining the one or more keywords of the IT operations data comprises: extracting parameters from the IT operations data; extracting features from the IT operations data; and determining based on an output of a trained classification model with the parameters and the features as inputs, that one or more words are the one or more keywords based on the more or more words have a probability of being keywords greater than a threshold value.
  18. 18 . The system of claim 17 , wherein the program instructions are further executable to update the trained classification model based on the determining the one or more keywords.
  19. 19 . The system of claim 15 , wherein the program instructions are further executable to determine a third set of event groupings using the density-based spatial clustering algorithm with the multi-dimensional vector data as input.
  20. 20 . The system of claim 19 , wherein the program instructions are further executable to update classification labels of the trained classification model based on user feedback regarding the third set of event groupings.

Description

BACKGROUND Aspects of the present invention relate generally to Artificial Intelligence Operations (AIOps) and, more particularly, to systems and methods for adaptive multi-granularity event grouping of information technology (IT) operations data. With the proliferation of DevOps (development and operations) software and the rapid adaption of advanced technologies like cloud computing, information technology (IT) data volumes have exploded and become a challenge in recent years. To address this pressing problem, artificial intelligence for IT operations (AIOps) tools have been adopted to help IT teams manage data volumes. The term AIOps generally refers to machine learning analytics technology that enhances IT operations analytics. One AIOps task of note is event grouping. In general, the term event grouping refers to a process of searching for similar or related individual data records, such as logs and tickets, and grouping the similar or related data records together. Event grouping has played an important role in recent years with the increasing complexity and scalability of IT services. With the help of event grouping, AIOps systems can analyze root causes, detect anomalies, and discovery underlying patterns in data records (e.g., big data). However, although the function of event grouping has been employed in many tools and products, existing event grouping methods have many shortcomings. As an example, it is difficult for existing event grouping solutions to fully adapt to requirements of different customers, since the solutions are developed from basic log parsers or cluster methods, and only allow limited customization. Therefore, such event grouping solutions require engineers to manually go through massive data records, which is time consuming and makes the event grouping performance extremely dependent on the expertise of engineers. SUMMARY In a first aspect of the invention, there is a computer-implemented method including: determining, by a computing device, to group IT operations data at a first level of granularity for similar events or at a second level of granularity for related events based on user input of a data grouping event; parsing, by an event parser of the computing device, the IT operations data into one or more groups of similar events based on text information and parser rules in response to determining to group the IT operations data at the first level of granularity; obtaining, by the computing device, user feedback indicating the one or more groups of similar events require modification; determining, by the computing device, one or more keywords of the IT operations data using an artificial intelligence model in response to the user feedback; and updating, by the computing device, the parser rules for the event parser based on the one or more keywords, thereby generating updated parser rules. In another aspect of the invention, there is a computer program product including one or more computer readable storage media having program instructions collectively stored on the one or more computer readable storage media. The program instructions are executable to: determine whether to group IT operations data at a first granularity for similar events or a second granularity for related events based on user input of a data grouping event; in response to determining to group the IT operations data at the first level of granularity based on the user input, parse the IT operations data into a first set of event groupings using an event parser based on text information and parser rules; in response to determining to group the IT operations data at the second level of granularity based on the user input, transform the IT operations data to multi-dimensional vector data; and in response to transforming the IT operations data to multi-dimensional vector data, determine a second set of event groupings using a clustering method with the multi-dimensional vector data as input. In another aspect of the invention, there is system including a processor, a computer readable memory, one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media. The program instructions are executable to: determine whether to group IT operations data at a first level of granularity for similar events or a second level of granularity for related events based on user input of a data grouping event; in response to determining to group the IT operations data at the first level of granularity based on the user input, parse the IT operations data into a first set of event groupings using an event parser based on text information and parser rules; in response to determining to group the IT operations data at the second level of granularity based on the user input, transform the IT operations data to multi-dimensional vector data; and in response to transforming the IT operations data to multi-dimensional vector data, determine a second set of e