TLDR: MicroRCA-Agent is an innovative system that uses large language model agents to automatically identify the root causes of faults in microservice architectures. It achieves this by combining advanced log parsing (Drain algorithm), dual anomaly detection for service traces (Isolation Forest and status codes), and a two-stage large language model approach for summarizing performance metrics across different system levels. The system integrates these diverse data types through carefully designed prompts, enabling comprehensive reasoning and providing structured fault analysis results, ultimately achieving a high score of 50.71 in complex microservice fault scenarios.
In the intricate world of microservices, identifying the exact cause of a system failure can be a daunting task. Traditional methods often fall short in dealing with the sheer volume and complexity of data generated by these distributed systems. This is where MicroRCA-Agent steps in, offering an innovative solution for microservice root cause analysis (RCA) powered by large language model (LLM) agents. Developed by Pan Tang, Shixiang Tang, Huanqi Pu, Zhiqing Miao, and Zhixing Wang, this system aims to construct an intelligent fault root cause localization system by fusing multimodal data.
The MicroRCA-Agent introduces three key technical innovations to tackle the challenges of microservice fault diagnosis. First, it efficiently compresses massive log data into high-quality fault features by combining the pre-trained Drain log parsing algorithm with a multi-level data filtering mechanism. This significantly reduces the noise and redundancy in logs, making them more manageable for analysis. Second, the system employs a dual anomaly detection approach for service traces. It integrates Isolation Forest, an unsupervised learning algorithm, with status code validation to achieve comprehensive identification of trace anomalies. This means it can detect both performance deviations and explicit error codes in service call chains. Third, MicroRCA-Agent utilizes a statistical symmetry ratio filtering mechanism coupled with a two-stage LLM analysis strategy. This allows for full-stack phenomenon summarization across node, service, and pod hierarchies, providing a holistic view of the system’s state.
The overall design of MicroRCA-Agent is modular, comprising five core components: a data preprocessing module, a log fault extraction module, a trace anomaly detection module, a metric fault summarization module, and a multimodal root cause analysis module. This modularity ensures system integrity, module independence, and enhanced scalability.
Data Preprocessing
This module is responsible for standardizing system data. It parses fault time period information and standardizes timestamp formats across log, trace, and metric data, ensuring accuracy for subsequent cross-modal data correlation.
Log Fault Extraction
Based on a “template + rule” processing architecture, this module uses the pre-trained Drain model to automatically extract log templates. It merges log entries with similar semantics, effectively compressing raw logs into high-quality fault features through a multi-level filtering mechanism that includes file localization, time window filtering, error keyword filtering, and sample deduplication.
Trace Fault Detection
Adopting a hybrid detection strategy, this module leverages the Isolation Forest algorithm to detect duration anomalies in parent pod-child pod call chains. Additionally, it implements a status analysis function to identify call failure patterns by extracting status codes and messages. It outputs the top 20 most frequent anomalous call combinations and detailed status anomaly information.
Metric Fault Summarization
This module designs a statistical symmetric ratio filtering strategy combined with a hierarchical two-stage LLM analysis approach. It first filters out normal data, significantly reducing the context length for the LLM. The first stage of LLM analysis summarizes phenomena at the service and pod levels using Application Performance Monitoring (APM) and database component (TiDB) data. The second stage combines this with node-level infrastructure data for a comprehensive analysis across service, pod, and node levels.
Also Read:
- AI Learns to Fix C++ Code: A New Approach to Compilation Repair
- Navigating Industrial Monitoring: A Look at Rule-Based Versus Data-Driven Systems
Multimodal Root Cause Analysis
This is the core decision-making component. It integrates the processed log, trace, and metric data. Using specialized cross-modal prompts, it leverages the LLM’s cross-modal understanding and logical reasoning capabilities to generate structured analysis results, including fault components, root cause descriptions, and reasoning traces.
The innovation of MicroRCA-Agent lies in its multi-level feature extraction and reasoning architecture. Each module employs highly targeted processing and filtering strategies, tailored to its specific data type, to compress information and reduce computational overhead. The metric analysis component, with its statistical symmetric ratio filtering and two-stage summarization, provides semantically interpretable evidence for root cause localization. In terms of practicality, the solution’s modular and scalable design allows for flexible adaptation to different business and system environments, making it suitable for high-concurrency, large-data-volume production environments.
A comprehensive ablation study validated the complementary value of each data modality and the effectiveness of the system architecture. The metric module showed the most prominent performance when used alone, while the combination of log and metric data achieved the best performance, highlighting their strong synergy. The complete three-modal fusion system achieved a final score of 50.71, demonstrating superior performance in complex microservice fault scenarios. For more details, you can refer to the research paper.
