Specifying event pattern criteria
Specify the criteria for your pattern, and the method by which to identify the parent event for any resulting event groups: synthetic parent or most important event. You can also test the pattern to see what groups it would generate based on existing live data.
Procedure
- Start the Events Pattern portlet for a group. For more information about starting the portlet, see Creating a pattern from an unallocated group.
- Complete the parameter fields in the Pattern Criteria tab of the Events Pattern portlet.
- Merge into
- Merge a Related Event Group into an existing pattern or select NONE to create a new pattern. To merge a group into a pattern, select from the list of patterns with one or more event types in common. NONE is the default option.
- Name
- The name of the pattern. The name must contain alphanumeric characters. Special characters are not permitted.
- Pattern Filter
- The ObjectServer SQL filter that is applied to the pattern. This filter is used to restrict the events to which the pattern is applied. For example, enter Summary NOT LIKE '%maintenance%'.
- If a pattern filter was provided at the time that the configuration was created, then this text box is populated with that filter.
Note: If there is a pattern filter set for the configuration, then this is known as the default pattern filter. The default pattern filter applies to any patterns generated after the configuration is saved. For more details, see the information on the Pattern tab in Creating a new or modifying an existing analytics configuration. In addition, this default filter appears to the left of the text box, so that if you change the filter and then want to revert to the default, you can simply copy and paste without having to leave this screen.
- If there is no default filter for the configuration then this text box is empty.
- You should also be aware of the following:
- If a pattern is deployed or watched with a given filter applied, then the deployed or watched pattern remains unchanged even if the default filter for the underlying configuration is changed.
- If you merge this pattern into another pattern using the Merge Into drop-down list on this screen and that pattern has an associated filter, then that filter will populate this text box.
- Time between first and last event
- The maximum time that can elapse between the occurrence of the first event and the last event in this pattern, which is measured in minutes. The default value is determined by the Related Events Group on which the pattern is based. Events that occur outside of this time window are not considered part of this group.
- Trigger Action
- Select the Trigger Action check box to group the live events when the selected event comes into the ObjectServer. When an event with the selected event type occurs, the grouping is triggered to start. The created grouping includes events that contain all of the selected event types.
- For example, if the following three event types are part of the pattern criteria, A, B, and C, with only the Trigger Action check box for event C selected, the grouping only occurs when an event with event type C occurs. The grouping contains events that contain all three event types.
Note: A group will be triggered even if only one event with the triggering event type occurs. In this case a group will be created in the Event Viewer made up either of a synthetic event and the triggering event as a child event, or of the triggering event as both parent and child event, depending on how you configure the Parent Event tab of the Events Pattern portlet, in step 3.
- Event Type
- The event type or types that are included in the pattern. The Event Type is prepopulated with existing event types for the selected pattern, and can be modified.
Note: Origin of event type. Triangle, circle, and square icons signify where the event types originate from, when a group is merged into an existing pattern.
- Triangle: Common to both the existing pattern and the group.
- Circle: Part of the group.
- Square: Part of the existing pattern.
- Resource Column(s)
- The resource or resources to which the action is applied. The Resource Column(s) is prepopulated with existing event type resources for the selected pattern, and can be modified. To modify the selection, click the drop-down list arrow and select one or more columns from the checklist.
- Name similarity and regular expressions
- In contrast to exact match, name similarity and regular expressions provide the ability to identify patterns where the names of the resources in the pattern are not exactly the same.
- In the case of name similarity, the resources in the pattern must be sufficiently similar to meet the name similarity algorithm criteria. By default name similarity is enabled.
Table 1. More information on name similarity
| For more information on... | See... |
| --- | --- |
| How name similarity works | Extending patterns |
| A name similarity example | Examples of name similarity |
| How to configure name similarity | Configuring name similarity |
- In the case of regular expressions, the resources in the pattern must match the defined regular expression.
- Multiple resource columns
- If you specify multiple resource columns, then by default these columns will be combined using OR logic. You can configure whether multiple resource columns should be combined using AND or OR logic. For more information, see Configuring multiple resource columns.
- OR logic: correlates two events by resource as soon as the criteria are met for just one pattern resource definition.
- AND logic: correlates two events by resource only once criteria are met for all of the pattern resource definitions.
Note: If you configure AND logic, and an event comes in with any one of its multiple resource columns set to NULL, then that event is automatically excluded from pattern processing.
Note: Duplicate Event Type and Resource Columns pairs are not permitted.
- Regular Expression
- (Optional) Click the regular expression icon to specify a regular expression to test for matches within unstructured resource information in the selected resource column.
- Exact match only creates groups if all the resource strings in the resource field (for example, in the Node field) are identical. Using regular expressions, you can extract a portion of the resource string from the resource field and group on that portion.
The following example demonstrates how regular expressions can be used to provide more fine grained related event groups. Assume your Node field contains resources made up of country, a city, and a suffix such as .com, such as the following:
Italy-Rome.com
Italy-Milan.com
UK-London.com
UK-Belfast.com
The following regular expression is applied to the Node field using the regular expression grouping capability:
([a-zA-Z].*)-([a-zA-Z].*).com
Based on the four examples, the following would be extracted:
| Node | Extracted group 1 | Extracted group 2 |
| --- | --- | --- |
| Italy-Rome.com | Italy | Rome |
| Italy-Milan.com | Italy | Milan |
| UK-London.com | UK | London |
| UK-Belfast.com | UK | Belfast |
Note that the first group extracted by the regular expression is the one that is used. In the example, two event groups would be created: the first based on the extracted resource string Italy, the second based on the extracted resource string UK.
Resource names that match the regular expression are identified when the Events Pattern is created. A single group in the Event Viewer is created for all events whose resource columns contain text that matches the regular expression.
Note: A regular expression can only be specified under the following conditions:
- One column has been selected for the resource.
- Multiple columns with OR logic have been selected for the resource. OR logic is the default.
For more information about creating and editing regular expressions, see Applying a regular expression to the pattern criteria.
- In the Parent Event tab of the Events Pattern portlet, select one of the following parent event options.
- Most Important Event by Type
- The system checks the events as they occur. The events are ranked based on the order defined in the UI. The highest ranking event is the parent. The parent event changes if a higher ranking event occurs after a lower ranking event. To prevent a dynamically changing parent event, select Synthetic Event.
- You can manually reorder the ranking by selecting an event and clicking the Move Up and Move Down arrows.
- Synthetic Event
- Create an event to act as the parent event or select Use Selected Event as Template to use an existing event as the parent event.
To create or modify a synthetic event, populate the following parameter fields, as required. All of the synthetic event fields are optional.
- Node
- The managed entity from which the event originated. Displays the managed entity from which the seasonal event originated.
- Summary
- The event description.
- Severity
- The severity of the event. Select one of the following values from the Severity drop-down list.
- Critical
- Major
- Minor
- Warning
- Indeterminate
- Clear
- Alert Group
- The Alert Group to which the event belongs.
- Add additional fields
- Select the Add additional fields check box to add more fields to the synthetic parent event.
- In the Test tab of the Events Pattern portlet, you can run a test to display the existing auto-discovered groups that match the pattern criteria. The test displays the types of events that are matched by the chosen criteria. To run the test, select Run Test. To cancel the test at any time, select Cancel Test.
- To save, watch, or deploy the pattern, select one of the following options.
- Select Save to save the pattern details to the View Related Events New tab.
- Select Watch to add the pattern to the View Related Events Watched tab.
- Select Deploy to add the pattern to the View Related Events Active tab.
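The regular expression grouping described under Regular Expression in step 2, as an added example in Python that is not part of the product or its documentation: it groups the page's four Node values by the first capture group, then runs constructed edge-case values to show how the greedy .* and the unescaped . in the page's expression change the extracted resource string. The tightened expression, the helper names, the extra Node values and the use of Python re.search semantics are assumptions.

```python
import re
from collections import defaultdict

# Regular expression quoted on the page (note the unescaped "." and greedy ".*").
PAGE_REGEX = r"([a-zA-Z].*)-([a-zA-Z].*).com"
# Tightened variant (hypothetical, not from the page): anchored, letters only,
# literal dot before "com".
STRICT_REGEX = r"^([A-Za-z]+)-([A-Za-z]+)\.com$"

# Node values from the page's example.
PAGE_NODES = ["Italy-Rome.com", "Italy-Milan.com", "UK-London.com", "UK-Belfast.com"]
# Constructed edge cases (not from the page).
EDGE_NODES = ["UK-London-dc2.com", "Italy-Romexcom", "10.20.30.40"]


def extract_resource(pattern, node):
    """Return the first capture group, the one the page says is used, or None."""
    match = re.search(pattern, node)  # assumption: "contains text that matches"
    return match.group(1) if match else None


def group_nodes(pattern, nodes):
    """Map each extracted resource string to its Node values; key None holds non-matches."""
    groups = defaultdict(list)
    for node in nodes:
        groups[extract_resource(pattern, node)].append(node)
    return dict(groups)


if __name__ == "__main__":
    for label, pattern in (("page", PAGE_REGEX), ("strict", STRICT_REGEX)):
        print(label, pattern)
        for resource, members in group_nodes(pattern, PAGE_NODES + EDGE_NODES).items():
            print(f"  {resource!r}: {members}")
```

With the page's expression, the constructed value UK-London-dc2.com yields the resource string UK-London rather than UK, so its events would not join the UK group; testing a pattern in the Test tab against live data is the place to catch this kind of split.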
Results
- If the patterns display 0 group and 0 events, the pattern creation process might not be finished. To confirm that the process is running:
- Append the policy name to the policy logger file from the Services tab, Policy Logger service. For more information about configuring the Policy logger, see https://www.ibm.com/docs/SSSHYH_7.1.0/user/policy_logger_service_window.html.
- Check the following log file.
$IMPACT_HOME/logs/<serverName>_policylogger_PG_ALLOCATE_PATTERNS_GROUPS.log
- After creating a new pattern, the allocation of groups to the pattern happens in the background, via a policy. If the new pattern does not have any groups allocated (this is determined by the data set) then the new pattern will be deleted. For more information, see the following technote: http://www.ibm.com/support/docview.wss?uid=swg22012714.
- A pattern will not have any groups allocated under the following conditions:
- Name similarity has been switched off. By default it is on.
- No regular expressions have been associated with the pattern.
- Resource names identified in any potential groups are different.