Examples of multiple resource pattern processing

This topic presents some very simple examples of event pattern processing with multiple resource fields.

Before you begin

In order to process multiple resource columns, you must have configured multiple resource fields in the pattern definitions. For more information on creating pattern definitions, see Creating and editing event patterns.

About this task

For the sake of simplicity, these examples keep the value of the event type constant, in order to present the impact of changing the settings associated with multiple resource columns. The event type is held in the AlertGroup field, and the value of event type used for this example is power, indicating that the event is associated with a power issue.

Example 1: Single event type value with two resource fields

The resource information is distributed across two different event columns:
  • Node
  • NodeAlias
Distribution of resource information across two different event columns simulates a scenario where resource data is held in different event columns. One possible reason for this is consolidation of event data from different sources within an organization.
The following event snippet displays the dataset used in this example.
Identifier          Node               NodeAlias               AlertGroup       FirstOccurrence
event00000000       node00000000       aliasnode00000000       power            2020-04-07 00:11:00
event00000001       node00000001       aliasnode00000001       power            2020-04-07 00:09:00
event00000002       node00000002       aliasnode00000002       power            2020-04-07 00:07:00
event00000003       node00000003       aliasnode00000003       power            2020-04-07 00:05:00
event00000004       node00000004       aliasnode00000004       power            2020-04-07 00:03:00
event00000005       node00000005       aliasnode00000005       power            2020-04-07 00:01:00
event00000006       node00000006       aliasnode00000006       power            2020-04-06 23:59:00
event00000007       node00000007       aliasnode00000007       power            2020-04-06 23:57:00
event00000008       node00000008       aliasnode00000008       power            2020-04-06 23:55:00
event00000009       node00000009       aliasnode00000009       power            2020-04-06 23:53:00
The following configuration settings can be applied to this dataset:
Name similarity
Name similarity can be switched ON or OFF. For more information about name similarity, see Extending patterns.
Multiple resource correlation logic parameter
The repattern_multiresource_correlation_logic parameter specifies the Boolean logic to be applied by the event pattern processing system when resource data is held in multiple event columns. This parameter can take the values OR and AND. For more information about this parameter, see Configuring multiple resource columns.
The following table shows how event pattern results vary when these settings are configured in different ways:
Table 1. Event patterns results
Row  Name similarity  Multiple resource correlation logic  Number of event pattern instances  Number of events in each pattern instance
1    ON               OR                                   1                                  10 events
2    ON               AND                                  10                                 1 event
3    OFF              OR                                   10                                 1 event
4    OFF              AND                                  10                                 1 event
The results demonstrate the following rules:
  • Name similarity is ignored when AND logic is being applied. This can be seen from row 2, where even though name similarity is set to ON, the events are not grouped into a single pattern instance, meaning that the pattern processing treats all of the Node and NodeAlias values as if they are different, even though they meet the name similarity criteria.
    Note: The same rule applies to regular expressions. These are also ignored when AND logic is being applied.
  • AND logic is order specific, meaning that the resource values are strictly matched with the respective resource name. This can be seen from row 1, where a single pattern instance is produced because the resource values within Node and NodeAlias are consistent: the Node column always contains a resource value of the form node0000000x and the NodeAlias column always contains a resource value of the form aliasnode0000000x.

Example 2: Single event type value with two resource fields including empty strings

The resource information is distributed across two different event columns:
  • Node
  • NodeAlias
Distribution of resource information across two different event columns simulates a scenario where resource data is held in different event columns. One possible reason for this is consolidation of event data from different sources within an organization.
The following event snippet displays the dataset used in this example. Notice that some of the resource values are empty strings.
Identifier          Node               NodeAlias               AlertGroup       FirstOccurrence
event00000000       node00000000                               power            2020-04-07 00:11:00
event00000001                          node00000001            power            2020-04-07 00:09:00
event00000002       node00000002                               power            2020-04-07 00:07:00
event00000003                          node00000003            power            2020-04-07 00:05:00
event00000004       node00000004                               power            2020-04-07 00:03:00
event00000005                          node00000005            power            2020-04-07 00:01:00
event00000006       node00000006                               power            2020-04-06 23:59:00
event00000007                          node00000007            power            2020-04-06 23:57:00
event00000008       node00000008                               power            2020-04-06 23:55:00
event00000009                          node00000009            power            2020-04-06 23:53:00
The following configuration settings can be applied to this dataset:
Name similarity
Name similarity can be switched ON or OFF. For more information about name similarity, see Extending patterns.
Multiple resource correlation logic parameter
The repattern_multiresource_correlation_logic parameter specifies the Boolean logic to be applied by the event pattern processing system when resource data is held in multiple event columns. This parameter can take the values OR and AND. For more information about this parameter, see Configuring multiple resource columns.
The following table shows how event pattern results vary when these settings are configured in different ways:
Table 2. Event patterns results
Row  Name similarity  Multiple resource correlation logic  Number of event pattern instances  Number of events in each pattern instance
1    ON               OR                                   1                                  10 events
2    ON               AND                                  0                                  Not applicable
3    OFF              OR                                   10                                 1 event
4    OFF              AND                                  0                                  Not applicable
The results demonstrate the following rules:
  • Name similarity is effective when OR logic is being applied. This can be seen from row 1, where the events are grouped into a single pattern instance. This happens because the OR logic enables name similarity to be applied to all of the events on both resource columns. By eliminating the leading and trailing edge characters, name similarity determines that all of the resource names are similar and this results in a single pattern instance.
    Note: The same rule applies to regular expressions. These are also effective when OR logic is being applied.
  • AND logic is only effective when an event being considered for inclusion in a pattern has more than one resource defined. This can be seen from rows 2 and 4, where no pattern instances at all are produced.
  • NULL and empty strings render the resource specified in the event invalid. This is illustrated by rows 2 and 4, where no pattern instances are created when AND logic is applied.
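
The rules from both examples can be checked against the two result tables with a small model. This is an added example, not the product's implementation: it is a simplified grouping model, and the names make_events, similar_key, pattern_instances and results_table are hypothetical. It assumes that name similarity can be approximated by dropping trailing digits, and it rebuilds the two datasets above as constructed sample input.

```python
import re

RESOURCE_FIELDS = ("Node", "NodeAlias")  # resource columns used on this page

def make_events(example):
    """Rebuild the ten-event dataset of Example 1 or Example 2 (constructed)."""
    events = []
    for i in range(10):
        name = f"node{i:08d}"
        if example == 1:
            node, alias = name, "alias" + name
        else:  # Example 2: the value alternates between columns, the other is ""
            node, alias = (name, "") if i % 2 == 0 else ("", name)
        events.append({"Identifier": f"event{i:08d}", "Node": node,
                       "NodeAlias": alias, "AlertGroup": "power"})
    return events

def similar_key(value):
    # Assumption: crude stand-in for name similarity (drops trailing digits).
    return re.sub(r"\d+$", "", value)

def pattern_instances(events, name_similarity, logic):
    """Return the sorted event counts, one entry per pattern instance."""
    groups = []  # each entry: (set of match keys, list of event identifiers)
    for ev in events:
        values = [ev[f] for f in RESOURCE_FIELDS]
        if logic == "AND":
            # Every column must hold a value; name similarity is ignored and
            # values are matched column by column (order specific).
            if not all(values):
                continue
            keys = {tuple(values)}
        else:  # OR: any populated column can supply a matching resource
            keys = {similar_key(v) if name_similarity else v
                    for v in values if v}
            if not keys:
                continue
        keys = {(ev["AlertGroup"], k) for k in keys}
        ids = [ev["Identifier"]]
        # Merge with every existing instance that shares at least one key.
        for group in [g for g in groups if g[0] & keys]:
            groups.remove(group)
            keys |= group[0]
            ids += group[1]
        groups.append((keys, ids))
    return sorted(len(ids) for _, ids in groups)

def results_table(example):
    events = make_events(example)
    return [(sim, logic, pattern_instances(events, sim, logic))
            for sim in (True, False) for logic in ("OR", "AND")]
```

results_table(1) and results_table(2) return the rows in the same order as Table 1 and Table 2, with True and False standing for name similarity ON and OFF.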