Examples of multiple resource pattern processing
This topic presents some very simple examples of event pattern processing with multiple resource fields.
Before you begin
In order to process multiple resource columns, you must have configured multiple resource fields in the pattern definitions. For more information on creating pattern definitions, see Creating and editing event patterns.
About this task
For the sake of simplicity, these examples keep the value of the event type constant, in order to present the impact of changing the settings associated with multiple resource columns. The event type is held in the AlertGroup field, and the value of event type used for this example is power, indicating that the event is associated with a power issue.
Example 1: Single event type value with two resource fields
The resource information is distributed across two different event columns:
- Node
- NodeAlias
The following event snippet displays the dataset used in this example.
Identifier | Node | NodeAlias | AlertGroup | FirstOccurrence
---|---|---|---|---
event00000000 | node00000000 | aliasnode00000000 | power | 2020-04-07 00:11:00
event00000001 | node00000001 | aliasnode00000001 | power | 2020-04-07 00:09:00
event00000002 | node00000002 | aliasnode00000002 | power | 2020-04-07 00:07:00
event00000003 | node00000003 | aliasnode00000003 | power | 2020-04-07 00:05:00
event00000004 | node00000004 | aliasnode00000004 | power | 2020-04-07 00:03:00
event00000005 | node00000005 | aliasnode00000005 | power | 2020-04-07 00:01:00
event00000006 | node00000006 | aliasnode00000006 | power | 2020-04-06 23:59:00
event00000007 | node00000007 | aliasnode00000007 | power | 2020-04-06 23:57:00
event00000008 | node00000008 | aliasnode00000008 | power | 2020-04-06 23:55:00
event00000009 | node00000009 | aliasnode00000009 | power | 2020-04-06 23:53:00
The following configuration settings can be applied to this dataset:
- Name similarity: Name similarity can be switched ON or OFF. For more information about name similarity, see Extending patterns.
- Multiple resource correlation logic parameter: The repattern_multiresource_correlation_logic parameter specifies the Boolean logic to be applied by the event pattern processing system when resource data is held in multiple event columns. This parameter can take the values OR and AND. For more information about this parameter, see Configuring multiple resource columns.
The following table shows how event pattern results vary when these settings are configured in different ways:
Row | Name similarity | Multiple resource correlation logic | Number of event pattern instances | Number of events in each pattern instance
---|---|---|---|---
1 | ON | OR | 1 | 10 events
2 | ON | AND | 10 | 1 event
3 | OFF | OR | 10 | 1 event
4 | OFF | AND | 10 | 1 event
The results demonstrate the following rules:
- Name similarity is ignored when AND logic is being applied. This can be seen from row 2, where even though name similarity is set to ON, the events are not grouped into a single pattern instance, meaning that the pattern processing treats all of the Node and NodeAlias values as if they are different, even though they meet the name similarity criteria. Note: The same rule applies to regular expressions. These are also ignored when AND logic is being applied.
- AND logic is order specific, meaning that the resource values are strictly matched with the respective resource name. This can be seen from row 1, where a single pattern instance is produced, and this is because the resource values within Node and NodeAlias are consistent: the Node column always contains a resource value of the form node0000000x and the NodeAlias column always contains a resource value of the form aliasnode0000000x.
Example 2: Single event type value with two resource fields including empty strings
The resource information is distributed across two different event columns:
- Node
- NodeAlias
The following event snippet displays the dataset used in this example. Notice that some of the resource values are empty strings.
Identifier | Node | NodeAlias | AlertGroup | FirstOccurrence
---|---|---|---|---
event00000000 | node00000000 | | power | 2020-04-07 00:11:00
event00000001 | node00000001 | | power | 2020-04-07 00:09:00
event00000002 | node00000002 | | power | 2020-04-07 00:07:00
event00000003 | node00000003 | | power | 2020-04-07 00:05:00
event00000004 | node00000004 | | power | 2020-04-07 00:03:00
event00000005 | node00000005 | | power | 2020-04-07 00:01:00
event00000006 | node00000006 | | power | 2020-04-06 23:59:00
event00000007 | node00000007 | | power | 2020-04-06 23:57:00
event00000008 | node00000008 | | power | 2020-04-06 23:55:00
event00000009 | node00000009 | | power | 2020-04-06 23:53:00
The following configuration settings can be applied to this dataset:
- Name similarity: Name similarity can be switched ON or OFF. For more information about name similarity, see Extending patterns.
- Multiple resource correlation logic parameter: The repattern_multiresource_correlation_logic parameter specifies the Boolean logic to be applied by the event pattern processing system when resource data is held in multiple event columns. This parameter can take the values OR and AND. For more information about this parameter, see Configuring multiple resource columns.
The following table shows how event pattern results vary when these settings are configured in different ways:
Row | Name similarity | Multiple resource correlation logic | Number of event pattern instances | Number of events in each pattern instance
---|---|---|---|---
1 | ON | OR | 1 | 10 events
2 | ON | AND | 0 | Not applicable
3 | OFF | OR | 10 | 1 event
4 | OFF | AND | 0 | Not applicable
The results demonstrate the following rules:
- Name similarity is effective when OR logic is being applied. This can be seen from row 1, where the events are not grouped into a single pattern instance. This happens because the OR logic enables name similarity to be applied to all of the events on both resource columns. By eliminating the leading and trailing edge characters, name similarity determines that all of the resource names are similar and this results in a single pattern instance. Note: The same rule applies to regular expressions. These are also effective when OR logic is being applied.
- AND logic is only effective when an event being considered for inclusion in a pattern has more than one resource defined. This can be seen from rows 2 and 4, where no pattern instances at all are produced.
- NULL and empty strings render the resource specified in the event invalid. This is illustrated by rows 2 and 4, where no pattern instances are created when AND logic is applied.
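The following added example is a simplified model of the grouping behaviour described in Examples 1 and 2; it is not the product's own code or algorithm. It reproduces the two result tables on constructed copies of the datasets. The core() function (dropping one leading and one trailing character) is an assumed stand-in for name similarity, and all function names are hypothetical.

```python
RESOURCE_FIELDS = ("Node", "NodeAlias")  # resource columns used in both examples

def core(name, lead=1, tail=1):
    # Assumed stand-in for name similarity: drop edge characters, compare the rest.
    return name[lead:len(name) - tail]

def pattern_instances(events, logic, name_similarity):
    """Return pattern instances as lists of event Identifiers (model only)."""
    groups = []  # each entry: (set of match keys, [identifiers])
    for ev in events:
        values = [ev.get(f) for f in RESOURCE_FIELDS]
        if logic == "AND":
            # NULL or an empty string makes the event's resource invalid.
            if not all(values):
                continue
            # Order specific, exact match; name similarity is ignored.
            keys = {tuple(values)}
        else:  # OR
            present = [v for v in values if v]
            if not present:
                continue
            keys = {core(v) if name_similarity else v for v in present}
        # Merge every existing group that shares a key with this event.
        merged_keys, merged_ids = set(keys), [ev["Identifier"]]
        rest = []
        for gkeys, gids in groups:
            if gkeys & keys:
                merged_keys |= gkeys
                merged_ids = gids + merged_ids
            else:
                rest.append((gkeys, gids))
        groups = rest + [(merged_keys, merged_ids)]
    return [ids for _, ids in groups]

def make_events(with_alias):
    # Constructed data mirroring the datasets of Example 1 and Example 2.
    return [{"Identifier": f"event{i:08d}", "Node": f"node{i:08d}",
             "NodeAlias": f"aliasnode{i:08d}" if with_alias else "",
             "AlertGroup": "power"} for i in range(10)]

def summary(events, logic, name_similarity):
    # (number of pattern instances, distinct instance sizes)
    inst = pattern_instances(events, logic, name_similarity)
    return len(inst), sorted({len(i) for i in inst})

if __name__ == "__main__":
    for label, data in (("Example 1", make_events(True)), ("Example 2", make_events(False))):
        for sim in (True, False):
            for logic in ("OR", "AND"):
                print(label, "similarity", "ON" if sim else "OFF", logic, summary(data, logic, sim))
```
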