In message
<9f9834e0731f874c9ef5cd03980b489f07163...@srp00576wn.juliusbaer.com> ,
"Schmid, Christof" writes:

>By the way: I've migrated part of our monitoring from AMiT CEP (which
>means Complex Event Processing, provided by IBM) to SEC.

Cool.

>noticed that for rules within SEC, "window" with a relative time is
>the only parameter that determines the end of an event correlation
>operation. CEP (apart from its weaknesses, i.e. no regex support
>etc)

Yeah I hate that. I have had to write 500 rules where one rule in SEC
will do the trick.

>on the other hand offers a range of possibilities to terminate a
>lifespan (that's their name for event correlation operation),
>including absolute time

SEC can do that as well. It's a little wacky to implement. I usually
use calendar rules, the event action and reset action if I need to
clear a set of possible correlation actions. E.G.

  # set up a correlation and store its description/handle in a context
  # when it triggers. For PairWithWindow or Threshold rules, you may
  # need to use a single rule (with continue = takenext) to perform
  # the storage action when an event that starts the correlation
  # is seen.
  type = pair
  desc = something $1 $2
  action = add reset_correlation_1 "RESET_CORR: %s"
  ...


  # this actually resets the correlation in response to a specifically
  # formatted synthetic event (verified by looking for the
  # _INTERNAL_EVENT context) generated by the "event" action.
  type = single
  desc = reset a correlation whose name is stored in reset_correlation_1
  ptype = regexp
  context = _INTERNAL_EVENT
  pattern = ^RESET_CORR: (.*)$
  action = reset $1

  # at some specific time run the event action on the multiline contents
  # of the reset_correlation_1 context.
  type = calendar
  ... [ a cron spec to specify an absolute time say start of day etc ]
  action = empty reset_correlation_1 %{clear_correlation}; \
           event %{clear_correlation}


>and, even more useful, other events.

This is easier in SEC. Use the reset action from a rule that matches
your termination event(s) to cancel any correlation operation defined
in the *same* file.

Also if you use pair* rules you can start multiple correlations that
match different termination paths and then use reset to kill the other
correlation operations once one matches.

  type = pair
  desc = find X
  continue = takenext
  pattern = start X
  ...
  pattern2 = normal termination
  action2 = reset +1 find X; reset +2 find X;

  type = pair
  desc = find X
  continue = takenext
  pattern = start X
  ...
  pattern2 = abnormal termination 1
  action2 = reset -1 find X; reset +1 find X;

  type = pair
  desc = find X
  continue = dontcont
  pattern = start X
  ...
  pattern2 = abnormal termination 2
  action2 = reset -1 find X; reset -2 find X;

To use reset, you need to be able to create the description of the
correlation from the terminating event (in this case the description
is static 'find X' so easy to create).  Alternatively you can store
the description of the correlation in a context whose name can be
derived from the terminating action. E.G. for an event:

  jobrun[345]: starting example.com job 25

  type = pair
  desc = host $2 job $3
  # some pattern that stores hostname in $2, job in $3
  # and pid of the process in $1
  action = add reset_context_from_pid_$1 %s;

  # and a termination event of 
  # jobrun[345]: crashed
  type = single
  desc = if process with pid crashes reset correlation
  pattern = \[([0-9]+)\]: crashed
  action = empty reset_context_from_pid_$1 %a; \
      delete reset_context_from_pid_$1; \
      reset %a

On the other hand if the termination event was:

  jobrun[345]: crashed example.com starting job 25

You don't need the add action in the pair rule and can just use:

  type = single
    # some pattern that stores hostname in $2, job in $3
    # and pid of the process in $1
  ...
  action = reset host $2 job $3;

Hopefully this helps if you need to implement some of the other
termination mechanisms.

Feel free to read the man page for the details on the reset command
and ask the list if you have questions.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
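
A complete version of the pid-keyed reset described in the message, added here as an example (not code from the original post). The regular expressions, the "finished" line format, the 3600-second window and the write actions are assumptions.

```sec
# Constructed sample input for this added example:
#   jobrun[345]: starting example.com job 25
#   jobrun[345]: crashed
#   jobrun[346]: starting example.com job 25
#   jobrun[346]: finished example.com job 25

# Start one operation per host/job. While it is active, repeated
# "starting" lines for the same host/job are consumed silently, so a
# crash must reset it or the restart at pid 346 would go unreported.
type=Pair
ptype=RegExp
pattern=jobrun\[(\d+)\]: starting (\S+) job (\d+)
desc=host $2 job $3
# Remember the operation description (%s) under a pid-keyed context;
# add creates the context if it does not exist yet.
action=write - started: %s pid $1; add reset_context_from_pid_$1 %s
ptype2=RegExp
# $1..$3 in pattern2 are filled in from the first pattern's match.
pattern2=jobrun\[$1\]: finished $2 job $3
desc2=host %2 job %3 finished
# Normal termination: drop the helper context so it does not linger.
action2=write - %s; delete reset_context_from_pid_%1
window=3600

# The crash line carries only the pid, so look the description up in
# the pid-keyed context. The context guard skips crashes of processes
# for which no correlation was started.
type=Single
ptype=RegExp
pattern=jobrun\[(\d+)\]: crashed
context=reset_context_from_pid_$1
desc=pid $1 crashed, reset its correlation
# empty copies the stored description into %a and clears the store;
# reset without an offset applies to every rule in this file.
action=empty reset_context_from_pid_$1 %a; \
       delete reset_context_from_pid_$1; \
       write - crashed: resetting %a; \
       reset %a
```

To try it, save the rules to a file and run `sec --conf=<file> --input=-`, then paste the sample lines on standard input.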
