hi,
is my understanding correct that you are trying to detect sets of 
events, where the ordering of events inside a set can be arbitrary?
In other words, instead of arriving in the order (a1, a2, a3, a4, a5), 
events could also come in the order (a5, a3, a2, a4, a1)?

If that is the case, then in the SEC FAQ there is a recipe for this:
http://simple-evcorr.sourceforge.net/FAQ.html#3.20

However, for the next major release of SEC I have planned a separate 
rule type for recognizing unordered sets of events.

with kind regards,
risto

On 10/12/2010 03:55 PM, M Haris Farooque wrote:
>   Hello,
>
> I have several sets of problem-scenarios (around 20) which I analyzed
> within a network. Each problem-scenario generates a set of alerts or events.
>
> scenario1: a1, a2, a3, a4, a5
> scenario2: a3, a2, a4, a5, a6
> scenario3: a4, a6, a5, a7
> ...
>
> for example,
>
> Scenario #1: MM-application Down:
> -----------------------------------------
> possible generated alerts are: a1, a2, a3, a4, a5
> which occur in a total time interval of, say, 300 seconds (5 mins).
> I need to propose the correct failure situation to my network
> administrator. What I am doing is, when any such event occurs for the
> 1st time, I am creating a Context and adding this event to it. Then for all
> subsequent events I am adding them to the same context.
>
>
> # Rule 1: Create Context when 1st time event occurs
> type=Single
> ptype=RegExp
> pattern=.*a1|a2|a3|a4|a5.*
> desc=MM Application Problem
> context=!MM_Problem
> action=create MM_Problem 300; add MM_Problem "1st Event: $0"
>
> ##
> # Rule 2: Add subsequent Events
> #
> type=Single
> ptype=RegExp
> pattern=.*ssh_tcp_dd|ssh_gprsstatus.*
> desc=Adding Subsequent events because of MM Problem
> context=MM_Problem
> action=add MM_Problem "Additional Event: $0";
>
> The events are added to the context, but how would I take the final action
> when all events have occurred? That is, how can I notify SEC to send an email
> to the administrator with particular information? In Rule 2, I tried with
> 'SingleWith2Thresholds', but it didn't work!
>
> What is the better way to handle such problem?
>
> Is there any possibility to add all occurring events to a context
> instantly until a threshold limit is exceeded and then take some action?
> Let me know if I didn't clarify my query.
>
> --
>
> Kind Regards/Mit freundlichen Grüßen
>
> M Haris
> Daimler-Fleetboard GmbH
> D-70546 Stuttgart
> Tel: +49 (711) 179 56 10
> Mob: +49 (176) 470 96 991
>
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
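
The unordered-set detection discussed in this thread, as an added example (not part of the original messages and not the FAQ recipe itself). The names a1..a5, the 300 second window and the MM_Problem context come from the question; the MM_SEEN_* marker contexts, the \b-delimited pattern and the mail recipient are assumptions.

```conf
# Added example: a1..a5 stand in for the real alert strings.

# Rule 1: the first event of the scenario opens a 300 s window.
# If the window expires before the set is complete, the per-event
# marker contexts are cleaned up by the context's action list.
type=Single
ptype=RegExp
pattern=\b(a[1-5])\b
context=!MM_Problem
continue=TakeNext
desc=MM application problem: window opened by $1
action=create MM_Problem 300 ( delete MM_SEEN_a1; delete MM_SEEN_a2; \
       delete MM_SEEN_a3; delete MM_SEEN_a4; delete MM_SEEN_a5 )

# Rule 2: record each distinct event once, in whatever order it arrives,
# and store the matching line in MM_Problem for the final report.
type=Single
ptype=RegExp
pattern=\b(a[1-5])\b
context=MM_Problem && !MM_SEEN_$1
continue=TakeNext
desc=MM application problem: saw $1
action=create MM_SEEN_$1; add MM_Problem $0

# Rule 3: once all five markers exist, mail the collected lines and reset.
# admin@example.com is a placeholder recipient.
type=Single
ptype=RegExp
pattern=\b(a[1-5])\b
context=MM_SEEN_a1 && MM_SEEN_a2 && MM_SEEN_a3 && MM_SEEN_a4 && MM_SEEN_a5
desc=MM application down: a1..a5 all seen within 300 s
action=report MM_Problem /bin/mail -s "%s" admin@example.com; \
       delete MM_Problem; delete MM_SEEN_a1; delete MM_SEEN_a2; \
       delete MM_SEEN_a3; delete MM_SEEN_a4; delete MM_SEEN_a5
```

The window is anchored at the first event seen, so a set whose remaining events arrive more than 300 seconds after that first event is not reported. Repeated events inside the window are ignored rather than counted.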

