Tool Mentor: TEC - Filter Event
TM090 - How to Use IBM Tivoli Enterprise Console to Filter Event
Tool: IBM Tivoli Enterprise Console
Relationships
Main Description

Context

Tool mentors explain how a tool can perform tasks, which are part of ITUP processes and activities. The tasks are listed as Related Elements in the Relationships section.


Details

The IBM® Tivoli® Enterprise Console® product uses a system of Prolog rules to correlate discrete monitoring data into significant events. Moving from raw monitoring data to correlated events is a progression that most customers go through. In the first phase, uncorrelated events are monitored and each condition is reported to the responsible party. Later, as more intelligent rules are written, the rule base grows more sophisticated and only significant events are passed on to the responsible parties.

Included with the product are sample rules for duplicate detection and for correlating network and various business situations. You can use these examples to speed the development of your own correlation rules.

Predicates are provided for identifying and managing duplicate events. The following example from the Tivoli Enterprise Console Rule Builder's Guide illustrates a rule that performs duplicate detection. For more information, consult the Rule Builder's Guide. All current manuals are available on the IBM Web site in the Tivoli Information Center at http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/index.jsp?toc=/com.ibm.itec.doc_3.9/toc.xml

rule: duplicate_detect: (
    event: _ev of_class _cls,
    reception_action: (
        % look back 3600 s (one hour) in the event cache for an earlier event
        % that duplicates _ev; events already CLOSED are ignored
        first_duplicate(_ev, event: _dup_ev
            where [status: outside ['CLOSED']],
            _ev - 3600 - 0),
        add_to_repeat_count(_dup_ev, 1),   % bump the earlier event's repeat_count
        drop_received_event,               % discard the newly received copy
        commit_set                         % skip the remaining rules of this rule set
    )
).

The duplicate_detect rule searches the event cache for an earlier event that duplicates the one just received, looking back one hour (the 3600-second window) and ignoring events whose status is CLOSED. If a duplicate is found, its repeat_count attribute is incremented, the event under analysis is dropped, and commit_set ends rule processing for that event. Which attributes make two events duplicates is decided by the dup_detect facets in the event class definition, so check those before relying on this rule for a given class.

In addition to the Prolog rule engine, the product includes a standalone, state-based correlation engine (SCE).

The purpose of this technology is to avert a flood of events reaching your Tivoli Enterprise Console server and to reduce the event flow to something more manageable and meaningful. The Tivoli Field Guide entitled Tivoli Field Guide - TEC 3.8 State Correlation Engine: How to Prevent TEC from Becoming Flooded, by Arend Berg and Marc Purnell, covers this topic in detail: the SCE, its function and its programming rules, and the things to avoid. The SCE improves event filtering by moving the processing much closer to the source of the event, so that events it discards are never sent on to the server.

There are six basic types of rules that you can write for the SCE: five state-based rule types (Duplicate, Collector, Threshold, Passthrough, and Reset On Match) and one stateless rule type (Match).

  • Duplicate sends the first event when the time interval is reached. The duplicates received during the interval are discarded.
  • Collector delays event traffic by holding events for the time interval and then sending ALL of them.
  • Threshold sends a single event only if the threshold is reached during the time interval. If it is not, ALL the held events are discarded.
  • Passthrough looks for a specified set of events to follow an initial event within a given time interval; the follow-up events can be required in a specific order or allowed in any order. If the conditions are not met, the events are discarded.
  • Reset On Match is roughly the opposite of Passthrough: the event is sent only if the specified events do NOT arrive during the time interval.
  • Match (the stateless one) forwards the event to the next action or rule if its conditions are met; the action can be any of the available actions. Match differs from the preceding rule types in that it acts on a single event. It is most closely related to Collector, except that there is no time interval, which is what makes it stateless.
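The list above says what each rule type does to an event stream but not how the time windows and the forward/discard decisions interact, so here is an added example, written for this page and not part of IBM's SCE or its rule format, that models the six rule types as small Python classes and runs constructed event streams through them. The model's assumptions: state is kept per originating host (the real SCE clones state on whichever attributes you configure), a Threshold rule forwards the first held event, a Reset On Match rule consumes the clearing event rather than forwarding it, a Passthrough rule forwards only the initial event once the follow-ups have arrived, and every event class, host name and timestamp in the sample streams is invented.

```python
"""Toy model of the six SCE rule types listed above (not IBM's code); state is per host."""
from collections import namedtuple

Event = namedtuple("Event", "cls host t")  # event class, originating host, reception time (s)

class Rule:
    """Shared machinery: a per-host window of held events plus the predicates the rule claims."""
    keep_on_expire = True  # release held events when the window closes?
    def __init__(self, matches, interval=0, also=()):
        self.matches, self.interval, self.also, self.windows = matches, interval, also, {}
    def wants(self, ev):  # `also` holds follow-up / clearing predicates, if any
        return self.matches(ev) or any(p(ev) for p in self.also)
    def window(self, ev, **extra):
        return self.windows.setdefault(ev.host, {"start": ev.t, "held": [], **extra})
    def expire(self, now):  # close windows whose interval has elapsed; release or drop contents
        out = []
        for host, win in list(self.windows.items()):
            if now - win["start"] >= self.interval:
                out += win["held"] if self.keep_on_expire else []
                del self.windows[host]
        return out

class Duplicate(Rule):
    """Holds the first event, sends it when the interval ends, drops the copies."""
    def accept(self, ev):
        if not self.window(ev)["held"]:
            self.window(ev)["held"].append(ev)
        return []

class Collector(Rule):
    """Holds every event and releases all of them together when the interval ends."""
    def accept(self, ev):
        self.window(ev)["held"].append(ev)
        return []

class Threshold(Rule):
    """Sends one event (the first, in this model) once `count` arrive in the interval; else drops all."""
    keep_on_expire = False
    def __init__(self, matches, interval, count):
        super().__init__(matches, interval)
        self.count = count
    def accept(self, ev):
        held = self.window(ev)["held"]
        held.append(ev)
        return [held[0]] if len(held) == self.count else []

class Passthrough(Rule):
    """Forwards the initial event only if all follow-ups arrive in the interval (in sequence if ordered)."""
    keep_on_expire = False
    def __init__(self, matches, interval, followers, ordered=True):
        super().__init__(matches, interval, also=followers)
        self.ordered = ordered
    def accept(self, ev):
        win = self.windows.get(ev.host)
        if win is None:  # only an initial event may open a window; stray follow-ups are dropped
            if self.matches(ev):
                self.window(ev, seen=set())["held"].append(ev)
            return []
        pending = [i for i in range(len(self.also)) if i not in win["seen"]]
        hit = next((i for i in (pending[:1] if self.ordered else pending) if self.also[i](ev)), None)
        if hit is not None:
            win["seen"].add(hit)
        return self.windows.pop(ev.host)["held"] if len(win["seen"]) == len(self.also) else []

class ResetOnMatch(Rule):
    """Sends the held event when the interval ends unless a clearing (`also`) event cancels it first."""
    def accept(self, ev):
        if any(p(ev) for p in self.also):
            self.windows.pop(ev.host, None)  # clearing event: drop the window, consume the event
        elif not self.window(ev)["held"]:
            self.window(ev)["held"].append(ev)
        return []

class Match(Rule):
    """Stateless: decides each event on its own with no window; forward=False drops it."""
    def __init__(self, matches, forward=True):
        super().__init__(matches)
        self.forward = forward
    def accept(self, ev):
        return [ev] if self.forward else []

def correlate(rules, events, end_time):
    """The first rule that claims an event gets it; unclaimed events pass straight through."""
    out = []
    for ev in sorted(events, key=lambda e: e.t):
        out += sum((r.expire(ev.t) for r in rules), [])  # close old windows before the new event
        claimant = next((r for r in rules if r.wants(ev)), None)
        out += claimant.accept(ev) if claimant else [ev]
    out += sum((r.expire(end_time) for r in rules), [])
    return [(e.cls, e.host, e.t) for e in out]

def demo():
    """Constructed sample streams (not real TEC data) for three of the rule types."""
    cls = lambda c: (lambda e: e.cls == c)
    disk = [Event("Disk_Full", "h1", t) for t in (0, 10, 30, 100)]
    logins = [Event("Login_Failed", "h2", t) for t in (0, 5, 9, 50)]
    svc = [Event("Service_Down", "h3", 0), Event("Service_Up", "h3", 40), Event("Service_Down", "h4", 0)]
    return {"duplicate": correlate([Duplicate(cls("Disk_Full"), 60)], disk, 200),
            "threshold": correlate([Threshold(cls("Login_Failed"), 30, 3)], logins, 100),
            "reset": correlate([ResetOnMatch(cls("Service_Down"), 120, [cls("Service_Up")])], svc, 300)}
```

Running demo() shows the three effects side by side: four Disk_Full events from one host collapse to one per 60-second window, three Login_Failed events inside 30 seconds produce a single report while a lone later failure is dropped, and a Service_Down is reported only for the host whose Service_Up never arrived. The same correlate() loop drives Collector, Passthrough and Match; a Match rule with forward=False is the stateless drop filter, and Passthrough with ordered=False is the any-order variant described in the list.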

For More Information

For more information about this tool, click on the link for this tool at the top of this page.