We are migrating this community website to cloud instance on 04 Jun and 05 Jun 2024. Please do not make any changes to the wiki pages during the migration.
opEvents does not just automatically suppress duplicate events (stateful or custom-matched); it can also create new events based on correlating recent event occurrences.
In opEvents versions 2.0.4 (and newer) you can use more fine-grained controls to deal with the triggering events.
This event correlation and synthesis feature is configured in the same way as the duplicate suppression, namely by putting event creation rules into conf/EventRules.nmis.
...
- an event
name, which specifies the name of the newly created event, - a list of
events(more precisely, their names), which are the events to consider for correlation, - a (minimum)
countof events that have to be detected to trigger the rule, - an optional list of
groupbyclauses, which define whether the count is interpreted globally for all named events, or separately within smaller groups, - optional optional
delayedactionandautoacknowledgeclauses, which define how the triggering events should be handled, - an optional
enrichclause, which adjustsenrichclauses, which adjust the handling of the newly created event, - and finally a
windowparameter, which defines the time window to examine.
...
At this point the new event is inserted into the database, and is ready for further action processing. This action processing (e.g. escalation, mail notification, custom logging) is performed either immediately or delayed after a custom delay period (if the delayedaction property is present in the rule)immediately.
Handling of the Triggering Events
Please note: this feature is only available in opEvents 2.0.4 and newer.
- If your rule contains a
delayedactionclause (with a numeric value), then all potentially triggering events will have their action processing delayed by the given number of seconds.
This affects all events whose name is in the event list of your rule, no matter whether the limits for triggering a synthetic event have been met or not. Thedelayactionvalue should therefore be set to a relatively small value. - If your rule has the property
autoacknowledgeset totrueor 1, then all triggering events will be automatically acknowledged and all action processing for them will be aborted.
The combination of these two controlling properties provides fine-grained storm control and the ability to create "combination events" that subsume and close any number of triggering events:
"Plain" Synthetic Events
If your rule sets neither delayedaction nor autoacknowledge, then the incoming potential trigger events will be processed as per normal and immediately, and any policy actions for them will be taken as soon as possible (but possible after being delayed by the state_flap_window - see Deduplication and storm control in opEvents for details). The trigger events are thus completed, and visible as current/unacknowledged, completely independent of any synthetic events that might get triggered by them later.
"Combination" Events
If your rule sets delayedaction (and optionally autoacknowledge), then the incoming events are delayed and held for the given time before any policy actions are taken for them. (The delayedaction setting should be the same as or larger than the rule's window setting.)
If the requirements for a synthetic event are met during that time, then the new synthetic event can "combine" and supersede the triggering events. If autoacknowledge is set, then all the triggering events will be acknowledged, closed and no actions will be taken for them at all. (Without autoacknowledge the triggering events would not have actions performed but would remain unacknowledged.)
The net effect is that the current events view would show only the new synthetic event as 'current' and all the underlying triggering events would be categorized as closed (and optionally acknowledged), and thus be mostly hidden.
Grouping
If no groupby clause is present, then the set of matching events is counted directly, which may be too generic for many common scenarios. For example creating new events for a particular customer or service group only wouldn't be possible. Grouping solves this problem: the set is split into groups with matching property values and the count threshold is applied to those groups.
...