The following example event policy file detects when a Windows service shuts down within 30 seconds after starting. These operations are tracked in separate events, so an event rule is required to correlate the events and trigger an appropriate action. The event policy creates an event to replace the other events with a message and severity that reflect the more serious nature of the situation. This evaluate operation contains a rule and does not require a separate action.
Note: This is a simple example that is easily configurable using the Event Policies dialog in the Operations Console. Always use the Event Policies dialog to create event policies, unless the interface does not support the operation. For information about creating more complex Drools rules, see the Drools documentation. For other syntax examples (for example, if you want to create a complex enrichment evaluate operation and need a frame of reference), create and deploy event policies from the Event Policies dialog and see the resultant syntax at SOI_HOME\resources\Core\Catalogpolicy\extensions.
The deployed event policy file for this example is as follows:
<Catalog version='1.0' globalextends='GLOBAL!'>
<EventClass name='Alert'>
<Evaluate>
<Field input='Service Crash' output='DRL'>
<![CDATA[
package com.ca.eventplus.catalog;
import com.ca.eventplus.catalog.util.EPEvent;
import java.util.HashMap;
declare EPEvent
@role(event)
end
rule "Service Crash
no-loop true
when
pattrn1 : EPEvent((alertedMdrElementID=="?" && message matches ".*entered the running state.*") && reEvaluate!="Service Crash")
pattrn2 : EPEvent((alertedMdrElementID=="?" && message matches ".*entered the stopped state.*") && reEvaluate!="Service Crash", this after[0s,30s] pattrn1)
then
pattrn1.createEvent("Service Crash",true,false,pattrn1,pattrn2);
end
]]>
</Field>
</Evaluate>
</EventClass>
<EventClass name='Service Crash' extends='Alert'>
<FormatPostN>
<Field output='AlertType' format='Quality' input='' />
<Field conditional='pattern1.AlertedMdrProduct'
output='AlertedMdrProduct' format='{0}'
input='pattern1.AlertedMdrProduct' />
<Field conditional='pattern1.AlertedMdrProdInstance'
output='AlertedMdrProdInstance' format='{0}'
input='pattern1.AlertedMdrProdInstance' />
<Field conditional='pattern1.AlertedMdrElementID'
output='AlertedMdrElementID' format='{0}'
input='pattern1.AlertedMdrElementID' />
<Field conditional='pattern2.OccurrenceTimestamp'
output='OccurrenceTimestamp' format='{0}'
input='pattern2.OccurrenceTimestamp' />
<Field output='Severity' format='Major' input='' />
<Field output='Summary' format='Service Crash' input='' />
<Field output='MdrProduct' format='{0}' input='pattern1.MdrProduct' />
<Field output='MdrProdInstance' format='{0}'
input='pattern1.MdrProdInstance' />
<Field conditional='pattern1.MdrElementID' output='MdrElementID'
format='{0}' input='pattern1.MdrElementID' />
</FormatPostN>
</EventClass>
</Catalog>
Note: Some of the field attributes from the event policy are omitted from the Format syntax.
When the event policy deployment occurs, this file is generated at SOI_HOME\resources\Core\Catalogpolicy\extensions and named according to the deployed connector and policy name. In a typical manual refinement scenario, you deploy a simple policy then add the elements unsupported by the user interface in the deployed policy file. Using this method, you only have to work with and refine an existing policy file; you do not create one.
The input and output properties define the rule name and output. The Drools rule is embedded in the '![CDATA[' property. The Drools rule contains the following sections:
Defines Java methods to import for use in the rule. This declaration must include the EPEvent method, which describes the event properties that the Drools engine can use.
Declares EPEvent as an event role, enabling correlation between events.
Starts the event rule that contains the event search patterns.
Defines the rule criteria. The when clause in this example looks for the following events occurring within 30 seconds of one another:
Note the format of the clause, specifically how it uses the EPEvent method to retrieve and evaluate the properties. Also note the syntax of the clause that defines the time interval between events.
Defines the action that runs when the criteria in the when clause are met. The then clause in this example creates an event that is based on the properties of the correlated events.
Sets the properties for the new event. This syntax uses the Format operation to establish the new event properties, and the event class matches the name of the event policy. The AlertType, Summary, and Severity properties have new values that reflect the new event condition. The other properties use the values from the first or second event.
Note: Several properties have been omitted from this example.
For more examples and information about the syntax and requirements of the Drools language version 5, see the following page: http://www.jboss.org/drools/documentation.html.
|
Copyright © 2013 CA.
All rights reserved.
|
|