Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies To: Operations Manager 2007 R2
The System.ConsolidatorCondition condition detection module type is used to consolidate multiple incoming data items based on a specific schedule or a time interval. A module of this type accepts data of any type and outputs System.ConsolidatorData.
Type Definition
<ConditionDetectionModuleType ID="System.ConsolidatorCondition" Stateful="true" Accessibility="Public" PassThrough="false" Batching="false">
<Configuration>
<IncludeSchemaTypes>
<SchemaType>System.ExpressionEvaluatorSchema</SchemaType>
</IncludeSchemaTypes>
<xsd:element name="Consolidator" type="ConsolidatorType"/>
</Configuration>
<ModuleImplementation Isolation="Any">
<Native>
<ClassID>1E06AAF5-C4E0-4F57-A4F6-2C8A6A5E8E53</ClassID>
</Native>
</ModuleImplementation>
<OutputType>System.ConsolidatorData</OutputType>
<InputTypes>
<InputType>System.BaseData</InputType>
</InputTypes>
</ConditionDetectionModuleType>
Parameters
The System.ConsolidatorCondition supports the following configuration parameters:
| Parameter | Type | Overrideable | Description |
|---|---|---|---|
Consolidator |
False |
Required parameter. Defines the criteria and schedule for data correlation. |
For more information about the Consolidator parameter, see ConsolidatorType.
Composition
The System.ConsolidatorCondition module is a native module.
Related Modules
| Module Type | Usage |
|---|---|
Correlates a sequence of difference data items. |
External Module References
None.
Remarks
The following code example shows a data item that is output from the consolidator module for Windows event data: The contents of the data item element are dependent on the type of data that is being consolidated.
<DataItem type="System.ConsolidatorData" time="2008-10-23T14:16:29.0013505-07:00" sourceHealthServiceId="B0BE86FA-56AD-1F2E-EE87-8DF72FC53818">
<TimeWindowStart>2008-10-23T14:16:17.0000000-07:00</TimeWindowStart>
<TimeWindowEnd>2008-10-23T14:16:26.9999999-07:00</TimeWindowEnd>
<TimeFirst>2008-10-23T14:16:17.0000000-07:00</TimeFirst>
<TimeLast>2008-10-23T14:16:23.0000000-07:00</TimeLast>
<Count>3</Count>
<Context>
<DataItem type="Microsoft.Windows.EventData" time="2008-10-23T14:16:23.0000000-07:00" sourceHealthServiceId="B0BE86FA-56AD-1F2E-EE87-8DF72FC53818">
<EventOriginId>{C9D083CE-9C36-42B9-82CE-5051C8BA180C}</EventOriginId>
<PublisherId>{D5C9D62E-11DA-4A04-242C-50418B1286A0}</PublisherId>
<PublisherName>EventCreate</PublisherName>
<EventSourceName>EventCreate</EventSourceName>
<Channel>Application</Channel>
<LoggingComputer>testmachine.example.com</LoggingComputer>
<EventNumber>206</EventNumber>
<EventCategory>0</EventCategory>
<EventLevel>4</EventLevel>
<UserName>DOMAIN\username</UserName>
<RawDescription><![CDATA[%1 ]]></RawDescription>
<LCID>1033</LCID>
<Params>
<Param>Test Event</Param>
</Params>
<EventData>
<DataItem type="System.XmlData" time="2008-10-23T14:16:23.9418446-07:00" sourceHealthServiceId="B0BE86FA-56AD-1F2E-EE87-8DF72FC53818">
<EventData>
<Data>test</Data>
</EventData>
</DataItem>
</EventData>
<EventDisplayNumber>206</EventDisplayNumber>
<EventDescription><![CDATA[Test Event ]]></EventDescription>
<Keywords>36028797018963968</Keywords>
</DataItem>
</Context>
</DataItem>
In the preceding code example, consider the following sequence of events that are input to the consolidator module that begin at midnight (0:00:00):
Event 1 – 0:00:00
Event 2 – 0:00:08
Event 3 – 0:00:15
Event 4 – 0:00:17
Event 5 – 0:00:23
For each counting method, the time control is configured to be a simple WithinTimeSchedule of 10 seconds, and there are no excludes specified. The two counting methods that take a count as configuration are set to 3.
The following consolidator output occurs for each counting method:
| Counting Method | Output |
|---|---|
OnNewItemNOP_OnTimerOutputRestart |
Occurs at 00:00:10 after the end of the first window, which was started by event 1. Output has a consolidated count of 2 (event 1 and 2). Occurs at 00:00:25 after the end of the second window, which was started by event 3. Output has a consolidated count of 3 (event 3, 4 and 5) |
OnNewItemTestOutputRestart_OnTimerRestart |
Outputs at 00:00:23 after the third event that is received, following the start of the window that was started by event 3. Output has a consolidated count of 3 (event 3, 4 and 5) |
OnNewItemTestOutputRestart_OnTimerSlideByOne |
Outputs at 00:00:17 after the third event that was received, following the sliding window that was moved to start at event 2. Output has a consolidated count of 3 (event 2, 3 and 4). |
Sample
The following rule looks for an event from the Windows application event log and consolidates, based on the sliding window counting method over a 10-second window. An alert is generated if there are more than three events received. The latency is set to 10 seconds.
<Rule ID="Microsoft.Samples.EventConsolidationTest1" Target="Microsoft.Samples.ApplicationX">
<Category>ConfigurationHealth</Category>
<DataSources>
<DataSource ID="Event" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type='Windows!Microsoft.Windows.Computer']/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>EventCreate</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>401</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<ConditionDetection ID="Consolidator" TypeID="System!System.ConsolidatorCondition">
<Consolidator>
<ConsolidationProperties/>
<TimeControl>
<Latency>10</Latency>
<WithinTimeSchedule>
<Interval>10</Interval>
</WithinTimeSchedule>
</TimeControl>
<CountingCondition>
<Count>3</Count>
<CountMode> OnNewItemTestOutputRestart_OnTimerSlideByOne</CountMode>
</CountingCondition>
</Consolidator>
</ConditionDetection>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>0</Priority>
<Severity>0</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Samples.EventConsolidationTest1.AlertMessage"]$</AlertMessageId>
<Suppression/>
</WriteAction>
</WriteActions>
</Rule>
The following rule uses the non-sliding window counting method and uses a simple recurring schedule to consolidate every 5 minutes. An alert is generated if more than 10 events are received during a given window:
<Rule ID="Microsoft.Samples.EventConsolidationTest2" Target="Microsoft.Samples.ApplicationX">
<Category>ConfigurationHealth</Category>
<DataSources>
<DataSource ID="Event" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type='Windows!Microsoft.Windows.Computer']/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>EventCreate</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>401</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<ConditionDetection ID="Consolidator" TypeID="System!System.ConsolidatorCondition">
<Consolidator>
<ConsolidationProperties/>
<TimeControl>
<GenericSchedule>
<SimpleReccuringSchedule>
<Interval Unit='Minutes'>5</Interval>
<SyncTime>00:00</SyncTime>
</SimpleReccuringSchedule>
<ExcludeDates/>
</GenericSchedule>
</TimeControl>
<CountingCondition>
<Count>10</Count>
<CountMode>OnNewItemTestOutputRestart_OnTimerRestart</CountMode>
</CountingCondition>
</Consolidator>
</ConditionDetection>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>0</Priority>
<Severity>0</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Samples.EventConsolidationTest2.AlertMessage"]$</AlertMessageId>
<Suppression/>
</WriteAction>
</WriteActions>
</Rule>
Information
Module Type |
|
InputType |
|
Output Type |
|
Implementation |
Native |
Library |
System.Library |