System.CorrelatorCondition
Applies To: Operations Manager 2007 R2
The System.CorrelatorCondition condition detection module type is used to correlate two incoming data item types, to detect a specific counting and/or ordering pattern of data items. A module of this type accepts data of any type and outputs filtered System.CorrelatorData data.
Usage
This module provides all the functionality of the System.Correlator module, except that it allows you to filter the outgoing data. The primary correlation scenarios are related-events detection and missing-related-events detection. Both of these usage scenarios are time-based and correlate the occurrence or lack of occurrence of an event pattern within a specific time delta.
Type Definition
<ConditionDetectionModuleType ID="System.CorrelatorCondition" Stateful="true" Accessibility="Public" PassThrough="false" Batching="false">
<Configuration>
<IncludeSchemaTypes>
<SchemaType>System.ExpressionEvaluatorSchema</SchemaType>
</IncludeSchemaTypes>
<xsd:element name="Correlator" type="CorrelatorType"/>
<xsd:element name="Expression" type="ExpressionType"/>
</Configuration>
<ModuleImplementation Isolation="Any">
<Composite>
<MemberModules>
<ConditionDetection TypeID="System.Correlator" ID="Correlator">
<Correlator>$Config/Correlator$</Correlator>
</ConditionDetection>
<ConditionDetection TypeID="System.ExpressionFilter" ID="Filter">
<Expression>$Config/Expression$</Expression>
</ConditionDetection>
</MemberModules>
<Composition>
<Node ID="Filter">
<Node ID="Correlator"/>
</Node>
</Composition>
</Composite>
</ModuleImplementation>
<OutputType>System.CorrelatorData</OutputType>
<InputTypes>
<InputType>System.BaseData</InputType>
<InputType>System.BaseData</InputType>
</InputTypes>
</ConditionDetectionModuleType>
Parameters
The System.CorrelatorCondition supports the configuration parameters described in the following table.
| Parameter | Type | Overrideable | Description |
|---|---|---|---|
Correlator |
False |
Required parameter. Defines the configuration of the correlator module. |
|
Expression |
False |
Required parameter. Contains the filter expression to apply to the correlation data. |
For more information about the Correlator parameter and how to configure its elements, see CorrelatorType.
For more information about the Expression parameter and how to configure its elements, see ExpressionType.
Remarks
For remarks, see System.Correlator.
Composition
The System.CorrelatorCondition module is a composite module that contains the member modules described in the following table.
| Workflow Run Order | Module Type | Usage |
|---|---|---|
1 |
Correlates two incoming data item types, to detect a specific counting and/or ordering pattern of data items. This module provides no filtering on the output data. |
|
2 |
System.ExpressionFilter |
Filters the incoming System.CorrelatorData data. |
Related Modules
| Module Type | Usage |
|---|---|
Correlates two incoming data item types to detect a specific counting and/or ordering pattern of data items. Returns data only when the value specified in the Count parameter has been met. |
|
Correlates two incoming data item types to detect a specific counting and/or ordering pattern of data items. Returns data only when the value specified in the Count parameter has not been met by the time the correlation window ends. |
External Module References
None.
Sample
The following rule generates an alert whenever a pattern of incoming data items is not met. It will output data under any one of the following conditions:
When the output returns either 0 primary data items or 0 incoming secondary items.
When the output returns 1 primary data item and less than number of secondary data items indicated by the Count parameter value.
When the correlation order is “AnyOrder” and the output returns 1 secondary data item and less than the number of primary data items indicated by the Count value.
<Rule ID="Microsoft.Samples.CorrelationRule.InSequenceFirstOccurence " Enabled="true" Target="Windows!Microsoft.Windows.OperatingSystem" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Custom</Category>
<DataSources>
<DataSource ID="DS1" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">EventCreate</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">101</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
<DataSource ID="DS2" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">EventCreate</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">102</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<ConditionDetection ID="Correlator" TypeID="System!System.CorrelatorCondition">
<Correlator>
<Count>3</Count>
<Interval>30</Interval>
<CorrelationOrder>InSequence</CorrelationOrder>
<CorrelationItemPolicy>First</CorrelationItemPolicy>
</Correlator>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">Item0Count</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">0</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">Item1Count</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">0</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">Item0Count</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">Item1Count</XPathQuery>
</ValueExpression>
<Operator>Less</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">$Config/Correlator/Count$</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<Value Type="String">$Config/Correlator/CorrelationOrder$</Value>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">AnyOrder</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">Item0Count</XPathQuery>
</ValueExpression>
<Operator>Less</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">$Config/Correlator/Count$</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">Item1Count</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</Or>
</Expression>
</ConditionDetection>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="Microosft.Samples.CorrelationRule.InSequenceFirstOccurence.AlertMessage"]$</AlertMessageId>
<Suppression>
<SuppressionValue />
</Suppression>
</WriteAction>
</WriteActions>
</Rule>
Information
Module Type |
|
InputType |
|
Output Type |
|
Implementation |
Native |
Library |
System.Library |