System.CorrelatorAutoCondition
Applies To: Operations Manager 2007 R2
The System.CorrelatorAutoCondition condition detection module type is used to correlate two incoming data item types, to detect a specific counting and/or ordering pattern of data items. It will return items only when the specified Count value has been reached. A module of this type accepts data of any type and outputs filtered System.CorrelatorData data.
Usage
This module provides all the functionality of the System.Correlator module, except that it outputs data at the end of the correlation window only if the value specified in the Count parameter has been met. The primary correlation scenarios are related-events detection and missing-related-events detection. Both of these usage scenarios are time-based and correlate the occurrence or lack of occurrence of an event pattern within a specific time delta.
Type Definition
<ConditionDetectionModuleType ID="System.CorrelatorAutoCondition" Accessibility="Public" Batching="false" Stateful="true" PassThrough="false">
  <Configuration>
    <IncludeSchemaTypes>
      <SchemaType>System.ExpressionEvaluatorSchema</SchemaType>
    </IncludeSchemaTypes>
    <xsd:element name="Correlator" type="CorrelatorType" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
  </Configuration>
  <ModuleImplementation Isolation="Any">
    <Composite>
      <MemberModules>
        <ConditionDetection ID="Correlator" TypeID="System.Correlator">
          <Correlator>$Config/Correlator$</Correlator>
        </ConditionDetection>
        <ConditionDetection ID="Filter" TypeID="System.ExpressionFilter">
          <Expression>
            <Or>
              <Expression>
                <And>
                  <Expression>
                    <SimpleExpression>
                      <ValueExpression>
                        <XPathQuery Type="UnsignedInteger">Item0Count</XPathQuery>
                      </ValueExpression>
                      <Operator>Equal</Operator>
                      <ValueExpression>
                        <Value Type="UnsignedInteger">1</Value>
                      </ValueExpression>
                    </SimpleExpression>
                  </Expression>
                  <Expression>
                    <SimpleExpression>
                      <ValueExpression>
                        <XPathQuery Type="UnsignedInteger">Item1Count</XPathQuery>
                      </ValueExpression>
                      <Operator>GreaterEqual</Operator>
                      <ValueExpression>
                        <Value Type="UnsignedInteger">$Config/Correlator/Count$</Value>
                      </ValueExpression>
                    </SimpleExpression>
                  </Expression>
                </And>
              </Expression>
              <Expression>
                <And>
                  <Expression>
                    <SimpleExpression>
                      <ValueExpression>
                        <Value Type="String">$Config/Correlator/CorrelationOrder$</Value>
                      </ValueExpression>
                      <Operator>Equal</Operator>
                      <ValueExpression>
                        <Value Type="String">AnyOrder</Value>
                      </ValueExpression>
                    </SimpleExpression>
                  </Expression>
                  <Expression>
                    <SimpleExpression>
                      <ValueExpression>
                        <XPathQuery Type="UnsignedInteger">Item0Count</XPathQuery>
                      </ValueExpression>
                      <Operator>GreaterEqual</Operator>
                      <ValueExpression>
                        <Value Type="UnsignedInteger">$Config/Correlator/Count$</Value>
                      </ValueExpression>
                    </SimpleExpression>
                  </Expression>
                  <Expression>
                    <SimpleExpression>
                      <ValueExpression>
                        <XPathQuery Type="UnsignedInteger">Item1Count</XPathQuery>
                      </ValueExpression>
                      <Operator>Equal</Operator>
                      <ValueExpression>
                        <Value Type="UnsignedInteger">1</Value>
                      </ValueExpression>
                    </SimpleExpression>
                  </Expression>
                </And>
              </Expression>
            </Or>
          </Expression>
        </ConditionDetection>
      </MemberModules>
      <Composition>
        <Node ID="Filter">
          <Node ID="Correlator" />
        </Node>
      </Composition>
    </Composite>
  </ModuleImplementation>
  <OutputType>System.CorrelatorData</OutputType>
  <InputTypes>
    <InputType>System.BaseData</InputType>
    <InputType>System.BaseData</InputType>
  </InputTypes>
</ConditionDetectionModuleType>
Parameters
The System.CorrelatorAutoCondition supports the configuration parameters described in the following table.
Parameter | Type | Overrideable | Description |
---|---|---|---|
Correlator | | False | Required parameter. Defines the configuration of the correlator module. |
For more information about the Correlator parameter and how to configure its elements, see CorrelatorType.
Remarks
For remarks, see System.Correlator.
Composition
The System.CorrelatorAutoCondition composite module contains the member modules described in the following table.
Workflow Run Order | Module Type | Usage |
---|---|---|
1 | System.Correlator | Correlates two incoming data item types to detect a specific counting and/or ordering pattern of data items. This module provides no filtering on the output data. |
2 | System.ExpressionFilter | Filters the incoming System.CorrelatorData. |
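The Filter member module's expression from the type definition, modelled in Python as an added example (it is not part of the original documentation or of Operations Manager). It reads Count and CorrelationOrder from the sample rule's Correlator block and applies the same Or/And test to constructed (Item0Count, Item1Count) pairs; the pairs are illustrative and do not reproduce how System.Correlator computes those counts.

```python
import xml.etree.ElementTree as ET

# <Correlator> configuration copied from the sample rule on this page.
SAMPLE_CONFIG = """<Correlator>
  <Count>3</Count>
  <Interval>30</Interval>
  <CorrelationOrder>InSequence</CorrelationOrder>
  <CorrelationItemPolicy>First</CorrelationItemPolicy>
</Correlator>"""

# Constructed (Item0Count, Item1Count) pairs standing in for
# System.CorrelatorData items; they are not captured from a real agent.
CONSTRUCTED_OUTPUTS = [(1, 3), (1, 2), (3, 1), (2, 3), (1, 5)]


def load_config(xml_text):
    """Return the two values the filter takes from $Config/Correlator/...$."""
    root = ET.fromstring(xml_text)
    return int(root.findtext("Count")), root.findtext("CorrelationOrder")


def filter_passes(item0_count, item1_count, count, order):
    """Mirror of the <Or> expression in the Filter member module."""
    # First <And>: exactly one item 0 and at least Count item 1s.
    first_branch = item0_count == 1 and item1_count >= count
    # Second <And>: the mirrored pattern, allowed only for AnyOrder.
    second_branch = (
        order == "AnyOrder" and item0_count >= count and item1_count == 1
    )
    return first_branch or second_branch


def evaluate(xml_text, correlator_outputs):
    """Apply the filter to each (Item0Count, Item1Count) pair."""
    count, order = load_config(xml_text)
    return [filter_passes(i0, i1, count, order) for i0, i1 in correlator_outputs]


if __name__ == "__main__":
    any_order = SAMPLE_CONFIG.replace("InSequence", "AnyOrder")
    for label, cfg in (("InSequence", SAMPLE_CONFIG), ("AnyOrder", any_order)):
        results = evaluate(cfg, CONSTRUCTED_OUTPUTS)
        for pair, passed in zip(CONSTRUCTED_OUTPUTS, results):
            print(label, pair, "output" if passed else "dropped")
```

With the sample rule's InSequence setting only the first branch can match, so a pair such as (3, 1) is dropped; the same pair passes once CorrelationOrder is AnyOrder.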
Related Modules
Module Type | Usage |
---|---|
Correlates two incoming data item types to detect a specific counting and/or ordering pattern of data items. Allows for the filtering of the output data. |
External Module References
None.
Sample
The following rule generates an alert whenever a pattern of incoming data items is met. It will output the data only when the value of the Count parameter has been met.
<Rule ID="Microsoft.Samples.AutoCorrelationRule.InSequenceFirstOccurence" Enabled="true" Target="Windows!Microsoft.Windows.OperatingSystem" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Custom</Category>
  <DataSources>
    <DataSource ID="DS1" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">EventCreate</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">101</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
    <DataSource ID="DS2" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">EventCreate</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">102</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Correlator" TypeID="System!System.CorrelatorAutoCondition">
    <Correlator>
      <Count>3</Count>
      <Interval>30</Interval>
      <CorrelationOrder>InSequence</CorrelationOrder>
      <CorrelationItemPolicy>First</CorrelationItemPolicy>
    </Correlator>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Samples.AutoCorrelationRule.InSequenceFirstOccurence.AlertMessage"]$</AlertMessageId>
      <Suppression>
        <SuppressionValue />
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
Information
Module Type | |
InputType | |
Output Type | |
Implementation | Native |
Library | System.Library |