CorrelationExpressionType
Applies To: Operations Manager 2007 R2
The CorrelatorExpressionType complex data type is used within the CorrelatorType complex data schema provide a condition to the correlation process.
The CorrelatorExpressionType data type allows only for simple equivalence filtering. You would define an expression within your correlation module only when you want to correlate under a condition of equivalence between properties of the two incoming data items. For example, if event A is a ping event and event B is a reply event, you might want to correlate only when the pingevent.TargetURL equals replyevent.ResponseURL.
Schema Definition
<xsd:complexType name="CorrelatorExpressionType">
<xsd:choice minOccurs="0" maxOccurs="1">
<xsd:element name="SimpleExpression">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="ValueExpression" type="ValueExpressionType"/>
<xsd:element name="Operator">
<xsd:complexType>
<xsd:simpleContent>
<xsd:extension base="CorrelationCriteriaCompareType">
<xsd:attribute name="CaseSensitive" type="xsd:boolean" use="optional" default="false"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
</xsd:element>
<xsd:element name="ValueExpression" type="ValueExpressionType"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="And">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="Expression" type="CorrelatorExpressionType" minOccurs="2" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:choice>
</xsd:complexType>
Remarks
The CorrelatorExpressionType data type contains the parameters described in the following table.
Parameter | Type | Description |
---|---|---|
SimpleExpression |
Complex |
Not used if And is included. Defines the simple equivalence expression to use for providing conditioned correlation. |
And |
Complex |
Not used if SimpleExpression is included. Defines multiple simple equivalence expressions to use for providing conditioned correlation. |
The following sample illustrates a rule that correlates two events (ping sent and ping received). Both events are generated from application log entries. The primary data source (DS1) returns event data when the ping request is logged. The secondary data source (DS2) returns event data when a ping response is logged. Assuming that the param[2] value of the incoming event data items is the IP address of the pinged device, the correlator expression makes sure that the module correlates only between between primary (item0) and secondary (item1) data items, but only if they refer to the same IP address as specified in param[2].
<Rule ID="Microsoft.Samples.CorrelatePingEvents.Rule" Enabled="true" Target="Windows!Microsoft.Windows.OperatingSystem" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Custom</Category>
<DataSources>
<DataSource ID="DS2" TypeID="AppLog!System.ApplicationLog.GenericCSVLog.FilteredEventProvider">
<LogFileDirectory>C:\PingLogs</LogFileDirectory>
<LogFilePattern>pingresponse.log</LogFilePattern>
<LogIsUTF8>false</LogIsUTF8>
<Separator>,</Separator>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[1]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>Received</Pattern>
</RegExExpression>
</Expression>
</DataSource>
<DataSource ID="DS1" TypeID="AppLog!System.ApplicationLog.GenericCSVLog.FilteredEventProvider">
<LogFileDirectory>C:\PingLogs</LogFileDirectory>
<LogFilePattern>ping.log</LogFilePattern>
<LogIsUTF8>false</LogIsUTF8>
<Separator>,</Separator>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[1]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>Sent</Pattern>
</RegExExpression>
</Expression>
</DataSource>
</DataSources>
<ConditionDetection ID="Correlator" TypeID="System!System.Correlator">
<Correlator>
<CorrelationExpression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>Item0:EventData/DataItem/Params/Param[2]</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>Item1:EventData/DataItem/Params/Param[2]</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</CorrelationExpression>
<Count>1</Count>
<Interval>30</Interval>
<CorrelationOrder>InSequence</CorrelationOrder>
<CorrelationItemPolicy>First</CorrelationItemPolicy>
</Correlator>
</ConditionDetection>
<WriteActions>
<WriteAction ID="WriteEvent" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
</WriteActions>
</Rule>
Information
Schema Type |
System.ExpressionEvaluatorSchema |
Library |
System.Library |