
CorrelationExpressionType

System Center

Updated: August 10, 2011

Applies To: Operations Manager 2007 R2

The CorrelatorExpressionType complex data type is used within the CorrelatorType complex data schema to provide a condition to the correlation process.

The CorrelatorExpressionType data type allows only for simple equivalence filtering. You would define an expression within your correlation module only when you want to correlate under a condition of equivalence between properties of the two incoming data items. For example, if event A is a ping event and event B is a reply event, you might want to correlate only when the pingevent.TargetURL equals replyevent.ResponseURL.


<xsd:complexType name="CorrelatorExpressionType">
  <xsd:choice minOccurs="0" maxOccurs="1">
    <xsd:element name="SimpleExpression">
      <xsd:complexType>
        <xsd:sequence>
          <xsd:element name="ValueExpression" type="ValueExpressionType"/>
          <xsd:element name="Operator">
            <xsd:complexType>
              <xsd:simpleContent>
                <xsd:extension base="CorrelationCriteriaCompareType">
                  <xsd:attribute name="CaseSensitive" type="xsd:boolean" use="optional" default="false"/>
                </xsd:extension>
              </xsd:simpleContent>
            </xsd:complexType>
          </xsd:element>
          <xsd:element name="ValueExpression" type="ValueExpressionType"/>
        </xsd:sequence>
      </xsd:complexType>
    </xsd:element>
    <xsd:element name="And">
      <xsd:complexType>
        <xsd:sequence>
          <xsd:element name="Expression" type="CorrelatorExpressionType" minOccurs="2" maxOccurs="unbounded"/>
        </xsd:sequence>
      </xsd:complexType>
    </xsd:element>
  </xsd:choice>
</xsd:complexType>

The CorrelatorExpressionType data type contains the parameters described in the following table.

| Parameter | Type | Description |
| --- | --- | --- |
| SimpleExpression | Complex | Not used if And is included. Defines the simple equivalence expression to use for providing conditioned correlation. |
| And | Complex | Not used if SimpleExpression is included. Defines multiple simple equivalence expressions to use for providing conditioned correlation. |

The following sample illustrates a rule that correlates two events (ping sent and ping received). Both events are generated from application log entries. The primary data source (DS1) returns event data when the ping request is logged. The secondary data source (DS2) returns event data when a ping response is logged. Assuming that the param[2] value of the incoming event data items is the IP address of the pinged device, the correlator expression makes sure that the module correlates primary (item0) and secondary (item1) data items only if they refer to the same IP address, as specified in param[2].


<Rule ID="Microsoft.Samples.CorrelatePingEvents.Rule" Enabled="true" Target="Windows!Microsoft.Windows.OperatingSystem" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Custom</Category>
  <DataSources>
    <DataSource ID="DS2" TypeID="AppLog!System.ApplicationLog.GenericCSVLog.FilteredEventProvider">
      <LogFileDirectory>C:\PingLogs</LogFileDirectory>
      <LogFilePattern>pingresponse.log</LogFilePattern>
      <LogIsUTF8>false</LogIsUTF8>
      <Separator>,</Separator>
      <Expression>
        <RegExExpression>
          <ValueExpression>
            <XPathQuery Type="String">Params/Param[1]</XPathQuery>
          </ValueExpression>
          <Operator>ContainsSubstring</Operator>
          <Pattern>Received</Pattern>
        </RegExExpression>
      </Expression>
    </DataSource>
    <DataSource ID="DS1" TypeID="AppLog!System.ApplicationLog.GenericCSVLog.FilteredEventProvider">
      <LogFileDirectory>C:\PingLogs</LogFileDirectory>
      <LogFilePattern>ping.log</LogFilePattern>
      <LogIsUTF8>false</LogIsUTF8>
      <Separator>,</Separator>
      <Expression>
        <RegExExpression>
          <ValueExpression>
            <XPathQuery Type="String">Params/Param[1]</XPathQuery>
          </ValueExpression>
          <Operator>ContainsSubstring</Operator>
          <Pattern>Sent</Pattern>
        </RegExExpression>
      </Expression>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Correlator" TypeID="System!System.Correlator">
    <Correlator>
      <CorrelationExpression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>Item0:EventData/DataItem/Params/Param[2]</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
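            <ValueExpression>
              <!-- XPathQuery resolves Param[2] of item1; a Value element would be compared as a constant string -->
              <XPathQuery>Item1:EventData/DataItem/Params/Param[2]</XPathQuery>
            </ValueExpression>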
          </SimpleExpression>
        </Expression>
      </CorrelationExpression>
      <Count>1</Count>
      <Interval>30</Interval>
      <CorrelationOrder>InSequence</CorrelationOrder>
      <CorrelationItemPolicy>First</CorrelationItemPolicy>
    </Correlator>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="WriteEvent" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
  </WriteActions>
</Rule>
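
The following is an added example, not part of the original documentation or of Operations Manager: a small Python check that walks a correlation `Expression` fragment and reports departures from the schema shown above (one `SimpleExpression` or one `And`, at least two `Expression` children under `And`, the three-element sequence inside `SimpleExpression`). It assumes that `<Value>` holds a constant, so an item path placed there never matches event data; the sample fragment, the use of `Param[3]`, and the names `check` and `check_xml` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the And form; Param[3] as a second key is an assumption.
# The last ValueExpression uses <Value> on purpose so the check reports it.
SAMPLE_AND = """<Expression><And>
  <Expression><SimpleExpression>
    <ValueExpression><XPathQuery>Item0:EventData/DataItem/Params/Param[2]</XPathQuery></ValueExpression>
    <Operator CaseSensitive="false">Equal</Operator>
    <ValueExpression><XPathQuery>Item1:EventData/DataItem/Params/Param[2]</XPathQuery></ValueExpression>
  </SimpleExpression></Expression>
  <Expression><SimpleExpression>
    <ValueExpression><XPathQuery>Item0:EventData/DataItem/Params/Param[3]</XPathQuery></ValueExpression>
    <Operator>Equal</Operator>
    <ValueExpression><Value>Item1:EventData/DataItem/Params/Param[3]</Value></ValueExpression>
  </SimpleExpression></Expression>
</And></Expression>"""

def check(node, path="Expression"):
    """Return a list of problems found in one CorrelatorExpressionType element."""
    kids = list(node)
    if not kids:
        return []  # minOccurs="0": an empty expression is schema-valid
    if len(kids) > 1 or kids[0].tag not in ("SimpleExpression", "And"):
        return [f"{path}: expected one SimpleExpression or one And"]
    body, found = kids[0], []
    if body.tag == "And":
        subs = list(body)
        if len(subs) < 2 or any(s.tag != "Expression" for s in subs):
            found.append(f"{path}/And: needs two or more Expression children")
        for i, sub in enumerate(subs, 1):
            if sub.tag == "Expression":
                found += check(sub, f"{path}/And/Expression[{i}]")
        return found
    if [c.tag for c in body] != ["ValueExpression", "Operator", "ValueExpression"]:
        return [f"{path}: SimpleExpression must be ValueExpression, Operator, ValueExpression"]
    if body[1].get("CaseSensitive", "false") not in ("true", "false", "1", "0"):
        found.append(f"{path}: CaseSensitive must be an xsd:boolean")
    for side in (body[0], body[2]):
        literal = side.findtext("Value") or ""
        if literal.strip().startswith(("Item0:", "Item1:")):
            found.append(f"{path}: <Value> holds an item path, which is treated as literal text")
    return found

def check_xml(text):
    return check(ET.fromstring(text))

if __name__ == "__main__":
    for line in check_xml(SAMPLE_AND):
        print(line)
```

A rule whose correlation condition never matches produces no correlated events and raises no error, so a check like this is worth running before a management pack that feeds monitoring or alerting is imported.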

Schema Type: System.ExpressionEvaluatorSchema

Library: System.Library

© 2014 Microsoft. All rights reserved.