Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Command and Definition File Reference


Correlation event generation definition file

Organization of this page

Format

VERSION={1 | 2}
 
#comment-line
[generation-condition-name]
TARGET=filtering-condition-for-the-correlation-target-range
CON=event-condition
TIMEOUT=timeout-period
TYPE=event-correlation-type
SAME_ATTRIBUTE=duplicate-attribute-value-condition
CORRELATION_NUM=maximum-correlation-number
SUCCESS_EVENT=correlation-approval-event
FAIL_EVENT=correlation-failure-event
 
[generation-condition-name]
TARGET=filtering-condition-for-the-correlation-target-range
CON=event-condition
TIMEOUT=timeout-period
TYPE=event-correlation-type
SAME_ATTRIBUTE=duplicate-attribute-value-condition
CORRELATION_NUM=maximum-correlation-number
SUCCESS_EVENT=correlation-approval-event
FAIL_EVENT=correlation-failure-event
          :

File

Use any file. However, the following limitations apply:

Storage directory

In Windows

Any folder

In UNIX

Any directory

Description

This file defines JP1 event conditions that result in generation of correlation events and the correlation events that are generated when the JP1 event conditions are satisfied. Use the language encoding that is used by JP1/IM - Manager to specify this file.

When the definitions are applied

The definitions take effect after the correlation event generation definitions are applied by the jcoegschange command.

Information that is specified

VERSION={1 | 2}

Specifies the version of the correlation event generation definition file.

Specify either 1 or 2.

If you specify 1, none of the parameters listed below can be specified. To specify all the parameters described here, specify 2 in the VERSION parameter.

Table 2‒37: Parameters that cannot be specified

Version

Parameter

1

TARGET

SAME_ATTRIBUTE

CORRELATION_NUM

2

None

Any zeros that are specified preceding the value are ignored. For example, VERSION=0001 is the same as VERSION=1. If this parameter is omitted, VERSION=1 is assumed.

If the specified value is neither 1 nor 2, a definition error results. Specifying VERSION more than once also results in a definition error.

#comment-line

A line beginning with a hash mark (#) is treated as a comment.

[generation-condition-name]

This is the start tag for a definition block that defines a correlation event generation condition. The information from the[generation-condition-name] tag to the information immediately before the next [generation-condition-name] tag constitutes one definition block. This tag cannot be omitted. You can define a maximum of 1,000 correlation event generation conditions. If more than 1,000 correlation event generation conditions are defined, a definition error occurs.

You must enclose the generation condition name in square brackets ([ ]). The generation condition name can consist of from 1 to 32 alphanumeric characters, the hyphen (-). underscore (_), and forward slash (/).

This name is case sensitive. For example, [JP1_HAKKOUZYOUKEN]is treated as being different from [jp1_hakkouzyouken].

Each generation condition name specified in the correlation event generation definition file must be unique. If the same generation condition name is specified more than once, the first name specified in the file is effective. A generation condition name cannot begin with IM_ (whether upper- or lowercase letters are used). If such a name is specified, a definition error occurs.

If you wish to specify a comment immediately following [generation-condition-name], use the format [generation-condition-name]#comment-on-generation-condition.

TARGET=filtering-condition-for-the-correlation-target-range

Specifies a filtering condition to narrow the range of JP1 events that are to be subject to generation of correlation events. If this parameter is omitted, all JP1 events that are acquired are subject to correlation event generation processing.

You can specify only one filtering condition for the correlation target range for each correlation event generation condition. If multiple filtering conditions are specified, a definition error results.

The following is the format:

- TARGET=event-attribute-condition-1[,event-attribute-condition-2...]

Separate multiple event attribute conditions with the comma (,). When multiple event attribute conditions are specified, it is assumed that they are connected with the AND condition, in which case the condition is satisfied only when a JP1 event that satisfies all the specified event attribute conditions is issued.

Specify an event attribute condition in the following format:

attribute-name comparison-condition attribute-value

The following table lists and describes the items that can be set for an event attribute condition.

Table 2‒38: Items to be set for an event attribute condition

No.

Item

Description

1

attribute-name

Specifies a JP1 event basic or extended attribute. Prefix a basic attribute with B. and an extended attribute with E.. For example, to specify a message, specify B.MESSAGE.

If you specify an extended attribute, express the character string that follows E. using from 1 to 32 bytes of characters. The following rules apply:

  • The character string must begin with an uppercase letter.

  • The character string beginning with byte 2 must be expressed using uppercase alphanumeric characters and the underscore (_).

For details about the specifiable attribute names, see Table 2-39 List of attribute names that can be specified in the filtering condition for the correlation target range.

2

comparison-condition

Specifies a comparison condition. The supported comparison conditions and their meanings are listed below. If any other comparison condition is used, a definition error results.

  • ==: Match

  • !=: Does not match

  • ^=: First characters

  • >=: Is contained

  • <=: Is not contained

  • *=: Regular expression

Note: For details about regular expressions, see Appendix G. Regular Expressions in the JP1/Integrated Management 2 - Manager Overview and System Design Guide.

3

attribute-value

Specifies the value to be compared. You can specify a character string with a maximum of 2,048 bytes (1,023 bytes for JP1/IM - Manager version 09-10 or earlier) for an attribute value. If the value exceeds 2,048 bytes (1,023 bytes for JP1/IM - Manager version 09-10 or earlier), the definition is not valid.

When specifying multiple event attribute conditions, you can specify a maximum of 2,305 bytes (1,280 bytes for JP1/IM - Manager version 09-10 or earlier) for the total of the attribute values for all conditions. If the value exceeds 2,305 bytes (1,280 bytes for JP1/IM - Manager version 09-10 or earlier), the definition is not valid.

For example, if five event attribute conditions are specified, the total of these attributes must be equal to or smaller than 2,305 bytes (1,280 bytes for JP1/IM - Manager version 09-10 or earlier).

Separate multiple attribute values with the semicolon (;). Any number of consecutive semicolons between attribute values is treated as a single semicolon (;). For example, B.ID==A;;;;;B is treated as B.ID==A;B.

Example: If E.xxx==A;B is specified, the condition is satisfied when E.xxx matches A or B.

To use a comma (,) or semicolon (;) as an attribute value, or use a space on each end of an attribute value, enclose the part you want to use as an attribute value in double quotation marks (").

To specify a double-quotation mark (") or a backslash sign (\) in an attribute value, prefix it with a backslash sign (\).

  • If you specify multiple attribute values for a single attribute name, the condition is satisfied as shown in the following examples:

    Example 1: If E.xxx==A;B is specified, the condition is satisfied when E.xxx matches A or B.

    Example 2: If E.xxx!=A;B is specified, the condition is satisfied when E.xxx matches neither A nor B.

    Example 3: If E.xxx^=A;B is specified, the condition is satisfied when E.xxx begins with A or B.

    Example 4: If E.xxx>=A;B is specified, the condition is satisfied when E.xxx contains either A or B.

    Example 5: If E.xxx<=A;B is specified, the condition is satisfied when E.xxx contains neither A nor B.

    Example 6: If E.xxx*=A;B is specified, the condition is satisfied when E.xxx matches the regular expression of either A or B.

  • Be careful about specifying the same attribute name more than once in the same attribute condition. The following combinations result in a definition error:

    • A combination that never matches

    - The message (B.MESSAGE) begins with KAVB and does not include KAVB.

    • Redundant combinations

    - The message (B.MESSAGE) begins with KAVB and contains KAVB.

  • The system ignores any space (space and ASCII codes from 0x01 to 0x1F) between an attribute name, a comparison condition, and an attribute value, at both ends of an attribute value separated by a semicolon, and at both ends of an event attribute condition.

    Example: The message matches KAJVxxxx-IΔExecuted or Error.

    A space is ignored if it is specified at the location of Δ below:

    ΔB.MESSAGEΔ==Δ"KAJVxxxx-IΔExecuted";ΔErrorΔ

    The following specifications are the same as the above example:

    B.MESSAGE==KAJVxxxx-IΔExecuted;Error

    B.MESSAGE=="KAJVxxxx-IΔExecuted";Error

  • If you specify the event ID (B.ID) as the attribute name, the comparison condition must be a complete match (==).

The following table lists the attribute names that can be specified in the filtering condition for the correlation target range.

Table 2‒39: List of attribute names that can be specified in the filtering condition for the correlation target range

No.

Attribute name

Item

1

B.SOURCESERVER#1

Event-issuing server name

2

B.DESTSERVER#1

Target event server name

3

B.MESSAGE

Message

4

B.ID

Event ID

5

B.REASON

Reason for registration

6

B.USERID

Source user ID

7

B.GROUPID

Source group ID

8

B.USERNAME

Source user name

9

B.GROUPNAME

Source group name

10

E.JP1_SOURCEHOST#1

Event source host name

11

E.xxxxxxx#2

Extended attribute (common information, user-specific information)

#1

If the integrated monitoring database and the IM Configuration Management database are enabled, the business group name can be specified in a path format.

If the integrated monitoring database and the IM Configuration Management database are disabled, a business group name specified in a path format is treated as a host name.

If the -ignorecasehost option of the jcoimdef command is set to ON, and a comparison keyword other than Regular expression is selected, the character string is no longer case sensitive.

#2

You can also specify a JP1 product-specific extended attribute. For example, the program-specific extended attribute for the JP1/AJS job execution host is E.C0. For details about the product-specific extended attributes, consult the documentation for the products that issue JP1 events.

CON=event-condition

Defines the targets of correlation event generation processing or a condition for JP1 events that are to be excluded as targets. You can specify multiple event conditions. There must be at least one definition in each correlation event generation condition. You can define a maximum of 10 event conditions. If no event condition is defined or the specified definition is invalid, a definition error results.

The following is the specification format:

CON={NOT|[CID:n]},event-attribute-condition-1 [, event-attribute-condition-2[, event-attribute-condition-3 ...] ]

If you specify multiple event attribute conditions, separate them with the comma (,). When multiple event attribute conditions are specified, they are assumed to be connected with the AND condition, in which case the condition is satisfied only when a JP1 event that satisfies all the specified event attribute conditions is issued.

The following table lists and describes the items to be set for the event condition.

Table 2‒40: Items to be set for the event condition

No.

Item

Description

1

NOT

Specifies that JP1 events are to be excluded as targets of correlation event generation processing.

When you specify NOT as an event condition, that condition is applied first, regardless of the sequence in which the event conditions (CON statements) are defined.

2

CID:n

Specifies an ID for the condition. Specify this item to use a variable to pass the correlation source event information to another parameter (SAME_ATTRIBUTE, SUCCESS_EVENT). The permitted values are the integers in the range from 1 to 999.

For example, if the correlation source event consists of multiple JP1 events and the $EVn_B.MESSAGE variable is specified in the SUCCESS_EVENT parameter, message information for the correlation source event can be passed to the correlation event.

If this parameter is omitted, information cannot be passed to another parameter. If the specified value is preceded by zeros or the same CID is specified more than once, a definition error results.

3

event -attribute-condition

Specifies the event attribute condition in the following format:

Format:

attribute-name comparison-condition attribute-value

attribute-name

Specifies a JP1 event basic or extended attribute.

Prefix a basic attribute with B. and an extended attribute with E..

For example, to specify the message, specify B.MESSAGE.

If you specify an extended attribute, express the character string that follows E. using from 1 to 32 bytes of characters. The following rules apply:

The character string must begin with an uppercase letter.

The character string beginning in byte 2 must be expressed using uppercase alphanumeric characters and the underscore (_).

For details about basic and extended attributes, see 3.1 Attributes of JP1 events. To specify a product-specific extended attribute, consult the documentation for that product.

If you specify product-specific extended attributes, consult the documentation for the products that issue the JP1 events.

Note that you cannot specify the source IP address (SOURCEIPADDR).

comparison-condition and attribute value

The rules for specifying the comparison condition and attribute value are the same as for specifying the event attribute condition in TARGET.

See Table 2-38 Items to be set for an event attribute condition and the information following the table.

TIMEOUT=timeout-period

Specifies the timeout period for the correlation event generation condition. The permitted value range is from 1 to 86,400 (seconds). If this parameter is omitted, 60 seconds is assumed.

TYPE=event-correlation-type

Specifies the event correlation type.

The three event correlation types that can be specified are sequence, combination, and threshold, which are explained below:

  • sequence

    The correlation event generation condition is satisfied if the JP1 events that satisfy the defined event condition are issued in the order defined.

  • combination

    The correlation event generation condition is satisfied if a JP1 event that satisfies the combination of defined event conditions is issued regardless of the sequence.

  • threshold:n

    The correlation event generation condition is satisfied if the number of JP1 events that satisfy the defined event condition reaches the threshold. If multiple event conditions are defined, the correlation event generation condition is satisfied if the total number of JP1 events that satisfy any of the defined conditions reaches the threshold.

    The value permitted for the threshold is from 1 to 100 (count). For example, if the threshold is 10, specify as follows:

    threshold:10

This parameter is not case sensitive. If the event correlation type is omitted, combination is assumed.

SAME_ATTRIBUTE=duplicate-attribute-value-condition

Specifies the duplicate attribute value condition.

Define this parameter to group the JP1 events (correlation source events) that satisfy the event condition for an attribute value and to generate a correlation event for the group.

You can define a maximum of 3 duplicate attribute value conditions per correlation event generation condition. This parameter is optional.

The following shows the format:

- SAME_ATTRIBUTE=attribute-name | {$EVn_attribute-name | $EVn_ENVo} [, {$EVn_attribute-name | $EVn_ENVo} ...]

The following table lists and describes the items to be set for the duplicate attribute value condition.

Table 2‒41: Items to be set for the duplicate attribute value condition

No.

Item

Description

1

attribute-name

Specifies a JP1 event basic or extended attribute.

The attribute value of the correlation source event that corresponds to the attribute name specified here becomes the grouping key.

You can specify only one attribute-name per duplicate-attribute-value-condition.

Prefix a basic attribute with B. and an extended attribute with E. If you specify an extended attribute, express the character string that follows E. using from 1 to 32 bytes of characters. The following rules apply:

  • The character string must begin with an uppercase letter.

  • The character string beginning in byte 2 must be expressed as uppercase alphanumeric characters and the underscore (_).

For details about the specifiable attribute names, see Table 2-42 List of attribute names that can be specified in the duplicate attribute value condition.

2

Variable

$EVn_attribute-name

Specify this parameter if the attribute value to be used as the grouping key belongs to an attribute that varies for each correlation source event.

For example, specify this parameter to use attribute A' of correlation source event A and attribute B' of correlation source event B as the grouping key.

You can specify a maximum total of 10 $EVn_attribute-name and $EVn_ENVo parameters per duplicate attribute value condition.

For details, see (1)(a) Using an attribute value of the correlation source event as the duplicate attribute value condition.

3

Variable

$EVn_ENVo

Specify this parameter to use part of the attribute value of a correlation source event as the duplicate attribute value condition.

For example, specify this parameter to use part of the message (B.MESSAGE) as the grouping key.

You can specify a maximum total of 10 $EVn_ENVo and $EVn_attribute-name parameters per duplicate attribute value condition.

For details, see (1)(b) Using part of an attribute value of the correlation source event as the duplicate attribute value condition.

  • The attribute name and the value that is replaced with a variable (an attribute value or part of an attribute value) are case sensitive. Only values that perfect matches are able to be a duplicate attribute value condition.

  • If the attribute name and the value that is replaced with a variable (attribute value or part of an attribute value) are not in the correlation source event, they are replaced with the null character (0 byte). This means that the null character is used as the grouping key. If this occurs, the following character string is output to the correlation event generation history file:

    A JP1 event that matches the correlation event generation condition occurred and correlation event generation processing started, but the event attribute defined in that attribute value condition was not found in the JP1 event. (generation-condition-name(generation-processing-number) serial-number attribute-name)

  • If you specify SAME_ATTRIBUTE=duplicate-attribute-value-condition more than once, a correlation event is generated for each duplicate attribute value condition.

    For example, to issue a correlation event for each host name (B.SOURCESERVER) and user name (B.USERNAME), define as follows:

    :

    SAME_ATTRIBUTE=B.SOURCESERVER

    SAME_ATTRIBUTE=B.USERNAME

    :

  • If you specify multiple variables in the duplicate attribute value condition, separate them with the comma (,). A correlation event is generated for each attribute value that is replaced with a variable.

  • The system ignores any space (space and ASCII codes from 0x01 to 0x1F) between an attribute name and a variable ($EVn_attribute-name, $EVn_ENVo) and at both ends of a duplicate attribute value condition (Δ in the following example):

    Example:

    ΔSAME_ATTRIBUTEΔ=Δ$EV1_ENV1Δ,Δ$EV2_ENV2Δ

The following table lists the attribute names that can be specified in the duplicate attribute value condition

Table 2‒42: List of attribute names that can be specified in the duplicate attribute value condition

No.

Attribute name

Item

1

B.SOURCESERVER

Event-issuing server name

2

B.DESTSERVER

Target event server name

3

B.MESSAGE

Message

4

B.ID

Event ID

5

B.REASON

Reason for registration

6

B.USERID

Source user ID

7

B.GROUPID

Source group ID

8

B.USERNAME

Source user name

9

B.GROUPNAME

Source group name

10

E.xxxxxxx#

Extended attribute (common information, user-specific information)

#

You can also specify a JP1 product-specific extended attribute. For example, the product-specific extended attribute for the JP1/AJS job execution host is E.C0. For details about the product-specific extended attributes, consult the documentation for the products that issue JP1 events.

CORRELATION_NUM=maximum-correlation-number

Specifies the maximum number of JP1 event sets that can be held by the correlation event generation condition. Only one maximum correlation number can be defined for a single correlation event generation condition.

The permitted value range is from 1 to 1,024 (sets). If this parameter is omitted, 10 sets is assumed.

Note:

It is not recommended to specify CORRELATION_NUM for many correlation event generation conditions and a large value for the maximum correlation number.

Doing so will increase the number of JP1 event sets that need to be processed concurrently by the Event Generation Service, and result in an increase in the amount of memory required and a reduction in processing speed.

The maximum number of JP1 event sets that can be issued concurrently by all correlation event generation conditions is 20,000 sets. When 20,000 sets have been issued concurrently, a JP1 event (event ID: 00003F28) is output; until the number of sets drops below 20,000, no more processing is performed even if new JP1 events that satisfy the event conditions are issued.

SUCCESS_EVENT=correlation-approval-event

Defines the JP1 event (correlation event) that is to be issued when the correlation event generation condition results in correlation approval. Only one correlation approval event can be defined for a correlation event generation condition. For details about the conditions that result in correlation approval, see 4.3.6(1) Generation condition satisfied in the JP1/Integrated Management 2 - Manager Overview and System Design Guide.

If you have defined FAIL_EVENT=correlation-failure-event in the correlation event generation condition, you can omit this parameter. When this parameter is omitted, no correlation approval event is issued, even when the correlation event generation condition results in correlation approval.

Specify the correlation approval event in the following format:

attribute-name:attribute-value

The following describes each item.

attribute-name

Specifies a JP1 event basic or extended attribute (correlation source event). Prefix a basic attribute with B. and an extended attribute with E. If you specify an extended attribute, express the character string that follows E. using from 1 to 32 bytes of characters. The following rules apply:

• The character string must begin with an uppercase letter.

• The character string beginning in byte 2 must be expressed as uppercase alphanumeric characters and the underscore (_).

You can specify any value for the following attributes:

• Event ID (B.ID)

• Message (B.MESSAGE)

• Extended attributes, except for those listed in the table below.

Table 2‒43: Extended attributes for which a value cannot be specified

Attribute type

Item

Attribute name

Description

Common information

Product name

E.PRODUCT_NAME

/HITACHI/JP1/IM/GENERATE_EVENT

Object type

E.OBJECT_TYPE

SERVICE

Object name

E.OBJECT_NAME

EGS

Occurrence

E.OCCURRENCE

SUCCESS

User-specific information

Relation Event serial number

E.JP1_GENERATE_SOURCE_SEQNO

Stores the serial numbers of the correlation source events separated by the space:

serial-number-1Δserial-number-2Δserial-number-3...serial-number-n

The maximum value of n is 100.

Correlation event generation condition name

E.JP1_GENERATE_NAME

Name of correlation event generation condition that is satisfied

Reserved word

Extended attribute beginning with E.JP1_

Extended attribute reserved by JP1/IM - Manager (other than the event source host name (E.JP1_SOURCEHOST))

If you want to pass the attribute value of a correlation source event to the correlation event, specify a variable. Specify correlation-approval-event in the following format:

attribute-name:$EVn_attribute-name

In this case, specify the correlation source event to be inherited by CID of the event condition and then specify the value of CID in n. Specify a variable to the right of the colon.

For details, see (2)(a) Passing an attribute value of the correlation source event to an attribute value of the correlation event.

If you want to specify a threshold (threshold) as the event correlation type and pass an attribute value of the correlation source event to the correlation event, specify correlation-approval-event in the following format:

attribute-name:$EVn_m_attribute-name

In this case, specify the correlation source event to be inherited by CID and then specify in n the value of CID. Specify a variable to the right of the colon. Also, specify in m the location of the correlation source event whose attribute value is to be passed.

For details, see (2)(b) Passing an attribute value of the correlation source event to an attribute value of the correlation event (when the event correlation type is threshold).

If you wish to pass a portion of an attribute value of the correlation source event to the correlation event, specify the $EVn_ENVo variable. Use a regular expression to specify the event condition and enclose the portion of the attribute value to be acquired in parentheses.

Specify correlation-approval-event in the following format:

attribute-name:$EVn_ENVo

In this case, specify the correlation source event to be passed to CID and specify the value of CID in n. In o of ENVo, specify the acquisition order.

For details, see (2)(c) Passing part of an attribute value of the correlation source event to the correlation event.

For details about basic and extended attributes, see 3.1 Attributes of JP1 events. If you specify product-specific extended attributes, consult the documentation for the products that issue JP1 events.

  • You can specify multiple items in correlation source event by separating them with the comma (,).

  • Make sure that you specify the event ID of a basic attribute (B.ID). The permitted range of event IDs is from 0 to 1FFF and from 7FFF8000 to 7FFFFFFF. If the event ID is not specified, 0 is set as the event ID.

  • The maximum length of a single correlation approval event is 8,192 bytes. The maximum length of B.MESSAGE is 1,023 bytes. These maximum lengths include spaces but do not include linefeed codes.

  • The system ignores any space (space and ASCII codes from 0x01 to 0x1F) between an attribute name and an attribute value and at both ends of SUCCESS_EVENT=correlation-approval-event (the space is represented by Δ in the following example).

    Example:

    ΔSUCCESS_EVENTΔ=ΔB.IDΔ:Δ1Δ

  • To use a comma (,) or a space in an attribute value, enclose it in double-quotation marks (").

  • To specify a double-quotation mark (") or a backslash (\), prefix it with a backslash (\) so that the value becomes \" or \\.

    To restore a special character (^ $ . * + ? | ( ) { } [ ] \) to its original meaning, prefix it with two backslash signs so that the value becomes \\special-character.

    For example, to treat $ as a normal character, specify it as \\$. Also, to give \ its original meaning, specify \\\\.

  • If you omit an attribute value, nothing is set when a correlation event is generated. If you omit the attribute value of an attribute name (B.ID), 0 is set.

  • To specify a setting following the $EVn_attribute-name variable, specify a space (indicated by Δ in the example below) after the variable.

    Example:

    SUCCESS_EVENT=B.MESSAGE:"$EVn_B.IDΔ$EVn_B.TIMEΔ..."

  • If you use a variable and there is no matching attribute name, the variable is replaced with a space. If the variable would be replaced when the correlation event is generated with an attribute value that exceeds the permitted maximum value, the correlation event is not generated.

  • Up to 94 extended attributes can be specified.

FAIL_EVENT=correlation-failure-event

Defines a JP1 event (correlation event) that is to be issued when the correlation event generation condition results in a correlation failure. You can define only one correlation failure event per correlation event generation condition. For details about the conditions that result in a correlation failure, see 4.3.6(2) Generation condition fails in the JP1/Integrated Management 2 - Manager Overview and System Design Guide.

If you have specified SUCCESS_EVENT=correlation-approval-event in the correlation event generation conditions, you can omit this parameter. When this parameter is omitted, no correlation failure event is issued even if a correlation event generation condition results in a failure.

Specify correlation-failure-event in the same format as used for a correlation approval event. For details, see SUCCESS_EVENT=correlation-approval-event.

(1) Using a variable in the duplicate attribute value condition (SAME_ATTRIBUTE)

This subsection describes how to use a variable ($EVn or $EVn_ENVo) in the duplicate attribute value condition (SAME_ATTRIBUTE).

(a) Using an attribute value of the correlation source event as the duplicate attribute value condition

To use an attribute value of the correlation source event as the duplicate attribute value condition, use the $EVn_attribute-name variable. The format is as follows:

- SAME_ATTRIBUTE=$EVn_attribute-name

For n, specify the value that corresponds to the condition ID (CID) of the event condition. A value from 1 to 999 can be specified for the condition ID.

For attribute-name, specify the attribute name that is to be used as the grouping key. For details about the specifiable attributes names, see Table 2-42 List of attribute names that can be specified in the duplicate attribute value condition.

For example, the following definition associates JP1 events that have attribute values whose host information is different, such as a JP1 event of Windows log trapping (event ID: 00003A71) and a JP1 event issued by JP1/AJS (event ID: 00004107), and generates a correlation event for each host:

CON=CID:1,B.ID==3A71,E.A0==host1;host2
CON=CID:2,B.ID==4107,E.C0==host1;host2
          :
SAME_ATTRIBUTE=$EV1_E.A0,$EV2_E.C0
          :
(b) Using part of an attribute value of the correlation source event as the duplicate attribute value condition

To use part of the attribute value of a correlation source event as the duplicate attribute value condition, use the $EVn_ENVo variable. The format is as follows:

- SAME_ATTRIBUTE=$EVn_ENVo

When you specify $EVn_ENVo, use a regular expression (*=) to specify the event condition and enclose the part of the attribute value that is to be acquired in parentheses. For n, specify the value that corresponds to the condition ID (CID) of the event condition. A value from 1 to 999 can be specified for the condition ID.

In o of ENVo, specify the acquisition order. The acquisition order is based on the order of the parentheses in the right-hand term of the event condition, counting the pairs of parentheses from left to right. A value from 1 to 9 can be specified for the acquisition order.

The following figure shows the correspondence between the event condition (CON) and the part that is acquired by $EVn_ENVo.

Figure 2‒2: Correspondence between the event condition (CON) and the part that is acquired by $EVn_ENVo

[Figure]

If there are multiple event attribute conditions that specify regular expressions in a single event condition (CON), count the pairs of parentheses from left to right and set in o the order of the pair enclosing the attribute value that is to be acquired.

For example, if you want to issue correlation events for each event that has the same host name in the message in the correlation source event, define as follows:

CON=CID:1, B.ID==1001, B.MESSAGE*=.*HOST=(.*\\))
TYPE=threshold:5
SAME_ATTRIBUTE=$EV1_ENV1
          :

(2) Using a variable in the correlation approval event (SUCCESS_EVENT)

To pass an attribute value of the correlation source event to the correlation event, use a variable in the correlation approval event (SUCCESS_EVENT).

(a) Passing an attribute value of the correlation source event to an attribute value of the correlation event

To pass an attribute value of the correlation source event to an attribute value of the correlation event, use the $EVn_attribute-name variable. The format is as follows:

- SUCCESS_EVENT=attribute-name:$EVn_attribute-name

For n, specify the condition ID (CID) that was specified in the event condition. For the right-hand attribute-name, specify the attribute that is to be passed from the correlation source event. Note that if the event ID (B.ID) is specified in the left-hand attribute-name, an attribute value of the correlation source event cannot be passed.

The following table lists the attribute names that can be specified in the variable.

Table 2‒44: List of attribute names that can be specified in the variable

No.

Attribute name

Item

Format

1

B.SEQNO

Serial number

Numeric value

2

B.ID

Event ID

basic-part:extended-part in hexadecimal notation

3

B.PROCESSID

Source process ID

Numeric value

4

B.TIME

Registered time

YYYY/MM/DD hh:mm:ss#1

5

B.ARRIVEDTIME

Arrived time

YYYY/MM/DD hh:mm:ss#1

6

B.REASON

Reason for registration

Character string

7

B.USERID

Source user ID

Numeric value

8

B.GROUPID

Source group ID

Numeric value

9

B.USERNAME

Source user name

Character string

10

B.GROUPNAME

Source group name

Character string

11

B.SOURCESERVER

Event-issuing server name

Character string

12

B.DESTSERVER

Target event server name

Character string

13

B.SOURCESEQNO

Source serial number

Numeric value

14

B.MESSAGE

Message

Character string

15

E.SEVERITY

Event level

Character string

16

E.USER_NAME

User name

Character string

17

E.PRODUCT_NAME

Product name

Character string

18

E.OBJECT_TYPE

Object type

Character string

19

E.OBJECT_NAME

Object name

Character string

20

E.ROOT_OBJECT_TYPE

Root object type

Character string

21

E.ROOT_OBJECT_NAME

Root object name

Character string

22

E.OBJECT_ID

Object ID

Character string

23

E.OCCURRENCE

Occurrence

Character string

24

E.START_TIME

Start time

YYYY/MM/DD hh:mm:ss#1

25

E.END_TIME

End time

YYYY/MM/DD hh:mm:ss#1

26

E.xxxxxx#2

Other extended attribute

Character string

#1

This value is obtained by converting the JP1 event's time in GMT to the time zone of JP1/IM - Manager.

#2

You can also specify a JP1 product-specific extended attribute. For example, the program-specific extended attribute for the JP1/AJS job execution host is E.C0. For details about the product-specific extended attributes, consult the documentation for the products that issue JP1 events.

The following figure shows an example of passing an attribute value from the correlation source event.

Figure 2‒3: Example of using a variable to pass an attribute value to the correlation approval event

[Figure]

In this example, the event levels issued by JP1/AJS and JP1/Base associate the JP1 event for an error, resulting in generation of a correlation event.

This example defines correlation-approval-event as follows:

(b) Passing an attribute value of the correlation source event to an attribute value of the correlation event (when the event correlation type is threshold)

This subsection describes how to define a correlation approval event using a variable when the event correlation type is threshold.

When the event correlation type is threshold, multiple JP1 events can satisfy a single event condition (CON). The following figure shows an example.

Figure 2‒4: When the event correlation type is threshold

[Figure]

As shown in this figure, three JP1 events (Event 1, Event 2, and Event 3) match $EV1_B.MESSAGE. Therefore, the message to be passed must be specified.

In this case, specify the correlation approval event in the following format:

- SUCCESS_EVENT=attribute-name:$EVn_m_attribute-name

For n, specify the condition ID (CID) that was specified in the event condition as described above. For the right-hand attribute-name, specify the attribute that is to be passed from the correlation source event. Note that if the event ID (B.ID) is specified in the left-hand attribute-name, an attribute value of the correlation source event cannot be passed.

In m, specify the order in which the JP1 events (correlation source events) are processed. To pass the attribute value of the third JP1 event that was processed, specify 3 in m. If the value of m is greater than the value specified in the threshold (threshold:n), a definition error results.

The following figure shows an example of passing attribute values when the event correlation type is threshold.

Figure 2‒5: Example of passing attribute values when the event correlation type is threshold

[Figure]

You can omit both n and m in attribute-name:$EVn_m_attribute-name. The following examples describe how attribute values are passed when n and m are omitted.

Example 1:

If a JP1 event containing Login error in the message is issued three times, generate a correlation event that receives the message in the correlation source event.

Definition in the correlation event generation definition file

[ex.1]

CON=CID:1,B.MESSAGE*="Login error"

TYPE=threshold:3

SUCCESS_EVENT=B.ID:A00,E.SEVERITY:Error,B.MESSAGE:setting

Table 2‒45: Conditions to be satisfied and settings (in Example 1)

No.

Condition to be satisfied

Setting

1

Pass to the correlation event the message in the first JP1 event that satisfies the event condition

$EV1_1_B.MESSAGE

or $EV_1_B.MESSAGE

2

Pass the message in the second JP1 event that satisfies the event condition

$EV1_2_B.MESSAGE

or $EV_2_B.MESSAGE

3

Pass the message in the third (last) JP1 event that satisfies the event condition

$EV1_3_B.MESSAGE,

$EV1_B.MESSAGE,

$EV_3_B.MESSAGE,

or $EV_B.MESSAGE

Example 2:

If a JP1 event that satisfies either of the conditions listed below is issued 10 times, generate a correlation event that receives the message in the correlation source event.

  • Event ID is 100 and the message contains Warning.

  • Event ID is 200 and the message contains Warning or Error.

Definition in the correlation event generation definition file:

[ex.2]

CON=CID:100,B.ID==100,B.MESSAGE*="Warning"

CON=CID:200,B.ID==200,B.MESSAGE*="Warning";"Error"

TYPE=threshold:10

SUCCESS_EVENT=B.ID:B00,E.SEVERITY:Error,B.MESSAGE:setting

Table 2‒46: Conditions to be satisfied and settings (in Example 2)

No.

Condition

Setting

1

Pass to the correlation event the message in the first JP1 event that satisfies the event condition (condition ID: 100)

$EV100_1_B.MESSAGE

2

Pass to the correlation event the message in the fifth JP1 event that satisfies the event condition (condition ID: 100)

$EV100_5_B.MESSAGE

3

Pass to the correlation event the message in the 10th JP1 event that satisfies the event condition (condition ID: 100)

$EV100_10_B.MESSAGE

4

Pass to the correlation event the message in the first JP1 event processed, regardless of the event conditions

$EV_1_B.MESSAGE

5

Pass to the correlation event the message in the fifth JP1 event processed, regardless of the event conditions

$EV_5_B.MESSAGE

6

Pass to the correlation event the message in the 10th (last) JP1 event processed, regardless of the event conditions

$EV_10_B.MESSAGE

or $EV_B.MESSAGE

The following summarizes the processing:

When n is omitted:

If n is omitted, only the correlation source event with the order specified in m is used for checking the conditions. For example, if 3 is specified in m, the attribute value of the third correlation source event processed is passed to the correlation event.

When m is omitted:

If m is omitted, the last correlation source event processed is the target, regardless of the order. For example, if the threshold is 10, the attribute value of the 10th correlation source event processed is passed.

If n is specified, the attribute value of the last correlation source event processed by the event condition is passed.

When n and m are both omitted:

If n and m are both omitted, the last correlation source event processed is the target, regardless of the event conditions or the order of processing.

Note that regardless of whether n or m is specified, if no (source) JP1 event satisfies the conditions, the variable is replaced with the null character (0 bytes).

(c) Passing part of an attribute value of the correlation source event to the correlation event

To pass part of an attribute value of the correlation source event to the correlation event, use the $EVn_ENVo variable. In this case, use a regular expression (*=) to specify the event condition and enclose the part of the attribute value that is to be acquired in parentheses.

Specify correlation-approval-event in the following format:

SUCCESS_EVENT=attribute-name:$EVn_ENVo

Specify the correlation source event to be received by CID and specify the value of CID in n. In o of ENVo, specify the acquisition order. The following figure shows an example of receiving part of an attribute value.

Figure 2‒6: Example of receipt by the correlation approval event when the $EVn_ENVo variable is used

[Figure]

This example uses parentheses to acquire the right-hand term of ErrorCode= from the correlation source event that is specified by the conditions of condition ID (CID) =1 and condition ID (CID) =2.

If you use the $EVn_ENVo variable, when a correlation source event that has an attribute value containing a specific character string is issued, you can generate a correlation event, and then pass the portion of the character string contained in the attribute value to the correlation event.

In this case, specify in o of ENVo the numeric value that determines the parentheses pair that follows the regular expression (*=) specified in the event conditions. In other words, count parentheses pairs from left to right for the attribute value in the correlation source event that follows the regular expression (*=) in the event conditions, and then specify in o the location that is to be passed.

The part acquired by $EVn_ENVo is the same as when $EVn_ENVo is specified in the duplicate attribute value condition. For details, see Figure 2-2 Correspondence between the event condition (CON) and the part that is acquired by $EVn_ENVo.

The example shown below generates a correlation event if a correlation source event with an attribute value that contains a specific character string is issued, and passes part of the character string contained in that attribute value to the correlation event.

Figure 2‒7: Example of passing part of a character string contained in an attribute value to the correlation event

[Figure]

This example specifies the definition in such a manner that whenever a correlation source event that satisfies the conditions listed below is generated, an attribute value is passed from it to the correlation event:

  • host= is followed by MANAGER_A, AGENT_A, AGENT_B, or AGENT_C.

  • ErrorCode= is followed by a character string of at least 4 characters.#

#
  • If the character string consists of more than four characters, only the first four characters are passed.

    For example, in the case of ErrorCode=12345678, 1234 is passed.

  • If the character string consists of fewer than four characters, the necessary number of characters that follow ErrorCode= character-string are included so that four characters are passed.

    For example, in the case of ErrorCode=1 2006/11/11, 1 20 is passed.

If the character string that follows ErrorCode= consists of fewer than 4 characters, no correlation event is generated.

Example definition

Example 1: Generate a correlation event for any JP1 event whose event level is Error or higher:
VERSION=2
 
#Generate a correlation event for any a JP1 event
#whose event level is Error or higher
[filter_over_error]
CON=CID:1,B.ID==1,E.SEVERITY==Error;Critical;Alert;Emergency
SUCCESS_EVENT=E.SEVERITY:Emergency,B.MESSAGE:$EV1_B.MESSAGE
Example 2: Generate a correlation event for any JP1 event whose event level is Error or higher and for any JP1 event issued by JP1/AJS whose event level is Error:

If the following definition is specified and JP1/AJS issues a JP1 event whose event level is Error, two correlation events will be generated because the JP1 event satisfies the two correlation event generation conditions over_error and ajs2_over_error:

VERSION=2
 
#Generate a correlation event for any JP1 event whose
#event level is Error or higher.
[over_error]
CON=CID:1,E.SEVERITY==Error;Critical;Alert;Emergency
SUCCESS_EVENT=E.SEVERITY:Emergency,B.MESSAGE:$EV1_B.MESSAGE
 
#Generate a correlation event for any JP1 event issued by
#JP1/AJS@ whose event level is Error.
[ajs2_over_error]
CON=CID:1,E.SEVERITY==Error,E.PRODUCT_NAME==/HITACHI/JP1/AJS2
SUCCESS_EVENT=E.SEVERITY:Emergency,B.MESSAGE:$EV1_B.MESSAGE

To generate only one correlation event when JP1/AJS issues a JP1 event whose event level is Error, specify the first correlation event generation condition as follows:

VERSION=2
 
#Generate a correlation event for any JP1 event whose
#event level is Error or higher.
#Exclude events issued by JP1/AJS2.
[over_error_and_not_ajs2]
CON=NOT,E.SEVERITY==Error,E.PRODUCT_NAME==/HITACHI/JP1/AJS2
CON=CID:1,E.SEVERITY==Error;Critical;Alert;Emergency
SUCCESS_EVENT=E.SEVERITY:Emergency,B.MESSAGE:$EV1_B.MESSAGE
 
#Generate a correlation event for any JP1 event issued by
#JP1/AJS2 whose event level is Error.
[ajs2_over_error]
CON=CID:1,E.SEVERITY==Error,E.PRODUCT_NAME==/HITACHI/JP1/AJS2
SUCCESS_EVENT=E.SEVERITY:Emergency,B.MESSAGE:$EV1_B.MESSAGE
Example 3: Define a timeout period:
VERSION=2
 
[condition]
CON=NOT,E.SEVERITY==Error,E.PRODUCT_NAME==/HITACHI/JP1/AJS2
 
CON=CID:1,B.ID==1,B.MESSAGE==TEST,E.SEVERITY==Warning
CON=CID:2,B.ID==1,B.MESSAGE==TEST,E.SEVERITY==Error
CON=CID:3,B.ID==1,B.MESSAGE==TEST,E.SEVERITY==Critical
 
TIMEOUT=10
SUCCESS_EVENT=E.SEVERITY:Emergency,B.MESSAGE:$EV1_B.MESSAGE
Example 4: Generate a single correlation event that combines the messages in JP1 events issued by JP1/AJS2 and JP1/Base and whose event level is Error:
VERSION=2
 
[cond1]
 
CON=CID:1,E.SEVERITY==Error,E.PRODUCT_NAME>=HITACHI/JP1/AJS2
CON=CID:5,E.SEVERITY==Error,E.PRODUCT_NAME>=HITACHI/JP1/Base
 
SUCCESS_EVENT=E.SEVERITY:$EV1_E.SEVERITY,B.MESSAGE:"$EV1_B.MESSAGE $EV5_B.MESSAGE"
Example 5: Acquire a value by using the $EVn_ENVo variable:

This example acquires the detail code errorΔcodeΔ=ΔnΔ that is included in the message and then places it in the message in the correlation event (n: any character string; Δ: Space).

VERSION=2
 
[SAMPLE]
 
CON=CID:100, B.MESSAGE*=(errorΔcodeΔ=.*Δ)
SUCCESS_EVENT=B.ID:100,E.SEVERITY:Emergency,B.MESSAGE: error-information[$EV100_ENV1Δ]
Example 6: Narrow down the target range for correlation by the host and generate a correlation event for each user with the maximum correlation number set to 20:
VERSION=2
 
[condition2]
TARGET=B.SOURCESERVER==host1;host2;host3
CON=NOT, E.SEVERITY==Error, E.PRODUCT_NAME==/HITACHI/JP1/AJS2
 
CON=CID:1, B.ID==1, B.MESSAGE==TEST, E.SEVERITY==Warning
CON=CID:2, B.ID==1, B.MESSAGE==TEST, E.SEVERITY==Error
CON=CID:3, B.ID==1, B.MESSAGE==TEST, E.SEVERITY==Critical
 
SAME_ATTRIBUTE=E.USERNAME
CORRELATION_NUM=20
TIMEOUT=10
SUCCESS_EVENT=B.MESSAGE:$EV1_B.MESSAGE