ECDL

This is a brief description of the use of a functional programming language in the real world product Hewlett-Packard Event Correlation Services (HP ECS) which has been recently announced. HP ECS is part of the HP Openview product.

The Problem Domain

A telecommunication network sends event messages, such as failure alarms, to a network management station. These will be displayed for the operators. But some incidents in a telecommunication network may generate large numbers of events per incident, called an event storm. An example is when a trunk cable is cut. Typically each channel in the cable will generate an alarm message when it is cut and another notification when it is restored.

An event storm overloads the operators with information making it difficult to tell what kind of incident and where the incident occurred. To solve this problem an event correlation stage is inserted between the network and the management station. The correlator translates a groups of events into a single event that better describes the nature of the incident.

The correlator applies the expertise of the operator in judging the cause of the event storm. Some commercial products use an expert system to perform the correlation. These tend to be slow, too slow for event storms in large networks. The other extreme is to encode the expertise in the logic of a program in some conventional language such as C. This will give a fast correlator but one that is difficult to maintain.

The event correlation technology in HP ECS falls in between these extremes. The correlator algorithm is implemented as a network of processing nodes called the correlation circuit. Each node operates on one or more input streams of events to produce an output stream of events. The final output from the circuit is the correlated event stream.

An example of a node is the filter node. This splits a stream of events into two streams depending on a predicate applied to each event.

The System Structure

The system is composed of the following major parts.

ECDL

ECDL has a structural side and a functional side. The structural side descibes how a circuit is assembled from nodes. It won't be described any further here. The functional side is for implementing the functions that parameterise a node e.g. the predicate of a filter node. It is a mini eager functional language modeled after Standard ML. The types in ECDL include:

An event may be of different formats, used by different kinds of networks. These include ASN.1 for CMIP, a restricted ASN.1 for SNMP or sometimes ASCII strings. Since ECS is expected to cope with any of these formats it only provides more general data structures such as tuples and lists. The engine maps the event into ECDL data structures.

An event is represented as a kind of (a subtype of) a dictionary from attributes to values. The type of an attribute value may not be known until run-time so ECDL is dynamically typed (along the lines of Scheme).

The type system includes subtyping to better describe the possible types a variable may have at run-time. The compiler uses a simple form of "soft typing" to report statically knowable type errors at compile time.

To simplify writing loops in ECDL there are a number of predefined looping constructs, summarised below. (P is a predicate and f some function).

	exists x in xlist :- P x

	forall x in xlist :- P x

	find x in xlist :- P x	  
		(finds an element and the list tail following it)

	[f x | x in xlist :- P x]

	foldl and foldr

The features of functional languages that are especially useful to the event correlation domain include:

Compiling

The compiler produces 3-address code for a virtual machine (VM). This is interpreted within the engine. The performance of this is sufficient for correlation purposes. The compiler has been implemented using SML/NJ 0.93.

Further Information

Further information on Hewlett-Packard Event Correlation Services can be obtained from Hewlett-Packard

This page was prepared by Anthony Shipman on 25 June 1996.