A telecommunication network sends event messages, such as failure alarms, to a network management station. These will be displayed for the operators. But some incidents in a telecommunication network may generate large numbers of events per incident, called an event storm. An example is when a trunk cable is cut. Typically each channel in the cable will generate an alarm message when it is cut and another notification when it is restored.
An event storm overloads the operators with information, making it difficult to tell what kind of incident occurred and where. To solve this problem an event correlation stage is inserted between the network and the management station. The correlator translates a group of events into a single event that better describes the nature of the incident.
The correlator applies the expertise of the operator in judging the cause of the event storm. Some commercial products use an expert system to perform the correlation. These tend to be slow, too slow for event storms in large networks. The other extreme is to encode the expertise in the logic of a program in some conventional language such as C. This will give a fast correlator but one that is difficult to maintain.
The event correlation technology in HP ECS falls in between these extremes. The correlator algorithm is implemented as a network of processing nodes called the correlation circuit. Each node operates on one or more input streams of events to produce an output stream of events. The final output from the circuit is the correlated event stream.
An example of a node is the filter node. This splits a stream of events into two streams depending on a predicate applied to each event.
An event may arrive in any of several formats, used by different kinds of networks. These include ASN.1 for CMIP, a restricted ASN.1 for SNMP or sometimes ASCII strings. Since ECS is expected to cope with any of these formats it only provides more general data structures such as tuples and lists. The engine maps the event into ECDL data structures.
An event is represented as a kind of (a subtype of) a dictionary from attributes to values. The type of an attribute value may not be known until run-time so ECDL is dynamically typed (along the lines of Scheme).
The type system includes subtyping to better describe the possible types a variable may have at run-time. The compiler uses a simple form of "soft typing" to report statically knowable type errors at compile time.
To simplify writing loops in ECDL there are a number of predefined looping constructs, summarised below. (P is a predicate and f some function).
    exists x in xlist :- P x
    forall x in xlist :- P x
    find x in xlist :- P x    (finds an element and the list tail following it)
    [f x | x in xlist :- P x]
    foldl and foldr
The features of functional languages that are especially useful to the event correlation domain include:
    node my_filter is filter
        parameters
            condition => red_alert andP battery_fail
    end

where 'red_alert' and 'battery_fail' are predicates on events and 'andP' produces a predicate that tests if the event matches both predicates.
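The filter node and the andP combinator above, fed by a node that collapses a trunk-cut event storm into one event, sketched in Python as an added example. It is not ECDL or HP ECS code; the attribute names, the 5-second window, the threshold of 3 alarms and the storm_node function are assumptions made for illustration.

```python
from collections import defaultdict

# An event is a dictionary from attributes to values. Attribute names used
# here (time, cause, severity, trunk, channel, site) are assumptions.

def andP(p, q):
    """Build a predicate that holds when an event matches both p and q."""
    return lambda ev: p(ev) and q(ev)

def red_alert(ev):
    # .get() because an attribute may be absent or of any type at run time
    return ev.get("severity") == "critical"

def battery_fail(ev):
    return ev.get("cause") == "battery_fail"

def filter_node(events, condition):
    """Split one event stream into (matching, non-matching) streams."""
    passed, failed = [], []
    for ev in events:
        (passed if condition(ev) else failed).append(ev)
    return passed, failed

def storm_node(events, window=5.0, threshold=3):
    """Replace a burst of channel alarms on one trunk with one trunk_cut event."""
    by_trunk, out = defaultdict(list), []
    for ev in events:
        if ev.get("cause") == "loss_of_signal" and "trunk" in ev:
            by_trunk[ev["trunk"]].append(ev)
        else:
            out.append(ev)
    for trunk, alarms in by_trunk.items():
        alarms.sort(key=lambda e: e["time"])
        burst = alarms[-1]["time"] - alarms[0]["time"] <= window
        if len(alarms) >= threshold and burst:
            out.append({"time": alarms[0]["time"], "cause": "trunk_cut",
                        "severity": "critical", "trunk": trunk,
                        "channels": [a.get("channel") for a in alarms]})
        else:
            out.extend(alarms)  # too few alarms to call it a storm
    return sorted(out, key=lambda e: e["time"])

# Constructed sample: four channel alarms from one cut trunk, two battery
# events, and one isolated channel alarm on another trunk.
SAMPLE = [{"time": 10.0 + 0.1 * ch, "cause": "loss_of_signal", "trunk": "T1",
           "channel": ch, "severity": "major"} for ch in range(4)] + [
    {"time": 11.0, "cause": "battery_fail", "site": "S7", "severity": "critical"},
    {"time": 12.0, "cause": "battery_fail", "site": "S8", "severity": "minor"},
    {"time": 30.0, "cause": "loss_of_signal", "trunk": "T2", "channel": 0}]
```

Passing storm_node(SAMPLE) through filter_node with andP(red_alert, battery_fail) reduces the seven sample events to four and routes the one critical battery failure to the first output stream.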
This page was prepared by Anthony Shipman on 25 June 1996.