Event rules define how to process events and what situations generate event alerts. Event rules (called Situation Types in the Eclipse-based™ CEP Rule Author tool) are included in the cep.xml event rules file that Event Manager and the CEP engine use to process incoming event data. The complex event rules that you define are unique to your organization.
Before you begin defining event rules, keep the following considerations in mind so that your rules work with Event Manager:
To return event data from the complex event processor to the entity database, you must manually add the required situation attributes to each event business rule that you create. These attributes are not part of the starting cep.xml event rules file, so importing that starting file does not automatically create event business rules (situations) or add these attributes to any new or existing rules.
Attribute name | Attribute type | Attribute expression | Attribute description |
---|---|---|---|
EVENT_SIT_STATUS | string | "PENDING" | Indicates the event alert status for the event alert. In the Visualizer, the event alert status is displayed as part of the Alert Summary. All newly generated alerts typically receive the pending status, indicating that a Visualizer user needs to analyze and disposition that alert. Keep in mind that an event alert status can be anything that makes sense for your organization and is configured as an event status in the Configuration Console. If you do not want the event to display in the Visualizer, use the "CLOSED" event alert status. |
REASON_DESC | string | "Description_of_event_rule_or_alert" | Describes the event rule that triggered the event alert. Make this description as meaningful as possible for your analysts. For example, if the event rule generates an alert when an entity transacts over $1500 in a 24-hour period, you might enter "SumOver1500" as the REASON_DESC. |
ALERT_GROUP | string | "Visualizer_user_group" | Indicates which Visualizer user group to assign event alerts generated from this event rule. Typically, this value is "DEFAULT", but you can enter any Visualizer user group configured in the Configuration Console. |
Typically, event alerts are triggered from more than one complex event. You can display event alerts in the Visualizer or a client application, but by default, the details of the events that made up that alert are not included.
Name | Type | Expression | Dimension (Show Advanced button) |
---|---|---|---|
EVENTS | integer | Event.EventID | [] (to indicate that the EventID is an array). You must edit the Situation Attribute and click the Show Advanced button to see and define the setting for this column. |
If you display your event alerts in the Visualizer, keep the REASON_DESC situation attribute a simple string of text, rather than adding values from the event to the message. The Visualizer groups common alerts into one alert summary that includes a count of the number of alerts included in the summary. Analysts click on an alert summary to disposition all the alerts contained in that summary.
If you define values from the event in the REASON_DESC, each event alert displays as a separate alert summary with a count of 1, which means that your analysts see every event alert in both the alert summary and the alert detail areas of the Alert Summary window.
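The following check is an added example, not part of the product or of the original page. It lints event rule definitions against the attribute tables above and shows how REASON_DESC values group into alert summaries. The dictionary shape, the rule named BadRule, Event.Amount, and the "+" concatenation syntax are assumptions, because the cep.xml schema is not shown here.

```python
import re
from collections import Counter

# Required attributes from the first table on this page: name -> type.
REQUIRED = {"EVENT_SIT_STATUS": "string", "REASON_DESC": "string", "ALERT_GROUP": "string"}
LITERAL = re.compile(r'^"[^"]*"$')  # one double-quoted literal, nothing appended

def lint_situation(name, attrs):
    """attrs (assumed shape): {attribute: (type, expression, dimension)}."""
    problems = []
    for attr, want in REQUIRED.items():
        if attr not in attrs:
            problems.append(f"{name}: missing {attr}")
            continue
        typ, expr, _dim = attrs[attr]
        if typ != want:
            problems.append(f"{name}: {attr} must be {want}, got {typ}")
        if attr == "REASON_DESC" and not LITERAL.match(expr.strip()):
            problems.append(f"{name}: REASON_DESC is not a plain string literal: {expr}")
    if "EVENTS" in attrs and attrs["EVENTS"] != ("integer", "Event.EventID", "[]"):
        problems.append(f"{name}: EVENTS must be integer Event.EventID, dimension []")
    return problems

def alert_summaries(reason_descs):
    """One summary per distinct REASON_DESC, with its alert count."""
    return Counter(reason_descs)

# Constructed sample rules; Event.Amount and the "+" syntax are hypothetical.
RULES = {
    "SumOver1500": {
        "EVENT_SIT_STATUS": ("string", '"PENDING"', ""),
        "REASON_DESC": ("string", '"SumOver1500"', ""),
        "ALERT_GROUP": ("string", '"DEFAULT"', ""),
        "EVENTS": ("integer", "Event.EventID", "[]"),
    },
    "BadRule": {
        "EVENT_SIT_STATUS": ("string", '"PENDING"', ""),
        "REASON_DESC": ("string", '"Over limit: " + Event.Amount', ""),
        "EVENTS": ("integer", "Event.EventID", ""),  # dimension not set
    },
}

if __name__ == "__main__":
    for rule, attrs in RULES.items():
        print(rule, lint_situation(rule, attrs) or "OK")
    print(alert_summaries(["SumOver1500"] * 3))
    print(alert_summaries(["Over limit: 1600", "Over limit: 2100", "Over limit: 1750"]))
```

With the fixed string, three alerts collapse into one summary with a count of 3; with event values in the description, the same three alerts produce three summaries with a count of 1 each.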