IM InfoSphere Identity Insight, Version 8.0

Creating an event rule to count complex events

Create a basic COUNT event rule to count events and create an event alert if the total count exceeds a set threshold. For example, you could create an event rule that counts all wire transfer transactions within 24 hours and sends an event alert if the transaction count is more than 500.

Before you begin

You must have an existing CEP project, which groups events rules and all rules configuration.

About this task

These steps provide the basic instructions for creating a simple business rule that counts the value of your choosing. For some steps, there are multiple ways to achieve the same end result. For more options, refer to the Situations section of the IBM Advanced Middlewaretm Technology User's Guide (guide for the Eclipse-basedtm CEP Rule Author tool), which is included with your product.

Procedure

  1. In the left navigation pane, right-click Situation and select New > Situation. Make sure the correct project name displays in Event Processing Project.
  2. Enter a unique rule name in Situation name. The situation name is the event rule name that displays in the entity database and in the Visualizer component, if you choose to display event alerts there. Make the name meaningful to those who analyze the event alerts. For example, if you are creating a rule to count all the events that occurred at a particular branch location, you might name this rule CountBranch102Transactions.
  3. In Select source, select Empty of Type and then select one of the following values from the drop-down list:
    • atleast: At least n or more events have arrived during the life span.
    • atmost: No more than n events have arrived by the end of the life span.
    Both situation types can count event values, as well as preserve the information of each event that met the event rule. For more information about situation types, refer to Situation Properties in the User's Guide .
  4. Click Finish. When the main situations screen displays, you might notice several errors in the Problems section. These errors indicate missing values, but you can ignore these errors for now. As you complete these steps, the errors go away.
  5. In the Events section, select EVENT as the base event for this rule. EVENT is the always the base event for every event business rule. It contains the necessary mapping to the entity database GEM_TABLE and the EVENT data segment.
  6. You can build a threshold condition to filter events before they are evaluated against this rule, so that the events must meet the threshold condition specified to be considered.
  7. On the Condition & Results tab in Lifespan, select EASLifeSpan. Notice that until you make the selection, this field displays in red. The red color indicates that this is a required field, and it is one of the errors listed in the Problems section. When you make the lifespan selection, the error disappears from the Problems section.
  8. In Quantity, enter the "atleast" or "atmost" quantity that the event rule counts to before generating the event alert.
  9. In Detection Mode, notice that immediate is selected. Keep this selection. The detection mode determines when to calculate and report the results of the events. The immediate selection generates an alert as soon as the count reaches the quantity.
  10. In Situation Attributes, enter the required situation attribute names, types, and expressions:
    • EVENT_SIT_STATUS
    • REASON_DESC
    • ALERT_GROUP
  11. To preserve the details of all the events that make up the count, add the EVENTS situation attribute, using the following information:
    1. In Name, enter EVENTS,
    2. In Type, enter integer.
    3. In Expression, enter EVENT_ID (or select it in the Expression Builder).
    4. Click Show Advanced to display the Dimensions column, and enter [] in the column to indicate that the type is an array of events.
    These values instruct CEP to send the internal EVENT_ID of each event included in the total sum back to the pipeline along with the event alert. The pipeline writes each EVENT_ID to the entity database and sends the information to the Visualizer or the client application used to display event alerts. The EVENT_ID is an internal sequential number (ID) created by the pipeline when it sends event data to the CEP engine.
  12. Save the event rule.


Feedback

Last updated: 2011