IM InfoSphere Identity Insight, Version 8.0

Creating an event rule to sum complex events

Create a basic SUM event rule to sum the totals of events and create an event alert if the sum of those events exceeds a set threshold. For example, you could create an event rule that sums all money transfers sent by one person within 24 hours and send an event alert if the sum of those money transfers (events) is more than $15,000.

Before you begin

You must have an existing CEP project, which groups events rules and all rules configuration.

About this task

These steps provide the basic instructions for creating a simple business rule that sums the value of your choosing. For some steps, there are multiple ways to achieve the same end result. For more options, refer to the Situations section of the IBM Advanced Middlewaretm Technology User's Guide (guide for the Eclipse-basedtm CEP Rule Author tool), which is included with your product.

Procedure

  1. In the left navigation pane, right-click Situation and select New > Situation. Make sure the correct project name displays in Event Processing Project.
  2. Enter a unique rule name in Situation name. The situation name is the event rule name that displays in the entity database and in the Visualizer component, if you choose to display event alerts there. Make the name meaningful to those who analyze the event alerts. For example, if you are creating a rule to sum the value of all events and then send an alert if the sum of the events crosses the $15,000 limit, you might name this rule SumOver15K.
  3. In Select source, select Empty of Type and then select atleast from the drop-down list. The atleast situation can sum event values, as well as preserve the information of each event that met the event rule. For more information about situation types, refer to Situation Properties in the User's Guide .
  4. Click Finish. When the main situations screen displays, you might notice several errors in the Problems section. These errors indicate missing values, but you can ignore these errors for now. As you complete these steps, the errors go away.
  5. In the Events section, select EVENT as the base event for this rule. EVENT is the always the base event for every event business rule. It contains the necessary mapping to the entity database GEM_TABLE and the EVENT data segment.
  6. You can build a threshold condition to filter events before they are evaluated against this rule so that events must meet the threshold condition specified to be considered.
  7. To build the summing expression, click Show Advanced and then Edit.
  8. In Quantifier, select each. This selection ensures that each incoming event record that satisfies the conditions of this event rule are included in the total sum.
  9. In Weight, click ... to edit the field. Use the Expression Builder to select the event field to sum. Make sure that the expression displays in the Expression Builder Text area and then click OK. By default, the weight of each event is equal to 1. When the event rule is evaluated, the sum of all weights is compared to the Quantity attribute on the Condition & Results tab. When the total equals at least the quantity indicated, an event alert is generated. For example, to sum the values of each event that meets the event rule, select EVENT.EVENT_VALUE.
  10. If the field selected as the weight contains decimal digits (double type), use the Expression Builder to build an expression to do the following: .
    1. Multiply the calculation results by 100 to keep the decimal digits a convert the dollars to cents.
    2. Convert the double type to an integer. You can achieve this using functions.
    For example, if you are totalling the values of events (EVENT.EVENT_VALUE), you might enter EVENT.EVENT_VALUE*100 in the Expression Builder Text. area. Then you might select Functions > Math > Round to round the result to the closest integer value. The final expression displays as Round(EVENT.EVENT_VALUE*100).
  11. In Sum Expression, click ...to edit the field and select the event field to sum. For example, to sum the value of each event that meets or exceeds the event rule, select EVENT_VALUE .
  12. To sum only events that meet a specific condition, enter the condition in Threshold Condition or use the Expression Builder to assist you. For example, to only sum the values of events that occurred at Branch 102, enter EVENT.EVENT_LOC="102". This field acts as a filter, automatically skipping events that do not meet or exceed the condition.
    Tip: To simplify your view and see Threshold Condition more easily, click Hide Advanced.
  13. On the Condition & Results tab in Lifespan, select EASLifeSpan. Notice that until you make the selection, this field displays in red. The red color indicates that this is a required field, and it is one of the errors listed in the Problems section. When you make the lifespan selection, the error disappears from the Problems section.
  14. In Quantity, enter the "atleast" quantity that the event rule sums up to before generating the event alert. Remember to multiply dollar amounts by 100. For example, to generate an event alert when the sum reaches at least $15,000, enter 150000.
  15. In Detection Mode, notice that immediate is selected. Keep this selection. The detection mode determines when to calculate and report the results of the events. The immediate selection generates an alert as soon as the sum reaches the quantity.
  16. In Situation Attributes, enter the required situation values for the following situation attributes:
    • EVENT_SIT_STATUS
    • REASON_DESC
    • ALERT_GROUP
  17. Optional: To preserve the details of all the events that make up the sum, add the EVENTS situation attribute, using the following information:
    1. In Name, enter EVENTS,
    2. In Type, enter integer.
    3. In Expression, enter EVENT_ID (or select it in the Expression Builder).
    4. Click Show Advanced to display the Dimensions column, and enter [] in the column to indicate that the type is an array of events.
    These values instruct CEP to send the internal EVENT_ID of each event included in the total sum back to the pipeline along with the event alert. The pipeline writes each EVENT_ID to the entity database and sends the information to the Visualizer or the client application used to display event alerts. The EVENT_ID is an internal sequential number (ID) created by the pipeline when it sends event data to the CEP engine.
  18. Save the event rule.


Feedback

Last updated: 2011