Graphical workshop for designing and simulating event correlation rules with time constraints.
Correlation Studio helps case study designers relate events which must happen within a specific time frame in order for a particular situation to be identified: not only must a given set of events occur in a strict order, but each event must happen within a limited time range. Dealing with pending conditions or related events which can be notified in different orders is no longer a puzzle.
Often, correlation system designers are overwhelmed by the problem. They face logs with thousands of alarms and have only a vague idea of how some of them might be related. Correlation Studio includes a search engine which can help find events which are repeated during a given period of time. From just a small set of events, the engine can find other events which were also repeated over the same period. This gives the designer a good starting point.
A set of events related by time constraints is called a chronicle.
Choose a log of alarms, specify a time range and run the search engine. You obtain a table of events which are repeated during this period of time. A pattern begins to appear. It can be used to define a chronicle.
An event, in a broad sense, is just a filter on a list of values (eventType equipmentAlarm probableCause processorProblem ...). It's described by combining comparison functions on individual fields ((eventType = equipmentAlarm) AND (probableCause = processorProblem)).
The different events in a chronicle are represented by a graph. The time constraint between two events is shown on their link.
Designing rules with chronicles is one part of the problem. Checking that chronicles indeed correlate events is just as essential.
Correlation Studio can apply a chronicle to different sets of events, showing how many times the chronicle proved to be true. A time line showing the sequences of events can be displayed.
The designer can then validate the chronicle.
Export to Excel
Export logs and sequences of events to Excel to use the spreadsheet's ability to display data in graphics.
A case in 3 steps
Specifying correlated events
For each chronicle, you define the different events by describing filters, you link them with a graph and you specify the time range between two events directly on the graph.
Loading a log of events
To test a chronicle, you load a series of events from an XML file.
Applying the chronicle
Apply a chronicle to a log to check whether the different sequences of events which have been found are correct.
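The three steps above as a small added example, which is not Correlation Studio code: events are field filters, links carry a time range, and the chronicle is applied to a log to count how often it holds. The XML layout, the event names (cpu, link, power) and the delays are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample log; this XML layout is assumed, not the product's format.
LOG_XML = """<log>
  <event time="0"  eventType="equipmentAlarm" probableCause="processorProblem"/>
  <event time="4"  eventType="communicationsAlarm" probableCause="lossOfSignal"/>
  <event time="9"  eventType="equipmentAlarm" probableCause="powerProblem"/>
  <event time="60" eventType="equipmentAlarm" probableCause="processorProblem"/>
  <event time="95" eventType="equipmentAlarm" probableCause="powerProblem"/>
  <event time="97" eventType="communicationsAlarm" probableCause="lossOfSignal"/>
</log>"""

# Step 1: each event is a conjunction of (field = value) comparisons.
EVENTS = {
    "cpu":   {"eventType": "equipmentAlarm", "probableCause": "processorProblem"},
    "link":  {"eventType": "communicationsAlarm"},
    "power": {"eventType": "equipmentAlarm", "probableCause": "powerProblem"},
}
# Graph links: (from, to, min_delay, max_delay) in the log's time units.
# A negative min_delay lets "to" be notified before "from".
LINKS = [("cpu", "power", 1, 40), ("power", "link", -10, 10)]

def load_log(xml_text):
    """Step 2: parse the log into time-ordered (timestamp, fields) records."""
    out = []
    for e in ET.fromstring(xml_text).iter("event"):
        fields = dict(e.attrib)
        out.append((float(fields.pop("time")), fields))
    return sorted(out, key=lambda r: r[0])

def matches(flt, fields):
    return all(fields.get(k) == v for k, v in flt.items())

def recognise(log, events=EVENTS, links=LINKS):
    """Step 3: return every binding of log timestamps that satisfies all links."""
    names, found = list(events), []
    def consistent(bound):
        return all(lo <= bound[b] - bound[a] <= hi
                   for a, b, lo, hi in links if a in bound and b in bound)
    def extend(i, bound):
        if i == len(names):
            found.append(dict(bound))
            return
        for t, fields in log:
            if matches(events[names[i]], fields):
                bound[names[i]] = t
                if consistent(bound):
                    extend(i + 1, bound)
                del bound[names[i]]
    extend(0, {})
    return found
```

In the sample log the chronicle is recognised twice, once with the link alarm arriving before the power alarm and once after it, which is the out-of-order case the time ranges are meant to absorb.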