CN1352768A - Method and apparatus for a user extensible event structure - Google Patents


Info

Publication number
CN1352768A
Authority
CN
China
Prior art keywords
event
incident
value
field
key word
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN99815179A
Other languages
Chinese (zh)
Other versions
CN1211733C (en)
Inventor
威廉N·波尔曼
肯尼思D·马特森
戴维·阿斯贝尔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
UNITED IMAGINATIVE COMPUTER CO
CA Inc
Original Assignee
UNITED IMAGINATIVE COMPUTER CO
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by UNITED IMAGINATIVE COMPUTER CO filed Critical UNITED IMAGINATIVE COMPUTER CO
Publication of CN1352768A publication Critical patent/CN1352768A/en
Application granted granted Critical
Publication of CN1211733C publication Critical patent/CN1211733C/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/542 Event management; Broadcasting; Multicasting; Notifications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2209/00 Indexing scheme relating to G06F9/00
    • G06F2209/54 Indexing scheme relating to G06F9/54
    • G06F2209/544 Remote

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Multimedia (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for extending an event structure including submitting a keyname and a corresponding value for the event structure and determining whether the keyname exists in a keys field array of the event structure. If the keyname does not exist in the keys field array, the method includes incrementing an index of the event structure, adding the keyname to a position in the keys field array based on the index and adding the corresponding value to a position in the values field array based on the index. If the keyname does exist in the keys field array, the method includes determining the position of a previously stored value in the values field array associated with the keyname and replacing the previously stored value in the values field array with the corresponding value.

Description

Method and apparatus for a user extensible event structure
The present invention relates to the field of event management systems, and in particular to a user extensible event structure of an event management system.
Information technology (IT) has evolved from mainframe-only computing into complex, highly distributed computer systems that span desktops and departments over networks. The benefits these distributed computing environments provide include the flexibility to select any number of platforms, domains, tools and network configurations. The distributed environment, however, may be complex. Further, there may be a lack of compatibility and integration between software tools and platforms. For example, conventional point products (for example, the Platinum DBVision product made by Platinum technology, inc. of Oak Brook, Illinois) are usually directed to a specific function or area of technical expertise, such as a solution for database monitoring and management, job scheduling, or managing database reorganization. Each point product provides a specific capability, and each also includes a distinct interface. Framework technology, on the other hand, provides an integrated solution, although tool functionality is significantly sacrificed. Further, keeping current with the enterprise environment using either conventional point products or framework technology involves a substantial amount of resources and funding from the IT organization.
Therefore, there is a need for an integrated system that provides tools with a compatible interface to an event structure that can be uniquely defined according to the needs of the tool.
An object of the present invention is to provide an integrated system for monitoring events occurring in point products through a common event management system that includes a user extensible event structure.
One aspect of the present invention provides a method for extending an event structure, including submitting a keyname and a corresponding value for the event structure and determining whether the keyname exists in a keys field array of the event structure. If the keyname does not exist in the keys field array, the method includes incrementing an index of the event structure, adding the keyname to a position in the keys field array based on the index, and adding the corresponding value to a position in the values field array based on the index. If the keyname does exist in the keys field array, the method includes determining the position of a previously stored value in the values field array associated with the keyname and replacing the previously stored value in the values field array with the corresponding value.
Fig. 1 shows an exemplary embodiment of an enterprise of the present invention that includes a plurality of nodes.
Fig. 2 shows an exemplary embodiment of a set of integrated point products of the present invention.
Fig. 3 shows an exemplary embodiment of a block diagram of an event management system of the present invention.
Fig. 4 shows an exemplary embodiment of event information communicated between a plurality of nodes of the event management system of the present invention.
Fig. 5 shows an exemplary embodiment of a flow chart of a process for extending an event structure of the present invention.
The event management system of the present invention manages an enterprise (for example, a computer network such as a local area network (LAN) or a wide area network (WAN)), correlates event information occurring in the enterprise, and takes corrective action based on predetermined policies. For example, the event management system receives event messages from compatible point products in the enterprise. As shown in Fig. 1, the enterprise 100 may include a plurality of nodes 110, 120, 130, which are connected, for example, by a network (not shown). A node is, for example, a physical box running an operating system, such as a personal computer, a server, etc. In an exemplary embodiment of the present invention, a node may be a personal computer that has a compatible point product installed on it. In an exemplary embodiment of the present invention, the event management system 140 manages events on the nodes 110, 120, 130 where the events occur, minimizing the movement of data on the network and keeping functions such as data evaluation, reporting and automated corrective action close to the data source.
In an exemplary embodiment of the present invention as shown in Fig. 2, the event management system 270 may be included in an integrated tool suite 200 that includes compatible point products for managing, for example, applications, databases, desktops, networks and systems. The tools 230, 240, 250, 260 may use a set of utilities 210 to share event-related data. For example, a director 220 is a shared common graphical user interface (GUI), running on a conventional server computer, for the compatible point products 230, 240, 250, 260. In an exemplary embodiment of the present invention, the director 220 runs under Windows NT and Windows 95, and operates as a single console that allows the user to view and interact with all resources of the compatible point products 230, 240, 250, 260 included in the enterprise.
The basic unit of information managed by the event management system of the present invention is a structured message called an event. An event represents information about a resource in the enterprise, or about some significant occurrence affecting a resource in the enterprise. Events are sent and received by the compatible point products and the event manager in the event management system. Events are, for example, the basic building blocks of the real-time information processing used to manage the enterprise. The event definition specifies the basic unit of publishable, sharable information and the format in which events should be stored and transmitted. For example, the structure of an event includes predefined fields for the essential information required by any event record. The predefined fields fall into two categories: identifying fields and non-identifying fields. Identifying fields are the fields that together form the unique key of an event and distinguish it from other events. Non-identifying fields are fields that add information about an event but do not take part in the key of the event. The event management system of the present invention allows the user to extend the event structure by dynamically adding key-value pairs, and therefore allows each event structure to be uniquely defined. Adding a key-value pair to an event structure thus lets a point product publish a uniquely defined event that otherwise could not be published, because it could not be uniquely defined by the predefined fields of the event.
The following is an exemplary event structure according to an embodiment of the present invention, defined, for example, in the C language.
    typedef struct _PT_EVENT {
        int            Version;       /* event structure version */
        PT_CHAR_T     *Node;          /* event node */
        PT_CHAR_T     *Class;         /* event class */
        PT_CHAR_T     *Instance;      /* product instance that originated the event */
        PT_CHAR_T     *Name;          /* event name */
        PT_CHAR_T     *Time;          /* event time (yyyymmdd hh24miss) */
        PT_CHAR_T     *CondTime;      /* condition time (yyyymmdd hh24miss) */
        PT_CHAR_T     *AgentNode;     /* node where the detecting agent runs */
        PT_CHAR_T     *EvmgrNode;     /* node where the responding event mgr runs */
        PT_EVENT_TYPE  Type;          /* event type (EV_DISCRETE...) */
        PT_RESP_TYPE   Response;      /* response type (EVRE_SILENCE...) */
        PT_CHAR_T     *RespPolicy;    /* response policy */
        PT_CHAR_T     *Descr;         /* description */
        PT_CHAR_T     *DescrId;       /* message string key for MsgPut */
        PT_CHAR_T     *DescrFields;   /* list of substitution fields in the message */
        double         Value;         /* value (condition/alarm events) */
        int            Level;         /* alarm level (for type=EV_ALARM_SET) */
        PT_CHAR_T     *IntKeys;       /* application-specific internal keys */
        int            NumKey;        /* number of key/value pairs that follow */
        PT_CHAR_T    **Keys;          /* array of additional key (attribute) names */
        PT_CHAR_T    **Values;        /* array of additional key (attribute) values */
        BOOL           Archived;      /* Boolean flag, true if the event is archived */
        PT_CHAR_T     *Id;            /* unique event ID */
        PT_CHAR_T     *CondId;        /* condition ID */
        int            RepeatCount;   /* count of duplicate events, used for storm suppression */
        int            HopCount;      /* Here Comes Peter Cotton Tail... */
        PT_CHAR_T     *GMTOffset;     /* GMT offset */
        int            ActionTaken;   /* Boolean flag, response action in progress */
        BOOL           Silenced;      /* Boolean flag, alarm is silenced */
        PT_CHAR_T     *ProductName;   /* name of the product submitting the event */
        PT_CHAR_T     *InstanceType;  /* instance type of the instance */
        void          *localParam;    /* special-purpose slot allowing local data associated with the event */
        PT_CHAR_T     *AuthString;    /* placeholder for an authorization string, a form of signature over the event content */
        PT_CHAR_T     *TTId;          /* trouble ticket ID */
        PT_CHAR_T     *TTStatus;      /* trouble ticket status */
    } _PT_EVENT;
The identifying fields of the exemplary event are node, name, product, instance, type, condition_time (if the type is not discrete), event time (if the type is discrete), and all key-value pairs that make up the contents of the keys field array and the values field array (a field, for example NumKeys, contains a number indicating how many key-value pairs are in their respective field arrays). All other predefined fields are non-identifying fields.
Events can be divided into several types, including, for example, discrete events, conditions and alarms. Discrete events are events that indicate that something occurred at a particular time and that are completely self-contained. The occurrence of a discrete event has no state and is not updated. For example, a failed login attempt may cause a discrete event to be generated. Conditions are events that indicate the state of something that persists over a period of time and can have attributes that are updated. An event declared by a product is owned by that product. Generally, only the respective point product can update or clear a condition event generated on that point product. The content of discrete and condition events represents factual information about the enterprise, which cannot change without a change in whatever caused the event to occur. Alarms, for example, are interpretations of other events based on user-configurable policy. Therefore, a user can clear an alarm at any time without resolving the condition that caused it. Similarly, the events on which an alarm is based can continue to exist after the alarm has been cleared.
As shown in Fig. 3, an exemplary embodiment of the event management system 300 of the present invention includes an event manager 310, an event archive 320, an event correlator 330, an alarm rule store 340 and a responder 350. In an exemplary embodiment of the present invention, the event manager 310, event archive 320, event correlator 330 and responder 350 are included on all nodes of the enterprise and the alarm rule store 340 is included on a central store, allowing events to be stored and managed locally.
In an exemplary embodiment of the present invention, the event management system may receive event messages from, for example, point products throughout an enterprise. Events are managed on a node of the enterprise, where the events are received by the event manager 310 located on each node. The event manager 310 may, for example, receive all events, maintain the state of previously sent events, maintain a list of subscriptions, and route events to the appropriate subscribers. In an exemplary embodiment of the present invention, events, their state, and the list of subscriptions may be stored locally.
As shown in Fig. 4, the event manager 402 of node a 401 and the event manager 411 of node b 410 also receive event information from the event correlator 413 of node b 410. The event manager 411 of node b 410 also provides events to the event correlator 413 on node b 410. The event manager 411 also receives event information from the point product 415, that is, events actually occurring in the point product. The event managers 402, 411 maintain, for example, events together with their associated state and subscription lists. Each event manager may have a local in-memory data store, for example a blackboard, in which all events that have state are stored. The blackboard may be persisted in a file-based store so that the information can be recovered across invocations of the event manager process. Clients that subscribe to events are responsible for re-establishing each subscription across new invocations of the event manager. Therefore, subscriptions may be kept in memory. A local event archive may also be kept of all events received by the event manager. The event management system of the present invention can also correlate events from multiple nodes. In an exemplary embodiment of the present invention, the event management system provides a consolidated view of events to a single management station, or views of events by category that cross node boundaries.
The event management system of the present invention is structured so that interest in groups of events can be expressed through event subscriptions, or queried, using criteria other than the node. An event subscription allows criteria to be specified on the contents of the fields of an event. Determining which events are of interest to a particular process is, for example, analogous to a database query that requests the records matching criteria written on each field of a record. A request of the present invention differs from a typical database query in that it is not merely a request for data that already exists, but also an ongoing request for a set of events that have yet to occur or exist.
For example, when a subscription is made to an event, such as an event occurring on the point product 415, the subscription request is sent to the event manager 411 on node b 410. The event manager 411 receives the request and adds it to its list of outstanding requests, which may be stored, for example, in memory. The event manager 411 checks the open events previously stored, for example, in the respective blackboard to see whether they match the request criteria. Each matching event is forwarded, for example published, to the requester (for example, the subscriber of the event). Any new events that are received and that match the subscription criteria are also forwarded. This process may continue until the subscription is cancelled.
In an exemplary embodiment of the present invention, a subscription is assigned a unique ID when it is created. The unique ID, together with the data set from which the request originated, uniquely identifies the subscription. A subscription is cancelled, for example, by calling an API with the request handle returned from the original subscription. This causes a cancel message with the respective request ID to be sent to the event manager. The event manager can then match the cancel request with the original subscription and remove it from the event manager's processing queue.
All events published on a node are received by the event manager of that node. The event manager also receives and stores all requests sent by processes on its own node and on other nodes. When an event is received, the event manager also assigns an event ID. The event manager determines whether the event is a condition and, if so, checks, for example, the blackboard to determine whether the event matches an existing condition. If it does, the condition event is assigned the condition ID of the existing condition. Further, if archiving is enabled, the event is archived. For example, in an exemplary embodiment of the present invention, archiving may include storing the event in a database (for example, a flat file archive). A separate file may be used for each calendar day. Events may be written, as newline-delimited records in the order in which they are received, to the archive for the day of the event's timestamp.
The event manager also checks all outstanding subscription requests. For any event other than a condition update, if the received event matches a request, the event manager forwards the event to the requester. In the case of a condition update, it is the updated event that is matched against the request. The event manager therefore sends the updated event to the requester. The event subscription of the present invention includes an event filter, which is described in detail in the Platinum Provision Common Services Reference Guide, Version 1.08 (October 1998, Platinum technology, inc.), which is incorporated herein by reference in its entirety.
The event filter is described in the co-pending patent application entitled "Method and Apparatus for Dynamic Event Filtering and Routing", filed on December 31, 1998, attorney docket no. 22074661/25546, which is incorporated herein by reference in its entirety. The event filter describes the identifying criteria for events of interest and allows various forms of comparison to be specified for each field of an event, including the key-value pairs of the extended event structure. An event filter is, for example, a Boolean expression made up of subexpressions that compare a field of an event with a user-specified value. An event filter is, for example, similar to the "WHERE" clause in Structured Query Language (SQL). A basic subexpression of an event filter is, for example, a phrase that compares a field of an event with a value, for example node=ptisun20. The subexpression node=ptisun20 means that the node field of the event must exactly match the string "ptisun20". Any field of the event structure can be used in the way the node field is used in this example, except for the keys field array and the values field array, which require a special syntax. For example, if an added key-value pair is:
Key         Value
FileSystem  /usr
then an exact-match filter for this key-value pair would be keyfield.FileSystem="/usr". An event filter can be stored anywhere a text string can be stored, for example as C source code (for example, hard-coded in a program), in a configuration file such as a flat text file, in a database, in memory, and so on.
Filtering can also be applied to the values of an event's key-value pairs. As in the earlier example, there may be a key "FileSystem" with an associated value that is the name of a particular file system. The events of interest may be only those for a particular file system, for example /usr. The filter mechanism for the value of a key specifies the key and tests the associated value. A special syntax distinguishes keys from the other fields of an event, allowing separate name spaces for keys and for the predefined event fields. The syntax is "keyfield.[name]". A test for the key-value pair value /usr is, for example, keyfield.FileSystem=/usr.
In an exemplary embodiment of the present invention, event filters may include comparison operators such as = and full regular expression matching specified with the operator "like". For example, a filter may be node=ptisun05. A filter that matches all node values following the pattern ptisun[#] is node like "ptisun[0-9]+". The following is an exemplary list of event filter comparison operators: >= (greater than or equal to), <= (less than or equal to), > (greater than), < (less than), = (equal to), like (matches a regular expression), likeci (case-insensitive match of a string) and != (not equal to).
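The following C sketch is an added example, not code from the patent or from the product it describes: it evaluates a single comparison subexpression against an event, using the keyfield.[name] syntax and the =, !=, like and likeci operators described above. The fx_* names and the sample event are constructed for illustration, and two points are assumptions made here: like/likeci are treated as whole-value regular expression matches, and a comparison on a key the event does not carry is a non-match.

```c
/* Added example: hypothetical fx_* names, not the product's filter engine. */
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char  *node;      /* a predefined field */
    int          num_keys;  /* user-added key-value pairs */
    const char **keys;
    const char **values;
} fx_event;

/* Constructed sample event: node ptisun05 with FileSystem=/usr added. */
static const char *fx_keys[] = { "FileSystem" };
static const char *fx_vals[] = { "/usr" };
static const fx_event fx_sample = { "ptisun05", 1, fx_keys, fx_vals };

enum fx_op { FX_EQ, FX_NE, FX_LIKE, FX_LIKECI };

/* Keys live in their own name space: only "keyfield.<name>" reaches them. */
static const char *fx_lookup(const fx_event *ev, const char *name) {
    if (strcmp(name, "node") == 0) return ev->node;
    if (strncmp(name, "keyfield.", 9) == 0)
        for (int i = 0; i < ev->num_keys; i++)
            if (strcmp(ev->keys[i], name + 9) == 0) return ev->values[i];
    return NULL;
}

/* Regex match wrapped in ^(...)$ so a well-formed pattern must cover the
   whole field value (assumption of this example). Returns 1, 0 or -1. */
static int fx_regex(const char *pat, const char *s, int icase) {
    char anchored[160];
    regex_t re;
    if (snprintf(anchored, sizeof anchored, "^(%s)$", pat) >= (int)sizeof anchored)
        return -1;
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB | (icase ? REG_ICASE : 0)))
        return -1;                          /* pattern did not compile */
    int rc = regexec(&re, s, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Evaluate one comparison: 1 = match, 0 = no match, -1 = malformed filter. */
int fx_match(const fx_event *ev, const char *expr) {
    char name[64], val[128];
    size_t n = 0;
    enum fx_op op;
    if (!ev || !expr) return -1;
    while (isspace((unsigned char)*expr)) expr++;
    while ((isalnum((unsigned char)*expr) || *expr == '_' || *expr == '.')
           && n < sizeof name - 1)
        name[n++] = *expr++;
    name[n] = '\0';
    if (n == 0) return -1;
    while (isspace((unsigned char)*expr)) expr++;
    if (strncmp(expr, "!=", 2) == 0)          { op = FX_NE;     expr += 2; }
    else if (*expr == '=')                    { op = FX_EQ;     expr += 1; }
    else if (strncmp(expr, "likeci", 6) == 0) { op = FX_LIKECI; expr += 6; }
    else if (strncmp(expr, "like", 4) == 0)   { op = FX_LIKE;   expr += 4; }
    else return -1;                           /* unknown operator */
    while (isspace((unsigned char)*expr)) expr++;
    n = 0;
    if (*expr == '"') {                       /* quoted value */
        for (expr++; *expr && *expr != '"' && n < sizeof val - 1; )
            val[n++] = *expr++;
        if (*expr++ != '"') return -1;        /* unterminated or overlong */
    } else {                                  /* bare value up to whitespace */
        while (*expr && !isspace((unsigned char)*expr) && n < sizeof val - 1)
            val[n++] = *expr++;
    }
    val[n] = '\0';
    while (isspace((unsigned char)*expr)) expr++;
    if (*expr != '\0' || n == 0) return -1;   /* trailing text or empty value */

    const char *field = fx_lookup(ev, name);
    if (!field) return 0;                     /* absent field: no match */
    switch (op) {
    case FX_EQ:   return strcmp(field, val) == 0;
    case FX_NE:   return strcmp(field, val) != 0;
    case FX_LIKE: return fx_regex(val, field, 0);
    default:      return fx_regex(val, field, 1);
    }
}

int main(void) {
    printf("%d\n", fx_match(&fx_sample, "keyfield.FileSystem=\"/usr\""));
    printf("%d\n", fx_match(&fx_sample, "node like \"ptisun[0-9]+\""));
    return 0;
}
```

Boolean combinations and parentheses, which the grammar on this page also allows, are left out; the ordering operators are omitted because the page does not say how they compare string fields.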
In an exemplary embodiment of the present invention, the tokens, production rules and event filter definition may be implemented using yet another compiler-compiler (yacc) as follows.
    %token NO_MORE_TOKENS
    %token FILTER
    %token <symp> NAME
    %token <symp> FUNC_PART
    %token <keywp> BOOLEAN
    %token <keywp> COMPOP
    %token <keywp> SEPARATOR
    %token <keywp> LEFTPAREN
    %token <keywp> RIGHTPAREN
    %left BOOLEAN
    %type <evalp> filter
    %type <evalp> statement
    %%
    statement: FILTER filter NO_MORE_TOKENS
    filter: NAME COMPOP NAME
        | FUNC_PART SEPARATOR NAME COMPOP NAME
        | NAME COMPOP FUNC_PART SEPARATOR NAME
        | filter BOOLEAN filter
        | LEFTPAREN filter RIGHTPAREN
In an exemplary embodiment of the present invention, the event manager 411 may be implemented as a daemon (for example, an agent that runs continuously on a UNIX server and provides resources to client systems on the network). After receiving an event, the event manager 411 determines the disposition of the event, including whether it has already received the event and whether the state of the event has changed. The event manager 411 also writes the event to the local event archive 412 and routes the event to all clients that subscribe to the event's content. For example, the event manager 411 may provide event information to the event correlator 413 on node 402. The event archive 412 may include an event archive service processor. The event archive 412 service processor reads events from the event archive. Subscribers may include, for example, any event correlator 413 instance that has an alarm rule subscribing to the event, the director, which for example contains a resource object, or a product that subscribes to update events (for example, data exchange service (DEX)) concerning content in the central store.
The event correlator 413 is described in the co-pending patent application entitled "System and Method for Dynamic Correlation of Events", filed on December 31, 1998, attorney docket no. 22074661/25548, which is incorporated herein by reference in its entirety. The event correlator may include, for example, an event correlator service processor. The event correlator 413 implements the user policies specified in the alarm rules. An alarm is a type of event that notifies the user of a significant condition or occurrence. The determination of an alarm may involve the occurrence of a single event, the presence of one or more existing states when another event occurs, or the repetition of a particular event within a fixed time window. Further, an alarm may be a combination of the repetition of a particular event within a fixed time window while a certain state or states exist.
The events that determine whether an alarm has occurred may originate from events on the same node as the event correlator 413, or may come from one or more other nodes 401, 410. An alarm can also be associated with an automated response policy that allows a responder 414 to handle any automatic notification or correction declared for the alarm. The event correlator 413 may generate, for example, an alarm, a modified version of a received event, or an entirely new event that can in turn be correlated by another alarm rule.
Events can be correlated by an alarm rule. The basis of an alarm rule is determining which events should be analyzed. Alarm rules can be created to define which single event or set of events represents a significant occurrence that is to be responded to. An alarm rule may include a description and logic describing the events that represent an occurrence, and a definition of the event management system's response to the occurrence. The result of correlation is the generation of one or more events. Alarm rules may be defined, for example, through the director 404.
The responder 414 executes a response policy. The responder 414 includes a plurality of processes. A response policy is, for example, a logical expression containing a list of actions, joined by logical statements, that is invoked by a triggering alarm generated by the event correlator 413. Multiple actions can be defined and executed in a response policy. In an exemplary embodiment of the present invention, the actions may be in a listed sequence, or may have logic added so that each action is contingent on the return code received from another action or on a specific field sent in the alarm. A response policy can be created by defining a set of actions and composing an expression that references one or more of those actions in logical order. Actions can be global and invoked by multiple response policies. In an exemplary embodiment of the present invention, the responder 414 also adds information about the success of each action to the triggering alarm as each step completes. This can be done, for example, by sending an update alarm event, which updates the event in the event archive with the number of the step just completed, the step type (for example, e-mail/page) and the name of the action step. This information can be accessed through a director.
In an exemplary embodiment of the present invention, the responder 414 may include, for example, a first process, a second process and a third process. The first process subscribes to events sent by the event correlator 413 running on the same node 410 as the responder 414. After receiving an alarm with an associated response policy, the first process invokes the second process to execute the policy. The first process may invoke multiple instances of the second process, depending on settings in the configuration file associated with each process. The second process executes actions that require sending an event, and invokes the third process to execute any other action. The third process of the responder 414 can also execute response policy actions that require calls to the operating system, for example sending an e-mail message, invoking a script, sending a page, writing a message to a file, or forwarding an event as a Simple Network Management Protocol (SNMP) trap.
In an exemplary embodiment of the present invention, the event structure includes a keys field and a values field, each of which is an extensible character array. The event structure may also include a field, for example NumKeys, that contains the number of key-value pairs contained in the respective field arrays. Fig. 5 shows an exemplary embodiment of a flow chart for adding a key-value pair to the event structure of the present invention. In step 510, a user, for example through a point product, submits for a corresponding event structure an event keyname and a corresponding value to be added to the event structure. In an exemplary embodiment of the present invention, extending the event structure by adding a key-value pair may be accomplished, for example, by a function call such as

    int PtEventSetKeyValuePair(PT_EVENT PtEvent, PT_CHAR_T *KeyName, PT_CHAR_T *Value)
In step 520, if any of the event, the keyname and the value is null, the event application programming interface (API) of the event management system of the present invention provides an error message and exits the process of adding the key-value pair to the event structure, as shown in step 530. Otherwise, in step 540, the event API determines whether the keyname already exists in the keys field array.
In an illustrative embodiments of the present invention, incident API has been stored under the situation in the key field array by checking that input key word name judges whether a key word name exists in other key word names, this for example is by function intPtEventFindKeyByIndex (PT_EVENT PtEvent, PT_CHAR_T *KeyName, int *Index) carry out.In step 580, if in the key field array, find this key word name, then determine the index of the position of indication key word name in array, and can for example to offer one be the call function of variable with the index.If find this key word name, a return code for example can be offered a call function, this call function for example is PT_SUCCESS, and if do not find this key word name, this call function for example is PT_FAIL.Further, in illustrative embodiments of the present invention, key field array and value field array big or small identical, key word has identical index with analog value in its array separately.Therefore, if the key word name is positioned, then the analog value of being submitted to by the user is provided in the value field array by the indicated relevant position of corresponding index, for example replaces preceding value shown in step 590.Perhaps, the analog value of the key word name of input can be provided to a call function by a function, and this function for example is
int PtEventGetKeyValuePair(PT_EVENT PtEvent, PT_CHAR_T *KeyName, const PT_CHAR_T **KeyValue). This function obtains the corresponding value for the given key name and provides the current value of the input key to the calling program.
If the input key name is not found, then in step 550 the event API sets the index to the next available index in the key field array and the value field array, for example 1 greater than the current value of NumKeys. In step 560, the event API places the input key name in the key field array at the position indicated by the index (for example, the value in the NumKeys field). In an exemplary embodiment of the present invention, a key can be set by a function such as int PtEventSetKeyNameByIndex(PT_EVENT PtEvent, int Index, PT_CHAR_T *Key). If the key field array already contains a key at the position indicated by the index, the input key name replaces the previously stored key. The event API also determines whether the corresponding event, for example PtEvent, and the key are null and whether the index is less than 1. If any of PtEvent and the key is null and the index is less than 1, the event API provides an error message and the key is not set.
In step 570, the event API places the corresponding value of the input key name in the value field array at the position indicated by the index (for example, the value in the NumKeys field). In an exemplary embodiment of the present invention, the corresponding value of an input key name can be set by a function such as int PtEventSetKeyValueByIndex(PT_EVENT PtEvent, int Index, PT_CHAR_T *Value). The event API also determines whether the corresponding event, for example PtEvent, and the value are null and whether the index is less than 1. If any of PtEvent and the value is null and the index is less than 1, the event API provides an error message and the value is not set.
In an exemplary embodiment of the present invention, the function extern int PtEventSetKeyValuePair(PT_EVENT, PT_CHAR_T *, PT_CHAR_T *) creates a new key/value pair in an event. For example, if an additional attribute of an event is the name of the file system to which the event pertains, the call PtEventSetKeyValuePair(PtEvent, "FileSystem", "/usr") adds, for example, a key/value pair for the file system /usr on a node of the enterprise reporting the event. Calling the function again with the same key updates the value.
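The Fig. 5 flow described above (null checks, lookup, replace or append) can be sketched in C as follows. This is an added example, not code from the patent: only the function names, parameter lists, PT_SUCCESS/PT_FAIL and NumKeys come from the page, while the structure layout, the return code values and the helper dup_str are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed definitions: the page names these types and codes, not their layout. */
typedef char PT_CHAR_T;
enum { PT_SUCCESS = 0, PT_FAIL = -1 };
typedef struct PtEventRec {
    PT_CHAR_T **Keys, **Values;  /* parallel arrays: a key and its value share an index */
    int NumKeys;                 /* number of key/value pairs stored */
} PtEventRec, *PT_EVENT;

static PT_CHAR_T *dup_str(const PT_CHAR_T *s) {  /* the event keeps private copies */
    PT_CHAR_T *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* On a match, *Index receives the 1-based position (the page rejects indices < 1). */
int PtEventFindKeyByIndex(PT_EVENT ev, PT_CHAR_T *KeyName, int *Index) {
    if (!ev || !KeyName || !Index) return PT_FAIL;
    for (int i = 0; i < ev->NumKeys; i++)
        if (strcmp(ev->Keys[i], KeyName) == 0) { *Index = i + 1; return PT_SUCCESS; }
    return PT_FAIL;
}

int PtEventSetKeyValuePair(PT_EVENT ev, PT_CHAR_T *KeyName, PT_CHAR_T *Value) {
    int idx;
    if (!ev || !KeyName || !Value) return PT_FAIL;      /* steps 520/530: reject nulls */
    PT_CHAR_T *v = dup_str(Value);
    if (!v) return PT_FAIL;
    if (PtEventFindKeyByIndex(ev, KeyName, &idx) == PT_SUCCESS) {
        free(ev->Values[idx - 1]);                       /* key exists: replace the value */
        ev->Values[idx - 1] = v;
        return PT_SUCCESS;
    }
    size_t n = (size_t)ev->NumKeys + 1;                  /* new key goes at index NumKeys + 1 */
    PT_CHAR_T *k = dup_str(KeyName);
    PT_CHAR_T **nk = realloc(ev->Keys, n * sizeof *nk);
    if (nk) ev->Keys = nk;
    PT_CHAR_T **nv = realloc(ev->Values, n * sizeof *nv);
    if (nv) ev->Values = nv;
    if (!k || !nk || !nv) { free(k); free(v); return PT_FAIL; }  /* NumKeys unchanged */
    ev->Keys[n - 1] = k;
    ev->Values[n - 1] = v;
    ev->NumKeys = (int)n;                                /* commit only after both writes */
    return PT_SUCCESS;
}
```

Updating NumKeys last means a failed allocation never leaves the two arrays with different logical lengths, which is what keeps the shared-index invariant safe for later lookups.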
In an exemplary embodiment of the present invention, a function such as extern int PtEventRemoveKeyValuePair(PT_EVENT, PT_CHAR_T *) allows a user to reverse the action of adding a key/value pair to an event. The action is reversed, for example, by locating the key/value pair in its respective arrays and removing it. Further, all key/value pairs higher in the arrays than the removed pair are moved back by one, the size of the respective arrays is reduced by 1, and the index value in a field such as NumKeys is decremented by 1. In an exemplary embodiment of the present invention, the function extern int PtEventGetKeys(PT_EVENT, PT_CHAR_T **, int *) obtains, for example, the list of additional keys used to extend an event structure for the corresponding event.
The event management system of the present invention includes a compatibility mechanism that allows events in the enterprise to communicate with different versions of the event structure. Different versions of the event structure cannot remove a predefined field of an event, and if a newer field is added to the event structure, a default value must be assigned to the newer field for use when it has no value. The event management system of the present invention packs the message describing the event structure into a self-describing message structure (for example, the message includes a predefined field name that describes what the data following the field name in the message is, and a version flag of the event structure). The version flag comprises a predefined field name; it provides the version of the event structure, and the version number of the event structure is packed into the message. The message structure of the present invention comprises pairs of a field descriptor (for example, a field name) and its corresponding field (for example, the field contents), which allows messages to remain constant across versions. The compatibility mechanism of the event structure organizes a message into a message structure, for example, by searching the message for the fields it needs to complete the message structure. The search includes, for example, ignoring fields added in versions of the event structure newer than the version currently in use, or, when the version of the event structure being opened is lower than the current event structure (for example, when the current event structure may have newer fields), providing default values for the fields that are not found. A default value can be hard-coded or can be determined by an algorithm that examines the contents of other fields in the event. For example, if the newer fields are simply an old field split into several separate fields, an algorithm can be applied to the old field to provide suitable values for the newer fields.
Not removing predefined fields from an event structure ensures that a newer process, for example an end product, can communicate with older versions of the event management system, other end products, or a manager. This is particularly important when events are being merged or cross node boundaries for any other reason (for example, event correlation rules). If cross-version compatibility did not exist, a structure upgrade would require all processes on all nodes that communicate with one another to be upgraded simultaneously. An older process expects to find all the fields required to fill its event structure. Specifying a default value for a newer field, for use when it has no value, allows a newer-version process (for example, an end product receiving a message from an older process) to fill the newer version of an event structure when the field is absent from the incoming message. The value can be specified, for example, according to the values of other fields.
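The compatibility search described above (look up each needed field by name, ignore unknown fields, fall back to a computed or hard-coded default) can be sketched in C as follows. This is an added example, not code from the patent: the field names "Source", "Node", "Process" and "Severity", the version numbers and the "node:process" layout are all hypothetical, and the message is modeled as an in-memory list of name/content pairs.

```c
#include <stdio.h>
#include <string.h>

/* Constructed message form: descriptor (field name) / content pairs. */
typedef struct { const char *name, *value; } Field;

/* Reader at hypothetical version 2, where the v1 field "Source" ("node:process")
   was split into "Node" and "Process", and "Severity" was added. */
typedef struct { char node[32], process[32], severity[16]; } EventV2;

static const char *lookup(const Field *msg, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(msg[i].name, name) == 0) return msg[i].value;
    return NULL;                               /* field not present in this message */
}

static void put(char *dst, size_t cap, const char *src, size_t len) {
    /* bounded copy: never writes past cap and always terminates */
    snprintf(dst, cap, "%.*s", (int)(len < cap ? len : cap - 1), src);
}

/* Search the message for each field the reader needs. Fields it does not know
   (added by newer versions) are never looked up, so they are ignored. */
void decode_v2(const Field *msg, size_t n, EventV2 *ev) {
    const char *node = lookup(msg, n, "Node"), *proc = lookup(msg, n, "Process");
    const char *sev = lookup(msg, n, "Severity"), *src = lookup(msg, n, "Source");
    const char *colon = src ? strchr(src, ':') : NULL;

    if (node) put(ev->node, sizeof ev->node, node, strlen(node));
    else if (colon) put(ev->node, sizeof ev->node, src, (size_t)(colon - src)); /* computed */
    else put(ev->node, sizeof ev->node, "unknown", 7);                          /* hard-coded */

    if (proc) put(ev->process, sizeof ev->process, proc, strlen(proc));
    else if (colon) put(ev->process, sizeof ev->process, colon + 1, strlen(colon + 1));
    else put(ev->process, sizeof ev->process, "unknown", 7);

    if (!sev) sev = "info";                    /* hard-coded default for the newer field */
    put(ev->severity, sizeof ev->severity, sev, strlen(sev));
}
```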
The foregoing embodiments are illustrative examples of the present invention, and the invention is not intended to be limited to these particular embodiments. Various changes and modifications can be made by those of ordinary skill in the art without departing from the spirit or scope of the invention as defined by the appended claims.

Claims (1)

1. A method for extending an event structure, comprising the steps of:
submitting a key name and a corresponding value for the event structure;
determining whether the key name exists in a key field array of the event structure;
if the key name does not exist in the key field array,
incrementing an index of the event structure,
adding the key name to the key field array at a position based on the index, and
adding the corresponding value to a value field array at a position based on the index; and
if the key name exists in the key field array,
determining the position of a previously stored value in the value field array associated with the key name, and
replacing the previously stored value in the value field array with the corresponding value.
CNB998151793A 1998-12-31 1999-12-29 Method and apparatus for a user extensible event structure Expired - Fee Related CN1211733C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US22480898A 1998-12-31 1998-12-31
US09/224,808 1998-12-31

Publications (2)

Publication Number Publication Date
CN1352768A true CN1352768A (en) 2002-06-05
CN1211733C CN1211733C (en) 2005-07-20

Family

ID=22842299

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB998151793A Expired - Fee Related CN1211733C (en) 1998-12-31 1999-12-29 Method and apparatus for a user extensible event structure

Country Status (11)

Country Link
EP (1) EP1149336A4 (en)
JP (1) JP2002533829A (en)
KR (1) KR20010103729A (en)
CN (1) CN1211733C (en)
AU (1) AU775155B2 (en)
BR (1) BR9916597A (en)
CA (1) CA2358110A1 (en)
HK (1) HK1043209A1 (en)
IL (2) IL143515A0 (en)
WO (1) WO2000039675A1 (en)
ZA (1) ZA200104582B (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5237684A (en) * 1991-08-12 1993-08-17 International Business Machines Corporation Customized and versatile event monitor within event management services of a computer system
US5305454A (en) * 1991-08-12 1994-04-19 International Business Machines Corporation Notification of event handlers in broadcast or propagation mode by event management services in a computer system
US5583983A (en) * 1994-11-17 1996-12-10 Objectware, Inc. Multi-platform object-oriented software development and deployment system
US5842223A (en) * 1995-07-03 1998-11-24 Sun Microsystems Inc. Method and apparatus for information state management

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107660283A (en) * 2015-04-03 2018-02-02 Oracle International Corporation Method and system for implementing a log parser in a log analytics system
US11055302B2 (en) 2015-04-03 2021-07-06 Oracle International Corporation Method and system for implementing target model configuration metadata for a log analytics system
US11194828B2 (en) 2015-04-03 2021-12-07 Oracle International Corporation Method and system for implementing a log parser in a log analytics system
CN107660283B (en) * 2015-04-03 2021-12-28 甲骨文国际公司 Method and system for implementing a log parser in a log analysis system
US11226975B2 (en) 2015-04-03 2022-01-18 Oracle International Corporation Method and system for implementing machine learning classifications
US11727025B2 (en) 2015-04-03 2023-08-15 Oracle International Corporation Method and system for implementing a log parser in a log analytics system
US11971898B2 (en) 2015-04-03 2024-04-30 Oracle International Corporation Method and system for implementing machine learning classifications
US11681944B2 (en) 2018-08-09 2023-06-20 Oracle International Corporation System and method to generate a labeled dataset for training an entity detection system

Also Published As

Publication number Publication date
KR20010103729A (en) 2001-11-23
IL143515A (en) 2007-03-08
CA2358110A1 (en) 2000-07-06
ZA200104582B (en) 2005-03-09
CN1211733C (en) 2005-07-20
AU2220600A (en) 2000-07-31
HK1043209A1 (en) 2002-09-06
EP1149336A1 (en) 2001-10-31
WO2000039675A1 (en) 2000-07-06
BR9916597A (en) 2002-06-04
EP1149336A4 (en) 2003-05-14
IL143515A0 (en) 2002-04-21
AU775155B2 (en) 2004-07-22
JP2002533829A (en) 2002-10-08

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
C19 Lapse of patent right due to non-payment of the annual fee
CF01 Termination of patent right due to non-payment of annual fee