Typically, each active rule has one rule instance, or copy, running in the Active Correlation Technology engine. However, sometimes the same rule is needed for different groups of events, which are often related to different groups of resources. The grouping key is one or more event attributes, or parts of event attributes, that separate the selected events into distinct groups so that each group is processed on its own. The <groupingKey> element defines the grouping key for a rule. Its purpose is to direct the rule to create a separate rule instance (a copy of itself) for each group of events that share common characteristics, as defined by the values of the attributes that make up the grouping key.
The following two scenarios illustrate the importance of the grouping key.
If the sequence rule is defined without the grouping key, and a DB2down event is received from computer A, a DB2up event from any of the computers would complete the sequence, which is not what was intended. However, if the grouping key were defined as the hostname attribute, a unique copy, or instance, of the rule would be created for each unique value of the hostname attribute in the selected events. The Active Correlation Technology engine would send each event to the correct rule instance (the rule instance for that event's hostname value). Therefore, if a DB2down event is received from computer A, the Active Correlation Technology engine would create a rule instance for computer A. If a DB2down event is received from computer B, the Active Correlation Technology engine would create a second rule instance for computer B. When a DB2up event is received from computer B, the Active Correlation Technology engine processes that event in the second rule instance. The sequence is complete, and the operator is alerted because the DB2down and DB2up events from computer B are correctly correlated.
A grouping key could be defined as the user ID. Then, a new rule instance would be created for each unique user ID. Each user's login attempts would be tracked in a unique threshold rule instance, with each instance having a separate count of the number of login attempts by that user. The operator would receive a warning if any user ID exceeds 10 incorrect logins in 5 minutes.
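The two scenarios above, as an added Python simulation of how the engine dispatches events to one rule instance per grouping-key value; this is not Active Correlation Technology code, and the event tuples, the attribute names hostname and userid and the event type LoginFailed are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp in seconds, event type, attributes).
DB2_EVENTS = [
    (0, "DB2down", {"hostname": "A"}),
    (10, "DB2up", {"hostname": "B"}),   # up from a different host than the down
    (20, "DB2down", {"hostname": "B"}),
    (30, "DB2up", {"hostname": "B"}),
]
LOGIN_EVENTS = sorted(
    [(10 * i, "LoginFailed", {"userid": "alice"}) for i in range(11)]
    + [(5 + 10 * i, "LoginFailed", {"userid": "bob"}) for i in range(5)],
    key=lambda e: e[0],
)

def sequence_alerts(events, grouping_key=None):
    """Sequence rule: alert when DB2up follows DB2down. Without a grouping key
    there is a single instance; with one, each key value gets its own state."""
    instances = {}          # key value -> {"down_host": host that went down}
    alerts = []
    for _, etype, attrs in events:
        key = attrs.get(grouping_key) if grouping_key else None
        state = instances.setdefault(key, {"down_host": None})
        if etype == "DB2down":
            state["down_host"] = attrs["hostname"]
        elif etype == "DB2up" and state["down_host"] is not None:
            alerts.append((state["down_host"], attrs["hostname"]))
            state["down_host"] = None
    return alerts   # (host that went down, host that came up) per alert

def threshold_alerts(events, grouping_key=None, limit=10, window=300):
    """Threshold rule: alert when more than `limit` LoginFailed events arrive
    within `window` seconds; the count is kept separately per instance."""
    instances = defaultdict(deque)   # key value -> timestamps inside window
    alerts = []
    for ts, etype, attrs in events:
        if etype != "LoginFailed":
            continue
        key = attrs.get(grouping_key) if grouping_key else None
        times = instances[key]
        times.append(ts)
        while ts - times[0] > window:   # drop events older than the window
            times.popleft()
        if len(times) > limit:
            alerts.append(key)           # the user ID the alert is about
            times.clear()                # reset the instance after alerting
    return alerts
```

Without a key the sequence rule pairs A's DB2down with B's DB2up, and the threshold rule fires on the combined count with no user to attribute it to; with hostname and userid as grouping keys only the genuine correlations are reported.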
If the same attribute is in all event types that are specified for a rule, the use of the <attributeName> element is the simplest and most common way to define a grouping key.
<groupingKey> has the following attribute:
Name | Description | Data type | Required? |
---|---|---|---|
missingAttributeHandling | Defines the action that the rule must take under either of these conditions: The valid values for the missingAttributeHandling attribute are: | xsd:string | No |
<groupingKey> contains the following elements.
Element | Required or optional? |
---|---|
<attributeAlias> | One of these elements is required; coding more than one of them is optional. Multiple occurrences of all three elements are allowed, and they can be coded in any order. |
<attributeName> | |
<computedValue> | |