Event Triggers


An Event trigger raises the alert when a certain event fires in a context and satisfies the condition specified in the trigger settings. This event may be generated by AggreGate Server itself or may come from a Data Terminal.

The event trigger's properties are described here. Each trigger causes AggreGate Server to "listen" for the event specified by the Event setting in every context that matches the Context Mask setting. When such an event is detected, the server evaluates the expression specified by the Expression setting. This expression usually refers to some data associated with the event, but it may also refer to any other data, such as the values of some context variables.


If the Expression parameter is not specified, every occurrence of the event will raise the alert.

Example of event trigger:

Let's say we're running a vehicle monitoring system, which has Devices in various factory vehicles. These Devices fire various events, such as the Impact event, which fires when the vehicle bumps (or crashes...) against something. So the Context Mask would match the Device monitoring the vehicle, the event would be something like impact, and we could also have an expression, referring to the strength field of the impact event, which would cause the trigger to activate if the strength of the impact exceeds a certain value.

In this case, the Event Trigger parameters may be as follows:

Context Mask: users.user123.devices.vehicle12_controller (This mask matches a single Data Terminal context - could be a wildcard matching several, too)

Event: impact

Expression: {strength} > 5.5

(Of course, impact and strength are just theoretical events coming from some made-up Device - they're not built-in AggreGate Server system events).

Multiple Events Trigger

The Count and Period trigger parameters work together to allow trigger activation only if the event occurred X times within the last Y seconds.

If Count is set to 1 (default), any event matching the trigger Expression will activate the trigger and the alert. If Count is 3 and Period is 10 minutes, the trigger will be activated upon an occurrence of the event if the two previous occurrences happened not more than 10 minutes ago and all three occurrences match the Expression.

Event Correlation


Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information.

In terms of AggreGate alerts, event correlation is a way to activate the alert by an event trigger when one ("primary") event occurs, and deactivate the alert upon another ("correlated") event.

To enable event correlation for a certain event trigger, specify the name of the Correlated event in the trigger settings. In this case:

The event trigger (and the alert itself) will be activated by the event named in the Event setting (which is the "primary" event in this case).
It will be deactivated if the Correlated event occurs in the same context as the Event and, additionally, the Correlator expression evaluates to TRUE. (It can happen that the Correlated event occurs but the Correlator expression evaluates to FALSE, thus leaving the trigger active.)


Once a trigger has been activated, it switches the alert to Active state and adds an Active Instance.

The following picture illustrates activation/deactivation of event trigger by Primary and Correlated events:

 

[Figure: activation and deactivation of an event trigger by Primary and Correlated events]

The Count and Period settings also work for correlated events. For example, if Count equals 5 and Period is 1 minute, the trigger will be deactivated only if five Correlated events occur within one minute and all five match the Correlator expression.


Examples of event triggers using event correlation:

Sometimes we may want to see an alert in the Active Alerts list while a certain device is offline (not available to AggreGate Server). Assuming that we have connection and disconnection events in the Device context of this device, we may use the following event trigger settings to keep the alert active while the device is disconnected:

Context Mask: users.user123.devices.critical_device

Event: disconnection

Correlated: connection

This trigger will activate the alert on the disconnection event and deactivate it on the connection event.

If there are no connection/disconnection events in the Device context, we can still use a contextStatusChanged event for the same functionality. In this case we'll have a slightly more complicated trigger setup:

Context Mask: users.user123.devices.critical_device

Event: contextStatusChanged

Expression: {status} == 0 (Assuming that status 0 means "device is disconnected")

Correlated: contextStatusChanged

Correlator: {status} == 1 (Assuming that status 1 means "device is connected")

This trigger will be activated when the contextStatusChanged event occurs and the status field of the event data equals zero. The same event with a status of 1 deactivates the trigger.
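The Count/Period window and the Primary/Correlated state machine described above can be traced on a small model. The following Python sketch is an added example, not AggreGate code: the class and function names are hypothetical, Period is taken in seconds, and it assumes that occurrences failing the Expression or Correlator are simply not counted and that each counting window is reset when the trigger changes state.

```python
from collections import deque

class EventTrigger:
    """Toy model of the trigger semantics described above (not AggreGate code)."""
    def __init__(self, event, expression, correlated, correlator, count=1, period=0):
        self.event, self.expression = event, expression
        self.correlated, self.correlator = correlated, correlator
        self.count, self.period = count, period       # Period in seconds
        self.active = False
        self._primary, self._corr = deque(), deque()  # timestamps of matches

    def _reached(self, window, ts):
        # Keep the last Count matching occurrences; the threshold is met when
        # the oldest of them is no more than Period seconds before this one.
        window.append(ts)
        while len(window) > self.count:
            window.popleft()
        return len(window) == self.count and ts - window[0] <= self.period

    def process(self, name, data, ts):
        """Feed one event and return the alert state after it."""
        if not self.active:
            if name == self.event and self.expression(data):
                if self._reached(self._primary, ts):
                    self.active = True
                    self._corr.clear()       # assumption: windows reset on change
        elif name == self.correlated and self.correlator(data):
            # A Correlated event whose Correlator is FALSE never gets here,
            # so it leaves the trigger active.
            if self._reached(self._corr, ts):
                self.active = False
                self._primary.clear()
        return self.active

# Constructed sample stream: (seconds, event name, event data).
SAMPLE = [
    (0,   "contextStatusChanged", {"status": 0}),
    (30,  "contextStatusChanged", {"status": 0}),  # 2nd match within 60 s: activate
    (40,  "contextStatusChanged", {"status": 1}),  # 1st correlated match
    (50,  "contextStatusChanged", {"status": 0}),  # Correlator FALSE: stays active
    (200, "contextStatusChanged", {"status": 1}),  # 160 s after previous: too far
    (230, "contextStatusChanged", {"status": 1}),  # 2nd within 60 s: deactivate
    (240, "contextStatusChanged", {"status": 0}),  # window was reset: inactive
]

def demo():
    trigger = EventTrigger("contextStatusChanged", lambda d: d["status"] == 0,
                           "contextStatusChanged", lambda d: d["status"] == 1,
                           count=2, period=60)
    return [trigger.process(name, data, ts) for ts, name, data in SAMPLE]
```

Calling demo() returns the alert state after each sample event; with the default Count of 1 the same class reproduces the simpler disconnection/connection trigger.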

Resolution Environment

Event Trigger Expression and Correlator Expression Resolution Environment:

Default Context: None.

Default Data Table: Data Table containing event-specific data for trigger event or correlated event.

Default Row: 0

Environment Variables: Standard variables only.