Cross-cutting detection of event patterns

US 8,661,113 B2
Filed: 05/09/2006
Issued: 02/25/2014
Est. Priority Date: 05/09/2006
Status: Expired due to Fees

First Claim

Patent Images

1. An enterprise computing monitoring and management data processing system comprising:

an event management computing platform coupled to a computing hierarchy of multiple nodes;

event processing logic disposed in the event management computing platform, the event processing logic comprising program code enabled to collect a plurality of events from different ones of the multiple nodes;

proximity detection logic comprising program code enabled to classify the plurality of the events according to a set of event attributes;

determine a temporal proximity of occurrence of first and second classified events;

further determine a frequency of occurrence of the temporal proximity between the first and the second classified events; and

,report a causal relationship, not previously identified, between the first and the second classified events when the frequency of occurrence exceeds a threshold value; and

a time based rolling window configured to display the different ones of the events of differing attribute sets in a specified time frame along parallel lines for different event source attributes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide a method, system and computer program product for the detection of correlation rules in an enterprise computing monitoring and management system. In one embodiment of the invention, a method for detection of correlation rules can be provided. The method can include receiving events from multiple event sources, classifying the events according to a set of event attributes, determining a temporal proximity of occurrence of different classified events, further determining a frequency of occurrence of temporal proximity for particular classified events, and reporting a causal relationship between the particular classified events when the frequency of occurrence exceeds a threshold value.

Citations

16 Claims

1. An enterprise computing monitoring and management data processing system comprising:
- an event management computing platform coupled to a computing hierarchy of multiple nodes;
  
  event processing logic disposed in the event management computing platform, the event processing logic comprising program code enabled to collect a plurality of events from different ones of the multiple nodes;
  
  proximity detection logic comprising program code enabled to classify the plurality of the events according to a set of event attributes;
  
  determine a temporal proximity of occurrence of first and second classified events;
  
  further determine a frequency of occurrence of the temporal proximity between the first and the second classified events; and
  
  ,report a causal relationship, not previously identified, between the first and the second classified events when the frequency of occurrence exceeds a threshold value; and
  
  a time based rolling window configured to display the different ones of the events of differing attribute sets in a specified time frame along parallel lines for different event source attributes.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the differing attribute sets comprises different sets of source, severity and type attributes.
  - 3. The system of claim 1, further comprising a plurality of queues, each corresponding to a different one of the differing attribute sets, each further storing only event instances within the specified time frame.
  - 4. The system of claim 1, wherein the time based rolling window is further configured to display the different ones of the events of differing attribute sets in a specified time frame according to different display characteristics for each event instance having a particular one of the differing attribute sets.

5. A method for the detection of event correlation rules, the method comprising:
- receiving a plurality of events from multiple event sources in a computer hierarchy of multiple nodes;
  
  classifying the plurality of the events according to a set of event attributes;
  
  determining a temporal proximity of occurrence of first and second classified events;
  
  further determining a frequency of occurrence of the temporal proximity between the first and the second classified events;
  
  reporting a causal relationship, not previously identified, between the first and the second classified events when the frequency of occurrence exceeds a threshold value; and
  
  rendering the different classified events in a time based rolling window for a specified time frame.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The method of claim 5, wherein classifying a plurality of the events according to a set of event attributes, comprises classifying a plurality of the events according to a set of event attributes selected from the group consisting of source, severity and type.
  - 7. The method of claim 5, wherein rendering the different classified events in a time based rolling window for a specified time frame, comprises rendering the different classified events utilizing different display characteristics for each of the classified events according to a corresponding attribute set.
  - 8. The method of claim 5, wherein receiving a plurality of events from multiple event sources over an event bus, further comprises queuing different events of different attribute sets in different queues each corresponding to a different attribute set.
  - 9. The method of claim 5, wherein the reporting comprises reporting, for first and second classified events, a percentage of occurrences of the first classified event for a first specified source that either precede or follow occurrences of a second classified event for a second specified source.
  - 10. The method of claim 5, wherein the reporting comprises creating a correlation rule upon the frequency of occurrence approaches one-hundred percent (100%).

11. A computer program product comprising a computer usable storage medium embodying computer usable program code for the detection of event correlation rules, the computer program product including:
- computer usable program code for receiving a plurality of events from multiple event sources in a computer hierarchy of multiple nodes;
  
  computer usable program code for classifying the plurality of the events according to a set of event attributes;
  
  computer usable program code for determining a temporal proximity of occurrence of first and second classified events;
  
  computer usable program code for further determining a frequency of occurrence of the temporal proximity between the first and the second classified events;
  
  computer usable program code for reporting a causal relationship, not previously identified, between the first and the second classified events when the frequency of occurrence exceeds a threshold value; and
  
  computer usable program code for rendering the different classified events in a time based rolling window for a specified time frame.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer program product of claim 11, wherein the computer usable program code for classifying a plurality of the events according to a set of event attributes, comprises computer usable program code for classifying a plurality of the events according to a set of event attributes selected from the group consisting of source, severity and type.
  - 13. The computer program product of claim 11, wherein the computer usable program code for rendering the different classified events in a time based rolling window for a specified time frame, comprises computer usable program code for rendering the different classified events utilizing different display characteristics for each of the classified events according to a corresponding attribute set.
  - 14. The computer program product of claim 11, wherein the computer usable program code for receiving a plurality of events from multiple event sources over an event bus, further comprises computer usable program code for queuing different events of different attribute sets in different queues each corresponding to a different attribute set.
  - 15. The computer program product of claim 11, wherein the computer usable program code for the reporting comprises reporting, for first and second classified events, a percentage of occurrences of the first classified event for a first specified source that either precede or follow occurrences of a second classified event for a second specified source.
  - 16. The computer program product of claim 11, wherein the computer usable program code for the reporting comprises creating a correlation rule upon the frequency of occurrence approaches one-hundred percent (100%).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Nastacio, Denilson
Primary Examiner(s)
SALL, EL HADJI MALICK

Application Number

US11/382,364
Publication Number

US 20070266142A1
Time in Patent Office

2,849 Days
Field of Search

709/224, 709/200, 709/202, 709/223, 706/47, 706/48
US Class Current

709/224
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/079   Root cause analysis, i.e. e...

H04L 41/044   comprising hierarchical man...

H04L 41/065   involving logical or physic...

Cross-cutting detection of event patterns

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-cutting detection of event patterns

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links