System.ConsolidatorCondition

Applies To: Operations Manager 2007 R2

The System.ConsolidatorCondition condition detection module type is used to consolidate multiple incoming data items based on a specific schedule or a time interval. A module of this type accepts data of any type and outputs System.ConsolidatorData.

Type Definition

<ConditionDetectionModuleType ID="System.ConsolidatorCondition" Stateful="true" Accessibility="Public" PassThrough="false" Batching="false">
  <Configuration>
    <IncludeSchemaTypes>
      <SchemaType>System.ExpressionEvaluatorSchema</SchemaType>
    </IncludeSchemaTypes>
    <xsd:element name="Consolidator" type="ConsolidatorType"/>
  </Configuration>
  <ModuleImplementation Isolation="Any">
    <Native>
      <ClassID>1E06AAF5-C4E0-4F57-A4F6-2C8A6A5E8E53</ClassID>
    </Native>
  </ModuleImplementation>
  <OutputType>System.ConsolidatorData</OutputType>
  <InputTypes>
    <InputType>System.BaseData</InputType>
  </InputTypes>
</ConditionDetectionModuleType>

Parameters

The System.ConsolidatorCondition supports the following configuration parameters:

Parameter Type Overrideable Description

Consolidator

ConsolidatorType

False

Required parameter. Defines the criteria and schedule for data correlation.

For more information about the Consolidator parameter, see ConsolidatorType.

Composition

The System.ConsolidatorCondition module is a native module.

Module Type Usage

System.Correlator

Correlates a sequence of difference data items.

External Module References

None.

Remarks

The following code example shows a data item that is output from the consolidator module for Windows event data: The contents of the data item element are dependent on the type of data that is being consolidated.

<DataItem type="System.ConsolidatorData" time="2008-10-23T14:16:29.0013505-07:00" sourceHealthServiceId="B0BE86FA-56AD-1F2E-EE87-8DF72FC53818">
  <TimeWindowStart>2008-10-23T14:16:17.0000000-07:00</TimeWindowStart>
  <TimeWindowEnd>2008-10-23T14:16:26.9999999-07:00</TimeWindowEnd>
  <TimeFirst>2008-10-23T14:16:17.0000000-07:00</TimeFirst>
  <TimeLast>2008-10-23T14:16:23.0000000-07:00</TimeLast>
  <Count>3</Count>
  <Context>
    <DataItem type="Microsoft.Windows.EventData" time="2008-10-23T14:16:23.0000000-07:00" sourceHealthServiceId="B0BE86FA-56AD-1F2E-EE87-8DF72FC53818">
      <EventOriginId>{C9D083CE-9C36-42B9-82CE-5051C8BA180C}</EventOriginId>
      <PublisherId>{D5C9D62E-11DA-4A04-242C-50418B1286A0}</PublisherId>
      <PublisherName>EventCreate</PublisherName>
      <EventSourceName>EventCreate</EventSourceName>
      <Channel>Application</Channel>
      <LoggingComputer>testmachine.example.com</LoggingComputer>
      <EventNumber>206</EventNumber>
      <EventCategory>0</EventCategory>
      <EventLevel>4</EventLevel>
      <UserName>DOMAIN\username</UserName>
      <RawDescription><![CDATA[%1  ]]></RawDescription>
      <LCID>1033</LCID>
      <Params>
        <Param>Test Event</Param>
      </Params>
      <EventData>
        <DataItem type="System.XmlData" time="2008-10-23T14:16:23.9418446-07:00" sourceHealthServiceId="B0BE86FA-56AD-1F2E-EE87-8DF72FC53818">
          <EventData>
            <Data>test</Data>
          </EventData>
        </DataItem>
      </EventData>
      <EventDisplayNumber>206</EventDisplayNumber>
      <EventDescription><![CDATA[Test Event  ]]></EventDescription>
      <Keywords>36028797018963968</Keywords>
    </DataItem>
  </Context>
</DataItem>

In the preceding code example, consider the following sequence of events that are input to the consolidator module that begin at midnight (0:00:00):

  • Event 1 – 0:00:00

  • Event 2 – 0:00:08

  • Event 3 – 0:00:15

  • Event 4 – 0:00:17

  • Event 5 – 0:00:23

For each counting method, the time control is configured to be a simple WithinTimeSchedule of 10 seconds, and there are no excludes specified. The two counting methods that take a count as configuration are set to 3.

The following consolidator output occurs for each counting method:

Counting Method Output

OnNewItemNOP_OnTimerOutputRestart

Occurs at 00:00:10 after the end of the first window, which was started by event 1.

Output has a consolidated count of 2 (event 1 and 2).

Occurs at 00:00:25 after the end of the second window, which was started by event 3.

Output has a consolidated count of 3 (event 3, 4 and 5)

OnNewItemTestOutputRestart_OnTimerRestart

Outputs at 00:00:23 after the third event that is received, following the start of the window that was started by event 3.

Output has a consolidated count of 3 (event 3, 4 and 5)

OnNewItemTestOutputRestart_OnTimerSlideByOne

Outputs at 00:00:17 after the third event that was received, following the sliding window that was moved to start at event 2.

Output has a consolidated count of 3 (event 2, 3 and 4).

Sample

The following rule looks for an event from the Windows application event log and consolidates, based on the sliding window counting method over a 10-second window. An alert is generated if there are more than three events received. The latency is set to 10 seconds.

<Rule ID="Microsoft.Samples.EventConsolidationTest1" Target="Microsoft.Samples.ApplicationX">
  <Category>ConfigurationHealth</Category>
  <DataSources>
    <DataSource ID="Event" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type='Windows!Microsoft.Windows.Computer']/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>EventCreate</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>401</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Consolidator" TypeID="System!System.ConsolidatorCondition">
    <Consolidator>
      <ConsolidationProperties/>
      <TimeControl>
        <Latency>10</Latency>
        <WithinTimeSchedule>
          <Interval>10</Interval>
        </WithinTimeSchedule>
      </TimeControl>
      <CountingCondition>
        <Count>3</Count>
        <CountMode> OnNewItemTestOutputRestart_OnTimerSlideByOne</CountMode>
      </CountingCondition>
    </Consolidator>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>0</Priority>
      <Severity>0</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Samples.EventConsolidationTest1.AlertMessage"]$</AlertMessageId>
      <Suppression/>
    </WriteAction>
  </WriteActions>
</Rule>

The following rule uses the non-sliding window counting method and uses a simple recurring schedule to consolidate every 5 minutes. An alert is generated if more than 10 events are received during a given window:

<Rule ID="Microsoft.Samples.EventConsolidationTest2" Target="Microsoft.Samples.ApplicationX">
  <Category>ConfigurationHealth</Category>
  <DataSources>
    <DataSource ID="Event" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type='Windows!Microsoft.Windows.Computer']/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>EventCreate</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>401</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Consolidator" TypeID="System!System.ConsolidatorCondition">
    <Consolidator>
      <ConsolidationProperties/>
      <TimeControl>
        <GenericSchedule>
          <SimpleReccuringSchedule>
            <Interval Unit='Minutes'>5</Interval>
            <SyncTime>00:00</SyncTime>
          </SimpleReccuringSchedule>
          <ExcludeDates/>
        </GenericSchedule>
      </TimeControl>
      <CountingCondition>
        <Count>10</Count>
        <CountMode>OnNewItemTestOutputRestart_OnTimerRestart</CountMode>
      </CountingCondition>
    </Consolidator>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>0</Priority>
      <Severity>0</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Samples.EventConsolidationTest2.AlertMessage"]$</AlertMessageId>
      <Suppression/>
    </WriteAction>
  </WriteActions>
</Rule>

Information

   

Module Type

ConditionDetectionModuleType

InputType

System.BaseData

Output Type

System.ConsolidatorData

Implementation

Native

Library

System.Library