How to create a problem specification

Defining problems using the statistical engine

The stastical engine is responsible for counting event occurrences and reporting the information to the probmgr module. Count Requests are specified as Problem Definitions in the Definitions dialog box.

Use the following format to specify counts of event occurrences.

COUNT("filter_name",
<window>,
[<report_interval>],
("attribute" ...),
( <threshold> ... )
[, {option} ...] )

Everything else is literal, as shown below.

{option} is one of:

TYPE: { MEAN | TOTAL }
REPORTLEVEL: <level>
THRESHOLD: { COUNT | "attribute_name" }
LIMIT: <event_limit>
NOTE_SEVERITY_CHANGE
INVERT_THRESHOLDS

[ ] indicates optional part
< > indicates an integer
"" indicates a quoted string
{a|b} indicates either a or b
... indicates repetition, comma separated

filter_name
The name of a previously installed Event Filter. Only events that pass through this filter are counted.
window Time in minutes, zero indicates infinite. Only events occurring in the most recent window are included in the count.
report_interval
Time in minutes, defaults to one year. Describes how often to generate updates regarding counter values.
attribute
The name of an attribute for an Event Type. Must match an attribute of the Event Type of the Event Filter specified. The attribute should be of type "int", "float", or "string". All incoming counters are categorized based on the values of the specified attributes, and a separate count is kept for each category.
threshold
Positive integer value. When the counter value reaches or exceeds the lowest threshold value, the reported severity level goes to one, the second lowest raises it to two, and so on. The counter considers zero severity as no problem.
For compatibility with TONICS severity levels, you should specify four threshold values. The first will be for Blue, the second for Yellow, the third for Orange, and the fourth for Red.
TYPE: MEAN
The values generated by the counter reflect the mean rate of event arrivals. This is the default.
TYPE: TOTAL The values generated by the counter reflect the total number of events received.
REPORTLEVEL: level Positive integer value, defaults to zero. The counter will not report anything until the counter value reaches or exceeds this number. If the counter value falls below the REPORTLEVEL the severity is set to zero.
THRESHOLD: COUNT The values compared to the threshold values is the counter value. This is the default.
THRESHOLD: "attribute_name" The name of an attribute for an Event Type. Must match an attribute of the Event Type of the Event Filter specified and be of type "int". The values compared to the threshold values are obtained from the given attribute of the event that causes the report. The counter value must still exceed the REPORTLEVEL for the report to be generated.
LIMIT: <event_limit> Positive integer value, defaults to infinite. When doing TOTAL counts, limits the number of events counted to the given value. Use this option to avoid running out of memory in case of a flood of events.
NOTE_SEVERITY_CHANGE Normally, reports are only sent when a counter first passes a threshold (start problem), when a counter falls below the lowest threshold (end problem), and every report_interval (if given). This option causes the counter to send additional messages whenever it detects that the severity level has changed.
INVERT_THRESHOLDS
Indicates that the value compared to the thresholds gets worse as it gets lower. Therefore, as long as the value is at least the highest threshold value, the severity is zero. If it falls below the highest threshold the severity is one, and so on.

Monitoring filter definitions

You can view raw events passing through a filter by using the Monitor Problem Definition. You can also use this to verify the correctness of a filter before using it as an argument to a counter problem definition. Use the following format to specify the filters you want to monitor.

MONITOR("filter_name1",.."filter_nameN")

Return to TIAS Overview

{option} is one of:	TYPE: { MEAN \| TOTAL } REPORTLEVEL: <level> THRESHOLD: { COUNT \| "attribute_name" } LIMIT: <event_limit> NOTE_SEVERITY_CHANGE INVERT_THRESHOLDS
[ ]	indicates optional part
< >	indicates an integer
""	indicates a quoted string
{a\|b}	indicates either a or b
...	indicates repetition, comma separated

The name of a previously installed Event Filter. Only events that pass through this filter are counted.
window	Time in minutes, zero indicates infinite. Only events occurring in the most recent window are included in the count.
report_interval	Time in minutes, defaults to one year. Describes how often to generate updates regarding counter values.
attribute	The name of an attribute for an Event Type. Must match an attribute of the Event Type of the Event Filter specified. The attribute should be of type "int", "float", or "string". All incoming counters are categorized based on the values of the specified attributes, and a separate count is kept for each category.
threshold	Positive integer value. When the counter value reaches or exceeds the lowest threshold value, the reported severity level goes to one, the second lowest raises it to two, and so on. The counter considers zero severity as no problem. For compatibility with TONICS severity levels, you should specify four threshold values. The first will be for Blue, the second for Yellow, the third for Orange, and the fourth for Red.
TYPE: MEAN	The values generated by the counter reflect the mean rate of event arrivals. This is the default.
TYPE: TOTAL	The values generated by the counter reflect the total number of events received.
REPORTLEVEL: level	Positive integer value, defaults to zero. The counter will not report anything until the counter value reaches or exceeds this number. If the counter value falls below the REPORTLEVEL the severity is set to zero.
THRESHOLD: COUNT	The values compared to the threshold values is the counter value. This is the default.
THRESHOLD: "attribute_name"	The name of an attribute for an Event Type. Must match an attribute of the Event Type of the Event Filter specified and be of type "int". The values compared to the threshold values are obtained from the given attribute of the event that causes the report. The counter value must still exceed the REPORTLEVEL for the report to be generated.
LIMIT: <event_limit>	Positive integer value, defaults to infinite. When doing TOTAL counts, limits the number of events counted to the given value. Use this option to avoid running out of memory in case of a flood of events.
NOTE_SEVERITY_CHANGE	Normally, reports are only sent when a counter first passes a threshold (start problem), when a counter falls below the lowest threshold (end problem), and every report_interval (if given). This option causes the counter to send additional messages whenever it detects that the severity level has changed.
INVERT_THRESHOLDS	Indicates that the value compared to the thresholds gets worse as it gets lower. Therefore, as long as the value is at least the highest threshold value, the severity is zero. If it falls below the highest threshold the severity is one, and so on.