Example 1: The following rule counts disk overload events per disk type in the infopad mytable. It implements the following monitoring scenario:
"Every time an event of type disk_alarm and of value overload occurs over the network, record (count) the warning in a table indexed by disk_type. The monitoring session should last from September 2001 to December 2001."
rule record_overload
activated by event1 of disk_alarm::overload
if (event1.date >= YEAR:2001/MONTH:9)
and (event1.date < YEAR:2001/MONTH:12)
then { mytable[event1.disk_type][1].total += 1;}
In this rule:
"event1" is an event variable. Each time an event of type "disk_alarm" and value "overload" is received, the rule is activated and event1 is bound to the newly received event object; events of any other type or value never activate the rule.
The two conditions bound the event's date attribute to the interval from the start of September 2001 (inclusive) up to, but not including, the start of December 2001. In calendar terms that is September 1st, 2001 to November 30th, 2001 inclusive: December itself is excluded by the strict "<" comparison, so an event dated anywhere in December 2001 activates the rule but fails the condition. If the scenario's "to December 2001" is meant to include December, the upper bound has to be moved to the start of the following month (YEAR:2002/MONTH:1 in the same notation).
If the event satisfies the condition, the rule fires and the action is executed. Here, the action increments the overload counter (the total field) of one table element; the element is selected by disk type, which the event carries as the disk_type attribute of its context. An activated event that fails the condition is simply not recorded.
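The following is an added example, not part of the original page or of the rule language's own runtime: a small Python simulation of what the engine does for record_overload, so the interval boundaries can be checked directly. The event objects, the disk types and the dates are constructed for the example; the infopad mytable is simplified to a dictionary keyed by disk_type holding just the total count, and the half-open date interval mirrors the two comparisons in the rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    """Constructed stand-in for an event object: type, value, date and the
    disk_type attribute taken from the event's context."""
    type: str
    value: str
    date: datetime
    disk_type: str


# Interval from the rule's condition: "date >= YEAR:2001/MONTH:9" and
# "date < YEAR:2001/MONTH:12". START is inclusive, END is exclusive, so
# December 2001 is NOT part of the monitoring session.
START = datetime(2001, 9, 1)
END = datetime(2001, 12, 1)


def is_activated(ev: Event) -> bool:
    """'activated by event1 of disk_alarm::overload'."""
    return ev.type == "disk_alarm" and ev.value == "overload"


def condition_holds(ev: Event) -> bool:
    """'if (event1.date >= YEAR:2001/MONTH:9) and (event1.date < YEAR:2001/MONTH:12)'."""
    return START <= ev.date < END


def record_overload(events, table=None):
    """Run the rule over a stream of events and return the per-disk_type totals.
    The table is a simplification of mytable[disk_type][1].total."""
    table = defaultdict(int) if table is None else table
    for ev in events:
        if not is_activated(ev):
            continue  # wrong type or value: the rule is never activated
        if not condition_holds(ev):
            continue  # activated, but outside the session: nothing recorded
        table[ev.disk_type] += 1  # 'mytable[event1.disk_type][1].total += 1'
    return dict(table)


# Constructed sample stream, chosen to hit the interval boundaries.
SAMPLE_EVENTS = [
    Event("disk_alarm", "overload", datetime(2001, 9, 1, 0, 0, 0), "scsi"),    # first instant: counted
    Event("disk_alarm", "overload", datetime(2001, 11, 30, 23, 59, 59), "scsi"),  # last instant: counted
    Event("disk_alarm", "overload", datetime(2001, 12, 1, 0, 0, 0), "scsi"),   # December: excluded
    Event("disk_alarm", "overload", datetime(2001, 8, 31, 23, 59, 59), "ide"), # before session: excluded
    Event("disk_alarm", "full", datetime(2001, 10, 15), "ide"),                # wrong value: not activated
    Event("cpu_alarm", "overload", datetime(2001, 10, 15), "ide"),             # wrong type: not activated
    Event("disk_alarm", "overload", datetime(2001, 10, 15), "ide"),            # mid-session: counted
]


def run_example():
    return record_overload(SAMPLE_EVENTS)


if __name__ == "__main__":
    for disk_type, total in sorted(run_example().items()):
        print(f"{disk_type}: {total}")
```

Running it shows two scsi overloads and one ide overload recorded; the December 1st event and the August 31st event activate the rule but fall outside the interval, and the two events with a different type or value never activate it at all.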