gr8 questions, and they certainly need clarification.<br>cc'ing the group s.t. others could contribute too.<br><br><div class="gmail_quote">On Sun, Jun 12, 2011 at 8:48 PM, Mihai Balea <span dir="ltr"><<a href="mailto:mihai@hates.ms">mihai@hates.ms</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div style="word-wrap:break-word"><div><div></div><div class="h5"><br><div><div>On Jun 12, 2011, at 10:51 AM, Banibrata Dutta wrote:</div>
<br><blockquote type="cite"><div class="gmail_quote">Prematurely sent.<br><br>On Sun, Jun 12, 2011 at 7:59 PM, Banibrata Dutta <span dir="ltr"><<a href="mailto:banibrata.dutta@gmail.com" target="_blank">banibrata.dutta@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex">
<br>What would be a good way to correlate asynchronous events, spot patterns over a sliding window (s.a. of no. of events elapsed or time elapsed), with millions of events occurring simultaneously, using Erlang ?<br>
<br>The set of possible events is known, and any unknown event is just flagged as 'unknown' (so all unknowns are similar). The set of possible event patterns can be enumerated, but is possibly quite a large set of patterns.<br>
</blockquote></div><br>Was wondering as to what could be the approach taken to implement such a thing in pure Erlang. My initial thoughts were along the line of maintaining FSMs per event source, but with so many events and so many possible/valid patterns, the thing seems kind of unwieldy. Also, I'd like a non-programmer to be able to define new events and valid event patterns.<br>
<br>I believe 'Complex Event Processing' is quite likely to be the standard
approach for such things, as I've found from some posts, and solutions
exist in Java world for same, but both as an academic exercise (for the fun of learning) and for a potentially simpler + better solution, would like to try doing this is Erlang.<br></blockquote></div><br></div></div><div>
I think you need to define your problem better. </div></div></blockquote><div><br>Sure, let me try.<br> <br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="word-wrap: break-word;"><div>What exactly do you mean by "millions of events occurring simultaneously"? </div></div></blockquote><div><br>Okay, so I can say something like 500 events/second handled for correlation would be a more realistic number.<br>
<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div style="word-wrap: break-word;"><div>At exactly the same time? </div></div></blockquote>
<div><br>Yes... some of the events might be from same source, but spaced by as little as 50ms, but mostly from different sources. There could be some heirarchical relationship between sources. Very typical case of network management scenario. E.g. a fault port on a switch, could probably cause hundreds of destination unreachable events, application response timeouts, heartbeat losses etc..<br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div style="word-wrap: break-word;"><div>Millions of events per second? Minute? Is that peak rate, average rate or minimum rate? </div>
</div></blockquote><div><br>Okay, I got over-enthusiastic :-) . Say 100 events/second typical, 500 events/second peak, no real minimum.<br><br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="word-wrap: break-word;"><div>What exactly is a pattern? </div></div></blockquote><div><br>Node-A failed, Power in room-X where Node-A is kept failed, Nodes B,C,D which are served thru Node-A became unreachable, due to which Services L & M became unavailable, and due to which another dependent service N started giving inconsistent answers. So this is a pattern. However in this case, there's a possibility that Power-failure had nothing to do with Noda-A's failure, as backup power was available.<br>
<br>Another pattern is, Power in room X failed, then Noda A failed, leading to failure of only Node D, because somehow Nodes B & C were dynamically configured to reroute. This is another pattern.<br><br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="word-wrap: break-word;"><div>What do you mean by "quite a large set of patterns"? Hundreds, thousands, millions? </div></div></blockquote><div><br>Several hundreds is a distinct possibility, and thousands are not impossible, but millions -- probably not.<br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div style="word-wrap: break-word;"><div>How long is that sliding window? </div></div>
</blockquote><div><br>From few minutes (for certain type of events), to few days (for another type of events).<br> <br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="word-wrap: break-word;"><div>Can patterns encompass events coming from multiple sources or just one source? </div></div></blockquote><div><br>Yes, indeed. However in this case, there needs to a "relationship" between the event sources, that is pre-defined. E.g. some sense of "topology" exists. However it is likely that only 2% of the event sources are interrelated.<br>
<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div style="word-wrap: break-word;"><div>Are patterns concerned only with event ordering and occurrence or there are timing issues involved as well?</div>
</div></blockquote><div> <br>Ordering, Timing, or any kind of causal relationship.<br></div></div>