<div class="gmail_quote">On Sun, Jun 12, 2011 at 10:16 PM, Darach Ennis <span dir="ltr"><<a href="mailto:darach@gmail.com">darach@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#FFFFFF"><br><div>An excellent book introducing event processing is Opher Etzion's Event Processing in action:</div><div><br></div><div><a href="http://www.manning.com/etzion/" target="_blank">http://www.manning.com/etzion/</a></div>
</div></blockquote><div><br>Read reviews and some sample pages on google-books, looks very interesting.<br> <br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#FFFFFF"><div></div><div>The Event Processing Technical Society also has a wealth of resources & use cases online:</div><div><br></div><a href="http://www.ep-ts.com/" target="_blank">http://www.ep-ts.com/</a></div>
</blockquote><div><br>Okay, will go through. One of my doubts still is, whether I really need a CEP framework (based on little I've read on CEP so far -- mostly on Esper site). Given your extensive background in this domain, and my requirements (happy to answer more questions if needed), do you believe CEP is the way to go ? Or, can I hope to achieve with a pure FSM based approach ?<br>
<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div bgcolor="#FFFFFF"><div>Generally speaking you will want to separate the mechanics of windowing and correlation/combination from their utilisation </div>
</div></blockquote><div><br>I think I understand this part...<br> <br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div bgcolor="#FFFFFF">
<div>so that you can compose synthetic events derived from external or 'ordinary' events easily and reuse windowed or other functions processed in the <br></div></div></blockquote><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#FFFFFF"><div>context of a window or other correlation/combination.</div></div></blockquote><div><br>...though not too sure about this. My external / raw events could be SNMP traps, lines from log-file or even be OA&M activity. I intend to convert them to a homogeneous form, which at-least identifies the event-type, some kind of hierarchical position (if possible), and other data.<br>
<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div bgcolor="#FFFFFF"><div></div><div>A good example of windowing in Erlang projects is slide.erl/spiraltime.erl in riak core:</div>
<div><br></div><a href="https://github.com/basho/riak_core/blob/master/src/slide.erl" target="_blank">https://github.com/basho/riak_core/blob/master/src/slide.erl</a><div><br></div><div><a href="https://github.com/basho/riak_core/blob/master/src/spiraltime.erl" target="_blank">https://github.com/basho/riak_core/blob/master/src/spiraltime.erl</a></div>
<div><br></div><div>Event processing engines such as the open source Esper engine or commercial StreamBase (disclaimer: I work there) provide documentation online that could also be good references.<br></div></div></blockquote>
<div> </div><div>Thanks for all the tips. I am sure I'd be spending sometime going through some of that. I've gone thru the introduction to Esper -- definitely like what I see, although I am not quite sure (yet), if I really need all of that. <br>
<br><br>On 12 Jun 2011, at 16:38, Banibrata Dutta <<a href="mailto:banibrata.dutta@gmail.com" target="_blank">banibrata.dutta@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#FFFFFF"><div><div><div class="h5"><div></div><blockquote type="cite"><div>gr8 questions, and they certainly need clarification.<br>cc'ing the group s.t. others could contribute too.<br><br><div class="gmail_quote">
On Sun, Jun 12, 2011 at 8:48 PM, Mihai Balea <span dir="ltr"><<a href="mailto:mihai@hates.ms" target="_blank">mihai@hates.ms</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div></div><div><br><div><div>On Jun 12, 2011, at 10:51 AM, Banibrata Dutta wrote:</div>
<br><blockquote type="cite"><div class="gmail_quote">Prematurely sent.<br><br>On Sun, Jun 12, 2011 at 7:59 PM, Banibrata Dutta <span dir="ltr"><<a href="mailto:banibrata.dutta@gmail.com" target="_blank">banibrata.dutta@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex">
<br>What would be a good way to correlate asynchronous events, spot patterns over a sliding window (s.a. of no. of events elapsed or time elapsed), with millions of events occurring simultaneously, using Erlang ?<br>
<br>The set of possible events is known, and any unknown event is just flagged as 'unknown' (so all unknowns are similar). The set of possible event patterns can be enumerated, but is possibly quite a large set of patterns.<br>
</blockquote></div><br>Was wondering as to what could be the approach taken to implement such a thing in pure Erlang. My initial thoughts were along the line of maintaining FSMs per event source, but with so many events and so many possible/valid patterns, the thing seems kind of unwieldy. Also, I'd like a non-programmer to be able to define new events and valid event patterns.<br>
<br>I believe 'Complex Event Processing' is quite likely to be the standard
approach for such things, as I've found from some posts, and solutions
exist in Java world for same, but both as an academic exercise (for the fun of learning) and for a potentially simpler + better solution, would like to try doing this is Erlang.<br></blockquote></div><br></div></div><div>
I think you need to define your problem better. </div></div></blockquote><div><br>Sure, let me try.<br> <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div style="word-wrap:break-word"><div>What exactly do you mean by "millions of events occurring simultaneously"? </div></div></blockquote><div><br>Okay, so I can say something like 500 events/second handled for correlation would be a more realistic number.<br>
<br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"><div style="word-wrap:break-word"><div>At exactly the same time? </div></div></blockquote>
<div><br>Yes... some of the events might be from same source, but spaced by as little as 50ms, but mostly from different sources. There could be some heirarchical relationship between sources. Very typical case of network management scenario. E.g. a fault port on a switch, could probably cause hundreds of destination unreachable events, application response timeouts, heartbeat losses etc..<br>
</div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"><div style="word-wrap:break-word"><div>Millions of events per second? Minute? Is that peak rate, average rate or minimum rate? </div>
</div></blockquote><div><br>Okay, I got over-enthusiastic :-) . Say 100 events/second typical, 500 events/second peak, no real minimum.<br><br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div style="word-wrap:break-word"><div>What exactly is a pattern? </div></div></blockquote><div><br>Node-A failed, Power in room-X where Node-A is kept failed, Nodes B,C,D which are served thru Node-A became unreachable, due to which Services L & M became unavailable, and due to which another dependent service N started giving inconsistent answers. So this is a pattern. However in this case, there's a possibility that Power-failure had nothing to do with Noda-A's failure, as backup power was available.<br>
<br>Another pattern is, Power in room X failed, then Noda A failed, leading to failure of only Node D, because somehow Nodes B & C were dynamically configured to reroute. This is another pattern.<br><br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div style="word-wrap:break-word"><div>What do you mean by "quite a large set of patterns"? Hundreds, thousands, millions? </div></div></blockquote><div><br>Several hundreds is a distinct possibility, and thousands are not impossible, but millions -- probably not.<br>
</div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"><div style="word-wrap:break-word"><div>How long is that sliding window? </div></div>
</blockquote><div><br>From few minutes (for certain type of events), to few days (for another type of events).<br> <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div style="word-wrap:break-word"><div>Can patterns encompass events coming from multiple sources or just one source? </div></div></blockquote><div><br>Yes, indeed. However in this case, there needs to a "relationship" between the event sources, that is pre-defined. E.g. some sense of "topology" exists. However it is likely that only 2% of the event sources are interrelated.<br>
<br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"><div style="word-wrap:break-word"><div>Are patterns concerned only with event ordering and occurrence or there are timing issues involved as well?</div>
</div></blockquote><div> <br>Ordering, Timing, or any kind of causal relationship.<br></div></div>
</div></blockquote></div></div></div></div></blockquote></div>-- <br>regards,<br>Banibrata<br><a href="http://www.linkedin.com/in/bdutta">http://www.linkedin.com/in/bdutta</a><br><a href="http://twitter.com/edgeliving">http://twitter.com/edgeliving</a><br>