shezaf1 Acclaimed Contributor.

Correlation rules flow and optimization

If you would like more information, you can read

Rules Execution Flow

The following is the order of execution for every incoming event:

  1. Pre-persistence rules phase (available for ESM 5.5, 6.5c and 6.8c):
    1. Evaluate all lightweight rule conditions and global variables
    2. Execute actions for every matched pre-persistence rule (actions are limited to setting event fields)
    3. Persist the event, i.e. store it to the event database
  2. Lightweight rules phase (available in ESM 5.2 and above and in Express 4.0):
    1. Clear out global variable results.
    2. Evaluate all lightweight rule conditions and global variables.
    3. Execute actions for every matched lightweight rule
  3. Regular rules phase:
    1. Clear out global variable results.
    2. Evaluate all standard rule conditions and global variables
    3. Execute actions for every matched standard rule

Global Variables Optimization

Global variables are evaluated once for each phase independently if used by the phase rules. So:

  1. If a global variable is used by rules in several phases, it is evaluated for each phase with the previous phase result deleted prior to the subsequent phase.
  2. If a global variable is not used by any rule in a phase, it is not evaluated.
  3. If a global variable is not used by any active rule, it is not evaluated during rule execution.

Note that if a global variable is short circuited as described below, it is not used and not evaluated.

Filters

Atomic filter conditions are evaluated once per phase (lightweight rules phase and regular rules phase). The boolean operators connecting them as well as inclusion ("MatchesFilter" condition) are calculated every time they are encountered in a rule, even if the same named filter was already evaluated.

Side Effects

Since all conditions are performed before any action in each of the phases, changes made by actions do not affect conditions for the same phase. If such side effects are necessary, for example rule A results should affect rule B conditions, the following options can be used:

  • Rule A is implemented as a lightweight rule (if lightweight rules capabilities are sufficient, those are: no joins, no aggregation, only OnEveryEvent trigger, no correlation event, and only actions to update AL/SL).
  • Rule B triggers on the correlated event generated by rule A.

Short Circuit Evaluation

ESM supports short circuit evaluation of boolean expressions, which implies that if the first condition in the expression is sufficient to determine the result, the others are not evaluated.

So:

  • For the expression "x AND y" if x is false, y is not evaluated.
  • For the expression "x OR y" if x is true, y is not evaluated.
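
The flow described in the post can be modelled in a few lines. This is an added example, not part of the original post and not ArcSight code: `Rule`, `process_event`, the `suspects` active list and the `is_external` global variable are hypothetical names, and the event is constructed. It shows that rule B cannot see rule A's active list update when both run in the same phase, that it can once A is a lightweight rule, and that a global variable is evaluated once per phase in which it is used.

```python
# Toy model of the per-event flow described above; not ArcSight code.
# Rule, process_event and the "suspects" active list are hypothetical names.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    phase: str            # "lightweight" or "standard"
    condition: Callable   # (event, state, gvar) -> bool
    action: Callable      # (event, state) -> None

def process_event(event, rules, state, gvar_funcs):
    """Return (fired rule names, global variable evaluation counts)."""
    fired, gvar_evals = [], {}
    for phase in ("lightweight", "standard"):
        cache = {}  # global variable results are cleared for each phase
        def gvar(name):
            if name not in cache:  # evaluated once per phase, only if used
                cache[name] = gvar_funcs[name](event)
                gvar_evals[(phase, name)] = gvar_evals.get((phase, name), 0) + 1
            return cache[name]
        # Every condition of the phase is evaluated before any action runs.
        matched = [r for r in rules
                   if r.phase == phase and r.condition(event, state, gvar)]
        for r in matched:
            r.action(event, state)
            fired.append(r.name)
    return fired, gvar_evals

def is_external(event):  # constructed global variable
    return not event["src"].startswith("10.")

def run(phase_of_a):
    # Rule A adds the source to the active list; rule B tests membership.
    rules = [
        Rule("A", phase_of_a,
             lambda e, s, g: e["name"] == "login failed" and g("is_external"),
             lambda e, s: s["suspects"].add(e["src"])),
        Rule("B", "standard",
             lambda e, s, g: e["src"] in s["suspects"] and g("is_external"),
             lambda e, s: None),
    ]
    event = {"name": "login failed", "src": "203.0.113.7"}  # constructed event
    return process_event(event, rules, {"suspects": set()},
                         {"is_external": is_external})

if __name__ == "__main__":
    print(run("standard"))     # A and B in the same phase
    print(run("lightweight"))  # A moved to the lightweight phase
```

With both rules in the standard phase, B's membership test short-circuits to false on the triggering event, so only A fires; B would match only on a later event from the same source.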
1 Reply
deeshu Contributor.

Re: Correlation rules flow and optimization

Hi Shzaf1... Nice article. I am a little curious to know if there is any script available for rule optimization, so that we can know how much time a particular rule is taking for processing.

Would be glad to hear from you...

 
