The present invention relates to computer networks and more particularly to predictive monitoring for anticipating the occurrence of an event at a computer network resource.
The term “network resource” is a term that should be interpreted broadly enough to cover almost any hardware or software included in a computer network. The term includes, but is not limited to, special-purpose hardware devices such as switches, routers, hubs, content servers, network storage devices, etc., including the control programs for such hardware devices. The term also includes application programs that execute on either special-purpose or general-purpose hardware components.
It is common to monitor a network resource for the purpose of detecting the occurrence of a defined, primary event at the resource. In some cases, the primary event can be detected directly; e.g., the activation (or deactivation) of a particular port in a router. In other cases, the primary event is directed indirectly by detecting two or more secondary events and correlating the detections of the secondary events in accordance with a predefined event correlation rule in order to support a conclusion that the primary event has occurred at the resource.
Event correlation rules can be used not only to infer a conclusion that a primary event has occurred but also to identify possible causes for the primary event and thus possible network management actions that might be taken to remedy any problems that might be caused by the primary event. As an example, assume that a network monitor tracks both utilization levels for a web application server threadpool (secondary event A) and response times for the web application server (secondary event B). If the network monitor detects the web application server threadpool is 100% utilized at the same time the web application server's response time has risen to greater than four seconds, an existing event correlation rule might support a primary event conclusion that the web application server response time is exceeding four seconds because the web application server is too small and should be enlarged.
Event correlation technology can be extremely useful in filtering and correlating large number of “raw” network events to support conclusion that a particular network management action is all that is needed to deal with what appears to be a large number of network problems. However, event correlation technology is reactive in nature. That is, network management action is not initiated until the event correlation rule indicates the primary event has already occurred.