Complex event processing (CEP) systems, also known as event processing systems (EPS), apply rules to streams of incoming events based on the timing and parameters of the events as well as additional data. CEP systems deal with the task of processing multiple events from an event stream with the goal of generating new events based on predefined rules.
An example prior art system utilizing CEP techniques is shown in FIG. 1. The automobile, generally referenced 10, comprises chassis 11, tires 12, 13, 14, 15, tire pressure sensor 16, speed sensor 17, airbag sensor 18 and emergency communication device 19. Suppose automobile 10 blows a tire, which results in automobile 10 leaving the road, striking a tree and inflating the airbags. Sensors on board automobile 10 record the following sequence of events transpiring in rapid succession: (1) tire pressure sensor 16 identifies a rapid loss of tire pressure, generating a “BlowOutTire” event, (2) speed sensor 17 identifies that the car has stopped, generating a “ZeroSpeed” event and (3) airbag sensor 18 identifies that the airbags have inflated, generating an “AirbagInflate” event. Based on previously defined, manually described rules, a CEP system will determine that an accident has likely occurred, and instruct communication device 19 to notify the police. Even though there is no direct measurement that can determine conclusively that the car struck a tree (or that there was even an accident for that matter), the combination of events enables the situation to be detected and a new event to be created to signify the detected situation. This is the essence of a complex (or composite) event. It is complex because the situation cannot be directly detected; the situation is inferred or deduced from the occurrence of a combination of specific events.
CEP systems can be implemented by technical support help desks to identify the cause of system problems through system log analysis. An example prior art entry in a system log is shown in FIG. 2. The log entry, generally referenced 20, describes an event and comprises system log message class 22, event time 24, event identifier 26, system log name 28, event description 30 and event source 32.
For example, a system log records the following information: (1) a user group is deleted and (2) there are multiple unsuccessful login attempts to that user group. Using machine learning methods to automatically analyze system log data, coupled with records of phone calls made to the help desk to report a problem, enables a rule to be written that identifies a situation where a user group is deleted and there are multiple unsuccessful logins. The rule can then be used to inform the system administrator that the user group is deleted. Alternatively, the rule can be used to assist the help desk representative in identifying the problem.
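The rule described above (a user group is deleted, then multiple unsuccessful logins to that group follow) can be written as a small correlation over a time-ordered event stream. This is an added example, not code from the original document; the event type names, tuple layout, threshold and time window are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (time, event type, user group); the tuple layout
# and event type names are assumptions made for this example.
SAMPLE_LOG = [
    ("2024-01-01T09:00:00", "GroupDeleted", "finance"),
    ("2024-01-01T09:01:10", "LoginFailed", "finance"),
    ("2024-01-01T09:01:40", "LoginFailed", "hr"),       # group never deleted
    ("2024-01-01T09:02:05", "LoginFailed", "finance"),
    ("2024-01-01T09:03:30", "LoginFailed", "finance"),
    ("2024-01-01T11:00:00", "GroupDeleted", "ops"),
    ("2024-01-01T13:30:00", "LoginFailed", "ops"),      # outside the window
]

def detect_deleted_group_failures(events, threshold=3,
                                  window=timedelta(minutes=30)):
    """Return composite events for groups that were deleted and then saw
    `threshold` failed logins within `window` of the deletion.
    Assumes `events` is ordered by time."""
    deleted_at = {}  # group -> deletion time still inside its window
    failures = {}    # group -> failed logins counted since the deletion
    composite = []
    for ts, kind, group in events:
        t = datetime.fromisoformat(ts)
        if kind == "GroupDeleted":
            deleted_at[group] = t
            failures[group] = 0
        elif kind == "LoginFailed" and group in deleted_at:
            if t - deleted_at[group] > window:
                del deleted_at[group]  # window expired, stop correlating
                continue
            failures[group] += 1
            if failures[group] == threshold:  # fire once per deletion
                composite.append({
                    "event": "DeletedGroupLoginFailures",
                    "group": group,
                    "deleted_at": deleted_at[group].isoformat(),
                    "detected_at": t.isoformat(),
                })
    return composite

if __name__ == "__main__":
    for alert in detect_deleted_group_failures(SAMPLE_LOG):
        print(alert)
```

Neither input event alone indicates the problem; the composite event is produced only when both occur for the same group inside the window, which is what gives the administrator or help desk representative the likely cause.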