Complex event processing is a method of computing that performs operations on complex events. Typical examples of complex event processing include server management, risk management, supply chain and retail operation automations, airline operations management, fraud detection, and infrastructure monitoring. The goal of complex event processing is to derive or infer significant output events from a large number of input events, using patterns or relationships that can exist between these input events. A complex event is an event which is an abstraction of other events. Operations performed on the events in a complex event processor can include (but are not limited to) reading, creating, transforming or abstracting the events.
Complex event processing involves monitoring many sources of event data. An event is anything that happens in a monitored system, such as a CPU load, a sensor output, a keystroke, a financial trade or any other detectable action. These source events are analyzed in terms of key performance indicators that are expressed in terms of event rules or operators, and are then acted on in real time by creating a continuous output of complex events.
However, it is generally difficult to understand from the output of a complex event processor which specific source input events contributed to the output. For example, in the case of a web-based email service which operates using a large number of servers, a complex event processor can receive information from each of the servers regarding their status (e.g. CPU load, storage space) and the number of emails they are processing. The complex event processor can analyze these source events and determine if the performance of the email service is falling. Whilst this can provide a rapid notification of a decline in the service, it does not readily indicate which particular server or group of servers is causing the decline, nor what the fault is.
Root cause analysis is a method of taking an output from a process and attempting to define the original source inputs (i.e. the root causes) that gave rise to the investigated event. To apply root cause analysis to a complex event processor, a record of all source events, outputs, and preferably all intermediate events needs to be accessible to the root cause analysis. Therefore every event needs to be stored by the complex event processor along with information linking it to its preceding events. Since complex event processing engines can typically handle tens of thousands of events per second, this leads to the utilization of a very large amount of storage space. Storing all these events also results in performance overheads at the complex event processing engine. Furthermore, many of these stored events are never even used, as they are not relevant to the root cause analysis.
In addition, the construction and understanding of the root cause analysis requires navigation of large amounts of data which has to be manually analyzed by a user. In particular, the user has to manually analyze and filter the data to find the events which contributed to a particular output.
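The store-everything approach to root cause analysis described above, as an added example that is not part of the original text: a minimal Python sketch in which every source, intermediate and output event is kept with links to its preceding events, so that an alert can be traced back to the servers behind it. The class and function names, the degradation rule, the thresholds and the sample readings are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    eid: int
    kind: str
    payload: dict
    parents: tuple = ()  # ids of the preceding events this one was derived from

class LineageStore:
    """Keeps every event together with the links to its preceding events."""
    def __init__(self):
        self.events = {}

    def emit(self, kind, payload, parents=()):
        ev = Event(len(self.events) + 1, kind, payload, tuple(p.eid for p in parents))
        self.events[ev.eid] = ev
        return ev

    def root_causes(self, ev):
        """Walk the parent links back to source events (events with no parents)."""
        roots, stack = {}, [ev.eid]
        while stack:
            cur = self.events[stack.pop()]
            if cur.parents:
                stack.extend(cur.parents)
            else:
                roots[cur.eid] = cur
        return [roots[i] for i in sorted(roots)]

def run(samples, cpu_limit=90, min_overloaded=2):
    """Assumed rule: the service is degraded once min_overloaded servers exceed cpu_limit."""
    store, alerts, overloaded = LineageStore(), [], {}
    for server, cpu in samples:
        src = store.emit("cpu_load", {"server": server, "cpu": cpu})
        overloaded.pop(server, None)  # drop this server's previous state
        if cpu > cpu_limit:  # intermediate event, linked to its source reading
            overloaded[server] = store.emit("server_overloaded", {"server": server}, [src])
        if len(overloaded) >= min_overloaded and not alerts:  # raise the alert once
            alerts.append(store.emit("service_degraded", {}, list(overloaded.values())))
    return store, alerts

# Constructed sample readings: (server, CPU load in percent)
SAMPLES = [("mail-01", 35), ("mail-02", 40), ("mail-03", 95),
           ("mail-01", 38), ("mail-04", 97), ("mail-02", 42)]

if __name__ == "__main__":
    store, alerts = run(SAMPLES)
    culprits = [e.payload["server"] for e in store.root_causes(alerts[0])]
    print(f"{len(store.events)} events stored; alert traced to {culprits}")
```

On the constructed sample, nine events are stored to explain one alert that depends on only two source readings, which is the storage overhead the passage describes.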
The embodiments described below are not limited to implementations which solve any or all of the disadvantages of known complex event processors.