In the network management domain, various approaches have been proposed for event correlation, including rule-based systems, model-based reasoning systems, fault propagation models, and the code-book approach.
A traditional approach to event correlation is that of rule-based analysis. Rule-based systems are composed of rules of the form “conclusion if condition”, which are matched against incoming events. Based on the results of each test, and the combination of events in the system, the rule-processing engine analyzes data until it reaches a final state. The condition part is a logical combination of propositions about the current set of received alarms and the system state; the conclusion is determined by the state of the correlation process. Rule-based systems require a time-consuming translation of the processes being modeled into rules, and large amounts of processing power to apply all rules in a real-time environment.
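The rule-based matching described above, as an added example that is not part of the original text: a minimal forward-chaining engine in which each rule is a "conclusion if condition" pair, re-evaluated against the received alarms and derived state until no rule fires. The alarm names, the rule set, and the names `Rule` and `correlate` are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Rule:
    conclusion: str                        # fact asserted when the rule fires
    condition: Callable[[Set[str]], bool]  # proposition over alarms + derived state


# Constructed rule set. Negation is applied only to raw input alarms, never to
# derived facts, so the result does not depend on rule order.
RULES = [
    Rule("root_cause:link_failure:r1-r2",
         lambda f: "link_down:r1-r2" in f and "alarm:power_fail:r1" not in f),
    Rule("link_down:r1-r2",
         lambda f: "alarm:if_down:r1/eth0" in f and "alarm:if_down:r2/eth1" in f),
    Rule("root_cause:power_failure:r1",
         lambda f: "alarm:power_fail:r1" in f),
    Rule("suppress:alarm:unreachable:host-a",
         lambda f: "link_down:r1-r2" in f and "alarm:unreachable:host-a" in f),
]


def correlate(alarms: Iterable[str], rules: List[Rule] = RULES) -> List[str]:
    """Apply every rule repeatedly until a pass adds no new conclusion."""
    facts = set(alarms)
    fired: List[str] = []
    changed = True
    while changed:              # each pass re-tests all rules: the cost noted above
        changed = False
        for rule in rules:
            if rule.conclusion not in facts and rule.condition(facts):
                facts.add(rule.conclusion)   # conclusion becomes system state
                fired.append(rule.conclusion)
                changed = True
    return fired                # final state: conclusions in firing order


if __name__ == "__main__":
    # Constructed alarm burst: both ends of a link report down, a host is unreachable.
    burst = ["alarm:if_down:r1/eth0", "alarm:if_down:r2/eth1",
             "alarm:unreachable:host-a"]
    for conclusion in correlate(burst):
        print(conclusion)
```

The first rule depends on a fact that the second rule derives, so it only fires on the second pass; this is why the engine loops to a fixed point rather than testing each rule once.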
Another group of approaches incorporates an explicit representation of the structure and function of the system being diagnosed. The representation provides information about dependencies of components in the network or about cause-effect relationships between network events. The fault discovery process explores the network model to verify correlation between events. While these approaches can be used for a wide range of continuous queries, the actual processing of the selected data has to be specified in a query statement and the processing of the query is hidden from the developers. This makes it difficult for developers to implement user-defined functions because all processing is limited to the functionality provided by the query language.