Use Correlated Events to Trigger an Event Policy
Configure an event policy to execute when two or more correlated events occur.
How to Represent Triggering and Correlating Events in an Event Policy
In event script arguments and supported event policy statements such as the
execute-commands
statement, you can use event policy variables
to differentiate between a triggering event and a correlating event.
Triggering and correlating events are configured in the following statements at the
[edit event-options policy policy-name]
hierarchy level:
- Triggering event—Configured in the
events
statement - Correlating event—Configured in the
within seconds events
statement
You can use event policy variables of the following forms to represent triggering and correlating events:
-
{$$.attribute-name}
—The double dollar sign ($$
) notation represents the event that triggers the policy. When combined with an attribute name, the variable resolves to the value of the attribute associated with the triggering event. For example,{$$.interface-name}
resolves to the interface name associated with the triggering event. -
{$event.attribute-name}
—The single dollar sign with the event name ($event
) notation represents the most recent event that matchesevent
. When combined with an attribute name, the variable resolves to the value of the attribute associated with that event. For example, when a policy issues theshow interfaces {$COSD_CHAS_SCHED_MAP_INVALID.interface-name}
command, the{$COSD_CHAS_SCHED_MAP_INVALID.interface-name}
variable resolves to the interface name associated with the most recentCOSD_CHAS_SCHED_MAP_INVALID
event cached by the event process. -
{$*.attribute-name}
—The dollar sign with the asterisk ($*
) notation represents the most recent event that matches any of the correlating events. The variable resolves to the value of the attribute associated with most recent event that matches any of the correlated events specified in the policy configuration.
In event policies, you can reference specific events by using event policy variables. Consider the following event policy:
[edit event-options] policy p1 { events [ e1 e2 e3 ]; within 60 events [ e4 e5 e6 ]; then { execute-commands { commands { "show interfaces {$$.interface-name}"; "show interfaces {$e4.interface-name}"; "show interfaces {$*.interface-name}"; } output-filename command-output.txt; destination some-dest; } } }
In the show interfaces {$$.interface-name}
command, the value of the
interface-name
attribute of event e1
,
e2
, or e3
is substituted for the
{$$.interface-name}
variable.
In the show interfaces {$e4.interface-name}
command, the value of
the interface-name
attribute of the most recent e4
event is substituted for the {$e4.interface-name}
variable.
In the show interfaces {$*.interface-name}
command, the value of the
interface-name
attribute of the most recent
e4
, e5
, or e6
event is
substituted for the {$*.interface-name}
variable. If one of
e1
, e2
, or e3
occurs within
60 seconds after e4
, e5
, or e6
,
the value of the interface-name
attribute for that correlating
event (e4
, e5
, or e6
) is
substituted for the {$*.interface-name}
variable. If the
correlating event does not have an interface-name
attribute, the
software does not execute the show interfaces {$*.interface-name}
command.
If e1
occurs within 60 seconds of both e4
and
e5
, then the value of the interface-name
attribute for e4
is substituted for the
{$*.interface-name}
variable. This is because the event process
(eventd) searches for correlating events in sequential order as configured in the
within
statement. In this case, the order is
e4
> e5
> e6
.
Example: Correlating Events Based on Receipt of Other Events Within a Specified Time Interval
The event policy in this example issues a set of commands and uploads the resulting output file
to an archive site. The policy executes if one of the trigger events,
event3
,
event4
, or
event5
, occurs within 60 seconds after
one of the correlating events, event1
or
event2
, occurs. The pseudocode for the
policy is as follows:
if trigger event is (event3 or event4 or event5) and (event1 or event2 has been received within the last 60 seconds) then { run a set of commands; log the output of these commands to a location; }
The event policy specifies two archive sites in the configuration. The device attempts to transfer to the first archive site in the list, moving to the next site only if the transfer fails. The event policy configuration is:
[edit event-options] policy 1 { events [ event3 event4 event5 ]; within 60 events [ event1 event2 ]; then { execute-commands { commands { "command"; } output-filename my_cmd_out; destination policy-1-command-dest; } } } destinations { policy-1-command-dest { archive-sites { scp://robot@my.big.com/a/b; scp://robot@my.little.com/a/b; } } }
Example: Correlating Events Based on Event Attributes
In the following event policy, the two events are correlated if their event attribute values match. Matching on the attributes of both events ensures that the two events are related. In this case, the interface addresses must match and the physical interface (ifd) names must match.
The RPD_KRT_IFDCHANGE
error occurs when the routing protocol process
(rpd) sends a request to the kernel to change the state of an interface and the
request fails. The RPD_RDISC_NOMULTI
error occurs when an interface
is configured for router discovery but the interface does not support IP multicast
operations as required.
In this example, rpd_rdisc_nomulti.interface-name
might be
so-0/0/0.0, and rpd_krt_ifdchange.ifd-index
might be so-0/0/0.
[edit event-options] policy 1 { events rpd_rdisc_nomulti; within 500 events rpd_krt_ifdchange; attributes-match { rpd_rdisc_nomulti.interface-address equals rpd_krt_ifdchange.address; rpd_rdisc_nomulti.interface-name starts-with rpd_krt_ifdchange.ifd-index; } then { ... actions ... } }