Creating Rule Sets

You can display existing Rule Sets and create new ones in the Insight Pack editor.

Before you begin

Before you create a Rule set, you must complete the following prerequisite tasks:
  • You must create an Insight Pack Eclipse project.
  • You must import the Annotation Query Language (AQL) rules and save them in the /src-files/extractors/ruleset directory.
    Important: Ensure that the /src-files/extractors/ruleset directory contains valid Annotation Query Language (AQL) rules. You may write these AQL rules yourself or import them from another project and then edit the rules as necessary.
    You can add custom annotation logic in two ways. You can add custom .aql files or precompiled AQL modules, which are stored in .tam files, to the rule set directory.

About this task

You use a Rule Set to define the rules that are used to split or annotate a log record that belongs to a specified data type.
Note: If you manually edit the metadata\rulesets.json file for a project that you have opened in the Log Analysis Insight Pack Tooling, your changes are not displayed and are overwritten by changes made within the Tooling.

Procedure

  1. Open the Insight Pack editor.
  2. To open the Rule sets tab, click Rule sets.
  3. To create a Rule Set, click Add and complete the following fields:
    Name
    Enter a name for the Rule Set.
    Type
    Select Split or Annotate from the Type list.
    Rule file directory
    This directory denotes the path relative to the main AQL module and related modules located in the src-files/extractors/ruleset directory. There are two ways to specify the directory: you can enter the path by hand, or click Specify rule file directory... to select the AQL module or modules.
    Table 1. Rule File Directory Path options
    Choice: Entering the directory by hand
    Procedure: Type the directory path you need in the Rule file directory field. To delimit each module, add a semicolon (;). For example, enter the following directory path to denote the splitter directory:
    extractors/ruleset/splitter
    Choice: Specify rule file directory... option
    Procedure:
    1. Click Specify rule file directory...
    2. Select the AQL module or modules you want from the list that opens, and click Finish.

      The Rule file directory is updated with the AQL module or modules you specified. If you specify multiple modules, the modules are delimited by a semicolon.

    Warning messages: If you edit the Rule file directory field, these warning messages may appear:
    Rule set directory must contain AQL module or modules
    Rule set rule file directory must contain AQL module(s)
     located in directory: extractors/ruleset 
    
    Possible causes include:
    • If you are editing the Rule file directory field by hand, you may have entered an invalid AQL module name.
    • You may have deleted an AQL module from extractors/ruleset after the Rule set was created.
    • You specified an AQL module that resides in another Insight Pack project.

    Ensure the Rule Set file directory contains AQL module or modules
    Rule set rule file directory please ensure that AQL module(s)
     contain AQL files. 
    Possible causes include:
    • The AQL module does not contain any AQL files.
    • You may have deleted a module after the Rule set was created.
    Note: To use an existing Rule set as a basis for a new Rule set, select a Rule set and click Copy. The copied Rule set instance is displayed in the Rule set tab and is named with the prefix CopyOf. Edit the name in the Attributes field and make any additional changes you require before you proceed.
  4. To save the Rule Set, click Save on the toolbar.
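
The conditions behind the two warnings described in step 3 can be checked outside the Tooling, for example before a project is committed. The following Python script is an added example, not part of the product or its documentation. It assumes that each module named in the Rule file directory value is a directory under src-files that holds .aql source files (precompiled .tam modules are not checked); the function names and the sample project are hypothetical.

```python
import tempfile
from pathlib import Path

def check_rule_file_directory(project_root, value):
    """Check a semicolon-delimited Rule file directory value.

    Returns a list of (entry, problem) tuples; an empty list means every
    module resolved to a directory with at least one .aql file.
    """
    src = Path(project_root) / "src-files"
    ruleset_root = (src / "extractors" / "ruleset").resolve()
    entries = [e.strip() for e in value.split(";") if e.strip()]
    if not entries:
        return [("", "no AQL module specified")]
    problems = []
    for entry in entries:
        module = (src / entry).resolve()
        if ruleset_root not in module.parents:
            # Covers ../ paths and modules that live in another project.
            problems.append((entry, "not a module under this project's extractors/ruleset"))
        elif not module.is_dir():
            problems.append((entry, "AQL module not found"))
        elif not any(module.glob("*.aql")):
            problems.append((entry, "AQL module contains no AQL files"))
    return problems

def make_sample_project():
    """Build a constructed Insight Pack layout in a temp dir (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="insightpack_"))
    ruleset = root / "src-files" / "extractors" / "ruleset"
    (ruleset / "splitter").mkdir(parents=True)
    (ruleset / "splitter" / "split.aql").write_text("-- constructed placeholder rule file\n")
    (ruleset / "emptymod").mkdir()
    return root

if __name__ == "__main__":
    root = make_sample_project()
    value = "extractors/ruleset/splitter;extractors/ruleset/emptymod;extractors/ruleset/gone"
    for entry, problem in check_rule_file_directory(root, value):
        print(f"{entry}: {problem}")
```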