Definition of correlation

BMC Defender Server performs semantic correlation. This semantic correlation is contrasted with purely statistical correlation methods, although statistical functions are also provided in various locations in the product.

In terms of expressed function, the input to BMC Defender Server (that is, the independent variable) is an arbitrary textual message generated by a device or generated internally by BMC Defender Server. The output of BMC Defender Server (that is, the dependent variable) is a specific meaning associated with those messages, or in many cases a very specific action that is executed by the program.

Operationally, BMC Defender Server finds meaning in the messages by using simple or complex match patterns that divide messages into threads. Additionally, BMC Defender Server employs triggers to establish context to messages, and Alerts to monitor specific message rates. Once the meaning of a message (or group of messages) is determined, BMC Defender Server takes a specific action, such as sending a syslog message, running a program, or opening a ticket and assigning it to a user or group.

The various algorithms and rules implemented by BMC Defender Server provide wide flexibility in establishing one-to-many and many-to-one types of relationships. The correlation process is easy to start but has considerable depth. Because the terms correlation and semantic can be abstract, any correlation that applies meaning to an arbitrary input stream of data requires depth and flexibility. Some of this flexibility might appear intimidating at first, so make sure that you follow the explanations and procedures in the Using section.