What you have written counts how many times a connection to the same endpoint (I'm assuming the connectionInformationId represents the target endpoint, in some way) has been reopened shortly after being closed. I don't know how your connection protocols work, but I could see a perfectly legit use case where your client connects to your server, closes the connection, then "hey I forgot something" - so it opens (and closes) a new connection. If this scenario happens more than once in the lifetime of your monitoring system, the rule fires.
I'm not sure that this applies to your usecase, but maybe a better way to model the problem would be something like this? (please fix the details to match your data structures) *Server( $ep : connectionEP )* accumulate( $c : ConnectionEvent( type == CLOSE, target == $ep ) *over window:time(5m)* and $o : ConnectionEvent( type == OPEN, target == $ep, this after[0,5s] $c ), $count : count( $c ); $count > // I'd increase the threshold to 2 or 3... unless you want to capture glitches in the connection too ) In a nutshell, I would scope the pairs to the context of the same endpoint (especially if you can have different connections in parallel!), and I would also frame the temporal context within a time window. Is it possible that, occasionally, your client "forgets" somehting and opens two (succesful) connections in a row? If this scenario occurred twice in, say, a day, the rule you proposed would still fire. Best Davide -- View this message in context: http://drools.46999.n3.nabble.com/Accumulate-a-on-event-combinations-tp4020104p4020119.html Sent from the Drools: User forum mailing list archive at Nabble.com. _______________________________________________ rules-users mailing list [email protected] https://lists.jboss.org/mailman/listinfo/rules-users
