You should look into the Expert and Fusion manuals, especially: Expert for the syntax and most features, sliding "window" in Fusion, "timer" in Expert, "accumulate" and "from collect" in Expert.
Your text is a little too hazy to try and concoct a set of rules demonstrating what needs to be done - they may be off in more than one respect.

-W

On 11 August 2013 09:57, Elran Dvir <[email protected]> wrote:

> Hi all,
>
> I am new to drools and I'm trying to understand whether the following use case is supported – any help on the following will be greatly appreciated:
>
> I would like to create a new event based on *multiple* events (all of the same type meeting a set of conditions) occurring *over a given period of time T1*.
>
> For each combination of values for fieldA and fieldB, a new group of event candidates should be opened (fieldA and fieldB are *group by* fields. Each combination of values of these fields should be treated separately).
>
> The event should be created when *at least X events* occurred over the period. Count the events based on *unique* values of fieldC and fieldD (for a given combination of fieldA and fieldB, if you notice an event with already existing values of the combination of fieldC and fieldD, it should not be counted).
>
> If all conditions described above are met, create the desired new event. *The new event will stay open for the duration of T2, and an update will be sent for it every T3.*
>
> Aside from the above, I need an *aggregation function (besides count) of "collect"*: in the new event the value of fieldE will be the collection of (preferably distinct) values of fieldE in the originating events.
>
> Example:
>
> Port scan event – the basic event is connection. For each combination of source_ip and destination_ip (group by fields), detect a port scan event if over a minute (T1) there are more than 20 (X) events with different ports (unique field).
>
> The event will stay open for 10 minutes (T2) and an update will be sent every 1 minute (T3). Every update will contain the count of events, source_ip, destination_ip and collection of services.
>
> Thanks a lot.
>
> _______________________________________________
> rules-users mailing list
> [email protected]
> https://lists.jboss.org/mailman/listinfo/rules-users
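The constructs W points to (sliding window, accumulate with collect, timer) worked through on the port-scan case from the question, as an added illustration that is not code from either poster. It assumes a stream-mode Drools Fusion session and the Connection and PortScan event types declared in the block; the 10-minute window in the update rule is an assumption about what "count of events" should cover.

```drl
// Added example, not code from the thread. Assumes STREAM mode and the
// Connection / PortScan event types declared below.
package detection;

import java.util.Set;

declare Connection
    @role( event )
    @timestamp( ts )
    sourceIp : String
    destinationIp : String
    destinationPort : int
    ts : long
end

declare PortScan
    @role( event )
    @expires( 10m )     // T2: the engine discards the alert 10 minutes after its timestamp
    sourceIp : String
    destinationIp : String
    ports : Set
end

rule "detect port scan: more than 20 distinct ports per source/destination within 1 minute"
when
    // group by source_ip / destination_ip: every pair is evaluated on its own
    Connection( $src : sourceIp, $dst : destinationIp )
    not PortScan( sourceIp == $src, destinationIp == $dst )   // one open alert per pair
    accumulate( Connection( sourceIp == $src, destinationIp == $dst, $port : destinationPort )
                    over window:time( 1m );                   // T1: 1-minute sliding window
                $ports : collectSet( $port );                 // unique field: distinct ports
                $ports.size() > 20 )                          // X: more than 20 distinct ports
then
    insert( new PortScan( $src, $dst, $ports ) );
end

rule "update open port scan every minute"
    timer( int: 0s 1m )                                       // T3: fires at once, then every minute
when
    PortScan( $src : sourceIp, $dst : destinationIp )
    accumulate( Connection( sourceIp == $src, destinationIp == $dst, $port : destinationPort )
                    over window:time( 10m );                  // assumed: count over the alert's lifetime
                $n : count(), $ports : collectSet( $port ) )
then
    // the "collect" part of the question: count plus the distinct set of ports seen so far
    System.out.println( "port scan " + $src + " -> " + $dst
                        + ": " + $n + " connections, ports " + $ports );
end
```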
