On 12/08/2013, Elran Dvir <[email protected]> wrote:
> Hi Wolfgang,
>
> Thanks for your quick response.
> Which aspect of the requirement is hazy?
> I'll be happy to clarify.

Are you prepared to write a (small) set of individual rules for each set of
parameters like the one in your example? What should happen if the last
T1-interval of T2 fulfills the condition of creating a "new event" with the
same set of parameters? Or the first T2-interval after the end of T2? Should
the initial condition be observed in a sliding window?

Anyway, the features are as I've enumerated them, and I see no reason why it
shouldn't be possible to do this in Drools.

-W

>
> Thanks.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Wolfgang Laun
> Sent: Sunday, August 11, 2013 5:41 PM
> To: Rules Users List
> Subject: Re: [rules-users] Is my use case supported in Drools?
>
> You should look into the Expert and Fusion manuals, especially:
> Expert for the syntax and most features,
> sliding "window" in Fusion,
> "timer" in Expert,
> "accumulate" and "from collect" in Expert.
> Your text is a little too hazy to try and concoct a set of rules
> demonstrating what needs to be done - they may be off in more than one
> respect.
>
> -W
>
>
> On 11 August 2013 09:57, Elran Dvir <[email protected]<mailto:[email protected]>> wrote:
> Hi all,
>
> I am new to drools and I'm trying to understand whether the following use
> case is supported - any help on the following will be greatly appreciated:
>
> I would like to create a new event based on multiple events (all of the same
> type meeting a set of conditions) occurring over a given period of time T1.
> For each combination of values for fieldA and fieldB, a new group of event
> candidates should be opened (fieldA and fieldB are group by fields. Each
> combination of values of these fields should be treated separately).
> The event should be created when at least X events occurred over the period.
> Count the events based on unique values of fieldC and fieldD (for a given
> combination of fieldA and fieldB, if you notice an event with already
> existing values of the combination of fieldC and fieldD, it should not be
> counted).
> If all conditions described above are met, create the desired new event. The
> new event will stay open for the duration of T2, and an update will be sent
> for it every T3.
>
> Aside from the above, I need an aggregation function (besides count) of
> "collect": in the new event the value of fieldE will be the collection of
> (preferably distinct) values of fieldE in originating events.
>
> Example:
> Port scan event - the basic event is connection. For each combination of
> source_ip and destination_ip (group by fields), detect a port scan event if
> over a minute (T1) there are more than 20 (X) events with different ports
> (unique field).
> The event will stay open for 10 minutes (T2) and an update will be sent
> every 1 minute (T3). Every update will contain the count of events,
> source_ip, destination_ip and collection of services.
>
> Thanks a lot.
>
>
> _______________________________________________
> rules-users mailing list
> [email protected]<mailto:[email protected]>
> https://lists.jboss.org/mailman/listinfo/rules-users
>
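The port-scan correlation Elran describes (group by source_ip/destination_ip, distinct destination ports over a sliding T1, threshold X, an event kept open for T2 with an update every T3, and a "collect" of services), written out as an added plain-Python model of the detection logic; this is not Drools code and not from anyone in the thread, and the connection records, addresses and service names are constructed. It takes one concrete position on the questions Wolfgang raises: the T1 window slides with every connection, and once T2 has elapsed the same group may trigger a fresh event.

```python
from collections import defaultdict, deque

T1, T2, T3, X = 60, 600, 60, 20   # seconds / threshold from the poster's port-scan example

# Constructed sample connections: (ts_seconds, src_ip, dst_ip, dst_port, service); RFC 5737 test addresses
CONNECTIONS = [(t, "192.0.2.10", "198.51.100.5", 1000 + t, "svc%d" % (t % 3)) for t in range(25)]
CONNECTIONS += [(t, "192.0.2.10", "198.51.100.5", 80, "http") for t in range(25, 40)]   # repeated port: not counted again
CONNECTIONS += [(t, "192.0.2.11", "198.51.100.5", 22, "ssh") for t in range(40, 45)]    # other group, stays below X
CONNECTIONS += [(85, "192.0.2.10", "198.51.100.5", 443, "https")]                        # arrives after T3: triggers an update

class PortScanCorrelator:
    """Group by (src, dst); count distinct ports in a sliding T1 window; open an
    event when the distinct count exceeds X; keep it open for T2 and emit an
    update at most every T3 with the count, the group key and collected services."""

    def __init__(self):
        self.windows = defaultdict(deque)   # (src, dst) -> deque of (ts, port, service) within T1
        self.open_events = {}               # (src, dst) -> state of the currently open port-scan event
        self.outputs = []                   # emitted ("new"|"update", key, distinct_port_count, services)

    def feed(self, ts, src, dst, port, service):
        key = (src, dst)
        win = self.windows[key]
        win.append((ts, port, service))
        while win and win[0][0] <= ts - T1:     # slide: drop connections older than T1
            win.popleft()
        ev = self.open_events.get(key)
        if ev is not None:
            if ts - ev["opened"] >= T2:          # T2 elapsed: close, and let the group re-trigger below
                del self.open_events[key]
            else:                                # still open: fold the connection into the event
                ev["ports"].add(port)
                ev["services"].add(service)
                if ts - ev["last_update"] >= T3:
                    ev["last_update"] = ts
                    self.outputs.append(("update", key, len(ev["ports"]), sorted(ev["services"])))
                return
        distinct_ports = {p for _, p, _ in win}  # unique-value counting on the port field
        if len(distinct_ports) > X:
            services = {s for _, _, s in win}    # the "collect" aggregation of the service field
            self.open_events[key] = {"opened": ts, "last_update": ts,
                                     "ports": distinct_ports, "services": services}
            self.outputs.append(("new", key, len(distinct_ports), sorted(services)))

def run(connections):
    # Replay connections in timestamp order and return the emitted records.
    corr = PortScanCorrelator()
    for rec in sorted(connections):
        corr.feed(*rec)
    return corr.outputs
```

With the constructed input, `run(CONNECTIONS)` yields one "new" record when the 21st distinct port arrives and one "update" once T3 has passed, while the second (src, dst) group never reaches X.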
