[rules-users] Accumulate a on event combinations
Davide Sottara
dsotty at gmail.com
Wed Oct 3 14:52:57 EDT 2012
What you have written counts how many times a connection to the same endpoint
(I'm assuming the connectionInformationId represents the target endpoint, in
some way) has been reopened shortly after being closed. I don't know how
your connection protocols work, but I could see a perfectly legit use case
where your client connects to your server, closes the connection, then "hey
I forgot something" - so it opens (and closes) a new connection. If this
scenario happens more than once in the lifetime of your monitoring system,
the rule fires.
I'm not sure that this applies to your usecase, but maybe a better way to
model the problem would be something like this?
(please fix the details to match your data structures)
*Server( $ep : connectionEP )*
accumulate(
$c : ConnectionEvent( type == CLOSE, target == $ep ) *over
window:time(5m)*
and
$o : ConnectionEvent( type == OPEN, target == $ep, this after[0,5s] $c ),
$count : count( $c );
$count > // I'd increase the threshold to 2 or 3... unless you want to
capture glitches in the connection too
)
In a nutshell, I would scope the pairs to the context of the same endpoint
(especially if you can have different connections in parallel!), and I would
also frame the temporal context within a time window. Is it possible that,
occasionally, your client "forgets" somehting and opens two (succesful)
connections in a row? If this scenario occurred twice in, say, a day, the
rule you proposed would still fire.
Best
Davide
--
View this message in context: http://drools.46999.n3.nabble.com/Accumulate-a-on-event-combinations-tp4020104p4020119.html
Sent from the Drools: User forum mailing list archive at Nabble.com.
More information about the rules-users
mailing list