<div dir="ltr"><div><div><div><div>You should look into the Expert and Fusion manuals, especially: <br></div><div>Expert for the syntax and most features,<br></div>sliding "window" in Fusion,<br></div>"timer" in Expert,<br>
</div>"accumulate" and "from collect" in Expert.<br><br></div>Your text is a little too hazy to try and concoct a set of rules demonstrating what needs to be done - they may be off in more than one respect.<br>
<div><div><br></div><div>-W<br></div><div><div><br></div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 11 August 2013 09:57, Elran Dvir <span dir="ltr"><<a href="mailto:elrand@checkpoint.com" target="_blank">elrand@checkpoint.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal">Hi all,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am new to drools and I’m trying to understand whether the following use case is supported – any help on the following will be greatly appreciated:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I would like to create a new event based on <b>multiple</b> events (all of the same type meeting a set of conditions) occurring
<b>over a given period of time T1</b>.<u></u><u></u></p>
<p class="MsoNormal">For each combination of values for fieldA and fieldB, a new group of event candidates should be opened (fieldA and fieldB are
<b>group by</b> fields. Each combination of values of these fields, should be treated separately).<u></u><u></u></p>
<p class="MsoNormal">The event should be created when <b>at least X events</b> occurred over the period. Count the events based on
<b>unique</b> values of fieldC and fieldD (for a given combination of fieldA and fieldB, if you notice an event with already existing values of the combination of fieldC and fieldD, it should not be counted).<u></u><u></u></p>
<p class="MsoNormal">If all conditions described above are met, create the desired new event.
<b>The new event will stay open for duration of T2, and update will be sent for it every T3.<u></u><u></u></b></p>
<p class="MsoNormal"><b><u></u> <u></u></b></p>
<p class="MsoNormal">Aside from the above, I need an <b>aggregation function (besides count) of “collect”</b> : in the new event the value of fieldE will be the collection of (preferably distinct) values of fieldE in originating events<b>. <u></u><u></u></b></p>
<p class="MsoNormal"><b><u></u> <u></u></b></p>
<p class="MsoNormal">Example:<u></u><u></u></p>
<p class="MsoNormal">Port scan event – the basic event is connection. For each combination of source_ip and destination_ip (group by fields), detect a port scan event if over a minute (T1) there more than 20 (X) events with different ports (unique field).<u></u><u></u></p>
<p class="MsoNormal">The event will stay open for 10 minutes (T2) and an update will be sent every 1 minute (T3). Every update will contain the count of events, source_ip, destination_ip and collection of services.<u></u><u></u></p>
<p class="MsoNormal"><b><u></u> <u></u></b></p>
<p class="MsoNormal">Thanks a lot.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br>_______________________________________________<br>
rules-users mailing list<br>
<a href="mailto:rules-users@lists.jboss.org">rules-users@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br></blockquote></div><br></div>