You should look into the Expert and Fusion manuals, especially:
Expert for the syntax and most features,
sliding "window" in Fusion,
"timer" in Expert,
"accumulate" and "from collect" in Expert.
Your text is a little too hazy to try and concoct a set of rules
demonstrating what needs to be done - they may be off in more than one
respect.
-W
On 11 August 2013 09:57, Elran Dvir <elrand(a)checkpoint.com> wrote:
Hi all,

I am new to drools and I’m trying to understand whether the following use
case is supported – any help on the following will be greatly appreciated:

I would like to create a new event based on *multiple* events (all of the
same type meeting a set of conditions) occurring *over a given period of
time T1*.
For each combination of values for fieldA and fieldB, a new group of event
candidates should be opened (fieldA and fieldB are *group by* fields.
Each combination of values of these fields should be treated separately).

The event should be created when *at least X events* occurred over the
period. Count the events based on *unique* values of fieldC and fieldD
(for a given combination of fieldA and fieldB, if you notice an event with
already existing values of the combination of fieldC and fieldD, it should
not be counted).
If all conditions described above are met, create the desired new event. *The
new event will stay open for the duration of T2, and an update will be sent for it
every T3.*

Aside from the above, I need an *aggregation function (besides count) of
“collect”*: in the new event the value of fieldE will be the collection
of (preferably distinct) values of fieldE in originating events.

Example:
Port scan event – the basic event is connection. For each combination of
source_ip and destination_ip (group by fields), detect a port scan event if
over a minute (T1) there are more than 20 (X) events with different ports
(unique field).
The event will stay open for 10 minutes (T2) and an update will be sent
every 1 minute (T3). Every update will contain the count of events,
source_ip, destination_ip and collection of services.

Thanks a lot.
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
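The semantics the quoted post asks for (group by (source_ip, destination_ip), count only unique ports inside a sliding T1 window, keep the event open for T2 with an update every T3, and collect the distinct services), written out in plain Python so the intended behaviour is unambiguous before it is turned into DRL. This is an added example, not code from the list thread or from Drools; the class and method names, the (ts, src, dst, port, service) event shape and the constructed traffic are all assumptions.

```python
from collections import defaultdict, deque

# Parameters from the post: T1 = 60 s window, X = 20 unique ports, T2 = 600 s open, T3 = 60 s updates.
T1, X, T2, T3 = 60, 20, 600, 60

class PortScanDetector:
    def __init__(self, t1=T1, x=X, t2=T2, t3=T3):
        self.t1, self.x, self.t2, self.t3 = t1, x, t2, t3
        self.windows = defaultdict(deque)  # (src, dst) -> (ts, port, service), oldest first
        self.open = {}                     # (src, dst) -> state of an open port-scan event

    def tick(self, ts):
        """Time-driven part: close open events after T2, emit an update every T3."""
        out = []
        for key, st in list(self.open.items()):
            if ts - st["opened"] >= self.t2:
                del self.open[key]
                out.append(("close", key))
            elif ts - st["last_update"] >= self.t3:
                st["last_update"] = ts
                out.append(("update", key, len(st["ports"]), sorted(st["services"])))
        return out

    def feed(self, ts, src, dst, port, service):
        """Event-driven part: T1 sliding window per (src, dst); open an event on more than X unique ports."""
        out = self.tick(ts)
        key = (src, dst)
        win = self.windows[key]
        win.append((ts, port, service))
        while win[0][0] <= ts - self.t1:       # drop connections older than T1
            win.popleft()
        ports = {p for _, p, _ in win}         # count unique ports only, as the post requires
        services = {s for _, _, s in win}
        st = self.open.get(key)
        if st is None and len(ports) > self.x:
            st = self.open[key] = {"opened": ts, "last_update": ts, "ports": set(), "services": set()}
            out.append(("open", key))
        if st is not None:                     # "collect": distinct ports and services while open
            st["ports"] |= ports
            st["services"] |= services
        return out

def run_demo():
    """Constructed traffic: 10.0.0.5 hits 21 distinct ports on 10.0.0.9 within 30 s (port 22 twice)."""
    det = PortScanDetector()
    events = []
    for i, port in enumerate([22] + list(range(22, 43))):        # 22 connections, 21 unique ports
        events += det.feed(i, "10.0.0.5", "10.0.0.9", port, f"svc{port}")
    events += det.feed(30, "10.0.0.7", "10.0.0.9", 80, "http")   # separate group, never fires
    events += det.tick(100)   # T3 elapsed since opening -> update
    events += det.tick(700)   # T2 elapsed -> close
    return events
```

The duplicate port 22 is counted once, so the event opens only on the 22nd connection, and the unrelated 10.0.0.7 pair is tracked in its own group and stays silent.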