Hi Wolfgang,
Thanks for your quick response.
Which aspect of the requirement is hazy?
I'll be happy to clarify.
Thanks.
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of Wolfgang Laun
Sent: Sunday, August 11, 2013 5:41 PM
To: Rules Users List
Subject: Re: [rules-users] Is my use case suuported in Drools?
You should look into the Expert and Fusion manuals, especially:
Expert for the syntax and most features,
sliding "window" in Fusion,
"timer" in Expert,
"accumulate" and "from collect" in Expert.
Your text is a little too hazy to try and concoct a set of rules demonstrating what needs
to be done - they may be off in more than one respect.
-W
On 11 August 2013 09:57, Elran Dvir
<elrand@checkpoint.com<mailto:elrand@checkpoint.com>> wrote:
Hi all,
I am new to drools and I'm trying to understand whether the following use case is
supported - any help on the following will be greatly appreciated:
I would like to create a new event based on multiple events (all of the same type meeting
a set of conditions) occurring over a given period of time T1.
For each combination of values for fieldA and fieldB, a new group of event candidates
should be opened (fieldA and fieldB are group by fields. Each combination of values of
these fields, should be treated separately).
The event should be created when at least X events occurred over the period. Count the
events based on unique values of fieldC and fieldD (for a given combination of fieldA and
fieldB, if you notice an event with already existing values of the combination of fieldC
and fieldD, it should not be counted).
If all conditions described above are met, create the desired new event. The new event
will stay open for duration of T2, and update will be sent for it every T3.
Aside from the above, I need an aggregation function (besides count) of
"collect" : in the new event the value of fieldE will be the collection of
(preferably distinct) values of fieldE in originating events.
Example:
Port scan event - the basic event is connection. For each combination of source_ip and
destination_ip (group by fields), detect a port scan event if over a minute (T1) there
more than 20 (X) events with different ports (unique field).
The event will stay open for 10 minutes (T2) and an update will be sent every 1 minute
(T3). Every update will contain the count of events, source_ip, destination_ip and
collection of services.
Thanks a lot.
_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org<mailto:rules-users@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/rules-users