On 15/09/2013, Elran Dvir <elrand(a)checkpoint.com> wrote:
my questions:
1) If I have only one stream of data, can I omit the use of entry
point and insert logs to the session? Or is the use of entry points
mandatory in Drools Fusion?
Yes. No. An entry point is just an additional attribute added "on the fly",
where you don't have a source identification in the pojo.
2) When I tested it with matching data, rule "Create Port Scan Event -
update" was never fired. When I replaced "(this meets $ce || this during $ce
|| this metby $ce)" with "this after $ce.getStartTime() , this before
$ce.getEndTime()" everything worked fine.
Why?
Just take the constraints and replace the temporal operator by its
definition in the "Fusion" manual and use a little elementary math:
A meets B || A during B || A metby B
becomes
abs( B.startTimestamp - A.endTimestamp ) == 0 ||
B.startTimestamp < A.startTimestamp && A.endTimestamp < B.endTimestamp ||
abs( A.startTimestamp - B.endTimestamp ) == 0
becomes
...
3) I tried to use sliding windows in rule "Create Port Scan Event" and
an exception was thrown at runtime. I decided to use "this after[0s,5s]
$log" instead. Is it correct?
A sliding window is not the same as the temporal relation of two
events. If the rule does what it ought to, I'd say, yes, it is
correct.
4) Is my basic implementation correct?
A bit much to ask, don't you think?
-W
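The "elementary math" suggested in the reply, carried out as an added example that is not part of the thread: the temporal operators are written out as interval arithmetic following the Drools Fusion manual definitions, so the original disjunction (`meets || during || metby`) and the questioner's replacement (`after $ce.getStartTime(), before $ce.getEndTime()`) can be compared on constructed events. It assumes timestamps in milliseconds, that `after`/`before` without parameters require a strictly positive distance, and that a `Date` operand behaves like a zero-length event.

```python
# Added example, not code from the thread. Operator definitions follow the
# Drools Fusion manual; the defaults for parameterless after/before and the
# treatment of a Date operand as a zero-length event are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ev:
    start: int  # startTimestamp, ms
    end: int    # endTimestamp, ms

def point(t):
    """A Date/long operand such as $ce.getStartTime(), as a zero-length event."""
    return Ev(t, t)

def _in_range(d, lo, hi):
    """No parameters: d > 0; op[lo]: lo <= d; op[lo, hi]: lo <= d <= hi."""
    if lo is None:
        return d > 0
    return lo <= d and (hi is None or d <= hi)

def meets(a, b, tol=0):       # abs(B.start - A.end) <= tol
    return abs(b.start - a.end) <= tol

def metby(a, b, tol=0):       # abs(A.start - B.end) <= tol
    return abs(a.start - b.end) <= tol

def during(a, b):             # B.start < A.start <= A.end < B.end (strict)
    return b.start < a.start <= a.end < b.end

def after(a, b, lo=None, hi=None):   # lo <= A.start - B.end <= hi
    return _in_range(a.start - b.end, lo, hi)

def before(a, b, lo=None, hi=None):  # lo <= B.start - A.end <= hi
    return _in_range(b.start - a.end, lo, hi)

def original_constraint(log, ce):
    """this meets $ce || this during $ce || this metby $ce"""
    return meets(log, ce) or during(log, ce) or metby(log, ce)

def replacement_constraint(log, ce):
    """this after $ce.getStartTime(), this before $ce.getEndTime()"""
    return after(log, point(ce.start)) and before(log, point(ce.end))

def compare(log, ce):
    """Evaluate both constraint forms for one log against one PortScan event."""
    return original_constraint(log, ce), replacement_constraint(log, ce)

if __name__ == "__main__":
    ce = Ev(1000, 2000)  # constructed PortScan event, one second long
    for log in (Ev(1200, 1500), Ev(500, 1000), Ev(2000, 2300), Ev(1000, 1500)):
        print(log, compare(log, ce))
```

A log that exactly meets or is met by the event satisfies the original disjunction but not the replacement, while a log starting at the same instant as the event satisfies neither; `after(log, ce, 0, 5000)` models the `this after[0s,5s] $log` form from question 3.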