Need your help to know what went wrong in the rule.

global java.lang.String output

declare OMNewTicket
    @role( event )
    @timestamp( timeStampAttr )
    @expires( 10m )
end

# Find 'critical' events of 'Windows' which occurred after 1 minute but before 10 minutes
# of 'warning' events of 'Symantec', provided no 'Security' with severity 'normal' exists in between
rule "Sample Temporal"
    no-loop true
    when
        $ticket : OMNewTicket( $severity1 : severity == "warning", appName == "Symantec", $timeStampAttr1 : timeStampAttr )
        $ticket1 : OMNewTicket( this after[1m, 10m] $ticket, severity == "critical", $appName1 : appName == "Windows", $timeStampAttr2 : timeStampAttr )
        not ( OMNewTicket( timeStampAttr <= $timeStampAttr2, timeStampAttr >= $timeStampAttr1, appName == "Login_failure", severity == "normal" ) )
    then
        drools.getWorkingMemory().setGlobal( "output", "found" );
end

For the input:

e6382090-a259-71dd-12b9-92dfda160000 14178 10/25/2008:5:59:AM warning Symantec Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:6:00:AM warning Login_failure Security
28bdb2e0-a25a-71dd-1bc3-c01959f40000 14178 10/25/2008:6:05:AM critical Windows Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:10:04:AM normal Login_failure Security
20f39930-a27d-71dd-0369-81f8b3ee0000 14178 10/25/2008:10:04:AM warning Symantec Application
648d5010-a27c-71dd-1bc3-c01959f40000 14178 10/25/2008:10:05:AM critical Windows Application
8bcb9bb0-a32f-71dd-10c5-c01959dc0000 14179 10/26/2008:7:23:AM warning Login_failure Security
8882ee70-a331-71dd-1fbc-c0068f170000 14179 10/26/2008:7:37:AM warning Symantec Application

I get the below output:

405000 405000 0 warning Symantec Sat Oct 25 05:59:00
406000 406000 0 warning Login_failure Sat Oct 25 06:00:00
407000 407000 0 critical Windows Sat Oct 25 06:05:00
found
408000 408000 0 normal Login_failure Sat Oct 25 10:04:00
409000 409000 0 warning Symantec Sat Oct 25 10:04:00
410000 410000 0 critical Windows Sat Oct 25 10:05:00
411000 411000 0 warning Login_failure Sun Oct 26 07:23:00
found
412000 412000 0 warning Symantec Sun Oct 26 07:37:00

I use a pseudo clock and I set the time in the third column (for example 10/25/2008:5:59:AM) of the input as the 'timeStampAttr' by converting it to long. I also adjust the clock accordingly. My requirement is to get those 'critical-Windows' events which happen 1 to 10 minutes after a 'warning-Symantec' event, provided no 'normal-Login_Failure' occurs between them. The problem here is, I am not convinced by the occurrence of 'found' in row #7, because 'Login_failure' did not occur in the 10-minute interval between a Symantec and a Windows event. Also, my intention is to identify the Windows event.

View this message in context: Rule with temporal operators
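As an added example (not the poster's rule or Drools code), a plain Python re-implementation of the rule's three conditions over the same eight input rows, to get an engine-independent reference for which Symantec/Windows pairs those conditions select. It assumes point events (no duration), so `after[1m, 10m]` becomes an inclusive timestamp difference of 1 to 10 minutes; the id, batch and category columns are parsed but unused.

```python
from datetime import datetime, timedelta

# Constructed copy of the eight input rows from the post:
# id  batch  timestamp  severity  appName  category
EVENTS_RAW = """\
e6382090-a259-71dd-12b9-92dfda160000 14178 10/25/2008:5:59:AM warning Symantec Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:6:00:AM warning Login_failure Security
28bdb2e0-a25a-71dd-1bc3-c01959f40000 14178 10/25/2008:6:05:AM critical Windows Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:10:04:AM normal Login_failure Security
20f39930-a27d-71dd-0369-81f8b3ee0000 14178 10/25/2008:10:04:AM warning Symantec Application
648d5010-a27c-71dd-1bc3-c01959f40000 14178 10/25/2008:10:05:AM critical Windows Application
8bcb9bb0-a32f-71dd-10c5-c01959dc0000 14179 10/26/2008:7:23:AM warning Login_failure Security
8882ee70-a331-71dd-1fbc-c0068f170000 14179 10/26/2008:7:37:AM warning Symantec Application
"""


def parse_events(text):
    """Turn each input row into a dict; 'ts' plays the role of timeStampAttr."""
    events = []
    for line in text.splitlines():
        _id, _batch, ts, severity, app, _category = line.split()
        events.append({"ts": datetime.strptime(ts, "%m/%d/%Y:%I:%M:%p"),
                       "severity": severity, "appName": app})
    return events


def matching_windows_events(events, low=timedelta(minutes=1), high=timedelta(minutes=10)):
    """Apply the rule's conditions literally and return (symantec_ts, windows_ts) pairs:
    a critical Windows ticket 1..10 minutes (inclusive) after a warning Symantec ticket,
    with no normal Login_failure ticket whose timestamp lies in the closed interval
    [symantec_ts, windows_ts] (the rule uses <= and >=, so the bounds are inclusive)."""
    found = []
    for sym in events:
        if not (sym["severity"] == "warning" and sym["appName"] == "Symantec"):
            continue
        for win in events:
            if not (win["severity"] == "critical" and win["appName"] == "Windows"):
                continue
            if not (low <= win["ts"] - sym["ts"] <= high):
                continue
            blocked = any(e["severity"] == "normal" and e["appName"] == "Login_failure"
                          and sym["ts"] <= e["ts"] <= win["ts"] for e in events)
            if not blocked:
                found.append((sym["ts"], win["ts"]))
    return found


if __name__ == "__main__":
    for sym_ts, win_ts in matching_windows_events(parse_events(EVENTS_RAW)):
        print("found: Windows event at", win_ts, "after Symantec event at", sym_ts)
```

On this input the conditions select exactly one pair (05:59 Symantec, 06:05 Windows); the 10:04/10:05 pair is excluded because the 10:04 normal Login_failure ticket falls on the inclusive lower bound.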