Need your help to know what went wrong in the rule.

global java.lang.String output

declare OMNewTicket
    @role( event )
    @timestamp (timeStampAttr)
    @expires (10m)
end 

# Find 'critical' events of 'Windows' which occured after 1minute but before 10 minutes
# of 'warning' events of 'Symantec' provided no 'Security' with severity 'normal' exist in between
rule "Sample Temporal"
no-loop true
when
	$ticket  : OMNewTicket($severity1 : severity == "warning",
					       appName == "Symantec",
					       $timeStampAttr1 : timeStampAttr)
	$ticket1 : OMNewTicket(this after[1m, 10m] $ticket,
						   severity == "critical",
						   $appName1 : appName == "Windows",
						   $timeStampAttr2 : timeStampAttr)
	not (OMNewTicket( timeStampAttr <= $timeStampAttr2,
					  timeStampAttr >= $timeStampAttr1,
		 			  appName == "Login_failure", severity == "normal"))
then
	drools.getWorkingMemory().setGlobal( "output", "found");
end

<b>For the input :</b>

e6382090-a259-71dd-12b9-92dfda160000    14178     10/25/2008:5:59:AM     warning         Symantec                        Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000    14178     10/25/2008:6:00:AM     warning        Login_failure                   Security  
28bdb2e0-a25a-71dd-1bc3-c01959f40000    14178     10/25/2008:6:05:AM     critical           Windows                        Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000    14178     10/25/2008:10:04:AM    normal         Login_failure                  Security
20f39930-a27d-71dd-0369-81f8b3ee0000    14178     10/25/2008:10:04:AM    warning          Symantec                      Application
648d5010-a27c-71dd-1bc3-c01959f40000    14178     10/25/2008:10:05:AM    critical            Windows                       Application  
8bcb9bb0-a32f-71dd-10c5-c01959dc0000    14179     10/26/2008:7:23:AM     warning          Login_failure                  Security     
8882ee70-a331-71dd-1fbc-c0068f170000    14179     10/26/2008:7:37:AM     warning           Symantec                       Application

<b>I get the below output:</b>

405000              405000              0                   warning             Symantec            Sat Oct 25 05:59:00                     
406000              406000              0                   warning             Login_failure        Sat Oct 25 06:00:00                     
407000              407000              0                   critical            Windows                Sat Oct 25 06:05:00    found           
408000              408000              0                   normal              Login_failure        Sat Oct 25 10:04:00                     
409000              409000              0                   warning             Symantec            Sat Oct 25 10:04:00                     
410000              410000              0                   critical            Windows                Sat Oct 25 10:05:00                     
411000              411000              0                   warning             Login_failure        Sun Oct 26 07:23:00   found           
412000              412000              0                   warning             Symantec            Sun Oct 26 07:37:00  

I use pseudo clock and I set the time in the third column(example 10/25/2008:5:59:AM) of the input as the 'timeStampAttr' by converting it to long.
I also adjust the clock accordingly.

My requirement is to get the those 'critical-windows' event which happens after 1 to 10minutes of 'warning-Symantec' provided no 'normal-Login_Failure' between them.
 
Problem here is, I could not get convinced with the occurance of found in row #7. Coz 'Login_failure' did not occur between 10minute interval of a symantec and windows event. Also my intention is to identify the windows event.
<br><hr align="left" width="300">
View this message in context: <a href="http://www.nabble.com/Rule-with-temporal-operators-tp24370166p24370166.html">Rule with temporal operators</a><br>
Sent from the <a href="http://www.nabble.com/drools---user-f11823.html">drools - user mailing list archive</a> at Nabble.com.<br>