Re: [rules-users] Accumulate a on event combinations

What you have written counts how many times a connection to the same endpoint (I'm assuming the connectionInformationId represents the target endpoint, in some way) has been reopened shortly after being closed. I don't know how your connection protocols work, but I could see a perfectly legit use case where your client connects to your server, closes the connection, then "hey I forgot something" - so it opens (and closes) a new connection. If this scenario happens more than once in the lifetime of your monitoring system, the rule fires. I'm not sure that this applies to your usecase, but maybe a better way to model the problem would be something like this? (please fix the details to match your data structures)

Server( $ep : connectionEP )

accumulate( $c : ConnectionEvent( type == CLOSE, target == $ep )

over window:time(5m)

and $o : ConnectionEvent( type == OPEN, target == $ep, this after[0,5s] $c ), $count : count( $c ); $count > // I'd increase the threshold to 2 or 3... unless you want to capture glitches in the connection too ) In a nutshell, I would scope the pairs to the context of the same endpoint (especially if you can have different connections in parallel!), and I would also frame the temporal context within a time window. Is it possible that, occasionally, your client "forgets" somehting and opens two (succesful) connections in a row? If this scenario occurred twice in, say, a day, the rule you proposed would still fire. Best Davide