Hi,
I am trying to figure out a rule for matching an incoming sequence of
events, but so far I was not really successful. Basically, I want to
process events from devices. Every event has a timestamp (long), an id
(a UUID string), a deviceId and an error code (both are strings).
What I want to have is a simple rule that fires if a single device
reports a certain error code (e.g. ABCD) 3 times within 5 minutes (i.e.,
getting 3 such events within 5 minutes). So far, I succeeded in counting
the ABCD error codes in the time window as follows:

    rule "Detect 3 occurrences of code ABCD for a certain device"
    when
        Number( intValue == 3 ) from accumulate(
            Event( $i : id, code == "ABCD" ) over window:time( 5m ),
            count( $i ) )
    then
        System.out.println("Raise alarm");
    end

This first attempt does not distinguish which device sent the error
code. But how can I express to fire only if the events share the same
deviceId? I found many solutions that use a fact (e.g., a device fact)
to group by the device and do the accumulation. I successfully
implemented the group-by using the following when-part of the rule.

    when
        Device( $deviceId : id )
        Number( intValue == 2 ) from accumulate(
            Event( $i : id, deviceId == $deviceId, code == "ABCD" ) over window:time( 5m ),
            count( $i ) )
    then

Adding a device fact is however not practical in my case. Are there any
alternatives for expressing this group-by?
Thanks,
Ingo
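
Added example, not part of the original message and not Drools code: a plain-Python model of the per-device behaviour the rule is meant to have, where the group key is the deviceId carried by each event, so no separate device fact is involved. The Event fields follow the message; millisecond timestamps, the sample stream, and treating an event exactly 5 minutes old as expired are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_MS = 5 * 60 * 1000   # 5-minute sliding window (timestamps assumed in ms)
THRESHOLD = 3               # occurrences that raise the alarm


@dataclass(frozen=True)
class Event:
    timestamp: int   # assumed: epoch milliseconds
    id: str
    deviceId: str
    code: str


def detect(events, code="ABCD", window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Return (deviceId, timestamp) alarms; events must arrive in timestamp order."""
    recent = defaultdict(deque)   # deviceId -> timestamps of matching events in window
    alarms = []
    for ev in events:
        if ev.code != code:
            continue
        window = recent[ev.deviceId]      # grouping key comes from the event itself
        window.append(ev.timestamp)
        # Expire entries that slid out of the window ending at this event.
        while ev.timestamp - window[0] >= window_ms:
            window.popleft()
        # Fire only when the count reaches the threshold (cf. intValue == 3).
        if len(window) == threshold:
            alarms.append((ev.deviceId, ev.timestamp))
    return alarms


# Constructed sample stream: dev-1 reports ABCD three times inside 5 minutes,
# dev-2 reports it three times spread over 12 minutes, with one unrelated code.
MIN = 60_000
SAMPLE = [
    Event(0 * MIN, "e1", "dev-1", "ABCD"),
    Event(1 * MIN, "e2", "dev-2", "ABCD"),
    Event(2 * MIN, "e3", "dev-1", "ABCD"),
    Event(3 * MIN, "e4", "dev-1", "XYZ"),
    Event(4 * MIN, "e5", "dev-1", "ABCD"),
    Event(7 * MIN, "e6", "dev-2", "ABCD"),
    Event(13 * MIN, "e7", "dev-2", "ABCD"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Collapsing every deviceId in the sample to one value reproduces the ungrouped count of the first rule, which then alarms at the 2-minute mark although no single device has reported three times.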