Ok, this is a very tricky situation. The engine is behaving as it is designed to behave, but I can see how the situation is misleading, and it is an edge case. I will explain what is happening and then I am open to ideas on how to fix that.

   I executed this example with the audit log. See attached screenshot.

   So, first of all, you are running your example with the engine set to STREAM mode, meaning that the engine will automatically garbage collect events when they can no longer match or when they are expired. So, from the audit log you see that events 1, 2 and 3 are inserted, rule is activated and fired and when the clock is advanced to match event 4 timestamp, the first 3 events are garbage collected (expired).
  
   Now, the edge case. It happens that you are using a minute based precision and the events 4 and 5 happen exactly at the same minute, in the given order. Your rule, although, considers events happening at the same minute as valid events to avoid the rule firing (timeStampAttr >= $timeStampAttr1). That is fine and the rule does not fire. But when the clock advances to match timestamp of event 7, the engine expires the old events in the order they arrived. The expiration of event 4 before event 5 causes the engine to activate the rule. If the order of the events is reversed in the rule file (just to mention one example), then the rule never fires because the event "warning Symantec" expires before the "normal Login_failure".

   Now the event semantics state that an event "expiration", different from a fact "retraction", does NOT cancel previously activated rules. That is why, even when event 5 expires, the rule still fires.

   I am asking Kris if we can add the session clock timestamp to the audit log, to make this kind of analysis easier, but if you follow the code and the audit log, it will make sense.

   Now what I am thinking is: since fact expiration does not causes activated rules to be canceled, maybe fact expirations should not cause new activations either. But as these things are never simple (what would be the fun?), that clashes with sliding window semantics. For instance:

Number( doubleValue > 100 ) from accumulate(
    StockTick( $p : price ) over window:time( 10m ),
    average( $p ) )

   On the previous statement, imagine that a StockTick that is about to expire will cause the average price of the non-expired stock ticks to go over 100. In this case, it is expected that the fact expiration triggers an activation.

   So, please I am open to ideas.

    Edson

2009/7/7 PriyaSha <nash.8103@gmail.com>

global java.lang.String output

declare OMNewTicket
   @role( event )
   @timestamp (timeStampAttr)
   @expires (10m)
end

# Find 'critical' events of 'Windows' which occured after 1minute but before
10 minutes
# of 'warning' events of 'Symantec' provided no 'Security' with severity
'normal' exist in between
rule "Sample Temporal"
no-loop true
when
       $ticket  : OMNewTicket($severity1 : severity == "warning",
                                              appName == "Symantec",
                                              $timeStampAttr1 : timeStampAttr)
       $ticket1 : OMNewTicket(this after[1m, 10m] $ticket,
                                                  severity == "critical",
                                                  $appName1 : appName == "Windows",
                                                  $timeStampAttr2 : timeStampAttr)
       not (OMNewTicket( timeStampAttr <= $timeStampAttr2,
                                         timeStampAttr >= $timeStampAttr1,
                                         appName == "Login_failure", severity == "normal"))
then
       drools.getWorkingMemory().setGlobal( "output", "found");
end

For the input :

e6382090-a259-71dd-12b9-92dfda160000    14178     10/25/2008:5:59:AM
warning         Symantec                        Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000    14178     10/25/2008:6:00:AM
warning        Login_failure                   Security
28bdb2e0-a25a-71dd-1bc3-c01959f40000    14178     10/25/2008:6:05:AM
critical           Windows                        Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000    14178     10/25/2008:10:04:AM
normal         Login_failure                  Security
20f39930-a27d-71dd-0369-81f8b3ee0000    14178     10/25/2008:10:04:AM
warning          Symantec                      Application
648d5010-a27c-71dd-1bc3-c01959f40000    14178     10/25/2008:10:05:AM
critical            Windows                       Application
8bcb9bb0-a32f-71dd-10c5-c01959dc0000    14179     10/26/2008:7:23:AM
warning          Login_failure                  Security
8882ee70-a331-71dd-1fbc-c0068f170000    14179     10/26/2008:7:37:AM
warning           Symantec                       Application

I get the below output:

405000              405000              0                   warning
Symantec            Sat Oct 25 05:59:00
406000              406000              0                   warning
Login_failure        Sat Oct 25 06:00:00
407000              407000              0                   critical
Windows                Sat Oct 25 06:05:00    found
408000              408000              0                   normal
Login_failure        Sat Oct 25 10:04:00
409000              409000              0                   warning
Symantec            Sat Oct 25 10:04:00
410000              410000              0                   critical
Windows                Sat Oct 25 10:05:00
411000              411000              0                   warning
Login_failure        Sun Oct 26 07:23:00   found
412000              412000              0                   warning
Symantec            Sun Oct 26 07:37:00

I use pseudo clock and I set the time in the third column(example
10/25/2008:5:59:AM) of the input as the 'timeStampAttr' by converting it to
long.
I also adjust the clock accordingly.

My requirement is to get the those 'critical-windows' event which happens
after 1 to 10minutes of 'warning-Symantec' provided no
'normal-Login_Failure' between them.

Problem here is, I could not get convinced with the occurance of found in
row #7. Coz 'Login_failure' did not occur between 10minute interval of a
symantec and windows event. Also my intention is to identify the windows
event.

--
View this message in context: http://www.nabble.com/Rule-with-temporal-operators-tp24370198p24370198.html
Sent from the drools - user mailing list archive at Nabble.com.

_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users



--
 Edson Tirelli
 JBoss Drools Core Development
 JBoss by Red Hat @ www.jboss.com