The events contain a field with a source time. Refering this time
the events can be compared. It has to be done this way, because
unlike the source times the receive times aren't synchron.
In my case, the testing for missing elements is more complex than:
$a: EventA()
not EventB(this after[1d] $a)
Because there may be the events A, C, D, E and F and it should be
noticed, that there's B missing between A and C. But I have no hint
about that, because the events are neither numbered nor do I know
there should be a event B with a time A.time+Xseconds.
You can use it without time.. but each time that you
have an EventA and not an EventB the will be activated
I'm working on a use case where I want to know
if 20 events with a
specific value are contained in at maximum the
last 150 events. So far I
know what have to do. ;-)
My problem is that as extension to my condition,
the rule shall also
trigger if one ore more events are missing. But
I don't know the time
interval with which the events arrive, so that I
don't know when a new
event should arrive and by implication I don't
know about the absence of
an event.
In our environment events arrive in "counts" and
not in a specific time
interval as e.g. ever 1 second. So we talk
about the last two or 150
counts if we talk about the last two ore 150
data packages received.
Yes, behind a count always is a time interval,
but only the data source
knows about the time interval. My recipient
doesn't
Also the data of a data package is inserted in
the working memory
independently, so that I have e.g. 10 data
events instead of a single
package event.
(Now that you know that, my first sentence would
be correctly: I want to
know if 20 counts of the max. last 150 counts
have contained a specific
event.)
If my explanation (or my attempt to explain) is
difficult to understand,
please ask me what you want to know.