4:52 a.m.
global java.lang.String output
declare OMNewTicket
@role( event )
@timestamp (timeStampAttr)
@expires (10m)
end
# Find 'critical' events of 'Windows' which occured after 1minute but
before
10 minutes
# of 'warning' events of 'Symantec' provided no 'Security' with
severity
'normal' exist in between
rule "Sample Temporal"
no-loop true
when
$ticket : OMNewTicket($severity1 : severity == "warning",
appName == "Symantec",
$timeStampAttr1 : timeStampAttr)
$ticket1 : OMNewTicket(this after[1m, 10m] $ticket,
severity == "critical",
$appName1 : appName == "Windows",
$timeStampAttr2 : timeStampAttr)
not (OMNewTicket( timeStampAttr <= $timeStampAttr2,
timeStampAttr >= $timeStampAttr1,
appName == "Login_failure", severity == "normal"))
then
drools.getWorkingMemory().setGlobal( "output", "found");
end
For the input :
e6382090-a259-71dd-12b9-92dfda160000 14178 10/25/2008:5:59:AM
warning Symantec Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:6:00:AM
warning Login_failure Security
28bdb2e0-a25a-71dd-1bc3-c01959f40000 14178 10/25/2008:6:05:AM
critical Windows Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:10:04:AM
normal Login_failure Security
20f39930-a27d-71dd-0369-81f8b3ee0000 14178 10/25/2008:10:04:AM
warning Symantec Application
648d5010-a27c-71dd-1bc3-c01959f40000 14178 10/25/2008:10:05:AM
critical Windows Application
8bcb9bb0-a32f-71dd-10c5-c01959dc0000 14179 10/26/2008:7:23:AM
warning Login_failure Security
8882ee70-a331-71dd-1fbc-c0068f170000 14179 10/26/2008:7:37:AM
warning Symantec Application
I get the below output:
405000 405000 0 warning
Symantec Sat Oct 25 05:59:00
406000 406000 0 warning
Login_failure Sat Oct 25 06:00:00
407000 407000 0 critical
Windows Sat Oct 25 06:05:00 found
408000 408000 0 normal
Login_failure Sat Oct 25 10:04:00
409000 409000 0 warning
Symantec Sat Oct 25 10:04:00
410000 410000 0 critical
Windows Sat Oct 25 10:05:00
411000 411000 0 warning
Login_failure Sun Oct 26 07:23:00 found
412000 412000 0 warning
Symantec Sun Oct 26 07:37:00
I use pseudo clock and I set the time in the third column(example
10/25/2008:5:59:AM) of the input as the 'timeStampAttr' by converting it to
long.
I also adjust the clock accordingly.
My requirement is to get the those 'critical-windows' event which happens
after 1 to 10minutes of 'warning-Symantec' provided no
'normal-Login_Failure' between them.
Problem here is, I could not get convinced with the occurance of found in
row #7. Coz 'Login_failure' did not occur between 10minute interval of a
symantec and windows event. Also my intention is to identify the windows
event.
--
View this message in context:
http://www.nabble.com/Rule-with-temporal-operators-tp24370198p24370198.html
Sent from the drools - user mailing list archive at Nabble.com.
4:05 p.m.
Ok, this is a very tricky situation. The engine is behaving as it is
designed to behave, but I can see how the situation is misleading, and it is
an edge case. I will explain what is happening and then I am open to ideas
on how to fix that.
I executed this example with the audit log. See attached screenshot.
So, first of all, you are running your example with the engine set to
STREAM mode, meaning that the engine will automatically garbage collect
events when they can no longer match or when they are expired. So, from the
audit log you see that events 1, 2 and 3 are inserted, rule is activated and
fired and when the clock is advanced to match event 4 timestamp, the first 3
events are garbage collected (expired).
Now, the edge case. It happens that you are using a minute based
precision and the events 4 and 5 happen exactly at the same minute, in the
given order. Your rule, although, considers events happening at the same
minute as valid events to avoid the rule firing (timeStampAttr >=
$timeStampAttr1). That is fine and the rule does not fire. But when the
clock advances to match timestamp of event 7, the engine expires the old
events in the order they arrived. The expiration of event 4 before event 5
causes the engine to activate the rule. If the order of the events is
reversed in the rule file (just to mention one example), then the rule never
fires because the event "warning Symantec" expires before the "normal
Login_failure".
Now the event semantics state that an event "expiration", different from
a fact "retraction", does NOT cancel previously activated rules. That is
why, even when event 5 expires, the rule still fires.
I am asking Kris if we can add the session clock timestamp to the audit
log, to make this kind of analysis easier, but if you follow the code and
the audit log, it will make sense.
Now what I am thinking is: since fact expiration does not causes
activated rules to be canceled, maybe fact expirations should not cause new
activations either. But as these things are never simple (what would be the
fun?), that clashes with sliding window semantics. For instance:
Number( doubleValue > 100 ) from accumulate(
StockTick( $p : price ) over window:time( 10m ),
average( $p ) )
On the previous statement, imagine that a StockTick that is about to
expire will cause the average price of the non-expired stock ticks to go
over 100. In this case, it is expected that the fact expiration triggers an
activation.
So, please I am open to ideas.
Edson
2009/7/7 PriyaSha <nash.8103(a)gmail.com>
global java.lang.String output
declare OMNewTicket
@role( event )
@timestamp (timeStampAttr)
@expires (10m)
end
# Find 'critical' events of 'Windows' which occured after 1minute but
before
10 minutes
# of 'warning' events of 'Symantec' provided no 'Security' with
severity
'normal' exist in between
rule "Sample Temporal"
no-loop true
when
$ticket : OMNewTicket($severity1 : severity == "warning",
appName == "Symantec",
$timeStampAttr1 :
timeStampAttr)
$ticket1 : OMNewTicket(this after[1m, 10m] $ticket,
severity == "critical",
$appName1 : appName ==
"Windows",
$timeStampAttr2 :
timeStampAttr)
not (OMNewTicket( timeStampAttr <= $timeStampAttr2,
timeStampAttr >= $timeStampAttr1,
appName == "Login_failure",
severity == "normal"))
then
drools.getWorkingMemory().setGlobal( "output", "found");
end
For the input :
e6382090-a259-71dd-12b9-92dfda160000 14178 10/25/2008:5:59:AM
warning Symantec Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:6:00:AM
warning Login_failure Security
28bdb2e0-a25a-71dd-1bc3-c01959f40000 14178 10/25/2008:6:05:AM
critical Windows Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:10:04:AM
normal Login_failure Security
20f39930-a27d-71dd-0369-81f8b3ee0000 14178 10/25/2008:10:04:AM
warning Symantec Application
648d5010-a27c-71dd-1bc3-c01959f40000 14178 10/25/2008:10:05:AM
critical Windows Application
8bcb9bb0-a32f-71dd-10c5-c01959dc0000 14179 10/26/2008:7:23:AM
warning Login_failure Security
8882ee70-a331-71dd-1fbc-c0068f170000 14179 10/26/2008:7:37:AM
warning Symantec Application
I get the below output:
405000 405000 0 warning
Symantec Sat Oct 25 05:59:00
406000 406000 0 warning
Login_failure Sat Oct 25 06:00:00
407000 407000 0 critical
Windows Sat Oct 25 06:05:00 found
408000 408000 0 normal
Login_failure Sat Oct 25 10:04:00
409000 409000 0 warning
Symantec Sat Oct 25 10:04:00
410000 410000 0 critical
Windows Sat Oct 25 10:05:00
411000 411000 0 warning
Login_failure Sun Oct 26 07:23:00 found
412000 412000 0 warning
Symantec Sun Oct 26 07:37:00
I use pseudo clock and I set the time in the third column(example
10/25/2008:5:59:AM) of the input as the 'timeStampAttr' by converting it to
long.
I also adjust the clock accordingly.
My requirement is to get the those 'critical-windows' event which happens
after 1 to 10minutes of 'warning-Symantec' provided no
'normal-Login_Failure' between them.
Problem here is, I could not get convinced with the occurance of found in
row #7. Coz 'Login_failure' did not occur between 10minute interval of a
symantec and windows event. Also my intention is to identify the windows
event.
--
View this message in context:
http://www.nabble.com/Rule-with-temporal-operators-tp24370198p24370198.html
Sent from the drools - user mailing list archive at Nabble.com.
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
--
Edson Tirelli
JBoss Drools Core Development
JBoss by Red Hat @ www.jboss.com
5648
days inactive
5651
days old
1 comments
2 participants
participants (2)
-
Edson Tirelli -
PriyaSha