[rules-users] Is my use case supported in Drools?

Wolfgang Laun wolfgang.laun at gmail.com
Sun Aug 11 10:40:58 EDT 2013


You should look into the Expert and Fusion manuals, especially:
Expert for the syntax and most features,
sliding "window" in Fusion,
"timer" in Expert,
"accumulate" and "from collect" in Expert.

Your text is a little too hazy to try and concoct a set of rules
demonstrating what needs to be done - they may be off in more than one
respect.

-W



On 11 August 2013 09:57, Elran Dvir <elrand at checkpoint.com> wrote:

> Hi all,
>
> I am new to drools and I’m trying to understand whether the following use
> case is supported – any help on the following will be greatly appreciated:
>
> I would like to create a new event based on *multiple* events (all of the
> same type meeting a set of conditions) occurring *over a given period of
> time T1*.
>
> For each combination of values for fieldA and fieldB, a new group of event
> candidates should be opened (fieldA and fieldB are *group by* fields;
> each combination of values of these fields should be treated separately).
>
> The event should be created when *at least X events* occurred over the
> period. Count the events based on *unique* values of fieldC and fieldD
> (for a given combination of fieldA and fieldB, if you notice an event with
> already existing values of the combination of fieldC and fieldD, it should
> not be counted).
>
> If all conditions described above are met, create the desired new event. *The
> new event will stay open for duration of T2, and update will be sent for it
> every T3.*
>
> Aside from the above, I need an *aggregation function (besides count) of
> “collect”* : in the new event the value of fieldE will be the collection
> of (preferably distinct) values of fieldE in originating events.
>
> Example:
>
> Port scan event – the basic event is connection. For each combination of
> source_ip and destination_ip (group by fields), detect a port scan event if
> over a minute (T1) there are more than 20 (X) events with different ports
> (unique field).
>
> The event will stay open for 10 minutes (T2) and an update will be sent
> every 1 minute (T3). Every update will contain the count of events,
> source_ip, destination_ip and collection of services.
>
> Thanks a lot.
>
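The port-scan use case from the quoted message, expressed with the Fusion sliding window and the Expert accumulate and timer features the reply points to, as an added DRL example that is not from either poster. The Connection event type, its field names, the package name and the choice of @expires for T2 are assumptions; the thresholds (1 minute, 20 ports, 10 minutes, 1 minute) are the ones the question gives.

```drl
package org.example.portscan;   // hypothetical package name

// Constructed event type for the demo (a real app declares its own)
declare Connection
    @role( event )
    source_ip      : String
    destination_ip : String
    port           : int
    service        : String
end

// Derived event; @expires(10m) is T2 and also blocks re-detection
// of the same (source_ip, destination_ip) pair while it is open.
declare PortScan
    @role( event )
    @expires( 10m )
    source_ip      : String
    destination_ip : String
    count          : int
    services       : java.util.Set
end

// Group by (source_ip, destination_ip), then accumulate over the last
// minute (T1, sliding window) collecting distinct ports and services.
rule "Detect port scan"
when
    Connection( $src : source_ip, $dst : destination_ip )
    not PortScan( source_ip == $src, destination_ip == $dst )
    accumulate(
        Connection( source_ip == $src, destination_ip == $dst,
                    $port : port, $svc : service ) over window:time( 1m ),
        $ports    : collectSet( $port ),
        $services : collectSet( $svc ) )
    eval( $ports.size() > 20 )          // X: more than 20 distinct ports
then
    insert( new PortScan( $src, $dst, $ports.size(), $services ) );
end

// T3: while a PortScan is open, an interval timer re-runs the window
// every minute and refreshes the count and the service collection.
rule "Port scan update"
    timer( int: 1m 1m )
when
    $scan : PortScan( $src : source_ip, $dst : destination_ip )
    accumulate(
        Connection( source_ip == $src, destination_ip == $dst,
                    $port : port, $svc : service ) over window:time( 1m ),
        $ports    : collectSet( $port ),
        $services : collectSet( $svc ) )
then
    modify( $scan ) { setCount( $ports.size() ), setServices( $services ) }
end
```

The modify in the update rule is where an application would publish the periodic update; with a pseudo-clock session the 1m timers and the sliding window can be driven deterministically in a test.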