[rules-users] Is my use case supported in Drools?

Wolfgang Laun wolfgang.laun at gmail.com
Mon Aug 12 13:49:51 EDT 2013


On 12/08/2013, Elran Dvir <elrand at checkpoint.com> wrote:
> Hi Wolfgang,
>
> Thanks for your quick response.
> Which aspect of the requirement is hazy?
> I'll be happy to clarify.

Are you prepared to write a (small) set of individual rules for each
set of parameters like the one in your example?

What should happen if the last T1-interval of T2 fulfills the
condition of creating a "new event" with the same set of parameters?
Or the first T2-interval after the end of T2?

Should the initial condition be observed in a sliding window?

Anyway, the features are as I've enumerated them, and I see no reason
why it shouldn't be possible to do this in Drools.

-W

>
> Thanks.
>
> From: rules-users-bounces at lists.jboss.org
> [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Wolfgang Laun
> Sent: Sunday, August 11, 2013 5:41 PM
> To: Rules Users List
> Subject: Re: [rules-users] Is my use case supported in Drools?
>
> You should look into the Expert and Fusion manuals, especially:
> Expert for the syntax and most features,
> sliding "window" in Fusion,
> "timer" in Expert,
> "accumulate" and "from collect" in Expert.
> Your text is a little too hazy to try and concoct a set of rules
> demonstrating what needs to be done - they may be off in more than one
> respect.
>
> -W
>
>
> On 11 August 2013 09:57, Elran Dvir
> <elrand at checkpoint.com<mailto:elrand at checkpoint.com>> wrote:
> Hi all,
>
> I am new to drools and I'm trying to understand whether the following use
> case is supported - any help on the following will be greatly appreciated:
>
> I would like to create a new event based on multiple events (all of the same
> type meeting a set of conditions) occurring over a given period of time T1.
> For each combination of values for fieldA and fieldB, a new group of event
> candidates should be opened (fieldA and fieldB are group by fields. Each
> combination of values of these fields, should be treated separately).
> The event should be created when at least X events occurred over the period.
> Count the events based on unique values of fieldC and fieldD (for a given
> combination of fieldA and fieldB, if you notice an event with already
> existing values of the combination of fieldC and fieldD, it should not be
> counted).
> If all conditions described above are met, create the desired new event. The
> new event will stay open for duration of T2, and update will be sent for it
> every T3.
>
> Aside from the above, I need an aggregation function (besides count) of
> "collect" : in the new event the value of fieldE will be the collection of
> (preferably distinct) values of fieldE in originating events.
>
> Example:
> Port scan event - the basic event is connection. For each combination of
> source_ip and destination_ip (group by fields), detect a port scan event if
> over a minute (T1) there more than 20 (X) events with different ports
> (unique field).
> The event will stay open for 10 minutes (T2) and an update will be sent
> every 1 minute (T3). Every update will contain the count of events,
> source_ip, destination_ip and collection of services.
>
> Thanks a lot.
>
>
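The port-scan example from the original post, sketched in Drools Fusion DRL along the lines Wolfgang points to (sliding window, accumulate/collect, timer). This is an added illustration, not code from either poster; the type names Connection and PortScan, the field names ts, sourceIp, destIp, destPort and service, and the package name are assumptions, and the thresholds (1 minute window, more than 20 distinct ports, 10 minute lifetime, 1 minute update interval) are the T1, X, T2 and T3 values from the post.

```drl
package com.example.portscan   // hypothetical package name

import java.util.Set;

// Base event: one network connection (constructed type, not from the thread).
declare Connection
    @role( event )
    @timestamp( ts )
    ts       : java.util.Date
    sourceIp : String
    destIp   : String
    destPort : int
    service  : String
end

// Derived event: stays in working memory for T2 = 10 minutes, then expires.
declare PortScan
    @role( event )
    @expires( 10m )
    sourceIp : String
    destIp   : String
    ports    : Set
    services : Set
    count    : int
end

// T1 / X: for one (sourceIp, destIp) pair, more than 20 distinct destination
// ports within the last minute. collectSet gives the "count distinct" and the
// distinct collection of services asked for in the post. The "not PortScan"
// guard keeps one open PortScan per pair until it expires.
rule "Detect port scan"
when
    Connection( $src : sourceIp, $dst : destIp )
    not PortScan( sourceIp == $src, destIp == $dst )
    accumulate( Connection( sourceIp == $src, destIp == $dst,
                            $p : destPort, $s : service )
                    over window:time( 1m ),
                $ports : collectSet( $p ),
                $services : collectSet( $s );
                $ports.size() > 20 )
then
    insert( new PortScan( $src, $dst, $ports, $services, $ports.size() ) );
end

// T3: while a PortScan exists, report every minute with the current figures.
// The interval timer stops firing once the PortScan has expired (T2).
rule "Report port scan update"
    timer( int: 1m 1m )
when
    $ps : PortScan( $src : sourceIp, $dst : destIp )
    accumulate( Connection( sourceIp == $src, destIp == $dst,
                            $p : destPort, $s : service )
                    over window:time( 1m ),
                $ports : collectSet( $p ),
                $services : collectSet( $s ) )
then
    System.out.println( "port scan " + $src + " -> " + $dst
        + ": " + $ports.size() + " distinct ports, services " + $services );
end
```

This needs a session configured for STREAM event processing with a session clock (the pseudo clock is convenient for testing), and Connection events inserted with their ts set. Wolfgang's open questions still apply: as written, the rule simply opens a fresh PortScan if the scan is still going on after the previous one expires, and the detection window is a sliding one.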