[rules-users] Is my use case supported in Drools?

Elran Dvir elrand at checkpoint.com
Tue Aug 13 06:31:29 EDT 2013


Thanks for the really quick response.

I hope I am not asking too much, but can you or anyone else please write my example in Drools syntax?
It will help me a lot to see an example, so I can understand how all of Drools' excellent features may be combined to address my use case.

Thanks a lot.

-----Original Message-----
From: rules-users-bounces at lists.jboss.org [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Wolfgang Laun
Sent: Tuesday, August 13, 2013 12:54 PM
To: Rules Users List
Subject: Re: [rules-users] Is my use case supported in Drools?

I guess it's clear enough now. Once more, I'm sure that all the required features are available; even if there were no sliding window it would be possible to work around that. For keeping track of the state w.r.t. an open group by fields you'll have to insert an auxiliary fact and use that as a starting point for monitoring the T2 period. Timers will help to do the T3 interval-spaced operations.

-W

On 13/08/2013, Elran Dvir <elrand at checkpoint.com> wrote:
> Hi,
>
> I am prepared to write as many rule sets as needed for each required use case.
>
> I'll try to clarify the use case:
> If an event meeting a set of conditions is detected (in the example, 
> any connection event), a new (sliding) window of event candidates 
> will be opened for T1.
> The window will be opened based on "group by fields" - any event with 
> the same group-by field values within the time frame should go to the 
> matching window.
> So, at any given time there will be as many windows as there were 
> unique combinations of "group by" field values in the last T1.
> For any window, the events will be counted only for unique values of 
> predefined unique fields.
>
> Maybe the semantics of creating a new event were confusing.
> Instead of creating a new event, let's simplify it and say I want to print 
> the data.
> Once the count threshold (X) is reached, I would like to print the 
> data of the originating events and extend the window by T2.
> I would like to print an update of the data of all originating events 
> arrived so far every T3 (this feature is the least important. I can 
> just print the summary of all accumulated data at the end of T2).
>
> Is this behavior supported?
>
> I hope it's clearer now.
> If needed, I will be happy to elaborate.
>
> Thanks a lot.
>
> -----Original Message-----
> From: rules-users-bounces at lists.jboss.org
> [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Wolfgang 
> Laun
> Sent: Monday, August 12, 2013 8:50 PM
> To: Rules Users List
> Subject: Re: [rules-users] Is my use case supported in Drools?
>
> On 12/08/2013, Elran Dvir <elrand at checkpoint.com> wrote:
>> Hi Wolfgang,
>>
>> Thanks for your quick response.
>> Which aspect of the requirement is hazy?
>> I'll be happy to clarify.
>
> Are you prepared to write a (small) set of individual rules for each 
> set of parameters like the one in your example?
>
> What should happen if the last T1-interval of T2 fulfills the 
> condition of creating a "new event" with the same set of parameters?
> Or the first T2-interval after the end of T2?
>
> Should the initial condition be observed in a sliding window?
>
> Anyway, the features are as I've enumerated them, and I see no reason 
> why it shouldn't be possible to do this in Drools.
>
> -W
>
>>
>> Thanks.
>>
>> From: rules-users-bounces at lists.jboss.org
>> [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Wolfgang 
>> Laun
>> Sent: Sunday, August 11, 2013 5:41 PM
>> To: Rules Users List
>> Subject: Re: [rules-users] Is my use case supported in Drools?
>>
>> You should look into the Expert and Fusion manuals, especially:
>> Expert for the syntax and most features, sliding "window" in Fusion, 
>> "timer" in Expert, "accumulate" and "from collect" in Expert.
>> Your text is a little too hazy to try and concoct a set of rules 
>> demonstrating what needs to be done - they may be off in more than 
>> one respect.
>>
>> -W
>>
>>
>> On 11 August 2013 09:57, Elran Dvir <elrand at checkpoint.com> wrote:
>> Hi all,
>>
>> I am new to Drools and I'm trying to understand whether the following 
>> use case is supported - any help on the following will be greatly
>> appreciated:
>>
>> I would like to create a new event based on multiple events (all of 
>> the same type meeting a set of conditions) occurring over a given 
>> period of time T1.
>> For each combination of values for fieldA and fieldB, a new group of 
>> event candidates should be opened (fieldA and fieldB are group-by 
>> fields. Each combination of values of these fields should be treated 
>> separately).
>> The event should be created when at least X events occurred over the 
>> period.
>> Count the events based on unique values of fieldC and fieldD (for a 
>> given combination of fieldA and fieldB, if you notice an event with 
>> already existing values of the combination of fieldC and fieldD, it 
>> should not be counted).
>> If all conditions described above are met, create the desired new event.
>> The new event will stay open for the duration of T2, and an update will 
>> be sent for it every T3.
>>
>> Aside from the above, I need an aggregation function (besides count) 
>> of "collect" : in the new event the value of fieldE will be the 
>> collection of (preferably distinct) values of fieldE in originating 
>> events.
>>
>> Example:
>> Port scan event - the basic event is a connection. For each combination 
>> of source_ip and destination_ip (group by fields), detect a port scan 
>> event if over a minute (T1) there are more than 20 (X) events with 
>> different ports (unique field).
>> The event will stay open for 10 minutes (T2) and an update will be 
>> sent every 1 minute (T3). Every update will contain the count of 
>> events, source_ip, destination_ip and the collection of services.
>>
>> Thanks a lot.
>>
>>
>> _______________________________________________
>> rules-users mailing list
>> rules-users at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/rules-users
>>
>>
>
>
>
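The sketch Wolfgang gives (an auxiliary fact per open group-by key as the anchor for the T2 period, a timer for the T3 reports, a sliding window plus accumulate for the T1 detection) written out for the port-scan example. This is an added illustration, not code from the original thread, from Wolfgang Laun, or from the Drools project. The package name, the Connection/PortScan type and field names, and the service field are assumptions; the threshold (20 distinct ports), T1 = 1m, T2 = 10m and T3 = 1m are taken from the example in the thread. It assumes a KieSession (or StatefulKnowledgeSession) running in STREAM event-processing mode with a session clock, as Drools Fusion requires for windows, @expires and timers.

```drools
package com.example.portscan   // assumed package name

import java.util.Set;

// Assumed event type standing in for the real connection record.
// @role(event) makes it a Fusion event; @timestamp uses the record's own time.
declare Connection
    @role( event )
    @timestamp( ts )
    srcIp   : String
    dstIp   : String
    dstPort : int
    service : String
    ts      : long
end

// Auxiliary fact: one per open (srcIp, dstIp) group-by key.
// @expires(10m) is T2: Fusion retracts it 10 minutes after it was inserted,
// which also cancels the timer rule below for that key.
declare PortScan
    @role( event )
    @expires( 10m )
    srcIp : String
    dstIp : String
end

rule "open port scan window"
when
    Connection( $src : srcIp, $dst : dstIp )
    // group-by key is (srcIp, dstIp); do not reopen while one is live
    not PortScan( srcIp == $src, dstIp == $dst )
    // sliding window of T1 = 1 minute over the same key; collectSet gives the
    // distinct ports, so repeated hits on one port are not counted again
    accumulate( Connection( srcIp == $src, dstIp == $dst, $port : dstPort )
                    over window:time( 1m );
                $ports : collectSet( $port );
                $ports.size() > 20 )
then
    System.out.println( "port scan " + $src + " -> " + $dst
                        + " distinct ports=" + $ports.size()
                        + " ports=" + $ports );
    insert( new PortScan( $src, $dst ) );
end

// T3 reporting: fires 1 minute after the PortScan fact appears and then every
// minute while the fact exists, i.e. for the T2 lifetime set by @expires.
rule "report open port scan every T3"
    timer( int: 1m 1m )
when
    PortScan( $src : srcIp, $dst : dstIp )
    // originating events of the last T2 window for this key; collectSet on the
    // service field gives the distinct collection asked for in the thread
    accumulate( Connection( srcIp == $src, dstIp == $dst,
                            $port : dstPort, $svc : service )
                    over window:time( 10m );
                $ports : collectSet( $port ),
                $services : collectSet( $svc ) )
then
    System.out.println( "update " + $src + " -> " + $dst
                        + " distinct ports=" + $ports.size()
                        + " services=" + $services );
end
```

Two points to check before relying on this. First, feed Connection events through an entry point or directly into the session with a pseudo clock in tests, advancing the clock past 1m, 10m and 11m to confirm the first report, the last report and the retraction of PortScan. Second, timer rules are rescheduled in some Drools versions whenever the rule's activation is modified; because the accumulate result changes on every new Connection for the key, verify that the 1-minute cadence survives a steady stream of events on your version, and if it does not, move the aggregation out of the timer rule (for example into a rule that updates counters on the PortScan fact) and let the timer rule match only the stable PortScan fact.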



