[rules-users] Group-by rule without using a fact for grouping purposes

Wed Dec 4 18:39:02 EST 2013

Hi,

I am trying to figure out a rule for matching an incoming sequence of 
events, but so far I was not really successful. Basically, I want to 
process events from devices. Every event has a timestamp (long), an id 
(a UUID string), a deviceId and an error code (both are strings).

What I want to have is a simple rule that fires, if a single device 
reports a certain error code (e.g. ABCD) 3 times within 5 minutes (i.e., 
getting 3 such events within 5 minutes). So far, I suceeded in counting 
the ABCD error codes in the time window as follows:

rule "Detect 3 occurrences of code ABCD for a certain device"
when
     Number( intValue == 3 ) from accumulate(
         Event( $i : id, code == "ABCD") over window:time( 5m ),
         count( $i ) )
then
	System.out.println("Raise alarm");
end

This first attempt does not distinguish which device sent the error 
code. But how can I express to fire only if the events share the same 
deviceId? I found many solutions that use a fact (e.g., a device fact) 
to group by the device and do the accumulation. I successfully 
implemented the group-by using the following when-part of the rule.

when
     Device($deviceId : id)
     Number( intValue == 2 ) from accumulate(
         Event( $i : id, deviceId == $deviceId, code == "ABCD") over 
window:time( 5m ),
         count( $i ) )
then

Adding a device fact is however not practical in my case. Are there any 
alternatives for expressing this group-by?

Thanks,
Ingo