[rules-users] using eval(function(this))) in rule LHS

Wolfgang Laun wolfgang.laun at gmail.com
Wed Oct 16 04:14:16 EDT 2013


Replace this with a variable bound to the fact, which would be "$log"
in the 1st instance.
-W

On 16/10/2013, Elran Dvir <elrand at checkpoint.com> wrote:
> Hi all,
>
> I have a drl similar to the following drl:
>
> package com.checkpoint.correlation.impl.drools.package1;
>
> import java.util.Date
> import java.util.HashMap
> import com.checkpoint.correlation.impl.drools.Log
> import com.checkpoint.correlation.impl.drools.CorrelatedEvent
>
> global com.checkpoint.correlation.server.EventsHandler externalEventsHandler;
>
> function boolean filter(Log log) {
>                 return (log.fieldsMap.get("port")!= null &&
> (!log.fieldsMap.get("product").toString().equals("-1")));
> }
>
> function String calcSeverity(Log log) {
>                 return "High";
> }
>
> declare Log
>       @role( event)
> end
>
> declare CorrelatedEvent
>         @role( event)
>         @expires( 10s )
> end
>
> // this rule will create a "Port Scan" event if none exist for this group-by values
> rule "Create Port Scan Event"
> dialect "java"
> no-loop
> when
>                 $log : Log(eval(filter(this)))
>                 accumulate(Log(eval(filter(this)) , this after[0s,5s] $log,
> fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") ==
> $log.fieldsMap.get("dst"), $port : fieldsMap.get("port"));
>                                $portSet : collectSet($port);
>                                $portSet.size > 2 )
>                 accumulate( CpLog(eval(filter(this)), this after[0s,5s]
> $log, fieldsMap.get("src") == $log.fieldsMap.get("src") ,
> fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
> $portSet.contains(fieldsMap.get("port")), $marker :
> fieldsMap.get("marker"));
>                                $markerSet : collectSet($marker))
>                 not CorrelatedEvent(getId() == "portScan" ,
> groupByFieldsMap.get("src") == $log.fieldsMap.get("src") ,
> groupByFieldsMap.get("dst") == $log.fieldsMap.get("dst"))
> then
>   System.out.println("port scan");
>   System.out.println(drools.getRule().getId());
>
>   CorrelatedEvent $ce = new CorrelatedEvent("portScan");
>   $ce.groupByFieldsMap.put("src", $log.fieldsMap.get("src"));
>   $ce.groupByFieldsMap.put("dst", $log.fieldsMap.get("dst"));
>   insert($ce);
>
>   HashMap<String,Object> fieldsMap = new HashMap<String,Object>();
>   fieldsMap.put("src",$log.fieldsMap.get("src"));
>   fieldsMap.put("dst",$log.fieldsMap.get("dst"));
>   fieldsMap.put("cu_rule_severity", calcSeverity($log));
>   fieldsMap.put("markers",$markerSet.toString());
>
>   externalEventsHandler.handleEvent(fieldsMap);
> end
>
> When I compile it, I am getting the error "Cannot use this in a static
> context".
> This is because of the use of filter(this).
> I know that in this example, I can write my conditions inside the fact, but
> I have more complicated cases, so I prefer to use a function.
>
> So, how can I use a function with the fact being processed?
>
> Thanks!
>
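
Applied to the rule in the quoted message, the suggestion at the top of this reply looks as follows. This is an added example, not code from the thread: the binding names `$l` and `$m` are hypothetical, the second accumulate uses `Log` where the post has `CpLog` (an assumption, since only `Log` is imported), and the consequence is shortened to the event insert.

```drools
package com.checkpoint.correlation.impl.drools.package1;

import com.checkpoint.correlation.impl.drools.Log
import com.checkpoint.correlation.impl.drools.CorrelatedEvent

function boolean filter(Log log) {
    return log.fieldsMap.get("port") != null
        && !log.fieldsMap.get("product").toString().equals("-1");
}

declare Log
    @role( event )
end

declare CorrelatedEvent
    @role( event )
    @expires( 10s )
end

// Same conditions as the posted rule. Every pattern that calls filter() gets
// its own binding, and eval() receives that binding instead of "this".
rule "Create Port Scan Event (bound variables)"
dialect "java"
no-loop
when
    $log : Log( eval( filter($log) ) )
    accumulate( $l : Log( eval( filter($l) ), this after[0s,5s] $log,
                          fieldsMap.get("src") == $log.fieldsMap.get("src"),
                          fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
                          $port : fieldsMap.get("port") );
                $portSet : collectSet( $port );
                $portSet.size > 2 )
    // Assumption: Log here, where the post has CpLog.
    accumulate( $m : Log( eval( filter($m) ), this after[0s,5s] $log,
                          fieldsMap.get("src") == $log.fieldsMap.get("src"),
                          fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
                          $portSet.contains( fieldsMap.get("port") ),
                          $marker : fieldsMap.get("marker") );
                $markerSet : collectSet( $marker ) )
    not CorrelatedEvent( getId() == "portScan",
                         groupByFieldsMap.get("src") == $log.fieldsMap.get("src"),
                         groupByFieldsMap.get("dst") == $log.fieldsMap.get("dst") )
then
    CorrelatedEvent $ce = new CorrelatedEvent("portScan");
    $ce.groupByFieldsMap.put("src", $log.fieldsMap.get("src"));
    $ce.groupByFieldsMap.put("dst", $log.fieldsMap.get("dst"));
    insert($ce);
end
```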

