[rules-users] Implementation of my use case - what am I doing wrong?
Wolfgang Laun
wolfgang.laun at gmail.com
Sun Sep 15 13:08:16 EDT 2013
On 15/09/2013, Elran Dvir <elrand at checkpoint.com> wrote:
> my questions:
>
> 1) If I have only one stream of data, can I omit the use of entry
> points and insert logs to the session? Or is the use of entry points
> mandatory in Drools Fusion?
Yes. No. An entry point is just an additional attribute added "on the fly",
where you don't have a source identification in the pojo.
>
> 2) When I tested it with matching data, rule "Create Port Scan Event -
> update" was never fired. When I replaced "(this meets $ce || this during $ce
> || this metby $ce)" with "this after $ce.getStartTime(), this before
> $ce.getEndTime()" everything worked fine.
> Why?
Just take the constraints and replace the temporal operator by its
definition in the "Fusion" manual and use a little elementary math:
    A meets B || A during B || A metby B
becomes
    abs( B.startTimestamp - A.endTimestamp ) == 0 ||
    B.startTimestamp < A.startTimestamp && A.endTimestamp < B.endTimestamp ||
    abs( A.startTimestamp - B.endTimestamp ) == 0
becomes
...
>
> 3) I tried to use sliding windows in rule "Create Port Scan Event" and
> an exception was thrown at runtime. I decided to use "this after[0s,5s]
> $log" instead. Is it correct?
A sliding window is not the same as the temporal relation of two
events. If the rule does what it ought to, I'd say, yes, it is
correct.
>
> 4) Is my basic implementation correct?
A bit much to ask, don't you think?
-W