<br> Ok, this is a very tricky situation. The engine is behaving as it is designed to behave, but I can see how the situation is misleading, and it is an edge case. I will explain what is happening and then I am open to ideas on how to fix that.<br>
<br> I executed this example with the audit log. See attached screenshot.<br><br> So, first of all, you are running your example with the engine set to STREAM mode, meaning that the engine will automatically garbage collect events when they can no longer match or when they are expired. So, from the audit log you see that events 1, 2 and 3 are inserted, rule is activated and fired and when the clock is advanced to match event 4 timestamp, the first 3 events are garbage collected (expired).<br>
<br> Now, the edge case. It happens that you are using a minute based precision and the events 4 and 5 happen exactly at the same minute, in the given order. Your rule, although, considers events happening at the same minute as valid events to avoid the rule firing (timeStampAttr >= $timeStampAttr1). That is fine and the rule does not fire. But when the clock advances to match timestamp of event 7, the engine expires the old events in the order they arrived. The expiration of event 4 before event 5 causes the engine to activate the rule. If the order of the events is reversed in the rule file (just to mention one example), then the rule never fires because the event "warning Symantec" expires before the "normal Login_failure".<br>
<br> Now the event semantics state that an event "expiration", different from a fact "retraction", does NOT cancel previously activated rules. That is why, even when event 5 expires, the rule still fires.<br>
<br> I am asking Kris if we can add the session clock timestamp to the audit log, to make this kind of analysis easier, but if you follow the code and the audit log, it will make sense.<br><br> Now what I am thinking is: since fact expiration does not causes activated rules to be canceled, maybe fact expirations should not cause new activations either. But as these things are never simple (what would be the fun?), that clashes with sliding window semantics. For instance:<br>
<br>Number( doubleValue > 100 ) from accumulate( <br> StockTick( $p : price ) over window:time( 10m ),<br> average( $p ) )<br><br> On the previous statement, imagine that a StockTick that is about to expire will cause the average price of the non-expired stock ticks to go over 100. In this case, it is expected that the fact expiration triggers an activation.<br>
<br> So, please I am open to ideas.<br><br> Edson<br>
<br><div class="gmail_quote">2009/7/7 PriyaSha <span dir="ltr"><<a href="mailto:nash.8103@gmail.com" target="_blank">nash.8103@gmail.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div><br>
global java.lang.String output<br>
<br>
declare OMNewTicket<br>
@role( event )<br>
@timestamp (timeStampAttr)<br>
@expires (10m)<br>
end<br>
<br>
# Find 'critical' events of 'Windows' which occured after 1minute but before<br>
10 minutes<br>
# of 'warning' events of 'Symantec' provided no 'Security' with severity<br>
'normal' exist in between<br>
rule "Sample Temporal"<br>
no-loop true<br>
when<br>
$ticket : OMNewTicket($severity1 : severity == "warning",<br>
appName == "Symantec",<br>
$timeStampAttr1 : timeStampAttr)<br>
$ticket1 : OMNewTicket(this after[1m, 10m] $ticket,<br>
severity == "critical",<br>
$appName1 : appName == "Windows",<br>
$timeStampAttr2 : timeStampAttr)<br>
not (OMNewTicket( timeStampAttr <= $timeStampAttr2,<br>
timeStampAttr >= $timeStampAttr1,<br>
appName == "Login_failure", severity == "normal"))<br>
then<br>
drools.getWorkingMemory().setGlobal( "output", "found");<br>
end<br>
<br>
For the input :<br>
<br>
e6382090-a259-71dd-12b9-92dfda160000 14178 10/25/2008:5:59:AM<br>
warning Symantec Application<br>
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:6:00:AM<br>
warning Login_failure Security<br>
28bdb2e0-a25a-71dd-1bc3-c01959f40000 14178 10/25/2008:6:05:AM<br>
critical Windows Application<br>
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:10:04:AM<br>
normal Login_failure Security<br>
20f39930-a27d-71dd-0369-81f8b3ee0000 14178 10/25/2008:10:04:AM<br>
warning Symantec Application<br>
648d5010-a27c-71dd-1bc3-c01959f40000 14178 10/25/2008:10:05:AM<br>
critical Windows Application<br>
8bcb9bb0-a32f-71dd-10c5-c01959dc0000 14179 10/26/2008:7:23:AM<br>
warning Login_failure Security<br>
8882ee70-a331-71dd-1fbc-c0068f170000 14179 10/26/2008:7:37:AM<br>
warning Symantec Application<br>
<br>
I get the below output:<br>
<br>
405000 405000 0 warning<br>
Symantec Sat Oct 25 05:59:00<br>
406000 406000 0 warning<br>
Login_failure Sat Oct 25 06:00:00<br>
407000 407000 0 critical<br>
Windows Sat Oct 25 06:05:00 found<br>
408000 408000 0 normal<br>
Login_failure Sat Oct 25 10:04:00<br>
409000 409000 0 warning<br>
Symantec Sat Oct 25 10:04:00<br>
410000 410000 0 critical<br>
Windows Sat Oct 25 10:05:00<br>
411000 411000 0 warning<br>
Login_failure Sun Oct 26 07:23:00 found<br>
412000 412000 0 warning<br>
Symantec Sun Oct 26 07:37:00<br>
<br>
I use pseudo clock and I set the time in the third column(example<br>
10/25/2008:5:59:AM) of the input as the 'timeStampAttr' by converting it to<br>
long.<br>
I also adjust the clock accordingly.<br>
<br>
My requirement is to get the those 'critical-windows' event which happens<br>
after 1 to 10minutes of 'warning-Symantec' provided no<br>
'normal-Login_Failure' between them.<br>
<br>
Problem here is, I could not get convinced with the occurance of found in<br>
row #7. Coz 'Login_failure' did not occur between 10minute interval of a<br>
symantec and windows event. Also my intention is to identify the windows<br>
event.<br>
<br>
--<br>
</div></div>View this message in context: <a href="http://www.nabble.com/Rule-with-temporal-operators-tp24370198p24370198.html" target="_blank">http://www.nabble.com/Rule-with-temporal-operators-tp24370198p24370198.html</a><br>
<div><div></div><div>Sent from the drools - user mailing list archive at Nabble.com.<br>
<br>
_______________________________________________<br>
rules-users mailing list<br>
<a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br> Edson Tirelli<br> JBoss Drools Core Development<br> JBoss by Red Hat @ <a href="http://www.jboss.com" target="_blank">www.jboss.com</a><br>