This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Esper EPL rule gets fired only once

Go to solution
GianlucaCoviell
Beginner
Beginner

‎2020-01-30 05:45 AM

I am trying to create a pattern in EPL, but i do not get why it gets matched only one. Here is what I did on the web page Esper EPL online. The EPL I input in the left textbox is:

create schema StockTick(signature string, source string, destination string, action string);
 @Name('Monitor') select * from StockTick;
 @Name('Out') select * from pattern [A=StockTick -> B=StockTick(B.source = A.source and B.destination = A.destination and B.action='block') where timer:within(2 seconds)];

and the events I input in the middle textbox are:

StockTick={signature='sig1', source ='s1', destination ='d1'}
 t=t.plus(0.4 seconds)
 
 StockTick={source ='s1', destination ='d1', action='block'}
 t=t.plus(0.4 seconds)
 
 StockTick={signature='sig2', source ='s2', destination ='d2'}
 t=t.plus(0.4 seconds)
 
 StockTick={source ='s2', destination ='d2', action='block'}
 t=t.plus(0.4 seconds)

The output I get in the right box:

At: 2001-01-01 08:00:00.000
 Statement: Monitor
 Insert
 StockTick={signature='sig1', source='s1', destination='d1', action=(null)}

At: 2001-01-01 08:00:00.400
 Statement: Monitor
 Insert
 StockTick={signature=(null), source='s1', destination='d1', action='block'}
 Statement: Out
 Insert
 stmt2_pat_0_1={A={StockTick={signature='sig1', source='s1', destination='d1', action=(null)}}, B={StockTick={signature=(null), source='s1', destination='d1', action='block'}}}

At: 2001-01-01 08:00:00.800
 Statement: Monitor
 Insert
 StockTick={signature='sig2', source='s2', destination='d2', action=(null)}
 At: 2001-01-01 08:00:01.200
 Statement: Monitor
 Insert
 StockTick={signature=(null), source='s2', destination='d2', action='block'}

So:

  • after 0 seconds, the Monitor statement gets fired (fine!)
  • after 0.4 seconds, the Monitor statement gets fired again (fine!)
  • after 0.4 seconds, the Out statement gets fired (fine!)
  • after 0.8 seconds, the Monitor statement gets fired again (fine!)
  • after 1.2 seconds, the Monitor statement gets fired again (fine!)

 

What I do not understand is why after 1.2 seconds I do not get fired the Out statement again, as I would expect.

Please note that if I try the first two inserts alone and the second two inserts alone, in both cases I have the Monitor statement fired twice and the Out statement fired once. The problem arises when I concatenate the four insert statements.

 

Would the rule above be matched multiple times, as expected and desired, when deployed to RSA Netwitness Logs & Packet?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
MarcoMeli
Occasional Contributor Occasional Contributor
Occasional Contributor

‎2020-01-30 06:01 AM

Hi Gianluca,

 

Please have a look at this EPL guide EPL Essentials .

 

As stated there:

"When a pattern successfully matches, it will not start matching again. To ensure that the pattern evaluates to true more than once, you must utilise the ‘Every’ operator."

 

Hope this helps.

View solution in original post

2 REPLIES 2

Go to solution
MarcoMeli
Occasional Contributor Occasional Contributor
Occasional Contributor

‎2020-01-30 06:01 AM

Hi Gianluca,

 

Please have a look at this EPL guide EPL Essentials .

 

As stated there:

"When a pattern successfully matches, it will not start matching again. To ensure that the pattern evaluates to true more than once, you must utilise the ‘Every’ operator."

 

Hope this helps.

Go to solution
GianlucaCoviell
Beginner
Beginner
In response to MarcoMeli

‎2020-01-30 06:27 AM

Great Marco!

Thanks a lot! It worked like a charm.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.