2020-01-30 05:45 AM
I am trying to create a pattern in EPL, but I do not get why it gets matched only once. Here is what I did on the web page Esper EPL online. The EPL I input in the left textbox is:
create schema StockTick(signature string, source string, destination string, action string);
@Name('Monitor') select * from StockTick;
@Name('Out') select * from pattern [A=StockTick -> B=StockTick(B.source = A.source and B.destination = A.destination and B.action='block') where timer:within(2 seconds)];
and the events I input in the middle textbox are:
StockTick={signature='sig1', source ='s1', destination ='d1'}
t=t.plus(0.4 seconds)
StockTick={source ='s1', destination ='d1', action='block'}
t=t.plus(0.4 seconds)
StockTick={signature='sig2', source ='s2', destination ='d2'}
t=t.plus(0.4 seconds)
StockTick={source ='s2', destination ='d2', action='block'}
t=t.plus(0.4 seconds)
The output I get in the right box:
At: 2001-01-01 08:00:00.000
Statement: Monitor
Insert
StockTick={signature='sig1', source='s1', destination='d1', action=(null)}
At: 2001-01-01 08:00:00.400
Statement: Monitor
Insert
StockTick={signature=(null), source='s1', destination='d1', action='block'}
Statement: Out
Insert
stmt2_pat_0_1={A={StockTick={signature='sig1', source='s1', destination='d1', action=(null)}}, B={StockTick={signature=(null), source='s1', destination='d1', action='block'}}}
At: 2001-01-01 08:00:00.800
Statement: Monitor
Insert
StockTick={signature='sig2', source='s2', destination='d2', action=(null)}
At: 2001-01-01 08:00:01.200
Statement: Monitor
Insert
StockTick={signature=(null), source='s2', destination='d2', action='block'}
So:
What I do not understand is why the Out statement does not get fired again after 1.2 seconds, as I would expect.
Please note that if I try the first two inserts alone and the second two inserts alone, in both cases I have the Monitor statement fired twice and the Out statement fired once. The problem arises when I concatenate the four insert statements.
Would the rule above be matched multiple times, as expected and desired, when deployed to RSA Netwitness Logs & Packet?
2020-01-30 06:01 AM
Hi Gianluca,
Please have a look at this EPL guide, EPL Essentials.
As stated there:
"When a pattern successfully matches, it will not start matching again. To ensure that the pattern evaluates to true more than once, you must utilise the ‘Every’ operator."
Hope this helps.
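The behaviour the quoted guide describes, as an added example that is not part of the original thread or of Esper's own code: a simplified Python model of the question's followed-by pattern, run over the question's four events (retyped here as constructed sample data) with and without `every`. The `Tick` class, the function names and the handling of the exact 2-second guard boundary are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tick:
    t: float                      # seconds since the first event
    source: str
    destination: str
    signature: Optional[str] = None
    action: Optional[str] = None

# Constructed from the four events in the question (0.4 s apart).
EVENTS = [
    Tick(0.0, "s1", "d1", signature="sig1"),
    Tick(0.4, "s1", "d1", action="block"),
    Tick(0.8, "s2", "d2", signature="sig2"),
    Tick(1.2, "s2", "d2", action="block"),
]

def run_pattern(events, use_every, within=2.0):
    """Simplified model of  [every] A=StockTick -> (B=StockTick(same source,
    same destination, action='block') where timer:within(2 seconds))."""
    matches = []
    waiting = []          # A events whose B sub-expression is still active
    a_active = True       # is the pattern still listening for an A?
    for ev in events:
        still_waiting = []
        for a in waiting:
            if ev.t - a.t >= within:
                continue                      # guard expired, drop this A
            if (ev.action == "block" and ev.source == a.source
                    and ev.destination == a.destination):
                matches.append((a, ev))       # B arrived: this branch is done
            else:
                still_waiting.append(a)
        waiting = still_waiting
        if a_active:
            waiting.append(ev)                # any StockTick can be an A
            a_active = use_every              # without every, A is taken once
    return matches

def summarize(matches):
    return [(a.t, b.t, a.source, a.destination) for a, b in matches]

if __name__ == "__main__":
    print("without every:", summarize(run_pattern(EVENTS, use_every=False)))
    print("with every:   ", summarize(run_pattern(EVENTS, use_every=True)))
```

Without `every` the model stops listening for A after the first event, so only the s1/d1 pair matches; with `every` the s2/d2 pair matches as well.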
2020-01-30 06:27 AM
Great Marco!
Thanks a lot! It worked like a charm.