Replace this with a variable bound to the fact, which would be "$log" in the 1st instance. -W
On 16/10/2013, Elran Dvir <[email protected]> wrote:
> Hi all,
>
> I have a drl similar to the following drl:
>
> package com.checkpoint.correlation.impl.drools.package1;
>
> import java.util.Date
> import java.util.HashMap
> import com.checkpoint.correlation.impl.drools.Log
> import com.checkpoint.correlation.impl.drools.CorrelatedEvent
>
> global com.checkpoint.correlation.server.EventsHandler externalEventsHandler;
>
> function boolean filter(Log log) {
>     return (log.fieldsMap.get("port")!= null &&
>         (!log.fieldsMap.get("product").toString().equals("-1")));
> }
>
> function String calcSeverity(Log log) {
>     return "High";
> }
>
> declare Log
>     @role( event)
> end
>
> declare CorrelatedEvent
>     @role( event)
>     @expires( 10s )
> end
>
> // this rule will create a "Port Scan" event if none exist for this group-by values
> rule "Create Port Scan Event"
>     dialect "java"
>     no-loop
> when
>     $log : Log(eval(filter(this)))
>     accumulate(Log(eval(filter(this)) , this after[0s,5s] $log,
>             fieldsMap.get("src") == $log.fieldsMap.get("src") ,
>             fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
>             $port : fieldsMap.get("port"));
>         $portSet : collectSet($port);
>         $portSet.size > 2 )
>     accumulate( CpLog(eval(filter(this)), this after[0s,5s] $log,
>             fieldsMap.get("src") == $log.fieldsMap.get("src") ,
>             fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
>             $portSet.contains(fieldsMap.get("port")),
>             $marker : fieldsMap.get("marker"));
>         $markerSet : collectSet($marker))
>     not CorrelatedEvent(getId() == "portScan" ,
>         groupByFieldsMap.get("src") == $log.fieldsMap.get("src") ,
>         groupByFieldsMap.get("dst") == $log.fieldsMap.get("dst"))
> then
>     System.out.println("port scan");
>     System.out.println(drools.getRule().getId());
>
>     CorrelatedEvent $ce = new CorrelatedEvent("portScan");
>     $ce.groupByFieldsMap.put("src", $log.fieldsMap.get("src"));
>     $ce.groupByFieldsMap.put("dst", $log.fieldsMap.get("dst"));
>     insert($ce);
>
>     HashMap<String,Object> fieldsMap = new HashMap<String,Object>();
>     fieldsMap.put("src",$log.fieldsMap.get("src"));
>     fieldsMap.put("dst",$log.fieldsMap.get("dst"));
>     fieldsMap.put("cu_rule_severity", calcSeverity($log));
>     fieldsMap.put("markers",$markerSet.toString());
>
>     externalEventsHandler.handleEvent(fieldsMap);
> end
>
> When I compile it, I am getting the error "Cannot use this in a static context".
> This is because of the use of filter(this).
> I know that in this example, I can write my conditions inside the fact, but
> I have more complicated cases, so I prefer to use a function.
>
> So, how can I use a function with the fact being processed?
>
> Thanks!
