Alexander,
here is a more detailed answer to your question - I've
found some time for thinking about it (I am traveling
at the moment and will be back in the office next
week). The ruleset that attempts to address the
problem consists of 3 parts:

type=PairWithWindow
ptype=PerlFunc
pattern=sub { if ($_[0] =~ /^eventA$/) { return time(); } return 0; }
context=!EVENT_GENERATED_FOR_$1
continue=TakeNext
desc=Waiting for B since $1
action=none
ptype2=SubStr
pattern2=eventB
desc2=got event B
action2=eval %delay ($1 - time() + 30); \
tevent %delay Got event B for A that appeared at $1; \
create EVENT_GENERATED_FOR_$1 1
window=30

type=Single
ptype=SubStr
pattern=eventA
desc=Counting A
action=eval %events ( $time = time(); @keys = keys(%times); \
foreach $key (@keys) { if ($key < $time - 15) { delete $times{$key}; } } \
@events = (); if (!exists($times{$time})) { $times{$time} = 0; } \
while ($key = each %times) { ++$times{$key}; \
if ($times{$key} == 3) { \
push @events, "Event A has appeared 3 times starting from $key"; \
} } \
if (!scalar(@events)) { push @events, "empty event"; } \
return @events; ); \
event %events

type=Single
ptype=RegExp
pattern=Event A has appeared 3 times starting from (\d+)
desc=create context for 3xA $1
action=create 3xA_FOR_$1 30

type=Single
ptype=RegExp
pattern=Got event B for A that appeared at (\d+)
context=3xA_FOR_$1
desc=Found event 3xA + B (first A was observed at $1)
action=write - %s

1) The first rule starts a PairWithWindow operation for event A when it
appears, and also memorizes the time moment (second) when A appeared. If
event B appears within 30 seconds, the operation will generate the
"Got event B for A that appeared at <time>" event exactly 30 seconds
after A was observed (this is achieved with the 'tevent' action that
appeared in SEC-2.4.2). Note that the EVENT_GENERATED_FOR_ context is
used for preventing the PairWithWindow rule from firing two operations
if the sequence eventA, eventB, eventA, eventB appears within the same
second.

2) The second and third rules implement event counting for event A with
a window of 15 seconds and a threshold of 3. Here a Perl miniprogram is
used - the %times array contains a key for each time moment (second)
when an instance of event A was observed, and the value for this key is
the number of times event A has been observed starting from this
particular time moment (which equals the key). The second and third
rules create a context for a particular time moment T when, starting
from T, three events A were observed within 15 seconds.

3) The last rule captures the synthetic event "Got event B for A that
appeared at <time>" and checks if a context is present for <time>. If
the context is there, then we can be sure that:
a) B followed A within 30 seconds,
b) A was followed by another 2 instances of A within 15 seconds.
I hope this helps - I can provide more detailed
comments next week when I get back to the office.
br,
risto
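The three-part ruleset in the reply above, rebuilt as an offline Python model so the sequences from the question can be checked without waiting for real 15- and 30-second timers. This is an added example, not code from the thread or from SEC itself. It reproduces the bookkeeping the rules perform (the per-second %times counter with its 15-second pruning, one PairWithWindow operation per A-second, the tevent delivered at T+30, the 3xA_FOR_T context lookup in the last rule, and the EVENT_GENERATED_FOR_T guard) under two stated assumptions: that a single B completes every waiting PairWithWindow operation whose window is still open, and that a context or operation is alive strictly before its expiry second. The sample sequences in SAMPLES are constructed for this example; `correlate` and its `dedupe` switch are names chosen here, not SEC features.

```python
"""Offline model of the three-part SEC ruleset from the reply above.

Input events are (timestamp_in_seconds, name) pairs sorted by timestamp.
Timestamps are integers because the ruleset keys everything on the second
an A arrived (the PerlFunc pattern returns time()).
"""
import heapq

A_THRESHOLD = 3    # "A occurs 3 times ..."
A_WINDOW = 15      # "... during 15 seconds": the '$key < $time - 15' pruning
B_WINDOW = 30      # PairWithWindow window=30, the tevent delay, 3xA_FOR_* lifetime
GENERATED_TTL = 1  # lifetime of EVENT_GENERATED_FOR_<T>

# Constructed sample sequences (not from the thread), one per case in the question.
SAMPLES = {
    "AAAB": [(0, "eventA"), (5, "eventA"), (10, "eventA"), (20, "eventB")],
    "ABAA": [(0, "eventA"), (3, "eventB"), (8, "eventA"), (12, "eventA")],
    "AAAAB": [(0, "eventA"), (10, "eventA"), (12, "eventA"), (14, "eventA"),
              (35, "eventB")],
    "only two A's": [(0, "eventA"), (5, "eventA"), (10, "eventB")],
    "B too late": [(0, "eventA"), (5, "eventA"), (10, "eventA"), (31, "eventB")],
    "A's spread > 15 s": [(0, "eventA"), (10, "eventA"), (20, "eventA"),
                          (25, "eventB")],
}


def correlate(events, dedupe=True):
    """Return the first-A timestamps T for which the last rule fired.

    dedupe=False disables the EVENT_GENERATED_FOR_T context check of rule 1,
    to show what that context guards against.
    """
    times = {}       # second T -> number of A's seen since T (the %times hash)
    three_a = {}     # T -> expiry of context 3xA_FOR_T (created by rule 3)
    waiting = {}     # T -> expiry of the PairWithWindow operation started at T
    generated = {}   # T -> expiry of context EVENT_GENERATED_FOR_T
    scheduled = []   # heap of (deliver_at, T): pending tevent synthetic events
    fired = []

    def deliver_due(now):
        # Deliver "Got event B for A that appeared at T" events that are due.
        # Last rule: fire only if context 3xA_FOR_T exists at delivery time.
        # Assumption: a context is alive strictly before its expiry second.
        while scheduled and scheduled[0][0] <= now:
            at, t_first = heapq.heappop(scheduled)
            if t_first in three_a and at < three_a[t_first]:
                fired.append(t_first)

    for now, name in events:
        deliver_due(now)
        if name == "eventA":
            # Rule 1: one PairWithWindow operation per A-second, unless
            # EVENT_GENERATED_FOR_<now> blocks a repeat in the same second.
            blocked = dedupe and now in generated and now < generated[now]
            if now not in waiting and not blocked:
                waiting[now] = now + B_WINDOW
            # Rule 2 (reached via continue=TakeNext): drop keys older than the
            # window, add a key for this second, then bump every key.
            for key in [k for k in times if k < now - A_WINDOW]:
                del times[key]
            times.setdefault(now, 0)
            for key in times:
                times[key] += 1
                if times[key] == A_THRESHOLD:
                    # Rule 3: the synthetic "3 times starting from T" event
                    # creates 3xA_FOR_T with a 30-second lifetime.
                    three_a[key] = now + B_WINDOW
        elif name == "eventB":
            # Assumption: one B completes every waiting operation whose window
            # is still open (SEC compares pattern2 against each operation).
            # Each completion schedules the tevent for T + 30 and creates
            # EVENT_GENERATED_FOR_T for one second.
            for t_first in [t for t, exp in waiting.items() if now <= exp]:
                del waiting[t_first]
                heapq.heappush(scheduled, (t_first + B_WINDOW, t_first))
                generated[t_first] = now + GENERATED_TTL
        # Operations whose window closed without a B just disappear.
        for t_first in [t for t, exp in waiting.items() if exp < now]:
            del waiting[t_first]

    deliver_due(float("inf"))   # flush tevents due after the last input event
    return fired


if __name__ == "__main__":
    for label, seq in SAMPLES.items():
        print(f"{label:>18}: fires for first A at {correlate(seq)}")
    same_second = [(7, "eventA"), (7, "eventB"), (7, "eventA"), (7, "eventB"),
                   (9, "eventA")]
    print("A B A B in one second, with dedupe:", correlate(same_second))
    print("A B A B in one second, without:   ", correlate(same_second, dedupe=False))
```

Running it reports AAAB and ABAA firing for the A at second 0, AAAAB firing only for the second A (second 10), and nothing for the three negative sequences. The `dedupe=False` run shows what the EVENT_GENERATED_FOR_ context prevents: with eventA, eventB, eventA, eventB in one second the model schedules two tevents for the same T and fires twice instead of once.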
> Hi,
> I'm new to SEC and I have a question, how to match
> the following combined event:
> - I have two events, saying event A and event B
> - I want to fire an event, if the following two
> conditions hold:
> - A occurs 3 times during 15 seconds AND
> - B occurs within 30 seconds from the beginning of
> the 3xA-sequence
>
> So, the following sequences should fire an event:
> - AAAB (with the 3 A's in 15 seconds and B <= 30 seconds from the
>   first A)
> - ABAA (with the 3 A's in 15 seconds)
> - AAAAB (with each of the first 3 and the second 3 A's in 15 seconds,
>   but B only in the 30-second range from the second A, not from the
>   first A) -> so the first A here does not take part in firing the
>   event
>
> Typical sequences which should not fire are:
> - no 3 A's in 15 seconds
> - B more than 30 seconds after the first A of each 3xA-sequence
>
> For the third type of sequences (AAAAB) I think I
> need some kind of sliding window, which cannot be
> covered by a SingleWithThreshold rule, since the
> first 3 A's fire this rule, so the second 3 A's will
> not fire anymore. Therefore the sequence is not
> recognized... -> False Negative.
>
> Furthermore, I have problems catching the first and the second type
> of sequences (AAAB, ABAA) with one approach.
>
> Do you have any ideas, how to model this kind of
> event?
> Thanks in advance.
>
> Alexander Claus
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users