Esper 按模式过滤事件
Esper filter events by pattern
我尝试用 match_recognize 从事件流中 select 某些事件,但收到了错误消息。我不明白为什么我的模式不起作用,或者我的语句中遗漏了什么。也许有人可以帮我修正这个语句。
我的 EPL 语句如下:
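create schema Event1(alert_id string, user_dst string, host_src string, ip_src string);

/*
 * Per source IP (partition by ip_src), match a run of consecutive non-logout
 * events in which the target account changes: A, then one or more B events
 * whose user_dst differs from A's, then C whose user_dst differs from A's and
 * from the first B's. The 5-minute data window limits how long events stay
 * available for matching.
 */
SELECT * FROM Event1.win:time(5 minute)
MATCH_RECOGNIZE (
    partition by ip_src
    measures A as a, B as b, C as c
    pattern (A B+ C)
    define
        A as A.alert_id !='account:logout',
        B as B.alert_id !='account:logout' and B.user_dst != A.user_dst,
        // B is a multi-event (B+) variable; referencing it without an index was
        // rejected here, so B[0] (the first matched B event) is used instead.
        // Only that event is compared: a later B event sharing C's user_dst
        // does not prevent the match.
        C as C.alert_id !='account:logout' and C.user_dst != A.user_dst and C.user_dst != B[0].user_dst
)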
事件序列如下:
Event1={alert_id='account:logon-success', user_dst='admin1', host_src='xxx.ru', ip_src='10.10.0.1'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='xxx.ru', ip_src='10.10.0.1'}
t=t.plus(500 seconds)
Event1={alert_id='account:logon-success', user_dst='admin2', host_src='yyy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logout', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin4', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
我期望该语句处理后输出以下事件:
Event1={alert_id='account:logon-success', user_dst='admin4', host_src='yxy.ru', ip_src='10.10.0.2'}
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
Event1={alert_id='account:logon-success', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
PS:我在 Esper EPL Online 上测试我的语句:http://esper-epl-tryout.appspot.com/epltryout/mainform.html
我找到了解决方案:因为 B+ 会匹配多个事件,需要用索引指明是哪一个 B 事件,所以应使用 C.user_dst != B[0].user_dst
而不是 C.user_dst != B.user_dst
我尝试用 match_recognize 从事件流中 select 某些事件,但收到了错误消息。我不明白为什么我的模式不起作用,或者我的语句中遗漏了什么。也许有人可以帮我修正这个语句。
我的 EPL 语句如下:
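create schema Event1(alert_id string, user_dst string, host_src string, ip_src string);

/*
 * Per source IP (partition by ip_src), match a run of consecutive non-logout
 * events in which the target account changes: A, then one or more B events
 * whose user_dst differs from A's, then C whose user_dst differs from A's and
 * from the first B's. The 5-minute data window limits how long events stay
 * available for matching.
 */
SELECT * FROM Event1.win:time(5 minute)
MATCH_RECOGNIZE (
    partition by ip_src
    measures A as a, B as b, C as c
    pattern (A B+ C)
    define
        A as A.alert_id !='account:logout',
        B as B.alert_id !='account:logout' and B.user_dst != A.user_dst,
        // B is a multi-event (B+) variable; referencing it without an index was
        // rejected here, so B[0] (the first matched B event) is used instead.
        // Only that event is compared: a later B event sharing C's user_dst
        // does not prevent the match.
        C as C.alert_id !='account:logout' and C.user_dst != A.user_dst and C.user_dst != B[0].user_dst
)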
事件序列如下:
Event1={alert_id='account:logon-success', user_dst='admin1', host_src='xxx.ru', ip_src='10.10.0.1'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='xxx.ru', ip_src='10.10.0.1'}
t=t.plus(500 seconds)
Event1={alert_id='account:logon-success', user_dst='admin2', host_src='yyy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logout', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin4', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
我期望该语句处理后输出以下事件:
Event1={alert_id='account:logon-success', user_dst='admin4', host_src='yxy.ru', ip_src='10.10.0.2'}
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
Event1={alert_id='account:logon-success', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
PS:我在 Esper EPL Online 上测试我的语句:http://esper-epl-tryout.appspot.com/epltryout/mainform.html
我找到了解决方案:因为 B+ 会匹配多个事件,需要用索引指明是哪一个 B 事件,所以应使用 C.user_dst != B[0].user_dst
而不是 C.user_dst != B.user_dst