我尝试从流经match_recognize函数中选择一些事件并接收错误消息。我无法理解为什么我的模式不起作用或我在陈述中遗漏了一些东西。也许有人可以帮助我完成我的陈述。
我有EPL声明:
create schema Event1(alert_id string, user_dst string, host_src string, ip_src string);
SELECT * FROM Event1.win:time(5 minute)
MATCH_RECOGNIZE (
partition by ip_src
measures A as a, B as b, C as c
pattern (A B+ C)
define
A as A.alert_id !='account:logout',
B as B.alert_id !='account:logout' and B.user_dst != A.user_dst,
C as C.alert_id !='account:logout' and C.user_dst != A.user_dst and C.user_dst != B.user_dst
)
和事件序列:
Event1={alert_id='account:logon-success', user_dst='admin1', host_src='xxx.ru', ip_src='10.10.0.1'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='xxx.ru', ip_src='10.10.0.1'}
t=t.plus(500 seconds)
Event1={alert_id='account:logon-success', user_dst='admin2', host_src='yyy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logout', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin4', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
作为处理声明的结果,我等待那些事件:
Event1={alert_id='account:logon-success', user_dst='admin4', host_src='yxy.ru', ip_src='10.10.0.2'}
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
Event1={alert_id='account:logon-success', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
PS:我在Esper EPL Online测试我的陈述:http://esper-epl-tryout.appspot.com/epltryout/mainform.html
答案 0 :(得分:0)
我找到了解决方案,需要使用C.user_dst != B[0].user_dst代替C.user_dst != B.user_dst