Siddhi - Fetching records from an event table that have not been updated within a given time

Time: 2017-09-22 07:36:19

Tags: wso2 siddhi

In a Siddhi query I am importing two streams, S1 and S2. When I receive an event on S1, I insert it into the event table T1; when I receive an event on S2, I update T1 by id and also send the updated table values to the output stream O1.

As part of the requirements, I need to fetch the contents of table T1 that were inserted more than 5 minutes ago (i.e. records older than 5 minutes) and send them to another output stream, O2.

@name('S1')
from S1
select id, srcId, 'null' as msgId, 'INP' as status
insert into StatusTable;

@name('S2')
from S2#window.time(1min) as g join StatusTable[t.status == 'INP'] as t
on ( g.srcId == t.id)
select t.id as id, g.msgId as msgId, 'CMP' as status
update StatusTable on StatusTable.id == id;

@name('Publish')
from S2 as g join StatusTable[t.status == 'CMP'] as t on ( g.srcId == t.id and t.status == 'CMP')
select t.id as id, t.msgId as msgId, t.status as status
insert into O1;

How can I add a query to this existing set of queries that fetches records older than 5 minutes from the TradeStatus table? Since a table cannot be used on its own, I need to join it with a stream. How can I implement this scenario?
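One way to drive the table read from a stream, as an added example that is not part of the question or the answer below: a periodic trigger stream is joined against the table, and the row's age is computed from an extra insertedAt column. It assumes Siddhi 3.x as shipped with WSO2 CEP, the core eventTimestamp() function, and the trigger stream's triggered_time attribute; the stream definitions and the column names are assumptions.

```siddhi
/* Added example (not from the question or answer). Assumes Siddhi 3.x,
   eventTimestamp() and the trigger's triggered_time attribute (long). */

define stream S1 (id string, srcId string);
define stream S2 (srcId string, msgId string);
define stream O2 (id string, srcId string, ageMillis long);

/* insertedAt is an added column so the row's age can be computed later */
define table StatusTable (id string, srcId string, msgId string,
                          status string, insertedAt long);

/* Fires once a minute; its only attribute is triggered_time (long). */
define trigger StaleCheckTrigger at every 1 min;

@name('S1')
from S1
select id, srcId, 'null' as msgId, 'INP' as status,
       eventTimestamp() as insertedAt
insert into StatusTable;

/* A table cannot be queried alone, so the trigger stream drives the join.
   Rows still in 'INP' for more than 5 min (300000 ms) are sent to O2. */
@name('StaleRecords')
from StaleCheckTrigger as tr join StatusTable as t
on t.status == 'INP' and (tr.triggered_time - t.insertedAt) > 300000
select t.id as id, t.srcId as srcId,
       (tr.triggered_time - t.insertedAt) as ageMillis
insert into O2;
```

A stale row is re-emitted on every trigger until its status changes, so a follow-up query that updates the row (for example to a 'STALE' status) keeps O2 from repeating it.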

1 answer:

Answer 0: (score: 0)

String WebAttackSuccess = "" +
           "@info(name = 'found_host_charged1') "+
           "from ATDEventStream[ rid == 10190001 ]#window.timeBatch(10 sec) as a1 "+
           "join ATDEventStream[ rid == 10180004 ]#window.time(10 sec) as a2 on a2.src_ip == a1.src_ip and a2.dst_ip == a1.dst_ip " +
           " select UUID() as uuid,1007 as cid,a1.sensor_id as sensor_id,a1.interface_id as interface_id,a1.other_id as other_id,count(a1.uuid) as event_num,min(a1.timestamp)  as first_seen,max(a2.timestamp) as last_seen,'' as IOC,a1.dst_ip as victim,a1.src_ip as attacker,a1.uuid as NDE4,sample:sample(a2.uuid) as Sample_NDE4 " +
           " insert into found_host_charged1;"+
           ""+
           "@info(name = 'found_host_charged2') "+
           "from every a1 = found_host_charged1 " +
           "-> a2 = ATDEventStream[dns_answers != ''] "+
           "within 5 min "+
           "select UUID() as uuid,1008 as cid,a2.sensor_id as sensor_id,a2.interface_id as interface_id,a2.other_id as other_id,count(a2.uuid) as event_num,a1.first_seen  as first_seen,max(a2.timestamp) as last_seen,a2.dns_answers as IOC,a2.dst_ip as victim,a2.src_ip as attacker,a1.uuid as NDE5,sample:sample(a2.uuid) as Sample_NDE5 " +
           "insert into found_host_charged2; ";

This is part of my own work, where I use two streams; perhaps you can fetch the data from StatusTable in the second stream. If that still does not solve it, you could change StatusTable to S1.