|
question about using esper to correlate alarms
I apologize for the previous wrong and partial email ... Hi Esper users, I'm evaluating Esper as a correlation engine for alarm coming from network devices The main issue is to be able to recognize sequence of fast switching alarms
Supposing to have this simple alarm event: AlarmEvent { String id, boolean state} where State can be true(alarm on) and false (alarm off) Our aim is: -1) to recognise single events with state=true not followed by an event with same id and state =false within a time t=t0
- 2) to ignore an on-off pair of events with the same id and state=true(the first) and false (the second) within t=t0 -3) to recognize a floating sequence of N pairs of events composed by the above pair within a time T0> t0 (say T0 = 60 sec, t0 = 5 sec)
So far we have tried this approach: 1) This pattern in order to recognize isolate events and avoid to take into account the floating pair of type 2: every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)
2) This pattern in order to recognise the sequence of 4 floating pairs within 60 sec every (alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> alarmOff3=AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec))) where timer:within(60 sec)
We have tested these patterns with an Event Generator and it seems that they work well My questions are: 1) there is a better approach? for example how can write a query/pattern that manages a sequence of a parametrized number of pairs (say N instead of 4)?
We tried to use the repeat operator without success because we need to set up a time window and we don/'t know how to use the [] operator with the time window 2) In order to make the second pattern readable we tried to create the pair event using an insert like this but it did not work. I mean no events were collected
insert into Pair select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]
every p1=Pair -> (p2=Pair(id=p1.id)) ->(p3=Pair(id=p1.id)) -> (p4=Pair(id=p1.id)) where timer:within(60 sec)
Please, can you give me any hints? Thanks in advance Marco Ughetti
|
|
Re: question about using esper to correlate alarms
Some parts of this message have been removed.
Learn more about Nabble's security policy.
Hi Marco,
indeed the "insert into" is the best way to take pairs and do some higher level detection on pairs.
So far example:
insert into PairStream select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) ->
AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]
...and...
select * from PairStream // or detect further patterns on PairStream events
The repeat operator should do the job of finding multiple pairs. What is the problem you faced with repeat or insert into? Best regards, Tom
From: marco ughetti <marco.ughetti@...>
To: user@...
Sent: Tuesday, August 25, 2009 6:40:51 AM
Subject: [esper-user] question about using esper to correlate alarms
I apologize for the previous wrong and partial email ... Hi Esper users, I'm evaluating Esper as a correlation engine for alarm coming from network devices The main issue is to be able to recognize sequence of fast switching alarms
Supposing to have this simple alarm event: AlarmEvent { String id, boolean state} where State can be true(alarm on) and false (alarm off) Our aim is: -1) to recognise single events with state=true not followed by an event with same id and state =false within a time t=t0
- 2) to ignore an on-off pair of events with the same id and state=true(the first) and false (the second) within t=t0 -3) to recognize a floating sequence of N pairs of events composed by the above pair within a time T0> t0 (say T0 = 60 sec, t0 = 5 sec)
So far we have tried this approach: 1) This pattern in order to recognize isolate events and avoid to take into account the floating pair of type 2: every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)
2) This pattern in order to recognise the sequence of 4 floating pairs within 60 sec every (alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> alarmOff3=AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec))) where timer:within(60 sec)
We have tested these patterns with an Event Generator and it seems that they work well My questions are: 1) there is a better approach? for example how can write a query/pattern that manages a sequence of a parametrized number of pairs (say N instead of 4)?
We tried to use the repeat operator without success because we need to set up a time window and we don/'t know how to use the [] operator with the time window 2) In order to make the second pattern readable we tried to create the pair event using an insert like this but it did not work. I mean no events were collected
insert into Pair select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]
every p1=Pair -> (p2=Pair(id=p1.id)) ->(p3=Pair(id=p1.id)) -> (p4=Pair(id=p1.id)) where timer:within(60 sec)
Please, can you give me any hints? Thanks in advance Marco Ughetti
|
|
Re: question about using esper to correlate alarms
Hi Thomas, thanks for the reply Currently I'm evaluating esper as a core engine for an alarm correlator and the first scenario is the one pictured in the previous email I did not have problem to recognize isolated alarm start and end. The last version of my queries are:
ISOLATED_ALARM_START insert into IsolatedAlarmOn select alarmOn.id as id, alarmOn.state as state, alarmOn.time as time from pattern [every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)]
ISOLATED_ALARM_END select alarmOff from pattern [every alarmOn=IsolatedAlarmOn -> alarmOff=AlarmEvent(id=alarmOn.id, state=false)] Also I was able to recognize the star of a floating sequence of on-off alarm using:
insert into FloatingAlarm select alarmOff.id as id, alarmOff.state as state, alarmOff.time as time\nfrom pattern [every alarmOn=AlarmEvent(state=true) -> alarmOff=AlarmEvent(state=false,id=alarmOn.id) where timer:within(5 sec)].win:time(30 sec) group by alarmOff.id having count(*) = 4
where 4 means that a sequence shall be <=4 events within 30 sec I had some problem to recognise the end of the sequence because the start of the sequence fires a complex event when arrive the fourth alarm but the sequence can last more and more so at the end of the day I found this pattern that it seems to be working (at least with my test scenario)
every floating=FloatingAlarm -> onOffVoid=OnOffVoid(id= floating.id) with OnOffVoid defined by: insert into OnOffVoid select onoff.id as id from pattern[every onoff=OnOff ->timer:interval(10 sec) and not OnOff(id= onoff.id)]
I still have some doubts about the new streams I have defined in order to be used on my queries/pattern For example, I can I delete old events from the streams? I have understood well I have to use named windows is it true?
So I have to define first the named window and then insert into it, is it correct? The other question is about using the repeat operator [] instead of using the group by clause and the count(*) in order to detect the sequence. Is it possible?
Thanks in advance Best Marco Ughetti On Sun, Aug 30, 2009 at 3:50 PM, Thomas Bernhardt <bernhardttom@...> wrote:
Hi Marco,
indeed the "insert into" is the best way to take pairs and do some higher level detection on pairs.
So far example:
insert into PairStream select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) ->
AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]
...and...
select * from PairStream // or detect further patterns on PairStream events
The repeat operator should do the job of finding multiple pairs. What is the problem you faced with repeat or insert into? Best regards, Tom
From: marco ughetti <marco.ughetti@...>
To: user@...
Sent: Tuesday, August 25, 2009 6:40:51 AM
Subject: [esper-user] question about using esper to correlate alarms
I apologize for the previous wrong and partial email ... Hi Esper users, I'm evaluating Esper as a correlation engine for alarm coming from network devices The main issue is to be able to recognize sequence of fast switching alarms
Supposing to have this simple alarm event: AlarmEvent { String id, boolean state} where State can be true(alarm on) and false (alarm off) Our aim is: -1) to recognise single events with state=true not followed by an event with same id and state =false within a time t=t0
- 2) to ignore an on-off pair of events with the same id and state=true(the first) and false (the second) within t=t0 -3) to recognize a floating sequence of N pairs of events composed by the above pair within a time T0> t0 (say T0 = 60 sec, t0 = 5 sec)
So far we have tried this approach: 1) This pattern in order to recognize isolate events and avoid to take into account the floating pair of type 2: every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)
2) This pattern in order to recognise the sequence of 4 floating pairs within 60 sec every (alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> alarmOff3=AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec))) where timer:within(60 sec)
We have tested these patterns with an Event Generator and it seems that they work well My questions are: 1) there is a better approach? for example how can write a query/pattern that manages a sequence of a parametrized number of pairs (say N instead of 4)?
We tried to use the repeat operator without success because we need to set up a time window and we don/'t know how to use the [] operator with the time window 2) In order to make the second pattern readable we tried to create the pair event using an insert like this but it did not work. I mean no events were collected
insert into Pair select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]
every p1=Pair -> (p2=Pair(id=p1.id)) ->(p3=Pair(id=p1.id)) -> (p4=Pair(id=p1.id)) where timer:within(60 sec)
Please, can you give me any hints? Thanks in advance Marco Ughetti
|
|
Re: question about using esper to correlate alarms
Some parts of this message have been removed.
Learn more about Nabble's security policy.
Hi Mario, the @Drop could also be used to delete events in a stream. the repeat-until would seem to work as well for this case, yes. Best regards, Tom
From: marco ughetti <marco.ughetti@...>
To: user@...
Sent: Tuesday, September 1, 2009 9:50:10 AM
Subject: Re: [esper-user] question about using esper to correlate alarms
Hi Thomas, thanks for the reply Currently I'm evaluating esper as a core engine for an alarm correlator and the first scenario is the one pictured in the previous email I did not have problem to recognize isolated alarm start and end. The last version of my queries are:
ISOLATED_ALARM_START insert into IsolatedAlarmOn select alarmOn.id as id, alarmOn.state as state, alarmOn.time as time from pattern [every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)]
ISOLATED_ALARM_END select alarmOff from pattern [every alarmOn=IsolatedAlarmOn -> alarmOff=AlarmEvent(id=alarmOn.id, state=false)] Also I was able to recognize the star of a floating sequence of on-off alarm using:
insert into FloatingAlarm select alarmOff.id as id, alarmOff.state as state, alarmOff.time as time\nfrom pattern [every alarmOn=AlarmEvent(state=true) -> alarmOff=AlarmEvent(state=false,id=alarmOn.id) where timer:within(5 sec)].win:time(30 sec) group by alarmOff.id having count(*) = 4
where 4 means that a sequence shall be <=4 events within 30 sec I had some problem to recognise the end of the sequence because the start of the sequence fires a complex event when arrive the fourth alarm but the sequence can last more and more so at the end of the day I found this pattern that it seems to be working (at least with my test scenario)
every floating=FloatingAlarm -> onOffVoid=OnOffVoid(id= floating.id) with OnOffVoid defined by: insert into OnOffVoid select onoff.id as id from pattern[every onoff=OnOff ->timer:interval(10 sec) and not OnOff(id= onoff.id)]
I still have some doubts about the new streams I have defined in order to be used on my queries/pattern For example, I can I delete old events from the streams? I have understood well I have to use named windows is it true?
So I have to define first the named window and then insert into it, is it correct? The other question is about using the repeat operator [] instead of using the group by clause and the count(*) in order to detect the sequence. Is it possible?
Thanks in advance Best Marco Ughetti On Sun, Aug 30, 2009 at 3:50 PM, Thomas Bernhardt <bernhardttom@...> wrote:
Hi Marco,
indeed the "insert into" is the best way to take pairs and do some higher level detection on pairs. So far example: insert into PairStream select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) ->
AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]...and... select * from PairStream // or detect further patterns on PairStream events
The repeat operator should do the job of finding multiple pairs. What is the problem you faced with repeat or insert into? Best regards, Tom
From: marco ughetti <marco.ughetti@...>
To: user@...
Sent: Tuesday, August 25, 2009 6:40:51 AM
Subject: [esper-user] question about using esper to correlate alarms
I apologize for the previous wrong and partial email ... Hi Esper users, I'm evaluating Esper as a correlation engine for alarm coming from network devices The main issue is to be able to recognize sequence of fast switching alarms
Supposing to have this simple alarm event: AlarmEvent { String id, boolean state} where State can be true(alarm on) and false (alarm off) Our aim is: -1) to recognise single events with state=true not followed by an event with same id and state =false within a time t=t0
- 2) to ignore an on-off pair of events with the same id and state=true(the first) and false (the second) within t=t0 -3) to recognize a floating sequence of N pairs of events composed by the above pair within a time T0> t0 (say T0 = 60 sec, t0 = 5 sec)
So far we have tried this approach: 1) This pattern in order to recognize isolate events and avoid to take into account the floating pair of type 2: every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)
2) This pattern in order to recognise the sequence of 4 floating pairs within 60 sec every (alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> alarmOff3=AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec))) where timer:within(60 sec)
We have tested these patterns with an Event Generator and it seems that they work well My questions are: 1) there is a better approach? for example how can write a query/pattern that manages a sequence of a parametrized number of pairs (say N instead of 4)?
We tried to use the repeat operator without success because we need to set up a time window and we don/'t know how to use the [] operator with the time window 2) In order to make the second pattern readable we tried to create the pair event using an insert like this but it did not work. I mean no events were collected
insert into Pair select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]
every p1=Pair -> (p2=Pair(id=p1.id)) ->(p3=Pair(id=p1.id)) -> (p4=Pair(id=p1.id)) where timer:within(60 sec)
Please, can you give me any hints? Thanks in advance Marco Ughetti
|
|
Re: question about using esper to correlate alarms
Thanks, Can you give me an hint in order to use the repeat-until in my case? I dont'see how to use it Marco On Tue, Sep 8, 2009 at 2:02 PM, Thomas Bernhardt <bernhardttom@...> wrote:
Hi Mario, the @Drop could also be used to delete events in a stream. the repeat-until would seem to work as well for this case, yes. Best regards, Tom
Sent: Tuesday, September 1, 2009 9:50:10 AM
Subject: Re: [esper-user] question about using esper to correlate alarms
Hi Thomas, thanks for the reply Currently I'm evaluating esper as a core engine for an alarm correlator and the first scenario is the one pictured in the previous email I did not have problem to recognize isolated alarm start and end. The last version of my queries are:
ISOLATED_ALARM_START insert into IsolatedAlarmOn select alarmOn.id as id, alarmOn.state as state, alarmOn.time as time from pattern [every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)]
ISOLATED_ALARM_END select alarmOff from pattern [every alarmOn=IsolatedAlarmOn -> alarmOff=AlarmEvent(id=alarmOn.id, state=false)] Also I was able to recognize the star of a floating sequence of on-off alarm using:
insert into FloatingAlarm select alarmOff.id as id, alarmOff.state as state, alarmOff.time as time\nfrom pattern [every alarmOn=AlarmEvent(state=true) -> alarmOff=AlarmEvent(state=false,id=alarmOn.id) where timer:within(5 sec)].win:time(30 sec) group by alarmOff.id having count(*) = 4
where 4 means that a sequence shall be <=4 events within 30 sec I had some problem to recognise the end of the sequence because the start of the sequence fires a complex event when arrive the fourth alarm but the sequence can last more and more so at the end of the day I found this pattern that it seems to be working (at least with my test scenario)
every floating=FloatingAlarm -> onOffVoid=OnOffVoid(id= floating.id) with OnOffVoid defined by: insert into OnOffVoid select onoff.id as id from pattern[every onoff=OnOff ->timer:interval(10 sec) and not OnOff(id= onoff.id)]
I still have some doubts about the new streams I have defined in order to be used on my queries/pattern For example, I can I delete old events from the streams? I have understood well I have to use named windows is it true?
So I have to define first the named window and then insert into it, is it correct? The other question is about using the repeat operator [] instead of using the group by clause and the count(*) in order to detect the sequence. Is it possible?
Thanks in advance Best Marco Ughetti On Sun, Aug 30, 2009 at 3:50 PM, Thomas Bernhardt <bernhardttom@...> wrote:
Hi Marco,
indeed the "insert into" is the best way to take pairs and do some higher level detection on pairs. So far example: insert into PairStream select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) ->
AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]...and... select * from PairStream // or detect further patterns on PairStream events
The repeat operator should do the job of finding multiple pairs. What is the problem you faced with repeat or insert into? Best regards, Tom
From: marco ughetti <marco.ughetti@...>
To: user@...
Sent: Tuesday, August 25, 2009 6:40:51 AM
Subject: [esper-user] question about using esper to correlate alarms
I apologize for the previous wrong and partial email ... Hi Esper users, I'm evaluating Esper as a correlation engine for alarm coming from network devices The main issue is to be able to recognize sequence of fast switching alarms
Supposing to have this simple alarm event: AlarmEvent { String id, boolean state} where State can be true(alarm on) and false (alarm off) Our aim is: -1) to recognise single events with state=true not followed by an event with same id and state =false within a time t=t0
- 2) to ignore an on-off pair of events with the same id and state=true(the first) and false (the second) within t=t0 -3) to recognize a floating sequence of N pairs of events composed by the above pair within a time T0> t0 (say T0 = 60 sec, t0 = 5 sec)
So far we have tried this approach: 1) This pattern in order to recognize isolate events and avoid to take into account the floating pair of type 2: every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)
2) This pattern in order to recognise the sequence of 4 floating pairs within 60 sec every (alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> alarmOff3=AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec))) where timer:within(60 sec)
We have tested these patterns with an Event Generator and it seems that they work well My questions are: 1) there is a better approach? for example how can write a query/pattern that manages a sequence of a parametrized number of pairs (say N instead of 4)?
We tried to use the repeat operator without success because we need to set up a time window and we don/'t know how to use the [] operator with the time window 2) In order to make the second pattern readable we tried to create the pair event using an insert like this but it did not work. I mean no events were collected
insert into Pair select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]
every p1=Pair -> (p2=Pair(id=p1.id)) ->(p3=Pair(id=p1.id)) -> (p4=Pair(id=p1.id)) where timer:within(60 sec)
Please, can you give me any hints? Thanks in advance Marco Ughetti
|
|
Re: question about using esper to correlate alarms
Some parts of this message have been removed.
Learn more about Nabble's security policy.
Hi Marco, something like select * from pattern [ ([4] OnOffVoid) where timer:within(30)] Best regards, Tom
From: marco ughetti <marco.ughetti@...>
To: user@...
Sent: Tuesday, September 8, 2009 12:01:53 PM
Subject: Re: [esper-user] question about using esper to correlate alarms
Thanks, Can you give me an hint in order to use the repeat-until in my case? I dont'see how to use it Marco On Tue, Sep 8, 2009 at 2:02 PM, Thomas Bernhardt <bernhardttom@...> wrote:
Hi Mario, the @Drop could also be used to delete events in a stream. the repeat-until would seem to work as well for this case, yes. Best regards, Tom
Sent: Tuesday, September 1, 2009 9:50:10 AM
Subject: Re: [esper-user] question about using esper to correlate alarms
Hi Thomas, thanks for the reply Currently I'm evaluating esper as a core engine for an alarm correlator and the first scenario is the one pictured in the previous email I did not have problem to recognize isolated alarm start and end. The last version of my queries are:
ISOLATED_ALARM_START insert into IsolatedAlarmOn select alarmOn.id as id, alarmOn.state as state, alarmOn.time as time from pattern [every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)]
ISOLATED_ALARM_END select alarmOff from pattern [every alarmOn=IsolatedAlarmOn -> alarmOff=AlarmEvent(id=alarmOn.id, state=false)] Also I was able to recognize the star of a floating sequence of on-off alarm using:
insert into FloatingAlarm select alarmOff.id as id, alarmOff.state as state, alarmOff.time as time\nfrom pattern [every alarmOn=AlarmEvent(state=true) -> alarmOff=AlarmEvent(state=false,id=alarmOn.id) where timer:within(5 sec)].win:time(30 sec) group by alarmOff.id having count(*) = 4
where 4 means that a sequence shall be <=4 events within 30 sec I had some problem to recognise the end of the sequence because the start of the sequence fires a complex event when arrive the fourth alarm but the sequence can last more and more so at the end of the day I found this pattern that it seems to be working (at least with my test scenario)
every floating=FloatingAlarm -> onOffVoid=OnOffVoid(id= floating.id) with OnOffVoid defined by: insert into OnOffVoid select onoff.id as id from pattern[every onoff=OnOff ->timer:interval(10 sec) and not OnOff(id= onoff.id)]
I still have some doubts about the new streams I have defined in order to be used on my queries/pattern For example, I can I delete old events from the streams? I have understood well I have to use named windows is it true?
So I have to define first the named window and then insert into it, is it correct? The other question is about using the repeat operator [] instead of using the group by clause and the count(*) in order to detect the sequence. Is it possible?
Thanks in advance Best Marco Ughetti On Sun, Aug 30, 2009 at 3:50 PM, Thomas Bernhardt <bernhardttom@...> wrote:
Hi Marco,
indeed the "insert into" is the best way to take pairs and do some higher level detection on pairs. So far example: insert into PairStream select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) ->
AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]...and... select * from PairStream // or detect further patterns on PairStream events
The repeat operator should do the job of finding multiple pairs. What is the problem you faced with repeat or insert into? Best regards, Tom
From: marco ughetti <marco.ughetti@...>
To: user@...
Sent: Tuesday, August 25, 2009 6:40:51 AM
Subject: [esper-user] question about using esper to correlate alarms
I apologize for the previous wrong and partial email ... Hi Esper users, I'm evaluating Esper as a correlation engine for alarm coming from network devices The main issue is to be able to recognize sequence of fast switching alarms
Supposing to have this simple alarm event: AlarmEvent { String id, boolean state} where State can be true(alarm on) and false (alarm off) Our aim is: -1) to recognise single events with state=true not followed by an event with same id and state =false within a time t=t0
- 2) to ignore an on-off pair of events with the same id and state=true(the first) and false (the second) within t=t0 -3) to recognize a floating sequence of N pairs of events composed by the above pair within a time T0> t0 (say T0 = 60 sec, t0 = 5 sec)
So far we have tried this approach: 1) This pattern in order to recognize isolate events and avoid to take into account the floating pair of type 2: every alarmOn=AlarmEvent(state=true) -> timer:interval(5 sec) and not AlarmEvent(state=false,id=alarmOn.id)
2) This pattern in order to recognise the sequence of 4 floating pairs within 60 sec every (alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)) -> (AlarmEvent(state=true,id=alarmOn1.id) -> alarmOff3=AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec))) where timer:within(60 sec)
We have tested these patterns with an Event Generator and it seems that they work well My questions are: 1) there is a better approach? for example how can write a query/pattern that manages a sequence of a parametrized number of pairs (say N instead of 4)?
We tried to use the repeat operator without success because we need to set up a time window and we don/'t know how to use the [] operator with the time window 2) In order to make the second pattern readable we tried to create the pair event using an insert like this but it did not work. I mean no events were collected
insert into Pair select alarmOn1.id as id from pattern[ every alarmOn1=AlarmEvent(state=true) -> AlarmEvent(state=false,id=alarmOn1.id) where timer:within(5 sec)]
every p1=Pair -> (p2=Pair(id=p1.id)) ->(p3=Pair(id=p1.id)) -> (p4=Pair(id=p1.id)) where timer:within(60 sec)
Please, can you give me any hints? Thanks in advance Marco Ughetti
|
