Alerting: Event Processing Language (EPL)

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Jul 26, 2016.
Version 2

ESA uses Event Processing Language (EPL), a declarative language for dealing with high-frequency, time-based event data. It is used to express filtering, aggregation, and joins over possibly sliding windows of multiple event streams. EPL also includes pattern semantics to express complex temporal causality among events. It can perform, but is not limited to, the following functions:

  • Filter Events
  • Alert Suppression
  • Compute percentages or ratios
  • Average, count, min and max for a given time window
  • Correlate events arriving in multiple streams
  • Correlate events that arrive out of order
  • On-Off Windows
  • Followed-by and Not Followed-by support
  • Regex filter support

Databases require explicit querying to return meaningful data and are not suited to pushing data as it changes. The developer must implement the temporal and aggregation logic himself. By contrast, the EPL engine provides a higher level of abstraction and intelligence and can be thought of as a database turned upside-down. Instead of storing the data and running queries against stored data, EPL allows applications to store queries and continuously run the data through them. The EPL engine responds in real time when conditions occur that match user-defined queries.

For the purposes of online help, basic statements are used to illustrate how to set up ESA; however, for more information about writing EPL statements, the site provides tutorials and examples. 

Note: ESA supports Esper version 5.1.0.
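The two statements below are an added illustration, not taken from the RSA documentation, of several functions listed above (filtering, aggregation over a sliding time window, alert suppression, and followed-by) written in Esper 5.x syntax. The `Event` stream name, the `@RSAAlert` annotation, the meta keys `ec_activity`, `ec_outcome` and `user_dst`, and all thresholds are assumptions about a typical ESA deployment.

```epl
// Constructed example rules. Stream name, meta keys and thresholds are
// assumptions; adjust them to the meta available in your deployment.

// Filter + aggregation over a sliding window:
// 10 or more failed logons for the same user_dst within any 5-minute span.
@Name('failed_logon_burst')
@RSAAlert
SELECT user_dst, count(*) AS failures
FROM Event(ec_activity = 'Logon' AND ec_outcome = 'Failure').win:time(5 min)
GROUP BY user_dst
HAVING count(*) >= 10
// Alert suppression: emit the first matching row, then hold back
// repeats for 30 minutes.
OUTPUT FIRST EVERY 30 min;

// Followed-by: a failed logon followed by a successful logon for the same
// user_dst within 5 minutes. The parentheses attach the timer guard to the
// second event only, so the 5 minutes start when the failure is seen.
@Name('failure_then_success')
@RSAAlert
SELECT * FROM PATTERN [
  every a=Event(ec_activity = 'Logon' AND ec_outcome = 'Failure')
    -> (b=Event(ec_activity = 'Logon' AND ec_outcome = 'Success'
                AND user_dst = a.user_dst)
        where timer:within(5 min))
];
```

Neither statement queries stored data: each is registered once, and the engine evaluates it against every event as it arrives.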
