AnsweredAssumed Answered

Esper EPL rule gets fired only once

Question asked by Gianluca Coviello on Jan 30, 2020
Latest reply on Jan 30, 2020 by Gianluca Coviello

I am trying to create a pattern in EPL, but i do not get why it gets matched only one. Here is what I did on the web page Esper EPL online. The EPL I input in the left textbox is:

create schema StockTick(signature string, source string, destination string, action string);
@Name('Monitor') select * from StockTick;
@Name('Out') select * from pattern [A=StockTick -> B=StockTick(B.source = A.source and B.destination = A.destination and B.action='block') where timer:within(2 seconds)];

and the events I input in the middle textbox are:

StockTick={signature='sig1', source ='s1', destination ='d1'}
t=t.plus(0.4 seconds)

StockTick={source ='s1', destination ='d1', action='block'}
t=t.plus(0.4 seconds)

StockTick={signature='sig2', source ='s2', destination ='d2'}
t=t.plus(0.4 seconds)

StockTick={source ='s2', destination ='d2', action='block'}
t=t.plus(0.4 seconds)

The output I get in the right box:

At: 2001-01-01 08:00:00.000
Statement: Monitor
Insert
StockTick={signature='sig1', source='s1', destination='d1', action=(null)}

At: 2001-01-01 08:00:00.400
Statement: Monitor
Insert
StockTick={signature=(null), source='s1', destination='d1', action='block'}
Statement: Out
Insert
stmt2_pat_0_1={A={StockTick={signature='sig1', source='s1', destination='d1', action=(null)}}, B={StockTick={signature=(null), source='s1', destination='d1', action='block'}}}

At: 2001-01-01 08:00:00.800
Statement: Monitor
Insert
StockTick={signature='sig2', source='s2', destination='d2', action=(null)}
At: 2001-01-01 08:00:01.200
Statement: Monitor
Insert
StockTick={signature=(null), source='s2', destination='d2', action='block'}

So:

  • after 0 seconds, the Monitor statement gets fired (fine!)
  • after 0.4 seconds, the Monitor statement gets fired again (fine!)
  • after 0.4 seconds, the Out statement gets fired (fine!)
  • after 0.8 seconds, the Monitor statement gets fired again (fine!)
  • after 1.2 seconds, the Monitor statement gets fired again (fine!)

 

What I do not understand is why after 1.2 seconds I do not get fired the Out statement again, as I would expect.

Please note that if I try the first two inserts alone and the second two inserts alone, in both cases I have the Monitor statement fired twice and the Out statement fired once. The problem arises when I concatenate the four insert statements.

 

Would the rule above be matched multiple times, as expected and desired, when deployed to RSA Netwitness Logs & Packet?

Outcomes