question about counting pattern?
I want to use the counting pattern with a time gap, but the result makes me confused. The example I wrote is a brute force login success detection, and below is the execution plan:
@Plan:name('TestExecutionPlan')

define stream rawStream ( catBehavior string, catOutcome string, srcAddress string,
                          deviceCat string, srcUsername string,
                          catObject string, destAddress string, appProtocol string );

-- failed authentication attempts
@info(name = 'condition1')
from rawStream[ catBehavior == '/Authentication/Verify'
                and catOutcome == 'FAIL' and not( srcAddress is null ) ]#window.time(1 min)
select srcAddress, deviceCat, srcUsername, destAddress, appProtocol
insert into e1_OutputStream;

-- successful authentications
@info(name = 'condition2')
from rawStream[ catBehavior == '/Authentication/Verify'
                and catOutcome == 'OK' and not( srcAddress is null ) ]#window.time(1 min)
select srcAddress, deviceCat, srcUsername, destAddress, appProtocol
insert into e2_OutputStream;

-- nine or more failures followed by a success for the same source/user/target
@info(name = 'result')
from every ( e1 = e1_OutputStream<9:> ) -> e2 = e2_OutputStream[ e1.srcAddress == srcAddress
                                                                 and e1.deviceCat == deviceCat
                                                                 and e1.srcUsername == srcUsername
                                                                 and e1.destAddress == destAddress
                                                                 and e1.appProtocol == appProtocol ]
within 10 second
select 'relationEvent' as event, e1.srcAddress,
       e1.deviceCat, e1.srcUsername, e1.destAddress, e1.appProtocol
insert into resultOutputStream;
And the event stream is below, including 9 FAIL and 1 SUCCESS events:
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
delay(2000)
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
delay(2000)
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
delay(2000)
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
delay(2000)
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
delay(2000)
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
delay(2000)
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
delay(2000)
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
delay(2000)
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
delay(2000)
rawStream=[/Authentication/Verify,OK,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol]
9 FAIL logins and 1 successful login should trigger the rule, so I wrote e1 = e1_OutputStream<9:>. I also want to detect this during a time period, so I wrote within 10 second. The event stream I sent should not trigger the rule (the sum of the delay times is > 10 sec), but the result is that it did trigger the rule. So I'm wondering: does the time gap I defined match against the first event or the last event?
Issue Analytics: created 7 years ago; 5 comments (1 by maintainers)

Top GitHub Comments
Hi @tttMelody,

The time gap is the time between the first event and the last event. Basically we keep that time constraint so that we won't keep holding events till infinity. An event will only be held for that time duration within a pattern. That being said, I think your requirement is to detect 9 or more subsequent failures followed by a successful login. If so, you don't need the #window.time(1 min) either. You can just have a filter query to filter success and fail events. And your query would look like:

@info(name = 'result')
from every e1 = e1_OutputStream
     -> e2 = e1_OutputStream<8:>[ e1.srcAddress == srcAddress and e1.deviceCat == deviceCat
                                  and e1.srcUsername == srcUsername and e1.destAddress == destAddress
                                  and e1.appProtocol == appProtocol ]
     -> e3 = e2_OutputStream[ e1.srcAddress == srcAddress and e1.deviceCat == deviceCat
                              and e1.srcUsername == srcUsername and e1.destAddress == destAddress
                              and e1.appProtocol == appProtocol ]
within 10 second
select 'relationEvent' as event, e1.srcAddress, e1.deviceCat, e1.srcUsername, e1.destAddress, e1.appProtocol
insert into resultOutputStream;

I have added an extra layer to the pattern to make sure that the first nine events are for the same src address, device cat, etc. The pattern you wrote will match any nine failed events regardless of src address, etc.
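To make the two points in that answer concrete (the 10 s gap is measured from the first matched event, and failures must be keyed by source/user/target), here is a small Python simulation added for this page; it is not Siddhi code and not part of the issue. The trace helper and the (src, user, dest) key are constructed assumptions that reproduce the reporter's stream: 9 FAILs 2 s apart and an OK at 18 s, which correctly does not fire, while the same 10 events squeezed into 4.5 s do.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: float        # seconds since the start of the trace
    outcome: str     # 'FAIL' or 'OK'
    src: str
    user: str
    dest: str


class BruteForceSuccessDetector:
    """At least `min_fails` FAILs followed by an OK, all for the same
    (src, user, dest) key, where the OK arrives no later than `within_sec`
    after the FIRST failure counted (the 'within' semantics explained above)."""

    def __init__(self, min_fails=9, within_sec=10.0):
        self.min_fails = min_fails
        self.within_sec = within_sec
        self.fails = defaultdict(list)   # key -> timestamps of pending FAILs

    def feed(self, ev):
        key = (ev.src, ev.user, ev.dest)
        # A failure older than within_sec can no longer be the first event of a
        # match that ends now, so it is expired before the current event is seen.
        self.fails[key] = pending = [t for t in self.fails[key]
                                     if ev.ts - t <= self.within_sec]
        if ev.outcome == "FAIL":
            pending.append(ev.ts)
            return None
        if ev.outcome == "OK" and len(pending) >= self.min_fails:
            alert = {"event": "relationEvent", "src": ev.src, "user": ev.user,
                     "dest": ev.dest, "fails": len(pending),
                     "span_sec": ev.ts - pending[0] if pending else 0.0}
            pending.clear()
            return alert
        pending.clear()   # a success without enough prior failures resets the run
        return None


def run(events, **kw):
    det = BruteForceSuccessDetector(**kw)
    return [a for a in (det.feed(e) for e in events) if a]


def trace(gap, n_fails=9, src="1.1.1.1"):
    """Constructed sample: n_fails FAILs `gap` seconds apart, then one OK."""
    evs = [AuthEvent(i * gap, "FAIL", src, "srcUsername", "destAddress") for i in range(n_fails)]
    evs.append(AuthEvent(n_fails * gap, "OK", src, "srcUsername", "destAddress"))
    return evs
```

`run(trace(2.0))` is the reporter's stream and returns no alert; `run(trace(0.5))` returns one alert spanning 4.5 s.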
@tishan89 thanks so much, your solution is brilliant. I was always confused about how to do an operation on grouped data in a pattern and at the same time join another grouped stream. Your solution uses e2 instead of a group; it is brilliant. But I wonder whether the performance may not be good if your data is dispersed. In my use case I am only concerned with the Success happening after the Fails; I'm not concerned about the order of the 9 Fail events within their own group.