Re: [siddhi-dev] how can i reset .externalTimeBatch?


Senthuran Ambalavanar

Apr 5, 2022, 9:53:16 AM
to fengj victor, siddhi-dev
Hi Fengj,

Could you explain the use case you are trying to achieve, please?
Is it "Get the total count of events that come through LoginStream per sourceIp, for every 20 seconds"?

Thanks,
Senthuran.

On Sat, Apr 2, 2022 at 11:26 AM fengj victor <vfe...@gmail.com> wrote:
partition with ( sourceIp of LoginStream )
begin
    @info(name='fetchFailedLoginStream')
    from LoginStream#window.externalTimeBatch(eventTime, 20 sec, eventTime, 0 sec)[str:contains(log, 'login failed')]
    select sourceIp, log, min(eventTime) as startTime, max(eventTime) as endTime, count() as count
    insert into FailedLoginStream;
   
    @info(name='detect')
    from every s1=FailedLoginStream
    -> s2=LoginStream[str:contains(log, 'login success') and s1.sourceIp == s2.sourceIp  and s1.count > 3 and (s2.eventTime - s1.endTime < 10000)]
    select s2.sourceIp as sourceIp, s1.startTime as startTime, s2.eventTime as endTime, ifThenElse(s1.count>5,'High','Low') as level
    insert into DetectStream;
end;

This will output
[2022-04-02_13-43-57_425] INFO {io.siddhi.core.stream.output.sink.LogSink} - >>>FailedLoginStream : Event{timestamp=1648878233996, data=[0.0.0.0, login failed, 4000, 4000, 1], isExpired=false} (Encoded)
[2022-04-02_13-43-57_626] INFO {io.siddhi.core.stream.output.sink.LogSink} - >>>FailedLoginStream : Event{timestamp=1648878237222, data=[1.1.1.1, login failed, 1000, 20000, 6], isExpired=false} (Encoded)
[2022-04-02_13-43-57_829] INFO {io.siddhi.core.stream.output.sink.LogSink} - >>>DetectStream : Event{timestamp=1648878237826, data=[1.1.1.1, 1000, 23000, High], isExpired=false} (Encoded)
[2022-04-02_13-44-01_288] INFO {io.siddhi.core.stream.output.sink.LogSink} - >>>FailedLoginStream : Event{timestamp=1648878237425, data=[0.0.0.0, login failed, 21000, 21000, 1], isExpired=false} (Encoded)
[2022-04-02_13-44-01_713] INFO {io.siddhi.core.stream.output.sink.LogSink} - >>>FailedLoginStream : Event{timestamp=1648878240244, data=[1.1.1.1, login failed, 1000, 35000, 9], isExpired=false} (Encoded)
[2022-04-02_13-44-05_575] INFO {io.siddhi.core.stream.output.sink.LogSink} - >>>FailedLoginStream : Event{timestamp=1648878243147, data=[1.1.1.1, login failed, 1000, 49000, 10], isExpired=false} (Encoded)
[2022-04-02_13-44-06_586] INFO {io.siddhi.core.stream.output.sink.LogSink} - >>>FailedLoginStream : Event{timestamp=1648878245171, data=[0.0.0.0, login failed, 21000, 59000, 7], isExpired=false} (Encoded)

It seems to sum the count for IP 0.0.0.0: 6->9->10.
My requirement is to reset its window, and it should output 6 -> 3 -> 1 for every time window.

thanks ;)


--
Senthuran Ambalavanar | Senior Software Engineer | WSO2 Inc.
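
An added example, not part of the thread and not Siddhi code: a Python reference model of the behaviour the question asks for, with per-sourceIp failed-login counts that reset every 20-second event-time window, plus the follow-on rule from the `detect` query. The function names, the window alignment (each IP's grid starts at its first failed event) and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW_MS = 20_000   # batch length used in the query (20 sec)
MAX_GAP_MS = 10_000  # s2.eventTime - s1.endTime < 10000

def failed_login_batches(events):
    """Count 'login failed' events per sourceIp in tumbling event-time windows.

    events: (source_ip, event_time_ms, log) tuples ordered by event time.
    Assumption: an IP's window grid starts at its first failed event.
    """
    grid_start = {}              # ip -> eventTime of its first failure
    buckets = defaultdict(list)  # (ip, window index) -> failure timestamps
    for ip, ts, log in events:
        if "login failed" not in log:
            continue
        start = grid_start.setdefault(ip, ts)
        buckets[(ip, (ts - start) // WINDOW_MS)].append(ts)
    # One row per (ip, window): the count never carries into the next window.
    return [
        {"sourceIp": ip, "startTime": min(t), "endTime": max(t), "count": len(t)}
        for (ip, _), t in sorted(buckets.items())
    ]

def detect(events):
    """Alert on a success within MAX_GAP_MS of a batch holding > 3 failures."""
    batches = failed_login_batches(events)
    alerts = []
    for ip, ts, log in events:
        if "login success" not in log:
            continue
        for b in batches:
            gap = ts - b["endTime"]
            if b["sourceIp"] == ip and b["count"] > 3 and 0 <= gap < MAX_GAP_MS:
                level = "High" if b["count"] > 5 else "Low"
                alerts.append((ip, b["startTime"], ts, level))
    return alerts

# Constructed sample events (not the thread's input data), sorted by event time.
SAMPLE = sorted(
    [("1.1.1.1", t, "login failed") for t in (1000, 5000, 9000, 13000, 17000, 20000)]
    + [("1.1.1.1", 23000, "login success")]
    + [("1.1.1.1", t, "login failed") for t in (25000, 30000, 35000, 49000)]
    + [("0.0.0.0", 4000, "login failed")],
    key=lambda e: e[1],
)

if __name__ == "__main__":
    print(failed_login_batches(SAMPLE))
    print(detect(SAMPLE))
```
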