NodeBrain Demonstration Site
A Rule Engine for State and Event Monitoring

ThisAfterThat

Suppose you have a simple stream of events with attributes of "type" and "user". Now let's say you want to know when any given user has a "this" event following a "that" event. In this demonstration a Tree node is used to keep track of the users with a "that" event until they have a "this" event.
Tutorial: Tree Node     Language: Define Alert     Module: Tree


N o d e B r a i n   0.9.04 (Columbo) 2015-09-24
Spec 0.0.904 built for x86_64-redhat-linux-gnu
Copyright (C) 2014-2015 Ed Trettevik <eat@nodebrain.org>
MIT or NodeBrain License
----------------------------------------------------------------
/usr/bin/nb = ++safe 
Date       Time     Message
---------- -------- --------------------------------------------
2017-06-23 15:21:42 NB000I NodeBrain nb[24690] apache@ip-172-31-40-21.us-west-2.compute.internal
2017-06-23 15:21:42 NB000I Argument [1] =
2017-06-23 15:21:42 NB000I Reading from standard input.
---------- --------
Rules
| define ThatUser node tree;
| # r1 will fire when a user has a "that" and we are not waiting for "this".
| # By placing the user in ThatUser, we start watching for "this".
| define r1 if(type="that" and ?ThatUser(user)) ThatUser(user);
| # r2 will fire when a user has a "this" following a "that".
| # By removing the user from ThatUser, we start watching for "that" again.
| define r2 if(type="this" and ThatUser(user)) ?ThatUser(user);
Transactions
| alert type="logon",user="fred";
| alert type="that",user="bill"; # r1 fires
2017-06-23 15:21:42 NB000I Rule r1 fired (ThatUser(user))
| alert type="that",user="bill";
| alert type="other",user="sally";
| alert type="that",user="fred"; # r1 fires
2017-06-23 15:21:42 NB000I Rule r1 fired (ThatUser(user))
| alert type="this",user="bill"; # r2 fires
2017-06-23 15:21:42 NB000I Rule r2 fired (?ThatUser(user))
| alert type="this",user="bill";
| alert type="this",user="fred"; # r2 fires
2017-06-23 15:21:42 NB000I Rule r2 fired (?ThatUser(user))
2017-06-23 15:21:42 NB000I NodeBrain nb[24690] terminating - exit code=0
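
The same correlation modeled in plain Python, as an added example that is not part of the NodeBrain demonstration. A set stands in for the ThatUser tree node, and the class and function names are assumptions made for illustration. Replaying the alerts from the Transactions section gives the same firing sequence as the log above.

```python
# Added example: a plain-Python model of rules r1 and r2 (not NodeBrain code).
from typing import Iterable, List, Optional, Set, Tuple

Event = Tuple[str, str]  # (type, user)


class ThisAfterThat:
    """Tracks users who have had a "that" event and are awaiting a "this"."""

    def __init__(self) -> None:
        # Plays the role of the ThatUser tree node: membership means "watching".
        self.that_user: Set[str] = set()

    def alert(self, etype: str, user: str) -> Optional[str]:
        # r1: "that" for a user not yet in ThatUser -> start watching for "this".
        if etype == "that" and user not in self.that_user:
            self.that_user.add(user)
            return "r1"
        # r2: "this" for a watched user -> report and start watching for "that" again.
        if etype == "this" and user in self.that_user:
            self.that_user.discard(user)
            return "r2"
        # Any other event, a repeated "that", or a "this" without a "that": no rule fires.
        return None


def replay(events: Iterable[Event]) -> Tuple[List[Tuple[str, str]], Set[str]]:
    """Feed events in order; return (rule firings, users still awaiting "this")."""
    engine = ThisAfterThat()
    fired: List[Tuple[str, str]] = []
    for etype, user in events:
        rule = engine.alert(etype, user)
        if rule is not None:
            fired.append((rule, user))
    return fired, set(engine.that_user)


# The alerts from the page's Transactions section, in the same order.
TRANSACTIONS: List[Event] = [
    ("logon", "fred"), ("that", "bill"), ("that", "bill"), ("other", "sally"),
    ("that", "fred"), ("this", "bill"), ("this", "bill"), ("this", "fred"),
]

if __name__ == "__main__":
    fired, pending = replay(TRANSACTIONS)
    for rule, user in fired:
        print(f"Rule {rule} fired for user={user}")
    print("still awaiting 'this':", sorted(pending))
```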