NodeBrain  Demonstration Site
A Rule Engine for State and Event Monitoring     

ThisSoonAfterThat

Next  Prior  Up        Home        
Suppose you have a simple stream of events with attributes "type" and "user". Now let's say you want to know when any given user has a "this" event following a "that" event within some period, say 5 minutes. In this demonstration a Cache node is used to keep track of the users with a "that" event within the last 5 minutes, or until a "this" event for the same user.

Because this demonstration interface runs all the transactions through quickly, you don't get to see that users are removed from ThatUser automatically after 5 minutes. You will have to just trust that they are until you can test it on your own machine.

Tutorial: Cache Node     Language: Define Alert     Module: Cache

Rules

Transactions

Log

again after modifications.     Reset to orignal rules and transactions.

N o d e B r a i n   0.9.04 (Columbo) 2015-09-24
Spec 0.0.904 built for x86_64-redhat-linux-gnu
Copyright (C) 2014-2015 Ed Trettevik <eat@nodebrain.org>
MIT or NodeBrain License
----------------------------------------------------------------
/usr/bin/nb = ++safe 
Date       Time     Message
---------- -------- --------------------------------------------
2017-06-23 15:21:19 NB000I NodeBrain nb[24686] apache@ip-172-31-40-21.us-west-2.compute.internal
2017-06-23 15:21:19 NB000I Argument [1] =
2017-06-23 15:21:19 NB000I Reading from standard input.
---------- --------
Rules
| define ThatUser node cache:(~(5m):user);
| # r1 will fire when a user has a "that".
| # By placing the user in ThatUser, we start watching for "this" for 5 minutes
| define r1 if(type="that") ThatUser(user);
| # r2 will fire when a user has a "this" following a "that".
| # By removing the user from ThatUser, we stop watching for "this"
| # until we get another "that".
| define r2 if(type="this" and ThatUser(user)) !ThatUser(user);
Transactions
| alert type="logon",user="fred";
| alert type="that",user="bill"; # r1 fires
2017-06-23 15:21:19 NB000I Rule r1 fired (ThatUser(user))
| alert type="that",user="bill"; # r1 fires to reset timer
2017-06-23 15:21:19 NB000I Rule r1 fired (ThatUser(user))
| alert type="other",user="sally";
| alert type="that",user="fred"; # r1 fires
2017-06-23 15:21:19 NB000I Rule r1 fired (ThatUser(user))
| alert type="this",user="bill"; # r2 fires
2017-06-23 15:21:19 NB000I Rule r2 fired (!ThatUser(user))
| alert type="this",user="bill";
| alert type="this",user="fred"; # r2 fires
2017-06-23 15:21:19 NB000I Rule r2 fired (!ThatUser(user))
2017-06-23 15:21:19 NB000I NodeBrain nb[24686] terminating - exit code=0