Apama 10.15.0 | Developing Apama Applications | Developing Apama Applications in EPL | Defining Queries | Finding and acting on event patterns | Defining event patterns
 
Defining event patterns
 
Query followed-by operator
Query and operator
Query or operator
Query wait operator
Query conditions
Query condition ranges
Special behavior of the and operator
Aggregating event field values
In a query definition, you specify a find statement when you want to detect a particular event pattern. The find statement specifies the event pattern of interest followed by a procedural block that specifies what you want to happen when a match is found. For example:
query ImprobableWithdrawalLocations
{
inputs {
Withdrawal() key cardNumber within 24 hours;
}
find
Withdrawal as w1 -> Withdrawal as w2 where w2.country != w1.country {
log "Suspicious withdrawal: " + w2.toString() at INFO;
}
}
In this example, the window that the query operates on contains any Withdrawal events that have arrived in the last 24 hours. The key is the card number so each partition contains only Withdrawal events that have the same value in their cardNumber field. In other words, each partition contains the Withdrawal events for one particular account. For more information about input definitions, see Defining query input.
The find statement specifies that the event pattern of interest is a Withdrawal event followed by another Withdrawal event.
In each partition, the where clause filters the Withdrawal events so that there is a match only when the values of their country fields are different. The two event templates in the find statement coassign matching Withdrawal events to w1 and w2, respectively.
In this example, the two matching Withdrawal events might or might not have arrived in the partition consecutively. For details, see Query followed-by operator.
When there is a match the query executes the action in the find block.
The format for defining a find statement is as follows:
find
[every] [wait duration as identifier]
event_type as identifier [find_operator event_type as identifier]...
[wait duration as identifier]
[where_clause] [within_clause] [without_clause]
[select_clause] [having_clause] {
block
}
Syntax Element
Description
event_type
Name of the event type you are interested in. You must have specified this event type in the inputs section.
every
Specify the optional every modifier in conjunction with the select and having clauses. This lets you specify a pattern that aggregates event field values in order to find data based on many sets of events. See Aggregating event field values.
wait
Specify the optional wait modifier followed by a time literal or a float expression. A wait modifier indicates a period of elapsed time at the beginning of the event pattern and/or at the end of the event pattern. A float expression always indicates a number of seconds, See Query wait operator.
identifier
Coassign the matching event to this identifier. A coassignment variable specified in an event pattern is within the scope of the find block and it is a private copy in that block. The exception to this is in an aggregating find statement, only the projection expression can use the coassignments from the pattern. The procedural block of code can use projection coassignments and any parameters, but it cannot use coassignments from the pattern. Changes to the content that the variable points to do not affect any values outside the query.
Unlike EPL event expressions, you need not declare this identifier before you coassign a value to it.
In an event pattern in a find statement, each coassignment variable identifier must be unique. You must ensure that an identifier in an event pattern does not conflict with an identifier in the parameters section, or inputs section.
find_operator
Optionally specify and or -> and then specify an event_type and coassignment variable. Parentheses are allowed in the pattern specification and you can specify multiple operators, each followed by an event_type and coassignment variable. For example, the following is a valid find statement:
find (A as a1 -> ((A as a2)) -> (A as a3) ->
(A as a4 -> A as a5 -> A as a6) ->
(((A as a7) -> A as a8) -> A as a9) ->
A as a10)
{
print "query with 10: "+a1.toString()+ "
- "+a10.toString();
}
You can use either as or the colon (:) as the coassignment operator.
where_clause
To filter which events match, specify where followed by a Boolean expression that refers to the events you are interested in. The Boolean expression must evaluate to true for the events to match. The where clause is optional. Coassignment variables specified in the find or select statements are in scope in the where clause. Also available in a where clause are any parameter values and key values. This where clause applies to the event pattern and is referred to as a find where clause to distinguish it from a where clause that is part of a without cause, which is referred to as a without where clause. See Query conditions.
within_clause
A within clause sets the time period during which events in the match set must have been added to their windows. A pattern can specify zero, one, or more within clauses. See Query conditions.
without_clause
A without clause specifies event types whose presence prevents a match. See Query conditions.
select_clause
A select clause indicates that aggregate values are to be computed. See Aggregating event field values.
having_clause
A having clause restricts when the procedural code is invoked for a pattern that aggregates values. See Aggregating event field values.
block
Specify one or more statements that operate on the matching event(s). For details about code that is permissible in the find block, see Acting on pattern matches.
Items available in a find block can include:
*Any parameters defined in the parameters section
*Coassignment variables specified in the event pattern (or projection coassignments in the case of aggregating find statements).
*Key values