Specifying event duration and maximum number of events
In an input definition, you can specify a within clause that indicates how long an event can remain in the window and a retain clause that indicates how many events can be in the window. When you specify both a within clause and a retain clause, the within clause must come before the retain clause. For example:
query FraudulentWithdrawalDetection3 {
    inputs {
        Withdrawal() key userId within 1 hour retain 3;
    }
    find Withdrawal:w1 -> Withdrawal:w2 where w1.city != w2.city {
        log "Suspicious withdrawal: " + w2.toString() at INFO;
    }
}
In this query, a Withdrawal event can be in the window for up to one hour and only the three most recent Withdrawal events, if each one arrived during the previous hour, can be in the window. In other words, the window cannot contain an event that arrived more than an hour ago and it cannot contain more than three events. If only two Withdrawal events arrived in the previous hour then there would be only two events in the window.
Suppose that at the indicated times the following events are added to the window in the partition identified by the userId Dan:
Time | Event Added to Window |
10:00 | Withdrawal("Dan", "Dublin") |
10:10 | Withdrawal("Dan", "London") |
10:20 | Withdrawal("Dan", "London") |
10:30 | Withdrawal("Dan", "London") |
11:30 | Withdrawal("Dan", "Paris") |
For the partition identified by userId Dan, the query evaluates the pattern at the following times:
Time | Window Contents | Matching Events |
10:00 | Withdrawal("Dan", "Dublin") | |
10:10 | Withdrawal("Dan", "Dublin"); Withdrawal("Dan", "London") | w1=Withdrawal("Dan","Dublin"); w2=Withdrawal("Dan","London") |
10:20 | Withdrawal("Dan", "Dublin"); Withdrawal("Dan", "London"); Withdrawal("Dan", "London") | w1=Withdrawal("Dan","Dublin"); w2=Withdrawal("Dan","London") |
10:30 | Withdrawal("Dan", "London"); Withdrawal("Dan", "London"); Withdrawal("Dan", "London") | |
11:30 | Withdrawal("Dan", "Paris") | |
It is important to note that at 10:30 the Withdrawal("Dan", "Dublin") event that arrived at 10:00 is no longer in the window because the window retains three events at most and there are three Withdrawal events that have been added to the window more recently. Also, at 11:30 there are no Withdrawal("Dan","London") events in the window; they have been ejected because more than one hour has elapsed since each one was added to the window.
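The trace above can be reproduced with a small Python model of the window. This is an added example, not Apama code or part of the original page. The names `WithdrawalWindow` and `replay` are hypothetical, and the model assumes that an event exactly one hour old is already ejected (as the 11:30 row shows) and that w2 is always the newest event in the window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class WithdrawalWindow:
    """Model of `Withdrawal() key userId within 1 hour retain 3` (not Apama code)."""

    def __init__(self, within=timedelta(hours=1), retain=3):
        self.within, self.retain = within, retain
        self.partitions = defaultdict(deque)  # userId -> deque of (time, city)

    def add(self, when, user_id, city):
        """Add one event; return (cities left in the window, match or None)."""
        window = self.partitions[user_id]
        window.append((when, city))
        # within: eject events whose age has reached the duration. Assumption:
        # an event exactly one hour old counts as expired, as in the 11:30 row.
        while window and when - window[0][0] >= self.within:
            window.popleft()
        # retain: keep only the most recent `retain` events.
        while len(window) > self.retain:
            window.popleft()
        return [c for _, c in window], self._match(window)

    @staticmethod
    def _match(window):
        """w1 -> w2 where w1.city != w2.city. Assumption: w2 is the newest event."""
        *earlier, (_, w2_city) = window
        for _, w1_city in reversed(earlier):
            if w1_city != w2_city:
                return (w1_city, w2_city)
        return None


# The five events from the page's table; the calendar date is constructed.
EVENTS = [("10:00", "Dan", "Dublin"), ("10:10", "Dan", "London"),
          ("10:20", "Dan", "London"), ("10:30", "Dan", "London"),
          ("11:30", "Dan", "Paris")]


def replay(events):
    """Feed events in time order; return one (time, window, match) row each."""
    model = WithdrawalWindow()
    rows = []
    for hhmm, user_id, city in events:
        when = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
        rows.append((hhmm, *model.add(when, user_id, city)))
    return rows
```

Calling `replay(EVENTS)` returns one row per table line, which makes it easy to see how a different retain count or within duration changes which withdrawals can still be compared.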