Query wait operator
You can specify the wait operator in an event pattern. The wait operator indicates that there must be a time interval either at the beginning of the matching pattern or at the end of the matching pattern. The format for specifying the wait operator is as follows:
wait ( durationExpression ) as coassignmentId
You can use either as or the colon (:) as the coassignment operator.
Syntax Element | Description |
durationExpression | A time literal (such as 2 min 3 seconds) or a float expression. A float expression can use constants and parameters. It indicates a number of seconds. |
coassignmentId | |
Typically, you specify the wait operator in conjunction with an event pattern condition. For example:
find A as a -> B as b -> wait(10) as t
without X as x between ( b t )
There is a match for this pattern when these things happen in this order:
1. An A event is added to a window in a partition.
2. A B event is added to a window in the same partition.
3. Ten seconds go by without an X event being added to a window in that partition.
The wait operator is allowed only when it is unambiguously at the beginning or unambiguously at the end of a pattern that uses the followed-by operator. For example:
X as x -> wait(1.0) -> Y as y // Not allowed
X as x and wait(1.0) and Y as y // Not allowed
X as x and Y as y and wait(1.0) // Not allowed
wait(1.0) -> (X as x and Y as y) // Allowed
wait(1.0) -> X as x -> Y as y -> wait(1.0) // Allowed
The following code fragment detects the opening of a door without security authorization:
find wait( 5 seconds ) as p -> DoorOpened as e
without SecurityAuthorization as s where s.doorId = e.doorId {
emit UnauthorizedAccess(e.doorId);
}
Suppose the following events were received:
Time | Event |
00 | SecurityAuthorization("door1") |
02 | DoorOpened("door1") |
07 | DoorOpened("door1") |
15 | DoorOpened("door2") |
The first DoorOpened event for door1 does not generate an alert because a SecurityAuthorization event was received within the 5 seconds that preceded the first DoorOpened event and the doorId field is the same for both events. That is, because the Boolean expression in the where clause of the without clause evaluates to true, a match is prevented and so an alert is not sent.
The second DoorOpened event for door1 causes an UnauthorizedAccess alert because the SecurityAuthorization event was received more than 5 seconds before the second DoorOpened event for door1.
The DoorOpened event for door2 causes an UnauthorizedAccess alert because a SecurityAuthorization event was not received within the 5 seconds that preceded that DoorOpened event. Since there was no SecurityAuthorization event, the Boolean expression in the where clause that is in the without clause evaluates to false, which allows a match.
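The outcome described above can be checked with a small model of the pattern. This is an added Python example, not Apama code and not part of the original documentation; the function name detect_unauthorized is hypothetical, and it assumes that an authorization received exactly 5 seconds before a DoorOpened event still counts as within the interval.

```python
# Added illustration: Python model of the page's "DoorOpened without a
# SecurityAuthorization in the preceding 5 seconds" pattern. Not Apama code.
from collections import defaultdict, deque

WAIT_SECONDS = 5.0  # duration taken from wait( 5 seconds )

# Sample stream from the page's table, as (time, event type, doorId).
EVENTS = [
    (0, "SecurityAuthorization", "door1"),
    (2, "DoorOpened", "door1"),
    (7, "DoorOpened", "door1"),
    (15, "DoorOpened", "door2"),
]


def detect_unauthorized(events, wait=WAIT_SECONDS):
    """Return (time, doorId) for each DoorOpened event that has no
    SecurityAuthorization for the same door in the preceding `wait` seconds."""
    recent_auth = defaultdict(deque)  # doorId -> authorization times, oldest first
    alerts = []
    for t, kind, door in sorted(events, key=lambda e: e[0]):
        auths = recent_auth[door]
        # Expire authorizations older than the wait interval. Assumption: an
        # authorization exactly `wait` seconds old still prevents a match.
        while auths and t - auths[0] > wait:
            auths.popleft()
        if kind == "SecurityAuthorization":
            auths.append(t)
        elif kind == "DoorOpened" and not auths:
            # Nothing left that satisfies s.doorId = e.doorId, so the
            # without clause does not prevent the match.
            alerts.append((t, door))
    return alerts


if __name__ == "__main__":
    for t, door in detect_unauthorized(EVENTS):
        print(f"{t:02d} UnauthorizedAccess({door})")
```

Keeping authorization times per doorId mirrors the where clause: an authorization for one door never suppresses an alert for another.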