define stream rawStream (catBehavior string, catOutcome string, srcAddress string, deviceCat string,
    srcUsername string, catObject string, destAddress string, appProtocol string,
    testMinCount string, testGroupBy string);

@info(name = 'condition1')
from rawStream[catBehavior == '/Authentication/Verify']
select srcAddress, catOutcome, deviceCat, srcUsername, destAddress, appProtocol,
    testMinCount, distinctcount(testMinCount) as distinctMinCount, testGroupBy, count() as count
group by testGroupBy
insert into e1_OutputStream;
This is the query I defined, and the events I sent are:
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol,dis0,group1]
...
rawStream=[/Authentication/Verify,FAIL,1.1.1.1,deviceCat,srcUsername,catObject,destAddress,appProtocol,dis9,group9]
and the result turns out that the count is incremented (++) per event:
[
{
"timestamp": 1482803288482,
"data": [
...
"dis0",
1,
"group1",
1
],
"isExpired": false
}
][
{
"timestamp": 1482803288482,
"data": [
...
"dis9",
9,
"group9",
9
],
"isExpired": false
}
]
But in the correlation part, I want to correlate, and one condition is to filter a group (or window), like "if events in group(username) > 20 then". What should I do?
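One way to express a "more than 20 failed verifications for the same username" condition in Siddhi, as an added example that is not part of the original post; the 10-minute window length, the `alertStream` name and the `failCount` alias are assumptions:

```siddhi
define stream rawStream (catBehavior string, catOutcome string, srcAddress string, deviceCat string,
    srcUsername string, catObject string, destAddress string, appProtocol string,
    testMinCount string, testGroupBy string);

-- Assumed output stream: one event per user whose failure count crosses the threshold.
define stream alertStream (srcUsername string, failCount long);

-- Count FAIL outcomes of '/Authentication/Verify' per srcUsername inside a sliding
-- 10-minute window (assumed length), and emit only the groups whose count exceeds 20.
@info(name = 'failedAuthBurst')
from rawStream[catBehavior == '/Authentication/Verify' and catOutcome == 'FAIL']#window.time(10 min)
select srcUsername, count() as failCount
group by srcUsername
having failCount > 20
insert into alertStream;
```

Without a window, as in `condition1`, the `group by` counts accumulate for the whole lifetime of the query, which is why the count keeps growing per event; `#window.time` bounds the count to recent events, and `having` applies the threshold to each group after aggregation.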