select fraud.accountNumber as accntNum, fraud.warning as warn, withdraw.amount as amount, MAX( fraud.timestamp, withdraw.timestamp) as timestamp, 'withdrawlFraud' as desc from FraudWarningEvent.win:time(30 min) as fraud, WithdrawalEvent.win:time(30 sec) as withdraw where fraud.accountNumber=withdraw.accountNumber</span>
//模式匹配的是在接下来60秒钟IBM股票值大于80的所有事件 every StockTickEvent(symbol="IBM", price>80) where timer:within(60 seconds)
//每小时的第5分钟给出提醒: every timer:at(5, *, *, *, *)
//当A事件发生时,如果后面跟的是B事件或C事件,则给出提醒(输出A事件) A -> ( B or C )
//匹配的是每一个EventX,如果后跟EventY事件,并且其objectID和EventX的objectID一样,则给出提醒(输出a事件): every a=EventX -> every b=EventY(objectID=a.objectID)
select a.id, count(*) from pattern [ every a=Status -> (timer:interval(10 sec) and not Status(id=a.id) ] group by id
create window AlertNamedWindow as (origin string, priority string, alarmNumber long)
当事件到达时,可以触发一个select、update或delete操作。下面是一个select应用,简单的统计数据窗口中的记录行总数:on TriggerEvent select count(*) from AlertNamedWindow
select * from AlertNamedWindow
match_recognize (
partition by origin
measures a1.origin as origin, a1.alarmNumber as alarmNumber1, a2.alarmNumber as alarmNumber2
pattern (a1 a2)
define a1 as a1.priority = 'high',
a2 as a2.priority = 'medium' )
在EPL设计时,根据业务需求,如果能通过标准的SQL语法完成的,尽量不要使用匹配模式,因为在运行时,需要对Pattern进行额外的解析,其规则较SQL复杂,性能上有少许损耗。
数据窗口的使用,能够使得Esper处理更为复杂的应用场景,比如与分布式缓存、静态数据的使用等。变量不难理解,不管是高级的开发语言如java、C/C++,还是脚本语言如ruby、JS等,都有变量的概念,其使用范围,仅限于当前的Esper引擎实例。