
Apache Flink - Matching multiple patterns

We have a requirement where multiple events will be matched through the given pattern.

Pattern 1 followed by within 10 mins Pattern 2 followed by within 10 mins Pattern 3.

Pattern 1: 10 failed logins from the same username and same device within 10 mins.

Pattern 2: 10 failed logins from the same username and distinct devices within 10 mins.

Pattern 3: successful logins from the same username and any device.

Kindly let me know how Apache Flink can manage this kind of scenario.

Here's an approach based on hierarchical, or layered, decomposition. Match the inner patterns, creating a new stream based on these matches, and then apply an outer (uber) pattern to this new, higher-level stream.

Implement a query Q1 that uses match_recognize to match Pattern 1, producing a table like this as its result:

Query Username TimeOf10thFailedLogin
----- -------- ---------------------
Q1    david    2021-11-11 22:55:19
Q1    fred     2021-11-11 23:10:16

and a query Q2 that produces a table like this for Pattern 2:

Query Username TimeOf1stFailedLogin
----- -------- --------------------
Q2    david    2021-11-11 22:57:19
Q2    fred     2021-11-11 23:11:16

Do something similar with Q3.

Then apply a new uber-pattern to

select * from Q1 union all select * from Q2 ...

or simply join the tables on the appropriate conditions.

For an example of using match_recognize to match the inner patterns, see https://stackoverflow.com/a/69749807/2000823 .
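The layered decomposition described in the answer above, modelled in plain Python as an added example; it is not part of the original answer and is not Flink code. The event tuple layout, the function names and the rule that each step must start within 10 minutes of the previous match's end are assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW = 600     # 10 minutes, in seconds
THRESHOLD = 10   # failed logins needed for Pattern 1 and Pattern 2

def inner_matches(events):
    """Layer 1 (the role of Q1, Q2, Q3): (ts, user, device, ok) -> (start, end, user, tag)."""
    same = defaultdict(deque)   # (user, device) -> recent failure timestamps
    multi = defaultdict(dict)   # user -> {device: latest failure timestamp}
    out = []
    for ts, user, device, ok in sorted(events):
        if ok:
            out.append((ts, ts, user, "Q3"))
            continue
        q = same[(user, device)]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) == THRESHOLD:
            out.append((q[0], ts, user, "Q1"))
            q.clear()
        seen = multi[user]
        seen[device] = ts
        for stale in [d for d, t in seen.items() if ts - t > WINDOW]:
            del seen[stale]
        if len(seen) == THRESHOLD:
            out.append((min(seen.values()), ts, user, "Q2"))
            seen.clear()
    return out

def outer_matches(matches):
    """Layer 2 (the uber-pattern): Q1 -> Q2 -> Q3 per user over the unioned match stream."""
    order, state, alerts = ["Q1", "Q2", "Q3"], {}, []
    for start, end, user, tag in sorted(matches, key=lambda m: m[1]):
        step, last_end = state.get(user, (0, 0))
        if step and start - last_end > WINDOW:
            step = 0                      # chain timed out, start over
        if tag == order[step] and (step == 0 or start >= last_end):
            step, last_end = step + 1, end
        elif tag == "Q1" and step == 1:
            last_end = end                # keep the most recent Pattern 1 match
        if step == len(order):
            alerts.append((user, end))
            step = 0
        state[user] = (step, last_end)
    return alerts

# Constructed sample data: david triggers all three patterns, fred only 1 and 3.
EVENTS = [(30 * i, u, u + "-dev0", False) for u in ("david", "fred") for i in range(10)]
EVENTS += [(280 + 20 * i, "david", f"david-dev{i}", False) for i in range(1, 11)]
EVENTS += [(500, "david", "david-dev3", True), (300, "fred", "fred-dev0", True)]

if __name__ == "__main__":
    print(outer_matches(inner_matches(EVENTS)))
```

In Flink the inner layer would be the match_recognize queries and the outer layer a further pattern over their union; the model only shows how the two layers compose and where the 10-minute limits apply.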
