
We have a requirement where multiple events will be matched through the given pattern.

Pattern 1, followed within 10 mins by Pattern 2, followed within 10 mins by Pattern 3.

Pattern 1: 10 failed logins from the same username and same device within 10 mins.

Pattern 2: 10 failed logins from the same username and distinct devices within 10 mins.

Pattern 3: successful logins from the same username and any device.

Kindly let me know how Apache Flink can manage this kind of scenario.

JDForLife

1 Answer


Here's an approach based on hierarchical, or layered, decomposition. Match the inner patterns, creating a new stream based on these matches, and then apply an outer (uber) pattern to this new, higher-level stream.

Implement a query Q1 that uses match_recognize to match Pattern 1, producing a table like this as its result:

Query Username TimeOf10thFailedLogin
----- -------- ---------------------
Q1    david    2021-11-11 22:55:19
Q1    fred     2021-11-11 23:10:16

and a query Q2 that produces a table like this for Pattern 2:

Query Username TimeOf1stFailedLogin
----- -------- --------------------
Q2    david    2021-11-11 22:57:19
Q2    fred     2021-11-11 23:11:16

Do something similar with Q3.

Then apply a new uber-pattern to

select * from Q1 union all select * from Q2 ...

or simply join the tables on the appropriate conditions.

For an example of using match_recognize to match the inner patterns, see https://stackoverflow.com/a/69749807/2000823.

David Anderson
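A Flink SQL sketch of the layered approach the answer describes (Q1 for Pattern 1, Q3 for Pattern 3, and an interval join as the outer layer), added here as an example and not code from the answer or from the Flink project. The `logins` table, its `status` values, the view names and the source connector placeholder are assumptions; Pattern 2's distinct-device condition is left out because it does not fit a single MATCH_RECOGNIZE clause.

```sql
-- Constructed schema (assumption): one row per login attempt.
-- event_time is declared as a rowtime attribute so that WITHIN and
-- the interval join below are evaluated on event time.
CREATE TABLE logins (
    username   STRING,
    device     STRING,
    status     STRING,      -- assumed values: 'FAILED' or 'SUCCESS'
    event_time TIMESTAMP(3),
    WATERMARK FOR event_time AS event_time - INTERVAL '5' SECOND
) WITH ('connector' = '<your-source-connector>');  -- placeholder

-- Q1 (Pattern 1): 10 consecutive failed logins for the same username on
-- the same device inside 10 minutes. Partitioning by (username, device)
-- makes "same device" part of the pattern key. A SUCCESS row in between
-- breaks the run, so this is a slightly stricter reading than "10 failed".
CREATE VIEW q1 AS
SELECT username, device, t10_failed
FROM logins
    MATCH_RECOGNIZE (
        PARTITION BY username, device
        ORDER BY event_time
        MEASURES
            -- MATCH_ROWTIME() is the rowtime of the last matched row (the
            -- 10th failure) and, unlike LAST(F.event_time), keeps the
            -- column a time attribute, which the interval join needs.
            MATCH_ROWTIME() AS t10_failed
        ONE ROW PER MATCH
        AFTER MATCH SKIP PAST LAST ROW
        PATTERN (F{10}) WITHIN INTERVAL '10' MINUTE
        DEFINE
            F AS F.status = 'FAILED'
    ) AS m;

-- Q3 (Pattern 3): every successful login, from any device.
CREATE VIEW q3 AS
SELECT username, device AS success_device, event_time AS t_success
FROM logins
WHERE status = 'SUCCESS';

-- Outer layer: an interval join expresses "Pattern 3 within 10 minutes
-- after Pattern 1". Pattern 2 would be a third view chained the same way.
SELECT q1.username, q1.device, q1.t10_failed,
       q3.success_device, q3.t_success
FROM q1
JOIN q3
  ON q1.username = q3.username
 AND q3.t_success BETWEEN q1.t10_failed
                      AND q1.t10_failed + INTERVAL '10' MINUTE;
```

Because each layer emits a stream with a time attribute, the same interval-join shape can be repeated to insert Q2 between q1 and q3, and the final result is itself a stream that a downstream alert sink can consume.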