CEPQ
CEP is a large topic, and its details are covered separately.
For now, let's look at a few CEP queries that we add in the stream definition:
    "cepq":[
       {
          "name":"amount_exceed_fixed",
          "type":6,
          "tloc":86400,
          "fqry":{
             "name":"{\"query\":[{\"key\":\"amount\", \"cmp_op\":0, \"val\":10000}]}",
             "type":1
          },
          "notf":12345
       },
       {
          "name":"amount_exceed_avg",
          "type":6,
          "tloc":86400,
          "fqry":{
             "name":"{\"query\":[{\"key\":\"amount\", \"cmp_op\":0, \"val\":\"avg(account.amount, h_1, more_10)\"}],\"qtype\":3}",
             "type":1
          },
          "notf":12345
       },
       {
          "name":"txn_fraud_case",
          "type":1,
          "tloc":1000,
          "ratr":[ "txnid", "loc" ],
          "rstm":"account",
          "iatr":[ "name", "balance", "txnid", "loc" ],
          "jqry":{
             "cond":[ "txnid", "loc" ],
             "opid":11,
             "args":[ "txnid", "loc" ],
             "cmp":[ "EQ", "NE" ]
          },
          "cond":[
             { "name":"NUMT", "val":1, "opid":1 },
             { "name":"DUR", "val":100, "opid":0 }
          ],
          "ostm":"txn_fraud",
          "notf":11111
       }
    ]

The first query simply applies the rule amount > 10000 and, if it is true, notifies using notification id 12345.
The second one does the same, but it uses amount > avg(amount) of an hour + 10%, that is, the average amount for an hour plus 10% extra.
The third one finds fraud in transactions where the same transaction id is used in two different transactions with different locations within 100 sec.
These CEP queries involve a single stream only; we can also do this for more than one stream.
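To make the three rules concrete, here is an added plain-Python model of their logic run over constructed events; it is not BangDB code and does not use the BangDB API. It assumes `h_1` is a trailing one-hour window over all events in the stream, `ts` is in seconds, and the function and field names (`evaluate`, `ts`) are hypothetical.

```python
from collections import deque

FIXED_LIMIT = 10000    # "val":10000 in amount_exceed_fixed
AVG_WINDOW_S = 3600    # h_1: one hour (assumed to be a trailing window)
AVG_MARGIN = 1.10      # more_10: 10% above the average
FRAUD_WINDOW_S = 100   # "DUR":100, seconds per the description above


def evaluate(events):
    """Return (rule_name, txnid, ts) alerts for events sorted by ts."""
    alerts = []
    recent = deque()   # (ts, amount) pairs inside the averaging window
    seen = {}          # txnid -> [(ts, loc)] inside the fraud window
    for ev in events:
        ts, amount, txnid, loc = ev["ts"], ev["amount"], ev["txnid"], ev["loc"]
        # Rule 1: amount above the fixed threshold
        if amount > FIXED_LIMIT:
            alerts.append(("amount_exceed_fixed", txnid, ts))
        # Rule 2: amount above the trailing hourly average plus 10%
        while recent and ts - recent[0][0] > AVG_WINDOW_S:
            recent.popleft()
        if recent:
            avg = sum(a for _, a in recent) / len(recent)
            if amount > avg * AVG_MARGIN:
                alerts.append(("amount_exceed_avg", txnid, ts))
        recent.append((ts, amount))
        # Rule 3: same txnid (EQ), different loc (NE), within 100 seconds
        prior = [(t, p) for t, p in seen.get(txnid, []) if ts - t <= FRAUD_WINDOW_S]
        if any(p != loc for _, p in prior):
            alerts.append(("txn_fraud_case", txnid, ts))
        seen[txnid] = prior + [(ts, loc)]
    return alerts


# Constructed sample events (not from the page)
SAMPLE = [
    {"ts": 0, "amount": 100, "txnid": "t1", "loc": "NYC"},
    {"ts": 30, "amount": 105, "txnid": "t2", "loc": "NYC"},
    {"ts": 60, "amount": 500, "txnid": "t3", "loc": "NYC"},
    {"ts": 90, "amount": 120, "txnid": "t3", "loc": "LON"},
    {"ts": 400, "amount": 12000, "txnid": "t3", "loc": "PAR"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```

The last event reuses `t3` from a third location but falls outside the 100-second window, so it triggers only the two amount rules and not `txn_fraud_case`.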
See CEP details for more info.