Correlate rule syntax

The following figure shows the Correlate rule syntax.

Correlate rule syntax

correlate <RuleName> :  : { description=<Expression> }
   <ClassName> ($<Variable>) ## Effect
      ECF
   with <ClassName> ($<Variable>) ## Cause
      ECF
   within <TimeFrame>
   when <Variable>.<SlotName>: <RelationalOperator> <Value>
   {
      <Call> ;
      <Variable>.<SlotName> = <Value> ;
   }
   with <ClassName> ($<Variable>) ## Cause
      ECF
   within <TimeFrame>
   when <Variable>.<SlotName>: <RelationalOperator> <Value>
      {
         <Call> ;
         <Variable>.<SlotName> = <Value> ;
      }
   ...
END

Option	Description
`description (Variable)`	Description of the rule
`with`	Specifies the attributes for the event If more than one With clause exists in a rule, the order implies the degree of correlation. For example, the first With clause has a stronger correlation than the second With clause. If a correlation already exists for the second With clause and a new event arrives that matches the first With clause, the correlation is broken with the second With clause and established with the first With clause. Note You can use a With clause to create a correlation within a time frame.
`within`	Specifies the maximum time difference, in seconds, between the cause and effect events for them to be considered as correlated You can use the `s`, `m`, `h`, and `d` operators to express time, respectively, in seconds, minutes, hours, or days. The time frame can be an expression although this expression cannot refer to events or data objects. Only global records are permitted in the time expression.
`when`	Are evaluated when either a cause event or an effect event is received and when a slot change has occurred from any of them

Correlate rule syntax

Comments