[Original] streaminsight query series (17th)-query mode to cope with transient and alarm flooding

The previous article introduced the left Outer Join section in the query mode. This blog article describes how to handle alarms and transient conditions in streaminsight.

Transient

We use an example to explain how to use streaminsight to handle transient situations, for example:

Set the "alarm value" for a specific event. If no new event appears within 2 minutes, an alarm is generated?

As shown in the following figure, we want to trigger an alarm for a transient event that does not appear within 2 minutes after the event with status 1 occurs.

var sourceData = new[]{    new { Status = 1, TimeStamp = DateTime.Parse("10/23/2009 4:12:00 PM") },    new { Status = 0, TimeStamp = DateTime.Parse("10/23/2009 4:13:00 PM") },    new { Status = 1, TimeStamp = DateTime.Parse("10/23/2009 4:14:00 PM") },    new { Status = 0, TimeStamp = DateTime.Parse("10/23/2009 4:15:00 PM") },    new { Status = 0, TimeStamp = DateTime.Parse("10/23/2009 4:16:00 PM") },    new { Status = 1, TimeStamp = DateTime.Parse("10/23/2009 4:30:00 PM") },    new { Status = 0, TimeStamp = DateTime.Parse("10/23/2009 4:35:00 PM") },};var source = sourceData.ToPointStream(Application, ev =>    PointEvent.CreateInsert(ev.TimeStamp.ToLocalTime(), ev),    AdvanceTimeSettings.StrictlyIncreasingStartTime);

Modify the lifecycle of an event stream whose status is 0 (2 minutes in advance), and use the left-side outer join and the event stream whose status is 1 to link these events:

var result = from alarm in source.Where(e => e.Status == 1)             where (from nextevent in source                        .AlterEventLifetime(                            e => e.StartTime.Subtract(TimeSpan.FromMinutes(2)),                            e => timeout)                    where nextevent.Status == 0                    select nextevent).IsEmpty()             select alarm;

The result is as follows:

Alert flood

The so-called "alarm flood" refers to the alarm condition for a specific event. If an alarm occurs, the subsequent alarms will be ignored (for example, "I already know that the door is not closed, please stop telling me ").

In the following example, we define "status" as 0 to indicate normal conditions, and "status" as 1 to indicate an alarm. In addition, we set a 10-minute time window to avoid alarm flooding, and hope that the final result is to filter out other events that occur at and.

var sourceData2 = new[]{    new { Status = 0, TimeStamp = DateTime.Parse("10/23/2009 4:00:00 PM") },    new { Status = 0, TimeStamp = DateTime.Parse("10/23/2009 4:10:00 PM") },    new { Status = 1, TimeStamp = DateTime.Parse("10/23/2009 4:12:00 PM") },    new { Status = 1, TimeStamp = DateTime.Parse("10/23/2009 4:13:00 PM") },    new { Status = 1, TimeStamp = DateTime.Parse("10/23/2009 4:14:00 PM") },    new { Status = 1, TimeStamp = DateTime.Parse("10/23/2009 4:15:00 PM") },    new { Status = 0, TimeStamp = DateTime.Parse("10/23/2009 4:20:00 PM") },    new { Status = 0, TimeStamp = DateTime.Parse("10/23/2009 4:30:00 PM") },    new { Status = 1, TimeStamp = DateTime.Parse("10/23/2009 4:35:00 PM") },};var source2 = sourceData2.ToPointStream(Application, ev =>    PointEvent.CreateInsert(ev.TimeStamp.ToLocalTime(), ev),    AdvanceTimeSettings.StrictlyIncreasingStartTime);

To solve this problem, we can:

1. Filter out alarm events;
2. Extend the alert event duration to 10 minutes;
3. Count in the snapshot window;
4. Change the event stream with the number of occurrences of 1 to the event stream of the point type, and connect it with the original event stream to get the result.

Steps 1, 2, and 3 can be written in the same query:

// Extend the alert event duration to 10 minutes and count var counts = from win in source2 In the snapshot window. where (E => E. status = 1 ). altereventduration (E => timespan. fromminutes (10 )). snapshotwindow (snapshotwindowoutputpolicy. clip) Select New {COUNT = win. count ()};

Step 2:

// Events with a count of 1 contain the initial alarm event // convert the event type to a point event and connect it with the original stream to obtain the result var result2 = from C in counts. where (E => E. count = 1 ). topointeventstream () from E in source2 select E;

The final result is as follows:

The next article describes the trend discovery in the streaminsight query mode.