Time windows use a stream policy that specifies how long an entity remains in the window. See Stream Policy.The expiry time is calculated from a start time. You can use the event or concept's timestamp property to define the start time. Otherwise, the time the event or concept entered the window is used as the default start time.
The above query holds PizzaOrderEvents for 45 minutes in a time window. The window uses the default timestamp that is associated with the event when it enters the query.emit: dead clauseWithout an emit: dead clause, the query would produce the event as its output as soon as it arrives. But because of the emit: dead clause, it is delayed for the amount of time specified in the window.
select count(*) from /NetworkPing {policy: maintain last 2 minutes} dosattack group by 1 having count(*) > 120;
The above query maintains the count on a 2 minute time window over network ping events. Whenever the number of pings in the last two minutes goes above 120, it produces output that can be treated as an attack.
Copyright © TIBCO Software Inc. All Rights Reserved.