Rule-triggering Timing

Rule-processing sessions are associated with Group By tuples (for example, a particular pairing of source and target address).

A match occurs when all the conditions of the rule are met.

The first match associated with a new tuple creates a new session. It also triggers onFirstEvent and onEveryEvent. The system then sets the start time for the first time window.

Subsequent matches will trigger onSubsequentEvents and onEveryEvent.

If enough matches occur to pass the threshold count before the time window expires (the window is still open while start time + time window > current time), then the Manager triggers onEveryThreshold and either onFirstThreshold or onSubsequentThreshold, then resets the start time for the next time window.

If a time window ends without meeting the threshold, then final aggregation occurs. The onTimeWindowExpiration option is triggered and the session is disassociated from the tuple.

The next match with the same or a new tuple will cause the whole process to repeat.
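
The sequence above can be traced with a small simulation. This is an added example, not product code: the RuleSimulator class, its method names and the sample addresses are hypothetical. It assumes that "passing" the threshold means reaching or exceeding it, that the match count restarts with each new time window, and that window expiry is evaluated when the next match for the tuple arrives.

```python
from dataclasses import dataclass

@dataclass
class Session:
    start: float         # start time of the current time window
    count: int = 0       # matches counted in the current window
    thresholds: int = 0  # thresholds reached so far in this session

class RuleSimulator:
    """Toy model of the trigger sequence described above (not ArcSight code)."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.sessions = {}  # Group By tuple -> Session

    def on_match(self, now, key):
        """Feed one matching event; return the triggers it fires."""
        fired = []
        s = self.sessions.get(key)
        # Assumption: expiry is evaluated lazily, when the next match arrives.
        if s is not None and not (s.start + self.window > now):
            fired.append("onTimeWindowExpiration")
            del self.sessions[key]  # session is disassociated from the tuple
            s = None
        if s is None:
            s = self.sessions[key] = Session(start=now)
            fired.append("onFirstEvent")
        else:
            fired.append("onSubsequentEvents")
        fired.append("onEveryEvent")
        s.count += 1
        if s.count >= self.threshold:  # assumption: "pass" means reach or exceed
            s.thresholds += 1
            fired.append("onEveryThreshold")
            fired.append("onFirstThreshold" if s.thresholds == 1
                         else "onSubsequentThreshold")
            s.start, s.count = now, 0  # assumption: count restarts with the window
        return fired

if __name__ == "__main__":
    # Constructed sample: matches for one source/target pair, threshold 3 in 60 s.
    sim = RuleSimulator(threshold=3, window=60)
    for t in (0, 10, 20, 30, 40, 50, 200):
        print(t, sim.on_match(t, ("10.0.0.5", "10.0.0.9")))
```

Tracing a rule this way before deploying it shows which actions fire once per session and which fire on every window, which matters when an action sends a notification or opens a case.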