Rule-triggering Timing
Rule-processing sessions are associated with Group By
tuples (for example, a particular pairing of source and target address).
A match occurs when all the conditions of the rule are met.
The first match associated with a new tuple creates a new session. It also triggers onFirstEvent
and an OnEveryEvent
. The system then sets the start time for the first time window.
Subsequent matches will trigger onSubsequentEvents
and onEveryEvent
.
If enough matches occur to pass the threshold count before the time window expires (which is defined as start time + time window > current time
), then the Manager triggers onEveryThreshold
and one of either onFirstThreshold
or onSubsequentThreshold
, then resets the start time for the next time window.
If a time window ends without meeting the threshold, then final aggregation occurs. The onTimeWindowExpiraton
option is triggered and the session is disassociated from the tuple.
The next match with the same or a new tuple will cause the whole process to repeat.