Skip to main content

Using a window to define an alert threshold

The following could be used to send an alert when the number of events in the window exceeds 15:

CREATE TYPE myEventType (
  EventTime  DateTime,
  KeyVal     String,
  EventText  String
);
...
CREATE WINDOW oneHourSlidingWindow 
  OVER eventStream
  KEEP WITHIN 1 HOUR ON EventTime
  PARTITION BY KeyVal;

CREATE CQ WactionStore_q INSERT INTO WactionStore_ws
SELECT ISTREAM
  KeyVal,
  EventTime,
  EventText,
  COUNT(KeyVal)
FROM oneHourSlidingWindow
GROUP BY KeyVal
HAVING COUNT(KeyVal) > 15;

The ISTREAM option stops the window from emitting events when COUNT(KeyVal) decreases due to events being removed from the window after the one-hour timeout.