Using multiple CQs for complex criteria
Applications often combine multiple CQs and windows to select events based on complex criteria. For example, from MultiLogApp:
CREATE CQ GetLog4JErrorWarning
INSERT INTO Log4ErrorWarningStream
SELECT l FROM Log4JStream l
WHERE l.level = 'ERROR' OR l.level = 'WARN';

CREATE WINDOW Log4JErrorWarningActivity
OVER Log4ErrorWarningStream KEEP 300 ROWS;
...
CREATE CQ FindLargeRT
INSERT INTO LargeRTStream
SELECT ale FROM AccessStream ale
WHERE ale.responseTime > 2000;

CREATE WINDOW LargeRTActivity
OVER LargeRTStream KEEP 100 ROWS;
...
CREATE CQ MergeLargeRTAPI
INSERT INTO LargeRTAPIStream
SELECT lrt.accessTime, lrt.sessionId, lrt.srcIp, lrt.userId ...
FROM LargeRTActivity lrt, Log4JErrorWarningActivity log4j
WHERE lrt.sessionId = log4j.sessionId
  AND lrt.accessTime = log4j.logTime;
The Log4JErrorWarningActivity window, populated by the GetLog4JErrorWarning CQ, contains the most recent 300 error and warning messages from the application log.
The LargeRTActivity window, populated by the FindLargeRT CQ, contains the most recent 100 messages from the web server access log with response times over 2000 microseconds.
The MergeLargeRTAPI CQ joins events from the two windows that have matching session IDs and access times and filters out unneeded fields. This filtered and joined data triggers alerts about the unusually long response times and is also used to populate dashboard displays.
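The following Python sketch is an added example, not code from MultiLogApp or from the product. It models the two filters, the two row-count windows and the join on constructed sample events, so you can see which events reach the alert stream and what happens when a matching log entry has already been pushed out of its window. It assumes a one-shot join over the final window contents (a CQ evaluates continuously) and emits only the four fields visible in the SELECT list above; the `correlate` function and its parameters are hypothetical names.

```python
from collections import deque

# Constructed sample events (not taken from MultiLogApp data).
ACCESS = [
    {"accessTime": 1000, "sessionId": "s1", "srcIp": "10.0.0.5",
     "userId": "alice", "responseTime": 3500},
    {"accessTime": 1001, "sessionId": "s2", "srcIp": "10.0.0.6",
     "userId": "bob", "responseTime": 150},
    {"accessTime": 1002, "sessionId": "s3", "srcIp": "10.0.0.7",
     "userId": "carol", "responseTime": 2600},
]
LOGS = [
    {"logTime": 1000, "sessionId": "s1", "level": "ERROR"},
    {"logTime": 1001, "sessionId": "s2", "level": "WARN"},
    {"logTime": 1002, "sessionId": "s3", "level": "INFO"},
]

FIELDS = ("accessTime", "sessionId", "srcIp", "userId")


def correlate(access_events, log_events, rt_keep=100, log_keep=300):
    """Model the three CQs and two windows; return the joined rows."""
    # deque(maxlen=n) drops the oldest row when full, like KEEP n ROWS.
    log4j_window = deque(maxlen=log_keep)     # Log4JErrorWarningActivity
    large_rt_window = deque(maxlen=rt_keep)   # LargeRTActivity

    for entry in log_events:                  # GetLog4JErrorWarning
        if entry["level"] in ("ERROR", "WARN"):
            log4j_window.append(entry)

    for entry in access_events:               # FindLargeRT
        if entry["responseTime"] > 2000:
            large_rt_window.append(entry)

    # MergeLargeRTAPI: one output row per matching pair, projected to FIELDS.
    return [
        {name: lrt[name] for name in FIELDS}
        for lrt in large_rt_window
        for log4j in log4j_window
        if lrt["sessionId"] == log4j["sessionId"]
        and lrt["accessTime"] == log4j["logTime"]
    ]


if __name__ == "__main__":
    print(correlate(ACCESS, LOGS))              # only session s1 matches
    print(correlate(ACCESS, LOGS, log_keep=1))  # s1's ERROR was evicted
```

With the default sizes only session s1 is reported: s2 was fast and s3 logged at INFO. Shrinking the log window to one row evicts s1's ERROR before the join, so the slow request no longer correlates, which is the trade-off to keep in mind when sizing the windows against event volume.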
See MultiLogApp for more details. See TQL programming rules and best practices for discussion of why the windows are required for the join.