Striim 3.9.7 documentation

Using pattern matching

You can use pattern matching in your queries to conveniently specify multiple combinations of events via a MATCH_PATTERN expression. Pattern expressions consist of references to stream and timer events according to this syntax :

CREATE CQ <CQ name>
INSERT INTO <output stream>
SELECT <list of expressions>
FROM <data source> [ <data source alias>] [, <data source> [ <data source alias> ], ...]
MATCH_PATTERN <pattern>
DEFINE <pattern variable> = [<data source or alias name>] ‘(‘ <predicate> ‘)’ 
[ PARTITION BY <data source field name> ];

In this syntax, dataSource is a stream or timer event.

The MATCH_PATTERN clause represents groups of events along with condition variables. New events are referenced in the predicates, where event variables are defined. Condition variables are expressions used to check additional conditions, such as timer events, before continuing to match the pattern.

The pattern matching expression syntax uses the following notation:

Notation

Description

*

0 or more quantifiers

?

0 or 1 quantifiers

+

1 or more quantifiers

{m,n}

m to n quantifiers

|

logical OR (alternative)

&

logical AND (permutation)

( )

grouping

#

restart matching markers for overlapping patterns

For example, the pattern A B* C+ would contain exactly 1 new event matching A, 0 or more new events matching B, and 1 or more new events matching C.

NOTE: You cannot refer to new events in conditions or expressions contained in the SELECT clause.

The DEFINE clause defines a list of event variables and conditions. The conditions are described in the predicates associated with the event variables.

For example, A = S(sensor < 100) matches events on stream S where the sensor attribute is less than 100.

The optional PARTITION BY clause partitions the stream by key on sub-streams, and pattern matching is performed independently for every partition.

Let's examine this example:

CREATE CQ 
SELECT LIST(B.id) as eventValues, count(B.id) as eventCount, A.id as eventTime 
FROM eventStream S
MATCH_PATTERN T A W B* P C
DEFINE
  A = S(sensor < 100), 
  B = S(sensor >= 100),
  C = S(sensor < 100),
  T = TIMER(interval 60 second),
  W = STOP(T), 
  P  = (count(B) > 5)
PARTITION BY eventId;

The pattern of event variables in the MATCH_PATTERN clause (T A W B* P C) represents the following:

  • T A W: Event A is matched within 60 seconds. Since this pattern ends with W, subsequent events (B, P, C) can only be matched after the first 60 seconds have elapsed.

  • B* P C: After the first 60 seconds, the match pattern consists of 0 or more instances of event B, followed by event P, followed by event C.