Question

I am using Esper to generate the alert message based on the Esper queries which get fired.

I am using Map as a Java object to bind all the log messages, and that is defined in the external Esper config XML file as follows.

<?xml version="1.0" encoding="UTF-8"?>
<esper-configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.espertech.com/schema/esper"
xsi:schemaLocation="http://www.espertech.com/schema/esper
http://www.espertech.com/schema/esper/esper-configuration-2.0.xsd">
<!-- <event-type name="StockTick" class="com.espertech.esper.example.stockticker.event.StockTick"/>
<event-type name="PriceLimit" class="com.espertech.esper.example.stockticker.event.PriceLimit"/>
<auto-import import-name="org.mycompany.mypackage.MyUtility"/>
<auto-import import-name="org.mycompany.util.*"/> -->

<event-type name="b2cAccessLogEvent">
 <java-util-map>
  <map-property name="request" class="string"/>
  <map-property name="response" class="int"/>
  <map-property name="type" class="string"/>
  <map-property name="dc" class="int"/>
  <map-property name="message" class="string"/>
  <map-property name="source" class="string"/>
  <map-property name="source_host" class="string"/>
  <map-property name="source_path" class="string"/>
  <map-property name="agent" class="string"/>
  <map-property name="duration" class="string"/>
  <map-property name="@timestamp" class="string"/>    
 </java-util-map>
</event-type>
</esper-configuration>

I am reading the log messages from a queue. My requirement for the event getting triggered is as follows:

1. If the response field inside a log message of type = "b2c_access" is = 302 and the count of log messages with this response code in 1 min is > 10, then fire an event.

I have the following EPL:

select * from b2cAccessLogEvent(type="b2c_access").win:time(1 minute) having response = 302 and dc like "%s%" and count(request) > 10.

But even though the log contains more than 10 messages in a 2 min time span, the event is not getting fired, nor is there any exception. So I tried to make the EPL simpler, as follows.

select * from b2cAccessLogEvent(type="b2c_access").win:time(1 minute) having response = 302

Still this above query is not getting fired.

I am unable to find any example in the Esper official site which will match what I am looking for.


Solution 2

Actually the issue is with the values getting populated into my Map, e.g. the response field was getting populated as a String in the Map but in my query I was treating it as an integer field. Just because my Map was of type it never threw the exception.

Other suggestions

I'd say your Map events are not getting populated correctly by your application. Esper will not check each field in your map to see if it's correctly populated. It's up to your app to correctly populate events. Use @Audit to see what the engine pulls out of your event object.

Moving the filters like this is preferred:

select * from b2cAccessLogEvent(type="b2c_access" and response = 302 and dc like "%s%").win:time(1 minute) having count(request) > 10.
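The type mismatch described in both answers can be caught before the event reaches the engine. The sketch below is an added example, not code from the original posts or from Esper: it coerces a parsed log Map to the property types declared in the `b2cAccessLogEvent` config and rejects values that cannot be converted. The class name, the `coerce` helper and the sample values are hypothetical, and a plain Java equality check stands in for the `response = 302` filter.

```java
import java.util.*;

public class B2cEventCoercion {
    // Declared property types, copied from the <java-util-map> config in the question.
    static final Map<String, Class<?>> SCHEMA = new LinkedHashMap<>();
    static {
        for (String p : new String[] {"request", "type", "message", "source", "source_host",
                "source_path", "agent", "duration", "@timestamp"}) SCHEMA.put(p, String.class);
        SCHEMA.put("response", Integer.class);
        SCHEMA.put("dc", Integer.class);
    }

    /** Returns a copy whose values match SCHEMA; throws if a value cannot be coerced. */
    static Map<String, Object> coerce(Map<String, Object> raw) {
        Map<String, Object> out = new HashMap<>();
        for (Map.Entry<String, Class<?>> e : SCHEMA.entrySet()) {
            String name = e.getKey();
            Object v = raw.get(name);
            if (v == null || e.getValue().isInstance(v)) {
                out.put(name, v);                       // absent or already the declared type
            } else if (e.getValue() == Integer.class) {
                try {
                    out.put(name, Integer.valueOf(v.toString().trim()));
                } catch (NumberFormatException ex) {    // fail loudly instead of never matching
                    throw new IllegalArgumentException(name + ": expected int, got "
                            + v.getClass().getSimpleName() + " '" + v + "'");
                }
            } else {
                out.put(name, v.toString());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: a log parser that leaves every field as a String.
        Map<String, Object> raw = new HashMap<>();
        raw.put("type", "b2c_access");
        raw.put("request", "/login");
        raw.put("response", "302");
        raw.put("dc", "1");
        // Stand-in for the filter "response = 302": a String "302" never equals the int 302.
        System.out.println("raw matches:     " + Integer.valueOf(302).equals(raw.get("response")));
        Map<String, Object> event = coerce(raw);
        System.out.println("coerced matches: " + Integer.valueOf(302).equals(event.get("response")));
    }
}
```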

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow