Timeout Event Extraction: When a pattern defines detection window time through the within keyword, some event sequences may be discarded because they exceed the window length. To handle these timeout partial matches, select and flatSelect API calls allow specifying timeout handlers.
FlinkCEP Development Process:
- Data Source Conversion: Get raw data stream from data source (Kafka, file, Socket, etc.), convert data to DataStream
- Pattern Definition and PatternStream Creation: Define event pattern (Pattern), combine DataStream with Pattern to create PatternStream
- PatternStream Processing: Use Select/Process operator to process matched events
- Result Output: Output to target database
Case: Malicious Login Detection Find accounts with consecutive login failures within 5 seconds.
Test data:
new CepLoginBean(1L, "fail", 1597905234000L),
new CepLoginBean(1L, "success", 1597905235000L),
new CepLoginBean(2L, "fail", 1597905236000L),
new CepLoginBean(2L, "fail", 1597905237000L),
new CepLoginBean(2L, "fail", 1597905238000L),
new CepLoginBean(3L, "fail", 1597905239000L),
new CepLoginBean(3L, "success", 1597905240000L)Complete Java Code includes:
- Create execution environment, set event time semantics
- Simulate input data stream
- Assign timestamps and watermarks
- Group by user ID
- Define CEP pattern: consecutive two failures within 5 seconds
- Apply pattern and process matching results
Running Result: Detected user 2 with two consecutive login failures within 5 seconds, output matched events.