Needles in Haystacks: Pattern Matching on Events in the Sybase Aleri Streaming Platform
Suppose you are a systems administrator, and want to respond to potential break-ins quickly. The system continuously produces records of login attempts (perhaps encoded in a log file), and you’d like an alert if there were three unsuccessful attempts to log in to an account within five minutes. How do you look for that pattern, especially when most of the attempts are not suspicious? But that’s hardly the only example of “pattern matching”. One might look, for instance, for patterns of stock trades, or price movements, to react quickly if certain market conditions arise. It’s important to respond efficiently, in real time. And it’s important that the pattern-matching rules be simple to write, transparent to read, and easy to maintain.
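As an added illustration of the login example (not code from the article or from the Aleri platform), here is a sliding-window detector in Python: it reads constructed log lines in an assumed "timestamp result account ip" format, keeps only each account's recent failures, and raises an alert when three fall within five minutes, while failures spaced further apart are evicted and never trigger.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); the line format is an
# assumption: "<ISO timestamp> <RESULT> <account> <source-ip>", in time order
# as a stream would deliver them.
SAMPLE_LOG = """\
2024-03-01T10:00:05 FAIL alice 10.0.0.5
2024-03-01T10:00:40 OK bob 10.0.0.9
2024-03-01T10:01:10 FAIL alice 10.0.0.5
2024-03-01T10:02:30 FAIL carol 10.0.0.7
2024-03-01T10:04:59 FAIL alice 10.0.0.5
2024-03-01T10:09:00 FAIL carol 10.0.0.7
2024-03-01T10:15:00 FAIL carol 10.0.0.7
"""

WINDOW = timedelta(minutes=5)   # pattern from the text: five-minute window
THRESHOLD = 3                   # pattern from the text: three failures

def parse_line(line):
    """Split one log line into (timestamp, result, account)."""
    ts, result, account, _ip = line.split()
    return datetime.fromisoformat(ts), result, account

def find_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (account, timestamp) for each point at which an account reaches
    `threshold` failed logins within `window`.

    A per-account deque holds timestamps of recent failures. On every new
    failure, entries older than the window are evicted from the front, so
    memory per account never exceeds `threshold` entries. After an alert the
    account's history is cleared, so a long burst yields one alert per
    `threshold` failures instead of one per event."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ts, result, account = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:   # a gap of exactly `window` still counts
            q.popleft()
        if len(q) >= threshold:
            alerts.append((account, ts))
            q.clear()
    return alerts

if __name__ == "__main__":
    for account, ts in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ts.isoformat()}: {THRESHOLD} failed logins for {account} within {WINDOW}")
```

On the sample data only alice trips the rule; carol's three failures are each more than five minutes apart, so the window eviction keeps her below the threshold.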
Complex Event Processing (CEP) systems seem to be divided into camps: those based on “rules” (which trace their heritage to expert systems), and those based on “relational databases” or SQL. A relational approach to these pattern-matching problems is possible, but usually messy, involving complicated “self-joins” and filters that obscure the problem.
The Sybase Aleri Streaming Platform provides primitive support for pattern matching. It uses a powerful but simple syntax based on three ideas: Microsoft’s LINQ syntax, matching syntax from functional languages, and the syntax of linear-time temporal logic.