Striim 3.9.4 / 3.9.5 documentation

Using multiple CQs for complex criteria

Applications often combine multiple CQs and windows to select events based on complex criteria. For example, from MultiLogApp:

CREATE CQ GetLog4JErrorWarning
INSERT INTO Log4ErrorWarningStream
SELECT l FROM Log4JStream l
WHERE l.level = 'ERROR' OR l.level = 'WARN';

CREATE WINDOW Log4JErrorWarningActivity 
OVER Log4ErrorWarningStream KEEP 300 ROWS;
...

CREATE CQ FindLargeRT
INSERT INTO LargeRTStream
SELECT ale
FROM AccessStream ale
WHERE ale.responseTime > 2000;

CREATE WINDOW LargeRTActivity 
OVER LargeRTStream KEEP 100 ROWS; 
...

CREATE CQ MergeLargeRTAPI
INSERT INTO LargeRTAPIStream
SELECT lrt.accessTime, lrt.sessionId, lrt.srcIp, lrt.userId  ...
FROM LargeRTActivity lrt, Log4JErrorWarningActivity log4j
WHERE lrt.sessionId = log4j.sessionId
  AND lrt.accessTime = log4j.logTime;   
  • The Log4JErrorWarningActivity window, populated by The GetLog4JErrorWarning CQ, contains the most recent 300 error and warning messages from the application log.

  • The LargeRTActivity window, populated by the FindLargeRT CQ, contains the most recent 100 messages from the web server access log with response times over 2000 microseconds.

  • The MergeLargeRTAPI CQ joins events from the two windows that have matching session IDs and access times and filters out unneeded fields. This filtered and joined data triggers alerts about the unusually long response times and is also used to populate dashboard displays.

See MultiLogApp for more details. See TQL programming rules and best practices for discussion of why the windows are required for the join.