Events subject to aggregation are selected by the aggregation service from the flow of normalized and correlated events. An event is selected if it meets the condition specified for a declared event in at least one aggregation rule (the event directive). For each aggregation rule, the selected events are then split into event flows: events that have the same values in all of the fields listed for the declared event (the key instruction of the event directive) belong to the same flow.
The condition of an aggregation rule (the aggregate directive) describes the sequence of events that triggers the registration of an aggregated event. One event flow forms one event sequence at a time; different event flows can form multiple event sequences simultaneously. Each selected event is used to build the sequence specified in the condition of the aggregation rule.
When the first event of a sequence is registered, the time of event sequence registration (the start of the time window allowed for the sequence) is recorded and the count of events in the sequence starts.
While the time of event sequence registration has not been exceeded, each new event in the flow is handled according to its sequence number:
- If the sequence number of the event is less than the skipped event count, the event remains in the event flow. The number of events in the sequence is incremented by 1.
- If the sequence number of the event is equal to or greater than the skipped event count but less than the event count required to register an aggregated event, the event is removed from the event flow. The number of events in the sequence is incremented by 1.
- If the sequence number of the event is equal to the event count required to register an aggregated event, the event is removed from the event flow and an aggregated event is registered.
If the time of event sequence registration is exceeded, whether an aggregated event is registered depends on the number of events counted in the sequence:
- If the number of events is less than the skipped event count, no aggregated event is registered.
- If the number of events is greater than the skipped event count, an aggregated event is registered.
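The procedure above, as an added example in Python that is not the product's own code: it simulates one aggregation rule over a stream of normalized events, splitting them into flows by key fields and applying the skip / required / time-window logic to each flow. Everything concrete here is constructed for illustration: the field names (ts, etype, src_ip, user), the rule parameters and the sample events. Two points the text leaves open are taken as assumptions: sequence numbers start at 0 (the number of events already counted in the sequence), and a sequence whose count exactly equals the skipped event count when the window expires registers no aggregated event, since every event in it stayed in the flow and nothing was absorbed.

```python
"""Added example (not the product's own code): a small simulation of the
aggregation-rule state machine. Field names, rule parameters and sample
events are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class AggregationRule:
    name: str
    condition: Callable[[dict], bool]  # "event" directive: which events the rule selects
    key_fields: Tuple[str, ...]        # "key" instruction: same values -> same event flow
    skip: int                          # skipped event count
    required: int                      # event count required to register an aggregated event
    window: float                      # seconds allowed for the sequence to complete


@dataclass
class Sequence:
    started: float   # time of event sequence registration (ts of the first event)
    count: int = 0   # number of events counted in the sequence so far


class Aggregator:
    def __init__(self, rule: AggregationRule):
        self.rule = rule
        self.sequences: Dict[tuple, Sequence] = {}   # one open sequence per event flow
        self.passed: List[dict] = []      # events that remain in the event flow
        self.aggregated: List[dict] = []  # registered aggregated events

    def _register(self, key: tuple, seq: Sequence) -> None:
        self.aggregated.append({
            "rule": self.rule.name,
            "key": dict(zip(self.rule.key_fields, key)),
            "count": seq.count,
            "first_ts": seq.started,
        })

    def _expire(self, now: float) -> None:
        # Sequences whose window has been exceeded are closed. An aggregated event is
        # registered only if more events were counted than the skip count. Assumption:
        # count == skip registers nothing, because every event in it stayed in the flow.
        for key, seq in list(self.sequences.items()):
            if now - seq.started > self.rule.window:
                if seq.count > self.rule.skip:
                    self._register(key, seq)
                del self.sequences[key]

    def process(self, event: dict) -> str:
        """Handle one event (events must arrive in ts order); return what happened to it."""
        self._expire(event["ts"])
        if not self.rule.condition(event):
            self.passed.append(event)  # not selected by this rule: untouched
            return "unselected"
        key = tuple(event.get(f) for f in self.rule.key_fields)
        seq = self.sequences.get(key)
        if seq is None:
            seq = self.sequences[key] = Sequence(started=event["ts"])
        n = seq.count      # assumption: sequence numbers start at 0 (events already counted)
        seq.count += 1
        if n < self.rule.skip:
            self.passed.append(event)   # within the skipped count: stays in the flow
            return "pass"
        if n < self.rule.required:
            return "removed"            # absorbed into the sequence
        # n == required: absorbed, aggregated event registered, sequence closed
        self._register(key, seq)
        del self.sequences[key]
        return "aggregated"

    def flush(self, now: float) -> None:
        """Close sequences whose window ran out with no further events (end of stream)."""
        self._expire(now)


RULE = AggregationRule(
    name="repeated_auth_failure",
    condition=lambda e: e["etype"] == "auth_failure",
    key_fields=("src_ip", "user"),
    skip=2, required=5, window=60.0,
)


def demo() -> Tuple[List[str], List[dict], List[dict]]:
    """Run the rule over a constructed sample stream; return (outcomes, passed, aggregated)."""
    def ev(ts, etype, src_ip, user):
        return {"ts": ts, "etype": etype, "src_ip": src_ip, "user": user}
    events = [  # constructed sample events, in timestamp order
        ev(0, "auth_failure", "10.0.0.5", "alice"), ev(2, "auth_failure", "10.0.0.9", "bob"),
        ev(3, "auth_failure", "10.0.0.7", "carol"), ev(4, "login_ok", "10.0.0.5", "alice"),
        ev(5, "auth_failure", "10.0.0.5", "alice"), ev(7, "auth_failure", "10.0.0.9", "bob"),
        ev(8, "auth_failure", "10.0.0.7", "carol"), ev(10, "auth_failure", "10.0.0.5", "alice"),
        ev(13, "auth_failure", "10.0.0.7", "carol"), ev(15, "auth_failure", "10.0.0.5", "alice"),
        ev(20, "auth_failure", "10.0.0.5", "alice"), ev(25, "auth_failure", "10.0.0.5", "alice"),
        ev(30, "auth_failure", "10.0.0.5", "alice"),
    ]
    agg = Aggregator(RULE)
    outcomes = [agg.process(e) for e in events]
    agg.flush(now=200.0)   # well past every window: bob's two events expire with count == skip
    return outcomes, agg.passed, agg.aggregated
```

In the sample, alice's flow reaches the required count inside the window and produces an aggregated event at the sixth event (sequence number 5); carol's flow expires with three events, more than the skip count, so an aggregated event is registered for it; bob's flow expires with exactly two events, all of which passed through, so nothing is registered. Expiry is checked lazily, when the next event arrives or at flush(), which is the usual way to simulate a timer in an offline replay.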