Esper filter events by pattern

Question

I try select some events from flow through match_recognize function and receive error message. I can't understand why my pattern not work or I something miss in my statement. Maybe somebody can help me with my statement.

I have EPL Statement:

create schema Event1(alert_id string, user_dst string, host_src string, ip_src string);

SELECT * FROM Event1.win:time(5 minute)
MATCH_RECOGNIZE  (
  partition by ip_src
  measures A as a, B as b, C as c
  pattern (A B+ C)
  define
        A as A.alert_id !='account:logout',
        B as B.alert_id !='account:logout' and B.user_dst != A.user_dst,
        C as C.alert_id !='account:logout' and C.user_dst != A.user_dst and C.user_dst != B.user_dst
)

and events sequence:

Event1={alert_id='account:logon-success', user_dst='admin1', host_src='xxx.ru', ip_src='10.10.0.1'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='xxx.ru', ip_src='10.10.0.1'}
t=t.plus(500 seconds)
Event1={alert_id='account:logon-success', user_dst='admin2', host_src='yyy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logout', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin4', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
t=t.plus(5 seconds)
Event1={alert_id='account:logon-success', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}

As result of processing statement I wait those events:

Event1={alert_id='account:logon-success', user_dst='admin4', host_src='yxy.ru', ip_src='10.10.0.2'}
Event1={alert_id='account:logon-success', user_dst='admin', host_src='yxy.ru', ip_src='10.10.0.2'}
Event1={alert_id='account:logon-success', user_dst='admin3', host_src='yyy.ru', ip_src='10.10.0.2'}

PS: I test my statement at Esper EPL Online: http://esper-epl-tryout.appspot.com/epltryout/mainform.html

Answer 1

I found solution, need was use C.user_dst != B[0].user_dst insted of C.user_dst != B.user_dst