PROCTIME
Function
PROCTIME is used to obtain the system processing time.
Event Time and Processing Time Usage Scenarios
- Event time semantics applies to scenarios where data delay is high and where event order and precision are critical. For example, event time semantics is recommended when an accurate attack chain and behavior sequence must be restored, such as in attack scenarios.
- Processing time semantics applies to scenarios that require real-time processing and can tolerate precision errors. It is recommended where a fast, real-time response is required, such as alarm reporting.
- You can select the event time semantics or processing time semantics based on your service requirements. If you select the processing time semantics, use this function.
The definitions of event time and processing time are as follows:
- Processing time is the system time of the machine that executes the respective operation.
- Event time is the time at which an event occurred. It is usually specified by a field in the data, for example, event_time: "2025-06-10T10:00:00Z" in a user click log.
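The difference between the two semantics, shown as an added example that is not part of the original documentation or of SecMaster: a Python simulation of 5-minute tumbling windows over constructed alarms, where one alarm is delivered late. The record layout, the proc_time field and the helper names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # same size as INTERVAL '5' MINUTE in the page's job
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ts(text):
    """Parse an ISO 8601 UTC timestamp such as 2025-06-10T10:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def alarm(host, event_id, event_time, proc_time):
    """Build one constructed alarm record (field layout is an assumption)."""
    return {"hostUuid": host, "event_id": event_id,
            "event_time": ts(event_time), "proc_time": ts(proc_time)}


def window_start(moment, size=WINDOW):
    """Floor a timestamp to the start of its tumbling window."""
    return EPOCH + ((moment - EPOCH) // size) * size


def tumble(records, time_field):
    """Group event ids by (window start, host), ordered by the chosen time field."""
    windows = defaultdict(list)
    for rec in sorted(records, key=lambda r: r[time_field]):
        key = (window_start(rec[time_field]), rec["hostUuid"])
        windows[key].append(rec["event_id"])
    return dict(windows)


def split_hosts(records):
    """Hosts whose alarms span more windows by processing time than by event time."""
    counts = {"event_time": defaultdict(int), "proc_time": defaultdict(int)}
    for field, per_host in counts.items():
        for (_, host) in tumble(records, field):
            per_host[host] += 1
    return {h for h in counts["event_time"]
            if counts["proc_time"][h] > counts["event_time"][h]}


# Constructed sample: e2 occurred at 10:02 but reached the engine at 10:07.
ALARMS = [
    alarm("host-a", "e1", "2025-06-10T10:01:00Z", "2025-06-10T10:01:05Z"),
    alarm("host-a", "e2", "2025-06-10T10:02:00Z", "2025-06-10T10:07:30Z"),
    alarm("host-a", "e3", "2025-06-10T10:03:00Z", "2025-06-10T10:03:02Z"),
    alarm("host-b", "e4", "2025-06-10T10:02:00Z", "2025-06-10T10:02:01Z"),
]

if __name__ == "__main__":
    print(tumble(ALARMS, "event_time"))
    print(tumble(ALARMS, "proc_time"))
    print(split_hosts(ALARMS))
```

With event time, host-a's three alarms stay in one window in the order they occurred; with processing time, the late alarm lands in the next window, which is the precision error that processing time semantics accepts in exchange for speed.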
Syntax Format
PROCTIME()
Syntax Description
The PROCTIME() function specifies that system processing time semantics is used. Decide whether to use it based on your specific service scenario.
For more details, see Example of Upgrading a Streaming Model Job.
Precautions
- This function is used for window aggregation in streaming models. A streaming model processes streaming data tables using SecMaster SQL syntax.
Example of Upgrading a Streaming Model Job
with filter_data as (
    select *
    from s_sec_hss_alarm
    where __time >= timestampadd(minute, -60, now())
      AND (event_category = 4000
           AND event_type = 4002
           AND (event_classid = 'login_0001' OR event_classid = 'login_0002')
           OR event_category=2000
           OR event_category=6002)
),
operation_total AS (
    select window_start,
           window_end,
           FIRST_VALUE(appendInfo.event_id) AS first_event_id,
           LISTAGG(DISTINCT appendInfo.event_id) AS event_id,
           COUNT(DISTINCT appendInfo.event_id) AS event_id_count
    from table(tumble(table filter_data, DESCRIPTOR(__time), INTERVAL '5' minute))
    group by window_start, window_end, hostUuid
),
final_total_result as (
    select * from operation_total WHERE event_id_count > 0
),
final_source_data as (
    select *
    from final_total_result a, filter_data b
    WHERE a.first_event_id = b.appendInfo.event_id
)
select * from final_source_data;
To change this statement from event time semantics to processing time semantics, you need to perform the following operations:
- Delete the event time window description from the statement.
from table(tumble(table filter_data, DESCRIPTOR(__time), INTERVAL '5' minute))
- Delete window_start and window_end from the SELECT statement.
window_start, window_end
- Replace window_start and window_end in the GROUP BY clause with TUMBLE(PROCTIME(), INTERVAL '5' MINUTE). Example after the replacement:
with filter_data as (
    select *
    from s_sec_hss_alarm
    where __time >= timestampadd(minute, -60, now())
      AND (event_category = 4000
           AND event_type = 4002
           AND (event_classid = 'login_0001' OR event_classid = 'login_0002')
           OR event_category=2000
           OR event_category=6002)
),
operation_total AS (
    select FIRST_VALUE(appendInfo.event_id) AS first_event_id,
           LISTAGG(DISTINCT appendInfo.event_id) AS event_id,
           COUNT(DISTINCT appendInfo.event_id) AS event_id_count
    from filter_data
    group by TUMBLE(PROCTIME(), INTERVAL '5' MINUTE), hostUuid
),
final_total_result as (
    select * from operation_total WHERE event_id_count > 0
),
final_source_data as (
    select *
    from final_total_result a, filter_data b
    WHERE a.first_event_id = b.appendInfo.event_id
)
select * from final_source_data;