It is a common use case to search for a set of event patterns, especially in case of data streams. Flink comes with a complex event processing (CEP) library which allows for pattern detection in event streams. Furthermore, Flink’s SQL API provides a relational way of expressing queries with a large set of built-in functions and rule-based optimizations that can be used out of the box.
In December 2016, the International Organization for Standardization (ISO) released a new version
of the SQL standard which includes Row Pattern Recognition in SQL
(ISO/IEC TR 19075-5:2016).
It allows Flink to consolidate CEP and SQL API using the MATCH_RECOGNIZE
clause for complex event
processing in SQL.
A MATCH_RECOGNIZE
clause enables the following tasks:
PARTITION BY
and ORDER BY
clauses.PATTERN
clause. These patterns use a syntax similar to
that of regular expressions.DEFINE
clause.MEASURES
clause.The following example illustrates the syntax for basic pattern recognition:
This page will explain each keyword in more detail and will illustrate more complex examples.
Attention Flink’s implementation of the MATCH_RECOGNIZE
clause is a subset of the full standard. Only those features documented in the following sections
are supported. Since the development is still in an early phase, please also take a look at the
known limitations.
The pattern recognition feature uses the Apache Flink’s CEP library internally. In order to be able
to use the MATCH_RECOGNIZE
clause, the library needs to be added as a dependency to your Maven
project.
Alternatively, you can also add the dependency to the cluster classpath (see the dependency section for more information).
If you want to use the MATCH_RECOGNIZE
clause in the
SQL Client, you don’t have to do anything as all the
dependencies are included by default.
Every MATCH_RECOGNIZE
query consists of the following clauses:
GROUP BY
operation.SELECT
clause.Attention Currently, the MATCH_RECOGNIZE
clause can only
be applied to an append table. Furthermore, it
always produces an append table as well.
For our examples, we assume that a table Ticker
has been registered. The table contains prices of
stocks at a particular point in time.
The table has a following schema:
For simplification, we only consider the incoming data for a single stock ACME
. A ticker could
look similar to the following table where rows are continuously appended.
The task is now to find periods of a constantly decreasing price of a single ticker. For this, one could write a query like:
The query partitions the Ticker
table by the symbol
column and orders it by the rowtime
time attribute.
The PATTERN
clause specifies that we are interested in a pattern with a starting event START_ROW
that is followed by one or more PRICE_DOWN
events and concluded with a PRICE_UP
event. If such
a pattern can be found, the next pattern match will be seeked at the last PRICE_UP
event as
indicated by the AFTER MATCH SKIP TO LAST
clause.
The DEFINE
clause specifies the conditions that need to be met for a PRICE_DOWN
and PRICE_UP
event. Although the START_ROW
pattern variable is not present it has an implicit condition that
is evaluated always as TRUE
.
A pattern variable PRICE_DOWN
is defined as a row with a price that is smaller than the price of
the last row that met the PRICE_DOWN
condition. For the initial case or when there is no last row
that met the PRICE_DOWN
condition, the price of the row should be smaller than the price of the
preceding row in the pattern (referenced by START_ROW
).
A pattern variable PRICE_UP
is defined as a row with a price that is larger than the price of the
last row that met the PRICE_DOWN
condition.
This query produces a summary row for each period in which the price of a stock was continuously decreasing.
The exact representation of the output rows is defined in the MEASURES
part of the query. The
number of output rows is defined by the ONE ROW PER MATCH
output mode.
The resulting row describes a period of falling prices that started at 01-APR-11 10:00:04
and
achieved the lowest price at 01-APR-11 10:00:07
that increased again at 01-APR-11 10:00:08
.
It is possible to look for patterns in partitioned data, e.g., trends for a single ticker or a
particular user. This can be expressed using the PARTITION BY
clause. The clause is similar to
using GROUP BY
for aggregations.
Attention It is highly advised to partition the incoming
data because otherwise the MATCH_RECOGNIZE
clause will be translated into a non-parallel operator
to ensure global ordering.
Apache Flink allows for searching for patterns based on time; either processing time or event time.
In case of event time, the events are sorted before they are passed to the internal pattern state machine. As a consequence, the produced output will be correct regardless of the order in which rows are appended to the table. Instead, the pattern is evaluated in the order specified by the time contained in each row.
The MATCH_RECOGNIZE
clause assumes a time attribute with ascending
ordering as the first argument to ORDER BY
clause.
For the example Ticker
table, a definition like ORDER BY rowtime ASC, price DESC
is valid but
ORDER BY price, rowtime
or ORDER BY rowtime DESC, price ASC
is not.
The DEFINE
and MEASURES
keywords have similar meanings to the WHERE
and SELECT
clauses in a
simple SQL query.
The MEASURES
clause defines what will be included in the output of a matching pattern. It can
project columns and define expressions for evaluation. The number of produced rows depends on the
output mode setting.
The DEFINE
clause specifies conditions that rows have to fulfill in order to be classified to a
corresponding pattern variable. If a condition is not defined for a pattern
variable, a default condition will be used which evaluates to true
for every row.
For a more detailed explanation about expressions that can be used in those clauses, please have a look at the event stream navigation section.
Aggregations can be used in DEFINE
and MEASURES
clauses. Both
built-in and custom
user defined functions are supported.
Aggregate functions are applied to each subset of rows mapped to a match. In order to understand how those subsets are evaluated have a look at the event stream navigation section.
The task of the following example is to find the longest period of time for which the average price
of a ticker did not go below certain threshold. It shows how expressible MATCH_RECOGNIZE
can
become with aggregations. This task can be performed with the following query:
Given this query and following input values:
The query will accumulate events as part of the pattern variable A
as long as the average price
of them does not exceed 15
. For example, such a limit exceeding happens at 01-Apr-11 10:00:04
.
The following period exceeds the average price of 15
again at 01-Apr-11 10:00:10
. Thus the
results for said query will be:
Note Aggregations can be applied to expressions, but only if
they reference a single pattern variable. Thus SUM(A.price * A.tax)
is a valid one, but
AVG(A.price * B.tax)
is not.
Attention DISTINCT
aggregations are not supported.
The MATCH_RECOGNIZE
clause allows users to search for patterns in event streams using a powerful
and expressive syntax that is somewhat similar to the widespread regular expression syntax.
Every pattern is constructed from basic building blocks, called pattern variables, to which operators (quantifiers and other modifiers) can be applied. The whole pattern must be enclosed in brackets.
An example pattern could look like:
One may use the following operators:
(A B)
means that the contiguity is strict between A
and B
.
Therefore, there can be no rows that were not mapped to A
or B
in between.*
— 0 or more rows+
— 1 or more rows?
— 0 or 1 rows{ n }
— exactly n rows (n > 0){ n, }
— n or more rows (n ≥ 0){ n, m }
— between n and m (inclusive) rows (0 ≤ n ≤ m, 0 < m){ , m }
— between 0 and m (inclusive) rows (m > 0)Attention Patterns that can potentially produce an empty
match are not supported. Examples of such patterns are PATTERN (A*)
, PATTERN (A? B*)
,
PATTERN (A{0,} B{0,} C*)
, etc.
Each quantifier can be either greedy (default behavior) or reluctant. Greedy quantifiers try to match as many rows as possible while reluctant quantifiers try to match as few as possible.
In order to illustrate the difference, one can view the following example with a query where a
greedy quantifier is applied to the B
variable:
Given we have the following input:
The pattern above will produce the following output:
The same query where B*
is modified to B*?
, which means that B*
should be reluctant, will
produce:
The pattern variable B
matches only to the row with price 12
instead of swallowing the rows
with prices 12
, 13
, and 14
.
Attention It is not possible to use a greedy quantifier for
the last variable of a pattern. Thus, a pattern like (A B*)
is not allowed. This can be easily
worked around by introducing an artificial state (e.g. C
) that has a negated condition of B
. So
you could use a query like:
Attention The optional reluctant quantifier (A??
or
A{0,1}?
) is not supported right now.
Especially for streaming use cases, it is often required that a pattern finishes within a given period of time. This allows for limiting the overall state size that Flink has to maintain internally, even in case of greedy quantifiers.
Therefore, Flink SQL supports the additional (non-standard SQL) WITHIN
clause for defining a time
constraint for a pattern. The clause can be defined after the PATTERN
clause and takes an
interval of millisecond resolution.
If the time between the first and last event of a potential match is longer than the given value, such a match will not be appended to the result table.
Note It is generally encouraged to use the WITHIN
clause as
it helps Flink with efficient memory management. Underlying state can be pruned once the threshold
is reached.
Attention However, the WITHIN
clause is not part of the
SQL standard. The recommended way of dealing with time constraints might change in the future.
The use of the WITHIN
clause is illustrated in the following example query:
The query detects a price drop of 10
that happens within an interval of 1 hour.
Let’s assume the query is used to analyze the following ticker data:
The query will produce the following results:
The resulting row represents a price drop from 15
(at 01-Apr-11 12:00:00
) to 1
(at
01-Apr-11 13:00:00
). The dropDiff
column contains the price difference.
Notice that even though prices also drop by higher values, for example, by 11
(between
01-Apr-11 10:00:00
and 01-Apr-11 11:40:00
), the time difference between those two events is
larger than 1 hour. Thus, they don’t produce a match.
The output mode describes how many rows should be emitted for every found match. The SQL standard describes two modes:
ALL ROWS PER MATCH
ONE ROW PER MATCH
.Currently, the only supported output mode is ONE ROW PER MATCH
that will always produce one
output summary row for each found match.
The schema of the output row will be a concatenation of
[partitioning columns] + [measures columns]
in that particular order.
The following example shows the output of a query defined as:
For the following input rows:
The query will produce the following output:
The pattern recognition is partitioned by the symbol
column. Even though not explicitly mentioned
in the MEASURES
clause, the partitioned column is added at the beginning of the result.
The DEFINE
and MEASURES
clauses allow for navigating within the list of rows that (potentially)
match a pattern.
This section discusses this navigation for declaring conditions or producing output results.
A pattern variable reference allows a set of rows mapped to a particular pattern variable in the
DEFINE
or MEASURES
clauses to be referenced.
For example, the expression A.price
describes a set of rows mapped so far to A
plus the current
row if we try to match the current row to A
. If an expression in the DEFINE
/MEASURES
clause
requires a single row (e.g. A.price
or A.price > 10
), it selects the last value belonging to
the corresponding set.
If no pattern variable is specified (e.g. SUM(price)
), an expression references the default
pattern variable *
which references all variables in the pattern. In other words, it creates a
list of all the rows mapped so far to any variable plus the current row.
For a more thorough example, one can take a look at the following pattern and corresponding conditions:
The following table describes how those conditions are evaluated for each incoming event.
The table consists of the following columns:
#
- the row identifier that uniquely identifies an incoming row in the lists
[A.price]
/[B.price]
/[price]
.price
- the price of the incoming row.[A.price]
/[B.price]
/[price]
- describe lists of rows which are used in the DEFINE
clause to evaluate conditions.Classifier
- the classifier of the current row which indicates the pattern variable the row
is mapped to.A.price
/B.price
/SUM(price)
/SUM(B.price)
- describes the result after those expressions
have been evaluated.# | price | Classifier | [A.price] | [B.price] | [price] | A.price | B.price | SUM(price) | SUM(B.price) |
---|---|---|---|---|---|---|---|---|---|
#1 | 10 | -> A | #1 | - | - | 10 | - | - | - |
#2 | 15 | -> B | #1 | #2 | #1, #2 | 10 | 15 | 25 | 15 |
#3 | 20 | -> B | #1 | #2, #3 | #1, #2, #3 | 10 | 20 | 45 | 35 |
#4 | 31 | -> B | #1 | #2, #3, #4 | #1, #2, #3, #4 | 10 | 31 | 76 | 66 |
#5 | 35 | #1 | #2, #3, #4, #5 | #1, #2, #3, #4, #5 | 10 | 35 | 111 | 101 |
As can be seen in the table, the first row is mapped to pattern variable A
and subsequent rows
are mapped to pattern variable B
. However, the last row does not fulfill the B
condition
because the sum over all mapped rows SUM(price)
and the sum over all rows in B
exceed the
specified thresholds.
Logical offsets enable navigation within the events that were mapped to a particular pattern variable. This can be expressed with two corresponding functions:
Offset functions | Description |
---|---|
Returns the value of the field from the event that was mapped to the n-th last element of the variable. The counting starts at the last element mapped. |
|
Returns the value of the field from the event that was mapped to the n-th element of the variable. The counting starts at the first element mapped. |
For a more thorough example, one can take a look at the following pattern and corresponding conditions:
The following table describes how those conditions are evaluated for each incoming event.
The table consists of the following columns:
price
- the price of the incoming row.Classifier
- the classifier of the current row which indicates the pattern variable the row
is mapped to.LAST(B.price, 1)
/LAST(B.price, 2)
- describes the result after those expressions have been
evaluated.price | Classifier | LAST(B.price, 1) | LAST(B.price, 2) | Comment |
---|---|---|---|---|
10 | -> A | |||
15 | -> B | null | null | Notice that LAST(A.price, 1) is null because there is still nothing mapped
to B . |
20 | -> B | 15 | null | |
31 | -> B | 20 | 15 | |
35 | 31 | 20 | Not mapped because 35 < 2 * 20 . |
It might also make sense to use the default pattern variable with logical offsets.
In this case, an offset considers all the rows mapped so far:
price | Classifier | LAST(price, 1) | Comment |
---|---|---|---|
10 | -> A | ||
15 | -> B | ||
20 | -> C | 15 | LAST(price, 1) is evaluated as the price of the row mapped to the
B variable. |
If the second row did not map to the B
variable, we would have the following results:
price | Classifier | LAST(price, 1) | Comment |
---|---|---|---|
10 | -> A | ||
20 | -> C | 10 | LAST(price, 1) is evaluated as the price of the row mapped to the
A variable. |
It is also possible to use multiple pattern variable references in the first argument of the
FIRST/LAST
functions. This way, one can write an expression that accesses multiple columns.
However, all of them must use the same pattern variable. In other words, the value of the
LAST
/FIRST
function must be computed in a single row.
Thus, it is possible to use LAST(A.price * A.tax)
, but an expression like LAST(A.price * B.tax)
is not allowed.
The AFTER MATCH SKIP
clause specifies where to start a new matching procedure after a complete
match was found.
There are four different strategies:
SKIP PAST LAST ROW
- resumes the pattern matching at the next row after the last row of the
current match.SKIP TO NEXT ROW
- continues searching for a new match starting at the next row after the
starting row of the match.SKIP TO LAST variable
- resumes the pattern matching at the last row that is mapped to the
specified pattern variable.SKIP TO FIRST variable
- resumes the pattern matching at the first row that is mapped to the
specified pattern variable.This is also a way to specify how many matches a single event can belong to. For example, with the
SKIP PAST LAST ROW
strategy every event can belong to at most one match.
In order to better understand the differences between those strategies one can take a look at the following example.
For the following input rows:
We evaluate the following query with different strategies:
The query returns the sum of the prices of all rows mapped to A
and the first and last timestamp
of the overall match.
The query will produce different results based on which AFTER MATCH
strategy was used:
AFTER MATCH SKIP PAST LAST ROW
The first result matched against the rows #1, #2, #3, #4.
The second result matched against the rows #5, #6.
AFTER MATCH SKIP TO NEXT ROW
Again, the first result matched against the rows #1, #2, #3, #4.
Compared to the previous strategy, the next match includes row #2 again for the next matching. Therefore, the second result matched against the rows #2, #3, #4, #5.
The third result matched against the rows #3, #4, #5.
The forth result matched against the rows #4, #5, #6.
The last result matched against the rows #5, #6.
AFTER MATCH SKIP TO LAST A
Again, the first result matched against the rows #1, #2, #3, #4.
Compared to the previous strategy, the next match includes only row #3 (mapped to A
) again for
the next matching. Therefore, the second result matched against the rows #3, #4, #5.
The third result matched against the rows #4, #5, #6.
The last result matched against the rows #5, #6.
AFTER MATCH SKIP TO FIRST A
This combination will produce a runtime exception because one would always try to start a new match where the last one started. This would produce an infinite loop and, thus, is prohibited.
One has to keep in mind that in case of the SKIP TO FIRST/LAST variable
strategy it might be
possible that there are no rows mapped to that variable (e.g. for pattern A*
). In such cases, a
runtime exception will be thrown as the standard requires a valid row to continue the matching.
In order to apply some subsequent queries on top of the MATCH_RECOGNIZE
it might be required to
use time attributes. To select those there are available two functions:
Function | Description |
---|---|
MATCH_ROWTIME() |
Returns the timestamp of the last row that was mapped to the given pattern. The resulting attribute is a rowtime attribute that can be used in subsequent time-based operations such as time-windowed joins and group window or over window aggregations. |
MATCH_PROCTIME() |
Returns a proctime attribute that can be used in subsequent time-based operations such as time-windowed joins and group window or over window aggregations. |
Memory consumption is an important consideration when writing MATCH_RECOGNIZE
queries, as the
space of potential matches is built in a breadth-first-like manner. Having that in mind, one must
make sure that the pattern can finish. Preferably with a reasonable number of rows mapped to the
match as they have to fit into memory.
For example, the pattern must not have a quantifier without an upper limit that accepts every single row. Such a pattern could look like this:
The query will map every incoming row to the B
variable and thus will never finish. This query
could be fixed, e.g., by negating the condition for C
:
Or by using the reluctant quantifier:
Attention Please note that the MATCH_RECOGNIZE
clause
does not use a configured state retention time.
One may want to use the WITHIN
clause for this purpose.
Flink’s implementation of the MATCH_RECOGNIZE
clause is an ongoing effort, and some features of
the SQL standard are not yet supported.
Unsupported features include:
(A (B C)+)
is not a valid pattern.PATTERN((A B | C D) E)
, which means that either a subsequence
A B
or C D
has to be found before looking for the E
row.PERMUTE
operator - which is equivalent to all permutations of variables that it was applied
to e.g. PATTERN (PERMUTE (A, B, C))
= PATTERN (A B C | A C B | B A C | B C A | C A B | C B A)
.^, $
, which denote beginning/end of a partition, those do not make sense in the
streaming context and will not be supported.PATTERN ({- A -} B)
meaning that A
will be looked for but will not participate
in the output. This works only for the ALL ROWS PER MATCH
mode.PATTERN A??
only the greedy optional quantifier is supported.ALL ROWS PER MATCH
output mode - which produces an output row for every row that participated
in the creation of a found match. This also means:
MEASURES
clause is FINAL
CLASSIFIER
function, which returns the pattern variable that a row was mapped to, is not yet
supported.SUBSET
- which allows creating logical groups of pattern variables and using those groups in
the DEFINE
and MEASURES
clauses.PREV/NEXT
, which indexes all events seen rather than only those that were
mapped to a pattern variable (as in logical offsets case).MATCH_RECOGNIZE
is supported only for SQL. There is no equivalent in the Table API.