The Markov Models extension detects abnormal patterns in user activity during real-time analysis. There are two approaches for using this extension: supplying an existing Markov matrix, or training a matrix on incoming data.

You can input an existing Markov matrix as a CSV file. It should be an N x N matrix, and the first row should contain the state names, as shown in the following samples. The rows below it give the transition probabilities or transition counts for all the possible state transitions.

```
testState01,testState02,testState03
0.1,0.6,0.3
0.3,0.5,0.2
0.6,0.3,0.1
```

```
testState01,testState02,testState03
2,12,6
6,10,4
12,6,2
```

### Syntax

The following is the syntax for a query with the Markov Models extension using an existing matrix.

```
markov:markovChain(<String> id, <String> state, <int|long|time> durationToKeep, <double> alertThreshold, <String> markovMatrixStorageLocation, <boolean> train)
```

### Input parameters

The following are the input parameters for this extension.

Parameter | Required/Optional | Description |
---|---|---|
`id` | Required | The ID of the particular user or object being analyzed. |
`state` | Required | The current state of the ID. |
`durationToKeep` | Required | The maximum time duration to be considered for a continuous state change of a particular ID. |
`alertThreshold` | Required | The alert threshold probability. |
`markovMatrixStorageLocation` | Required | The location of the CSV file that contains the existing Markov matrix to be used. |
`train` | Optional | If this is set to |

### Output parameters

The following are the output parameters for this extension.

Parameter | Name | Description |
---|---|---|
| Last state | The previous state of the particular ID. |
`transitionProbability` | Transition probability | The transition probability between the previous state and the current state for a particular ID. |
`notify` | notify | This signifies a notification that indicates that the transition probability is less than or equal to the alert threshold probability. |

### Example

The following query returns notifications to indicate whether a transition probability is less than or equal to 0.2 according to the Markov matrix you have provided.

```
define stream InputStream (id string, state string);

from InputStream#markov:markovChain(id, state, 60 min, 0.2, "markovMatrixStorageLocation", false)
select id, lastState, state, transitionProbability, notify
insert into OutputStream;
```
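To make the alerting rule concrete, the following Python sketch replays the check the query above describes: it loads a matrix in the CSV format shown earlier, tracks the last state per `id`, and sets `notify` when the transition probability is less than or equal to the threshold. It is an added illustration, not the extension's own implementation. The names `load_matrix` and `score` are hypothetical, and it assumes that rows are previous states and columns are current states, that count rows are normalised per row, and that a gap longer than `durationToKeep` (here in seconds) resets the chain for that `id`.

```python
import csv
import io

# Constructed input: the two sample matrices from this page (probabilities, counts).
PROB_CSV = "testState01,testState02,testState03\n0.1,0.6,0.3\n0.3,0.5,0.2\n0.6,0.3,0.1\n"
COUNT_CSV = "testState01,testState02,testState03\n2,12,6\n6,10,4\n12,6,2\n"


def load_matrix(text):
    """Parse the N x N CSV; normalise each row so counts become probabilities."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    states, body = [s.strip() for s in rows[0]], rows[1:]
    if len(body) != len(states) or any(len(r) != len(states) for r in body):
        raise ValueError("matrix must be N x N with one header row of state names")
    matrix = {}
    for src, row in zip(states, body):
        values = [float(v) for v in row]
        total = sum(values)
        if total <= 0 or min(values) < 0:
            raise ValueError(f"row for {src!r} has no usable transitions")
        # Assumption: row = previous state, column = current state.
        matrix[src] = {dst: v / total for dst, v in zip(states, values)}
    return matrix


def score(events, matrix, duration_to_keep, alert_threshold):
    """Yield (id, lastState, state, transitionProbability, notify) per transition."""
    last = {}  # id -> (timestamp, state)
    for ts, ident, state in events:
        prev = last.get(ident)
        last[ident] = (ts, state)
        # Assumption: a gap longer than durationToKeep breaks the chain for that id.
        if prev is None or ts - prev[0] > duration_to_keep:
            continue
        # Choice made in this sketch: a state missing from the matrix scores 0.0.
        prob = matrix.get(prev[1], {}).get(state, 0.0)
        yield ident, prev[1], state, prob, prob <= alert_threshold


# Constructed events: (seconds, id, state), with 60 min kept and threshold 0.2.
EVENTS = [(0, "alice", "testState01"), (30, "alice", "testState02"),
          (60, "alice", "testState03"), (90, "bob", "testState03"),
          (120, "bob", "testState03"), (9000, "alice", "testState01")]

if __name__ == "__main__":
    for row in score(EVENTS, load_matrix(PROB_CSV), 3600, 0.2):
        print(row)
```

Both sample matrices on this page normalise to the same probabilities, so either file produces the same alerts. A transition whose probability equals the threshold exactly (0.2 here) still raises `notify`.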

This approach involves using a reasonable amount of incoming data to train a Markov matrix and then using it to create notifications.

### Syntax

The following is the syntax for a query with the Markov Models extension using a matrix newly built using incoming data.

```
markov:markovChain(<String> id, <String> state, <int|long|time> durationToKeep, <double> alertThreshold, <int|long> notificationsHoldLimit, <boolean> train)
```

### Input parameters

The following are the input parameters for this extension.

Parameter | Required/Optional | Description |
---|---|---|
`id` | Required | The ID of the particular user or object being analyzed. |
`state` | Required | The current state of the ID. |
`durationToKeep` | Required | The maximum time duration to be considered for a continuous state change of a particular ID. |
`alertThreshold` | Required | The alert threshold probability. |
`notificationsHoldLimit` | Required | The number of events that should be received before the matrix starts triggering notifications. |
`train` | Optional | If this is set to |

### Output parameters

The following are the output parameters for this extension.

Parameter | Name | Description |
---|---|---|
| Last state | The previous state of the particular ID. |
`transitionProbability` | Transition probability | The transition probability between the previous state and the current state for a particular ID. |
`notify` | notify | This signifies a notification that indicates that the transition probability is less than or equal to the alert threshold probability. |

### Example

The following query returns notifications that indicate whether a transition probability is less than or equal to 0.1 according to a Markov matrix that is built from the incoming data itself. It starts sending notifications after the first 500 events arrive.

```
define stream InputStream (id string, state string, train bool);

from InputStream#markov:markovChain(id, state, 60 min, 0.1, 500, train)
select id, lastState, state, transitionProbability, notify
insert into OutputStream;
```