A security team is monitoring a banking transaction system for potential fraud. They need to detect accounts that perform multiple high-value transactions in rapid succession but remain inactive for at least 15 minutes before making another transaction burst. Which windowing function should you use in Evenstream?

Session windows are defined by gaps between activity. In this scenario, you want to identify bursts of high-value transactions that happen quickly, but then pause for at least 15 minutes before the next burst. A session window starts with the first transaction and continues to collect events until there’s a period of inactivity long enough to conclude the window—here, 15 minutes. When that gap occurs, the current window ends and a new session begins on the next transaction. This dynamic, gap-based behavior is perfect for grouping activity into distinct bursts separated by quiet periods. Tumbling windows are fixed-size blocks and don’t adapt to bursts that end due to inactivity; Hopping windows are fixed-size with overlaps, which can blur burst boundaries; Sliding windows continuously move forward, which also doesn’t align with the natural break caused by a pause. Therefore, a session window best fits the need to detect separate transaction bursts separated by at least 15 minutes of inactivity.