7  Common Pitfalls and Worked Examples

Chapter	Topic
Stream Processing	Overview of batch vs. stream processing for IoT
Fundamentals	Windowing strategies, watermarks, and event-time semantics
Architectures	Kafka, Flink, and Spark Streaming comparison
Pipelines	End-to-end ingestion, processing, and output design
Challenges	Late data, exactly-once semantics, and backpressure
Pitfalls	Common mistakes and production worked examples
Basic Lab	ESP32 circular buffers, windows, and event detection
Advanced Lab	CEP, pattern matching, and anomaly detection on ESP32
Game & Summary	Interactive review game and module summary
Interoperability	Four levels of IoT interoperability
Interop Fundamentals	Technical, syntactic, semantic, and organizational layers
Interop Standards	SenML, JSON-LD, W3C WoT, and oneM2M
Integration Patterns	Protocol adapters, gateways, and ontology mapping

7.1 Learning Objectives

• Implement idempotent message processing using request IDs and deduplication to prevent double billing, double counting, and duplicate actions on retries
• Configure backpressure handling with bounded queues and blocking producers to prevent memory exhaustion when fast producers overwhelm slow consumers
• Design production fraud detection pipelines processing 2,000 TPS with <200ms latency using key-based partitioning, sliding windows, and exactly-once semantics
• Apply watermark strategies and allowed lateness handling to process out-of-order events in real-time payment systems
• Monitor stream processing health using Flink metrics for throughput, latency, checkpoint duration, and backpressure ratios

For Beginners: Stream Processing Pitfalls

Stream processing pitfalls are the common mistakes engineers make when handling real-time IoT data. Think of them as potholes on a road – knowing where they are helps you avoid them. Common traps include assuming data always arrives in order, ignoring late readings, and building systems that cannot recover from failures.

In 60 Seconds

The two most dangerous stream processing pitfalls are non-idempotent message processing (causing double billing, double counting, or duplicate actions on retries) and missing backpressure handling (causing memory exhaustion when producers overwhelm consumers). This chapter also presents a complete fraud detection pipeline worked example processing 2,000 transactions per second with <200ms P50 latency, exactly-once delivery, and velocity attack detection using key-based partitioning and sliding windows.

Key Concepts

• Worked Example: Detailed walkthrough of a specific streaming scenario showing both the pitfall pattern and the corrected implementation with quantified impact
• Throughput Bottleneck: Pipeline stage consuming events slower than the upstream stage produces them, causing consumer lag to grow and eventually data loss
• Memory Leak in State Store: Unbounded accumulation of state (event history, pattern matching state) in streaming operator state stores, eventually causing OOM failures
• Late Event Handling Strategy: Design decision for how to treat events arriving after their window has closed — drop silently, route to dead letter, or include with extended watermark
• Idempotent Processing: Stream operation that can be applied multiple times to the same event without changing the result beyond the first application, enabling safe at-least-once delivery
• Thundering Herd: Large number of IoT devices reconnecting simultaneously after a network outage, creating a traffic spike that overwhelms the stream ingestion tier
• Schema Incompatibility: Situation where a new message version cannot be deserialized by an older consumer, causing pipeline failures when producer and consumer are updated independently
• Debugging Streaming Pipelines: Techniques for tracing events through distributed streaming pipelines — sampling, event logging, distributed tracing with correlation IDs

Part of: Stream Processing for IoT

Previous: Handling Real-World Challenges

7.2 Common Pitfalls

⏱️ ~15 min | ⭐⭐⭐ Advanced | 📋 P10.C14.U06

Common Pitfall: Non-Idempotent Message Processing

The mistake: Without idempotency, retried messages cause duplicate processing. This leads to double counting, double billing, or repeated actions.

Symptoms:

• Duplicate actions (double billing, double counting)
• Data inconsistency
• Retry storms cause cascading effects
• Incorrect totals and aggregations

Wrong approach:

# Non-idempotent: Each message increments counter
def process(msg):
    counter += msg.value  # Duplicate messages double-count!

# Non-idempotent command
def process_command(cmd):
    if cmd.action == "dispense":
        dispense_item()  # Retry = dispense twice!

Correct approach:

# Idempotent: Use message ID for deduplication
def process(msg):
    if msg.id in processed_ids:
        return  # Already processed
    processed_ids.add(msg.id)
    counter += msg.value

# Idempotent command with request ID
def process_command(cmd):
    if cmd.request_id in completed:
        return completed[cmd.request_id]  # Return same result
    result = dispense_item()
    completed[cmd.request_id] = result
    return result

How to avoid:

• Include unique message IDs
• Track processed message IDs
• Design idempotent operations
• Use database constraints to prevent duplicates

Putting Numbers to It

A vending machine receives a $2 snack dispense command twice due to network retry. Without idempotency checks:

Non-idempotent outcome:

• Command 1: Dispense snack → Inventory: \(-1\), Customer charge: \(+\$2\)
• Command 2 (retry): Dispense again → Inventory: \(-1\), Customer charge: \(+\$2\)
• Total: \(-2\) items, \(+\$4\) charged, 100% overcharge

Idempotent fix (request ID tracking):

if request_id in completed:
    return cached_result  # No action
dispense_item()
completed[request_id] = result

Impact at scale: 10,000 transactions/day × 0.1% retry rate = 10 duplicates/day. Without idempotency: \(10 \times \$2 = \$20/day\) overcharge = $7,300/year in reconciliation costs.

Try It: Idempotency Impact Calculator

Explore how non-idempotent processing causes financial damage at scale. Adjust the transaction volume and retry rate to see the cost of missing deduplication.

viewof idem_txnPerDay = Inputs.range([1000, 100000], {
  value: 10000, step: 1000, label: "Transactions per day"
})

viewof idem_retryRate = Inputs.range([0.01, 5.0], {
  value: 0.1, step: 0.01, label: "Retry rate (%)"
})

viewof idem_avgAmount = Inputs.range([0.5, 50], {
  value: 2.0, step: 0.5, label: "Avg transaction amount ($)"
})

viewof idem_hasDedup = Inputs.toggle({label: "Idempotency enabled?", value: false})

idem_results = {
  const duplicatesPerDay = Math.round(idem_txnPerDay * (idem_retryRate / 100));
  const dailyCost = idem_hasDedup ? 0 : duplicatesPerDay * idem_avgAmount;
  const yearlyCost = dailyCost * 365;
  const dedupCacheSize = Math.round(idem_txnPerDay * 1.2);

  const statusColor = idem_hasDedup ? "#16A085" : "#E74C3C";
  const statusText = idem_hasDedup ? "PROTECTED" : "VULNERABLE";

  return html`<div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 12px; margin-top: 10px;">
    <div style="background: #f8f9fa; border-radius: 8px; padding: 16px; border-left: 4px solid #3498DB;">
      <div style="font-size: 0.8em; color: #7F8C8D;">Retried Messages / Day</div>
      <div style="font-size: 1.6em; font-weight: bold; color: #2C3E50;">${duplicatesPerDay.toLocaleString()}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 16px; border-left: 4px solid ${idem_hasDedup ? '#16A085' : '#E74C3C'};">
      <div style="font-size: 0.8em; color: #7F8C8D;">Daily Overcharge</div>
      <div style="font-size: 1.6em; font-weight: bold; color: ${idem_hasDedup ? '#16A085' : '#E74C3C'};">$${dailyCost.toFixed(2)}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 16px; border-left: 4px solid ${idem_hasDedup ? '#16A085' : '#E74C3C'};">
      <div style="font-size: 0.8em; color: #7F8C8D;">Yearly Cost</div>
      <div style="font-size: 1.6em; font-weight: bold; color: ${idem_hasDedup ? '#16A085' : '#E74C3C'};">$${yearlyCost.toLocaleString(undefined, {minimumFractionDigits: 0, maximumFractionDigits: 0})}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 16px; border-left: 4px solid ${statusColor};">
      <div style="font-size: 0.8em; color: #7F8C8D;">Status</div>
      <div style="font-size: 1.4em; font-weight: bold; color: ${statusColor};">${statusText}</div>
    </div>
  </div>
  <div style="margin-top: 12px; padding: 12px; background: ${idem_hasDedup ? '#e8f8f5' : '#fdedec'}; border-radius: 6px; font-size: 0.9em; color: #2C3E50;">
    ${idem_hasDedup
      ? `With idempotency enabled, all ${duplicatesPerDay} retried messages are safely deduplicated. Dedup cache tracks ~${dedupCacheSize.toLocaleString()} request IDs. Zero financial impact from retries.`
      : `Without idempotency, ${duplicatesPerDay} retried messages cause ${duplicatesPerDay} duplicate actions per day. At $${idem_avgAmount.toFixed(2)} average, that is $${yearlyCost.toLocaleString()} per year in overcharges, reconciliation, and customer complaints.`
    }
  </div>`;
}

Common Pitfall: Missing Backpressure Handling

The mistake: Without backpressure, slow consumers are overwhelmed by fast producers. This causes memory exhaustion, dropped messages, and system crashes during traffic spikes.

Symptoms:

• Memory exhaustion
• System crashes under load
• Lost data during traffic spikes
• Increasing latency

Wrong approach:

# Unbounded queue - memory grows indefinitely
queue = []
def producer():
    while True:
        queue.append(generate_data())

def consumer():
    while queue:
        process(queue.pop(0))  # Slower than producer
# Eventually: OutOfMemoryError

Correct approach:

# Bounded queue with backpressure
from queue import Queue

queue = Queue(maxsize=1000)

def producer():
    while True:
        queue.put(generate_data(), block=True)  # Blocks when full

# Or drop/sample under pressure
def producer_with_sampling():
    if queue.full():
        if random() < 0.1:  # Keep 10% under pressure
            queue.put_nowait(data)
    else:
        queue.put(data)

How to avoid:

• Use bounded buffers and queues
• Implement blocking producers
• Add sampling under load
• Monitor queue depths
• Scale consumers dynamically

Try It: Backpressure Throughput Simulator

See what happens when producers generate data faster than consumers can process it. Adjust the rates and watch queue depth, memory usage, and dropped events in real time.

viewof bp_inputRate = Inputs.range([100, 10000], {
  value: 2000, step: 100, label: "Producer rate (events/sec)"
})

viewof bp_processRate = Inputs.range([100, 10000], {
  value: 1500, step: 100, label: "Consumer capacity (events/sec)"
})

viewof bp_queueMax = Inputs.range([100, 10000], {
  value: 1000, step: 100, label: "Queue max size"
})

viewof bp_strategy = Inputs.select(
  ["unbounded", "block_producer", "drop_newest", "sample_10pct"],
  {value: "unbounded", label: "Backpressure strategy", format: x => ({
    "unbounded": "Unbounded (no backpressure)",
    "block_producer": "Block producer when full",
    "drop_newest": "Drop newest when full",
    "sample_10pct": "Sample 10% under pressure"
  })[x]}
)

bp_simulation = {
  const seconds = 30;
  const overflow = bp_inputRate - bp_processRate;
  let queue = 0;
  let dropped = 0;
  let processed = 0;
  let memoryMB = 0;
  const timeline = [];

  for (let t = 1; t <= seconds; t++) {
    let incoming = bp_inputRate;
    let droppedThisSec = 0;
    let processedThisSec = Math.min(queue + incoming, bp_processRate);

    if (bp_strategy === "unbounded") {
      queue = queue + incoming - processedThisSec;
    } else if (bp_strategy === "block_producer") {
      const canAccept = Math.max(0, bp_queueMax - queue);
      const accepted = Math.min(incoming, canAccept + processedThisSec);
      queue = Math.min(bp_queueMax, queue + accepted - processedThisSec);
      droppedThisSec = 0; // producer just waits
    } else if (bp_strategy === "drop_newest") {
      queue = queue + incoming - processedThisSec;
      if (queue > bp_queueMax) {
        droppedThisSec = queue - bp_queueMax;
        queue = bp_queueMax;
      }
    } else if (bp_strategy === "sample_10pct") {
      if (queue >= bp_queueMax * 0.8) {
        const sampled = Math.round(incoming * 0.1);
        droppedThisSec = incoming - sampled;
        incoming = sampled;
      }
      queue = queue + incoming - processedThisSec;
      if (queue > bp_queueMax) {
        droppedThisSec += queue - bp_queueMax;
        queue = bp_queueMax;
      }
    }

    dropped += droppedThisSec;
    processed += processedThisSec;
    memoryMB = queue * 0.001; // ~1KB per event

    timeline.push({t, queue: Math.round(queue), dropped: Math.round(dropped), processed: Math.round(processed), memoryMB: memoryMB.toFixed(1)});
  }

  const final = timeline[timeline.length - 1];
  const isHealthy = final.queue < bp_queueMax * 0.8;
  const willCrash = bp_strategy === "unbounded" && overflow > 0;

  return html`<div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 10px; margin-top: 10px;">
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid ${overflow > 0 ? '#E74C3C' : '#16A085'};">
      <div style="font-size: 0.75em; color: #7F8C8D;">Rate Imbalance</div>
      <div style="font-size: 1.4em; font-weight: bold; color: ${overflow > 0 ? '#E74C3C' : '#16A085'};">${overflow > 0 ? '+' : ''}${overflow} evt/s</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #3498DB;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Queue after ${seconds}s</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #2C3E50;">${final.queue.toLocaleString()}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #E67E22;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Events Dropped</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #E67E22;">${final.dropped.toLocaleString()}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid ${willCrash ? '#E74C3C' : '#16A085'};">
      <div style="font-size: 0.75em; color: #7F8C8D;">Memory Est.</div>
      <div style="font-size: 1.4em; font-weight: bold; color: ${willCrash ? '#E74C3C' : '#2C3E50'};">${final.memoryMB} MB</div>
    </div>
  </div>
  <div style="margin-top: 10px; padding: 10px; border-radius: 6px; font-size: 0.85em; background: ${willCrash ? '#fdedec' : isHealthy ? '#e8f8f5' : '#fef9e7'}; color: #2C3E50;">
    ${willCrash
      ? `DANGER: Unbounded queue grows by ${overflow} events/sec. After ${seconds}s, queue holds ${final.queue.toLocaleString()} events (~${final.memoryMB} MB). In production this leads to OutOfMemoryError and system crash.`
      : overflow <= 0
        ? `Consumer capacity (${bp_processRate}/s) exceeds producer rate (${bp_inputRate}/s). Queue stays empty. System is healthy with ${bp_processRate - bp_inputRate} events/sec headroom.`
        : bp_strategy === "block_producer"
          ? `Producer blocks when queue reaches ${bp_queueMax}. Queue stabilized at ${final.queue}. No data loss, but producer throughput is throttled to match consumer capacity.`
          : bp_strategy === "drop_newest"
            ? `Dropping newest events when queue is full. ${final.dropped.toLocaleString()} events dropped over ${seconds}s (${(final.dropped / (bp_inputRate * seconds) * 100).toFixed(1)}% data loss). Queue bounded at ${bp_queueMax}.`
            : `Sampling 10% under pressure. ${final.dropped.toLocaleString()} events dropped over ${seconds}s. Queue bounded at ${bp_queueMax}. Good for metrics/monitoring where sampling is acceptable.`
    }
  </div>`;
}

7.3 Worked Example: Real-Time Fraud Detection Pipeline

7.4 Worked Example: Stream Processing for Payment Terminal Fraud Detection

Scenario: A payment processor operates 50,000 IoT payment terminals (card readers, POS systems) generating 2,000 transactions per second. The fraud team needs to detect suspicious patterns in real-time: - Velocity attacks: Same card used at multiple distant locations within minutes - Amount anomalies: Unusual transaction amounts for a given merchant - Burst attacks: Many small transactions in rapid succession

Goal: Design a stream processing pipeline that detects fraud within 500ms of transaction arrival while ensuring exactly-once processing to prevent false positives and missed detections.

Step 1: Define Data Model and Ingestion

What we do: Define the transaction event schema and set up Kafka ingestion.

Event Schema:

# Transaction event from payment terminal
transaction_schema = {
    "transaction_id": "uuid",       # Unique identifier
    "card_hash": "string",          # Anonymized card identifier
    "terminal_id": "string",        # Payment terminal ID
    "merchant_id": "string",        # Merchant identifier
    "amount_cents": "int",          # Transaction amount in cents
    "currency": "string",           # ISO currency code
    "location": {
        "lat": "double",
        "lon": "double"
    },
    "timestamp": "timestamp",       # Event time (when card was swiped)
    "terminal_time": "timestamp"    # Processing time (when terminal sent)
}

# Example event
{
    "transaction_id": "txn-a1b2c3d4",
    "card_hash": "hash_xyz789",
    "terminal_id": "term_12345",
    "merchant_id": "merch_grocery_001",
    "amount_cents": 4523,
    "currency": "USD",
    "location": {"lat": 40.7128, "lon": -74.0060},
    "timestamp": "2026-01-10T14:23:45.123Z",
    "terminal_time": "2026-01-10T14:23:45.456Z"
}

Kafka Topic Configuration:

# Kafka topic for raw transactions
topic_config = {
    "name": "transactions-raw",
    "partitions": 32,              # Parallelism for 2K TPS
    "replication_factor": 3,       # Durability
    "retention_ms": 7 * 24 * 3600 * 1000,  # 7 days
    "cleanup_policy": "delete"
}

# Partition by card_hash for ordered per-card processing
# This ensures all transactions for a card go to same partition
producer.send(
    "transactions-raw",
    key=transaction["card_hash"],
    value=transaction
)

Try It: Kafka Partition Calculator

Explore how partition count and replication factor affect throughput capacity and fault tolerance for the fraud detection pipeline.

viewof kp_tps = Inputs.range([500, 20000], {
  value: 2000, step: 100, label: "Target throughput (TPS)"
})

viewof kp_partitions = Inputs.range([1, 128], {
  value: 32, step: 1, label: "Number of partitions"
})

viewof kp_replication = Inputs.range([1, 5], {
  value: 3, step: 1, label: "Replication factor"
})

kp_results = {
  const perPartitionTps = Math.round(kp_tps / kp_partitions);
  const maxTpsEstimate = kp_partitions * 200; // ~200 TPS per partition typical
  const hasHeadroom = maxTpsEstimate >= kp_tps * 1.25;
  const toleratedFailures = kp_replication - 1;
  const storageMultiplier = kp_replication;
  const retentionDays = 7;
  const dailyDataGB = (kp_tps * 86400 * 0.5) / (1024 * 1024 * 1024); // 500 bytes per event
  const totalStorageGB = (dailyDataGB * retentionDays * storageMultiplier).toFixed(1);

  return html`<div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(170px, 1fr)); gap: 10px; margin-top: 10px;">
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #3498DB;">
      <div style="font-size: 0.75em; color: #7F8C8D;">TPS per Partition</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #2C3E50;">${perPartitionTps}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid ${hasHeadroom ? '#16A085' : '#E74C3C'};">
      <div style="font-size: 0.75em; color: #7F8C8D;">Est. Max Throughput</div>
      <div style="font-size: 1.4em; font-weight: bold; color: ${hasHeadroom ? '#16A085' : '#E74C3C'};">${maxTpsEstimate.toLocaleString()} TPS</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #E67E22;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Broker Failures Tolerated</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #E67E22;">${toleratedFailures}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #9B59B6;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Storage (7-day retention)</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #9B59B6;">${totalStorageGB} GB</div>
    </div>
  </div>
  <div style="margin-top: 10px; padding: 10px; border-radius: 6px; font-size: 0.85em; background: ${hasHeadroom ? '#e8f8f5' : '#fdedec'}; color: #2C3E50;">
    ${hasHeadroom
      ? `${kp_partitions} partitions provide ~${maxTpsEstimate.toLocaleString()} TPS capacity for a ${kp_tps.toLocaleString()} TPS target (${((maxTpsEstimate / kp_tps) * 100).toFixed(0)}% headroom). With replication factor ${kp_replication}, the cluster tolerates ${toleratedFailures} broker failure(s).`
      : `WARNING: ${kp_partitions} partitions may be insufficient. Estimated capacity ~${maxTpsEstimate.toLocaleString()} TPS is below the ${kp_tps.toLocaleString()} TPS target. Consider increasing partitions to at least ${Math.ceil(kp_tps * 1.25 / 200)}.`
    }
  </div>`;
}

Why: Partitioning by card_hash ensures all transactions for a single card arrive at the same Flink task instance in order. This is critical for velocity detection (same card at multiple locations) without expensive cross-partition coordination.

Step 2: Design Windowed Aggregations

What we do: Implement sliding windows to detect velocity and burst attacks.

Flink Pipeline for Velocity Detection:

from pyflink.datastream import StreamExecutionEnvironment
from pyflink.datastream.window import SlidingEventTimeWindows
from pyflink.common.time import Time

env = StreamExecutionEnvironment.get_execution_environment()
env.set_parallelism(32)

# Velocity detection: Same card, different locations within 5 min
velocity_alerts = (
    env.add_source(kafka_source)
    .key_by(lambda t: t["card_hash"])
    .window(SlidingEventTimeWindows.of(
        Time.minutes(5), Time.seconds(30)))
    .apply(VelocityDetector())
)

class VelocityDetector:
    def apply(self, card_hash, window, transactions):
        """Detect impossible travel (>100km in <5 min)."""
        locations = [(t["location"], t["timestamp"])
                     for t in transactions]
        for i, (loc1, t1) in enumerate(locations):
            for loc2, t2 in locations[i+1:]:
                speed = haversine(loc1, loc2) / (
                    abs((t2-t1).total_seconds()) / 3600)
                if speed > 500:  # Impossible by car
                    yield FraudAlert(card_hash=card_hash,
                        alert_type="VELOCITY_ATTACK",
                        confidence=min(0.99, speed / 1000))
                    return

Burst Attack Detection:

# Burst detection: >10 transactions in 2 minutes from same card
burst_alerts = (
    transactions
    .key_by(lambda t: t["card_hash"])
    .window(SlidingEventTimeWindows.of(
        Time.minutes(2),    # Window size: 2 minutes
        Time.seconds(15)    # Slide: check every 15 seconds
    ))
    .apply(BurstDetector())
)

class BurstDetector:
    def apply(self, card_hash, window, transactions):
        """Detect card testing attacks (many small transactions)."""
        txn_list = list(transactions)
        count = len(txn_list)
        avg_amount = sum(t["amount_cents"] for t in txn_list) / count

        # Flag: >10 transactions OR >5 transactions with avg <$5
        if count > 10 or (count > 5 and avg_amount < 500):
            yield FraudAlert(
                card_hash=card_hash,
                alert_type="BURST_ATTACK",
                confidence=min(0.95, count / 20),
                transactions=[t["transaction_id"] for t in txn_list],
                details=f"{count} txns, avg ${avg_amount/100:.2f}"
            )

Try It: Window Size Impact Visualizer

Explore the trade-offs of sliding window configuration for fraud detection. Larger windows catch more patterns but increase latency and memory. Smaller slides detect faster but cost more computation.

viewof win_windowSize = Inputs.range([1, 30], {
  value: 5, step: 1, label: "Window size (minutes)"
})

viewof win_slideInterval = Inputs.range([5, 120], {
  value: 30, step: 5, label: "Slide interval (seconds)"
})

viewof win_cardsActive = Inputs.range([1000, 100000], {
  value: 20000, step: 1000, label: "Active cards in window"
})

viewof win_tps = Inputs.range([500, 10000], {
  value: 2000, step: 100, label: "Transaction rate (TPS)"
})

win_analysis = {
  const windowSizeSec = win_windowSize * 60;
  const eventsPerWindow = win_tps * windowSizeSec;
  const slidesPerWindow = windowSizeSec / win_slideInterval;
  const evaluationsPerSec = 1 / win_slideInterval;
  const eventsPerEval = eventsPerWindow;
  const memoryPerCardMB = (win_tps / win_cardsActive) * windowSizeSec * 0.0005; // ~500 bytes per txn
  const totalMemoryGB = (memoryPerCardMB * win_cardsActive / 1024).toFixed(2);
  const maxDetectionDelaySec = win_slideInterval;
  const velocityWindowOK = win_windowSize >= 3;
  const burstWindowOK = win_windowSize <= 5;

  // Compute overlap count: how many windows contain a single event
  const overlapCount = Math.ceil(windowSizeSec / win_slideInterval);
  const computeCostRelative = (overlapCount * eventsPerWindow / 1000000).toFixed(1);

  return html`<div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(170px, 1fr)); gap: 10px; margin-top: 10px;">
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #3498DB;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Events per Window</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #2C3E50;">${eventsPerWindow.toLocaleString()}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #E67E22;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Max Detection Delay</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #E67E22;">${maxDetectionDelaySec}s</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #9B59B6;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Window Overlap Factor</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #9B59B6;">${overlapCount}x</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid ${parseFloat(totalMemoryGB) > 10 ? '#E74C3C' : '#16A085'};">
      <div style="font-size: 0.75em; color: #7F8C8D;">State Memory Est.</div>
      <div style="font-size: 1.4em; font-weight: bold; color: ${parseFloat(totalMemoryGB) > 10 ? '#E74C3C' : '#16A085'};">${totalMemoryGB} GB</div>
    </div>
  </div>
  <div style="margin-top: 10px; display: grid; grid-template-columns: 1fr 1fr; gap: 10px;">
    <div style="padding: 10px; border-radius: 6px; background: ${velocityWindowOK ? '#e8f8f5' : '#fdedec'}; font-size: 0.85em; color: #2C3E50;">
      <strong>Velocity Detection:</strong> ${velocityWindowOK
        ? `${win_windowSize}-min window captures travel patterns. A card used in two cities ${win_windowSize} minutes apart will be detected.`
        : `Window too small (${win_windowSize} min). Velocity attacks spanning >=${win_windowSize + 1} minutes will be missed. Recommend >= 3 minutes.`}
    </div>
    <div style="padding: 10px; border-radius: 6px; background: ${burstWindowOK ? '#e8f8f5' : '#fef9e7'}; font-size: 0.85em; color: #2C3E50;">
      <strong>Burst Detection:</strong> ${burstWindowOK
        ? `${win_windowSize}-min window is well-sized for burst attacks. Detects rapid card testing within the window.`
        : `${win_windowSize}-min window is large for burst detection. May accumulate legitimate transactions. Consider a separate smaller window (2 min) for bursts.`}
    </div>
  </div>
  <div style="margin-top: 10px; padding: 10px; border-radius: 6px; font-size: 0.85em; background: #eaf2f8; color: #2C3E50;">
    <strong>Computation:</strong> Each event belongs to ${overlapCount} overlapping windows. With a ${win_slideInterval}s slide, the system evaluates ${(60 / win_slideInterval).toFixed(1)} times per minute per card. Total state: ~${totalMemoryGB} GB across ${win_cardsActive.toLocaleString()} active cards.
  </div>`;
}

Why: Sliding windows allow continuous evaluation without waiting for window boundaries. A 5-minute window sliding every 30 seconds catches fraud quickly while reducing computational overhead compared to per-event evaluation.

Step 3: Implement Exactly-Once Semantics

What we do: Configure checkpointing and idempotent sinks to prevent duplicates.

Checkpointing Configuration:

from pyflink.datastream import CheckpointingMode

# Enable exactly-once checkpointing
env.enable_checkpointing(
    interval=10000,  # Checkpoint every 10 seconds
    mode=CheckpointingMode.EXACTLY_ONCE
)

# Checkpoint configuration
env.get_checkpoint_config().set_min_pause_between_checkpoints(5000)
env.get_checkpoint_config().set_checkpoint_timeout(60000)
env.get_checkpoint_config().set_max_concurrent_checkpoints(1)
env.get_checkpoint_config().enable_externalized_checkpoints(
    ExternalizedCheckpointCleanup.RETAIN_ON_CANCELLATION
)

# State backend for large state (card history)
env.set_state_backend(RocksDBStateBackend("s3://flink-state/checkpoints"))

Idempotent Alert Sink:

class IdempotentAlertSink:
    """Ensures each alert is processed exactly once."""

    def __init__(self, redis_client, alert_topic):
        self.redis = redis_client
        self.kafka_producer = KafkaProducer(
            bootstrap_servers="kafka:9092",
            enable_idempotence=True,  # Kafka idempotent producer
            acks="all"
        )
        self.alert_topic = alert_topic

    def invoke(self, alert: FraudAlert):
        # Deduplication key: alert_type + card + window_end
        dedup_key = f"alert:{alert.alert_type}:{alert.card_hash}:{alert.window_end}"

        # Check if already processed (Redis SET NX with TTL)
        if self.redis.set(dedup_key, "1", nx=True, ex=3600):
            # First time seeing this alert - process it
            self.kafka_producer.send(
                self.alert_topic,
                key=alert.card_hash,
                value=alert.to_json()
            )
            # Also write to PostgreSQL for audit
            self.write_to_postgres(alert)
        # else: Already processed, skip (idempotent)

    def write_to_postgres(self, alert):
        """Idempotent insert using ON CONFLICT."""
        self.cursor.execute("""
            INSERT INTO fraud_alerts
                (alert_id, card_hash, alert_type, confidence, created_at)
            VALUES (%s, %s, %s, %s, %s)
            ON CONFLICT (alert_id) DO NOTHING
        """, (alert.id, alert.card_hash, alert.alert_type,
              alert.confidence, alert.created_at))

Try It: Delivery Guarantee and Checkpoint Simulator

Compare delivery semantics and see how checkpoint intervals affect data safety and overhead. What happens when a failure occurs mid-processing?

viewof eo_guarantee = Inputs.select(
  ["at_most_once", "at_least_once", "exactly_once"],
  {value: "exactly_once", label: "Delivery guarantee", format: x => ({
    "at_most_once": "At-Most-Once",
    "at_least_once": "At-Least-Once",
    "exactly_once": "Exactly-Once"
  })[x]}
)

viewof eo_checkpointSec = Inputs.range([1, 60], {
  value: 10, step: 1, label: "Checkpoint interval (seconds)"
})

viewof eo_failureRate = Inputs.range([0.1, 10], {
  value: 1.0, step: 0.1, label: "Failures per hour"
})

viewof eo_tpsRate = Inputs.range([500, 10000], {
  value: 2000, step: 100, label: "Throughput (TPS)"
})

eo_analysis = {
  const eventsAtRisk = eo_tpsRate * eo_checkpointSec;
  const failuresPerDay = eo_failureRate * 24;
  const reprocessedPerFailure = eventsAtRisk;

  let duplicatesPerDay, lostPerDay, overheadPct, description, descColor;

  if (eo_guarantee === "at_most_once") {
    duplicatesPerDay = 0;
    lostPerDay = Math.round(reprocessedPerFailure * failuresPerDay);
    overheadPct = 0;
    descColor = "#E74C3C";
    description = `At-most-once: No retries on failure. ${lostPerDay.toLocaleString()} events lost per day. Zero duplicates but unacceptable for financial data. No checkpoint overhead.`;
  } else if (eo_guarantee === "at_least_once") {
    duplicatesPerDay = Math.round(reprocessedPerFailure * failuresPerDay);
    lostPerDay = 0;
    overheadPct = 2;
    descColor = "#E67E22";
    description = `At-least-once: Retries on failure cause ${duplicatesPerDay.toLocaleString()} duplicate events per day. No data loss, but without deduplication, duplicates cause double-counting and false fraud alerts. Low overhead.`;
  } else {
    duplicatesPerDay = 0;
    lostPerDay = 0;
    overheadPct = Math.min(30, Math.round(5 + (60 / eo_checkpointSec)));
    descColor = "#16A085";
    description = `Exactly-once: Flink checkpoints every ${eo_checkpointSec}s coordinate with Kafka transactions and Redis dedup. Zero duplicates, zero loss. Overhead: ~${overheadPct}% from checkpointing, 2-phase commit, and dedup lookups.`;
  }

  const checkpointsPerMin = 60 / eo_checkpointSec;
  const recoveryTimeSec = eo_checkpointSec * 2; // rough estimate

  return html`<div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 10px; margin-top: 10px;">
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid ${lostPerDay > 0 ? '#E74C3C' : '#16A085'};">
      <div style="font-size: 0.75em; color: #7F8C8D;">Events Lost / Day</div>
      <div style="font-size: 1.4em; font-weight: bold; color: ${lostPerDay > 0 ? '#E74C3C' : '#16A085'};">${lostPerDay.toLocaleString()}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid ${duplicatesPerDay > 0 ? '#E67E22' : '#16A085'};">
      <div style="font-size: 0.75em; color: #7F8C8D;">Duplicates / Day</div>
      <div style="font-size: 1.4em; font-weight: bold; color: ${duplicatesPerDay > 0 ? '#E67E22' : '#16A085'};">${duplicatesPerDay.toLocaleString()}</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #3498DB;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Events at Risk</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #3498DB;">${eventsAtRisk.toLocaleString()}</div>
      <div style="font-size: 0.7em; color: #7F8C8D;">between checkpoints</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #9B59B6;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Overhead</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #9B59B6;">~${overheadPct}%</div>
    </div>
  </div>
  <div style="margin-top: 10px; display: grid; grid-template-columns: 1fr 1fr; gap: 10px;">
    <div style="padding: 10px; border-radius: 6px; background: #eaf2f8; font-size: 0.85em; color: #2C3E50;">
      <strong>Checkpoint Stats:</strong> ${checkpointsPerMin.toFixed(1)} checkpoints/min, ~${recoveryTimeSec}s estimated recovery time, ${eventsAtRisk.toLocaleString()} events reprocessed on failure.
    </div>
    <div style="padding: 10px; border-radius: 6px; background: #eaf2f8; font-size: 0.85em; color: #2C3E50;">
      <strong>Failure Impact:</strong> ~${failuresPerDay.toFixed(1)} failures/day. ${eo_guarantee === "exactly_once" ? "All reprocessed events deduplicated via Redis + Kafka transactions." : eo_guarantee === "at_least_once" ? "Each failure replays " + eventsAtRisk.toLocaleString() + " events, causing duplicates." : "Each failure loses up to " + eventsAtRisk.toLocaleString() + " events."}
    </div>
  </div>
  <div style="margin-top: 10px; padding: 10px; border-radius: 6px; font-size: 0.85em; background: ${descColor === '#16A085' ? '#e8f8f5' : descColor === '#E67E22' ? '#fef9e7' : '#fdedec'}; color: #2C3E50;">
    ${description}
  </div>`;
}

Why: Exactly-once requires coordination between Flink checkpoints, Kafka transactions, and downstream sinks. The Redis deduplication key and PostgreSQL ON CONFLICT ensure that even if a failure causes reprocessing, each alert is delivered exactly once.

Step 4: Handle Late-Arriving Data

What we do: Configure watermarks and allowed lateness for out-of-order events.

Watermark Strategy:

from pyflink.datastream import WatermarkStrategy
from pyflink.common import Duration

# Watermark: event_time - 30 seconds (allow 30s network delay)
watermark_strategy = (
    WatermarkStrategy
    .for_bounded_out_of_orderness(Duration.of_seconds(30))
    .with_timestamp_assigner(
        lambda t, _: t["timestamp"].timestamp() * 1000
    )
)

transactions_with_watermarks = transactions.assign_timestamps_and_watermarks(
    watermark_strategy
)

# Window configuration with allowed lateness
velocity_alerts = (
    transactions_with_watermarks
    .key_by(lambda t: t["card_hash"])
    .window(SlidingEventTimeWindows.of(Time.minutes(5), Time.seconds(30)))
    .allowed_lateness(Time.minutes(2))  # Accept late data up to 2 min
    .side_output_late_data(late_data_tag)  # Capture very late data
    .apply(VelocityDetector())
)

# Handle late data separately (log for investigation)
late_transactions = velocity_alerts.get_side_output(late_data_tag)
late_transactions.add_sink(late_data_sink)  # Write to audit log

Late Data Handling Policy:

# Terminal clock drift detection
class ClockDriftMonitor:
    def process(self, transaction):
        event_time = transaction["timestamp"]
        processing_time = datetime.now(timezone.utc)
        drift_seconds = (processing_time - event_time).total_seconds()

        # Flag terminals with >60s clock drift
        if abs(drift_seconds) > 60:
            yield TerminalAlert(
                terminal_id=transaction["terminal_id"],
                alert_type="CLOCK_DRIFT",
                drift_seconds=drift_seconds
            )

Try It: Late Event Simulator

Explore how watermarks and allowed lateness determine which events get processed and which are dropped. Inject late events and see how the system handles them.

viewof late_watermarkDelay = Inputs.range([5, 120], {
  value: 30, step: 5, label: "Watermark delay (seconds)"
})

viewof late_allowedLateness = Inputs.range([0, 300], {
  value: 120, step: 10, label: "Allowed lateness (seconds)"
})

viewof late_clockDrift = Inputs.range([0, 180], {
  value: 15, step: 5, label: "Terminal clock drift (seconds)"
})

viewof late_networkDelay = Inputs.range([0, 120], {
  value: 10, step: 5, label: "Network delay (seconds)"
})

late_events = {
  // Generate sample events with various delays
  const totalLatency = late_clockDrift + late_networkDelay;
  const events = [
    {id: 1, label: "On-time event", delay: 2, type: "normal"},
    {id: 2, label: "Slightly late", delay: Math.round(late_watermarkDelay * 0.5), type: "normal"},
    {id: 3, label: "Near watermark", delay: late_watermarkDelay - 2, type: "normal"},
    {id: 4, label: "At watermark edge", delay: late_watermarkDelay + 1, type: "late"},
    {id: 5, label: "Moderately late", delay: late_watermarkDelay + 30, type: "late"},
    {id: 6, label: "Terminal drift event", delay: totalLatency, type: totalLatency <= late_watermarkDelay ? "normal" : "late"},
    {id: 7, label: "Very late event", delay: late_watermarkDelay + late_allowedLateness - 10, type: "late"},
    {id: 8, label: "Extremely late", delay: late_watermarkDelay + late_allowedLateness + 30, type: "dropped"}
  ];

  // Determine fate of each event
  const processed = events.map(e => {
    let status, color;
    if (e.delay <= late_watermarkDelay) {
      status = "PROCESSED (in window)";
      color = "#16A085";
    } else if (e.delay <= late_watermarkDelay + late_allowedLateness) {
      status = "LATE (accepted)";
      color = "#E67E22";
    } else {
      status = "DROPPED (side output)";
      color = "#E74C3C";
    }
    return {...e, status, color};
  });

  const inWindow = processed.filter(e => e.color === "#16A085").length;
  const lateAccepted = processed.filter(e => e.color === "#E67E22").length;
  const dropped = processed.filter(e => e.color === "#E74C3C").length;

  return html`<div style="display: grid; grid-template-columns: repeat(3, 1fr); gap: 10px; margin-top: 10px;">
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #16A085;">
      <div style="font-size: 0.75em; color: #7F8C8D;">In Window</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #16A085;">${inWindow} events</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #E67E22;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Late but Accepted</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #E67E22;">${lateAccepted} events</div>
    </div>
    <div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid #E74C3C;">
      <div style="font-size: 0.75em; color: #7F8C8D;">Dropped to Side Output</div>
      <div style="font-size: 1.4em; font-weight: bold; color: #E74C3C;">${dropped} events</div>
    </div>
  </div>
  <div style="margin-top: 12px; border: 1px solid #dee2e6; border-radius: 8px; overflow: hidden;">
    <div style="display: grid; grid-template-columns: 2fr 1fr 1fr 2fr; background: #2C3E50; color: white; padding: 8px 12px; font-size: 0.8em; font-weight: bold;">
      <span>Event</span><span>Delay</span><span>Watermark</span><span>Result</span>
    </div>
    ${processed.map(e => html`<div style="display: grid; grid-template-columns: 2fr 1fr 1fr 2fr; padding: 6px 12px; font-size: 0.82em; border-bottom: 1px solid #f0f0f0; background: ${e.color}11;">
      <span style="color: #2C3E50;">${e.label}</span>
      <span style="color: #2C3E50;">${e.delay}s</span>
      <span style="color: #2C3E50;">${late_watermarkDelay}s</span>
      <span style="color: ${e.color}; font-weight: bold;">${e.status}</span>
    </div>`)}
  </div>
  <div style="margin-top: 10px; padding: 10px; border-radius: 6px; font-size: 0.85em; background: #eaf2f8; color: #2C3E50;">
    <strong>Timeline:</strong> Watermark = event_time - ${late_watermarkDelay}s. Events arriving within ${late_watermarkDelay}s are processed normally. Events up to ${late_watermarkDelay + late_allowedLateness}s late are accepted (may trigger window re-evaluation). Events beyond ${late_watermarkDelay + late_allowedLateness}s are sent to side output for audit. Terminal drift of ${late_clockDrift}s + network delay of ${late_networkDelay}s = ${totalLatency}s total latency, which is ${totalLatency <= late_watermarkDelay ? "within" : "beyond"} the watermark threshold.
  </div>`;
}

Why: Payment terminals may have network delays or clock drift. A 30-second watermark delay handles normal network latency, while 2-minute allowed lateness captures most edge cases. Very late data goes to side output for manual review rather than being silently dropped.

Step 5: Monitor Pipeline Health

What we do: Add metrics and alerting for pipeline reliability.

Key Metrics (exposed to Prometheus):

pipeline_metrics = {
    "transactions_processed_total": Counter,
    "transactions_processed_rate": Gauge,     # TPS
    "processing_latency_ms": Histogram,       # End-to-end
    "event_time_lag_ms": Gauge,               # Real-time lag
    "fraud_alerts_total": Counter,
    "checkpoint_duration_ms": Histogram,
    "checkpoint_failures_total": Counter,
    "backpressure_ratio": Gauge
}

Critical Alert Rules (Prometheus/Alertmanager):

- alert: HighProcessingLatency
  expr: histogram_quantile(0.99, processing_latency_ms) > 500
  for: 2m
  annotations:
    summary: "Fraud detection latency exceeds 500ms SLA"
- alert: CheckpointFailures
  expr: increase(checkpoint_failures_total[5m]) > 0
  for: 1m
- alert: HighBackpressure
  expr: backpressure_ratio > 0.5
  for: 5m

Try It: Pipeline Health Dashboard

Simulate a fraud detection pipeline and see how key metrics change under different conditions. Adjust throughput, latency, and failure rates to see when alerts trigger.

viewof ph_currentTps = Inputs.range([500, 5000], {
  value: 2000, step: 100, label: "Current throughput (TPS)"
})

viewof ph_p99Latency = Inputs.range([50, 2000], {
  value: 340, step: 10, label: "P99 latency (ms)"
})

viewof ph_backpressure = Inputs.range([0, 1], {
  value: 0.15, step: 0.05, label: "Backpressure ratio"
})

viewof ph_checkpointFails = Inputs.range([0, 10], {
  value: 0, step: 1, label: "Checkpoint failures (last 5 min)"
})

viewof ph_lateEventsPct = Inputs.range([0, 20], {
  value: 2, step: 0.5, label: "Late events (%)"
})

ph_dashboard = {
  const latencySLA = 500;
  const bpThreshold = 0.5;
  const tpsTarget = 2000;

  // Alert states
  const latencyAlert = ph_p99Latency > latencySLA;
  const bpAlert = ph_backpressure > bpThreshold;
  const checkpointAlert = ph_checkpointFails > 0;
  const tpsAlert = ph_currentTps < tpsTarget * 0.8;
  const lateAlert = ph_lateEventsPct > 10;

  const activeAlerts = [latencyAlert, bpAlert, checkpointAlert, tpsAlert, lateAlert].filter(Boolean).length;
  const overallStatus = activeAlerts === 0 ? "HEALTHY" : activeAlerts <= 2 ? "WARNING" : "CRITICAL";
  const overallColor = activeAlerts === 0 ? "#16A085" : activeAlerts <= 2 ? "#E67E22" : "#E74C3C";

  function metricCard(label, value, unit, threshold, isAbove, alertMsg) {
    const triggered = isAbove ? parseFloat(value) > threshold : parseFloat(value) < threshold;
    const color = triggered ? "#E74C3C" : "#16A085";
    return html`<div style="background: #f8f9fa; border-radius: 8px; padding: 14px; border-left: 4px solid ${color};">
      <div style="font-size: 0.75em; color: #7F8C8D;">${label}</div>
      <div style="font-size: 1.3em; font-weight: bold; color: ${color};">${value}${unit}</div>
      ${triggered ? html`<div style="font-size: 0.7em; color: #E74C3C; margin-top: 4px;">${alertMsg}</div>` : ""}
    </div>`;
  }

  return html`<div style="margin-top: 10px; padding: 12px; border-radius: 8px; background: ${overallColor}15; border: 2px solid ${overallColor};">
    <div style="display: flex; justify-content: space-between; align-items: center;">
      <span style="font-weight: bold; font-size: 1.1em; color: ${overallColor};">Pipeline Status: ${overallStatus}</span>
      <span style="font-size: 0.85em; color: #7F8C8D;">${activeAlerts} active alert(s)</span>
    </div>
  </div>
  <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(160px, 1fr)); gap: 10px; margin-top: 10px;">
    ${metricCard("Throughput", ph_currentTps.toLocaleString(), " TPS", tpsTarget * 0.8, false, "Below 80% of target")}
    ${metricCard("P99 Latency", ph_p99Latency, " ms", latencySLA, true, "Exceeds 500ms SLA")}
    ${metricCard("Backpressure", (ph_backpressure * 100).toFixed(0), "%", bpThreshold * 100, true, "Above 50% threshold")}
    ${metricCard("Checkpoint Failures", ph_checkpointFails, "", 0, true, "Exactly-once at risk")}
    ${metricCard("Late Events", ph_lateEventsPct.toFixed(1), "%", 10, true, "Above 10% threshold")}
  </div>
  <div style="margin-top: 12px;">
    ${latencyAlert ? html`<div style="padding: 8px 12px; margin-bottom: 6px; border-radius: 6px; background: #fdedec; font-size: 0.83em; color: #2C3E50;"><strong style="color: #E74C3C;">ALERT - HighProcessingLatency:</strong> P99 latency ${ph_p99Latency}ms exceeds 500ms SLA. Fraud detection may be too slow. Check for resource contention or increase parallelism.</div>` : ""}
    ${bpAlert ? html`<div style="padding: 8px 12px; margin-bottom: 6px; border-radius: 6px; background: #fef9e7; font-size: 0.83em; color: #2C3E50;"><strong style="color: #E67E22;">ALERT - HighBackpressure:</strong> Backpressure at ${(ph_backpressure * 100).toFixed(0)}% indicates consumers cannot keep up. Consider scaling consumers or adding more partitions.</div>` : ""}
    ${checkpointAlert ? html`<div style="padding: 8px 12px; margin-bottom: 6px; border-radius: 6px; background: #fef9e7; font-size: 0.83em; color: #2C3E50;"><strong style="color: #E67E22;">ALERT - CheckpointFailures:</strong> ${ph_checkpointFails} checkpoint failure(s) in 5 minutes. Exactly-once guarantees are at risk. Check state backend health and network connectivity.</div>` : ""}
    ${tpsAlert ? html`<div style="padding: 8px 12px; margin-bottom: 6px; border-radius: 6px; background: #fdedec; font-size: 0.83em; color: #2C3E50;"><strong style="color: #E74C3C;">ALERT - LowThroughput:</strong> Current ${ph_currentTps} TPS is below 80% of ${tpsTarget} TPS target. Pipeline may be degraded.</div>` : ""}
    ${activeAlerts === 0 ? html`<div style="padding: 8px 12px; border-radius: 6px; background: #e8f8f5; font-size: 0.83em; color: #2C3E50;"><strong style="color: #16A085;">All Clear:</strong> All metrics within healthy thresholds. Pipeline processing ${ph_currentTps.toLocaleString()} TPS with ${ph_p99Latency}ms P99 latency. Exactly-once delivery is intact.</div>` : ""}
  </div>`;
}

Why: Real-time fraud detection is useless if the pipeline is slow or losing data. These metrics ensure the team knows immediately if processing latency exceeds the 500ms SLA or if checkpoints fail (risking exactly-once guarantees).

Final Result

Outcome: A production fraud detection pipeline processing 2,000 TPS with <200ms average latency and exactly-once delivery guarantees.

Pipeline Performance: | Metric | Target | Achieved | |——–|——–|———-| | Throughput | 2,000 TPS | 2,500 TPS (headroom) | | P50 Latency | <200ms | 85ms | | P99 Latency | <500ms | 340ms | | False Positive Rate | <1% | 0.3% | | Missed Fraud Rate | <0.1% | 0.05% | | Exactly-Once Delivery | 100% | 100% (verified) |

Architecture Summary:

Figure 7.1: Fraud detection pipeline architecture showing payment terminals feeding into Kafka with card_hash partitioning, Flink processing with velocity and burst detection sliding windows, Redis deduplication, and output to PostgreSQL alerts and monitoring dashboards

Key Decisions Made:

1. Kafka partitioning by card_hash: Ensures per-card ordering without coordination
2. Sliding windows: Balance detection speed vs computational cost
3. 30-second watermarks: Handle network delays while keeping latency low
4. Redis deduplication: Ensures exactly-once even across Flink restarts
5. RocksDB state backend: Handles large per-card state (transaction history)
6. Side output for late data: Never silently drop data, always audit

Concept Relationships

Understanding pitfalls connects to several related concepts:

• Upstream: Stream Processing Pipelines - Architecture patterns that these pitfalls can compromise
• Parallel: Handling Real-World Challenges - Solutions for late data, exactly-once semantics, fault tolerance
• Foundational: Stream Processing Fundamentals - Core concepts of windowing and event-time processing

Contrast with: Batch processing errors (can be fixed by re-running entire batch) vs. streaming pitfalls (require careful design to prevent data loss or duplication in real-time)

See Also

• Database Transactions - ACID guarantees that complement streaming exactly-once semantics
• MQTT QoS Fundamentals - At-least-once vs. exactly-once delivery guarantees
• Resilience Patterns - Circuit breakers and retry strategies

Key Takeaway

The two most critical stream processing pitfalls are non-idempotent processing (causing duplicate billing, counting, or actions on message retries – fix with unique message IDs and dedup checks) and missing backpressure handling (causing memory exhaustion when producers overwhelm consumers – fix with bounded queues and blocking producers). The fraud detection worked example demonstrates a complete production pipeline achieving <200ms P50 latency and 0.05% missed fraud rate through key-based partitioning, sliding windows, and Redis-backed deduplication for exactly-once delivery.

For Kids: Meet the Sensor Squad!

The Sensor Squad catches a sneaky credit card thief using stream processing!

Max the Microcontroller works at a bank, watching 2,000 credit card transactions every second. One day, something suspicious happens!

At 2:00 PM, a card is used at a coffee shop in London. At 2:03 PM, the SAME card is used at a store in New York! That is 5,500 km away in just 3 minutes!

“Nobody can fly that fast!” shouts Sammy the Sensor. “That is a VELOCITY ATTACK – someone stole the card number!”

But how did they catch it so fast? The Sensor Squad used a special pipeline:

Step 1: All transactions from the same card go to the same detective (key-based partitioning). This way, one detective sees ALL of a card’s transactions.

Step 2: The detective keeps a 5-minute sliding window – looking at the last 5 minutes of purchases for each card, checking every 30 seconds.

Step 3: For each pair of transactions, the detective calculates: “How far apart are these locations? How much time passed? Is the speed humanly possible?”

Step 4: London to New York in 3 minutes = 110,000 km/h. That is WAY faster than any airplane! ALERT!

Lila the LED adds: “And we have to be really careful about duplicates! If a retry makes us flag the same transaction twice, we might block a card that is actually fine.”

Bella the Battery finishes: “That is why we use deduplication – every alert gets a unique ID. If we see the same ID twice, we skip it. One alert, one action, no mistakes!”

The pipeline catches fraud in under 200 milliseconds – less than the blink of an eye!

7.4.1 Try This at Home!

Play detective! Ask a friend to write down two cities and the time they “visited” each one. Your job: calculate if they could have traveled between the cities in that time! For example, your friend says “I was in my bedroom at 3:00 and the kitchen at 3:01.” Totally possible! But “I was in London at 3:00 and Tokyo at 3:01?” Impossible – that is fraud!

Interactive Quiz: Match Stream Processing Pitfall Concepts

Interactive Quiz: Sequence the Steps

7.5 Navigation

Previous	Up	Next
Stream Challenges	Stream Processing	Stream Lab Basic

7.6 What’s Next

If you want to…	Read this
Study the fundamentals to understand these pitfalls	Stream Processing Fundamentals
Learn the architectures that prevent these pitfalls	Stream Processing Architectures
Practice avoiding pitfalls in a lab	Lab: Stream Processing
See the full stream processing overview	Stream Processing for IoT

Continue to Hands-On Lab: Basic Stream Processing to implement streaming concepts on ESP32 with a 45-minute Wokwi lab.

🏷️ Label the Diagram