CEP is a large topic and is covered in more detail separately. For now, let's look at a few CEP queries that we add to the stream definition.

"cepq":[
   {
      "name":"amount_exceed_fixed",
      "type":6,
      "tloc":86400,
      "fqry":{
         "name":"{\"query\":[{\"key\":\"amount\", \"cmp_op\":0, \"val\":10000}]}",
         "type":1
      },
      "notf":12345
   },
   {
      "name":"amount_exceed_avg",
      "type":6,
      "tloc":86400,
      "fqry":{
         "name":"{\"query\":[{\"key\":\"amount\", \"cmp_op\":0, \"val\":\"avg(account.amount, h_1, more_10)\"}],\"qtype\":3}",
         "type":1
      },
      "notf":12345
   },
   {
      "name":"txn_fraud_case",
      "type":1,
      "tloc":1000,
      "ratr":[
         "txnid",
         "loc"
      ],
      "rstm":"account",
      "iatr":[
         "name",
         "balance",
         "txnid",
         "loc"
      ],
      "jqry":{
         "cond":[
            "txnid",
            "loc"
         ],
         "opid":11,
         "args":[
            "txnid",
            "loc"
         ],
         "cmp":[
            "EQ",
            "NE"
         ]
      },
      "cond":[
         {
            "name":"NUMT",
            "val":1,
            "opid":1
         },
         {
            "name":"DUR",
            "val":100,
            "opid":0
         }
      ],
      "ostm":"txn_fraud",
      "notf":11111
   }
]

The first one simply applies the rule amount > 10000 and, if it is true, notifies using notification id 12345.

The second one does the same, but it uses amount > avg(amount) of an hour + 10%, that is, the average amount for an hour plus 10% extra.

The third one finds fraud in transactions where the same transaction id is used in two different transactions with different locations within 100 sec.
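The three rules described above, written out as a small reference evaluator over constructed events. This is an added example, not the database's own engine or API. The event tuple layout, the function name `evaluate`, and the choice to average only the events seen in the preceding hour (excluding the current one) are assumptions made for illustration.

```python
from collections import deque

# Constructed sample events: (ts_seconds, txnid, loc, amount). Not real data.
EVENTS = [
    (0,    "t1", "NYC", 500),
    (600,  "t2", "NYC", 520),
    (1200, "t3", "NYC", 900),    # hourly avg so far is 510; 900 > 561
    (1250, "t3", "LON", 50),     # same txnid, different loc, 50 s later
    (2000, "t4", "NYC", 12000),  # above the fixed limit and the average
    (9000, "t1", "SFO", 100),    # t1 reused, but far outside 100 s
]

def evaluate(events, fixed=10000, window=3600, extra=0.10, dur=100):
    """Return (rule_name, txnid, ts) alerts for the three rules."""
    alerts = []
    recent = deque()  # (ts, amount) pairs inside the averaging window
    seen = {}         # txnid -> [(ts, loc)] still inside the dur window
    for ts, txnid, loc, amount in events:
        # Rule 1: amount > fixed threshold.
        if amount > fixed:
            alerts.append(("amount_exceed_fixed", txnid, ts))
        # Rule 2: amount > average of the last hour plus 10%.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if recent:
            avg = sum(a for _, a in recent) / len(recent)
            if amount > avg * (1 + extra):
                alerts.append(("amount_exceed_avg", txnid, ts))
        recent.append((ts, amount))
        # Rule 3: same txnid (EQ) with a different loc (NE) within dur sec.
        live = [(t, l) for t, l in seen.get(txnid, []) if ts - t <= dur]
        if any(l != loc for _, l in live):
            alerts.append(("txn_fraud_case", txnid, ts))
        seen[txnid] = live + [(ts, loc)]
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The first event in a window can never trigger the average rule because there is no baseline yet; a deployment relying on this rule should decide explicitly how that cold-start case is handled.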