Managing large volumes of event data records
Abstract
A network device that operates as an analysis platform for analysis of event data records that can provide a flexible approach to event data record aggregation. For example, aggregation can be flexibly turned on or off and dynamically adjusted based on event record volume and other factors such as network capacity or throughput. Devices that are instructed to aggregate records can also be instructed to archive the raw records, e.g., to maintain a full fidelity log of events. Devices can further be instructed to utilize a mixed queue approach to determine an order to deliver those records that includes both older records and newer records.
20 Claims
1. A network device, comprising:
a processor; and
a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising;
receiving first data comprising first raw event data records describing events of a first period logged by devices of a network from a record collection device that collects the first data from the devices;
determining that a volume of the first raw event data records exceeds a defined threshold, wherein the defined threshold is a rate of change threshold that is exceeded in response to a determination that slopes of a number of first raw event data records plotted over time increase for multiple consecutive time intervals;
instructing the record collection device to perform a first level of aggregation, aggregating on a first data key, on second raw event data records describing events of a second period logged by the devices; and
receiving, from the record collection device, second data comprising an aggregated event data record representing an aggregation of the second raw event data records.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A network device, comprising:
a processor; and
a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising;
receiving, from a record collection device, first data comprising an aggregated event data record that is aggregated to a first level of aggregation based on a first data key and represents an aggregation of first raw event data records describing events of a first period logged by devices of a network;
determining that a volume of aggregated event data records, comprising the aggregated event data record, is less than a defined threshold;
instructing the record collection device to terminate the aggregation of the first raw event data records and to transmit second data comprising second raw event data records describing events of a second period logged by the devices;
receiving the second data; and
instructing the record collection device to perform a second level of aggregation that aggregates based on a second data key that is not the first data key and operates on the second raw event data records.
Dependent claims: 12, 13, 14, 15
16. A method, comprising:
receiving, by a network device comprising a processor, first data comprising first event data records describing events of a first period logged by devices of a network, wherein the first event data records are not aggregated;
determining, by the network device, a volume of the first event data records exceeds a defined threshold, wherein the defined threshold is a threshold applicable to a rate of change that is exceeded in response to a determination that slopes of a number of first raw event data records plotted over time have increased for at least two consecutive time intervals;
determining, by the network device, aggregation data indicative of an aggregation profile to apply to second event data records describing events of a second period logged by the devices, wherein the aggregation profile comprises configurable elements comprising aggregation key data representing a key employable to aggregate the second event data records and aggregation time data representing a defined time interval employable to aggregate the second event data records; and
receiving, by the network device, second data comprising an aggregated representation of the second event data records, wherein the aggregated representation corresponds to the aggregation profile.
Dependent claims: 17, 18, 19, 20
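The rate-of-change trigger and aggregation profile recited in claims 1 and 16, sketched as an added example that is not code from the patent. It assumes "slope" means the change in record count between adjacent intervals; the record fields (`ts`, `src_ip`), the function names and the sample records are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AggregationProfile:
    key: str         # aggregation key data: the field to aggregate on
    interval_s: int  # aggregation time data: window length in seconds

def slopes_increasing(counts, runs=2):
    """True when the slope of per-interval record counts grew for
    `runs` consecutive intervals (assumed reading of the claim)."""
    slopes = [b - a for a, b in zip(counts, counts[1:])]
    streak = 0
    for prev, cur in zip(slopes, slopes[1:]):
        streak = streak + 1 if cur > prev else 0
        if streak >= runs:
            return True
    return False

def aggregate(records, profile):
    """Collapse raw records into one counted record per (window, key value)."""
    buckets = Counter()
    for rec in records:
        window = rec["ts"] - rec["ts"] % profile.interval_s
        buckets[(window, rec[profile.key])] += 1
    return [{"window_start": w, profile.key: k, "count": n}
            for (w, k), n in sorted(buckets.items())]

def plan_delivery(counts, records, profile):
    """Collector-side decision: send raw records until the trigger fires,
    then send aggregates and archive the raw records for full fidelity."""
    if slopes_increasing(counts):
        return {"mode": "aggregated", "payload": aggregate(records, profile),
                "archive": list(records)}
    return {"mode": "raw", "payload": list(records), "archive": []}

# Constructed sample: firewall-style events from two documentation addresses.
SAMPLE = [
    {"ts": 1000, "src_ip": "192.0.2.5", "event": "deny"},
    {"ts": 1010, "src_ip": "192.0.2.5", "event": "deny"},
    {"ts": 1019, "src_ip": "192.0.2.9", "event": "deny"},
    {"ts": 1025, "src_ip": "192.0.2.5", "event": "deny"},
]
PROFILE = AggregationProfile(key="src_ip", interval_s=60)

if __name__ == "__main__":
    print(plan_delivery([100, 110, 130, 170, 250], SAMPLE, PROFILE))
```

Under this reading, steady linear growth such as 100, 200, 300, 400 does not trigger aggregation, because the slope is constant; only accelerating volume does.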
Specification