Distributed processing of network data using remote capture agents
First Claim
1. A computer-implemented method performed by a transformation server coupled via a network to a plurality of remote capture agents and used to improve processing of network data collected by the plurality of remote capture agents distributed across the network, the method comprising:
receiving configuration information from a configuration server over the network, wherein the configuration information is usable by the transformation server to generate event streams containing transformed timestamped events;
receiving timestamped events from one or more of the plurality of remote capture agents over the network, the timestamped events generated from network packets captured by the one or more of the plurality of remote capture agents;
identifying, in the configuration information received from the configuration server, information describing an event stream to be generated by transforming the timestamped events received from the one or more of the plurality of remote capture agents into transformed timestamped events, the information indicating one or more fields to be included in the transformed timestamped events and further indicating, for at least one field of the one or more fields, an identifier of data in the timestamped events to be transformed to obtain a value for the at least one field, and a type of transformation to apply to the data in the timestamped events to obtain the value for the at least one field; and
generating, based on the configuration information received from the configuration server, the event stream containing the transformed timestamped events by transforming the timestamped events received from the one or more of the plurality of remote capture agents into the transformed timestamped events.
Abstract
The disclosed embodiments provide a method and system for processing network data. During operation, the system obtains one or more event streams from one or more remote capture agents over one or more networks, wherein the one or more event streams include event data generated from network packets captured by the one or more remote capture agents. Next, the system applies one or more transformations to the one or more event streams to obtain transformed event data from the event data. The system then enables querying of the transformed event data.
346 Citations
27 Claims

1. A computer-implemented method performed by a transformation server coupled via a network to a plurality of remote capture agents and used to improve processing of network data collected by the plurality of remote capture agents distributed across the network, the method comprising:

receiving configuration information from a configuration server over the network, wherein the configuration information is usable by the transformation server to generate event streams containing transformed timestamped events; receiving timestamped events from one or more of the plurality of remote capture agents over the network, the timestamped events generated from network packets captured by the one or more of the plurality of remote capture agents; identifying, in the configuration information received from the configuration server, information describing an event stream to be generated by transforming the timestamped events received from the one or more of the plurality of remote capture agents into transformed timestamped events, the information indicating one or more fields to be included in the transformed timestamped events and further indicating, for at least one field of the one or more fields, an identifier of data in the timestamped events to be transformed to obtain a value for the at least one field, and a type of transformation to apply to the data in the timestamped events to obtain the value for the at least one field; and generating, based on the configuration information received from the configuration server, the event stream containing the transformed timestamped events by transforming the timestamped events received from the one or more of the plurality of remote capture agents into the transformed timestamped events.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A system used to improve processing of network data collected by a plurality of remote capture agents distributed across a network, comprising:

the plurality of remote capture agents implemented by a first one or more computing devices; and a transformation server implemented by a second one or more computing devices, the transformation server including instructions that upon execution cause the transformation server to: receive configuration information from a configuration server over the network, wherein the configuration information is usable by the transformation server to generate event streams containing transformed timestamped events; receive timestamped events from one or more of the plurality of remote capture agents over the network, the timestamped events generated from network packets captured by the one or more of the plurality of remote capture agents; identify, in the configuration information received from the configuration server, information describing an event stream to be generated by transforming the timestamped events received from the one or more of the plurality of remote capture agents into transformed timestamped events, the information indicating one or more fields to be included in the transformed timestamped events and further indicating, for at least one field of the one or more fields, an identifier of data in the timestamped events to be transformed to obtain a value for the at least one field, and a type of transformation to apply to the data in the timestamped events to obtain the value for the at least one field; and generate, based on the configuration information received from the configuration server, the event stream containing the transformed timestamped events by transforming the timestamped events received from the one or more of the plurality of remote capture agents into the transformed timestamped events.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19

20. A non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors, cause performance of operations comprising:

receiving configuration information from a configuration server over a network, wherein the configuration information is usable by a transformation server to generate event streams containing transformed timestamped events; receiving timestamped events from one or more of the plurality of remote capture agents over the network, the timestamped events generated from network packets captured by the one or more of the plurality of remote capture agents; identifying, in the configuration information received from the configuration server, information describing an event stream to be generated by transforming the timestamped events received from the one or more of the plurality of remote capture agents into transformed timestamped events, the information indicating one or more fields to be included in the transformed timestamped events and further indicating, for at least one field of the one or more fields, an identifier of data in the timestamped events to be transformed to obtain a value for the at least one field, and a type of transformation to apply to the data in the timestamped events to obtain the value for the at least one field; and generating, based on the configuration information received from the configuration server, the event stream containing the transformed timestamped events by transforming the timestamped events received from the one or more of the plurality of remote capture agents into the transformed timestamped events.

Dependent claims: 21, 22, 23, 24, 25, 26, 27
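As an added illustration (not code from the patent or its assignee) of the transformation step the claims describe: a constructed configuration names, per output field, the identifier of data in the captured event and the type of transformation to apply, and the transformation server applies it to timestamped events from capture agents. The field names, transform types (including hashing a client address so analysts can query the stream without handling raw addresses) and sample events are all assumptions chosen for the example.

```python
import hashlib
import json

# Constructed configuration, as a configuration server might send it: one
# event stream; each field gives the source key in the captured event
# (the "identifier of data") and the "type of transformation" to apply.
STREAM_CONFIG = json.loads("""
{"stream": "http_pseudonymized",
 "fields": [
   {"name": "ts",     "source": "timestamp", "transform": "copy"},
   {"name": "client", "source": "src_ip",    "transform": "sha256"},
   {"name": "server", "source": "dst_ip",    "transform": "copy"},
   {"name": "host",   "source": "http_host", "transform": "lowercase"},
   {"name": "path",   "source": "http_uri",  "transform": "strip_query"}]}
""")

# Hypothetical transformation types understood by this transformation server.
TRANSFORMS = {
    "copy":        lambda v: v,
    "lowercase":   lambda v: v.lower(),
    "sha256":      lambda v: hashlib.sha256(v.encode()).hexdigest(),
    "strip_query": lambda v: v.split("?", 1)[0],   # drop query-string parameters
}

def validate_config(config):
    """Reject a configuration naming an unknown transform before any event is touched."""
    for f in config["fields"]:
        if f["transform"] not in TRANSFORMS:
            raise ValueError(f"unknown transform {f['transform']!r} for field {f['name']!r}")
    return config

def transform_event(event, config):
    """Produce one transformed event; a field whose source key is absent is omitted."""
    out = {}
    for f in config["fields"]:
        if f["source"] in event:
            out[f["name"]] = TRANSFORMS[f["transform"]](event[f["source"]])
    return out

def generate_stream(events, config):
    """The event stream of transformed timestamped events for one configuration."""
    cfg = validate_config(config)
    return [transform_event(e, cfg) for e in events]

# Constructed timestamped events as two remote capture agents might emit them.
CAPTURED_EVENTS = [
    {"timestamp": "2024-01-01T00:00:00Z", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.8",
     "http_host": "Example.COM", "http_uri": "/login?user=alice&token=abc"},
    {"timestamp": "2024-01-01T00:00:01Z", "src_ip": "10.0.0.6", "dst_ip": "10.0.1.8",
     "http_host": "example.com"},   # no URI captured for this event
]
```

Running `generate_stream(CAPTURED_EVENTS, STREAM_CONFIG)` yields events whose query strings are gone and whose client addresses are replaced by digests, while the second event simply lacks a `path` field.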
Specification