Grouping and managing event streams generated from captured network data

US 10,360,196 B2
Filed: 01/30/2015
Issued: 07/23/2019
Est. Priority Date: 04/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating the processing of network data, comprising:

receiving, via a first graphical user interface (GUI), input defining a plurality of event streams to be generated by one or more remote capture agents, each event stream of the plurality of event streams associated with a plurality of event stream attributes;

transmitting, via a network, configuration information generated based on the received input, the configuration information used by the one or more remote capture agents to generate the plurality of event streams, each event stream of the plurality of event streams including timestamped event data derived from network traffic monitored by the one or more remote capture agents;

causing display of a second GUI including a representation of the plurality of event streams;

receiving, via the second GUI, input specifying a value for an event stream attribute of the plurality of event stream attributes associated with at least one event stream of the plurality of event streams; and

updating the second GUI to display a representation of only event streams matching the specified value for the event stream attribute.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display a graphical user interface (GUI) for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements for specifying a grouping of a set of event streams containing the time-series event data by an event stream attribute associated with the event streams. The system then causes for display, in the GUI, a second set of user-interface elements containing event stream information for one or more subsets of the event streams represented by the grouping of the event streams by the event stream attribute.

313 Citations

30 Claims

1. A method for facilitating the processing of network data, comprising:
- receiving, via a first graphical user interface (GUI), input defining a plurality of event streams to be generated by one or more remote capture agents, each event stream of the plurality of event streams associated with a plurality of event stream attributes;
  
  transmitting, via a network, configuration information generated based on the received input, the configuration information used by the one or more remote capture agents to generate the plurality of event streams, each event stream of the plurality of event streams including timestamped event data derived from network traffic monitored by the one or more remote capture agents;
  
  causing display of a second GUI including a representation of the plurality of event streams;
  
  receiving, via the second GUI, input specifying a value for an event stream attribute of the plurality of event stream attributes associated with at least one event stream of the plurality of event streams; and
  
  updating the second GUI to display a representation of only event streams matching the specified value for the event stream attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the input is first input, the value is a first value, and the event stream attribute is a first event stream attribute, and wherein the method further comprises:
    - receiving, via the second GUI, second input specifying a second value for a second event stream attribute that represents a subset of the first event stream attribute; and
      
      updating the second GUI to display a representation of only event streams matching the specified second value for the second event stream attribute.
  - 3. The method of claim 1, wherein the input is first input, the value is a first value, and the event stream attribute is a first event stream attribute, and wherein the method further comprises:
    - causing display of one or more values of the first event stream attribute and one or more values of a second event stream attribute;
      
      grouping the displayed representation of the plurality of event streams into one or more subsets of the plurality of event streams based on the one or more values of the first event stream attribute; and
      
      for each value from the one or more values of the first event stream attribute, further grouping the displayed event stream information into one or more additional subsets of the event streams based on the one or more values of the second event stream attribute.
  - 4. The method of claim 1, wherein the event stream attribute is selected from:
    - a category of an event stream;
      
      a protocol used by the network traffic;
      
      an application used to create the event stream; and
      
      an event stream lifecycle of the event stream.
  - 5. The method of claim 1, wherein the event stream attribute is a category of an event stream, and wherein a value of the category is at least one of:
    - web;
      
      infrastructure;
      
      networking;
      
      file transfer;
      
      email;
      
      messaging;
      
      authentication;
      
      database;
      
      telephony;
      
      network management; and
      
      a user-created value.
  - 6. The method of claim 1, wherein the event stream attribute is a protocol used by the network traffic, and wherein the protocol is at least one of:
    - a transport layer protocol;
      
      a session layer protocol;
      
      a presentation layer protocol; and
      
      an application layer protocol.
  - 7. The method of claim 1, wherein the event stream attribute is an application used to create an event stream, and wherein a value of the event stream attribute comprises a name of the application.
  - 8. The method of claim 1, wherein the event stream attribute is an event stream lifecycle of an event stream, and wherein the event stream lifecycle is permanent or ephemeral.
  - 9. The method of claim 1, wherein the event stream attribute is a permanent event stream lifecycle of an event stream, and wherein the event stream information comprises at least one of:
    - a name;
      
      a type;
      
      a protocol;
      
      an application;
      
      a description; and
      
      a status.
  - 10. The method of claim 1, wherein the event stream attribute is an ephemeral event stream lifecycle of an event stream, and wherein the representation of the plurality of event streams comprises at least one of:
    - a name;
      
      a number of event streams;
      
      an application;
      
      a start time;
      
      an end time;
      
      a time remaining; and
      
      a status.
  - 11. The method of claim 1, wherein the representation of the plurality of event streams comprises a graph of a metric associated with the timestamped event data.
  - 12. The method of claim 1, wherein the second GUI includes user-interface elements used to manage the plurality of event streams, and wherein managing the plurality of event streams comprises at least one of:
    - cloning a new event stream from an existing event stream;
      
      creating an event stream;
      
      deleting the event stream;
      
      enabling the event stream;
      
      disabling the event stream; and
      
      modifying an end time of the event stream.
  - 13. The method of claim 1, further comprising:
    - sorting the display of the representation of the plurality of event streams based on values associated with a second event stream attribute.
  - 14. The method of claim 1, further comprising:
    - sorting the display of the representation of the plurality of event streams based on values associated with a second event stream attribute, wherein the second event stream attribute includes at least one of;
      
      a name;
      
      a type;
      
      a protocol;
      
      an application;
      
      a description;
      
      a status; and
      
      a metric associated with the timestamped event data in the event streams.
  - 15. The method of claim 1, further comprising:
    - causing for display, in the second GUI, a user-interface element for performing a search of the plurality of event streams.
  - 16. The method of claim 1, wherein events in the plurality of event streams are searchable by a late-binding schema.
  - 17. The method of claim 1, further comprising:
    - causing display, in the second GUI, of a set of user-interface elements used to manage an ephemeral event stream, wherein managing the ephemeral event stream comprises at least one of;
      
      modifying an end time for terminating the capture of timestamped event data in the ephemeral event stream;
      
      disabling the ephemeral event stream; and
      
      deleting the ephemeral event stream.
  - 18. The method of claim 1, further comprising:
    - causing display, in the second GUI, of a set of graphs of a metric associated with the timestamped event data in the plurality of event streams.
  - 19. The method of claim 1, further comprising:
    - causing display, in the second GUI, of a set of graphs of a metric associated with the timestamped event data in the plurality of the event streams;
      
      aggregating the metric across one or more subsets of the plurality of event streams; and
      
      causing display, in the second GUI, a graph of the aggregated metric across the one or more subsets of the plurality of event streams.

20. An apparatus, comprising:
- one or more hardware processors; and
  
  memory storing instructions that, when executed by the one or more hardware processors, cause the apparatus to;
  
  receive, via a first graphical user interface (GUI), input defining a plurality of event streams to be generated by one or more remote capture agents, each event stream of the plurality of event streams associated with a plurality of event stream attributes;
  
  transmit, via a network, configuration information generated based on the received input, the configuration information used by the one or more remote capture agents to generate the plurality of event streams, each event stream of the plurality of event streams including timestamped event data derived from network traffic monitored by the one or more remote capture agents;
  
  cause display of a second GUI including a representation of the plurality of event streams;
  
  receive, via the second GUI, input specifying a value for an event stream attribute of the plurality of event stream attributes associated with at least one event stream of the plurality of event streams; and
  
  update the second GUI to display a representation of only event streams matching the specified value for the event stream attribute.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The apparatus of claim 20, wherein the input is first input, the value is a first value, and the event stream attribute is a first event stream attribute, and wherein execution of the instructions further cause the apparatus to:
    - receive, via the second GUI, second input specifying a second value for a second event stream attribute that represents a subset of the first event stream attribute; and
      
      update the second GUI to display a representation of only event streams matching the specified second value for the second event stream attribute.
  - 22. The apparatus of claim 20, wherein the input is first input, the value is a first value, and the event stream attribute is a first event stream attribute, and wherein execution of the instructions further cause the apparatus to:
    - cause display of one or more values of the first event stream attribute and one or more values of a second event stream attribute;
      
      group the displayed representation of the plurality of event streams into one or more subsets of the plurality of event streams based on the one or more values of the first event stream attribute; and
      
      for each value from the one or more values of the first event stream attribute, further group the displayed event stream information into one or more additional subsets of the event streams based on the one or more values of the second event stream attribute.
  - 23. The apparatus of claim 20, wherein the event stream attribute is a category of an event stream, and wherein a value of the category is at least one of:
    - web;
      
      infrastructure;
      
      networking;
      
      file transfer;
      
      email;
      
      messaging;
      
      authentication;
      
      database;
      
      telephony;
      
      network management; and
      
      a user-created value.
  - 24. The apparatus of claim 20, wherein the event stream attribute is a protocol used by the network traffic, and wherein the protocol is at least one of:
    - a transport layer protocol;
      
      a session layer protocol;
      
      a presentation layer protocol; and
      
      an application layer protocol.
  - 25. The apparatus of claim 20, wherein the event stream attribute is a permanent event stream lifecycle of an event stream, and wherein the representation of the plurality of event streams comprises at least one of:
    - a name;
      
      a type;
      
      a protocol;
      
      an application;
      
      a description; and
      
      a status.
  - 26. The apparatus of claim 20, wherein the event stream attribute is an ephemeral event stream lifecycle of an event stream, and wherein the event stream information comprises at least one of:
    - a name;
      
      a number of event streams;
      
      an application;
      
      a start time;
      
      an end time;
      
      a time remaining; and
      
      a status.
  - 27. The apparatus of claim 20, wherein the second GUI includes user-interface elements used to manage the plurality of event streams, and wherein managing the event stream comprises at least one of:
    - cloning a new event stream from an existing event stream;
      
      creating an event stream;
      
      deleting the event stream;
      
      enabling the event stream;
      
      disabling the event stream; and
      
      modifying an end time of the event stream.

28. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating the processing of network data, the method comprising:
- receiving, via a first graphical user interface (GUI), input defining a plurality of event streams to be generated by one or more remote capture agents, each event stream of the plurality of event streams associated with a plurality of event stream attributes;
  
  transmitting, via a network, configuration information generated based on the received input, the configuration information used by the one or more remote capture agents to generate the plurality of event streams, each event stream of the plurality of event streams including timestamped event data derived from network traffic monitored by the one or more remote capture agents;
  
  causing display of a second GUI including a representation of the plurality of event streams;
  
  receiving, via the second GUI, input specifying a value for an event stream attribute of the plurality of event stream attributes associated with at least one event stream of the plurality of event streams; and
  
  updating the second GUI to display a representation of only event streams matching the specified value for the event stream attribute.
- View Dependent Claims (29, 30)
- - 29. The non-transitory computer-readable storage medium of claim 28, wherein the input is first input, the value is a first value, and the event stream attribute is a first event stream attribute, and wherein the method further comprises:
    - receiving, via the second GUI, second input specifying a second value for a second event stream attribute that represents a subset of the first event stream attribute; and
      
      updating the second GUI to display a representation of only event streams matching the specified second value for the second event stream attribute.
  - 30. The non-transitory computer-readable storage medium of claim 28, wherein the event stream attribute is a category of an event stream, andwherein a value of the category is at least one of:
    - web;
      
      infrastructure;
      
      networking;
      
      file transfer;
      
      email;
      
      messaging;
      
      authentication;
      
      database;
      
      telephony;
      
      network management; and
      
      a user-created value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Hsiao, Fang I., Ching, Clayton S., Dickey, Michael R., Shcherbakov, Vladimir A., Teredesai, Nishant, Noel, Cary Glen
Primary Examiner(s)
Wilson, Kimberly L

Application Number

US14/610,408
Publication Number

US 20150293954A1
Time in Patent Office

1,635 Days
Field of Search

707741
US Class Current
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 16/24568   Data stream processing; Con...

H04L 65/60   Network streaming of media ...

Grouping and managing event streams generated from captured network data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

313 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Grouping and managing event streams generated from captured network data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

313 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links