Visualizations of statistics associated with captured network data

US 10,462,004 B2
Filed: 04/29/2015
Issued: 10/29/2019
Est. Priority Date: 04/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method performed by a configuration server coupled via a network to one or more remote capture agents, the method comprising:

receiving one or more event streams from at least one remote capture agent of the one or more remote capture agents, the one or more event streams including timestamped event data generated by the at least one remote capture agent;

determining, based on configuration information associated with the one or more event streams, that the configuration server is to generate one or more statistics based on the timestamped event data received from the at least one remote capture agent without subsequently processing and storing the timestamped event data used to generate the statistics in a data store;

generating the one or more statistics based on the timestamped event data received from the at least one remote capture agent without subsequently processing and storing the timestamped event data used to generate the statistics in a data store; and

causing display of a graphical user interface (GUI) including a graph generated based on the one or more statistics.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display a graphical user interface (GUI) for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements containing a set of statistics associated with one or more event streams that comprise the time-series event data. The system then causes for display, in the GUI, one or more graphs comprising one or more values from the set of statistics. Finally, the system causes for display, in the GUI, a value of a statistic from the set of statistics based on a position of a cursor over the one or more graphs.

309 Citations

30 Claims

1. A method performed by a configuration server coupled via a network to one or more remote capture agents, the method comprising:
- receiving one or more event streams from at least one remote capture agent of the one or more remote capture agents, the one or more event streams including timestamped event data generated by the at least one remote capture agent;
  
  determining, based on configuration information associated with the one or more event streams, that the configuration server is to generate one or more statistics based on the timestamped event data received from the at least one remote capture agent without subsequently processing and storing the timestamped event data used to generate the statistics in a data store;
  
  generating the one or more statistics based on the timestamped event data received from the at least one remote capture agent without subsequently processing and storing the timestamped event data used to generate the statistics in a data store; and
  
  causing display of a graphical user interface (GUI) including a graph generated based on the one or more statistics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1, further comprising updating the one or more statistics and the graph based on additional timestamped event data received from the at least one remote capture agent.
  - 3. The method of claim 1, wherein the GUI further includes at least one interface element used to change a view of the graph.
  - 4. The method of claim 1, wherein the GUI further includes at least one interface element used to change a view of the graph, and wherein changing the view of the graph includes at least one of:
    - changing a scale of the graph,changing a time range associated with the one or more statistics used to generate the graph, andchanging a host associated with the timestamped event data and the one or more statistics.
  - 5. The method of claim 1, further comprising sorting the one or more statistics by an attribute associated with the one or more statistics.
  - 6. The method of claim 1, further comprising sorting the one or more statistics by an attribute associated with the one or more event streams used to generate the one or more statistics, wherein the attribute is at least one of:
    - a name associated each of the one or more event streams,a total number of timestamped events in each of the one or more event streams,a total data size associated with incoming network traffic represented by the one or more event streams,a total data size associated with outgoing network traffic represented by the one or more event streams,a total data size associated with network traffic represented by the one or more event streams, andan estimated index volume for each of the one or more event streams.
  - 7. The method of claim 1, wherein the graph is a pie chart including a plurality of slices, each slice of the plurality of slices representing an index volume size of a respective event stream of the one or more event streams.
  - 8. The method of claim 1, wherein the graph is a pie chart including a plurality of slices, each slice of the plurality of slices representing an index volume size of a respective event stream of the one or more event streams, and wherein the pie chart is updated with one or more values of an index volume of an event stream based on a position of a cursor over the pie chart.
  - 9. The method of claim 1, wherein the graph is a pie chart including a plurality of slices, each slice of the plurality of slices representing an index volume size of a respective event stream of the one or more event streams, wherein the pie chart is updated with one or more values of an index volume of an event stream based on a position of a cursor over the pie chart, and wherein the one or more values comprise:
    - a percentage of a total index volume associated with the event stream, andan amount of data associated with the index volume of the event stream.
  - 10. The method of claim 1, wherein the one or more statistics include at least one of:
    - a total number of timestamped events in each of the one or more event streams,a total data size associated with incoming network traffic represented by the one or more event streams,a total data size associated with outgoing traffic represented by the one or more event streams,a total data size associated with network traffic represented by the one or more event streams, andan estimated index volume for each of the one or more event streams.
  - 11. The method of claim 1, wherein the graph is a bar chart plotting a total index volume of the one or more event streams over time.
  - 12. The method of claim 1, wherein the graph is a bar chart plotting a total index volume of the one or more event streams over time, and wherein a bar in the bar chart includes a plurality of segments each representing an index volume of a respective event stream of the one or more event streams over a time interval.
  - 13. The method of claim 1, wherein the graph is a bar chart plotting a total index volume of the one or more event streams over time, and wherein the bar chart displays a value of an index volume of an event stream based on a position of a cursor over the bar chart.
  - 14. The method of claim 1, wherein the graph is a bar chart plotting a total index volume of the one or more event streams over time, and wherein a portion of the bar chart is highlighted based on a position of a cursor over a legend of the bar chart.
  - 15. The method of claim 1, wherein the GUI further includes at least one interface element used to manage the one or more event streams, and wherein managing the one or more event streams comprises enabling the generation of the one or more statistics from an event stream without transmitting the event stream over a network for subsequent storage and processing of the event stream by one or more components on the network.
  - 16. The method of claim 1, wherein the GUI further includes at least one interface element used to manage the one or more event streams, and wherein managing the one or more event streams comprises adjusting an amount of capture of the one or more event streams based on the one or more statistics.
  - 17. The method of claim 1, further comprising causing display of a value of a statistic from the one or more statistics based on a position of a cursor over a legend associated with the graph.
  - 18. The method of claim 1, wherein a value of one or more statistics includes an index volume associated with a position of a cursor over the graph.
  - 19. The method of claim 1, wherein a value of the one or more statistics corresponds to at least one of:
    - a percentage of a total index volume associated with the one or more event streams, and an amount of data associated with the index volume of the one or more event streams.
  - 20. The method of claim 1, further comprising changing an appearance of the graph based on a position of a cursor over the graph.
  - 21. The method of claim 1, further comprising changing an appearance of the graph based on a position of a cursor over the graph, wherein changing the appearance of the graph comprises highlighting a portion of the graph based on the position of the cursor over the graph.
  - 22. The method of claim 1, further comprising changing an appearance of the graph based on a position of a cursor over the graph, wherein changing the appearance of the graph comprises dimming a portion of a graph based on the position of the cursor over the graph.
  - 23. The method of claim 1, further comprising changing an appearance of the graph based on a position of a cursor over the graph, wherein changing the appearance of the graph comprises highlighting a first portion of a graph and dimming a second portion of the graph based on the position of the cursor over the graph.
  - 24. The method of claim 1, further comprising changing an appearance of the graph based on a position of a cursor over a legend associated with the graph.
  - 25. The method of claim 1, further comprising changing an appearance of the graph based on a position of a cursor over a legend associated with the graph, wherein changing the appearance of the graph comprises highlighting a portion of the graph based on the position of the cursor over the legend.
  - 26. The method of claim 1, further comprising changing an appearance of the graph based on a position of a cursor over a legend associated with the graph, wherein changing the appearance of the graph comprises dimming a portion of the graph based on the position of the cursor over the legend.
  - 27. The method of claim 1, further comprising changing an appearance of the graph based on a position of a cursor over a legend associated with the graph, wherein changing the appearance of the graph comprises highlighting a first portion of the graph and dimming a second portion of the graph based on the position of the cursor over the legend.
  - 28. The method of claim 1, wherein causing display of the GUI including the graph generated based on the one or more statistics comprises at least one of:
    - including the statistic in an interface element of the GUI,including a name of the statistic in the interface element,including an identifier for the event stream in the interface element, anddisplaying the interface element next to a position of a cursor.

29. An apparatus, comprising:
- one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the apparatus to;
  
  receive one or more event streams from at least one remote capture agent of one or more remote capture agents, the one or more event streams including timestamped event data generated by the at least one remote capture agent of the one or more remote capture agents;
  
  determine, based on configuration information associated with the one or more event streams, that a configuration server is to generate one or more statistics based on the timestamped event data received from the at least one remote capture agent without subsequently processing and storing the timestamped event data used to generate the statistics in a data store;
  
  generate the one or more statistics based on the timestamped event data received from the at least one remote capture agent without subsequently processing and storing the timestamped event data used to generate the statistics in a data store; and
  
  cause display of a graphical user interface (GUI) including a graph generated based on the one or more statistics.

30. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform operations comprising:
- receiving one or more event streams from at least one remote capture agent of one or more remote capture agents, the one or more event stream including timestamped event data generated by the at least one remote capture agent of the one or more remote capture agents;
  
  determining, based on configuration information associated with the one or more event streams, that a configuration server is to generate one or more statistics based on the timestamped event data received from the at least one remote capture agent without subsequently processing and storing the timestamped event data used to generate the statistics in a data store;
  
  generating the one or more statistics based on the timestamped event data received from the at least one remote capture agent without subsequently processing and storing the timestamped event data used to generate the statistics in a data store; and
  
  causing display of a graphical user interface (GUI) including a graph generated based on the one or more statistics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Hsiao, Fang I., Jiang, Wei, Shcherbakov, Vladimir A., Chandrasekharan, Ramkumar, Ching, Clayton S.
Primary Examiner(s)
Arjomandi, Noosha

Application Number

US14/699,807
Publication Number

US 20150341212A1
Time in Patent Office

1,644 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/26   Visual data mining; Browsin...

G06F 3/0481   based on specific propertie...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

H04L 41/0813   characterised by the condit...

H04L 41/22   comprising specially adapte...

H04L 67/12   specially adapted for propr...

H04L 67/75   Indicating network or usage...

Visualizations of statistics associated with captured network data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

309 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Visualizations of statistics associated with captured network data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

309 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links