Configuring rules for filtering events to be included in event streams
Abstract
The disclosed embodiments provide a system that processes network data. During operation, the system obtains, at a remote capture agent, a first protocol classification for a first packet flow captured by the remote capture agent. Next, the system uses configuration information associated with the first protocol classification to build a first event stream from the first packet flow at the remote capture agent, wherein the first event stream comprises time-series event data generated from network packets in the first packet flow based on the first protocol classification. The system then transmits the first event stream over a network for subsequent storage and processing of the first event stream by one or more components on the network.
30 Claims
1. A computer-implemented method performed by a configuration server coupled to a network, the method comprising:
- receiving input defining a filter to be applied to timestamped events generated by one or more remote capture agents from network data monitored by the one or more remote capture agents, the filter used to identify a subset of the timestamped events to be included in one or more event streams generated by the one or more remote capture agents;
- generating configuration data based at least in part on the input defining the filter; and
- sending, over the network, the configuration data to the one or more remote capture agents, the configuration data causing the one or more remote capture agents to apply the filter to events generated by the one or more remote capture agents for inclusion in the one or more event streams.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A configuration server, comprising:
- a processor;
- a non-transitory computer readable storage medium storing instructions which, when executed by the processor, cause the configuration server to:
  - receive input defining a filter to be applied to timestamped events generated by one or more remote capture agents from network data monitored by the one or more remote capture agents, the filter used to identify a subset of the timestamped events to be included in one or more event streams generated by the one or more remote capture agents;
  - generate configuration data based at least in part on the input defining the filter; and
  - send, over a network, the configuration data to the one or more remote capture agents, the configuration data causing the one or more remote capture agents to apply the filter to events generated by the one or more remote capture agents for inclusion in the one or more event streams.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform operations comprising:
- receiving, by a configuration server, input defining a filter to be applied to timestamped events generated by one or more remote capture agents from network data monitored by the one or more remote capture agents, the filter used to identify a subset of the timestamped events to be included in one or more event streams generated by the one or more remote capture agents;
- generating configuration data based at least in part on the input defining the filter; and
- sending, over a network, the configuration data to the one or more remote capture agents, the configuration data causing the one or more remote capture agents to apply the filter to events generated by the one or more remote capture agents for inclusion in the one or more event streams.

Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30
Specification