Distributed Methodology for Approximate Event Counting
Abstract
In a method and system for aggregating event information, events are received at a first plurality of nodes in a distributed system. For the events received at each node, aggregated attribute information is determined in accordance with two or more rules and stored in distinct first tables, each table storing aggregated attribute information for a respective rule of the two or more rules. At each node of the first plurality of nodes, the two or more distinct first tables are transmitted to a respective node of a second set of nodes in the distributed system. At each node of the second set of nodes, two or more distinct second tables are generated by merging the aggregated attribute information in the tables transmitted to the node. Each rule of the two or more rules is evaluated using the aggregated attribute information obtained from a corresponding table of the second tables.
22 Claims
1. A computer-implemented method for collecting event information, comprising:
on one or more servers:
receiving events, each having attributes;
in accordance with a rule for detecting a system condition, aggregating event information for at least one attribute in a corresponding set of the received events, including:
in each table of a plurality of distinct tables that correspond to the rule, each table having an associated distinct hash function, storing aggregated attribute information in rows determined by the hash function corresponding to the table;
evaluating the rule separately with respect to each table, using the information in the table, to generate a plurality of intermediate results, including a respective intermediate result for each table;
when the intermediate results for each table indicate a potential violation of the rule, determining if the intermediate result for each table corresponds to a same group of events and an actual violation of the rule; and
producing a report in accordance with the determination.
7. A computer-implemented method for collecting event information, comprising:
receiving events at a first plurality of nodes in a distributed system, each event having attributes;
for the events received at each node of the first plurality of nodes, determining aggregated attribute information corresponding to two or more rules;
at each node of the first plurality of nodes, storing the aggregated attribute information in two or more distinct first tables, each table of the first tables storing aggregated attribute information for a respective rule of the two or more rules;
at each node of the first plurality of nodes, transmitting the two or more distinct first tables to a respective node of a second set of nodes in the distributed system, the second set of nodes comprising one or more nodes in the distributed system;
at each node of the second set of nodes, generating two or more distinct second tables by merging the aggregated attribute information in the tables transmitted to the node; and
evaluating each rule of the two or more rules using the aggregated attribute information obtained from a corresponding table of the second tables.
19. A server system, comprising:
one or more processors;
memory storing one or more programs, the one or more programs including instructions, which when executed by the one or more processors, cause the server system to:
receive events, each having attributes;
in accordance with a rule for detecting a system condition, aggregate event information for at least one attribute in a corresponding set of the received events, including:
in each table of a plurality of distinct tables, each table having an associated distinct hash function, store aggregated attribute information in rows determined by the hash function corresponding to the table;
evaluate the rule separately with respect to each table, using the information in the table, to generate a plurality of intermediate results, including a respective intermediate result for each table;
when the intermediate results for each table indicate a violation of the rule, determine if the intermediate result indicating a rule violation for each table corresponds to a same group of events; and
produce a report in accordance with the determination.
20. A computer readable storage medium storing the one or more programs including instructions, which when executed by one or more processors of a computer system, cause the computer system to:
receive events, each having attributes;
in accordance with a rule for detecting a system condition, aggregate event information for at least one attribute in a corresponding set of the received events, including, in each table of a plurality of distinct tables, each table having an associated distinct hash function, storing aggregated attribute information in rows determined by the hash function corresponding to the table;
evaluate the rule separately with respect to each table, using the information in the table, to generate a plurality of intermediate results, including a respective intermediate result for each table;
when the intermediate results for each table indicate a violation of the rule, determine if the intermediate result indicating a rule violation for each table corresponds to a same group of events; and
produce a report in accordance with the determination.
21. A server system, comprising:
one or more processors;
memory storing one or more programs, the one or more programs including instructions, which when executed by the one or more processors, cause the server system to:
receive events at a first plurality of nodes in a distributed system, each event having attributes;
for the events received at each node of the first plurality of nodes, determine aggregated attribute information corresponding to two or more rules;
at each node of the first plurality of nodes, store the aggregated attribute information in two or more distinct first tables, each table of the first tables storing aggregated attribute information for a respective rule of the two or more rules;
at each node of the first plurality of nodes, transmit the two or more distinct first tables to a respective node of a second set of nodes in the distributed system, the second set of nodes comprising one or more nodes in the distributed system;
at each node of the second set of nodes, generate two or more distinct second tables by merging the aggregated attribute information in the tables transmitted to the node; and
evaluate each rule of the two or more rules using the aggregated attribute information obtained from a corresponding table of the second tables.
22. A computer readable storage medium storing the one or more programs including instructions, which when executed by one or more processors of a computer system, cause the computer system to:
receive events at a first plurality of nodes in a distributed system, each event having attributes;
for the events received at each node of the first plurality of nodes, determine aggregated attribute information corresponding to two or more rules;
at each node of the first plurality of nodes, store the aggregated attribute information in two or more distinct first tables, each table of the first tables storing aggregated attribute information for a respective rule of the two or more rules;
at each node of the first plurality of nodes, transmit the two or more distinct first tables to a respective node of a second set of nodes in the distributed system, the second set of nodes comprising one or more nodes in the distributed system;
at each node of the second set of nodes, generate two or more distinct second tables by merging the aggregated attribute information in the tables transmitted to the node; and
evaluate each rule of the two or more rules using the aggregated attribute information obtained from a corresponding table of the second tables.
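Added example (not part of the patent text or any implementation by its assignee): a sketch of the per-rule hash tables of claim 1 and the node-to-node merge of claim 7, applied to a "50 or more failed logins from one source" rule. The class name RuleTables, the salted BLAKE2b hashes, the table dimensions, the threshold and the sample events are all assumptions, as is checking candidate source addresses taken from the events themselves.

```python
import hashlib

class RuleTables:
    """Several tables for one rule; table i has its own hash function."""

    def __init__(self, depth=4, width=256):
        self.depth, self.width = depth, width
        self.rows = [[0] * width for _ in range(depth)]

    def _row(self, i, key):
        # Distinct hash per table: BLAKE2b with a per-table salt (assumed choice).
        d = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([i])).digest()
        return int.from_bytes(d, "big") % self.width

    def add(self, key, amount=1):
        for i in range(self.depth):
            self.rows[i][self._row(i, key)] += amount

    def merge(self, other):
        # Second-tier node: tables built with the same hashes merge row by row.
        assert (self.depth, self.width) == (other.depth, other.width)
        for mine, theirs in zip(self.rows, other.rows):
            for r, count in enumerate(theirs):
                mine[r] += count

    def violating_rows(self, threshold):
        # Intermediate result per table: rows whose aggregate meets the rule.
        return [{r for r, c in enumerate(t) if c >= threshold} for t in self.rows]

    def confirmed(self, candidates, threshold):
        # Report a key only if its row is flagged in every table, so that a
        # collision inflating one table alone cannot raise an alert.
        flagged = self.violating_rows(threshold)
        return sorted(k for k in set(candidates)
                      if all(self._row(i, k) in flagged[i] for i in range(self.depth)))

def demo(threshold=50):
    # Constructed events: (collector node, source address) of failed logins.
    events = [(n, "10.0.0.5") for n in (0, 1) for _ in range(30)]
    events += [(n % 2, f"192.0.2.{n}") for n in range(20)]
    nodes = [RuleTables(), RuleTables()]
    for node, src in events:
        nodes[node].add(src)
    sources = [src for _, src in events]
    local = [n.confirmed(sources, threshold) for n in nodes]
    merged = RuleTables()
    for n in nodes:
        merged.merge(n)
    return local, merged.confirmed(sources, threshold)
```

Each collector sees only 40 events, so neither flags anything locally; the source that sent 30 events to each node crosses the threshold only in the merged tables.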
Specification