GROUPING AND MANAGING EVENT STREAMS GENERATED FROM CAPTURED NETWORK DATA

US 20150295780A1
Filed: 01/30/2015
Published: 10/15/2015
Est. Priority Date: 04/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating the processing of network data, comprising:

causing for display, on a computer system, a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents;

causing for display, in the GUI, a first set of user-interface elements for managing one or more ephemeral event streams that comprise temporarily generated time-series event data from the network packets, wherein managing the one or more ephemeral event streams comprises modifying an end time for terminating the capture of time-series event data in an ephemeral event stream; and

updating the configuration information based on input received through the first set of user-interface elements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display, on a computer system, a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements for managing one or more ephemeral event streams that contain temporarily generated time-series event data from the network packets, wherein managing the one or more ephemeral event streams comprises modifying an end time for terminating the capture of time-series event data in an ephemeral event stream. The system then updates the configuration information based on input received through the first set of user-interface elements.

85 Citations

View as Search Results

31 Claims

1. A method for facilitating the processing of network data, comprising:
- causing for display, on a computer system, a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents;
  
  causing for display, in the GUI, a first set of user-interface elements for managing one or more ephemeral event streams that comprise temporarily generated time-series event data from the network packets, wherein managing the one or more ephemeral event streams comprises modifying an end time for terminating the capture of time-series event data in an ephemeral event stream; and
  
  updating the configuration information based on input received through the first set of user-interface elements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, further comprising:
    - providing the configuration information over a network to the one or more remote capture agents, wherein the configuration information is used to configure the generation of the time-series event data at the one or more remote capture agents during runtime of the one or more remote capture agents.
  - 3. The method of claim 1, further comprising:
    - causing for display, in the GUI, a second set of user-interface elements for creating a new ephemeral event stream; and
      
      updating the configuration information based on input received through the second set of user-interface elements.
  - 4. The method of claim 1,wherein the GUI comprises a second set of user-interface elements for creating a new ephemeral event stream, andwherein creating the new ephemeral event stream comprises at least one of:
    - obtaining a name for the new ephemeral event stream;
      
      obtaining a description for the new ephemeral event stream;
      
      cloning the new ephemeral event stream from an existing event stream; and
      
      selecting a protocol used by the network packets.
  - 5. The method of claim 1, further comprising:
    - causing for display, in the GUI, event stream information for the one or more ephemeral event streams,wherein the event stream information comprises at least one of;
      
      a name;
      
      a number of event streams;
      
      an application;
      
      a start time;
      
      the end time;
      
      a time remaining; and
      
      a status.
  - 6. The method of claim 1, further comprising:
    - causing for display, in the GUI, a mechanism for applying an action associated with managing the one or more ephemeral event streams to a set of selected ephemeral event streams.
  - 7. The method of claim 1, further comprising:
    - obtaining a subset of the one or more ephemeral event streams associated with a grouping of the one or more ephemeral event streams by an event stream attribute; and
      
      causing for display, in the GUI, event stream information for the subset of the one or more ephemeral event streams.
  - 8. The method of claim 1, further comprising:
    - obtaining a subset of the one or more ephemeral event streams associated with a grouping of the one or more ephemeral event streams by an event stream attribute, wherein the event stream attribute is selected from;
      
      a category of an event stream;
      
      a protocol used by the network packets;
      
      an application used to create the event stream; and
      
      an event stream lifecycle of the event stream; and
      
      causing for display, in the GUI, event stream information for the subset of the one or more ephemeral event streams.
  - 9. The method of claim 1, wherein the ephemeral event stream is created by a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on a security risk.
  - 10. The method of claim 1, wherein managing the one or more ephemeral event streams further comprises:
    - disabling the ephemeral event stream;
      
      ordeleting the ephemeral event stream.
  - 11. The method of claim 1, further comprising:
    - sorting the event stream information by an event stream attribute associated with the event streams.
  - 12. The method of claim 1, further comprising:
    - sorting the event stream information by an event stream attribute associated with the event streams,wherein the event stream attribute is at least one of;
      
      a name;
      
      a number of streams;
      
      an application;
      
      a start time;
      
      the end time;
      
      a time remaining; and
      
      a status.
  - 13. The method of claim 1, wherein modifying the end time for terminating the capture of time-series event data in the ephemeral event stream comprises at least one of:
    - extending the end time; and
      
      reducing the end time.
  - 14. The method of claim 1, comprising:
    - causing for display, in the GUI, a user-interface element for performing a search of the one or more ephemeral event streams.
  - 15. The method of claim 1, wherein events in the one or more ephemeral event streams are searchable by a late-binding schema.
  - 16. The method of claim 1, further comprising:
    - causing for display, in the GUI, event stream information for the one or more ephemeral event streams; and
      
      causing for display, in the GUI, a mechanism for navigating between the event stream information and creation information for one or more creators of the one or more ephemeral event streams.
  - 17. The method of claim 1, further comprising:
    - causing for display, in the GUI, event stream information for the one or more ephemeral event streams; and
      
      causing for display, in the GUI, a mechanism for navigating between the event stream information and creation information for one or more creators of the one or more ephemeral event streams,wherein the one or more creators of the one or more ephemeral event streams comprise at least one of;
      
      an application for monitoring network traffic captured by the one or more remote capture agents; and
      
      a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on a security risk.

18. An apparatus, comprising:
- one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the apparatus to;
  
  cause for display a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents;
  
  cause for display, in the GUI, a first set of user-interface elements for managing one or more ephemeral event streams that comprise temporarily generated time-series event data from the network packets, wherein managing the one or more ephemeral event streams comprises modifying an end time for terminating an ephemeral event stream; and
  
  update the configuration information based on input received through the first set of user-interface elements.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The apparatus of claim 18, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - cause for display, in the GUI, a second set of user-interface elements for creating a new ephemeral event stream; and
      
      update the configuration information based on input received through the second set of user-interface elements.
  - 20. The apparatus of claim 18,wherein the GUI comprises a second set of user-interface elements for creating a new ephemeral event stream, andwherein creating the new ephemeral event stream comprises at least one of:
    - obtaining a name for the new ephemeral event stream;
      
      obtaining a description for the new ephemeral event stream; and
      
      cloning the new ephemeral event stream from an existing event stream.
  - 21. The apparatus of claim 18, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - cause for display, in the GUI, event stream information for the one or more ephemeral event streams,wherein the event stream information comprises at least one of;
      
      a name;
      
      a number of event streams;
      
      an application;
      
      a start time;
      
      the end time;
      
      a time remaining; and
      
      a status.
  - 22. The apparatus of claim 18, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - cause for display, in the GUI, a mechanism for applying an action associated with managing the one or more ephemeral event streams to a set of selected ephemeral event streams.
  - 23. The apparatus of claim 18, wherein the ephemeral event stream is created by a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on a security risk.
  - 24. The apparatus of claim 18, wherein managing the one or more ephemeral event streams further comprises:
    - disabling the ephemeral event stream;
      
      ordeleting the ephemeral event stream.

25. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating the processing of network data, the method comprising:
- causing for display, on a computer system, a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents;
  
  causing for display, in the GUI, a first set of user-interface elements for managing one or more ephemeral event streams that comprise temporarily generated time-series event data from the network packets, wherein managing the one or more ephemeral event streams comprises modifying an end time for terminating an ephemeral event stream; and
  
  updating the configuration information based on input received through the first set of user-interface elements.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The non-transitory computer-readable storage medium of claim 25, the method further comprising:
    - causing for display, in the GUI, a second set of user-interface elements for creating a new ephemeral event stream; and
      
      updating the configuration information based on input received through the second set of user-interface elements.
  - 27. The non-transitory computer-readable storage medium of claim 25,wherein the GUI comprises a second set of user-interface elements for creating a new ephemeral event stream, andwherein creating the new ephemeral event stream comprises at least one of:
    - obtaining a name for the new ephemeral event stream;
      
      obtaining a description for the new ephemeral event stream; and
      
      cloning the new ephemeral event stream from an existing event stream.
  - 28. The non-transitory computer-readable storage medium of claim 25, the method further comprising:
    - causing for display, in the GUI, event stream information for the one or more ephemeral event streams,wherein the event stream information comprises at least one of;
      
      a name;
      
      a number of event streams;
      
      an application;
      
      a start time;
      
      the end time;
      
      a time remaining; and
      
      a status.
  - 29. The non-transitory computer-readable storage medium of claim 25, the method further comprising:
    - causing for display, in the GUI, a mechanism for applying an action associated with managing the one or more ephemeral event streams to a set of selected ephemeral event streams.
  - 30. The non-transitory computer-readable storage medium of claim 25, wherein managing the one or more ephemeral event streams further comprises:
    - disabling the ephemeral event stream;
      
      ordeleting the ephemeral event stream.
  - 31. The non-transitory computer-readable storage medium of claim 25, wherein the ephemeral event stream is created by a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on a security risk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Hsiao, Fang I., Ching, Clayton S., Shcherbakov, Vladimir A., Noel, Cary Glen, Dickey, Michael R., Teredesai, Nishant

Granted Patent

US 10,523,521 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/22   comprising specially adapte...

H04L 43/022   by sampling

H04L 43/045   for graphical visualisation...

GROUPING AND MANAGING EVENT STREAMS GENERATED FROM CAPTURED NETWORK DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

GROUPING AND MANAGING EVENT STREAMS GENERATED FROM CAPTURED NETWORK DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links