Method of correlating events in data packet streams
First Claim
1. A method of identifying a plurality of packets associated with correlating events in a stream of data packets of a distributed computing network having a central administration node and a plurality of worker nodes, the method comprising:
- classifying a plurality of events according to event types that define the structure of events;
providing in each data packet of the stream an event type identifier and an attribute associated with the event type identifier, the event type identifier indicating a type of a particular event from the classified events represented by each data packet, the attribute having a value indicating a context associated with a result of a system transaction within which the particular event occurred;
applying a correlation set of selectors to said stream on a worker node, the correlation set of selectors including a first selector being responsive to data packets of a first event type identifier and extracting one or more first attributes from the data packets of the first event type identifier, each of the first attributes having a value associated therewith, the correlation set of selectors including a second selector being responsive to data packets of a second event type identifier and extracting one or more second attributes from the data packets of the second event type identifier, each of the second attributes having a value associated therewith;
assessing on the worker node two or more data packets of said stream as being associated with correlating events if the value of the first attributes associated with the first event type identifier and the value of the second attributes associated with the second event type identifier extracted by the correlation set of selectors from the two or more data packets match; and
accessing via the worker node a correlation session in a data store managed by said central administration node for each correlation assessed, said correlation session holding data items of tasks processing said correlating events.
9 Assignments
0 Petitions
Accused Products
Abstract
A method of correlating events in a stream of data packets in which each data packet includes an event type identifier and an attribute associated with a type of event. A plurality of data packets of the stream of data packets is received and correlation set of selectors is applied to the received data packets. Each selector of the correlation set of selectors is responsive to data packets of a predetermined type of event to extract the attribute from the data packets. The method further includes assessing two or more data packets of the received data packets as correlating events if attributes extracted from the two or more data packets match. Additionally, the method includes accessing a correlation session in a data store for each correlating events match, the correlation session holding data items of tasks that process said correlating events.
-
Citations
20 Claims
-
1. A method of identifying a plurality of packets associated with correlating events in a stream of data packets of a distributed computing network having a central administration node and a plurality of worker nodes, the method comprising:
-
classifying a plurality of events according to event types that define the structure of events; providing in each data packet of the stream an event type identifier and an attribute associated with the event type identifier, the event type identifier indicating a type of a particular event from the classified events represented by each data packet, the attribute having a value indicating a context associated with a result of a system transaction within which the particular event occurred; applying a correlation set of selectors to said stream on a worker node, the correlation set of selectors including a first selector being responsive to data packets of a first event type identifier and extracting one or more first attributes from the data packets of the first event type identifier, each of the first attributes having a value associated therewith, the correlation set of selectors including a second selector being responsive to data packets of a second event type identifier and extracting one or more second attributes from the data packets of the second event type identifier, each of the second attributes having a value associated therewith; assessing on the worker node two or more data packets of said stream as being associated with correlating events if the value of the first attributes associated with the first event type identifier and the value of the second attributes associated with the second event type identifier extracted by the correlation set of selectors from the two or more data packets match; and accessing via the worker node a correlation session in a data store managed by said central administration node for each correlation assessed, said correlation session holding data items of tasks processing said correlating events. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. A computer-readable storage medium comprising operational instructions that, when executed by a processor, cause the processor to:
-
classifying a plurality of events according to event types that define the structure of events; provide in each data packet of a stream of data packets an event type identifier and an attribute associated with the event type identifier, the event type identifier indicating a type of a particular event from the classified events represented by each data packet, the attribute having a value indicating a context associated with a result of a system transaction within which the particular event occurred; apply a correlation set of selectors to said stream, the correlation set of selectors including a first selector being responsive to data packets of a first event type identifier to extract one or more first attributes from the data packets of the first event type identifier, each of the first attributes having a value associated therewith, the correlation set of selectors including a second selector being responsive to data packets of a second event type identifier to extract one or more second attributes from the data packets of the second event type identifier, each of the second attributes having a value associated therewith; assess two or more data packets of said stream as being associated with correlating events if the value of the first attributes associated with the first event type identifier and the value of the second attributes associated with second event type identifier extracted by the correlation set of selectors from the two or more data packets match; and access a correlation session in a data store for each correlation assessed, said correlation session holding data items of tasks processing said correlating events. - View Dependent Claims (18, 19)
-
-
20. A method of identifying a plurality of packets associated with correlating events in a stream of data packets, the method comprising:
-
receiving a plurality of data packets of said stream at a work node, each data packet of said plurality of data packets including an event type identifier and an attribute associated with the event type identifier, the event type identifier indicating a type of a particular event from a plurality of possible events represented by each data packet, the attribute having a value indicating a context associated with a result of a system transaction within which the event occurred; applying at said work node a correlation set of selectors to said received plurality of data packets, the correlation set of selectors including a first selector being responsive to data packets of a first event type identifier to extract one or more first attributes each having a value associated therewith and a second selector being responsive to data packets of a second event type identifier to extract one or more second attributes each having a value associated therewith; assessing at said work node two or more data packets of said received plurality of data packets as being associated with correlating events if the value of the first attributes associated with the first event type identifier and the value of the second attributes associated with the second event type identifier extracted by said correlation set of selectors from said two or more data packets match; and accessing via said work node a correlation session in a data store managed by an administration node for each correlation assessed, said correlation session holding data items of tasks that process said correlating events.
-
Specification