Method of correlating events in data packet streams

US 7,805,482 B2
Filed: 12/30/2005
Issued: 09/28/2010
Est. Priority Date: 12/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method of identifying a plurality of packets associated with correlating events in a stream of data packets of a distributed computing network having a central administration node and a plurality of worker nodes, the method comprising:

classifying a plurality of events according to event types that define the structure of events;

providing in each data packet of the stream an event type identifier and an attribute associated with the event type identifier, the event type identifier indicating a type of a particular event from the classified events represented by each data packet, the attribute having a value indicating a context associated with a result of a system transaction within which the particular event occurred;

applying a correlation set of selectors to said stream on a worker node, the correlation set of selectors including a first selector being responsive to data packets of a first event type identifier and extracting one or more first attributes from the data packets of the first event type identifier, each of the first attributes having a value associated therewith, the correlation set of selectors including a second selector being responsive to data packets of a second event type identifier and extracting one or more second attributes from the data packets of the second event type identifier, each of the second attributes having a value associated therewith;

assessing on the worker node two or more data packets of said stream as being associated with correlating events if the value of the first attributes associated with the first event type identifier and the value of the second attributes associated with the second event type identifier extracted by the correlation set of selectors from the two or more data packets match; and

accessing via the worker node a correlation session in a data store managed by said central administration node for each correlation assessed, said correlation session holding data items of tasks processing said correlating events.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of correlating events in a stream of data packets in which each data packet includes an event type identifier and an attribute associated with a type of event. A plurality of data packets of the stream of data packets is received and correlation set of selectors is applied to the received data packets. Each selector of the correlation set of selectors is responsive to data packets of a predetermined type of event to extract the attribute from the data packets. The method further includes assessing two or more data packets of the received data packets as correlating events if attributes extracted from the two or more data packets match. Additionally, the method includes accessing a correlation session in a data store for each correlating events match, the correlation session holding data items of tasks that process said correlating events.

Citations

20 Claims

1. A method of identifying a plurality of packets associated with correlating events in a stream of data packets of a distributed computing network having a central administration node and a plurality of worker nodes, the method comprising:
- classifying a plurality of events according to event types that define the structure of events;
  
  providing in each data packet of the stream an event type identifier and an attribute associated with the event type identifier, the event type identifier indicating a type of a particular event from the classified events represented by each data packet, the attribute having a value indicating a context associated with a result of a system transaction within which the particular event occurred;
  
  applying a correlation set of selectors to said stream on a worker node, the correlation set of selectors including a first selector being responsive to data packets of a first event type identifier and extracting one or more first attributes from the data packets of the first event type identifier, each of the first attributes having a value associated therewith, the correlation set of selectors including a second selector being responsive to data packets of a second event type identifier and extracting one or more second attributes from the data packets of the second event type identifier, each of the second attributes having a value associated therewith;
  
  assessing on the worker node two or more data packets of said stream as being associated with correlating events if the value of the first attributes associated with the first event type identifier and the value of the second attributes associated with the second event type identifier extracted by the correlation set of selectors from the two or more data packets match; and
  
  accessing via the worker node a correlation session in a data store managed by said central administration node for each correlation assessed, said correlation session holding data items of tasks processing said correlating events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, further comprising:
    - creating said correlation session in said data store by said administration node.
  - 3. The method according to claim 1, wherein the access to correlation sessions in the data store is restricted by the administration node to a maximum allowable number of concurrently accessing worker nodes.
  - 4. The method according to claim 2, wherein the steps of creating and accessing correlation sessions are performed via transactional processing.
  - 5. The method according to claim 2, wherein the data items in correlation sessions expire within a predetermined span of time.
  - 6. The method according to claim 2, wherein the correlation sessions are recoverable by storing the correlation sessions in a persistent data repository.
  - 7. The method according to claim 1, further comprising:
    - creating or accessing a lock in a data store for each correlation assessed, said lock used for synchronizing tasks processing said correlating events.
  - 8. The method according to claim 7, wherein said synchronizing comprises restricting the maximum number of concurrent processing tasks for correlated events.
  - 9. The method according to claim 7, wherein said synchronizing comprises serializing the order of processing tasks for correlated events.
  - 10. The method according to claim 7, wherein locks are managed centrally by the administration node.
  - 11. The method according to claim 7, wherein the steps of creating and accessing locks are performed via transactional processing.
  - 12. The method according to claim 1, further comprising at least one selector which is responsive to data packets of a set of predetermined event types, said set being defined as a virtual event type.
  - 13. The method according to claim 12, wherein at least one virtual event type is composed of at least one other virtual event type.
  - 14. The method according to claim 12, wherein there is one virtual event type which is composed of all events types.
  - 15. The method according to claim 12, wherein at least one virtual event type carries selected attributes of its composing events types only.
  - 16. The method according to claim 12, wherein the virtual event types are used to establish, trigger, or control event flows between processing tasks.

17. A computer-readable storage medium comprising operational instructions that, when executed by a processor, cause the processor to:
- classifying a plurality of events according to event types that define the structure of events;
  
  provide in each data packet of a stream of data packets an event type identifier and an attribute associated with the event type identifier, the event type identifier indicating a type of a particular event from the classified events represented by each data packet, the attribute having a value indicating a context associated with a result of a system transaction within which the particular event occurred;
  
  apply a correlation set of selectors to said stream, the correlation set of selectors including a first selector being responsive to data packets of a first event type identifier to extract one or more first attributes from the data packets of the first event type identifier, each of the first attributes having a value associated therewith, the correlation set of selectors including a second selector being responsive to data packets of a second event type identifier to extract one or more second attributes from the data packets of the second event type identifier, each of the second attributes having a value associated therewith;
  
  assess two or more data packets of said stream as being associated with correlating events if the value of the first attributes associated with the first event type identifier and the value of the second attributes associated with second event type identifier extracted by the correlation set of selectors from the two or more data packets match; and
  
  access a correlation session in a data store for each correlation assessed, said correlation session holding data items of tasks processing said correlating events.
- View Dependent Claims (18, 19)
- - 18. The computer-readable storage medium of claim 17, further comprising operational instructions that, when executed by a processor, cause the processor to create or access a lock in a data store for each correlation assessed, said lock used to synchronize tasks processing said correlating events.
  - 19. The computer-readable storage medium of claim 17, wherein at least one selector which is responsive to data packets of a set of predetermined event types, said set being defined as a virtual event type.

20. A method of identifying a plurality of packets associated with correlating events in a stream of data packets, the method comprising:
- receiving a plurality of data packets of said stream at a work node, each data packet of said plurality of data packets including an event type identifier and an attribute associated with the event type identifier, the event type identifier indicating a type of a particular event from a plurality of possible events represented by each data packet, the attribute having a value indicating a context associated with a result of a system transaction within which the event occurred;
  
  applying at said work node a correlation set of selectors to said received plurality of data packets, the correlation set of selectors including a first selector being responsive to data packets of a first event type identifier to extract one or more first attributes each having a value associated therewith and a second selector being responsive to data packets of a second event type identifier to extract one or more second attributes each having a value associated therewith;
  
  assessing at said work node two or more data packets of said received plurality of data packets as being associated with correlating events if the value of the first attributes associated with the first event type identifier and the value of the second attributes associated with the second event type identifier extracted by said correlation set of selectors from said two or more data packets match; and
  
  accessing via said work node a correlation session in a data store managed by an administration node for each correlation assessed, said correlation session holding data items of tasks that process said correlating events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Automic Software GmbH (Broadcom, Inc.)
Original Assignee
Senactive IT-Dienstleistungs GmbH (Broadcom, Inc.)
Inventors
Schiefer, Josef
Primary Examiner(s)
Patel; Ashok B.
Assistant Examiner(s)
EDWARDS, LINGLAN E

Application Number

US11/322,970
Publication Number

US 20070156916A1
Time in Patent Office

1,733 Days
Field of Search

709/201, 709/232
US Class Current

709/201
CPC Class Codes

G06Q 10/06 Resources, workflows, human...

H04L 41/0631 using root cause analysis; ...

Method of correlating events in data packet streams

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method of correlating events in data packet streams

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links