At least certain embodiments of the invention relate generally to computer networks, and more particularly to a system configured for capturing and processing network data across a distributed network environment.
Over the past decade, the age of virtualization has triggered a sea change in the world of network data capture. Almost every network capture product available today is a physical hardware appliance that customers have to purchase and configure. In addition, most network data capture technologies are built from scratch to serve a specific purpose and address the needs of a particular vertical market. For example, network capture systems may be customized to extract data for security and intrusion-detection purposes, collect network performance data, perform Quality of Service (QoS), redirect data, block network traffic, and/or perform other analysis or management of network traffic. Such targeted and/or fixed implementation and use of network capture technologies may preclude modification of the network capture technologies to address different and changing business needs.
Moreover, customers using conventional hardware-based network capture devices typically connect the devices to other hardware devices in a network. The connections may allow the network capture devices to access the network and monitor network traffic between two or more points in the network. Examples of such devices include a network Test Access Point (TAP) or Switched Port Analyzer (SPAN) port. After the network traffic is captured, cumbersome Extraction, Transform, and Load (“ETL”) processes may be performed to filter, transform, and/or aggregate data from the network traffic and enable the extraction of business value from the data.
However, customers are moving away from managing physical servers and data centers and toward public and private cloud computing environments that provide software, hardware, infrastructure, and/or platform resources as hosted services using computing, storage, and/or network devices at remote locations. For these customers, it is either impossible, or at best extremely challenging, to deploy physical network capture devices and infrastructure in the cloud computing environments.
Consequently, network data capture may be facilitated by mechanisms for deploying and configuring network capture technology at distributed and/or remote locations.
For a better understanding of at least certain embodiments, reference will be made to the following detailed description, which is to be read in conjunction with the accompanying drawings, wherein:
Throughout the description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present techniques described herein. It will be apparent to one skilled in the art, however, that the present invention may be practiced without some of these specific details. In other instances, well-known structures and devices are shown in block diagram form to avoid obscuring the underlying principles of embodiments of the invention.
1.0. General Overview
1.1. Event-Based Data Storage Systems
Generally, a data-processing system may perform data operations on data stored in one or more data repositories. Depending on the type of data-processing system, the data operations may range from simple operations such as storing and retrieving the data to more complex operations such as calculating statistics from the data, or arranging or formatting the data. One example of a data-processing system is a relational database system, in which data is stored in highly structured tables and accessed through rigid data storage rules (e.g., data storage and retrieval “schemas”). Another example of a data-processing system is a file system, such as a Network File System (NFS) server. Yet another example of a data-processing system is a web application server.
A data-processing system may also include an event-based system, such as the SPLUNK® ENTERPRISE system produced and sold for on-premise and cloud use by Splunk Inc. of San Francisco, CA. In some event-based systems, data is derived from lines or rows of unstructured time-series data, such as data from web logs and/or machine logs. Each row and/or group of rows is generally associated with a timestamp and one or more associated data points or parameter-value pairs. A timestamp may be any sequence of characters or encoded information that identifies the time at which a certain event is recorded. For example, a timestamp may provide the date, hour, minute, and/or second at which an application is initialized on a computer system. Based on the timestamps, data structures representing events may be derived from the associated data and include some or all of the associated data. A variety of event types may be derived from such data. For example, in the context of web logs, events may be derived from errors, specific user inputs, navigation events, and so forth.
As used herein, the term “events” may refer to anything that occurs and carries information in an event-based system. Some event-based systems feature flexible data storage and retrieval schemas that may be redefined as needed and applied after the associated data is stored in a database or other memory structure of the data storage system. For example, the schemas may be applied upon receiving a request to perform an operation on such data. Such schemas may indicate how to extract one or more pieces of data from data associated with an event. In addition, in connection-oriented network communications systems, a “data stream” generally refers to a sequence of encoded signals (e.g., in network packets) used to transmit or receive information over a network.
1.2. Remote Capture Agent Architecture
One or more embodiments include a network architecture for capturing network data in one or more networks using a configuration server working in combination with a set of remote capture agents distributed throughout the network(s). The remote capture agents may capture network packets from multiple sources (e.g., hosts, servers, etc.) and analyze the network packets to determine the packets' contents. The remote capture agents may then generate one or more events from the network packets and communicate the events to the configuration server over one or more additional networks.
In one or more embodiments, the configuration server includes configuration information used to determine how remote capture agents capture network data and build events therefrom. The remote capture agents may obtain the configuration information from the configuration server (e.g., using a push or pull mechanism) and use the configuration information to generate event data containing a series of timestamped events from the network data. The event data may be included in an event stream that is transmitted to additional network elements within the distributed network for additional processing and/or storage.
In this manner, both network traffic between the remote capture agents and other network elements and subsequent processing of the network traffic by the other network elements may be drastically reduced because capturing and pre-processing of the network data may be performed at the remote capture agents. For example, the remote capture agents may transmit events in lieu of network packets from which the events were generated to one or more centralized servers for further processing, indexing, and/or storage.
1.3. Dynamically Configurable Remote Capture Agents
Remote capture agents may be dynamically configured based on configuration information stored at the configuration server. For example, the remote capture agents may be configured in real-time as events are processed by the remote capture agents. The remote capture agents may be dynamically configured during runtime with: (1) events (or types of events) to be included in event streams for use by other components of the remote capture agent architecture, (2) fields to be included in each of the events streams, and (3) additional parameters associated with generation of the events and/or event streams.
The configuration information may be modified on-demand by users (e.g., administrators) at the configuration server and/or at a network component in communication with the configuration server. The configuration information may also be dynamically updated during processing of event streams by one or more applications running on separate servers in communication with the configuration server, such as one or more data storage servers in communication with the configuration server. Events may then be generated from the captured network packets based on the configuration information and/or any updates to the configuration information.
When changes are made to the configuration information at the configuration server, logic in the remote capture agents may be automatically updated in response. In one embodiment, the remote capture agents poll the configuration server at periodic intervals to determine if there have been any changes to the configuration information stored therein. If changes to the configuration information have been made, the remote capture agents may pull this configuration information from the configuration server. Alternatively, changes to the configuration information may be pushed from the configuration server to the remote capture agents at periodic intervals. Such propagation of updates to the configuration information to the remote capture agents may allow the remote capture agents to be dynamically configured to store different types of network data in events, generate different types of events, aggregate event data, and/or send event data to other network components at different times and/or intervals.
1.4. Transforming Event Data at the Remote Capture Agents
The configuration information may also be used by the remote capture agents to perform higher-level processing of the events before communicating the events to the configuration server. More specifically, the remote capture agents may use some or all of the configuration information to transform (e.g., aggregate, process, clean, filter, etc.) events into one or more sets of transformed event data. The remote capture agents may provide the transformed event data to the configuration server and/or other network components, in lieu of or in addition to the events. The network components may further process the transformed event data and/or store the transformed event data (e.g., in a data storage server).
In one or more embodiments, some or all of the configuration information related to transforming events is specified by applications running on other servers or systems and communicated to the configuration server. For example, the applications may run on a data-processing system such as the SPLUNK® ENTERPRISE system. Users may use the applications to perform queries and/or visualizations related to event data from the remote capture agents. The applications may provide the configuration server with information regarding the events (or types of events) the application is adapted to receive, along with information related to subsequent processing and/or transformation of those events. The configuration server may obtain the information from the applications for propagation to the remote capture agents, and the remote capture agents may use the information to configure or reconfigure the creation and processing of event data accordingly. In one embodiment, the applications include data storage applications running on a data storage server to facilitate optimizing data storage and retrieval operations.
1.5. Graphical Interface for Configuring Event Streams
A graphical user interface (GUI) may facilitate the configuration of the remote capture agents and/or other network components in generating and/or processing event streams containing event data. The GUI may provide a visual way to create, manage, and/or process event streams based on configuration information associated with each event stream. The GUI may be provided by the configuration server and/or by a network element in communication with the configuration server. The GUI may display representations of one or more components associated with creating and/or processing event streams generated from network traffic. The components may be configured or reconfigured using various icons and/or other user-interface elements in the GUI.
2.0. Structural Overview
2.1. Operating Environment
The data processing techniques described herein are suitable for use by systems deployed in a variety of operating environments.
Although system 100 only depicts three configuration servers 120 and three remote capture agents 151-153, any number of configuration servers 120 and/or remote capture agents 151-153 may be configured to operate and/or communicate with one another within the data-processing system. For example, a single physical and/or virtual server may perform the functions of configuration servers 120. Alternatively, multiple physical and/or virtual servers or network elements may be logically connected to provide the functionality of configuration servers 120. The configuration server(s) may direct the activity of multiple distributed remote capture agents 151-153 installed on various client computing devices across one or more networks. In turn, remote capture agents 151-153 may be used to capture network data from multiple remote network data sources.
Further, embodiments described herein can be configured to capture network data in a cloud-based environment, such as cloud 140 depicted in the illustrated embodiment, and to generate events such as clickstream events and/or business transactions out of the network data. Remote capture agents 151-153 may capture network data originating from numerous distributed network servers, whether they are physical hardware servers or virtual machines running in cloud 140. In cloud-based implementations, remote capture agents 151-153 will generally only have access to information that is communicated to and received from machines running in the cloud-based environment. This is because, in a cloud environment, there is generally no access to any of the physical network infrastructure, as cloud computing may utilize a “hosted services” delivery model where the physical network infrastructure is typically managed by a third party.
Embodiments further include the capability to separate the data capture technology into a standalone component that can be installed directly on client servers, which may be physical servers or virtual machines residing on a cloud-based network (e.g., cloud 140), and used to capture and generate events for all network traffic that is transmitted in and out of the client servers. This eliminates the need to deploy and connect physical hardware to network TAPS or SPAN ports, thus allowing users to configure and change their data capture configuration on-the-fly rather than in fixed formats.
In the illustrated embodiment, remote capture agents 152-153 are in communication with network servers 130 residing in cloud 140, and remote capture agent 151 is located in cloud 140. Cloud 140 may represent any number of public and private clouds, and is not limited to any particular cloud configuration. Network servers 130 residing in cloud 140 may be physical servers and/or virtual machines in cloud 140, and network traffic to and from network servers 130 may be monitored by remote capture agent 151 and/or other remote capture agents connected to network servers 130. Further, remote capture agents 152-153 may also run in cloud 140 on physical servers and/or virtual machines. Those skilled in the art will appreciate that any number of remote capture agents may be included inside or outside of cloud 140.
Remote capture agents 151-153 may analyze network packets received from the networks(s) to which remote capture agents 151-153 are connected to obtain network data from the network packets and generate a number of events from the network data. For example, each remote capture agent 151-153 may listen for network traffic on network interfaces available to the remote capture agent. Network packets transmitted to and/or from the network interfaces may be intercepted by the remote capture agent and analyzed, and relevant network data from the network packets may be used by the remote capture agent to create events related to the network data. Such events may be generated by aggregating network data from multiple network packets, or each event may be generated using the contents of only one network packet. A sequence of events from a remote capture agent may then be included in one or more event streams that are provided to other components of system 100.
Configuration servers 120, data storage servers 135, and/or other network components may receive event data (e.g., event streams) from remote capture agents 151-153 and further process the event data before the event data is stored by data storage servers 135. In the illustrated embodiment, configuration servers 120 may transmit event data to data storage servers 135 over a network 101 such as a local area network (LAN), wide area network (WAN), personal area network (PAN), virtual private network, intranet, mobile phone network (e.g., a cellular network), WiFi network, Ethernet network, and/or other type of network that enables communication among computing devices. The event data may be received over a network (e.g., network 101, network 190) at one or more event indexers (see
In addition, system 100 may include functionality to determine the types of network data collected and/or processed by each remote capture agent 151-153 to avoid data duplication at the indexers, data storage servers 135, and/or other components of system 100. For example, remote capture agents 152-153 may process network traffic from the same network. However, remote capture agent 152 may generate page view events from the network traffic, and remote capture agent 153 may generate request events (e.g., of HyperText Transfer Protocol (HTTP) requests and responses) from the network traffic.
In one or more embodiments, configuration servers 120 include configuration information that is used to configure the creation of events from network data on remote capture agents 151-153. In addition, such configuration may occur dynamically during event processing (e.g., at runtime). Conversely, because most conventional network capture technologies target specific end uses, they have been designed to operate in a fixed way and generally cannot be dynamically or easily modified to address different and changing business needs.
At least certain embodiments described herein are adapted to provide a distributed remote capture platform in which the times at which events are communicated to the configuration servers 120 and the fields to be included in the events are controlled by way of user-modifiable configuration rather than by “hard coding” fixed events with pre-determined fields for a given network capture mechanism. The remote configuration capability described herein also enables additional in-memory processing (e.g., filtering, transformation, normalization, aggregation, etc.) on events at the point of capture (e.g., remote capture agents 151-153) before the events are transmitted to other components of system 100.
Configuration information stored at each configuration server 120 may be created and/or updated manually at the configuration server and/or at a network element in communication with the configuration server. For example, a user may upload a configuration file containing configuration information for a remote capture agent to one or more configuration servers 120 for subsequent propagation to the remote capture agent. Alternatively, the user may use a GUI to provide the configuration information, as described in further detail below with respect to
Remote capture agents 151-153 may then use the configuration information to generate events from captured network packets. When changes in the configuration information at the configuration server are detected at the remote capture agents, logic in the remote capture agents may be automatically reconfigured in response. This means the remote capture agents may be configured dynamically to produce different events, transform the events, and/or communicate event streams to different components of system 100.
To detect changes in configuration information at configuration servers 120, remote capture agents 151-153 may poll configuration servers 120 at periodic intervals for updates to the configuration information. The updates may then be pulled from configuration servers 120 by remote capture agents 151-153. Conversely, updates to the configuration information may be pushed from configuration servers 120 to remote capture agents 151-153 at periodic intervals and/or when changes to the configuration information have been made.
In one embodiment, configuration servers 120 include a list of event streams generated by remote capture agents 151-153, as well as the configuration information used to generate the event streams at remote capture agents 151-153. The configuration information may include a unique identifier for each event stream, the types of events to be included in the event stream, one or more fields to be included in each event, and/or one or more filtering rules for filtering events to be included in the event stream. Configuration information for dynamically modifying network data capture by remote capture agents (e.g., remote capture agents 151-153) is described in further detail below with respect to
The configuration information may also specify transformations of network data and/or events into transformed events. Such transformations may include, for example, aggregations of network data and/or events, generation of statistics and/or metrics from the network data or events, and/or cleaning and/or filtering of the network data and/or events. As with other event streams, event streams containing transformed event data may be transmitted from remote capture agents 151-153 to configuration servers 120, data storage servers 135, and/or other components of system 100 for further processing, storage, and/or use.
Configuration information associated with transformed events may be obtained from end users and/or applications running on various network elements that receive the events. For example, an application executing on a data storage server (e.g., data storage servers 135) may provide statistics associated with network usage in cloud 140. To reduce overhead associated with real-time processing of event data by the application into the statistics, the application may provide configuration information for generating some or all of the statistics at one or more remote capture agents (e.g., remote capture agents 151-153) connected to cloud 140. The configuration information may be transmitted to configuration servers 120 and subsequently propagated to the relevant remote capture agents. In turn, the remote capture agents may use the configuration information to generate transformed events containing statistics associated with events captured by the remote capture agents, and the transformed events may be provided to the application to enable access to the statistics by users of the application without requiring the application to calculate the statistics at query time.
Such use of distributed remote capture agents 151-153 may offload processing tasks from configuration servers 120 and/or other components of system 100 to remote capture agents 120 (e.g., similar to parallelizing a network), while avoiding overloading of client network servers at remote networks by burdening the client network servers with the full functionality of configuration servers 120. System 100 may further reduce network traffic between remote capture agents 151-153 and the other components of system 100 because remote capture agents 120 convert a potentially large volume of raw network traffic into a smaller volume of events and further filter the event data as directed by the configuration information before transmitting the event data to other components of system 100.
Another advantage is that the work performed by system 100 may be distributed among multiple remote capture agents 151-153 on one or more networks. Remote capture agents 151-153 may occupy small footprints on remote client servers, thus mitigating resource usage by remote capture agents 151-153 on the client servers. For example, remote capture agents 151-153 may execute as background processes on physical and/or virtualized servers. On the other hand, configuration servers 120 may execute from one or more centralized locations and/or on one or more sets of dedicated resources because the operation of configuration servers 120 may require significantly more computing resources than the operation of remote capture agents 151-153.
As depicted in
Instructions for processing and manipulating data (e.g., event data) may be executed by data storage servers 135. For example, data storage servers 135 may perform data operations with respect to one or more data repositories. Data operations supported by these processes may include relatively simple operations such as adding or retrieving lines or rows of data from the data storage devices. The supported data operations may further include operations such as filtering the contents of retrieved data and/or performing transformations (e.g., aggregations, calculations, processing, cleaning, filtering, etc.) of the retrieved data.
In one or more embodiments, data storage servers 135 and/or configuration servers 120 provide one or more transformation servers that perform additional processing of event data from remote capture agents 151-153. Conversely, one or more configuration servers 120 and/or data storage servers 135 may be installed within a transformation server and/or execute independently from transformation servers in the data-processing system 100. The transformation servers may be used to aggregate, filter, format, query, transform, store, and/or otherwise manipulate event data, as described in further detail below with respect to
In another embodiment, data storage servers 135 may constitute one or more conventional database servers, such as a relational database server. These processes need not necessarily support the entire functionality of a database server or operate on conventional database structures.
Data repositories accessed by data storage servers 135 may be stored on data storage devices 155. Data storage devices 155 may be, for instance, non-volatile computer-readable media such as hard disk drives, flash/SSD drives, non-volatile memory, optical storage devices, disk arrays, storage area network devices, networked-attached storage devices, and/or file server devices. Storage devices 155 may store the data repositories in any suitable underlying form(s), such as disk blocks, file structures, or database tables. If multiple storage devices 155 are used in system 100, different portions of a data repository may be stored on different storage devices 155. Optionally, certain storage devices 155 may be configured to store some or all portions of a data repository redundantly, using any suitable backup or synchronization mechanism(s).
In an embodiment, each storage device 155 is equally accessible to each data storage server 135, and thus any data storage server 135 may perform operations on any data stored within the data repositories. In other embodiments, each data storage server 135 is assigned to only some or even one of the data storage devices 155, and is only configured to perform operations on data storage device(s) 155 to which it is assigned.
System 100 is only one example of the many types of operating environments in which the techniques described herein may be practiced. Other suitable operating environments may include additional or fewer elements, in varying arrangements. For instance, some or all data storage servers 135 may be replaced by virtual computing environments (e.g., virtual machines), some or all of which may execute on a single computing device.
System 100 further utilizes data repositories provided by storage devices 155. The data repositories may include one or more data collections, and each data collection may be a collection of data structures having a variety of forms. For example, a data collection may include a collection of time-based event data structures (e.g., one or more event streams), a group of data rows, a relational database, a relational database table, set of Extended Markup Language (XML) elements, and/or one or more files. Different data collections within the same repository may support different data structure types. In an embodiment, a data collection containing of any of the foregoing data structures is augmented with system-defined or user-defined variables that can be updated to describe certain characteristics of the data stored in the data collection. Examples of such variables may include counters or metrics. In an embodiment, each data collection is stored redundantly on multiple data storage devices 155, and synchronized therebetween. In an embodiment, each data collection is found on only some or even one of the data storage devices 155.
Remote capture agent 250 includes a network communications component 203 configured to communicate with network elements on one or more networks (e.g., network 101) and send and receive network data (e.g., network packets) over the network(s). As depicted, network communications component 203 may communicate with configuration servers 120 over network 101. Network communications component 203 may also communicate with one or more sources of network data, such as network servers 130 of
Network data received at network communications component 203 may be captured by a capture component 205 coupled with network communications component 203. Capture component 205 may capture some or all network data from network communications component 203. For example, capture component 205 may capture network data based on the sources and/or destinations of the network data, the types of network data, the protocol associated with the network data, and/or other characteristics of the network data.
In addition, the network data may be captured based on configuration information stored in a configuration component 204 of remote capture agent 250. As mentioned above, the configuration information may be received from configuration servers 120 over network 101. The configuration information may then be used to dynamically configure or reconfigure remote capture agent 250 in real-time. For example, newly received configuration information in configuration component 204 may be used to configure the operation of remote capture agent 250 during processing of events from network data by remote capture agent 250.
To dynamically configure remote capture agent 250, configuration information received by configuration component 204 from configuration servers 120 may be provided to other components of remote capture agent 250. More specifically, remote capture agent 250 includes an events generator 207 that receives network data from network data capture component 205 and generates events from the network data based on configuration information from configuration component 204.
Using configuration information provided by configuration servers 120, remote capture agent 250 can be instructed to perform any number of event-based processing operations. For example, the configuration information may specify the generation of event streams associated with network (e.g., HTTP, Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS)) transactions, business transactions, errors, alerts, clickstream events, and/or other types of events. The configuration information may also describe custom fields to be included in the events, such as values associated with specific clickstream terms. The configuration information may include additional parameters related to the generation of event data, such as an interval between consecutive events and/or the inclusion of transactions and/or errors matching a given event in event data for the event.
An events transformer 209 may further use the configuration information to transform some or all of the network data from capture component 205 and/or events from events generator 207 into one or more sets of transformed events. In one or more embodiments, transformations performed by events transformer 209 include aggregating, filtering, cleaning, and/or otherwise processing events from events generator 207. Configuration information for the transformations may thus include a number of parameters that specify the types of transformations to be performed, the types of data on which the transformations are to be performed, and/or the formatting of the transformed data.
For example, configuration information for generating an event stream from network data (e.g., at events generator 207) may include the following Javascript Object Notation (JSON) data:
In another example, configuration information for performing transformations on events from events generator 207 (e.g., at events transformer 209) may include the following JSON data:
A rules comparison engine 208 in remote capture agent 250 may receive events from event generator 207 and compare one or more fields from the events to a set of filtering rules in the configuration information to determine whether to include the events in an event stream. For example, the configuration information may specify packet-level, protocol-level, and/or application-level filtering of event data from event streams generated by remote capture agent 250.
Finally, a data enrichment component 211 may further transform event data to a different form or format based on the configuration information from configuration component 204. For example, data enrichment component 211 may use the configuration information to normalize the data so that multiple representations of the same value (e.g., timestamps, measurements, etc.) are converted into the same value in transformed event data.
Data can be transformed by data enrichment component 211 in any number of ways. For example, remote capture agent 250 may reside on a client server in Cupertino, California, where all the laptops associated with the client server have been registered with the hostname of the client server. Remote capture agent 250 may use the registration data to look up an Internet Protocol (IP) address in a look-up table (LUT) that is associated with one or more network elements of the client server's local network. Remote capture agent 250 may then resolve a user's IP address into the name of the user's laptop, thereby enabling inclusion of the user's laptop name in transformed event data associated with the IP address. The transformed event data may then be communicated to configuration servers 120 and/or a central transformation server residing in San Francisco for further processing, indexing, and/or storage.
A further advantage of the techniques described herein includes relates to the transformation of network data at least at two distinct levels, including at the remote capture agents during generation of the events and at the configuration server and/or other components during subsequent processing of event data.
Configuration server 320 also includes a configuration component 304 that stores configuration information for remote capture agents 350. As described above, the configuration information may specify the types of events to produce, data to be included in the events, and/or transformations to be applied to the data and/or events to produce transformed events. Some or all of the transformations may be specified in a set of filtering rules 321 that may be applied to event data at remote capture agents 350 to determine a subset of the event data to be included in one or more event streams that are sent to configuration server 320 and/or other components.
Configuration server 320 also includes a data processing component 311 that performs additional processing of the event streams based on configuration information from configuration component 304. As discussed in the above example with respect to
Configuration server 320 may also provide a GUI 325 that can be used to configure or reconfigure the information contained in configuration component 304. The operation of GUI 325 is discussed in further detail below with respect to
3.0. Functional Overview
3.1. Remote Capture Agent Architecture
The techniques described in this section can be performed by the data processing system for capturing and processing network data in a distributed network environment as shown in
Initially, one or more event streams are obtained from one or more remote capture agents on one or more networks (operation 402). The event streams may include event data that is generated from network data (e.g., network packets) captured by the remote capture agent(s) on the network(s). For example, the event streams may include a series of sequentially timestamped events, with each event generated from data in one or more network packets related to the event. As a result, event data for the event may include information such as an identifier, a transaction type (e.g., for an HTTP transaction and/or business transaction), a timestamp, and/or any errors associated with the event. In addition, the event data may be associated with (e.g., represent) clickstream data, transactions, business transactions, errors, and/or alerts.
The event streams may additionally include transformed event data generated from the network data and/or event data by the remote capture agent(s). For example, the event streams may include transformed event data that is obtained by performing aggregations, calculations, filtering, normalization, and/or formatting of the network data and/or event data at the remote capture agent(s).
Next, one or more transformations are applied to the event stream(s) to obtain transformed event data from the event data (operation 404). As with any transformations already applied at the remote capture agent(s), the transformation(s) may include aggregations, calculations, filtering, normalization, and/or formatting of the network data and/or event data at the remote capture agent(s). Moreover, the transformation(s) may be applied on top of previous transformations performed by the remote capture agent(s), so that one round of transformations may initially be applied at the remote capture agent(s) during generation of the event streams and another round after the event streams are received from the remote capture agent(s). Such transformation(s) may be performed by one or more reactors on one or more transformation servers, as described in further detail below with respect to
The transformation(s) may also be used to store the event data and/or transformed event data (operation 406). For example, the transformation(s) may be used to store the event data and/or transformed event data in a database and/or log file. Finally, querying of the transformed event data is enabled (operation 408). For example, the transformed event data may be indexed, and queries may be executed on the indexed, transformed event data. The queries may further be performed in parallel on different subsets of the transformed event data. For example, a set of indexers may be used to index mutually exclusive time spans of the transformed event data and query the transformed event data using a map-reduce technique that operates on the time spans in parallel, as described in further detail below with respect to
Similarly, capturing of the network data may be divided among the remote capture agents to avoid data duplication. In addition, the remote capture agents may execute in and/or capture the network data from one or more virtual machines running in a cloud-based environment. This avoids the necessity of using a network TAP or SPAN port connection for access to and/or capturing of network data from physical network infrastructure.
3.2. Dynamically Configurable Remote Capture Agents for Capturing Network Data
First, configuration information for a remote capture agent is obtained at the remote capture agent from a configuration server (operation 502). The remote capture agent may be located on a separate network from that of the configuration server. For example, the remote capture agent may be installed on a physical and/or virtual machine on a remote network and/or cloud. As discussed above, the remote capture agent and other remote capture agents may be used to capture network data from a set of remote networks in a distributed manner. The captured network data may then be converted into event data that is included in a number of event streams by the remote capture agent(s). For example, a remote capture agent may generate an event to be included in an event stream by identifying one or more network packets associated with a packet and using the network data from the network packet(s) to generate event data corresponding to the event.
The configuration information may include a unique numeric or string identifier for each event stream to be generated by the remote capture agent. The configuration information may also include a description and/or a descriptive name of the event stream. The configuration information may further specify an event stream type that identifies the type of event data (e.g., clickstream events, HTTP transactions, business transactions, errors, alerts, classified transactions, etc.) to be included in the event stream. Finally, the configuration information may include a list of custom fields (e.g., for including specific pieces of network data in the events) and/or one or more additional parameters associated with generating the event data (e.g., time interval between events, maximum number of cached and/or aggregated events, inclusion of matching transactions or errors in the event data, types of events used by the event stream, etc.).
Next, the configuration information is used to configure the generation of event data from network data (e.g., from network packets) at the remote capture agent (operation 504). For example, the configuration information may be used to configure the remote capture agent to identify certain types of network packets, extract network data from the network packets, and/or include the network data in the event data. The configuration information may also be used to configure the transformation of event data or network data into transformed event data at the remote capture agent (operation 506).
For example, the configuration information may specify that the event data and/or network data be aggregated into a sum, statistic (e.g., mean, median, minimum, maximum, etc.), and/or uniqueness count (e.g., number of times a unique value is found in an aggregation interval). To aggregate the event data and/or network data, a time interval associated with aggregation of the event data and/or network data may be obtained, and the event data and/or network data within the time interval may be aggregated into an event count, statistic, and/or uniqueness count. The configuration information may also specify a calculation (e.g., mathematical function, mathematical formula, etc.) to be performed on the network data and/or event data to produce the transformed event data. The configuration information may further provide a filter (e.g., regular expression, range of values, exact value, etc.) for removing a subset of the event data and/or network data to produce the transformed event data. The configuration information may additionally specify a normalization that is used to transform different representations of the same value (e.g., timestamp, host name, resource name, location, etc.) into the same normalized value. Finally, the configuration information may provide a formatting that may be applied to the event data and/or network data to generate transformed event data that adheres to a specific format.
After the remote capture agent is configured, one or more event streams containing the event data and/or transformed event data from the remote capture agent are provided to one or more transformation servers for further transformation of the event data and/or transformed event data by the transformation server(s) (operation 508). For example, the event stream(s) may be transmitted over one or more networks to the transformation server(s), and the transformation server(s) may perform additional aggregations, calculations, filtering, normalization, and/or formatting associated with the event data and/or transformed event data.
An update to the configuration information may be received (operation 512) by the remote capture agent. For example, the update may be detected by the remote capture agent after polling the configuration server and determining that the version of configuration information at the configuration server is newer than the version at the remote capture agent. The remote capture agent may then pull the update from the configuration server. Alternatively, the update may be pushed from the configuration server to the remote capture agent. If no update is received, the remote capture agent may continue to be used (operation 516) to capture network data as-is.
If an update to the configuration information is received, the update is used to reconfigure the generation and/or transformation of event data and/or network data at the remote capture agent during runtime of the remote capture agent (operation 514). For example, the remote capture agent may be reconfigured to generate and/or transform the event data and/or network data while the remote capture agent continues to generate event streams containing event data and/or network data according to the old configuration.
The remote capture agent may continue to be used (operation 516) to capture network data with or without reconfiguring the remote capture agent using updates to the configuration information. If the remote capture agent is to be used, one or more event streams from the remote capture agent are continually provided to one or more transformation servers for further transformation by the transformation server(s) (operation 508), and any updates to the configuration information are used to reconfigure the operation of the remote capture agent (operations 512-514) during generation of the event stream(s). Capture of network data by the remote capture agent may continue until the remote capture agent is no longer used to generate event data and/or transformed event data from network data at the network to which the remote capture agent is connected.
In one or more embodiments, some or all of the configuration information is provided to the configuration server by an application used to access the transformed event data. The application may be designed around one or more specific use cases associated with network data captured by the remote capture agent, such as managing virtual machines, assessing network security, performing web analytics, and/or managing web application performance. The application may also execute on the SPLUNK® ENTERPRISE platform and have access to both the configuration server and event data generated by the remote capture agent.
To offload processing of the event data at the application (e.g., during real-time querying and/or visualization of the event data), the application may provide configuration information for performing the processing at the remote capture agent to the configuration server, and the configuration server may propagate the configuration information to the remote capture agent. In turn, the remote capture agent may use the configuration to perform the processing as the event data is generated and/or transformed instead of requiring the application to perform significant processing the event data in real-time. In other words, subsequent real-time processing of event data by the application and the associated overhead associated with such processing may be reduced by providing configuration information that causes the remote capture agent to transform event data into a form that can be used by the application.
This may integrate better with a late-binding schema, such as the late-binding schema implemented by Splunk Inc. of San Francisco, California, because significant resources may be required to aggregate, format, and/or otherwise transform event data and extract fields at runtime. The term “late-binding schema” refers to a system, such as SPLUNK® ENTERPRISE, where the schema need not be defined at index time, as with database technology. Rather, in a system involving late-binding schema, the schema can be developed on an ongoing basis up until a query, during execution, applies (binds) the schema to data to evaluate the data. As a user learns more about the data in stored events, in a late-binding schema, he/she can continue to develop the schema up until the next time it is needed for a query. Because SPLUNK® ENTERPRISE maintains the underlying raw data and enables application of a late-binding schema, SPLUNK® ENTERPRISE may have greater capability to enable deep exploration of the data to solve problems reflected in the data and answer questions about the data than conventional databases or data-processing systems that merely store summaries or portions of data.
For example, a security application monitoring login attempts on a web application may use incorrect password entries by users during the login attempts to assess the security of the web application. The security application may provide configuration information for generating event data corresponding to login failures, with the event data containing usernames, IP addresses, timestamps, and/or passwords entered for the login failures. Because the security application may receive events only when failed login attempts occur, the security application may not be required to filter the event data for failed login attempts.
Continuing with the above example, the configuration information may specify the aggregation of failed login attempts into failed login attempts per minute. Thus, instead of receiving an event every time a failed login attempt occurs, the security application may receive event data every minute that indicates the number of failed login attempts for the last minute.
3.3. Operation of Configuration Server
First, configuration information for a set of remote capture agents on a set of networks is obtained at the configuration server (operation 602). The configuration information may be obtained from a user (e.g., an administrator) and/or an application used to access event data generated by the remote capture agents. Next, the configuration server is used to provide the configuration information to the remote capture agents (operation 604). For example, the configuration server may use a push and/or pull mechanism to transmit the configuration information to the remote capture agents. The configuration information may then be used by the remote capture agents to configure the generation and/or transformation of event data, as described above.
An update to the configuration information may be obtained (operation 606). For example, an update to the configuration information may be obtained to enable the generation of new event streams at one or more of the remote capture agents for use with one or more new use cases associated with network data capture by the remote capture agent(s). If an update to the configuration information is obtained, the configuration server is used to provide the update to the remote capture agents (operation 608), and the update is used to reconfigure the generation and/or transformation of the event data at the remote capture agents during runtime of the remote capture agents. If no update is received, no additional configuration information may be transmitted between the configuration server and remote capture agents.
The remote capture agents may continue to be configured (operation 610) using configuration information from the configuration server. If the remote capture agents are to be configured using the configuration server, any updates to the configuration information are transmitted from the configuration server to the remote capture agents (operation 606-608) to enable reconfiguration of the remote capture agents. Such transmission of updates to the configuration information to the remote capture agents may continue until the configuration server is no longer used to dynamically configure the remote capture agents.
3.4. GUI for Configuring Event Streams
Initially, the GUI is provided for obtaining configuration information for configuring the generation of event data from network data obtained from network packets at one or more remote capture agents (operation 702). The configuration information may be obtained using a configuration dialog of the GUI, as discussed in further detail below with respect to
Next, use of the GUI in configuring the connection of one or more event streams containing the event data to one or more reactors for subsequent processing of the event data by the reactor(s) is enabled (operation 704). For example, graphical representations of the event stream(s) and reactor(s) may be displayed in the GUI, and directed edges for connecting the graphical representations may be provided by the GUI. A directed edge from one component (e.g., event stream or reactor) to another may thus represent the passing of output from the component as input to the second component. Using GUIs to connect event streams and reactors is described in further detail below with respect to
Use of the GUI in configuring the subsequent processing of the event data by the reactor(s) is also enabled (operation 706). For example, the GUI may provide a separate configuration dialog for configuring each type of reactor used to process event streams. Finally, the configuration information is provided to the remote capture agent(s), where the configuration information is used to configure the generation of the event data at the remote capture agent(s) during runtime of the remote capture agent(s).
In one or more embodiments, reactors are provided by one or more transformation servers that transform the event data after the event data is created and/or initially transformed at the remote capture agent(s). As noted above, configuration servers may be transformation servers. Alternatively, a configuration server may be included within a transformation server and/or execute independently from the transformation server. The reactors may include collection reactors that collect event and/or network data, processing reactors that process event and/or network data, and/or storage reactors that store event and/or network data. Within the GUI, the reactors may be represented by icons and/or other user-interface elements that may be selected to configure the operation of the reactors.
In the illustrated embodiment, GUI 800 includes two stream icons 801 and 802 that correspond to graphical representations of two event streams. Icon 801 is connected to a filter reactor icon 803 using a directed edge, which is further connected to a python reactor icon 806 using another directed edge. Filter reactor icon 803 may be a graphical representation of a filter reactor that filters event streams provided as input to the filter reactor according to one or more filtering rules (e.g., regular expressions, network data types, event types, time spans, etc.) and outputs the filtered event streams. Python reactor icon 806 may be a graphical representation of a python reactor that creates, processes, or stores events using the Python programming language. As a result, event data from the event stream represented by stream icon 801 may be filtered by the filter reactor before being processed by the python reactor.
Another series of directed edges in GUI 800 may connect stream icon 802 to a cleansing transformation reactor icon 804, which in turn is connected to both a filter reactor icon 805 and an aggregator reactor icon 807. Cleansing transformation reactor icon 804 may be a graphical representation of a cleansing transformation reactor that normalizes different representations of the same value into the same normalized value. For example, the cleansing transformation reactor may convert different timestamp formats into the same normalized timestamp format. Aggregator reactor icon 807 may be a graphical representation of an aggregator reactor that aggregates event data for multiple events received during a time interval and produces new events representing the aggregated information. The new events may include event counts, statistics, and/or uniqueness counts related to the aggregated information. For example, the aggregated event data may include total page views, average numbers of requests, minimum RTT, and/or counts of requests for uniquely named resources.
Other examples of reactors usable with the techniques described herein include:
GUI 800 may thus provide a visual mechanism for configuring event streams that are generated from network traffic. Users may connect graphical representations of event streams and reactors to allow filtering, cleaning, aggregating, transforming, and/or other processing of events in the event streams. Output from the reactors may then be provided to other reactors using connections (e.g., directed edges) specified in GUI 800 for further processing.
In addition, selecting (e.g., double-clicking) on stream icons 801-802 may invoke the configuration dialog for the corresponding event stream, which allows users to configure the generation of event data in the event stream.
In the illustrated embodiment, configuration dialog 901 includes a section 902 for specifying a descriptive stream name (e.g., “Home Page Requests”) and an event type (e.g., “clickstream.http-event”) associated with the event stream. Another section 903 may be used to provide terms (e.g., for clickstream data) to be included in event data the event stream. For example, section 903 may display a list of terms (e.g., “clickestream.c-ip,” “clickstream.host,” “clickstream.uri-stem”) to be included in the event data, as well as a mechanism 904 for adding a new term to the list.
Configuration dialog 901 further includes a section 905 that enables the definition of one or more filtering rules. For example, section 905 may include a filtering rule that requires an exact match between a URI stem of an event and the value “/index.html.” Section 905 may also include a mechanism 906 for adding new filtering rules for the event stream.
4.0. Implementation Mechanisms
4.1. Exemplary Systems for Storing and Retrieving Events
As noted above, the visualization techniques described herein can be applied to a variety of types of events, including those generated and used in SPLUNK® ENTERPRISE. Further details of underlying architecture of SPLUNK® ENTERPRISE are now provided.
Generally, the system includes one or more forwarders 1010 that collect data from a variety of different data sources 1005 and forwards the data using forwarders 1010 to one or more data indexers 1015. In one embodiment, forwarders 1010 and indexers 1015 can be implemented in one or more hardware servers. Moreover, the functionality of one or more forwarders 1010 may be implemented by one or more remote capture agents (e.g., remote capture agents 151-153 of
At operation 1125, the data included in a given event may be transformed. Such a transformation can include such things as removing part of an event (e.g., a portion used to define event boundaries) or removing redundant portions of an event. A client data processing system may specify a portion to remove using a regular expression or any similar method.
Optionally, a keyword index can be built to facilitate fast keyword searching of events. To build such an index, in operation 1130, a set of keywords contained in the events is identified. At operation 1135, each identified keyword is included in an index, which associates with each stored keyword pointers to each event containing that keyword (or locations within events where that keyword is found). When a keyword-based query is received by an indexer, the indexer may then consult this index to quickly find those events containing the keyword without having to examine again each individual event, thereby greatly accelerating keyword searches.
The events are stored in a data store at operation 1140. The data can be stored in working, short-term and/or long-term memory in a manner retrievable by query. The time stamp may be stored along with each event to help optimize searching the events by time range.
In some instances, the data store includes a plurality of individual storage buckets, each corresponding to a time range. An event can then be stored in a bucket associated with a time range inclusive of the event's time stamp. This not only optimizes time based searches, but it can allow events with recent time stamps that may have a higher likelihood of being accessed to be stored at preferable memory locations that lend to quicker subsequent retrieval (such as flash memory instead of hard-drive memory).
As shown in
It should be appreciated that, to achieve high availability and to provide for disaster recovery, events may be replicated in multiple data stores, in which case indexers with access to the redundant events would not respond to the query by processing the redundant events. The indexers 1015 may either stream the relevant events back to the search head or use the events to calculate a partial result responsive to the query and send the partial result back to the search head. At operation 1220, the search head combines all the partial results or events received from the parallel processing together to determine a final result responsive to the query.
Data intake and query system 145 and the processes described with respect to
4.2. Hardware Overview
RAM 1305 can be implemented as dynamic RAM (“DRAM”), which requires power continually in order to refresh or maintain the data in the memory. The other nonvolatile memory 1306 can be a magnetic hard drive, magnetic optical drive, optical drive, DVD RAM, or other type of memory system that maintains data after power is removed from the system. While
5.0. Extensions and Alternatives
With these embodiments in mind, it will be apparent from this description that aspects of the described techniques may be embodied, at least in part, in software, hardware, firmware, or any combination thereof. It should also be understood that embodiments can employ various computer-implemented functions involving data stored in a computer system. The techniques may be carried out in a computer system or other data processing system in response executing sequences of instructions stored in memory. In various embodiments, hardwired circuitry may be used independently or in combination with software instructions to implement these techniques. For instance, the described functionality may be performed by specific hardware components containing hardwired logic for performing operations, or by any combination of custom hardware components and programmed computer components. The techniques described herein are not limited to any specific combination of hardware circuitry and software.
Embodiments herein may also be implemented in computer-readable instructions stored on an article of manufacture referred to as a computer-readable medium, which is adapted to store data that can thereafter be read and processed by a computer. Computer-readable media is adapted to store these computer instructions, which when executed by a computer or other data processing system such as data processing system 1300, are adapted to cause the system to perform operations according to the techniques described herein. Computer-readable media can include any mechanism that stores information in a form accessible by a data processing device such as a computer, network device, tablet, smartphone, or any device having similar functionality. Examples of computer-readable media include any type of tangible article of manufacture capable of storing information thereon including floppy disks, hard drive disks (“HDDs”), solid-state devices (“SSDs”) or other flash memory, optical disks, digital video disks (“DVDs”), CD-ROMs, magnetic-optical disks, ROMs, RAMs, erasable programmable read only memory (“EPROMs”), electrically erasable programmable read only memory (“EEPROMs”), magnetic or optical cards, or any other type of media suitable for storing instructions in an electronic format. Computer-readable media can also be distributed over a network-coupled computer system stored and executed in a distributed fashion.
Throughout the foregoing description, for the purposes of explanation, numerous specific details were set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to persons skilled in the art that these embodiments may be practiced without some of these specific details. Although various embodiments incorporating the teachings of the present invention have been shown and described in detail herein, those skilled in the art can readily devise many other varied embodiments that still incorporate these techniques. Embodiments of the invention may include various operations as set forth above or fewer operations or more operations; or operations in an order, which is different from the order described herein. Accordingly, the scope and spirit of the invention should be judged in terms of the claims that follow as well as the legal equivalents thereof.
This application claims benefit under 35 U.S.C. § 120 as a continuation of U.S. application Ser. No. 16/417,315, filed May 20, 2019, which is a continuation of U.S. application Ser. No. 15/582,309, filed Apr. 28, 2017, now U.S. Pat. No. 10,348,583, which claims benefit as a continuation of U.S. application Ser. No. 14/253,753, filed Apr. 15, 2014, now U.S. Pat. No. 9,762,443, the entire contents of which are hereby incorporated by reference as if fully set forth herein. The applicant(s) hereby rescind any disclaimer of claim scope in the parent application(s) or the prosecution history thereof and advise the USPTO that the claims in this application may be broader than any claim in the parent application(s).
Number | Name | Date | Kind |
---|---|---|---|
5436618 | Van Steenbrugge | Jul 1995 | A |
5787253 | Mccreery et al. | Jul 1998 | A |
5796942 | Esbensen | Aug 1998 | A |
5892903 | Klaus | Apr 1999 | A |
5920711 | Seawright et al. | Jul 1999 | A |
5983270 | Abraham et al. | Nov 1999 | A |
6044401 | Harvey | Mar 2000 | A |
6108782 | Fletcher et al. | Aug 2000 | A |
6418471 | Shelton et al. | Jul 2002 | B1 |
6542861 | Lyles et al. | Apr 2003 | B1 |
6584501 | Cartsonis et al. | Jun 2003 | B1 |
6587969 | Weinberg et al. | Jul 2003 | B1 |
6594634 | Hampton et al. | Jul 2003 | B1 |
6643694 | Chernin | Nov 2003 | B1 |
6708292 | Mangasarian | Mar 2004 | B1 |
6748343 | Alexander et al. | Jun 2004 | B2 |
6792460 | Oulu et al. | Sep 2004 | B2 |
6810494 | Weinberg et al. | Oct 2004 | B2 |
6892167 | Polan et al. | May 2005 | B2 |
6898556 | Smocha et al. | May 2005 | B2 |
6915308 | Evans et al. | Jul 2005 | B1 |
6973489 | Levy | Dec 2005 | B1 |
6978301 | Tindal | Dec 2005 | B2 |
6985944 | Aggarwal | Jan 2006 | B2 |
6988141 | Motoyama et al. | Jan 2006 | B1 |
6996779 | Meandzija et al. | Feb 2006 | B2 |
7016813 | Alexander et al. | Mar 2006 | B2 |
7054924 | Harvey et al. | May 2006 | B1 |
7080399 | Yanagawa et al. | Jul 2006 | B1 |
7100091 | Nakamoto et al. | Aug 2006 | B2 |
7107335 | Arcieri et al. | Sep 2006 | B1 |
7150037 | Wolf et al. | Dec 2006 | B2 |
7171689 | Beavers | Jan 2007 | B2 |
7177441 | Condon et al. | Feb 2007 | B2 |
7197559 | Goldstein et al. | Mar 2007 | B2 |
7206831 | Dube et al. | Apr 2007 | B1 |
7219138 | Straut et al. | May 2007 | B2 |
7228348 | Farley et al. | Jun 2007 | B1 |
7228564 | Raikar et al. | Jun 2007 | B2 |
7231445 | Aweya et al. | Jun 2007 | B1 |
7245623 | Cheriton | Jul 2007 | B1 |
7246101 | Fu et al. | Jul 2007 | B2 |
7246162 | Tindal | Jul 2007 | B2 |
7257719 | Pandit et al. | Aug 2007 | B2 |
7260846 | Day | Aug 2007 | B2 |
7277957 | Rowley et al. | Oct 2007 | B2 |
7299277 | Moran et al. | Nov 2007 | B1 |
7376896 | Ullmann et al. | May 2008 | B2 |
7376969 | Njemanze et al. | May 2008 | B1 |
7380272 | Sharp et al. | May 2008 | B2 |
7444263 | White et al. | Oct 2008 | B2 |
7490066 | Kronenberg et al. | Feb 2009 | B2 |
7519964 | Islam et al. | Apr 2009 | B1 |
7539489 | Alexander | May 2009 | B1 |
7543051 | Greifeneder et al. | Jun 2009 | B2 |
7552238 | Gulland | Jun 2009 | B2 |
7577623 | Genty et al. | Aug 2009 | B2 |
7594011 | Chandra | Sep 2009 | B2 |
7594269 | Durham et al. | Sep 2009 | B2 |
7607170 | Chesla | Oct 2009 | B2 |
7610344 | Mehr et al. | Oct 2009 | B2 |
7623463 | Chavda | Nov 2009 | B2 |
7644365 | Bhattacharya et al. | Jan 2010 | B2 |
7644438 | Dash et al. | Jan 2010 | B1 |
7650396 | Tindal | Jan 2010 | B2 |
7650634 | Zuk | Jan 2010 | B2 |
7660892 | Choong et al. | Feb 2010 | B2 |
7702806 | Gil et al. | Apr 2010 | B2 |
7729240 | Crane et al. | Jun 2010 | B1 |
7735063 | Herzog et al. | Jun 2010 | B2 |
7738396 | Turner et al. | Jun 2010 | B1 |
7751393 | Chaskar et al. | Jul 2010 | B2 |
7761918 | Gula et al. | Jul 2010 | B2 |
7774369 | Herzog et al. | Aug 2010 | B2 |
7797443 | Pettigrew et al. | Sep 2010 | B1 |
RE41903 | Wenig et al. | Oct 2010 | E |
7814218 | Knee et al. | Oct 2010 | B1 |
7818370 | Piper et al. | Oct 2010 | B2 |
7836498 | Poletto et al. | Nov 2010 | B2 |
7869352 | Turner et al. | Jan 2011 | B1 |
7886054 | Nag et al. | Feb 2011 | B1 |
7899444 | Hans et al. | Mar 2011 | B2 |
7921459 | Houston et al. | Apr 2011 | B2 |
7948889 | Lalonde et al. | May 2011 | B2 |
7953425 | Jordan | May 2011 | B2 |
7954109 | Durham et al. | May 2011 | B1 |
7962616 | Kupferman et al. | Jun 2011 | B2 |
7979555 | Rothstein et al. | Jul 2011 | B2 |
8019064 | Bedingfield et al. | Sep 2011 | B2 |
8020211 | Keanini et al. | Sep 2011 | B2 |
8032564 | Muret et al. | Oct 2011 | B2 |
8037175 | Apte et al. | Oct 2011 | B1 |
8042055 | Wenig et al. | Oct 2011 | B2 |
8046443 | Parker et al. | Oct 2011 | B2 |
8046833 | Gustafson et al. | Oct 2011 | B2 |
8056130 | Njemanze et al. | Nov 2011 | B1 |
8064350 | Peterman et al. | Nov 2011 | B2 |
8068986 | Shahbazi et al. | Nov 2011 | B1 |
8095640 | Guingo et al. | Jan 2012 | B2 |
8101480 | Kim et al. | Jan 2012 | B1 |
8103765 | Greifeneder et al. | Jan 2012 | B2 |
8112425 | Baum et al. | Feb 2012 | B2 |
8122006 | De et al. | Feb 2012 | B2 |
8125908 | Rothstein et al. | Feb 2012 | B2 |
8127000 | Wenig et al. | Feb 2012 | B2 |
8140665 | Malloy et al. | Mar 2012 | B2 |
8144609 | Rao | Mar 2012 | B2 |
8185953 | Rothstein et al. | May 2012 | B2 |
8191136 | Dudfield et al. | May 2012 | B2 |
8195661 | Kalavade | Jun 2012 | B2 |
8248958 | Tulasi et al. | Aug 2012 | B1 |
8255511 | Moore et al. | Aug 2012 | B1 |
8266271 | Oyadomari et al. | Sep 2012 | B2 |
8301745 | Wohlgemuth et al. | Oct 2012 | B1 |
8335848 | Wenig et al. | Dec 2012 | B2 |
8358591 | Chuang et al. | Jan 2013 | B2 |
8365278 | Njemanze et al. | Jan 2013 | B1 |
8385532 | Geist et al. | Feb 2013 | B1 |
8386371 | Kittelsen et al. | Feb 2013 | B2 |
8386598 | Robinson | Feb 2013 | B2 |
8387076 | Thatte et al. | Feb 2013 | B2 |
8392553 | Petropoulakis et al. | Mar 2013 | B2 |
8423894 | Bhattacharya et al. | Apr 2013 | B2 |
8473606 | Kronenberg et al. | Jun 2013 | B2 |
8473620 | Demmer et al. | Jun 2013 | B2 |
8498956 | Srinivasan et al. | Jul 2013 | B2 |
8522219 | Schwarzbauer et al. | Aug 2013 | B2 |
8533532 | Wenig et al. | Sep 2013 | B2 |
8543534 | Alves et al. | Sep 2013 | B2 |
8549650 | Hanson | Oct 2013 | B2 |
8578002 | Roesch et al. | Nov 2013 | B1 |
8583772 | Wenig et al. | Nov 2013 | B2 |
8589375 | Zhang et al. | Nov 2013 | B2 |
8589436 | Srinivasan et al. | Nov 2013 | B2 |
8589876 | Neeman | Nov 2013 | B1 |
8601122 | Malloy et al. | Dec 2013 | B2 |
8667121 | Ahuja et al. | Mar 2014 | B2 |
8676841 | Srinivasan et al. | Mar 2014 | B2 |
8682308 | De et al. | Mar 2014 | B2 |
8705639 | Salinger | Apr 2014 | B2 |
8749553 | Krasovsky et al. | Jun 2014 | B1 |
8779921 | Curtiss | Jul 2014 | B1 |
8782787 | Willibeek-Lemair et al. | Jul 2014 | B2 |
8806361 | Noel et al. | Aug 2014 | B1 |
8842548 | Pleshek et al. | Sep 2014 | B2 |
8850064 | Mann et al. | Sep 2014 | B2 |
8850182 | Fritz et al. | Sep 2014 | B1 |
8868486 | Tamayo | Oct 2014 | B2 |
8874736 | Levi et al. | Oct 2014 | B2 |
8918430 | Fischer | Dec 2014 | B2 |
8958318 | Hastwell et al. | Feb 2015 | B1 |
8978034 | Goodson et al. | Mar 2015 | B1 |
8984101 | Viswanath et al. | Mar 2015 | B1 |
8996668 | Tan et al. | Mar 2015 | B2 |
9043439 | Bicket et al. | May 2015 | B2 |
9098587 | Deshmukh et al. | Aug 2015 | B2 |
9110101 | Pietrowicz et al. | Aug 2015 | B2 |
9112915 | Su | Aug 2015 | B2 |
9118538 | Ekkalapudi et al. | Aug 2015 | B1 |
9122786 | Cammert et al. | Sep 2015 | B2 |
9189449 | Branson et al. | Nov 2015 | B2 |
9203707 | Iasija et al. | Dec 2015 | B1 |
9244978 | Alves et al. | Jan 2016 | B2 |
9270545 | Salinger | Feb 2016 | B2 |
9305238 | Srinivasan et al. | Apr 2016 | B2 |
9330395 | Hauser | May 2016 | B2 |
9405854 | Jerzak et al. | Aug 2016 | B2 |
9471585 | Theimer | Oct 2016 | B1 |
9509553 | Levy et al. | Nov 2016 | B2 |
9542708 | Piper et al. | Jan 2017 | B2 |
9558225 | Skrzypczak et al. | Jan 2017 | B2 |
9680846 | Haugsnes | Jun 2017 | B2 |
9736227 | Cook | Aug 2017 | B2 |
9762443 | Dickey | Sep 2017 | B2 |
9906607 | Lawson et al. | Feb 2018 | B2 |
9923767 | Dickey | Mar 2018 | B2 |
10374883 | Dickey | Aug 2019 | B2 |
10700950 | Hsiao et al. | Jun 2020 | B2 |
10796305 | Farrow et al. | Oct 2020 | B1 |
20020015387 | Houh | Feb 2002 | A1 |
20020069275 | Tindal | Jun 2002 | A1 |
20020093527 | Sherlock et al. | Jul 2002 | A1 |
20020198984 | Goldstein et al. | Dec 2002 | A1 |
20030061506 | Cooper et al. | Mar 2003 | A1 |
20030101449 | Bentolila et al. | May 2003 | A1 |
20030120619 | Osborn | Jun 2003 | A1 |
20030135612 | Huntington et al. | Jul 2003 | A1 |
20030191599 | Bartsch | Oct 2003 | A1 |
20030191989 | O'Sullivan | Oct 2003 | A1 |
20030221000 | Cherkasova et al. | Nov 2003 | A1 |
20040015579 | Cooper et al. | Jan 2004 | A1 |
20040030796 | Cooper et al. | Feb 2004 | A1 |
20040042470 | Cooper et al. | Mar 2004 | A1 |
20040044912 | Connary et al. | Mar 2004 | A1 |
20040088405 | Aggarwal | May 2004 | A1 |
20040109453 | Wirth | Jun 2004 | A1 |
20040152444 | Lialiamou et al. | Aug 2004 | A1 |
20040215747 | Maron | Oct 2004 | A1 |
20040268150 | Aaron | Dec 2004 | A1 |
20050021715 | Dugatkin et al. | Jan 2005 | A1 |
20050027858 | Sloth et al. | Feb 2005 | A1 |
20050060402 | Oyadomari et al. | Mar 2005 | A1 |
20050076136 | Cho et al. | Apr 2005 | A1 |
20050120160 | Plouffe et al. | Jun 2005 | A1 |
20050131876 | Ahuja et al. | Jun 2005 | A1 |
20050138013 | Walker et al. | Jun 2005 | A1 |
20050138426 | Styslinger | Jun 2005 | A1 |
20050267967 | Markos et al. | Dec 2005 | A1 |
20050273593 | Seminaro et al. | Dec 2005 | A1 |
20050278731 | Cameron et al. | Dec 2005 | A1 |
20060047721 | Narang et al. | Mar 2006 | A1 |
20060077895 | Wright | Apr 2006 | A1 |
20060101101 | Pandit et al. | May 2006 | A1 |
20060198318 | Schondelmayer et al. | Sep 2006 | A1 |
20060242694 | Gold et al. | Oct 2006 | A1 |
20060256735 | Borowski | Nov 2006 | A1 |
20060279628 | Fleming | Dec 2006 | A1 |
20070011309 | Brady et al. | Jan 2007 | A1 |
20070013936 | Ishimoto | Jan 2007 | A1 |
20070033408 | Morten | Feb 2007 | A1 |
20070043861 | Baron et al. | Feb 2007 | A1 |
20070050846 | Xie et al. | Mar 2007 | A1 |
20070067450 | Malloy et al. | Mar 2007 | A1 |
20070076312 | Jordan | Apr 2007 | A1 |
20070083644 | Miller et al. | Apr 2007 | A1 |
20070094327 | Ito | Apr 2007 | A1 |
20070106692 | Klein | May 2007 | A1 |
20070121872 | Hans et al. | May 2007 | A1 |
20070150584 | Srinivasan | Jun 2007 | A1 |
20070156916 | Schiefer | Jul 2007 | A1 |
20070208852 | Wexler et al. | Sep 2007 | A1 |
20070260932 | Prichard et al. | Nov 2007 | A1 |
20080005793 | Wenig et al. | Jan 2008 | A1 |
20080056139 | Liaqat | Mar 2008 | A1 |
20080082679 | Dobtchev | Apr 2008 | A1 |
20080159146 | Claudatos et al. | Jul 2008 | A1 |
20080184248 | Barua et al. | Jul 2008 | A1 |
20080196006 | Bates | Aug 2008 | A1 |
20080209505 | Ghai et al. | Aug 2008 | A1 |
20080259910 | Bodin et al. | Oct 2008 | A1 |
20080281963 | Fletcher et al. | Nov 2008 | A1 |
20090006672 | Blumrich et al. | Jan 2009 | A1 |
20090070786 | Alves et al. | Mar 2009 | A1 |
20090122699 | Alperovitch et al. | May 2009 | A1 |
20090129316 | Ramanathan et al. | May 2009 | A1 |
20090228474 | Chiu et al. | Sep 2009 | A1 |
20090238088 | Tan | Sep 2009 | A1 |
20090267953 | Sampsell et al. | Oct 2009 | A1 |
20090271504 | Ginter et al. | Oct 2009 | A1 |
20090319247 | Ratcliffe et al. | Dec 2009 | A1 |
20100031274 | Sim-Tang | Feb 2010 | A1 |
20100058165 | Bhattacharya et al. | Mar 2010 | A1 |
20100064307 | Malhotra et al. | Mar 2010 | A1 |
20100070929 | Behl et al. | Mar 2010 | A1 |
20100077286 | Guagenti et al. | Mar 2010 | A1 |
20100095370 | Lee et al. | Apr 2010 | A1 |
20100136943 | Hirvela et al. | Jun 2010 | A1 |
20100153316 | Duffield et al. | Jun 2010 | A1 |
20100172246 | Adam et al. | Jul 2010 | A1 |
20100318665 | Demmer et al. | Dec 2010 | A1 |
20100318836 | Ness et al. | Dec 2010 | A1 |
20110026521 | Gamage et al. | Feb 2011 | A1 |
20110029665 | Wenig et al. | Feb 2011 | A1 |
20110106935 | Srinivasan | May 2011 | A1 |
20110119226 | Ruhl et al. | May 2011 | A1 |
20110145715 | Malloy et al. | Jun 2011 | A1 |
20110166982 | Cole et al. | Jul 2011 | A1 |
20110178775 | Schoening et al. | Jul 2011 | A1 |
20110225289 | Prasad et al. | Sep 2011 | A1 |
20110231935 | Gula et al. | Sep 2011 | A1 |
20110238723 | Weintraub et al. | Sep 2011 | A1 |
20110246134 | Frishberg et al. | Oct 2011 | A1 |
20110256869 | Zhang et al. | Oct 2011 | A1 |
20110292818 | Zhytar et al. | Dec 2011 | A1 |
20110296015 | Chakravarty et al. | Dec 2011 | A1 |
20110302305 | Morimura et al. | Dec 2011 | A1 |
20110320586 | Maltz et al. | Dec 2011 | A1 |
20120017270 | Bartholomay et al. | Jan 2012 | A1 |
20120046133 | Pettys et al. | Feb 2012 | A1 |
20120054246 | Fischer | Mar 2012 | A1 |
20120072576 | Yumerefendi | Mar 2012 | A1 |
20120084437 | Wenig et al. | Apr 2012 | A1 |
20120106354 | Pleshek et al. | May 2012 | A1 |
20120109985 | Chandrasekaran | May 2012 | A1 |
20120124553 | Eschenroeder et al. | May 2012 | A1 |
20120131139 | Siripurapu et al. | May 2012 | A1 |
20120137018 | Uhlig et al. | May 2012 | A1 |
20120158987 | Greifeneder et al. | Jun 2012 | A1 |
20120173966 | Powell et al. | Jul 2012 | A1 |
20120179816 | Malloy et al. | Jul 2012 | A1 |
20120197934 | Zhang et al. | Aug 2012 | A1 |
20120198047 | Steuer et al. | Aug 2012 | A1 |
20120239681 | Zhang et al. | Sep 2012 | A1 |
20120250610 | Budampati et al. | Oct 2012 | A1 |
20120278455 | Peng et al. | Nov 2012 | A1 |
20120309377 | De et al. | Dec 2012 | A1 |
20120314616 | Hong et al. | Dec 2012 | A1 |
20130024431 | Parthasarathy et al. | Jan 2013 | A1 |
20130067034 | Degioanni et al. | Mar 2013 | A1 |
20130070622 | Degioanni et al. | Mar 2013 | A1 |
20130080620 | Cook | Mar 2013 | A1 |
20130091278 | Ludwig et al. | Apr 2013 | A1 |
20130111011 | Moulhaud et al. | May 2013 | A1 |
20130111014 | Lawrie et al. | May 2013 | A1 |
20130114456 | Dahod | May 2013 | A1 |
20130128742 | Yu | May 2013 | A1 |
20130132833 | White et al. | May 2013 | A1 |
20130136253 | Liberman et al. | May 2013 | A1 |
20130173782 | Ragutski et al. | Jul 2013 | A1 |
20130179855 | Elliott | Jul 2013 | A1 |
20130179860 | Woock | Jul 2013 | A1 |
20130182577 | Ivanyi et al. | Jul 2013 | A1 |
20130182579 | Turgeon et al. | Jul 2013 | A1 |
20130182700 | Figura et al. | Jul 2013 | A1 |
20130198391 | Weissblum | Aug 2013 | A1 |
20130212689 | Ben-Natan et al. | Aug 2013 | A1 |
20130227689 | Pietrowicz et al. | Aug 2013 | A1 |
20130232137 | Knott | Sep 2013 | A1 |
20130246925 | Ahuja et al. | Sep 2013 | A1 |
20130258995 | Skov et al. | Oct 2013 | A1 |
20130276000 | Neeman | Oct 2013 | A1 |
20130282892 | Levi et al. | Oct 2013 | A1 |
20130304531 | Barber et al. | Nov 2013 | A1 |
20130318236 | Coates et al. | Nov 2013 | A1 |
20130318514 | Neeman | Nov 2013 | A1 |
20130318536 | Fletcher et al. | Nov 2013 | A1 |
20130318603 | Merza | Nov 2013 | A1 |
20130318604 | Coates et al. | Nov 2013 | A1 |
20130326620 | Merza et al. | Dec 2013 | A1 |
20140012864 | Nakagawa | Jan 2014 | A1 |
20140013309 | Gounares | Jan 2014 | A1 |
20140046645 | White et al. | Feb 2014 | A1 |
20140068102 | Mann et al. | Mar 2014 | A1 |
20140173512 | Karpov et al. | Jun 2014 | A1 |
20140201375 | Beereddy et al. | Jul 2014 | A1 |
20140226817 | Von et al. | Aug 2014 | A1 |
20140230062 | Kumaran | Aug 2014 | A1 |
20140237292 | Chan | Aug 2014 | A1 |
20140279824 | Tamayo | Sep 2014 | A1 |
20140280737 | Bicket et al. | Sep 2014 | A1 |
20140317228 | Dharmasanam | Oct 2014 | A1 |
20140317684 | Porras et al. | Oct 2014 | A1 |
20140325058 | Fletcher et al. | Oct 2014 | A1 |
20140325363 | Fletcher et al. | Oct 2014 | A1 |
20140328189 | Fallon et al. | Nov 2014 | A1 |
20140344708 | Carr et al. | Nov 2014 | A1 |
20140351415 | Harrigan et al. | Nov 2014 | A1 |
20150013006 | Shulman et al. | Jan 2015 | A1 |
20150062113 | Cannon et al. | Mar 2015 | A1 |
20150095359 | Duxbury | Apr 2015 | A1 |
20150120820 | Cook | Apr 2015 | A1 |
20150125807 | Shipley | May 2015 | A1 |
20150156170 | Gurbani | Jun 2015 | A1 |
20150178342 | Seering et al. | Jun 2015 | A1 |
20150180891 | Seward et al. | Jun 2015 | A1 |
20150213631 | Vander Broek | Jul 2015 | A1 |
20150293954 | Hsiao et al. | Oct 2015 | A1 |
20150295766 | Dickey | Oct 2015 | A1 |
20150295796 | Hsiao et al. | Oct 2015 | A1 |
20150319058 | Molinero et al. | Nov 2015 | A1 |
20150319185 | Kirti et al. | Nov 2015 | A1 |
20150358391 | Moon et al. | Dec 2015 | A1 |
20160028758 | Ellis et al. | Jan 2016 | A1 |
20160112262 | Johnson et al. | Apr 2016 | A1 |
20160112287 | Farmer et al. | Apr 2016 | A1 |
20160127180 | Shcherbakov et al. | May 2016 | A1 |
20160127517 | Shcherbakov et al. | May 2016 | A1 |
20160155314 | Snyder | Jun 2016 | A1 |
20160182283 | Mann et al. | Jun 2016 | A1 |
20160323172 | Friend | Nov 2016 | A1 |
20160330086 | Oda et al. | Nov 2016 | A1 |
20160350722 | Walker et al. | Dec 2016 | A1 |
20170142068 | Devarajan et al. | May 2017 | A1 |
20170150037 | Rathod | May 2017 | A1 |
20170237634 | Dickey | Aug 2017 | A1 |
20170286505 | Lamas et al. | Oct 2017 | A1 |
20170310741 | Cook | Oct 2017 | A1 |
20170322972 | Lee et al. | Nov 2017 | A1 |
20170331670 | Parkvall et al. | Nov 2017 | A1 |
20180013692 | Park et al. | Jan 2018 | A1 |
20190294598 | Hsiao et al. | Sep 2019 | A1 |
20200162890 | Spencer | May 2020 | A1 |
Number | Date | Country |
---|---|---|
2011134739 | Nov 2011 | WO |
Entry |
---|
Corrected Notice of Allowance from U.S. Appl. No. 14/253,744, dated Feb. 15, 2018, 12 pages. |
Final Office Action, U.S. Appl. No. 16/378,400, dated Dec. 8, 2020, 17 pages. |
Final Office Action, U.S. Appl. No. 16/417,315, dated Nov. 27, 2020, 13 pages. |
Fiodin, et al., “Processing Object-Oriented Queries with Invertible Late Bound Functions,” Proceedings of the 21st VLDB Conference, 1995, pp. 335-344. |
Non-Final Office Action from U.S. Appl. No. 14/699,787, dated Jul. 16, 2019, 31 pages. |
Non-Final Office Action received for U.S. Appl. No. 14/609,223, dated Sep. 6, 2019, 26 pages. |
Non-Final Office Action, U.S. Appl. No. 16/134,778, dated Jun. 10, 2021, 21 pages. |
Non-Final Office Action, U.S. Appl. No. 16/378,400, dated Apr. 1, 2021, 7 pages. |
Non-Final Office Action, U.S. Appl. No. 16/378,400, dated Jun. 1, 2020, 14 pages. |
Non-Final Office Action, U.S. Appl. No. 16/417,315, dated Jun. 24, 2021, 7 pages. |
Non-Final Office Action, U.S. Appl. No. 16/417,315, dated May 15, 2020, 13 pages. |
Non-Final Office Action, U.S. Appl. No. 16/436,818, dated Jun. 9, 2021, 17 pages. |
Non-Final Office Action, U.S. Appl. No. 16/445,155, dated Jul. 31. 2020, 16 pages. |
Non-Final Office Action, U.S. Appl. No. 16/670,816, dated May 11, 2021, 46 pages. |
Notice of Allowability, U.S. Appl. No. 16/445,155, dated Nov. 13, 2020, 11 pages. |
Notice of Allowance from U.S. Appl. No. 14/528,898, dated May 8, 2017, 29 pages. |
Notice of Allowance from U.S. Appl. No. 14/610,457, dated Aug. 21, 2019, 22 pages. |
Notice of Allowance from U.S. Appl. No. 14/699,807, dated Jun. 17, 2019, 23 pages. |
Notice of Allowance, U.S. Appl. No. 14/609,223, dated Feb. 12, 2020, 7 pages. |
Notice of Allowance, U.S. Appl. No. 16/378,400, dated May 17, 2021, 8 pages. |
Notice of Allowance, U.S. Appl. No. 16/417,315, dated Oct. 4, 2021, 8 pages. |
Notice of Allowance, U.S. Appl. No. 16/442,338, dated Apr. 29, 2021, 8 pages. |
Notice of Allowance, U.S. Appl. No. 14/699,787, dated Feb. 20, 2020, 8 pages. |
Zabbix Network Monitoring Essentials Tutorial Video, Retrieved from https://www.youtube.com/watch?,=NLt_qR6yKWM&list=PLYoq8isOGa_N7mT7t4k2191CFdg2064wj&index=17 on Oct. 22, 2013, 1 page. |
Advisory Action from U.S. Appl. No. 14/253,713, dated Feb. 20, 2018, 3 pages. |
Advisory Action from U.S. Appl. No. 14/253,753, dated Apr. 29, 2016, 2 pages. |
Advisory Action from U.S. Appl. No. 14/253,753, dated May 7, 2015, 2 pages. |
Advisory Action from U.S. Appl. No. 14/253,767, dated Mar. 1, 2016, 3 pages. |
Advisory Action from U.S. Appl. No. 14/528,932, dated Jul. 14, 2017, 8 pages. |
Advisory Action from U.S. Appl. No. 14/609,292, dated Dec. 8, 2017, 5 pages. |
Advisory Action from U.S. Appl. No. 14/610,457, dated Apr. 16, 2018, 3 pages. |
Advisory Action from U.S. Appl. No. 14/699,787, dated Aug. 23, 2018, 3 pages. |
Advisory Action from U.S. Appl. No. 14/699,807, dated Jul. 12, 2018, 2 pages. |
Advisory Action from U.S. Appl. No. 15/582,309, dated Aug. 2, 2018, 2 pages. |
Final Office action from U.S. Appl. No. 14/253,713, dated Dec. 22, 2017, 46 pages. |
Final Office Action from U.S. Appl. No. 14/253,713, dated Feb. 10, 2015, 15 pages. |
Final Office Action from U.S. Appl. No. 14/253,713, dated Feb. 12, 2016, 17 pages. |
Final Office Action from U.S. Appl. No. 14/253,744, dated Feb. 21, 2017, 41 pages. |
Final Office Action from U.S. Appl. No. 14/253,744, dated Jan. 9, 2015, 29 pages. |
Final Office Action from U.S. Appl. No. 14/253,744, dated Oct. 23, 2015, 51 pages. |
Final Office Action from U.S. Appl. No. 14/253,753, dated Feb. 4, 2016, 17 pages. |
Final Office Action from U.S. Appl. No. 14/253,753, dated Mar. 2, 2015, 19 pages. |
Final Office Action from U.S. Appl. No. 14/253,767, dated Apr. 18, 2017, 34 pages. |
Final Office Action from U.S. Appl. No. 14/253,767, dated Dec. 16, 2015, 21 pages. |
Final Office Action from U.S. Appl. No. 14/253,767, dated Jan. 7, 2015, 14 pages. |
Final Office Action from U.S. Appl. No. 14/528,898, dated Jun. 29, 2016, 18 pages. |
Final Office Action from U.S. Appl. No. 14/528,932, dated May 5, 2017, 38 pages. |
Final Office Action from U.S. Appl. No. 14/609,223, dated Nov. 1, 2018, 33 pages. |
Final Office Action from U.S. Appl. No. 14/609,292, dated Aug. 25, 2017, 39 pages. |
Final Office Action from U.S. Appl. No. 14/610,408, dated Feb. 8, 2019, 16 pages. |
Final Office Action from U.S. Appl. No. 14/610,438, dated Dec. 20, 2018, 7 pages. |
Final Office Action from U.S. Appl. No. 14/610,457, dated Feb. 8, 2019, 49 pages. |
Final Office Action from U.S. Appl. No. 14/610,457, dated Jan. 22, 2018, 51 pages. |
Final Office Action from U.S. Appl. No. 14/699,787, dated Jun. 12, 2018, 41 pages. |
Final Office Action from U.S. Appl. No. 14/699,807, dated Apr. 27, 2018, 31 pages. |
Final Office Action from U.S. Appl. No. 15/582,309, dated May 11, 2018, 26 pages. |
Final Office Action from U.S. Appl. No. 15/885,712, dated Dec. 10, 2018, 18 pages. |
Final Office Action, U.S. Appl. No. 16/670,816, dated Sep. 7, 2021, 48 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,713, dated Aug. 12, 2015, 17 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,713, dated Jan. 19, 2017, 31 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,713, dated Sep. 3, 2014, 26 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,744, dated Jul. 5, 2016, 31 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,744, dated Jun. 10, 2015, 50 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,744, dated Jun. 16, 2017, 31 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,744, dated Oct. 6, 2014, 34 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,753, dated Jul. 1, 2016, 21 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,753, dated Jul. 28, 2015, 14 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,753, dated Sep. 5, 2014, 16 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,767, dated Jul. 15, 2015, 17 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,767, dated Jun. 19, 2014, 13 pages. |
Non-Final Office Action from U.S. Appl. No. 14/253,767, dated Sep. 19, 2016, 21 pages. |
Non-Final Office Action from U.S. Appl. No. 14/528,898, dated Mar. 31, 2016, 17 pages. |
Non-Final Office Action from U.S. Appl. No. 14/528,918, dated Feb. 17, 2016, 17 pages. |
Non-Final Office Action from U.S. Appl. No. 14/528,932, dated Dec. 14, 2016, 19 pages. |
Non-Final Office Action from U.S. Appl. No. 14/609,223, dated Mar. 14, 2018, 78 pages. |
Non-Final Office Action from U.S. Appl. No. 14/609,292, dated Apr. 12, 2017, 43 pages. |
Non-Final Office Action from U.S. Appl. No. 14/610,408, dated May 21, 2018, 80 pages. |
Non-Final Office Action from U.S. Appl. No. 14/610,438, dated Jun. 1, 2018, 91 pages. |
Non-Final Office Action from U.S. Appl. No. 14/610,457, dated Aug. 4, 2017, 79 pages. |
Non-Final Office Action from U.S. Appl. No. 14/610,457, dated Jun. 1, 2018, 63 pages. |
Non-Final Office Action from U.S. Appl. No. 14/699,787, dated Dec. 31, 2018, 42 pages. |
Non-Final Office Action from U.S. Appl. No. 14/699,787, dated Sep. 21, 2017, 67 pages. |
Non-Final Office action from U.S. Appl. No. 14/699,807, dated Dec. 28, 2017, 60 pages. |
Non-Final Office Action from U.S. Appl. No. 14/699,807, dated Sep. 21, 2018, 28 pages. |
Non-Final Office Action from U.S. Appl. No. 15/421,269, dated Jul. 10, 2017, 39 pages. |
Non-Final Office Action from U.S. Appl. No. 15/582,309, dated Sep. 22, 2017, 46 pages. |
Non-Final Office Action from U.S. Appl. No. 15/582,309, dated Sep. 6, 2018, 12 pages. |
Non-Final Office Action from U.S. Appl. No. 15/709,343, dated Jul. 13, 2018, 47 pages. |
Non-Final Office Action from U.S. Appl. No. 15/885,712, dated Jun. 28, 2018, 50 pages. |
Non-Final Office Action, U.S. Appl. No. 17/578,264, dated Sep. 28, 2022, 16 pages. |
Non-Final Office Action, U.S. Appl. No. 16/670,816, dated Jan. 13, 2022, 40 pages. |
Notice of Allowance from U.S. Appl. No. 14/253,713, dated Jun. 18, 2018, 17 pages. |
Notice of Allowance from U.S. Appl. No. 14/253,744, dated Nov. 15, 2017, 12 pages. |
Notice of Allowance from U.S. Appl. No. 14/253,744, dated Nov. 27, 2017, 12 pages. |
Notice of Allowance from U.S. Appl. No. 14/253,753, dated Feb. 27, 2017, 19 pages. |
Notice of Allowance from U.S. Appl. No. 14/253,753, dated Jun. 12, 2017, 16 pages. |
Notice of Allowance from U.S. Appl. No. 14/253,753, dated May 23, 2017, 2 pages. |
Notice of Allowance from U.S. Appl. No. 14/253,753, dated Nov. 8, 2016, 7 pages. |
Notice of allowance from U.S. Appl. No. 14/528,898, dated Nov. 28, 2016, 8 pages. |
Notice of Allowance from U.S. Appl. No. 14/528,898, dated Sep. 13, 2017, 22 pages. |
Notice of Allowance from U.S. Appl. No. 14/528,918, dated Aug. 18, 2016, 5 pages. |
Notice of Allowance from U.S. Appl. No. 14/528,918, dated Dec. 21, 2016, 26 pages. |
Notice of Allowance from U.S. Appl. No. 14/610,408, dated Mar. 8, 2019, 12 pages. |
Notice of Allowance from U.S. Appl. No. 14/610,438, dated Mar. 14, 2019, 14 pages. |
Notice of Allowance from U.S. Appl. No. 15/421,269, dated Nov. 13, 2017, 9 pages. |
Notice of Allowance from U.S. Appl. No. 15/421,269, dated Sep. 8, 2017, 12 pages. |
Notice of Allowance from U.S. Appl. No. 15/582,309, dated Feb. 20, 2019, 12 pages. |
Notice of Allowance from U.S. Appl. No. 15/582,309, dated Apr. 5, 2019, 6 pages. |
Notice of Allowance from U.S. Appl. No. 15/709,343, dated Nov. 19, 2018, 10 pages. |
Notice of Allowance from U.S. Appl. No. 15/885,712, dated Mar. 18. 2019, 9 pages. |
Notice of Allowance, U.S. Appl. No. 16/134,778, dated Dec. 24, 2021, 8 pages. |
Notice of Allowance, U.S. Appl. No. 16/436,818, dated Nov. 17, 2021, 10 pages. |
Notice of Allowance, U.S. Appl. No. 16/573,937, dated Sep. 28, 2021, 18 pages. |
Notice of Allowance, U.S. Appl. No. 16/670,816, dated Jun. 10, 2022, 19 pages. |
Notice of Allowance, U.S. Appl. No. 16/908,564, dated Dec. 1, 2021, 8 pages. |
Ulf L., et al., “Wires hark User's Guide for Wires hark 1.9,” 2004-2012, Retrieved from http://wayback.archive.org/web/20121018193345/http://www.wireshark.org/download/docs/user-guide-us.pdf on Oct. 18, 2012, 256 pages. |
Non-Final Office Action, U.S. Appl. No. 17/875,170, dated Feb. 24, 2023, 24 pages. |
Notice of Allowance, U.S. Appl. No. 17/578,264, dated Mar. 8, 2023, 8 pages. |
Non-Final Office Action, U.S. Appl. No. 17/702,500, dated Jul. 7, 2023, 17 pages. |
Notice of Allowance, U.S. App. No. 17/875,170, dated Jul. 19, 2023, 9 pages. |
Number | Date | Country | |
---|---|---|---|
Parent | 16417315 | May 2019 | US |
Child | 17578206 | US | |
Parent | 15582309 | Apr 2017 | US |
Child | 16417315 | US | |
Parent | 14253753 | Apr 2014 | US |
Child | 15582309 | US |