Patent Application
20070150585
Many business enterprises use computer systems to monitor and process business activities and transactions. Business entities that handle complex transactions and activities, in particular, often employ distributed computer systems. As such, current networks, systems, applications, and businesses are inherently distributed and event-driven.
For example, an online retailer may use a business application to receive online purchase orders, an inventory application to manage the store's inventory and to communicate with its suppliers, and other applications or services to create online interfaces and to manage shipping. In another example, a web server often faces heavy client loads and serves many scripts registered on a number of different uniform resource locators (URLs). Because each client request can cause multiple monitoring events, and the requests are handled asynchronously and independently of each other, the server generates a continuous stream of monitoring events. In this example, a network administrator may be very interested in analyzing the network's performance based on these monitoring events.
Events of interest happen in various places throughout an enterprise. Unfortunately, the users of such event-driven systems are frequently unable to easily extract information from the event streams because there is no central place to easily evaluate the information contained in the events or to examine holistic patterns of interest. This results in blindness to valuable information in an event-driven enterprise, which can seriously impair a user's ability to identify and react to changing and developing situations.
Multiple technologies currently exist for monitoring and centralizing remote events. For example, operations management tools provide monitoring and alerting as well as reporting and trend analysis for managing server events. And audit collection services manage security events. In the retail world, the conventional radio frequency identification (RFID) framework has become very popular for tracking inventory and the like. But users are still unable to quickly, easily, and intuitively define reports for aggregating event information.
For example, current business activity monitoring (BAM) user experience emphasizes the business process and separates the roles of the business analyst and developer. In the canonical BAM solution, first a business analyst defines an observation model (i.e., desired data views) and then a developer maps this model to the available events in the implementation. Even though this top-down approach works well for BAM, it does not provide an intuitive solution when the system is configured by a single user who understands the available events and wants to go essentially from the bottom up, that is, from events to reports.
Embodiments of the invention overcome one or more deficiencies in known reporting systems by providing improved event reporting in which a user can directly define reports based on metadata about what events are available. As such, aspects of the invention allow users to think how they want to “shape up” event streams into data and multi-dimensional aggregations, without any knowledge of SQL and Data Warehousing. By centralizing events of interest, users can easily generate data views of event streams and use correlation processors such as those available in BAM tools. In one aspect, the invention captures user input specifying events that are of interest, a desired correlation pattern, and a desired dimensional structure and then maps between data items in the events and the dimensional structure. Advantageously, aspects of the invention operate in conjunction with current BAM runtime to manipulate virtually any kind of event stream into aggregations.
Computer-readable media having computer-executable instructions for generating reports from event streams and defining an intuitive user experience embody further aspects of the invention. Alternatively, embodiments of the invention may comprise various other methods and apparatuses.
Other features will be in part apparent and in part pointed out hereinafter.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Corresponding reference characters indicate corresponding parts throughout the drawings.
Referring now to the drawings,
To illustrate aspects of the invention,
In one embodiment, four diagnostic events A, B, C, and D are available for monitoring web server 32. At A, an event HTTPRequest_Begin contains data such as the URL and the size of the incoming request in bytes; at B, an event ScriptExecution_Begin occurs when server 32 spawns the script process (e.g. Peri interpreter); at C, an event ScriptExecution_End indicates when the executed script 34 is completed (or a resultant error code); and at D, an event HTTPRequest_End occurs when the request is completed (including any error code). In this example, the list of events that can possibly happen and the shape of the data they will contain (i.e., their schema) is known ahead of time. According to aspects of the invention, the aggregation definition tool 28 utilizes event metadata for processing event stream 24. The event metadata for the example of
Referring further to
It is not unlikely that at least some of the scripts 34 contain errors and will fail. When such errors occur, web server 32 returns an error 500 (Internal Server Error) to the client but may not propagate the error code for security reasons. The administrator of server 32 is likely interested to see which scripts 34 are failing, how often, and with what error codes.
In the web server example, the URL is in one event, the error code from the script 34 is in another event, and the HTTP Result Code is in yet another event. To obtain the exemplary report shown in
Another report of interest to the administrator of web server 32 may be about the performance of the server (e.g., how long does it take to execute the request for each URL, and what percentage of this time is spent waiting for script 34 to complete).
As with the earlier example, the data of interest is contained in multiple events. For example, the URL is in HTTPRequest_Begin; the average duration of the request is calculated by averaging the time between HTTPRequest_Begin and HTTPRequest_End for each request; and the script duration is calculated by averaging the time between ScriptExecution_Begin and ScriptExecution_End. The administrator of web server 32 again knows about the events based on their metadata. In this instance, the administrator may already know what reports are desired and have at least a high-level idea about how the data should be processed. Unfortunately, existing technologies require a developer to take this information as requirements and then build a data warehouse to generate the reports of interest. Embodiments of the present invention advantageously allow the administrator to capture the requirements in such a structured way that they are directly executable.
Referring now to
The user interface of
As result of these operations, the view in the left pane of
More events may belong to the same Activity that are neither Begin nor End, and there may be multiple Begin/End events as long as only one of them happens in any specific instance of the Activity. Also, in the example of
Specifying the Correlation Key and Begin-End informs the stream processing system how to deem some event instances as belonging together, when to initiate a new instance, and when to get rid of the data. Alternatively, such Activity semantics may already exist in the form of annotations in the event metadata, as shown in the example below:
In this instance, because the metadata specified the Activity semantics, the administrator can skip the previous manual step and only select the events of interest, again obtaining the result as shown in
Once the administrator in this example has specified the events of interest and the Activity semantics, the administrator can define how the activities are aggregated. To do so in this example, the administrator drags items from the event schema on the left, into the right pane of the UI of
Further to the web server example, the administrator may notice that the desired report, such as the one shown in
The counts on
To obtain the report of
If now the administrator clicks on any of the items in the right pane of the user interface tool (e.g., ReturnCode), the corresponding item in the event metadata gets highlighted, so it is clear where this comes from. With this, the tool now contains sufficient information how to produce the reports of, for example,
It should be appreciated that the various aspects of the invention are not limited to the specific look of the UI and the specific gestures. Rather, the user interface provides a tool that allows the user to capture several pieces of information, such as which events are of interest, activity (correlation) semantics, desired dimensional structure, including durations, and mapping between the events and the dimensional structure. Moreover, the web server 34 and administrator use case described above is merely exemplary. Those skilled in the art will readily understand that a business user, for example, could define reports of interest with the same ease from schematized event sources, such as RFID. In general, aspects of the invention are applicable to any user and any event stream with known metadata.
At runtime, an infrastructure or collection mechanism 48, such as the as MOM (operation monitoring events), Auditing Collection Service for Windows (security audit events) or RFID (business events), collects the events. A relatively small pluggable component (e.g., interceptor 50) filters and transforms the events from their original schema to Activity Change events, similar to the signature of a BAM API. Another component (or the same) takes the Activity Change events and calls the BAM API.
The exemplary operating environment illustrated in
Communication media typically embody computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism and include any information delivery media. Those skilled in the art are familiar with the modulated data signal, which has one or more of its characteristics set or changed in such a manner as to encode information in the signal. Wired media, such as a wired network or direct-wired connection, and wireless media, such as acoustic, RF, infrared, and other wireless media, are examples of communication media. Combinations of any of the above are also included within the scope of computer readable media. The computing device includes or has access to computer storage media in the form of removable and/or non-removable, volatile and/or nonvolatile memory. A user may enter commands and information into the computing device through input devices or user interface selection devices such as a keyboard and a pointing device (e.g., a mouse, trackball, pen, or touch pad). Other input devices (not shown) may be connected to the computing device. A monitor or other type of display device (not shown) is also connected to the computing device. In addition to the monitor, computers often include other peripheral output devices (not shown) such as a printer and speakers, which may be connected through an output peripheral interface (not shown).
The computer 22 may operate in a networked environment using logical connections to one or more remote computers. The remote computer may be a personal computer, a server (e.g., servers 32), a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to computer 22. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and global computer networks (e.g., the Internet).
Although described in connection with an exemplary computing system environment, aspects of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations. The computing system environment is not intended to suggest any limitation as to the scope of use or functionality of aspects of the invention. Moreover, the computing system environment should not be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment. Examples of well known computing systems, environments, and/or configurations that may be suitable for use in embodiments of the invention include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, mobile telephones, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
Embodiments of the invention may be described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices. Generally, program modules include, but are not limited to, routines, programs, objects, components, and data structures that perform particular tasks or implement particular abstract data types. Aspects of the invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The order of execution or performance of the methods illustrated and described herein is not essential, unless otherwise specified. That is, it is contemplated by the inventors that elements of the methods may be performed in any order, unless otherwise specified, and that the methods may include more or less elements than those disclosed herein. For example, it is contemplated that executing or performing a particular element before, contemporaneously with, or after another element is within the scope of the invention.
Embodiments of the invention may be implemented with computer-executable instructions. The computer-executable instructions may be organized into one or more computer-executable components or modules. Aspects of the invention may be implemented with any number and organization of such components or modules. For example, aspects of the invention are not limited to the specific computer-executable instructions or the specific components or modules illustrated in the figures and described herein. Other embodiments of the invention may include different computer-executable instructions or components having more or less functionality than illustrated and described herein.
When introducing elements of the present invention or the embodiments thereof, the articles “a,” “an,” “the,” and “said” are intended to mean that there are one or more of the elements. The terms “comprising,” “including,” and “having” are intended to be inclusive and mean that there may be additional elements other than the listed elements.
In view of the above, it will be seen that the several objects of the invention are achieved and other advantageous results attained.
As various changes could be made in the above constructions and methods without departing from the scope of embodiments of the invention, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense.
