| CPC G06F 16/355 (2019.01) [G06F 16/24556 (2019.01)] | 30 Claims |
|
1. A method performed by a streaming aggregator comprising:
allocating, as a stream of log messages is being received, the log messages to a plurality of nodes of an aggregator based on different ones of the log messages sharing one or more of attributes, wherein each of the plurality of nodes of the aggregator is allocated a respective sub-stream of the log messages, wherein the log messages regard network events of a user system, wherein each of the log messages comprises unstructured data and a timestamp indicating when the respective one of the network events occurred, and wherein the attributes are based on the unstructured data;
processing, at each of the plurality of nodes of the aggregator, the log messages of the respective sub-stream as the log messages are being received by that node, wherein the processing includes:
determining, based on the timestamps of the log messages of the respective sub-stream, which time window, of a series of time windows, each of the log messages is within; and
clustering, for each active one of the series of time windows, the log messages within that time window based on the unstructured data of those log messages to form a set of clusters for that time window;
responsive to deactivating each of the series of time windows for at least one of the plurality of nodes, generating an aggregation for at least one of the set of clusters for that time window; and
streaming the aggregations to the user system responsive to the generating.
|