Storing log data efficiently while supporting querying

Assignee

• HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P. · US

Inventors

• Wei Huang · Fremont, US
• Yizheng Zhou · Cupertino, US
• Bin Yu · Cupertino, US
• Wenting Tang · Sunnyvale, US
• Christian Friedrich Beedgen · Redwood City, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2221/034
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

A logging system includes an event receiver and a storage manager. The receiver receives log data, processes it, and outputs a column-based data “chunk.” The manager receives and stores chunks. The receiver includes buffers that store events and a metadata structure that stores metadata about the contents of the buffers. Each buffer is associated with a particular event field and includes values from that field from one or more events. The metadata includes, for each “field of interest,” a minimum value and a maximum value that reflect the range of values of that field over all of the events in the buffers. A chunk is generated for each buffer and includes the metadata structure and a compressed version of the buffer contents. The metadata structure acts as a search index when querying event data. The logging system can be used in conjunction with a security information/event management (SIEM) system.