公开(公告)号：WO2007118096A3

公开(公告)日：2008-09-25

申请号：PCT/US2007065886

申请日：2007-04-03

Applicant: ARCSIGHT INC ,  AGUILAR-MACIAS HECTOR ,  MANTRY GIRISH

Inventor： AGUILAR-MACIAS HECTOR ,  MANTRY GIRISH

IPC: G06F13/00 ,  G06F15/00 ,  G06F17/30 ,  H04N7/18

CPC classification number: G06F11/3476 ,  G06F11/3495 ,  H04L67/22 ,  Y10S707/99936 ,  Y10S707/99937

Abstract: A system and method for building merged events from log entries received from multiple devices. Multiple log events generally contribute to a single merged event. In the described embodiment, the mapping module (120) receives log entries associated with specific merged events and maps them to fields in the merged event data structure in accordance with mapping properties (122). The described embodiments of the invention use regular expressions in the merge properties (112) to describe values that are searched for in the received log entries. A described embodiment of the present invention gives the mapping module access to the event under construction. A new conditional operator, oneOf, i introduced that selects the first token that is bound to a value out of a list of tokens.

Abstract translation: 从从多个设备接收的日志条目构建合并事件的系统和方法。 多个日志事件通常有助于单个合并的事件。 在所描述的实施例中，映射模块（120）接收与特定合并事件相关联的日志条目，并根据映射属性将它们映射到合并事件数据结构中的字段（122）。 所描述的本发明的实施例使用合并属性（112）中的正则表达式来描述在接收的日志条目中搜索的值。 本发明的一个描述的实施例给出了映射模块访问正在建造的事件。 一个新的条件运算符，oneOf，我介绍了从令牌列表中选择绑定到一个值的第一个标记。