Splunk Inc.
System and method for centralized analytics for edge devices with enrichment pushdown

Abstract:

The computerized method is shown and includes obtaining input from a data stream at an electronic device, wherein the input includes machine data, wherein the electronic device has stored thereon a first query, evaluating the query by processing the input according to the first query, responsive to detecting a failure during evaluation of the query resulting from a lack of enrichment data stored on the electronic device, recording a first identifier corresponding to the enrichment data, transmitting the first identifier to a remote server computer system, receiving a communication from the remote server computer system, wherein the communication includes the enrichment data, and evaluating the query by processing second input from the data stream according to the first query and the enrichment data. In some instances the enrichment data includes contextual information for parsing the data stream and converting extracted data into an alternative format.