High Performance Log Analytics: Database Considerations



Similar documents
Analytic Applications With PHP and a Columnar Database

Microsoft SQL Server to Infobright Database Migration Guide

Fact Sheet In-Memory Analysis

Innovative technology for big data analytics

Netezza and Business Analytics Synergy

White paper FUJITSU Software Enterprise Postgres

Server Consolidation with SQL Server 2008

SAP HANA SAP s In-Memory Database. Dr. Martin Kittel, SAP HANA Development January 16, 2013

Oracle BI EE Implementation on Netezza. Prepared by SureShot Strategies, Inc.

Cost-Effective Business Intelligence with Red Hat and Open Source

Using MySQL for Big Data Advantage Integrate for Insight Sastry Vedantam

Managing Big Data with Hadoop & Vertica. A look at integration between the Cloudera distribution for Hadoop and the Vertica Analytic Database

Sawmill Log Analyzer Best Practices!! Page 1 of 6. Sawmill Log Analyzer Best Practices

Emerging Technologies Shaping the Future of Data Warehouses & Business Intelligence

An Oracle White Paper June High Performance Connectors for Load and Access of Data from Hadoop to Oracle Database

Preview of Oracle Database 12c In-Memory Option. Copyright 2013, Oracle and/or its affiliates. All rights reserved.

SOLUTION BRIEF. Advanced ODBC and JDBC Access to Salesforce Data.

Dell and JBoss just work Inventory Management Clustering System on JBoss Enterprise Middleware

Red Hat Network Satellite Management and automation of your Red Hat Enterprise Linux environment

Red Hat Satellite Management and automation of your Red Hat Enterprise Linux environment

XpoLog Center Suite Data Sheet

How To Use Hp Vertica Ondemand

Oracle Database In-Memory The Next Big Thing

IBM Netezza High-performance business intelligence and advanced analytics for the enterprise. The analytics conundrum

Performance and Scalability Overview

ORACLE OPS CENTER: PROVISIONING AND PATCH AUTOMATION PACK

SQL Server Business Intelligence on HP ProLiant DL785 Server

Scaling Objectivity Database Performance with Panasas Scale-Out NAS Storage

Understanding the Benefits of IBM SPSS Statistics Server

Microsoft SQL Server versus IBM DB2 Comparison Document (ver 1) A detailed Technical Comparison between Microsoft SQL Server and IBM DB2

SAP HANA PLATFORM Top Ten Questions for Choosing In-Memory Databases. Start Here

In-memory databases and innovations in Business Intelligence

Maximum performance, minimal risk for data warehousing

Unprecedented Performance and Scalability Demonstrated For Meter Data Management:

IBM Cognos 8 Business Intelligence Analysis Discover the factors driving business performance

System Requirements Table of contents

SQL Server 2012 Performance White Paper

Advanced In-Database Analytics

Performance and Scalability Overview

Upgrading to Microsoft SQL Server 2008 R2 from Microsoft SQL Server 2008, SQL Server 2005, and SQL Server 2000

Oracle Architecture, Concepts & Facilities

ORACLE BUSINESS INTELLIGENCE, ORACLE DATABASE, AND EXADATA INTEGRATION

QLIKVIEW INTEGRATION TION WITH AMAZON REDSHIFT John Park Partner Engineering

Information management software solutions White paper. Powerful data warehousing performance with IBM Red Brick Warehouse

Accelerating Enterprise Applications and Reducing TCO with SanDisk ZetaScale Software

Manage your IT Resources with IBM Capacity Management Analytics (CMA)

ICONICS Choosing the Correct Edition of MS SQL Server

EMC Unified Storage for Microsoft SQL Server 2008

Microsoft SQL Server 2008 R2 Enterprise Edition and Microsoft SharePoint Server 2010

Real Life Performance of In-Memory Database Systems for BI

Supported Platforms HPE Vertica Analytic Database. Software Version: 7.2.x

IBM Netezza High Capacity Appliance

Why Big Data in the Cloud?

2009 Oracle Corporation 1

Microsoft Analytics Platform System. Solution Brief

An Oracle White Paper July Oracle Primavera Contract Management, Business Intelligence Publisher Edition-Sizing Guide

Online Transaction Processing in SQL Server 2008

Pervasive vs. Regular Database Solutions

Trafodion Operational SQL-on-Hadoop

Virtualization s Evolution

Exadata Database Machine

High performance ETL Benchmark

I N T E R S Y S T E M S W H I T E P A P E R INTERSYSTEMS CACHÉ AS AN ALTERNATIVE TO IN-MEMORY DATABASES. David Kaaret InterSystems Corporation

Cray: Enabling Real-Time Discovery in Big Data

alcatel-lucent vitalqip Appliance manager End-to-end, feature-rich, appliance-based DNS/DHCP and IP address management

SQL Server 2012 Gives You More Advanced Features (Out-Of-The-Box)

Centralized Orchestration and Performance Monitoring

Affordable, Scalable, Reliable OLTP in a Cloud and Big Data World: IBM DB2 purescale

ORACLE DATABASE 10G ENTERPRISE EDITION

Next Generation Business Performance Management Solution

Bringing Big Data into the Enterprise

SAN Conceptual and Design Basics

The IBM Cognos Platform for Enterprise Business Intelligence

Cloud Server. Parallels. An Introduction to Operating System Virtualization and Parallels Cloud Server. White Paper.

Sisense. Product Highlights.

Enterprise Performance Tuning: Best Practices with SQL Server 2008 Analysis Services. By Ajay Goyal Consultant Scalability Experts, Inc.

Server & Application Monitor

How To Make Data Streaming A Real Time Intelligence

<Insert Picture Here> Oracle Database Directions Fred Louis Principal Sales Consultant Ohio Valley Region

SQL Server 2008 Performance and Scale

CitusDB Architecture for Real-Time Big Data

Big Data at Cloud Scale

Product Guide. Sawmill Analytics, Swindon SN4 9LZ UK tel:

Data Warehouse: Introduction

Implementation & Capacity Planning Specification

SAP Customer Success Story High Tech SunGard. SunGard: SAP Sybase IQ Supports Big Data and Future Growth

Cognos Performance Troubleshooting

SOLUTION BRIEF. JUST THE FAQs: Moving Big Data with Bulk Load.

Optimize Oracle Business Intelligence Analytics with Oracle 12c In-Memory Database Option

How Customers Are Cutting Costs and Building Value with Microsoft Virtualization

Actian Vector in Hadoop

Transcription:

High Performance Log Analytics: Database Considerations

"Once companies start down the path of log collection and management, organizations often discover there are things going on in their networks that they weren t aware of." Source: SANS Annual 2009 Log Management Survey Log Management Examples Telecommunications Service Provider Captures CDR (Call Detail Records) for each of their 2 million customers. Infobright solution provided: Analytical database now capable of storing over 4.2 billion rows representing 2-3 years of rolling CDR data Data compression of 15:1 Fast queries on more historical data with reduced administrative effort and cost "Infobright enables us to put more data online and make it accessible without requiring the attention other databases do. Infobright's performance, lower hardware costs and ease of maintenance are of great benefit to us." Manager, Business Intelligence and Data Management Canadian Space Agency, Government, Log Analytics Space and science research - analysis of performance and space-worthiness of orbiting satellites Infobright solution provided Capture and load of 200,000 records/s Ability to query in between loads Ability to query on large amounts of historical data, allowing for identification of event anomalies "This [Infobright] solution permits real time compression, compact storage and quick retrieval of relevant data segments. What is especially significant is there was also an event where two distinct spikes were detected within the same interval; something that could not have been detected using the previous technology." from the paper 'A DATA ACQUISITION SYSTEM FOR MONTIORING OF PIM AND MULTIPACTION EVENTS' authored by Louis-Philippe Girouard, Pierre Charron and Shantnu Mishra of the David Florida Laboratory, Canadian Space Agency Log Management consists of the collection, analysis and reporting of log data extracted from a wide variety of systems including transaction environments, web server applications and SEIM (Security Information and Event Management) environments. Log Management is used for a variety of purposes across all industries including regulatory compliance, fraud detection, end-user statistics analysis, security threat analysis and network resource usage and load management. Most log-related applications are characterized by large and growing data volumes, and some logs must be accessible for years in order to meet legal requirements. How to cost-effectively store this data, while ensuring high performance for reports, queries and dashboards against these large data volumes, is therefore a significant challenge. Important components of Log Management are: The ability to consolidate data input from a variety of sources Cost-effective storage of large amounts of historical data with low administrative overhead Fast and efficient load speeds for large amounts of data on a growing database The ability to analyze and report on growing volumes of data quickly and easily, which includes both pre-defined reports as well as ad hoc analytics with seamless integration with third party reporting tools Who needs log management? While there are many examples of log-related applications, some of the most common are: SIEM (Security Information and Event Management) Security logs enable companies to provide activity monitoring, resource allocation and exception detection and analysis. Application transaction logs Telecommunication companies analyze log data to gain insight about customer usage patterns, allowing for improved customer service, identification of potential new services and reduction of churn. Financial Transaction data, such as stock trade logs, are monitored for regulatory compliance, adverse event alerts and resource allocation. Web server log analysis The performance of websites within a commercial context can be determined by traffic volumes and patterns, providing insight that can help optimize web site content and layouts. Systems, network, and applications To protect and maximize the efficiency of computer and telecommunications networks, companies must collect and analyze high volumes of log and event data. Other uses include the need to secure customer information, identify security threats and identify fraud.

Database considerations Benefits of Infobright Easily Deployed Easy to Manage Easy to Use Excellent Performance and Scalability Small download under 15MB in size Zero-configuration simple install and setup Simple, easy to use open API Based on open source Self-contained no external dependencies, not reliant on any third party add-ons or products Complete the entire database is stored in a limited number of crossplatform files No: indexes, data partitioning, data duplication, or database tuning needed No: aggregate tables prepared in advance Any schema accepted Very small hardware footprint - can support up to 50TB of data on a single, industry standard server with far less storage than alternatives MySQL interface Infobright Loader option up to about 250 GB/hr for binary and 175GB/hr for CSV files MySQL Loader option expanded flexibility and features for varying file types Fast load speed remains constant as the size of the database grows Fast query speed on large volumes of data Very high data compression (from 10:1 to over 40:1), which drastically reduces I/O and storage requirements Fast ETL load times with parallel load Broad SQL and feature set support ACID compliance transactions are atomic, consistent, isolated, and durable (ACID) in the event of system crashes and power failures When selecting the database component of your Log Management solution, consider the following: Multiple sources need to be combined into one consolidated resource to provide a correlated view of log data. Ease of use with common ETL tools is necessary. Data stored will be both short and long-term with a large potential for growth. The database must be able to handle growing data volumes without impacting performance. Look for a database with the capability to massively compress the data, in order to minimize storage costs and simplify backup and recovery. Given the volume of data that must be loaded each day, both load speed and ease of loading data into the database are very important. Simple load procedures and a compliance with a variety of database schemas is necessary. The database must be easy to use with little or no configuration. Ongoing maintenance requirements must be negligible or non-existent as data volumes grow. Extracting reports and running queries must be easy and fast, with the ability to provide diverse users with a wide variety of both predetermined reports and ad-hoc analytics. Support for a variety of 3rd party tools is necessary. These considerations point out the need for a database designed for analytics, rather than for transaction processing. Infobright Analytic Database: Massive Compression, Faster Performance, Less Work, Lower Cost As the first commercial open source analytic database, Infobright is ideal for use as the underlying analytic database for an end-to-end Log Management solution. Highly Available Highly Flexible Low Cost Support for a dual peer-to-peer server deployment with no single point of failure, providing highavailability with automatic failover Cross-platform popular Linux distributions, Solaris, and Windows (Win32 and Win64) are supported out of the box Works with major commercial and open source Business Intelligence and ETL tools from vendors such as Actuate/BIRT, Jaspersoft, Pentaho, Talend, MicroStrategy, Cognos, Informatica, Business Objects, and others Supports many languages including Java, C/C++, Ruby, Perl, 4th GL s, ODBC and JDBC compliant solutions, etc 90% less work 50% or less the cost than alternatives Requires significantly less hardware than other products Runs on industry standard servers The combination of its column orientation and the unique Knowledge Grid architecture provides: Massive data compression High performance Minimal administration Support for up to 50TB of data using a single server Very small hardware footprint Low cost In addition, Infobright s support for a broad range of BI tools, data integration tools and open and standard application interfaces enables easy application integration and delivery of flexible reporting, dashboards and query capability.

Infobright architecture Column vs. Row A row-oriented design used for analytics has the disadvantages of: Forcing the database to retrieve all column data for each row regardless of whether or not is it required to resolve the query. Requiring indexes in order to improve efficiency. These must be planned ahead of time and customized for pre-determined reporting. The use of indexes is unsuitable for analytical queries, which require flexibility in data retrieval patterns. Degradation in load speeds for growing amounts of data. As new data is added to existing tables, indexes must be recreated each time resulting in very large sort operations. This problem only gets worse as the database grows. Degradation in query performance for growing amounts of data and/or an increasing number of concurrent queries and users. Even when reporting on indexed columns, there is an increasingly large amount of data retrieval required as all columns are returned for each data set, regardless of relevance. The advantages to Infobright's columnorientation include: Faster query response times. Most analytic queries only involve a subset of the columns of the tables, and a columnoriented database focuses on retrieving only the data that is required. Intelligent design. Infobright has further improved query response times by organizing information about the data in the Knowledge Grid ahead of time. Faster load times. As new data is added there is no degradation in load speed since no indexes need to be recreated. The load times are simply proportional to the load size, not the size of the existing tables. Industry-leading data compression. Each column stores a single data type, as opposed to rows that typically contain multiple data types. This allows compression to be optimized for each particular data type, to which we apply our patent-pending compression algorithms. On average, Infobright users experience 10:1 compression (raw data versus size on disk) while some report compression as high as 40:1. Infobright s architecture combines a columnar database and a unique Knowledge Grid architecture optimized for analytics. The following is an overview of the architecture and a description of the data loading and compression technology. Infobright at its core is a highly compressed column-oriented database, which means that instead of the data being stored row-by-row, it is stored column-by-column. Traditional row-based database systems have typically been used to store application data, but they were designed for transaction-oriented applications, not for analytics. A column-based database is a much better fit for analytics because it retrieves only the data relevant to the query, rather than the entire row. In addition to leveraging the column-oriented approach, Infobright employs a unique method of compressing, storing and retrieving data using our Knowledge Grid that provides a scalable, flexible analytical environment without the need for any indexes. Data organization and the Knowledge Grid (KG) The Infobright database resolves complex analytic queries without the need for traditional indexes, data partitioning, manual tuning or specific schemas. Instead, the Knowledge Grid architecture automatically creates and stores the information needed to quickly resolve these queries. Infobright organizes the data into 2 layers: the compressed data itself that is stored in segments called Data Packs, and information about the data which comprises the components of the Knowledge Grid. For each query, the Infobright Optimizer uses the information in the Knowledge Grid to determine which Data Packs are relevant to the query before decompressing any data. The following is a description of the data layer components: Data Packs The data within each column is stored in 65,536 item groupings called Data Packs. The use of Data Packs improves data compression, since there may be less variability within a subset of data in a column. Data Pack Nodes (DPNs) Data Pack Nodes contain a set of statistics and aggregate values of the data from each Data Pack: MIN, MAX, COUNT (No. of rows, No. of NULLs) and SUM. There is a 1:1 relationship between Data Packs and the DPNs that are created automatically during load. The Optimizer then has permanent summary information available about all of the data in the database that will later be used to flag relevant Data Packs when resolving queries. In the case of traditional databases, query resolution is aided by indexes that are created for a subset of columns only.

Knowledge Nodes (KNs) Data Packs, DPNs and KNs Data Packs Columns are divided into Data Packs of 64k elements. The last Data Pack remains unfilled until the next load. Each Data Pack is compressed individually using an iterative approach. Infobright uses patentpending compression algorithms that are applied dynamically to each Data Pack finding the best fit. Compression ratios will vary according to data type and the repetitiveness of the data within a Data Pack, resulting in very effective overall compression. This is a further set of metadata that is more introspective of the data within the Data Packs, describing ranges of numeric value occurrences and character positions, as well as column relationships between Data Packs. The introspective KNs are created at load time, and the KNs relating the columns to each other are created in response to queries involving JOINs in order to optimize performance. The DPNs and KNs together form the Knowledge Grid. Unlike the indexes required for traditional databases, DPNs and KNs are not manually created, and require no ongoing care and maintenance. Instead, they are created and managed automatically by the system. In essence, the Knowledge Grid provides a high level view of the entire content of the database with a minimal overhead of approximately 1% of the original data. By contrast, classic indexes may represent as much as 20% to 100% of the size of the original data. Figure 1 Architecture Layers Data Pack Nodes (DPNs) Each DPN contains aggregate information about the data within that Data Pack: MIN, MAX, COUNT (No. of rows, No. NULL's) and SUM Knowledge Nodes (KNs) a) Histogram For numerical Data Packs the MIN-MAX interval is divided into 1024 intervals. This is a binary representation of whether a value exists within each of these intervals. b) Character Map For text Data Packs, this is a binary representation of the occurrence of ASCII characters within the first 64 row positions. c) Pack-to-Pack Node This describes the relationships between packs from different tables as discovered on using a join query. The Infobright optimizer The Infobright Optimizer is the highest level of intelligence in the architecture. It uses the Knowledge Grid to determine the minimum set of Data Packs needed to be decompressed in order to satisfy a given query in the fastest possible time by identifying the relevant Data Packs. In some cases the summary information already contained in the Knowledge Grid is sufficient to resolve the query, and nothing is decompressed. How do Data Packs, DPNs and KNs work together to achieve fast query performance? For each query, the Optimizer uses the summary information in the DPNs and KNs to group the Data Packs into one of the three following

categories: Sample Query Here is the sample query: Example of query resolution: Relevant Packs where each element (the record s value for the given column) is identified, based on DPNs and KNs, as applicable to the given query, Irrelevant Packs where the Data Pack elements hold no relevant values based on the DPN and KN statistics, or Suspect Packs where some relevant elements exist within a certain range, but the Data Pack needs to be decompressed in order to determine the detailed values specific to the query. The Relevant and Suspect packs are then used to resolve the query. In some cases, for example if we re asking for aggregates, only the Suspect packs need to be decompressed because the Relevant packs will have the aggregate value(s) pre-determined. However, if the query is asking for record details, then all Suspect and all Relevant packs will need to be decompressed. An example of query resolution using the KG Lets look at a sample CDR (call data record) table with the following 4 columns: call_duration, protocol, start_time and cdr_type. Now lets apply a query that asks for a count of the number of calls fitting a particular description. In this case we want to know the number of calls lasting less than 10 minutes, using SIP (session initiation protocol), that were made after Nov 1 st 2009 and have a specific 'call ending' record type. The Optimizer uses the specific constraints of the query to identify the Relevant, Suspect, and Irrelevant Data Packs. In our sample table, the first constraint of call duration < 10 minutes eliminates 3 of the 4 Data Packs in this column by using the MIN and MAX information stored in the Data Pack Nodes to tell us that all values in these Data Packs are greater than or equal to 10 minutes (or 600 seconds), making them Irrelevant. Using similar logic for the column protocol, we can determine that 2 Data Packs contain only calls using 'SIP', making them Relevant, and 2 Data Packs contain some calls using 'SIP' making them Suspect since we need more details about the date to determine how many. We continue this logic to the start time and cdr_type columns, but since we've already identified Irrelevant Data Packs in the first column based on duration, only the 3 rd row of Data Packs for the entire table needs to be examined. We essentially use the Knowledge Grid to eliminate all Data Pack rows that have any columns flagged as Irrelevant. In this example we found that only the Data Pack of the column cdr_type actually needs to be decompressed since the other 3 were found to be Relevant, so of the entire table we now only have 1 Data Pack to decompress. This is the key to the fast query response Infobright delivers eliminating the need to decompress and read extraneous data in order to resolve a query.

Compression Compression Algorithms During load, 65,536 values of a given column are treated as a sequence with zero or more null values occurring anywhere in the sequence. Information about the null positions is stored separately within a NULL mask. Then the remaining stream of the non-null values is compressed, taking full advantage of regularities inside the data, and allowing compression algorithms to be finely tuned to the column data type. This set of patentpending compression algorithms are optimized by automatically self-adjusting various parameters of the algorithm for each data pack. An average compression ratio of 10:1 is achieved after loading data into Infobright. For example 10TB of raw data can be stored in about 1TB of space, including the 1% overhead associated with creating the Data Pack Nodes and the Knowledge Grid. The compression algorithms for each column are selected based on the data type, and are applied iteratively to each Data Pack until maximum compression for that Data Pack has been achieved. Within a column the compression ratio may differ between Data Packs depending on how repetitive the data is. Some customers have reported an overall compression ratio as high as 40:1. Data loading Infobright Connector Core Library Connectors to popular ETL tools such as JasperETL, Talend Open Studio and Pentaho Data Integration are available as free downloads from the Infobright connector core Java library (API) at: http://www.infobright.org/downloads/con tributed-software/ Hardware Considerations Infobright s industry-leading compression ratios mean an extremely low hardware footprint, and TCO. The database can support large volumes of data on a single server, with the following requirements and considerations: Infobright includes multiple options for loading data into the database: The Infobright high-speed Loader The MySQL Loader Loading data using third party ETL tools The Infobright Loader and MySQL Loader are delivered as part of Infobright Enterprise Edition. Since it was designed for fast data loading, the Infobright Loader has stricter requirements in terms of data formatting and less error checking than the MySQL Loader, as it assumes that the incoming data is aligned with the target database table and suitably formatted. The high speed Infobright Loader can be used for both text and binary files, achieving up to approximately 250GB/hour on a single server with parallel loads. The MySQL Loader supports text-based loads and has additional features such as the ability to use variably formatted files and more extensive error handling. Its load speed however, is significantly slower than the Infobright Loader due to these features which add processing time during the load. Processor Architecture CPU Speed Memory Operating System Support Intel 64 bit or 32 bit AMD 64 bit or 32 bit 2.0 GHz minimum Dual or Quad-core recommended 4GB minimum 8GB or more recommended Windows Server 2003/2008 (64- bit, 32-bit) Solaris 10 x86 (64-bit) Red Hat Enterprise Linux 5 (64- bit) Red Hat Enterprise Linux 5 Advanced Server (64-bit) Novell SUSE Linux Enterprise 10 (64-bit) Debian Lenny (64-bit) CentOS 5.2 (64-bit) Leveraging MySQL Infobright is built within the MySQL architecture and leverages the connectors and interoperability of MySQL standards. This integration with MySQL allows Infobright to tie in seamlessly with any ETL and BI tool that is compatible with MySQL and to leverage the extensive driver connectivity provided by MySQL connectors (including ODBC, JDBC, C/C++,.NET, Perl, Python, PHP, Ruby, Tcl and others). The Infobright technology has its own advanced Optimizer that uses the column orientation and the Knowledge Grid to resolve queries. This integration provides a simple path to a high performance analytic database for MySQL users with no new interface to learn.

Using ETL and BI tools Contact Us for More Information at one of our offices below Download Infobright Community Edition at www.infobright.org Infobright has partnered with many of the leading open source and commercial ISVs in the data integration and business intelligence market. Examples include but are not limited to Talend, Jaspersoft, Pentaho, Actuate and MicroStrategy. In order to ensure these solutions interface and interoperate well with our database solution, we have joined forces to certify and test our joint solutions. Furthermore, Infobright has adopted open and standard interfaces with popular solutions including ODBC and JDBC API s to ensure a rich set of interoperability between our data integration and business intelligence partners that support these standards. Try our free trial of Infobright Enterprise Edition at www.infobright.com Summary Infobright is the ideal underlying analytic database for Log Management applications. It provides the high performance across large data volumes these applications require, at the lowest cost and with the smallest hardware footprint in the market. Contact us For more information please call one of our offices below or contact us via email at info@infobright.com. Learn more at www.infobright.com. We also invite you to download our free open source edition from our Community site at www.infobright.org or a free trial of our Enterprise Edition at www.infobright.com. HEAD OFFICE: 47 Colborne Street, Suite 403 Toronto, ON, Canada M5E 1P8 Toll Free. 1 877 596 2483 Tel. 416 596 2483 Fax. 416 352 5674 US OFFICE: 5157 Main Street, Suite 202 Downers Grove, IL 60515 Tel. 630 297 4081 EUROPEAN OFFICE: ul.krzywickiego 34 pok.219 02-078 Warszawa, Polska Tel. 48 22 626 9409 Copyright 2009 Infobright Inc. All Rights Reserved. All names referred to are trademarks or registered trademarks of their respective owners. WWW.INFOBRIGHT.COM

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information