TIBCO LogLogic® Glossary

An optimized GROUP BY query that precomputes aggretaion functions such as sum() and avg() for all possible GROUP BY combinations in the query. Aggregation sets are precomputed as logs arrive in the TIBCO LogLogic® Log Management Intelligence (LMI) appliance.

A GROUP BY query with aggregation functions. When run in Advanced Search, if an aggregation query matches an existing aggregation rule, the precomputed data is returned quickly as compared to computing at runtime. If there is no matching rule, the computation takes a very long time.

A query whose results are stored in the cache within the query database, thereby allowing sub-select queries to be performed efficiently. The results are stored in the cache until the search query tab on the Advanced Search page is closed, the query is deleted from the Search Queries page, or the deleteQuery() function is called using the REST API.

In event data that is forwarded by TIBCO LogLogic® Universal Collector to TIBCO LogLogic® Log Management Intelligence (LMI), a collector domain is the keyword inserted into the event data to:

• Distinguish logs collected from hosts across multiple subnets that share the same IP range
• Provide an extra identifier for distinguishing hosts from each other

In LogLogic LMI, a collector domain can be used only when LogLogic LMI is the primary collection point.

It can also be used in:

• TIBCO LogLogic® Universal Collector or LogLogic LMI if event data is being collected from multiple hosts in the same subnet
• ULDP Lambda function for Amazon AWS
• ULDP library for creating custom event sources
• Environments where IP addresses are less relevant, for example, virtual machines, cloud environments, or containers.

A collector domain is compatible with only ULDP.

A way to find relationships between multiple event streams from different sources, based on user-defined rules to generate notifications and actions. Correlation extends what a regular search can provide. A correlation rule can be defined by using the Event Correlation Language (ECL).

A query that uses a correlation blok to search historical data and analyze patterns in the data. Results of the correlation query are stored in the cache and can be deleted by closing the search query tab on the Advanced Search page.

A query-time data normalization and taxonomy to parse log data and extract columns out of it. A data model can contain multiple parsing rules. In the LogLogic LMI GUI, data models can be added by using either the wizard-based graphical mode or JSON-based raw mode.

A dynamic mapping of log snippets to user-defined phrases. An enrichment list can be replaced during advanced query search, for example, a list of IP addresses to be replaced by the user-defined phrase Blacklisted Address.

A query used by Advanced Dashboards and internally by LogLogic LMI to query historical data. A forward-only query is not cached in the query database, but otherwise functions like a cached query.

In Advanced Search, a query used to obtain metadata about the TIBCO LogLogic® Log Management Intelligence application, such as a list of data models, configuration bloks, or log source types. Infrastructure queries do not use a time frame because the data is not time-related.

In LogLogic LMI, log messages larger than the maximum UDP syslog size of 65,535 bytes (as defined in RFC standards). Jumbo messages up to 1 MB can be collected in LogLogic LMI, but only via TCP syslog or ULDP.

In the context of Advanced Features, a level of index information stored in the BFQ directory structure alongside the hourly index information, but at the monthly level. Its purpose is to increase the performance of Advanced Search queries spanning time ranges larger than one month, particularly if the results are sparsely distributed over time. This helps quickly identify those hourly indexes that contain a match for a given term, thus allowing the search to skip all other hourly indexes.

In Advanced Search, a generic name for any cached, forward-only, or tail query, used to retrieve log source event data other than infrastructure-related data.

A query that uses the default time Blok, "Real Time". Functionally, this is equivalent to a tail query.

In Advanced Search, a cached query that is scheduled to execute with a specific frequency and whose results are sent to a predefined recipient list. Scheduled queries are listed on the Management > Advanced Features > Queries > Scheduled page.

A query that uses the EQL keyword tail to retrieve only newly collected data in near real-time. The results are cached in the query database with a default limit of 100,000 rows. After the limit is reached, the old events are removed from the cache to make room for new events.

See Universal Lossless Data Protocol

See Universal Lossless Data Protocol Secure

A library that is used to send log messages to a LogLogic LMI instance using the ULDP and wrapped with custom code. Using the ULDP library provides additional reliability and security over the usual Syslog protocol.

A protocol that adds a security layer of TLS encryption using RSA certificates to ULDP.