The SAQL System Architecture

The SAQL system consists of (1) monitoring agents deployed across servers, desktops, and laptops in the enterprise, (2) the language parser, which performs syntactic and semantic analysis of the input queries and generates anomaly model contexts, and (3) the execution engine, which monitors the data stream and reports alerts based on the execution of the anomaly model contexts.

The execution engine contains four sub-modules: (1) the multievent matcher matches the data against the event patterns specified in the query; (2) the state maintainer computes and maintains the states in sliding windows over the matched events; (3) the concurrent query scheduler divides the concurrent queries into groups based on the master-dependent scheduling algorithm to minimize the need for data copies; (4) the error reporter reports errors during the query execution.
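As an added illustration (not code from the SAQL paper or system), the following Python sketch models three of the sub-modules on constructed events: a matcher that filters events by pattern, a state maintainer that keeps per-query counts in sliding time windows, and a scheduler that groups queries sharing the same pattern so the stream is matched once per group. The grouping key and the alert rule are assumptions standing in for the master-dependent scheduling algorithm and anomaly model, which this section does not define.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int       # seconds since start of the constructed stream
    proc: str     # process name reported by the monitoring agent
    op: str       # system operation
    target: str   # file, socket or host the operation touched

@dataclass
class Query:
    name: str
    pattern: dict    # attribute -> required value (multievent matcher input)
    window: int      # sliding-window length in seconds
    threshold: int   # alert when matched events in the window exceed this

def schedule(queries):
    """Group queries with identical event patterns (assumed simplification of
    master-dependent scheduling): one matched stream feeds every query in a group."""
    groups = {}
    for q in queries:
        groups.setdefault(tuple(sorted(q.pattern.items())), []).append(q)
    return groups

def matches(pattern, ev):
    return all(getattr(ev, k) == v for k, v in pattern.items())

def run(queries, events):
    groups = schedule(queries)
    windows = {q.name: deque() for q in queries}   # state maintainer: timestamps in window
    alerts = []
    for ev in events:                               # events arrive in timestamp order
        for key, qs in groups.items():
            if not matches(dict(key), ev):          # matched once per group, not per query
                continue
            for q in qs:
                w = windows[q.name]
                w.append(ev.ts)
                while w and ev.ts - w[0] >= q.window:   # slide the window forward
                    w.popleft()
                if len(w) > q.threshold:
                    alerts.append((q.name, ev.ts, len(w)))
    return groups, alerts

# Constructed sample stream: repeated SSH auth failures plus one shell exec.
EVENTS = sorted([Event(t, "sshd", "auth_fail", "10.0.0.5") for t in range(5)]
                + [Event(2, "bash", "exec", "/bin/ls")], key=lambda e: e.ts)
QUERIES = [Query("q1", {"proc": "sshd", "op": "auth_fail"}, window=10, threshold=3),
           Query("q2", {"proc": "sshd", "op": "auth_fail"}, window=2, threshold=1),
           Query("q3", {"proc": "bash", "op": "exec"}, window=10, threshold=0)]
```

Calling `run(QUERIES, EVENTS)` yields two scheduling groups (q1 and q2 share one) and alerts for each query, with q1 firing only once four failures fall inside its ten-second window.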