The Profiler is a feature extraction mechanism that can generate a profile that describes the behavior of an entity. An entity can be a server, user, subnet, or application.
You can use any field contained within a message to generate a profile. A profile can even be produced by combining fields that originate in different data sources. You can transform the data used in a profile by leveraging the Stellar language.
Once you generate a profile defining what normal behavior looks like, you can build models that identify anomalous behavior. To identify anomalous behavior, you can summarize the streaming telemetry data consumed by CCP over sliding windows. You apply a summary statistic to the data received within a given window. Collecting this summary across many windows results in a time series that is useful for analysis.
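The windowing described above, as an added Python illustration (not CCP or Profiler code): it sums one field per entity over sliding windows to produce a time series, then flags windows that exceed a simple median baseline. The message fields (`ip_src_addr`, `bytes_out`), the window sizes, the threshold, and the function names are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import median

MIN = 60_000  # milliseconds per minute

def build_profile(messages, entity_field, value_field, window_ms, step_ms):
    """Sum value_field per entity over sliding windows of window_ms, advanced by step_ms.

    Returns {entity: [(window_start_ms, total), ...]}, one time series per entity.
    """
    sums = defaultdict(lambda: defaultdict(int))
    for msg in messages:
        if entity_field not in msg or value_field not in msg:
            continue  # message carries no data for this profile
        t = msg["timestamp"]
        # A message belongs to every window [k*step, k*step + window) containing t.
        first = max(0, (t - window_ms) // step_ms + 1)
        for k in range(first, t // step_ms + 1):
            sums[msg[entity_field]][k * step_ms] += msg[value_field]
    return {entity: sorted(w.items()) for entity, w in sums.items()}

def flag_windows(series, factor=5):
    """Stand-in model: flag windows whose total exceeds factor x the series median."""
    baseline = median(total for _, total in series)
    return [(start, total) for start, total in series if total > factor * baseline]

# Constructed telemetry: one message per host every 5 minutes for an hour.
# 10.0.0.5 sends 50,000 bytes at minute 45 instead of its usual 1,000.
messages = []
for i in range(12):
    messages.append({"timestamp": i * 5 * MIN, "ip_src_addr": "10.0.0.5",
                     "bytes_out": 50_000 if i == 9 else 1_000})
    messages.append({"timestamp": i * 5 * MIN, "ip_src_addr": "10.0.0.9",
                     "bytes_out": 200})
messages.append({"timestamp": 7 * MIN, "protocol": "dns"})  # no entity field, skipped

profiles = build_profile(messages, "ip_src_addr", "bytes_out",
                         window_ms=10 * MIN, step_ms=5 * MIN)

if __name__ == "__main__":
    for entity, series in profiles.items():
        print(entity, "flagged windows:", flag_windows(series))
```

Because the windows overlap, the single spike at minute 45 appears in both windows that contain it, while the shorter final window stays below the baseline and is not flagged.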
The Profiler is automatically installed and started when you install CCP through Ambari.
CCP provides two types of profilers:
- Streaming Profiler
  - Allows you to create profiles based on the stream of telemetry being captured, enriched, triaged, and indexed by CCP. It cannot create a profile based on telemetry that was captured in the past.
- Batch Profiler
  - Allows you to generate a profile using archived telemetry.