In networks today, events occur that can cause issues with the host network or with systems the network serves. In many cases, devices attached to the network can log information about the event in data files, referred to herein as ‘event data records’ or ‘event data logs’, or as ‘records’ or ‘logs’ for short. These records are typically transmitted to an analysis system to be analyzed, generally in order to determine a remedy for the issue, a cause of the issue, or the like.
In some cases, the quantity/volume of event data records grows so large (e.g., during an ‘event storm’ or ‘event flood’) as to outstrip the network's capacity to transmit all the data records to the analysis system. In such situations, a local device that either generates the event data records or collects those event data records for submission to the analysis system conventionally has two options. As one option, excess event data records (e.g., those not able to be transmitted) can be purged, resulting in a loss of data. As another option, the local device can aggregate the event data records according to some aggregation scheme, and the aggregated records can be delivered to the analysis system.