Real time indication of previously extracted data fields for regular expressions
Abstract
Embodiments are directed towards real time display of event records with an indication of previously provided extraction rules. A plurality of extraction rules may be provided to the system, such as automatically generated and/or user created extraction rules. These extraction rules may include regular expressions. A plurality of event records may be displayed to the user, such that text in a field defined by an extraction rule is emphasized in the display of the event record. The same emphasis may be provided for text in overlapping fields, or the emphasis may be somewhat different for different fields. The user interface may enable a user to select a portion of text of an event record, such as by rolling-over or clicking on an emphasized part of the event record. By selecting the portion of the event record, the interface may display each extraction rule associated with the selected portion.
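An added sketch, not code from the patent or its assignee, of the behaviour the abstract describes: regular-expression extraction rules applied to events, extracted text emphasized in the display, and a lookup from a selected character to every rule that covers it. The sample events, the rule names and the [ ] emphasis markers are constructed assumptions, and overlapping fields are given the same emphasis by merging them into one run.

```python
import re
from typing import NamedTuple

# Constructed sample events (timestamped machine data); not from the patent.
EVENTS = [
    "2024-05-01T10:00:01Z sshd[812]: Failed password for root from 203.0.113.7 port 52211",
    "2024-05-01T10:00:09Z sshd[812]: Accepted password for alice from 198.51.100.23 port 40022",
]

# Hypothetical extraction rules: field name -> regex whose group 1 is the field value.
RULES = {
    "user": re.compile(r"for (\w+) from"),
    "src_ip": re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})"),
    "src": re.compile(r"from (\S+ port \d+)"),  # overlaps src_ip on purpose
}

class Span(NamedTuple):
    start: int
    end: int  # exclusive
    field: str

def extract_spans(event: str) -> list[Span]:
    """Apply every rule and record where each extracted field value sits."""
    spans = []
    for field, rx in RULES.items():
        for m in rx.finditer(event):
            spans.append(Span(m.start(1), m.end(1), field))
    return sorted(spans)

def rules_at(event: str, offset: int) -> list[str]:
    """Names of all rules whose field covers the selected character."""
    return sorted(s.field for s in extract_spans(event) if s.start <= offset < s.end)

def emphasize(event: str) -> str:
    """Wrap emphasized text in [ ]; overlapping fields merge into one run."""
    merged = []
    for s in extract_spans(event):
        if merged and s.start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], s.end)
        else:
            merged.append([s.start, s.end])
    out, pos = [], 0
    for start, end in merged:
        out += [event[pos:start], "[", event[start:end], "]"]
        pos = end
    return "".join(out) + event[pos:]
```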
36 Claims
1. A method, comprising:
organizing, on a first device, machine data into a plurality of events, each event in the plurality of events being associated with a timestamp and including a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
receiving, via a user interface, a user selection of a text value from displayed machine data associated with an event among the plurality of events;
automatically generating at least one extraction rule in response to the selection of the text value from machine data associated with the event; and
extracting at least one text value from at least one event in the plurality of events using the at least one extraction rule.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. An apparatus, comprising:
a subsystem, on a first device, implemented at least partially in hardware, that organizes machine data into a plurality of events, each event in the plurality of events being associated with a timestamp and including a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
a subsystem, implemented at least partially in hardware, that receives, via a user interface, a user selection of a text value from displayed machine data associated with an event among the plurality of events, and automatically generates at least one extraction rule in response to the selection of the text value from machine data associated with the event; and
a subsystem, implemented at least partially in hardware, that extracts at least one text value from at least one event in the plurality of events using the at least one extraction rule.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
25. A non-transitory computer-readable medium storing one or more sequences of instructions, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform:
organizing, on a first device, machine data into a plurality of events, each event in the plurality of events being associated with a timestamp and including a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
receiving, via a user interface, a user selection of a text value from displayed machine data associated with an event among the plurality of events;
automatically generating at least one extraction rule in response to the selection of the text value from machine data associated with the event; and
extracting at least one text value from at least one event in the plurality of events using the at least one extraction rule.
Dependent claims: 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36
Specification