Displaying a number of events that have a particular value for a field in a set of events

US 10,282,463 B2
Filed: 08/02/2015
Issued: 05/07/2019
Est. Priority Date: 01/23/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

accessing a set of events in a field-searchable data store that acts as a persistent repository for the events, wherein each event in the set includes a portion of raw machine data in textual form, and wherein the raw machine data is produced by a component within an information technology environment and reflects activity within the information technology environment;

receiving a user selection of a first portion of raw machine data in a particular event presented in a first portion of a display screen;

applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values, wherein the extraction rule comprises a regular expression rule updated and presented in a second portion of the display screen in real-time to correspond with the user-selected first portion of raw machine data;

for one or more particular values in the extracted set of values, determining a count of events that include the particular value at a location corresponding to the extraction rule;

updating, in real-time in a third portion of the display screen, a display of the one or more particular values and its associated count;

andwherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generate and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.

219 Citations

26 Claims

1. A computer-implemented method, comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events, wherein each event in the set includes a portion of raw machine data in textual form, and wherein the raw machine data is produced by a component within an information technology environment and reflects activity within the information technology environment;
  
  receiving a user selection of a first portion of raw machine data in a particular event presented in a first portion of a display screen;
  
  applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values, wherein the extraction rule comprises a regular expression rule updated and presented in a second portion of the display screen in real-time to correspond with the user-selected first portion of raw machine data;
  
  for one or more particular values in the extracted set of values, determining a count of events that include the particular value at a location corresponding to the extraction rule;
  
  updating, in real-time in a third portion of the display screen, a display of the one or more particular values and its associated count;
  
  andwherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 22, 23)
- - 2. The method of claim 1, wherein the field-searchable data store is searchable to reveal a performance or security of the information technology environment based on the activity reflected by the raw machine data in the data store.
  - 3. The method of claim 1, wherein the extraction rule at least in part defines a field.
  - 4. The method of claim 1, wherein the extraction rule at least in part defines a field, and the extracted set of values produced by applying extraction rule to the accessed set of events are semantically related.
  - 5. The method of claim 1, wherein the extraction rule at least in part defines a field that can be referenced in a search query by a name for the field.
  - 6. The method of claim 1, wherein a data store of events is field-searchable when a search query containing a criterion for a field can be executed against the events in the data store to cause comparison between the criterion and values extracted from the events by an extraction rule defining the field.
  - 7. The method of claim 1, further comprising causing display of an indication of a relative rate of occurrence in events of different values from the extracted set of values.
  - 8. The method of claim 1, wherein the display of the one or more particular values and its associated count further comprises causing display of the one or more particular values in a sorted order based on the associated counts.
  - 9. The method of claim 1, wherein the one or more particular values include only unique values found in the extracted set of values.
  - 10. The method of claim 1, further comprising:
    - causing display of at least one event having a given value in the extracted set of values at a location corresponding to the extraction rule; and
      
      causing highlighting of the given value in the at least one displayed event.
  - 11. The method of claim 1, further comprising:
    - receiving input corresponding to a selection of a particular value that has been displayed with its associated count;
      
      based on receiving the selection, determining a subset of the set of events such that each event in the subset includes the selected particular value at a location corresponding to the extraction rule; and
      
      modifying a displayed set of events to include only events in the determined subset and to hide any events not in the determined subset.
  - 22. The method of claim 1, wherein the information generated by the component comprises security information for the information technology environment.
  - 23. The method of claim 1, wherein the information generated by the component comprises operational performance information for the information technology environment.

12. A non-transitory computer readable storage medium impressed with computer program instructions that, when executed on a processor, implement a method comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events, wherein each event in the set includes a portion of raw machine data in textual form, and wherein the raw machine data is produced by a component within an information technology environment and reflects activity within the information technology environment;
  
  receiving a user selection of a first portion of raw machine data in a particular event presented in a first portion of a display screen;
  
  applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values, wherein the extraction rule comprises a regular expression rule updated and presented in a second portion of the display screen in real-time to correspond with the user-selected first portion of raw machine data;
  
  for one or more particular values in the extracted set of values, determining a count of events that include the particular value at a location corresponding to the extraction rule;
  
  updating, in real-time in a third portion of the display screen, a display of the one or more particular values and its associated count;
  
  andwherein the method is performed by one or more computing devices.
- View Dependent Claims (13, 14, 15, 16, 24, 25)
- - 13. The computer readable medium of claim 12, wherein the field-searchable data store is searchable to reveal a performance or security of the information technology environment t based on the activity reflected by the raw machine data in the data store.
  - 14. The computer readable medium of claim 12, wherein the display of the one or more particular values and its associated count further comprises causing display of the one or more particular values in a sorted order based on the associated counts.
  - 15. The computer readable medium of claim 12, implementing the method further comprising:
    - causing display of at least one event having a given value in the extracted set of values at a location corresponding to the extraction rule; and
      
      causing highlighting of the given value in the at least one displayed event.
  - 16. The computer readable medium of claim 12, implementing the method further comprising:
    - receiving input corresponding to a selection of a particular value that has been displayed with its associated count;
      
      based on receiving the selection, determining a subset of the set of events such that each event in the subset includes the selected particular value at a location corresponding to the extraction rule; and
      
      modifying a displayed set of events to include only events in the determined subset and to hide any events not in the determined subset.
  - 24. The computer readable medium of claim 12, wherein the information generated by the component comprises security information for the information technology environment.
  - 25. The computer readable medium of claim 12, wherein the information generated by the component comprises operational performance information for the information technology environment.

17. A system including one or more processors coupled to memory, the memory loaded with computer instructions that, when executed on the processors, implement actions comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events, wherein each event in the set includes a portion of raw machine data in textual form, and wherein the raw machine data is produced by a component within an information technology environment and reflects activity within the information technology environment;
  
  receiving a user selection of a first portion of raw machine data in a particular event presented in a first portion of a display screen;
  
  applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values, wherein the extraction rule comprises a regular expression rule updated and presented in a second portion of the display screen in real-time to correspond with the user-selected first portion of raw machine data;
  
  for one or more particular values in the extracted set of values, determining a count of events that include the particular value at a location corresponding to the extraction rule;
  
  updating, in real-time in a third portion of the display screen, a display of the one or more particular values and its associated count;
  
  andwherein the method is performed by one or more computing devices.
- View Dependent Claims (18, 19, 20, 21, 26)
- - 18. The system of claim 17, wherein the field-searchable data store is searchable to reveal a performance or security of the information technology environment based on the activity reflected by the raw machine data in the data store.
  - 19. The system of claim 17, wherein the display of the one or more particular values and its associated count further comprises causing display of the one or more particular values in a sorted order based on the associated counts.
  - 20. The system of claim 17, further implementing actions comprising:
    - causing display of at least one event having a given value in the extracted set of values at a location corresponding to the extraction rule; and
      
      causing highlighting of the given value in the at least one displayed event.
  - 21. The system of claim 17, further implementing actions comprising:
    - receiving input corresponding to a selection of a particular value that has been displayed with its associated count;
      
      based on receiving the selection, determining a subset of the set of events such that each event in the subset includes the selected particular value at a location corresponding to the extraction rule; and
      
      modifying a displayed set of events to include only events in the determined subset and to hide any events not in the determined subset.
  - 26. The system of claim 17, wherein the information generated by the component comprises security information for the information technology environment or operational performance information for the information technology environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Carasso, R. David, Delfino, Micah James, Hwang, Johnvey
Primary Examiner(s)
Ellis, Matthew J

Application Number

US14/816,038
Publication Number

US 20150339377A1
Time in Patent Office

1,374 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/248   Presentation of query results

G06F 16/287   Visualization; Browsing

G06F 16/332   Query formulation

G06F 16/334   Query execution G06F16/335 ...

G06F 16/338   Presentation of query results

G06F 16/34   Browsing; Visualisation the...

G06F 16/93   Document management systems

G06F 16/951   Indexing; Web crawling tech...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 40/166   Editing, e.g. inserting or ...

G06F 40/169   Annotation, e.g. comment da...

G06F 40/174   Form filling; Merging

G06Q 10/00   Administration; Management

G06Q 10/0637   Strategic management or ana...

Y04S 10/50   Systems or methods supporti...

Displaying a number of events that have a particular value for a field in a set of events

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

219 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Displaying a number of events that have a particular value for a field in a set of events

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

219 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others