Displaying drill-down event information using event identifiers

US 10,318,535 B2
Filed: 01/25/2016
Issued: 06/11/2019
Est. Priority Date: 03/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a user interface of a first device, a search query to be performed on a set of event records accessible by a second device;

sending, by the first device, at least a portion of the search query to the second device;

receiving, by the first device, a search result from the second device, the search result including one or more event identifiers that are transmitted to the second device by a plurality of distributed nodes, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record that is stored by a corresponding specific distributed node of the plurality of distributed nodes and the specific event record is accessible by the second device, at the corresponding specific distributed node, without searching the set of event records;

causing, within the user interface of the first device, display of information associated with at least a portion of the search result;

receiving, based on a user selection of at least a portion of the information displayed within the user interface of the first device, a request to view underlying data associated with the at least a portion of the search result;

determining, by the first device, at least one event identifier in the search result associated with the request, wherein the at least one event identifier was transmitted to the second device by a first distributed node of the plurality of nodes;

sending, by the first device, a request for event records, the request including the at least one event identifier;

receiving from the second device, by the first device, at least one event record associated with the at least one event identifier, wherein the at least one event record was accessed by the second device, at the first distributed node, and comprises raw data that relates to operations or activities in an information technology environment; and

causing, within the user interface of the first device, display of the requested underlying data based on at least the raw data of the received at least one event record.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

Citations

20 Claims

1. A method, comprising:
- receiving, at a user interface of a first device, a search query to be performed on a set of event records accessible by a second device;
  
  sending, by the first device, at least a portion of the search query to the second device;
  
  receiving, by the first device, a search result from the second device, the search result including one or more event identifiers that are transmitted to the second device by a plurality of distributed nodes, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record that is stored by a corresponding specific distributed node of the plurality of distributed nodes and the specific event record is accessible by the second device, at the corresponding specific distributed node, without searching the set of event records;
  
  causing, within the user interface of the first device, display of information associated with at least a portion of the search result;
  
  receiving, based on a user selection of at least a portion of the information displayed within the user interface of the first device, a request to view underlying data associated with the at least a portion of the search result;
  
  determining, by the first device, at least one event identifier in the search result associated with the request, wherein the at least one event identifier was transmitted to the second device by a first distributed node of the plurality of nodes;
  
  sending, by the first device, a request for event records, the request including the at least one event identifier;
  
  receiving from the second device, by the first device, at least one event record associated with the at least one event identifier, wherein the at least one event record was accessed by the second device, at the first distributed node, and comprises raw data that relates to operations or activities in an information technology environment; and
  
  causing, within the user interface of the first device, display of the requested underlying data based on at least the raw data of the received at least one event record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein an event identifier includes an identification of both an event record and a device having access to the event record.
  - 3. The method as recited in claim 1, wherein the received at least one event identifier received by the first device includes an identification of both an event record and the first device.
  - 4. The method as recited in claim 1, wherein the search result sent by the second device to the first device does not include an event record associated with an event identifier that was included in the search result.
  - 5. The method as recited in claim 1, wherein the second device includes an indexer.
  - 6. The method of claim 1, wherein the display of information associated with the at least portion of the search result includes displaying a bar graph within a first portion of the user interface.
  - 7. The method of claim 1, wherein the user selection of at least the portion of information displayed within the user interface is enabled by a field picker of the user interface.
  - 8. The method of claim 1, wherein the display of the requested underlying data includes displaying the raw data of the at least one event record.
  - 9. The method of claim 1, wherein the user interface simultaneously displays each of the information associated with the at least portion of the search result and the requested underlying data based on the raw data of the received at least one event record.
  - 10. The method of claim 1, wherein the second device is an aggregating node that aggregates the one or more event identifiers to generate the search result.

11. An apparatus, comprising:
- a search query receiver, at a first device, implemented at least partially in hardware, that receives a search query to be performed on a set of event records accessible by a second device;
  
  a search query transmitter, at the first device, implemented at least partially in hardware, that sends at least a portion of the search query to the second device;
  
  a search result receiver, at the first device, implemented at least partially in hardware, that receives a search result from the second device, the search result including one or more event identifiers that are transmitted to the second device by a plurality of distributed nodes, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record that is stored by a corresponding specific distributed node of the plurality of distributed nodes and the specific event record is accessible by the second device, at the corresponding specific distributed node, without searching the set of event records;
  
  a display information formatter, at the first device, implemented at least partially in hardware, that causes display, within a user interface, of information associated with at least a portion of the search result;
  
  a subsystem, at the first device, implemented at least partially in hardware, that receives, based on a user selection of at least a portion of the information displayed within the user interface, a request to view underlying data associated with the at least a portion of the search result;
  
  a subsystem, at the first device, implemented at least partially in hardware, that determines at least one event identifier in the search result associated with the request, wherein the at least one event identifier was transmitted to the second device by a first distributed node of the plurality of nodes;
  
  an event record retrieval subsystem, at the first device, implemented at least partially in hardware, that sends a request for event records, the request including the at least one event identifier;
  
  wherein the event record retrieval subsystem receives at least one event record associated with the at least one event identifier, wherein the at least one event record was accessed by the second device, at the first distributed node, and comprises raw data that relates to operations or activities in an information technology environment;
  
  wherein the display information formatter causes, within the user interface of the first device, display of the requested underlying data based on at least the raw data of the received at least one event record.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus as recited in claim 11, wherein each event record in the set of event records is associated with a time stamp and is searchable based on a time represented by the time stamp.
  - 13. The apparatus as recited in claim 11, wherein an event identifier includes an identification of both an event record and a device having access to the event record.
  - 14. The apparatus as recited in claim 11, wherein the received at least one event identifier received by the first device includes an identification of both an event record and the first device.
  - 15. The apparatus as recited in claim 11, wherein the search result sent by the second device to the first device does not include an event record associated with an event identifier that was included in the search result.

16. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors cause performance of:
- receiving, at a user interface of a first device, a search query to be performed on a set of event records accessible by a second device;
  
  sending, by the first device, at least a portion of the search query to the second device;
  
  receiving, by the first device, a search result from the second device, the search result including one or more event identifiers that are transmitted to the second device by a plurality of distributed nodes, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record that is stored by a corresponding specific distributed node of the plurality of distributed nodes and the specific event record is accessible by the second device, at the corresponding specific distributed node, without searching the set of event records;
  
  causing, within the user interface of the first device, display of information associated with at least a portion of the search result;
  
  receiving, based on a user selection of at least a portion of the information displayed within the user interface of the first device, a request to view underlying data associated with the at least a portion of the search result;
  
  determining, by the first device, at least one event identifier in the search result associated with the request, wherein the at least one event identifier was transmitted to the second device by a first distributed node of the plurality of nodes;
  
  sending, by the first device, a request for event records, the request including the at least one event identifier;
  
  receiving from the second device, by the first device, at least one event record associated with the at least one event identifier, wherein the at least one event record was accessed by the second device, at the first distributed node, and comprises raw data that relates to operations or activities in an information technology environment;
  
  causing, within the user interface of the first device, display of the requested underlying data based on at least the raw data of the received at least one event record.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more non-transitory computer-readable storage media as recited in claim 16, wherein each event record in the set of event records is associated with a time stamp.
  - 18. The one or more non-transitory computer-readable storage media as recited in claim 16, wherein each event record in the set of event records is associated with a time stamp and is searchable based on a time represented by the time stamp.
  - 19. The one or more non-transitory computer-readable storage media as recited in claim 16, wherein an event identifier includes an identification of both an event record and a device having access to the event record.
  - 20. The one or more non-transitory computer-readable storage media as recited in claim 16, wherein the received at least one event identifier received by the first device includes an identification of both an event record and the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Zhang, Steve Yu, Sorkin, Stephen Phillip
Primary Examiner(s)
Pham, Michael

Application Number

US15/006,055
Publication Number

US 20160140181A1
Time in Patent Office

1,233 Days
Field of Search

707769
US Class Current
CPC Class Codes

G06F 16/182   Distributed file systems

G06F 16/22   Indexing; Data structures t...

G06F 16/2322   using timestamps

G06F 16/24   Querying

G06F 16/2455   Query execution

G06F 16/24553   of query operations

G06F 16/24554   Unary operations; Data part...

G06F 16/24575   using context

G06F 16/24578   using ranking

G06F 16/2471   Distributed queries

G06F 16/2477   Temporal data queries

G06F 16/248   Presentation of query results

G06F 16/334   Query execution G06F16/335 ...

G06F 16/90328   using search space presenta...

G06F 16/9038   Presentation of query results

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/22   comprising specially adapte...

H04L 67/1097 : for distributed storage of ...

View All

Displaying drill-down event information using event identifiers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Displaying drill-down event information using event identifiers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links