Displaying drill-down event information using event identifiers
First Claim
1. A method, comprising:
- receiving, at a user interface of a first device, a search query to be performed on a set of event records accessible by a second device;
- sending, by the first device, at least a portion of the search query to the second device;
- receiving, by the first device, a search result from the second device, the search result including one or more event identifiers that are transmitted to the second device by a plurality of distributed nodes, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record that is stored by a corresponding specific distributed node of the plurality of distributed nodes and the specific event record is accessible by the second device, at the corresponding specific distributed node, without searching the set of event records;
- causing, within the user interface of the first device, display of information associated with at least a portion of the search result;
- receiving, based on a user selection of at least a portion of the information displayed within the user interface of the first device, a request to view underlying data associated with the at least a portion of the search result;
- determining, by the first device, at least one event identifier in the search result associated with the request, wherein the at least one event identifier was transmitted to the second device by a first distributed node of the plurality of nodes;
- sending, by the first device, a request for event records, the request including the at least one event identifier;
- receiving from the second device, by the first device, at least one event record associated with the at least one event identifier, wherein the at least one event record was accessed by the second device, at the first distributed node, and comprises raw data that relates to operations or activities in an information technology environment; and
- causing, within the user interface of the first device, display of the requested underlying data based on at least the raw data of the received at least one event record.
Abstract
A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.
20 Claims
1. A method, comprising the steps set out under First Claim above. Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 depend on claim 1.
11. An apparatus, comprising:
- a search query receiver, at a first device, implemented at least partially in hardware, that receives a search query to be performed on a set of event records accessible by a second device;
- a search query transmitter, at the first device, implemented at least partially in hardware, that sends at least a portion of the search query to the second device;
- a search result receiver, at the first device, implemented at least partially in hardware, that receives a search result from the second device, the search result including one or more event identifiers that are transmitted to the second device by a plurality of distributed nodes, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record that is stored by a corresponding specific distributed node of the plurality of distributed nodes and the specific event record is accessible by the second device, at the corresponding specific distributed node, without searching the set of event records;
- a display information formatter, at the first device, implemented at least partially in hardware, that causes display, within a user interface, of information associated with at least a portion of the search result;
- a subsystem, at the first device, implemented at least partially in hardware, that receives, based on a user selection of at least a portion of the information displayed within the user interface, a request to view underlying data associated with the at least a portion of the search result;
- a subsystem, at the first device, implemented at least partially in hardware, that determines at least one event identifier in the search result associated with the request, wherein the at least one event identifier was transmitted to the second device by a first distributed node of the plurality of nodes;
- an event record retrieval subsystem, at the first device, implemented at least partially in hardware, that sends a request for event records, the request including the at least one event identifier;
- wherein the event record retrieval subsystem receives at least one event record associated with the at least one event identifier, wherein the at least one event record was accessed by the second device, at the first distributed node, and comprises raw data that relates to operations or activities in an information technology environment;
- wherein the display information formatter causes, within the user interface of the first device, display of the requested underlying data based on at least the raw data of the received at least one event record.
Dependent claims 12, 13, 14 and 15 depend on claim 11.
16. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors cause performance of:
- receiving, at a user interface of a first device, a search query to be performed on a set of event records accessible by a second device;
- sending, by the first device, at least a portion of the search query to the second device;
- receiving, by the first device, a search result from the second device, the search result including one or more event identifiers that are transmitted to the second device by a plurality of distributed nodes, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record that is stored by a corresponding specific distributed node of the plurality of distributed nodes and the specific event record is accessible by the second device, at the corresponding specific distributed node, without searching the set of event records;
- causing, within the user interface of the first device, display of information associated with at least a portion of the search result;
- receiving, based on a user selection of at least a portion of the information displayed within the user interface of the first device, a request to view underlying data associated with the at least a portion of the search result;
- determining, by the first device, at least one event identifier in the search result associated with the request, wherein the at least one event identifier was transmitted to the second device by a first distributed node of the plurality of nodes;
- sending, by the first device, a request for event records, the request including the at least one event identifier;
- receiving from the second device, by the first device, at least one event record associated with the at least one event identifier, wherein the at least one event record was accessed by the second device, at the first distributed node, and comprises raw data that relates to operations or activities in an information technology environment;
- causing, within the user interface of the first device, display of the requested underlying data based on at least the raw data of the received at least one event record.
Dependent claims 17, 18, 19 and 20 depend on claim 16.
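The search-then-drill-down flow that the abstract and the independent claims describe, as an added Python model that is not the patent's own code or any product's implementation: each node searches only its local records and returns a count plus references (timestamp, node id, local id), the aggregating node merges those into a global order, and a drill-down fetches the selected record by identifier from the owning node without re-running the search. The sample events, all names, and the token-based check that a drill-down may only name identifiers the same search actually returned are my assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: each distributed node holds raw log events keyed by a node-local id.
NODE_DATA = {
    "node-a": {"e1": ("2024-05-01T10:00:01Z", "host=web1 sshd: Failed password for root"),
               "e2": ("2024-05-01T10:00:07Z", "host=web1 sshd: Accepted publickey for deploy")},
    "node-b": {"e1": ("2024-05-01T10:00:03Z", "host=web2 sshd: Failed password for admin"),
               "e2": ("2024-05-01T10:00:09Z", "host=web2 cron: session opened for root")},
}

@dataclass
class Node:
    node_id: str
    events: dict  # local_id -> (timestamp, raw event text)

    def search(self, term):
        # Local analysis: return the match count plus references, never the raw records.
        refs = [(ts, self.node_id, eid) for eid, (ts, raw) in self.events.items() if term in raw]
        return len(refs), refs

    def fetch(self, local_id):
        # Direct lookup by identifier; the event set is not searched again.
        return self.events[local_id][1]

class Aggregator:
    """The 'second device': fans the query out, merges partial results, serves drill-down."""
    def __init__(self, nodes):
        self.nodes = {n.node_id: n for n in nodes}
        self.issued = {}  # search token -> references that result contained (assumed authorisation state)

    def search(self, term, token):
        partials = [n.search(term) for n in self.nodes.values()]
        refs = sorted(r for _, part in partials for r in part)  # global order: by timestamp
        self.issued[token] = set(refs)
        return sum(count for count, _ in partials), refs

    def drill_down(self, token, refs):
        # Only identifiers that this search actually returned may be dereferenced.
        allowed = self.issued.get(token, set())
        bad = [r for r in refs if r not in allowed]
        if bad:
            raise PermissionError(f"identifiers not in search result {token}: {bad}")
        return [self.nodes[node_id].fetch(eid) for _, node_id, eid in refs]

def run_demo(term="Failed password"):
    agg = Aggregator([Node(nid, ev) for nid, ev in NODE_DATA.items()])
    count, refs = agg.search(term, token="search-1")
    raw = agg.drill_down("search-1", refs[:2])  # the user selects the first two rows
    return count, refs, raw
```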
Specification