Graphical display of field values extracted from machine data

US 10,331,720 B2
Filed: 01/31/2017
Issued: 06/25/2019
Est. Priority Date: 09/07/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a search query entered by a user in textual form into a query box;

creating a set of events by applying the search query across a data store of field-searchable events to find matching events, including unstructured raw data produced by one or more components in an information technology environment and reflecting activity within the information technology environment;

determining a set of fields that have each been defined for one or more events in the set of events, each field included in the set of fields associated with a different extraction rule that is used to identify occurrences of the field in the unstructured raw data in each of the one or more events and extract values from the occurrences of the field;

calculating a relevance score for each field in the set of fields;

selecting one or more fields included in the set of fields based on the relevance scores; and

causing display of one or more graphical controls, each graphical control corresponding to a field in the one or more fields, the graphical controls enabling the user to process the set of events using the corresponding one or more fields.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure relates to certain system and method embodiments for generating reports from unstructured data. In one embodiment, a method can include identifying events matching criteria of an initial search query (each of the events including a portion of raw machine data that is associated with a time), identifying a set of fields, each field defined for one or more of the identified events, causing display of an interactive graphical user interface (GUI) that includes one or more interactive elements enabling a user to define a report for providing information relating to the matching events (each interactive element enabling processing or presentation of information in the matching events using one or more fields in the identified set of fields), receiving, via the GUI, a report definition indicating how to report information relating to the matching events, and generating, based on the report definition, a report including information relating to the matching events.

180 Citations

21 Claims

1. A computer-implemented method comprising:
- receiving a search query entered by a user in textual form into a query box;
  
  creating a set of events by applying the search query across a data store of field-searchable events to find matching events, including unstructured raw data produced by one or more components in an information technology environment and reflecting activity within the information technology environment;
  
  determining a set of fields that have each been defined for one or more events in the set of events, each field included in the set of fields associated with a different extraction rule that is used to identify occurrences of the field in the unstructured raw data in each of the one or more events and extract values from the occurrences of the field;
  
  calculating a relevance score for each field in the set of fields;
  
  selecting one or more fields included in the set of fields based on the relevance scores; and
  
  causing display of one or more graphical controls, each graphical control corresponding to a field in the one or more fields, the graphical controls enabling the user to process the set of events using the corresponding one or more fields.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21)
- - 2. The computer-implemented method of claim 1, further comprising:
    - causing display of a graphical control for selecting the one or more fields from the set of fields, to be used in a report definition.
  - 3. The computer-implemented method of claim 1, wherein the relevance score is calculated based on a calculated number of events in the set of events that contain unstructured raw data that includes that field, and further comprising causing display of a graphical control for selecting the one or more fields from the set of fields, wherein a field name associated with each of the one or more fields is selected to be displayed by the graphical control based on the calculated relevance score.
  - 4. The computer-implemented method of claim 1, wherein the relevance score is calculated based on a calculated number of different values for that field found in unstructured raw data contained in the set of events, and further comprising causing display of a graphical control for selecting the one or more fields from the set of fields, wherein a field name associated with each of the one or more fields is selected to be displayed by the graphical control based on the calculated relevance score.
  - 5. The computer-implemented method of claim 1, wherein the relevance score is calculated based on a calculated number of unique values for that field found in unstructured raw data contained in the set of events, and further comprising causing display of a graphical control for selecting the one or more fields from the set of fields, wherein a field name associated with each of the one or more fields is selected to be displayed by the graphical control based on the calculated relevance score.
  - 6. The computer-implemented method of claim 1, wherein the one or more graphical controls includes one or more filter criteria for filtering the set of events.
  - 7. The computer-implemented method of claim 1, wherein a graphical control of the one or more graphical controls includes one or more filter criteria for filtering the set of events by applying the filter criteria to the field.
  - 8. The computer-implemented method of claim 1, wherein the one or more graphical controls includes criteria for generating one or more aggregate values for the one or more events.
  - 9. The computer-implemented method of claim 1, wherein the one or more graphical controls includes criteria for generating one or more aggregate values for a field in the set of fields.
  - 10. The computer-implemented method of claim 1, wherein a graphical control of the one or more graphical controls indicates a graphical visualization.
  - 11. The computer-implemented method of claim 1, wherein a graphical control of the one or more graphical controls indicates a graphical visualization, and wherein the set of fields are used to map data from the set of events to the graphical visualization.
  - 12. The computer-implemented method of claim 1, further comprising:
    - causing display of a text box for entering at least a portion of at least one criterion for at least one field from the set of fields;
      
      receiving the at least one criterion for the at least one field;
      
      causing the set of events to be filtered based on the received at least one criterion for the at least one field.
  - 13. The computer-implemented method of claim 1, further comprising:
    - generating a data model based on the set of fields and the initial search query.
  - 14. The computer-implemented method of claim 1, further comprising:
    - generating a data model based on the set of fields; and
      
      modifying a search defining events to which a data model is applicable based on the set of fields.
  - 15. The computer-implemented method of claim 1, wherein each event in the data store of field-searchable events is assigned a time stamp.
  - 16. The computer-implemented method of claim 1, wherein the each of the fields in the set of fields is included in a late-binding schema.
  - 17. The computer-implemented method of claim 1, further comprising:
    - generating a data model based on the set of fields and the initial search query;
      
      saving the data model; and
      
      applying the data model to a second set of events different than the set of events.
  - 18. The computer-implemented method of claim 1, wherein the set of fields are pre-defined fields.
  - 19. The computer-implemented method of claim 1, wherein the set of fields are discovered as the set of events are created.
  - 21. The computer-implemented method of claim 1, wherein each extraction rule is used to identify a pattern in the unstructured raw data that indicates one or more occurrences of the field associated with the extraction rule.

20. One or more non-transitory computer readable storage media storing instructions which, when executed by one or more computing devices, cause:
- receiving a search query entered by a user in textual form into a query box;
  
  creating a set of events by applying the search query across a data store of field-searchable events to find matching events, including unstructured raw data produced by one or more components in an information technology environment and reflecting activity within the information technology environment;
  
  determining a set of fields that have each been defined for one or more events in the set of events, each field included in the set of fields associated with a different extraction rule that is used to identify occurrences of the field in the unstructured raw data in each of the one or more events and extract values from the occurrences of the field;
  
  calculating a relevance score for each field in the set of fields;
  
  selecting one or more fields included in the set of fields based on the relevance scores; and
  
  causing display of one or more graphical controls, each graphical control corresponding to a field in the one or more fields, the graphical controls enabling the user to process the set of events using the corresponding one or more fields.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Neels, Alice Emily, Vasan, Sundar, Fishel, Simon, Robichaud, Marc Vincent, Lamas, Divanny
Primary Examiner(s)
Nguyen, Phong H

Application Number

US15/421,425
Publication Number

US 20170140039A1
Time in Patent Office

875 Days
Field of Search

707722, 707723, 707805
US Class Current
CPC Class Codes

G06F 16/24575   using context

G06F 16/2477   Temporal data queries

G06F 16/248   Presentation of query results

G06F 16/26   Visual data mining; Browsin...

G06F 16/334   Query execution G06F16/335 ...

G06F 16/335   Filtering based on addition...

G06F 16/338   Presentation of query results

G06F 16/345   Summarisation for human users

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 16/9535   Search customisation based ...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/166   Editing, e.g. inserting or ...

G06T 11/206   Drawing of charts or graphs

G06T 2200/24   involving graphical user in...

Graphical display of field values extracted from machine data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

180 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Graphical display of field values extracted from machine data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links