Displaying events based on user selections within an event limited field picker

US 10,372,722 B2
Filed: 01/31/2018
Issued: 08/06/2019
Est. Priority Date: 09/30/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for machine-data analysis of activity by a component in an information technology environment, the method comprising:

in response to receiving a first query, accessing a set of events in a data store, wherein each event in the accessed set of events includes raw machine data that reflects the activity in the information technology environment associated with the event and the raw data of each event is produced by the component of the information technology environment;

within a first interface, causing display of first search results that are based on the received first query, wherein the first search results include a first plurality of events that includes a first subset of the accessed set of events;

in response to receiving a first user selection that indicates a first event included in the first plurality of events, causing display of a field information panel that displays fields having corresponding values for the first event, wherein each field is defined by an extraction rule that when applied to the first event, extracts a portion of a character string that represents the raw machine data of the first event by identifying a pattern in the character string to generate the corresponding value for the field from the portion of the character string; and

in response to receiving a second user selection, displaying a second plurality of events that includes a second subset of the accessed set of events, wherein the second user selection indicates a first field included in the fields displayed in the field information panel and the second subset of the accessed set of events is based on first field.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An event limited field picker for a search user interface is described. In one or more implementations, a service may operate to collect and store data as events each of which includes a portion of the data correlated with a point in time. Clients may use a search user interface perform searches by input of search criteria. Responsive to receiving search criteria, the service may operate to apply a late binding schema to extract events that match the search criteria and provide search results for display via the search user interface. The search user interface exposes an event limited field picker operable to make selections of fields with respect to individual events in a view of the search results. In response to receiving an indication of a fields selected via the picker, visibility of selected fields may be updated to control which field and values are included in different views.

59 Citations

View as Search Results

30 Claims

1. A computer-implemented method for machine-data analysis of activity by a component in an information technology environment, the method comprising:
- in response to receiving a first query, accessing a set of events in a data store, wherein each event in the accessed set of events includes raw machine data that reflects the activity in the information technology environment associated with the event and the raw data of each event is produced by the component of the information technology environment;
  
  within a first interface, causing display of first search results that are based on the received first query, wherein the first search results include a first plurality of events that includes a first subset of the accessed set of events;
  
  in response to receiving a first user selection that indicates a first event included in the first plurality of events, causing display of a field information panel that displays fields having corresponding values for the first event, wherein each field is defined by an extraction rule that when applied to the first event, extracts a portion of a character string that represents the raw machine data of the first event by identifying a pattern in the character string to generate the corresponding value for the field from the portion of the character string; and
  
  in response to receiving a second user selection, displaying a second plurality of events that includes a second subset of the accessed set of events, wherein the second user selection indicates a first field included in the fields displayed in the field information panel and the second subset of the accessed set of events is based on first field.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The computer-implemented method of claim 1, wherein each event in the accessed set of events is associated with a timestamp that is extracted from the raw data of the event.
  - 3. The computer-implemented method of claim 1, wherein the first interface displays the field information panel.
  - 4. The computer-implemented method of claim 1, wherein the first interface displays the second plurality of events.
  - 5. The computer-implemented method of claim 1, wherein a second interface that is separate from the first interface displays the second plurality of events.
  - 6. The computer-implemented method of claim 1, wherein the second subset of the accessed set of events is a subset of the first subset of the accessed set of events.
  - 7. The computer-implemented method of claim 1, further comprising:
    - in response to receiving a second query based on the first field, performing a search operation that returns second search results that are based on the received second query, wherein the second search results includes the second plurality of events.
  - 8. The computer-implemented method of claim 1, further comprising:
    - in response to receiving the first user selection, filtering the first plurality of event based on the first field to generate filtering results, wherein the filtering results include the second subset of the accessed set of events.
  - 9. The computer-implemented method of claim 1, further comprising:
    - causing display in the field information panel of the corresponding value for each field of the fields;
      
      receiving the second user selection from the field information panel; and
      
      based on receiving the second user selection, identifying the second subset of the accessed set of events, wherein each event in the second subset of the accessed set of events have a same value for the first field as the first event.
  - 10. The computer-implemented method of claim 1, further comprising:
    - causing display in the field information panel of an interactive element enabling the second user selection; and
      
      receiving the second user selection through the interactive element; and
      
      causing display in a table format of events retrieved using a search query, the table format including information about values for the displayed events for the selected one or more particular fields.
  - 11. The computer-implemented method of claim 1, wherein the first and the second plurality of events are displayed in a table format and the table format includes values for the events included in the first and the second plurality of events.
  - 12. The computer-implemented method of claim 1, wherein at least one common event is included in each of the first subset of the accessed set of events and the second subset of the accessed set of events.
  - 13. The computer-implemented method of claim 1, wherein a second event is included in the second subset of the accessed set of event and excluded from the first subset of the accessed set of events.
  - 14. The computer-implemented method of claim 1, wherein the display of the fields comprises a name used to reference a field in the first search query.
  - 15. The computer-implemented method of claim 1, further comprising causing display in the field information panel of the corresponding value for each of the fields displayed in the field information panel.
  - 16. The computer-implemented method of claim 1, wherein the field information panel is exposed in the first interface at a location corresponding to the first event, and the first user selection is of a toggle element corresponding to the first event.
  - 17. The computer-implemented method of claim 1, wherein a first value of the corresponding values of a first field is generated from a first portion of the character string using a first extraction rule and a second value of the corresponding values of a second field of the fields is generated from a second portion of the character string using a second extraction rule.
  - 18. The computer-implemented method of claim 1, wherein the raw machine data in at least one of the events of the accessed set of events comprises unstructured data.
  - 19. The computer-implemented method of claim 1, further comprising causing display in the field information panel of both the corresponding value for each field of the fields and the of raw machine data included in the first event.
  - 20. The computer-implemented method of claim 1, further comprising causing display in the field information panel of both the corresponding value for each field of the fields and a statistic based on the corresponding value.
  - 21. The computer-implemented method of claim 1, further comprising causing display in the field information panel of the raw machine data included in the first event.
  - 22. The computer-implemented method of claim 1, wherein the extraction rule includes a regular expression.
  - 23. The computer-implemented method of claim 1, wherein a second event is included in the first subset of the accessed set of event and excluded from the second subset of the accessed set of events.
  - 24. The computer-implemented method of claim 1, wherein the extraction rule includes a late-binding schema.

25. A system comprising:
- one or more processors; and
  
  one or more computer-readable storage media containing instructions which, in response to execution by the one or more processors, cause the one or more processors to perform a method comprising;
  
  in response to receiving a first query, accessing a set of events in a data store, wherein each event in the accessed set of events includes raw machine data that reflects the activity in the information technology environment associated with the event and the raw data of each event is produced by the component of the information technology environment;
  
  within a first interface, causing display of first search results that are based on the received first query, wherein the first search results include a first plurality of events that includes a first subset of the accessed set of events;
  
  in response to receiving a first user selection that indicates a first event included in the first plurality of events, causing display of a field information panel that displays fields having corresponding values for the first event, wherein each field is defined by an extraction rule that when applied to the first event, extracts a portion of a character string that represents the raw machine data of the first event by identifying a pattern in the character string to generate the corresponding value for the field from the portion of the character string; and
  
  in response to receiving a second user selection, displaying a second plurality of events that includes a second subset of the accessed set of events, wherein the second user selection indicates a first field included in the fields displayed in the field information panel and the second subset of the accessed set of events is based on first field.
- View Dependent Claims (26, 27)
- - 26. The system of claim 25, wherein each event in the accessed set of events is associated with a timestamp that is extracted from the raw data of the event.
  - 27. The system of claim 25, wherein the first interface displays the field information panel.

28. One or more non-transitory computer-storage media having executable instructions, which, when executed by a computing device, cause the computing device to perform a method comprising:
- in response to receiving a first query, accessing a set of events in a data store, wherein each event in the accessed set of events includes raw machine data that reflects the activity in the information technology environment associated with the event and the raw data of each event is produced by the component of the information technology environment;
  
  within a first interface, causing display of first search results that are based on the received first query, wherein the first search results include a first plurality of events that includes a first subset of the accessed set of events;
  
  in response to receiving a first user selection that indicates a first event included in the first plurality of events, causing display of a field information panel that displays fields having corresponding values for the first event, wherein each field is defined by an extraction rule that when applied to the first event, extracts a portion of a character string that represents the raw machine data of the first event by identifying a pattern in the character string to generate the corresponding value for the field from the portion of the character string; and
  
  in response to receiving a second user selection, displaying a second plurality of events that includes a second subset of the accessed set of events, wherein the second user selection indicates a first field included in the fields displayed in the field information panel and the second subset of the accessed set of events is based on first field.
- View Dependent Claims (29, 30)
- - 29. The one or more computer-storage media of claim 28, wherein the first interface displays the second plurality of events.
  - 30. The one or more computer-storage media of claim 28, wherein a second interface that is separate from the first interface displays the second plurality of events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Lamas, Divanny I., Robichaud, Marc Vincent, Yestrau, Carl Sterling
Primary Examiner(s)
Alam, Shahid A

Application Number

US15/885,491
Publication Number

US 20180157722A1
Time in Patent Office

552 Days
Field of Search

707722
US Class Current
CPC Class Codes

G06F 16/2393   Updating materialised views

G06F 16/2455   Query execution

G06F 16/2477   Temporal data queries

G06F 16/25   Integrating or interfacing ...

G06F 16/26   Visual data mining; Browsin...

G06F 16/9038   Presentation of query results

G06F 3/04817   using icons graphical or vi...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

Displaying events based on user selections within an event limited field picker

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

59 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Displaying events based on user selections within an event limited field picker

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others