Collection query driven generation of summarization information for raw machine data
First Claim
1. A method comprising:
providing a field searchable data store comprising a plurality of partitions of field searchable, time stamped event records, each event record comprising a time-stamped portion of raw machine data;
receiving a collection query that references a field name, wherein the field name corresponds to at least one field value, and wherein the collection query comprises commands to generate summarization information for one or more field names included therein;
responsive to the collection query, generating a respective summarization table for each partition of field searchable, time stamped event records by:
forwarding the collection query to an indexer, wherein the indexer comprises one or more partitions of field searchable, time stamped event records of the plurality of partitions;
determining partitions of field searchable, time stamped event records responsive to the collection query;
determining an extraction rule associated with the field name, wherein the extraction rule comprises instructions applied to identify and extract a field value associated with the field name;
extracting the field value corresponding to the field name from one or more event records in responsive partitions using the extraction rule; and
populating the respective summarization table responsive to each extracted field value, wherein each entry comprises the field name, the corresponding field value and a posting value that identifies a location in a corresponding partition where an associated event record is stored;
receiving a first incoming search query from a search head;
generating a partial result to the first incoming search query using summarization tables generated corresponding to each partition of field searchable, time stamped event records; and
generating a result set responsive to the first incoming search query, wherein the result set is generated using the partial result, wherein the search head is operable to combine partial result sets returned from each partition of field searchable, time stamped event records to generate the result set.
1 Assignment
0 Petitions
Abstract
Embodiments are directed towards the transparent summarization of events. Queries directed towards summarizing and reporting on event records may be received at a search head. Search heads may be associated with one or more indexers containing event records. The search head may forward the query to the indexers that can resolve the query for concurrent execution. If a query is a collection query, indexers may generate summarization information based on event records located on the indexers. Event record fields included in the summarization information may be determined based on terms included in the collection query. If a query is a stats query, each indexer may generate a partial result set from previously generated summarization information, returning the partial result sets to the search head. Collection queries may be saved and scheduled to run and periodically update the summarization information.
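The flow described by the first claim and the abstract (collection query builds a per-partition summarization table of field name, field value and posting value; a later stats query is answered from those tables and the search head combines the partial results), as an added Python example that is not part of the patent or any product; the event lines, partition names and extraction rules are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: two partitions (e.g. buckets on two indexers) of time-stamped raw machine data.
PARTITIONS = {
    "p1": [
        "2024-01-05T10:00:01Z sshd[101]: Failed password for root from 10.0.0.5",
        "2024-01-05T10:00:02Z sshd[101]: Accepted password for alice from 10.0.0.8",
        "2024-01-05T10:00:03Z sshd[101]: Failed password for root from 10.0.0.5",
    ],
    "p2": [
        "2024-01-05T10:00:04Z sshd[202]: Failed password for bob from 10.0.0.9",
        "2024-01-05T10:00:05Z cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
        "2024-01-05T10:00:06Z sshd[202]: Accepted publickey for alice from 10.0.0.8",
    ],
}

# Hypothetical extraction rules: field name -> regex whose group 1 is the field value.
EXTRACTION_RULES = {
    "user": re.compile(r"(?:password|publickey) for (\w+)"),
    "src": re.compile(r"from (\d+\.\d+\.\d+\.\d+)"),
}

def build_summary(partition, fields):
    """Indexer side: one summarization table per partition.
    Entry: (field name, field value) -> list of posting values (record offsets in the partition)."""
    table = defaultdict(list)
    for posting, event in enumerate(partition):
        for field in fields:
            match = EXTRACTION_RULES[field].search(event)
            if match:
                table[(field, match.group(1))].append(posting)
    return dict(table)

def run_collection_query(fields):
    """Search head forwards the collection query; every partition gets its own table."""
    return {pid: build_summary(events, fields) for pid, events in PARTITIONS.items()}

def partial_stats(table, field):
    """Indexer side: answer 'count by <field>' from the table alone, without rescanning raw events."""
    return Counter({value: len(postings) for (f, value), postings in table.items() if f == field})

def search_head_stats(summaries, field):
    """Search head: combine the partial result sets returned for each partition."""
    total = Counter()
    for table in summaries.values():
        total.update(partial_stats(table, field))
    return dict(total)

def lookup_events(summaries, field, value):
    """Posting values resolve back to the raw event records for drill-down."""
    return [PARTITIONS[pid][p] for pid, t in summaries.items() for p in t.get((field, value), [])]
```

A scheduled re-run of `run_collection_query` is what keeps the tables current as new events land in a partition; the stats path never touches raw events.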
27 Claims
1. A method comprising: (independent claim, reproduced in full above under First Claim)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A non-transitory computer-readable medium storing computer-executable instructions which, when executed by a processor, cause the processor to perform operations comprising:
providing a field searchable data store comprising a plurality of partitions of field searchable, time stamped event records, each event record comprising a time-stamped portion of raw machine data;
receiving a collection query that references a field name, wherein the field name corresponds to at least one field value, and wherein the collection query comprises commands to generate summarization information for one or more field names included therein;
responsive to the collection query, generating a respective summarization table for each partition of field searchable, time stamped event records by:
forwarding the collection query to an indexer, wherein the indexer comprises one or more partitions of field searchable, time stamped event records of the plurality of partitions;
determining partitions of field searchable, time stamped event records responsive to the collection query;
determining an extraction rule associated with the field name, wherein the extraction rule comprises instructions applied to identify and extract a field value associated with the field name;
extracting the field value corresponding to the field name from one or more event records in responsive partitions using the extraction rule; and
populating the respective summarization table responsive to each extracted field value, wherein each entry comprises the field name, the corresponding field value and a posting value that identifies a location in a corresponding partition where an associated event record is stored;
receiving a first incoming search query from a search head;
generating a partial result to the first incoming search query using summarization tables generated corresponding to each partition of field searchable, time stamped event records; and
generating a result set responsive to the first incoming search query, wherein the result set is generated using the partial result, wherein the search head is operable to combine partial result sets returned from each partition of field searchable, time stamped event records to generate the result set.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24
25. A system comprising:
at least one memory storing computer-executable instructions; and
at least one processor, wherein the at least one processor is configured to access the at least one memory and to execute the computer-executable instructions to:
provide a field searchable data store comprising a plurality of partitions of field searchable, time stamped event records, each event record comprising a time-stamped portion of raw machine data;
receive a collection query that references a field name, wherein the field name corresponds to at least one field value, and wherein the collection query comprises commands to generate summarization information for one or more field names included therein;
responsive to the collection query, generate a respective summarization table for each partition of field searchable, time stamped event records by:
forwarding the collection query to an indexer, wherein the indexer comprises one or more partitions of field searchable, time stamped event records of the plurality of partitions;
determining partitions of field searchable, time stamped event records responsive to the collection query;
determining an extraction rule associated with the field name, wherein the extraction rule comprises instructions applied to identify and extract a field value associated with the field name;
extracting the field value corresponding to the field name from one or more event records in responsive partitions using the extraction rule; and
populating the respective summarization table responsive to each extracted field value, wherein each entry comprises the field name, the corresponding field value and a posting value that identifies a location in a corresponding partition where an associated event record is stored;
receiving a first incoming search query from a search head;
generating a partial result to the first incoming search query using summarization tables generated corresponding to each partition of field searchable, time stamped event records; and
generating a result set responsive to the first incoming search query, wherein the result set is generated using the partial result, wherein the search head is operable to combine partial result sets returned from each partition of field searchable, time stamped event records to generate the result set.
Dependent claims: 26, 27