Query handling for field searchable raw machine data
Abstract
Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name and evaluating the incoming search query. Furthermore, responsive to the evaluating, the method comprises determining results for the incoming search query using the field searchable datastore or the inverted index.
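The flow described in the abstract, as an added Python sketch that is not taken from the patent or from any product implementing it. The `key=value` extraction rule, the use of a list offset as the posting value, the AND semantics between query terms, and the sample events are all assumptions made for illustration.

```python
import re

# Constructed sample events: time-stamped raw machine data (not from the patent).
RAW_EVENTS = [
    "2024-05-01T10:00:01Z sshd[811]: Failed password for root user=root src=203.0.113.7",
    "2024-05-01T10:00:05Z sshd[811]: Accepted password user=alice src=198.51.100.4",
    "2024-05-01T10:00:09Z sshd[812]: Failed password for invalid user user=bob src=203.0.113.7",
    "2024-05-01T10:00:12Z nginx: GET /login status=200 src=203.0.113.7",
]

# Assumed extraction rule: a field is any name=value token in the raw text.
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def build_inverted_index(datastore):
    """Map (field name, field value) -> set of posting values.

    A posting value here is the event's offset in the datastore list,
    i.e. the location where the event is stored.
    """
    index = {}
    for posting, event in enumerate(datastore):
        for name, value in FIELD_RE.findall(event):
            index.setdefault((name, value), set()).add(posting)
    return index

def decompose(query):
    """Split a query into field terms (addressable by the inverted index)
    and keywords (addressable by the field searchable datastore)."""
    fields, keywords = [], []
    for term in query.split():
        match = FIELD_RE.fullmatch(term)
        if match:
            fields.append(match.groups())
        else:
            keywords.append(term.lower())
    return fields, keywords

def search(query, datastore, index):
    """Run field terms against the index and keywords against the datastore."""
    fields, keywords = decompose(query)
    candidates = set(range(len(datastore)))
    for key in fields:
        # Field part: intersect posting sets; an unknown field/value yields no hits.
        candidates &= index.get(key, set())
    # Keyword part: match the raw text of the events the postings point to.
    return [datastore[p] for p in sorted(candidates)
            if all(k in datastore[p].lower() for k in keywords)]

DATASTORE = list(RAW_EVENTS)
INDEX = build_inverted_index(DATASTORE)
```

With these events, `search("failed src=203.0.113.7", DATASTORE, INDEX)` resolves `src=203.0.113.7` to postings through the index and then keeps only the pointed-to events whose raw text contains `failed`.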
24 Claims
1. A method for searching data, the method comprising:
- providing an inverted index that comprises at least one record comprising at least one field name and a corresponding at least one field value extracted from time-stamped searchable events, the time-stamped searchable events comprising portions of raw machine data and stored in a field searchable datastore, wherein the at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored;
- receiving an incoming search query that references a field name, wherein the incoming search query comprises keywords and the field name;
- evaluating the incoming search query, wherein the evaluating comprises decomposing the search query to analyze it and determine respective portions of the search query addressable by the field searchable datastore and by the inverted index; and
- responsive to the evaluating, determining results for the incoming search query by executing the search query across the field searchable datastore or the inverted index or both, wherein the field name in the search query is used to perform a search of the inverted index, and wherein a search for the keywords is serviced using the field searchable datastore.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A network device that is operative for searching data, the network device comprising:
- a memory that is operative to store at least one instruction; and
- a processor device that is operative to execute instructions that enable actions, the actions comprising;
- providing an inverted index that comprises at least one record comprising at least one field name and a corresponding at least one field value extracted from time-stamped searchable events, wherein the time-stamped searchable events comprise portions of raw machine data and are stored in a field searchable datastore, wherein said at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored;
- receiving an incoming search query that references a field name, wherein the incoming search query comprises keywords and the field name;
- evaluating the incoming search query, wherein the evaluating comprises decomposing the search query to analyze it and determine respective portions of the search query addressable by the field searchable datastore and by the inverted index; and
- responsive to the evaluating, determining results for the incoming search query by executing the search query across the field searchable datastore or the inverted index or both, wherein the field name in the search query is used to perform a search of the inverted index, and wherein a search for the keywords is serviced using the field searchable datastore.

Dependent claims: 10, 11, 12, 13, 14, 15, 16

17. A processor readable non-transitive storage media that includes instructions wherein execution of the instructions by a processor device enables actions, wherein the actions comprise:
- providing an inverted index that comprises at least one record comprising at least one field name and a corresponding at least one field value extracted from time-stamped searchable events, the time-stamped searchable events comprising portions of raw machine data and stored in a field searchable datastore, wherein the at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored;
- receiving an incoming search query that references a field name, wherein the incoming search query comprises keywords and the field name;
- evaluating the incoming search query, wherein the evaluating comprises decomposing the search query to analyze it and determine respective portions of the search query addressable by the field searchable datastore and by the inverted index; and
- responsive to the evaluating, determining results for the incoming search query by executing the search query across the field searchable datastore or the inverted index or both, wherein the field name in the search query is used to perform a search of the inverted index, and wherein a search for the keywords is serviced using the field searchable datastore.

Dependent claims: 18, 19, 20, 21, 22, 23, 24

Specification