Directly field searchable and indirectly searchable by inverted indexes raw machine datastore
Abstract
Embodiments are directed towards a method for searching data. The method comprises generating an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name. Furthermore, the method comprises generating results to the incoming search query based on the field searchable datastore, wherein the field searchable datastore is directly searchable by the field name.
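The following sketch is an added illustration of the search flow the abstract and first claim describe. It is not code from the patent or from any product, and the `Datastore` class, the `key=value` extraction rule, the query syntax and the sample events are all assumptions made for the example. Field terms covered by the inverted index are resolved to posting values (byte offsets), while keywords and non-indexed fields are evaluated directly against the stored raw events.

```python
import re
from collections import defaultdict
# Constructed sample events (time-stamped raw machine data); not from the patent.
RAW_EVENTS = [
    "2024-05-01T10:00:01Z sshd failed password user=root src=203.0.113.7",
    "2024-05-01T10:00:05Z sshd accepted password user=alice src=198.51.100.4",
    "2024-05-01T10:00:09Z sshd failed password user=alice src=203.0.113.7",
    "2024-05-01T10:00:12Z sudo session opened user=root tty=pts/0",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")  # assumed key=value extraction rule

class Datastore:
    """Hypothetical field searchable store: raw events addressed by byte offset."""
    def __init__(self, events):
        self.buf, self.offsets = bytearray(), []
        for event in events:
            self.offsets.append(len(self.buf))
            self.buf += event.encode() + b"\n"
    def read(self, offset):
        return self.buf[offset:self.buf.index(b"\n", offset)].decode()

def build_inverted_index(store, indexed_fields):
    """Map (field name, field value) -> posting values (offsets into the store)."""
    index = defaultdict(list)
    for offset in store.offsets:
        for name, value in FIELD_RE.findall(store.read(offset)):
            if name in indexed_fields:
                index[(name, value)].append(offset)
    return index

def decompose(query, indexed_fields):
    """Split a query into keywords, index-served terms and store-served terms."""
    fields = [tuple(t.split("=", 1)) for t in query.split() if "=" in t]
    keywords = [t for t in query.split() if "=" not in t]
    via_index = [f for f in fields if f[0] in indexed_fields]
    return keywords, via_index, [f for f in fields if f not in via_index]

def search(store, index, indexed_fields, query):
    keywords, via_index, direct = decompose(query, indexed_fields)
    candidates = set(store.offsets)
    for term in via_index:  # posting values narrow which events are read at all
        candidates &= set(index.get(term, ()))
    hits = []
    for offset in sorted(candidates):
        event = store.read(offset)
        extracted = dict(FIELD_RE.findall(event))  # field extraction at search time
        if set(keywords) <= set(event.split()) and all(extracted.get(n) == v for n, v in direct):
            hits.append(event)
    return hits
```

With only `user` indexed, a query such as `failed user=alice src=203.0.113.7` reads just the two events posted under `user=alice` and applies the keyword and `src` checks to those.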
21 Claims
1. A method for searching data, the method comprising:
- generating an inverted index that comprises at least one record comprising at least one field name and a corresponding at least one field value extracted from time-stamped searchable events comprising portions of raw machine data and stored in a field searchable datastore, wherein each of the at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored;
- receiving an incoming search query that references a field name from the at least one field name, wherein the incoming search query comprises keywords and the field name;
- evaluating the incoming search query, wherein the evaluating comprises decomposing the search query and determine respective portions of the search query directly addressable by the field searchable datastore and portions for which the field searchable datastore is searchable by entries corresponding to the field name in the inverted index; and
- generating results for the incoming search query based on the field searchable datastore, wherein the field searchable datastore is directly searchable by the field name or searchable by entries corresponding to the field name in the inverted index, wherein posting values corresponding to the entries in the inverted index are used to access the field searchable datastore, and further wherein a search for the keywords is directly addressed using the field searchable data store.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A network device that is operative for searching data, the device comprising:
- a transceiver that is operative to communicate over a network;
- a memory that is operative to store at least one instruction; and
- a processor device that is operative to execute instructions that enable actions, the actions comprising;
  - generating an inverted index that comprises at least one record comprising at least one field name and a corresponding at least one field value extracted from time-stamped searchable events comprising portions of raw machine data and stored in a field searchable datastore, wherein each of the at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored;
  - receiving an incoming search query that references a field name from the at least one field name, wherein the incoming search query comprises keywords and the field name;
  - evaluating the incoming search query, wherein the evaluating comprises decomposing the search query and determine respective portions of the search query directly addressable by the field searchable datastore and portions for which the field searchable datastore is searchable by entries corresponding to the field name in the inverted index; and
  - generating results for the incoming search query based on the field searchable datastore, wherein the field searchable datastore is directly searchable by the field name or searchable by entries corresponding to the field name in the inverted index, wherein posting values corresponding to the entries in the inverted index are used to access the field searchable datastore, and further wherein a search for the keywords is directly addressed using the field searchable data store.

Dependent claims: 9, 10, 11, 12, 13, 14
15. A processor readable non-transitive storage media that includes instructions wherein execution of the instructions by a processor device enables actions, wherein the actions comprise:
- generating an inverted index that comprises at least one record comprising at least one field name and a corresponding at least one field value extracted from time-stamped searchable events comprising portions of raw machine data and stored in a field searchable datastore, wherein each of the at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored;
- receiving an incoming search query that references a field name from the at least one field name, wherein the incoming search query comprises keywords and the field name;
- evaluating the incoming search query, wherein the evaluating comprises decomposing the search query and determine respective portions of the search query directly addressable by the field searchable datastore and portions for which the field searchable datastore is searchable by entries corresponding to the field name in the inverted index; and
- generating results for the incoming search query based on the field searchable datastore, wherein the field searchable datastore is directly searchable by the field name or searchable by entries corresponding to the field name in the inverted index, wherein posting values corresponding to the entries in the inverted index are used to access the field searchable datastore, and further wherein a search for the keywords is directly addressed using the field searchable data store.

Dependent claims: 16, 17, 18, 19, 20, 21
Specification