Determining events associated with a value
Abstract
Embodiments are directed towards real-time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generated and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real-time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.
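The flow the abstract describes (apply a regular-expression extraction rule to raw events, count each unique extracted value, emphasize the extracted text in the events, and show the events for a selected value) is sketched below as an added example; it is not code from the patent or from any product. The log lines, the `src_ip` field name, the rule and the `**` emphasis markers are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events (raw machine data in textual form); not from the patent.
EVENTS = [
    "Jan 10 03:12:01 host1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2",
    "Jan 10 03:12:04 host1 sshd[811]: Failed password for admin from 203.0.113.7 port 40113 ssh2",
    "Jan 10 03:13:15 host1 sshd[902]: Accepted password for alice from 192.0.2.10 port 51514 ssh2",
    "Jan 10 03:14:40 host1 sshd[915]: Failed password for root from 198.51.100.23 port 33871 ssh2",
    "Jan 10 03:15:02 host1 cron[120]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Hypothetical extraction rule: the named group "src_ip" defines the field.
RULE = re.compile(r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port")

def extract(events, rule):
    """Apply the rule to each event; return (event, match-or-None) pairs."""
    return [(e, rule.search(e)) for e in events]

def value_counts(pairs, field):
    """Count of each unique extracted value, most frequent first."""
    return Counter(m.group(field) for _, m in pairs if m).most_common()

def emphasize(event, match, field, mark="**"):
    """Wrap only the extracted subportion of the event text in markers."""
    if match is None:
        return event  # events the rule does not match are shown unchanged
    start, end = match.span(field)
    return event[:start] + mark + event[start:end] + mark + event[end:]

def events_for_value(pairs, field, selected):
    """Events whose extracted value equals the user-selected value."""
    return [e for e, m in pairs if m and m.group(field) == selected]

if __name__ == "__main__":
    pairs = extract(EVENTS, RULE)
    for value, count in value_counts(pairs, "src_ip"):  # first display area
        print(f"{value:>15}  {count}")
    for e, m in pairs:                                   # second display area
        print(emphasize(e, m, "src_ip"))
```

Editing `RULE` and re-running corresponds to the abstract's manual edit of an extraction rule followed by updated values; events the rule misses (the cron line here) contribute no value and no count.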
21 Claims
1. A computer-implemented method, comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events that each include a portion of raw machine data in textual form being produced by a component within an information technology environment and reflecting activity within the information technology environment, wherein the field-searchable data store of events is field-searchable such that a plurality of search queries each containing at least one criterion for a field is executable against the events in the field-searchable data store to cause comparison between the at least one criterion and values extracted from the events by an extraction rule defining the field;
- applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values;
- for a first unique extracted value and a second unique extracted value in the extracted set of values, determining a first count of a first unique extracted value in a field defined by the extraction rule and a second count of a second unique extracted value in the field defined by the extraction rule;
- causing display of a first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count of the first unique extracted value in the field defined by the extraction rule and the second count of the second unique extracted value in the field defined by the extraction rule; and
- causing display of a second display area that presents at least a portion of the events, wherein the first unique extracted value and the second unique extracted value are visually emphasized in the displayed events, wherein the method is performed by one or more computing devices.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 20, 21
10. A non-transitory computer readable storage medium impressed with computer program instructions that, when executed on a processor, implement a method comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events that each include a portion of raw machine data in textual form being produced by a component within an information technology environment and reflecting activity within the information technology environment, wherein the field-searchable data store of events is field-searchable such that a plurality of search queries each containing at least one criterion for a field is executable against the events in the field-searchable data store to cause comparison between the at least one criterion and values extracted from the events by an extraction rule defining the field;
- applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values;
- for a first unique extracted value and a second unique extracted value in the extracted set of values, determining a first count of a first unique extracted value in a field defined by the extraction rule and a second count of a second unique extracted value in the field defined by the extraction rule;
- causing display of a first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count of the first unique extracted value in the field defined by the extraction rule and the second count of the second unique extracted value in the field defined by the extraction rule; and
- causing display of a second display area that presents at least a portion of the events, wherein the first unique extracted value and the second unique extracted value are visually emphasized in the displayed events, wherein the method is performed by one or more computing devices.

Dependent claims: 11, 12, 13, 14
15. A system including one or more processors coupled to memory, the memory loaded with computer instructions that, when executed on the processors, implement actions comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events that each include a portion of raw machine data in textual form being produced by a component within an information technology environment and reflecting activity within the information technology environment, wherein the field-searchable data store of events is field-searchable such that a plurality of search queries each containing at least one criterion for a field is executable against the events in the field-searchable data store to cause comparison between the at least one criterion and values extracted from the events by an extraction rule defining the field;
- applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values;
- for a first unique extracted value and a second unique extracted value in the extracted set of values, determining a first count of a first unique extracted value in a field defined by the extraction rule and a second count of a second unique extracted value in the field defined by the extraction rule;
- causing display of a first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count of the first unique extracted value in the field defined by the extraction rule and the second count of the second unique extracted value in the field defined by the extraction rule; and
- causing display of a second display area that presents at least a portion of the events, wherein the first unique extracted value and the second unique extracted value are visually emphasized in the displayed events, wherein the method is performed by one or more computing devices.

Dependent claims: 16, 17, 18, 19
Specification