Cross-system journey monitoring based on relation of machine data

US 10,678,804 B2
Filed: 09/25/2017
Issued: 06/09/2020
Est. Priority Date: 09/25/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining information describing a user journey, the user journey comprising a plurality of steps,wherein each step of the plurality of steps corresponds to a query to be applied to one or more field-searchable data stores storing a plurality of events, wherein each event of the plurality of events includes a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;

relating, based on the obtained information, a set of events returned as a result of the plurality of queries, wherein relating the set of events is based on one or more stitching schemes, wherein a stitching scheme indicates a relation between information included in a first event and information included in a second event, and wherein relating the set of events based on a particular stitching scheme comprises;

identifying that a same entity is associated with a first particular event of the set of events and a second particular event of the set of events, the first particular event being associated with a first data source and the second particular event being associated with a second data source; and

causing display of results of the relating.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for cross-system journey modeling based on relation of machine data. An example method includes obtaining information describing a user journey that includes multiple steps, each step corresponding to a query to be applied to one or more field-searchable data stores storing events, each event including a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment, and each event being associated with a timestamp extracted from the portion of machine data of that event. Events returned as a result of the query of each step are related. The results of the relating are displayed.

Citations

29 Claims

1. A method comprising:
- obtaining information describing a user journey, the user journey comprising a plurality of steps,wherein each step of the plurality of steps corresponds to a query to be applied to one or more field-searchable data stores storing a plurality of events, wherein each event of the plurality of events includes a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
  
  relating, based on the obtained information, a set of events returned as a result of the plurality of queries, wherein relating the set of events is based on one or more stitching schemes, wherein a stitching scheme indicates a relation between information included in a first event and information included in a second event, and wherein relating the set of events based on a particular stitching scheme comprises;
  
  identifying that a same entity is associated with a first particular event of the set of events and a second particular event of the set of events, the first particular event being associated with a first data source and the second particular event being associated with a second data source; and
  
  causing display of results of the relating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the obtained information specifies at least one data source associated with machine data corresponding to at least one step of the plurality of steps.
  - 3. The method of claim 1, wherein the obtained information specifies at least one data source for each step, and wherein the query corresponding to each step are applied to events associated with the at least one data source specified for the step.
  - 4. The method of claim 1, wherein events are associated with one or more corresponding data sources, and wherein events associated with each data source include values for a respective plurality of fields, and wherein the query corresponding to each step are associated with one or more of the fields.
  - 5. The method of claim 1, wherein events are associated with one or more corresponding data sources, and wherein events associated with each data source include values for a respective plurality of fields, and wherein the query corresponding to a particular step identify values to be identified in respective fields.
  - 6. The method of claim 1, wherein each event is associated with a respective entity.
  - 7. The method of claim 1, wherein the events returned as a result of the query corresponding to each of the plurality of steps are related as being associated with respective entities.
  - 8. The method of claim 1, wherein relating a set of events comprises:
    - executing the query corresponding to each step; and
      
      determining, based on events returned as a result of the executed queries, the set of events associated with respective entities.
  - 9. The method of claim 1, wherein relating a set of events comprises:
    - executing, in parallel, the query corresponding to each of the plurality of steps; and
      
      determining, based on events returned as a result of the executed queries, the set of events associated with respective entities.
  - 10. The method of claim 1, wherein relating the set of events is based on a session identifier included in the events.
  - 11. The method of claim 1, wherein relating the set of events is based on a user identifier included in the events.
  - 12. The method of claim 1, wherein events are associated with one or more corresponding data sources, wherein each event associated with the first data source includes a first field whose value is indicative of an entity associated with the event and each event associated the second data source includes a second field whose value is indicative of an entity associated with the event,and wherein the method further comprises:
    - determining, based on a specified stitching scheme associated with the first data source and the second data source, that a value of the first field corresponds with a value of the second field.
  - 13. The method of claim 1, wherein events are associated with one or more corresponding data sources, wherein each event associated with the first data source includes a first field whose value is indicative of an entity associated with the event and each event associated the second data source includes a second field whose value is indicative of an entity associated with the event,and wherein the method further comprises:
    - determining, based on a specified stitching scheme associated with the first data source and the second data source that a value of the first field corresponds via a lookup table with a value of the second field.
  - 14. The method of claim 1, wherein the obtained information identifies an initial step and a final step, and wherein one or more paths from the initial step to the final step are determined based on the relating, each path indicating a unique traversal order of steps.
  - 15. The method of claim 1, further comprising providing, for presentation on a user device, a user journey creation interface, wherein the user journey creation interface:
    - presents steps available to be included in a user journey; and
      
      causes, in response to selection of one or more steps, creation of a user journey.
  - 16. The method of claim 1, further comprising providing, for presentation on a user device, a user journey creation interface, wherein the user journey creation interface:
    - presents, for a particular data source, fields included in events associated with the particular data source;
      
      receives selection of a field, and presents values associated with the field, the values being obtained from events associated with the particular data source; and
      
      presents steps available to be included in a user journey, each step corresponding to query identifying one of the presented values.
  - 17. The method of claim 1, wherein statistical information is determined for each step.
  - 18. The method of claim 1, wherein statistical information is determined for each step, and wherein statistical information for a step indicates an average time associated with completion of the step.
  - 19. The method of claim 1, wherein a display of the results comprises a graphical depiction of the user journey, the graphical depiction presenting statistical information associated with each step included in the user journey.
  - 20. The method of claim 1, wherein a display of the results comprises a graphical depiction of the user journey, and wherein the method further comprises:
    - receive, from a user viewing the display, selection of a particular entity; and
      
      updating the graphical depiction of the user journey to present times at which the particular entity completed each step.
  - 21. The method of claim 1, wherein a display of the results comprises a timeline associated with touchpoints associated with a particular entity, wherein each touchpoint is determined based on occurrences of each step that are associated with the particular entity, and wherein the timeline represents interactions of the particular entity with the information technology environment.

22. A computing system, comprising:
- one or more processing devices configured to;
  
  obtain information describing a user journey, the user journey comprising a plurality of steps,wherein each step of the plurality of steps corresponds to a query to be applied to one or more field-searchable data stores storing a plurality of events, wherein each event of the plurality of events includes a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
  
  relate, based on the obtained information, a set of events returned as a result of the plurality of queries, wherein relating the set of events is based on one or more stitching schemes, wherein a stitching scheme indicates a relation between information included in a first event and information included in a second event, and wherein relating the set of events based on a particular stitching scheme comprises;
  
  identifying that a same entity is associated with a first particular event of the set of events and a second particular event of the set of events, the first particular event being associated with a first data source and the second particular event being associated with a second data source; and
  
  cause display of results of the relating.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The system of claim 22, wherein relating a set of events comprises:
    - executing the query corresponding to each step; and
      
      determining, based on events returned as a result of the executed queries, the set of events associated with respective entities.
  - 24. The system of claim 22, wherein relating a set of events comprises:
    - executing, in parallel, the query corresponding to each of the plurality of steps; and
      
      determining, based on events returned as a result of the executed queries, the set of events associated with respective entities.
  - 25. The system of claim 22, wherein the processing devices are further configured to:
    - provide, for presentation on a user device, a user journey creation interface, wherein the user journey creation interface;
      
      presents steps available to be included in a user journey; and
      
      causes, in response to selection of one or more steps, creation of a user journey.
  - 26. The system of claim 22, wherein a display of the results comprises a graphical depiction of the user journey, the graphical depiction presenting statistical information associated with each step included in the user journey.

27. Non-transitory computer readable media comprising computer-executable instructions that, when executed by a computing system, cause the computing system to:
- obtain information describing a user journey, the user journey comprising a plurality of steps,wherein each step of the plurality of steps corresponds to a query to be applied to one or more field-searchable data stores storing a plurality of events, wherein each event of the plurality of events includes a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment, wherein each event is associated with a timestamp extracted from the portion of machine data of that event;
  
  relate, based on the obtained information, a set of events returned as a result of the plurality of queries, wherein relating the set of events is based on one or more stitching schemes, wherein a stitching scheme indicates a relation between information included in a first event and information included in a second event, and wherein relating the set of events based on a particular stitching scheme comprises;
  
  identifying that a same entity is associated with a first particular event of the set of events and a second particular event of the set of events, the first particular event being associated with a first data source and the second particular event being associated with a second data source; and
  
  cause display of results of the relating.
- View Dependent Claims (28, 29)
- - 28. The computer readable medium of claim 27, wherein relating a set of events comprises:
    - executing the query corresponding to each step; and
      
      determining, based on events returned as a result of the executed queries, the set of events associated with respective entities.
  - 29. The computer readable medium of claim 27, wherein relating events comprises:
    - executing, in parallel, the query corresponding to each of the plurality of steps; and
      
      determining, based on events returned as a result of the executed queries, events associated with respective entities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Beringer, Joerg, Park, Isabelle
Primary Examiner(s)
Mackes, Kris E

Application Number

US15/715,074
Publication Number

US 20190095502A1
Time in Patent Office

988 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2457 with adaptation to user needs

G06F 16/248 Presentation of query results

Cross-system journey monitoring based on relation of machine data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-system journey monitoring based on relation of machine data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links