SEARCHING FOR ASSOCIATED EVENTS IN LOG DATA

US 20130185286A1
Filed: 11/05/2012
Published: 07/18/2013
Est. Priority Date: 10/02/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a query searching for associated events in log data, the associated events being multiple events that are related to one another by a common component;

parsing the received query, including;

locating a reserved term from the received query;

identifying, from a portion of the received query after the reserved term, an intermediate component of the received query; and

identifying, from a portion of the received query preceding the reserved term, a final component of the received query;

forming and then performing an intermediate query for the intermediate component, including determining, using the intermediate query, one or more keywords for including in a final query for the final component;

forming the final query using a result of performing the intermediate query;

merging the result of performing the intermediate query and a result of performing the final query; and

designating the merged results as the associated events in response to the received query,wherein the method is performed by one or more computers.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To retrieve a sequence of associated events in log data, a request expression is parsed to retrieve types of dependencies between events which are searched, and the constraints (e.g., keywords) which characterize each event. Based on the parsing results, query components can be formed, expressing the constraints for individual events and interrelations (e.g., time spans) between events. A resultant span query comprising the query components can then be run against an index of events, which encodes a mutual location of associated events in storage.

Citations

18 Claims

1. A method, comprising:
- receiving a query searching for associated events in log data, the associated events being multiple events that are related to one another by a common component;
  
  parsing the received query, including;
  
  locating a reserved term from the received query;
  
  identifying, from a portion of the received query after the reserved term, an intermediate component of the received query; and
  
  identifying, from a portion of the received query preceding the reserved term, a final component of the received query;
  
  forming and then performing an intermediate query for the intermediate component, including determining, using the intermediate query, one or more keywords for including in a final query for the final component;
  
  forming the final query using a result of performing the intermediate query;
  
  merging the result of performing the intermediate query and a result of performing the final query; and
  
  designating the merged results as the associated events in response to the received query,wherein the method is performed by one or more computers.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein:
    - the common component includes at least one of a device or a user, andthe reserved term includes a reserved word for identifying the device or a reserved word for identifying the user.
  - 3. The method of claim 2, wherein the reserved word for identifying the device is “
    - which” and
      
      the reserved word for identifying the user is “
      
      who.”
  - 4. The method of claim 1, wherein the result of the intermediate query is designated as a selection constraint in the final query.
  - 5. The method of claim 1, wherein designating the merged results as the associated events comprises:
    - providing for display a user interface view that presents an individual event from the intermediate query along with a set of events from the final query associated with the individual event.
  - 6. The method of claim 1, wherein each of the received query, the intermediate query, and the final query is written in a structured query language.

7. A system comprising:
- a storage device operable for storing one or more events as log messages; and
  
  a processor coupled to the storage device and configured to perform operations comprising;
  
  receiving a query searching for associated events in log data, the associated events being multiple events that are related to one another by a common component;
  
  parsing the received query, including;
  
  locating a reserved term from the received query;
  
  identifying, from a portion of the received query after the reserved term, an intermediate component of the received query; and
  
  identifying, from a portion of the received query preceding the reserved term, a final component of the received query;
  
  forming and then performing an intermediate query for the intermediate component, including determining, using the intermediate query, one or more keywords for including in a final query for the final component;
  
  forming the final query using a result of performing the intermediate query;
  
  merging the result of performing the intermediate query and a result of performing the final query; and
  
  designating the merged results as the associated events in response to the received query.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein:
    - the common component includes at least one of a device or a user, andthe reserved term includes a reserved word for identifying the device or a reserved word for identifying the user.
  - 9. The system of claim 8, wherein the reserved word for identifying the device is “
    - which” and
      
      the reserved word for identifying the user is “
      
      who.”
  - 10. The system of claim 7, wherein the result of the intermediate query is designated as a selection constraint in the final query.
  - 11. The system of claim 7, wherein designating the merged results as the associated events comprises:
    - providing for display a user interface view that presents an individual event from the intermediate query along with a set of events from the final query associated with the individual event.
  - 12. The system of claim 7, wherein each of the received query, the intermediate query, and the final query is written in a structured query language.

13. A non-transitory storage device storing instructions operable to cause one or more computers to perform operations comprising:
- receiving a query searching for associated events in log data, the associated events being multiple events that are related to one another by a common component;
  
  parsing the received query, including;
  
  locating a reserved term from the received query;
  
  identifying, from a portion of the received query after the reserved term, an intermediate component of the received query;
  
  identifying, from a portion of the received query preceding the reserved term, a final component of the received query;
  
  forming and then performing an intermediate query for the intermediate component, including determining, using the intermediate query, one or more keywords for including in a final query for the final component;
  
  forming the final query using a result of performing the intermediate query;
  
  merging the result of performing the intermediate query and a result of performing the final query; and
  
  designating the merged results as the associated events in response to the received query.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory storage device of claim 13, wherein:
    - the common component includes at least one of a device or a user, andthe reserved term includes a reserved word for identifying the device or a reserved word for identifying the user.
  - 15. The non-transitory storage device of claim 14, wherein the reserved word for identifying the device is “
    - which” and
      
      the reserved word for identifying the user is “
      
      who.”
  - 16. The non-transitory storage device of claim 13, wherein the result of the intermediate query is designated as a selection constraint in the final query.
  - 17. The non-transitory storage device of claim 13, wherein designating the merged results as the associated events comprises:
    - providing for display a user interface view that presents an individual event from the intermediate query along with a set of events from the final query associated with the individual event.
  - 18. The non-transitory storage device of claim 13, wherein each of the received query, the intermediate query, and the final query is written in a structured query language.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cloud Software Group
Original Assignee
TIBCO Software Incorporated (Cloud Software Group)
Inventors
Galitsky, Boris, Botros, Sherif

Granted Patent

US 9,171,037 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/722
CPC Class Codes

G06F 16/245   Query processing

G06F 16/332   Query formulation

G06F 16/3335   Syntactic pre-processing, e...

SEARCHING FOR ASSOCIATED EVENTS IN LOG DATA

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SEARCHING FOR ASSOCIATED EVENTS IN LOG DATA

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links