SUPPLEMENTING A HIGH PERFORMANCE ANALYTICS STORE WITH EVALUATION OF INDIVIDUAL EVENTS TO RESPOND TO AN EVENT QUERY
Abstract
Embodiments are directed towards the transparent summarization of events. Queries directed towards summarizing and reporting on event records may be received at a search head. Search heads may be associated with one or more indexers containing event records. The search head may forward the query to the indexers that can resolve the query for concurrent execution. If a query is a collection query, indexers may generate summarization information based on event records located on the indexers. Event record fields included in the summarization information may be determined based on terms included in the collection query. If a query is a stats query, each indexer may generate a partial result set from previously generated summarization information, returning the partial result sets to the search head. Collection queries may be saved and scheduled to run and periodically update the summarization information.
43 Claims
1-30. (canceled)

31. A computer implemented method, comprising:

receiving raw data at a computing device;

generating event records, wherein each of the event records includes a portion of the raw data and is associated with a time derived from the portion of raw data included in the event record;

storing the event records in an indexed data store;

generating a summarization table that:
identifies one or more field-value combinations, wherein a field-value combination includes a field and a value that appears in one or more of the event records for that field, and wherein a data model or a command is used to identify one or more fields for inclusion in the summarization table; and
for each field-value combination, identifies a set of one or more posting values of event records that have the value for the field, wherein a posting value provides a way to retrieve the event to which it corresponds from the indexed data store;

receiving a query;

determining whether the query can be answered from the summarization table without evaluating individual event records; and

based on determining that the query cannot be answered from the summarization table without evaluating individual event records, evaluating individual event records to respond to the query.

Dependent claims: 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43.
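The method of claim 31 (raw data to event records, a summarization table of field-value combinations with posting values, and a decision about whether a query can be answered from that table or must fall back to scanning individual events) is illustrated below as an added, self-contained Python example. It is not code from the patent or from any product; the log lines, the key=value field extraction standing in for the claim's "data model or command", the query dictionary shape and every function name are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample raw data (not from the patent): one record per line,
# ISO-8601 timestamp first, then key=value fields.
RAW_LINES = [
    '2024-03-01T10:00:00Z host=web1 status=200 user=alice msg="GET /index ok"',
    '2024-03-01T10:00:05Z host=web2 status=500 user=bob msg="POST /login upstream timeout"',
    '2024-03-01T10:00:09Z host=web1 status=500 user=carol msg="GET /api timeout"',
    '2024-03-01T10:00:12Z host=web2 status=200 user=alice msg="GET /login ok"',
    '2024-03-01T10:00:20Z host=web1 status=404 user=dave msg="GET /missing"',
    '2024-03-01T10:00:25Z host=web2 status=500 user=bob msg="POST /login db error"',
]

# Hypothetical field extraction: key=value, with optional double-quoted values.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def extract_fields(text):
    """Extract field/value pairs from a record's raw text."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(text)}


def generate_events(raw_lines):
    """Each event record keeps a portion of the raw data and a time derived from it.
    The list index doubles as the posting value used to retrieve the event later."""
    events = []
    for posting, line in enumerate(raw_lines):
        ts, _, rest = line.partition(" ")
        events.append({
            "posting": posting,
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "raw": rest,
        })
    return events


def fetch(events, postings):
    """A posting value provides a way to retrieve the corresponding event."""
    return [events[p] for p in sorted(postings)]


class SummaryTable:
    """Summarization table: field -> value -> set of posting values.
    `fields` plays the role of the data model / command that chooses which
    fields are summarized; anything else is only available by scanning events."""

    def __init__(self, events, fields):
        self.fields = set(fields)
        self.all_postings = {e["posting"] for e in events}
        self.postings = defaultdict(lambda: defaultdict(set))
        for e in events:
            for field, value in extract_fields(e["raw"]).items():
                if field in self.fields:
                    self.postings[field][value].add(e["posting"])

    def can_answer(self, query):
        """True only if every field the query touches is summarized and the
        query needs no raw-text match (which the table does not record)."""
        if "contains" in query:
            return False
        referenced = set(query.get("where", {}))
        if "by" in query:
            referenced.add(query["by"])
        return referenced <= self.fields

    def matching_postings(self, where):
        """Intersect posting sets for each field=value condition."""
        ids = set(self.all_postings)
        for field, value in where.items():
            ids &= self.postings[field].get(value, set())
        return ids


def evaluate_events(events, query):
    """Fallback path: evaluate individual event records against the query."""
    matches = []
    for e in events:
        fields = extract_fields(e["raw"])
        if any(fields.get(f) != v for f, v in query.get("where", {}).items()):
            continue
        if "contains" in query and query["contains"] not in e["raw"]:
            continue
        matches.append((e["posting"], fields))
    return matches


def answer_query(events, table, query):
    """Return (result, answered_from_summary). Results are a count, or a
    dict of counts per value of the `by` field."""
    if table.can_answer(query):
        ids = table.matching_postings(query.get("where", {}))
        if "by" in query:
            result = {v: len(p & ids) for v, p in table.postings[query["by"]].items() if p & ids}
        else:
            result = len(ids)
        return result, True
    matches = evaluate_events(events, query)
    if "by" in query:
        counts = defaultdict(int)
        for _, fields in matches:
            if query["by"] in fields:
                counts[fields[query["by"]]] += 1
        return dict(counts), False
    return len(matches), False


if __name__ == "__main__":
    evs = generate_events(RAW_LINES)
    tbl = SummaryTable(evs, fields=["host", "status", "user"])
    for q in ({"where": {"status": "500"}, "by": "host"},
              {"where": {"status": "500"}, "contains": "timeout"},
              {"where": {"msg": "GET /missing"}}):
        print(q, "->", answer_query(evs, tbl, q))
```

The decision in `can_answer` is the one the claim turns on: a query whose fields are all in the table resolves from posting-set intersections without touching a single event, while a raw-text term or an unsummarized field forces the scan path. One caveat for anyone applying this to detection or reporting: the abstract notes that summaries are refreshed periodically, so a real implementation must also check that the table covers the query's time range, not just its fields, or a query over the most recent events will silently return stale counts.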