DISCOVERING FIELDS TO FILTER DATA RETURNED IN RESPONSE TO A SEARCH

US 20150026167A1
Filed: 07/31/2014
Published: 01/22/2015
Est. Priority Date: 09/07/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

discovering fields in events returned in response to an initial search query, wherein the events comprise portions of raw data, and the fields are defined by extraction rules for extracting values from corresponding portions of raw data;

causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;

receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields; and

causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Fields may be discovered in events that are returned in response to an initial search. The events may comprise portions of raw data. Furthermore, the fields may be defined by extraction rules for extracting values from corresponding portions of raw data. The displaying of a graphical user interface (GUI) may be caused where the GUI enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar. At least one criterion for at least one field from the subset of the discovered fields may be received through a portion of the GUI that does not include a search bar for entering a search query. The events returned in response to the initial search query may be caused to be filtered based on the received criterion.

Citations

30 Claims

1. A method comprising:
- discovering fields in events returned in response to an initial search query, wherein the events comprise portions of raw data, and the fields are defined by extraction rules for extracting values from corresponding portions of raw data;
  
  causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
  
  receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields; and
  
  causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the raw data included in the events includes machine data.
  - 3. The method of claim 1, further comprising:
    - determining a number of the returned events that comprise a first field of the discovered fields; and
      
      calculating a score for the first field based on the number of the returned events that comprise the first field, wherein the subset of the discovered fields is selected to be displayed in the GUI based on the calculated score.
  - 4. The method of claim 1, further comprising:
    - determining a number of unique values of a first field of the discovered fields; and
      
      calculating a score for the first field based on the number of unique values of the first field, wherein the subset of the discovered fields is selected to be displayed in the GUI based on the calculated score.
  - 5. The method of claim 1, wherein causing the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field comprises:
    - generating a filtering search query that includes the at least one criterion for the at least one field; and
      
      applying the filtering search query to the events returned in response to the initial search query.
  - 6. The method of claim 1, wherein the raw data included in the events includes unstructured data.
  - 7. The method of claim 1, further comprising:
    - calculating a score for each of the discovered fields; and
      
      receiving a threshold percentage of the discovered fields to display in the GUI, wherein the subset of the discovered fields are selected to be displayed in the GUI based on the threshold percentage and the calculated score for each of the discovered fields, wherein the threshold percentage indicates a percentage of the discovered fields to be selected to be displayed in the GUI.
  - 8. The method of claim 1, wherein receiving through the GUI the at least one criterion for the at least one field comprises:
    - causing display of a text box for entering at least a portion of the at least one criterion for the at least one field.
  - 9. The method of claim 1, further comprising:
    - generating a data model based on discovered fields and the initial search query.
  - 10. The method of claim 1, further comprising:
    - generating a data model based on the discovered fields; and
      
      modifying a search defining events to which a data model is applicable based on the at least one criterion for the at least one field.
  - 11. The method of claim 1, wherein causing the events returned in response to the initial search query to be filtered based on the at least one criterion for the at least one field comprises:
    - generating a replacement search query that includes both (i) criteria from the initial search query, and (ii) the received at least one criterion for the at least one field; and
      
      applying the replacement search query to a set of events searched by the initial search query to generate the events used to discover the subset of the discovered fields.
  - 12. The method of claim 1, wherein the fields are included in a late-binding schema.
  - 13. The method of claim 1, wherein receiving through the GUI the at least one criterion for the at least one field comprises:
    - causing display of a drop-down menu for entering at least a portion of the at least one criterion for the at least one field.
  - 14. The method of claim 1, further comprising:
    - causing display of a visualization of data in the filtered events.
  - 15. The method of claim 1, further comprising:
    - generating a data model based on the initial search query and the discovered fields;
      
      saving the data model; and
      
      applying the data model to a different data set than was searched using the initial search query.

16. A system comprising:
- a memory; and
  
  a processing device coupled to the memory and to;
  
  discover fields in events returned in response to an initial search query, wherein the events comprise portions of raw data, and the fields are defined by extraction rules for extracting values from corresponding portions of raw data;
  
  cause display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar field;
  
  receive through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields; and
  
  cause the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The system of claim 16, wherein the raw data included in the events includes machine data.
  - 18. The system of claim 16, wherein the processing device is further configured to:
    - determine a number of the returned events that comprise a first field of the discovered fields; and
      
      calculate a score for the first field based on the number of the returned events that comprise the first field, wherein the subset of the discovered fields is selected to be displayed in the GUI based on the calculated score.
  - 19. The system of claim 16, wherein the processing device is further configured to:
    - determine a number of unique values of a first field of the discovered fields; and
      
      calculate a score for the first field based on the number of unique values of the first field, wherein the subset of the discovered fields is selected to be displayed in the GUI based on the calculated score.
  - 20. The system of claim 16, wherein causing the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field comprises:
    - generating a filtering search query that includes the at least one criterion for the at least one field; and
      
      applying the filtering search query to the events returned in response to the initial search query.
  - 21. The system of claim 16, wherein the fields are included in a late-binding schema.
  - 22. The system of claim 16, wherein causing the events returned in response to the initial search query to be filtered based on the at least one criterion for the at least one field comprises:
    - generating a replacement search query that includes both (i) criteria from the initial search query, and (ii) the received at least one criterion for the at least one field; and
      
      applying the replacement search query to a set of events searched by the initial search query to generate the events used to discover the subset of the discovered fields.
  - 23. The system of claim 16, wherein the processing device is further configured to:
    - generate a data model based on discovered fields and the initial search query.

24. A non-transitory computer readable storage medium encoding instructions thereon that, in response to execution by a processing device, cause the processing device to perform operations comprising:
- discovering fields in events returned in response to an initial search query, wherein the events comprise portions of raw data, and the fields are defined by extraction rules for extracting values from corresponding portions of raw data;
  
  causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar field;
  
  receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields; and
  
  causing the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The non-transitory computer readable storage medium of claim 24, wherein the raw data included in the events includes machine data.
  - 26. The non-transitory computer readable storage medium of claim 24, the operations further comprising:
    - determining a number of the returned events that comprise a first field of the discovered fields; and
      
      calculating a score for the first field based on the number of the returned events that comprise the first field, wherein the subset of the discovered fields is selected to be displayed in the GUI based on the calculated score.
  - 27. The non-transitory computer readable storage medium of claim 24, wherein causing the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field comprises:
    - generating a filtering search query that includes the at least one criterion for the at least one field; and
      
      applying the filtering search query to the events returned in response to the initial search query.
  - 28. The non-transitory computer readable storage medium of claim 24, wherein the fields are included in a late-binding schema.
  - 29. The non-transitory computer readable storage medium of claim 24, wherein causing the events returned in response to the initial search query to be filtered based on the at least one criterion for the at least one field comprises:
    - generating a replacement search query filtering search that includes both (i) criteria from the initial search query, and (ii) the received at least one criterion for the at least one field; and
      
      applying the replacement search query to a set of events searched by the initial search query to generate the events used to discover the subset of the discovered fields.
  - 30. The non-transitory computer readable storage medium of claim 24, the operations further comprising:
    - generating a data model based on discovered fields and the initial search query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Neels, Alice, Vasan, Sundar, Fishel, Simon, Robichaud, Marc

Granted Patent

US 9,582,585 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/723
CPC Class Codes

G06F 16/245   Query processing

G06F 16/24578   using ranking

G06F 16/9535   Search customisation based ...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

DISCOVERING FIELDS TO FILTER DATA RETURNED IN RESPONSE TO A SEARCH

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

DISCOVERING FIELDS TO FILTER DATA RETURNED IN RESPONSE TO A SEARCH

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links