Generating and Storing Summarization Tables for Sets of Searchable Events
First Claim
1. A method, comprising:
creating two or more sets of searchable, time stamped event records from raw data stored in at least one data store, wherein each searchable, time stamped event record in the two or more sets of searchable, time stamped event records includes a portion of the raw data and is associated with a time stamp derived from the raw data, wherein the raw data reflects activity in an information technology environment;
generating a summarization table for each set of searchable, time stamped event records in the two or more sets of searchable, time stamped event records that:
identifies one or more field values, wherein a field value comprises a value that appears in an associated field in one or more searchable, time stamped event records in the set of searchable, time stamped event records; and
for each field value, identifies the one or more searchable, time stamped event records in the set of searchable, time stamped event records that contain the field value for the associated field;
storing the summarization table for each set of searchable, time stamped event records among the two or more sets of time stamped searchable event records;
selecting a stored summarization table based on a received query that includes search criteria for evaluating field values for one or more fields;
using the search criteria to evaluate field values for one or more fields in the selected summarization table to generate a query result; and
wherein the query result reflects an aspect of activity in the information technology environment.
1 Assignment
0 Petitions
Abstract
Embodiments are directed towards the transparent summarization of events. Queries directed towards summarizing and reporting on event records may be received at a search head. Search heads may be associated with one or more indexers containing event records. The search head may forward the query to the indexers that can resolve the query for concurrent execution. If a query is a collection query, indexers may generate summarization information based on event records located on the indexers. Event record fields included in the summarization information may be determined based on terms included in the collection query. If a query is a stats query, each indexer may generate a partial result set from previously generated summarization information, returning the partial result sets to the search head. Collection queries may be saved and scheduled to run and periodically update the summarization information.
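The collection-query / stats-query split described in the abstract, together with the summarization-table steps of claim 1 (event records with a timestamp derived from raw data, a per-set table of field value to record ids, a stored table selected by the query, and partial results merged at the search head), as an added Python example. This is illustrative code written for this page, not the patent's or any product's implementation; the indexer names, log lines, field names and the line regex are all constructed for the example.

```python
"""Added example (not from the patent or any product): a toy search head and
two indexers that build per-indexer summarization tables from constructed
sshd-style log lines and answer a stats query from those tables alone."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample raw data: two data stores (indexers). The timestamp of
# each event record is derived from the raw text of its line.
INDEXER_RAW = {
    "indexer-a": [
        "2024-03-01T10:00:01Z sshd: Failed password for root from 10.0.0.5",
        "2024-03-01T10:00:07Z sshd: Failed password for admin from 10.0.0.5",
        "2024-03-01T10:01:15Z sshd: Accepted password for alice from 10.0.0.9",
    ],
    "indexer-b": [
        "2024-03-01T10:00:03Z sshd: Failed password for root from 10.0.0.5",
        "2024-03-01T10:02:40Z sshd: Accepted publickey for bob from 10.0.0.12",
    ],
}

# Hypothetical field extraction for the constructed line format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src_ip>\S+)$"
)


def create_event_records(raw_lines):
    """Claim step 1: each record keeps a portion of the raw data (here the
    whole line) and a time stamp parsed out of that raw data."""
    records = []
    for event_id, line in enumerate(raw_lines):
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not parse are not indexed (example choice)
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        fields = {k: v for k, v in m.groupdict().items() if k != "ts"}
        records.append({"id": event_id, "time": ts, "raw": line, "fields": fields})
    return records


def generate_summarization_table(records, fields):
    """Claim step 2: field -> field value -> ids of the records that contain
    that value. Which fields are summarised comes from the collection query."""
    table = {f: defaultdict(set) for f in fields}
    for rec in records:
        for f in fields:
            if f in rec["fields"]:
                table[f][rec["fields"][f]].add(rec["id"])
    return table


def run_collection_query(indexer_raw, fields):
    """Collection query: every indexer builds and stores its own table."""
    return {name: generate_summarization_table(create_event_records(lines), fields)
            for name, lines in indexer_raw.items()}


def partial_stats(table, field, criteria):
    """Stats query on one indexer: count records per value of `field`, limited
    to records matching `criteria` on other fields, using only the table."""
    allowed = None
    for f, v in criteria.items():
        ids = table.get(f, {}).get(v, set())
        allowed = ids if allowed is None else allowed & ids
    counts = {}
    for value, ids in table.get(field, {}).items():
        n = len(ids if allowed is None else ids & allowed)
        if n:
            counts[value] = n
    return counts


def search_head_stats(stored_tables, field, criteria=None):
    """Search head: select the stored tables that can answer the query (they
    must summarise the requested field), fan the stats query out to each
    indexer, and merge the partial result sets by summing counts per value."""
    merged = defaultdict(int)
    for table in stored_tables.values():
        if field not in table:
            continue  # this table cannot resolve the query; skip it
        for value, n in partial_stats(table, field, criteria or {}).items():
            merged[value] += n
    return dict(merged)


if __name__ == "__main__":
    tables = run_collection_query(INDEXER_RAW, ["result", "user", "src_ip"])
    # Failed logins per user, answered without re-reading any raw line:
    print(search_head_stats(tables, "user", {"result": "Failed"}))  # -> {'root': 2, 'admin': 1}
```

The stats query never touches the raw lines: each indexer answers from its stored table and the search head only sums per-value counts, which is what makes repeated reporting queries cheap once the collection query has run (and why a scheduled collection query keeps those counts current).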
45 Claims
1. A method, comprising: (text as given under First Claim above.) Dependent claims: 2 to 15.
16. An apparatus, comprising:
an event record creator, implemented at least partially in hardware, that creates two or more sets of searchable, time stamped event records from raw data stored in at least one data store, wherein each searchable, time stamped event record in the two or more sets of searchable, time stamped event records includes a portion of the raw data and is associated with a time stamp derived from the raw data, wherein the raw data reflects activity in an information technology environment;
a summarization table generator, implemented at least partially in hardware, that generates a summarization table for each set of searchable, time stamped event records in the two or more sets of searchable, time stamped event records that:
identifies one or more field values, wherein a field value comprises a value that appears in an associated field in one or more searchable, time stamped event records in the set of searchable, time stamped event records; and
for each field value, identifies the one or more searchable, time stamped event records in the set of searchable, time stamped event records that contain the field value for the associated field;
a summarization table storage system, implemented at least partially in hardware, that stores the summarization table for each set of searchable, time stamped event records among the two or more sets of time stamped searchable event records;
a summarization table selector, implemented at least partially in hardware, that selects a stored summarization table based on a received query that includes search criteria for evaluating field values for one or more fields;
a subsystem, implemented at least partially in hardware, that uses the search criteria to evaluate field values for one or more fields in the selected summarization table to generate a query result; and
wherein the query result reflects an aspect of activity in the information technology environment.
Dependent claims: 17 to 30.
31. One or more non-transitory computer-readable storage media, storing software instructions, which when executed by one or more processors cause performance of:
creating two or more sets of searchable, time stamped event records from raw data stored in at least one data store, wherein each searchable, time stamped event record in the two or more sets of searchable, time stamped event records includes a portion of the raw data and is associated with a time stamp derived from the raw data, wherein the raw data reflects activity in an information technology environment;
generating a summarization table for each set of searchable, time stamped event records in the two or more sets of searchable, time stamped event records that:
identifies one or more field values, wherein a field value comprises a value that appears in an associated field in one or more searchable, time stamped event records in the set of searchable, time stamped event records; and
for each field value, identifies the one or more searchable, time stamped event records in the set of searchable, time stamped event records that contain the field value for the associated field;
storing the summarization table for each set of searchable, time stamped event records among the two or more sets of time stamped searchable event records;
selecting a stored summarization table based on a received query that includes search criteria for evaluating field values for one or more fields;
using the search criteria to evaluate field values for one or more fields in the selected summarization table to generate a query result; and
wherein the query result reflects an aspect of activity in the information technology environment.
Dependent claims: 32 to 45.