Displaying Drill-Down Event Information Using Event Identifiers

US 20160140181A1
Filed: 01/25/2016
Published: 05/19/2016
Est. Priority Date: 03/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a first device, a search query to be performed on a set of event records accessible by a second device;

sending, by the first device, at least a portion of the search query to the second device;

receiving, by the first device, a search result from the second device, the search result including one or more event identifiers, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record accessible by the second device without searching the set of event records;

causing, by the first device, display of information associated with at least a portion of the search result;

receiving, by the first device, a request to view underlying data associated with the at least a portion of the search result;

determining, by the first device, at least one event identifier in the search result associated with the request;

sending, by the first device, a request for event records, the request including the at least one event identifier;

receiving from the second device, by the first device, at least one event record associated with the at least one event identifier, the at least one event record is comprised of raw data that relates to operations or activities in an information technology environment;

causing display of information associated with the received at least one event record.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

7 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving, at a first device, a search query to be performed on a set of event records accessible by a second device;
  
  sending, by the first device, at least a portion of the search query to the second device;
  
  receiving, by the first device, a search result from the second device, the search result including one or more event identifiers, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record accessible by the second device without searching the set of event records;
  
  causing, by the first device, display of information associated with at least a portion of the search result;
  
  receiving, by the first device, a request to view underlying data associated with the at least a portion of the search result;
  
  determining, by the first device, at least one event identifier in the search result associated with the request;
  
  sending, by the first device, a request for event records, the request including the at least one event identifier;
  
  receiving from the second device, by the first device, at least one event record associated with the at least one event identifier, the at least one event record is comprised of raw data that relates to operations or activities in an information technology environment;
  
  causing display of information associated with the received at least one event record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein each event record in the set of event records is associated with a time stamp.
  - 3. The method as recited in claim 1, wherein each event record in the set of event records is associated with a time stamp and is searchable based on a time represented by the time stamp.
  - 4. The method as recited in claim 1, wherein an event identifier includes an identification of both an event record and a device having access to the event record.
  - 5. The method as recited in claim 1, wherein the received at least one event identifier received by the first device includes an identification of both an event record and the first device.
  - 6. The method as recited in claim 1, wherein the search result sent by the second device to the first device does not include an event record associated with an event identifier that was included in the search result.
  - 7. The method as recited in claim 1, wherein the second device includes an indexer.
  - 8. The method as recited in claim 1, wherein the first device includes a search head.
  - 9. The method as recited in claim 1, wherein the second device includes an indexer, and wherein the first device includes a search head.

10. An apparatus, comprising:
- a search query receiver, at a first device, implemented at least partially in hardware, that receives a search query to be performed on a set of event records accessible by a second device;
  
  a search query transmitter, at the first device, implemented at least partially in hardware, that sends at least a portion of the search query to the second device;
  
  a search result receiver, at the first device, implemented at least partially in hardware, that receives a search result from the second device, the search result including one or more event identifiers, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record accessible by the second device without searching the set of event records;
  
  a display information formatter, at the first device, implemented at least partially in hardware, that causes display of information associated with at least a portion of the search result;
  
  a subsystem, at the first device, implemented at least partially in hardware, that receives a request to view underlying data associated with the at least a portion of the search result;
  
  a subsystem, at the first device, implemented at least partially in hardware, that determines at least one event identifier in the search result associated with the request;
  
  an event record retrieval subsystem, at the first device, implemented at least partially in hardware, that sends a request for event records, the request including the at least one event identifier;
  
  wherein the event record retrieval subsystem receives at least one event record associated with the at least one event identifier, the at least one event record is comprised of raw data that relates to operations or activities in an information technology environment;
  
  wherein the display information formatter causes display of information associated with the received at least one event record.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus as recited in claim 10, wherein each event record in the set of event records is associated with a time stamp.
  - 12. The apparatus as recited in claim 10, wherein each event record in the set of event records is associated with a time stamp and is searchable based on a time represented by the time stamp.
  - 13. The apparatus as recited in claim 10, wherein an event identifier includes an identification of both an event record and a device having access to the event record.
  - 14. The apparatus as recited in claim 10, wherein the received at least one event identifier received by the first device includes an identification of both an event record and the first device.
  - 15. The apparatus as recited in claim 10, wherein the search result sent by the second device to the first device does not include an event record associated with an event identifier that was included in the search result.

16. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors cause performance of:
- receiving, at a first device, a search query to be performed on a set of event records accessible by a second device;
  
  sending, by the first device, at least a portion of the search query to the second device;
  
  receiving, by the first device, a search result from the second device, the search result including one or more event identifiers, each event identifier of the one or more event identifiers is associated with a specific event record of a set of event records accessible by the second device that satisfied the search query, each event identifier enables locating an associated specific event record accessible by the second device without searching the set of event records;
  
  causing, by the first device, display of information associated with at least a portion of the search result;
  
  receiving, by the first device, a request to view underlying data associated with the at least a portion of the search result;
  
  determining, by the first device, at least one event identifier in the search result associated with the request;
  
  sending, by the first device, a request for event records, the request including the at least one event identifier;
  
  receiving from the second device, by the first device, at least one event record associated with the at least one event identifier, the at least one event record is comprised of raw data that relates to operations or activities in an information technology environment;
  
  causing display of information associated with the received at least one event record.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more non-transitory computer-readable storage media as recited in claim 16, wherein each event record in the set of event records is associated with a time stamp.
  - 18. The one or more non-transitory computer-readable storage media as recited in claim 16, wherein each event record in the set of event records is associated with a time stamp and is searchable based on a time represented by the time stamp.
  - 19. The one or more non-transitory computer-readable storage media as recited in claim 16, wherein an event identifier includes an identification of both an event record and a device having access to the event record.
  - 20. The one or more non-transitory computer-readable storage media as recited in claim 16, wherein the received at least one event identifier received by the first device includes an identification of both an event record and the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Zhang, Steve Yu, Sorkin, Stephen Phillip

Granted Patent

US 10,318,535 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/182   Distributed file systems

G06F 16/22   Indexing; Data structures t...

G06F 16/2322   using timestamps

G06F 16/24   Querying

G06F 16/2455   Query execution

G06F 16/24553   of query operations

G06F 16/24554   Unary operations; Data part...

G06F 16/24575   using context

G06F 16/24578   using ranking

G06F 16/2471   Distributed queries

G06F 16/2477   Temporal data queries

G06F 16/248   Presentation of query results

G06F 16/334   Query execution G06F16/335 ...

G06F 16/90328   using search space presenta...

G06F 16/9038   Presentation of query results

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/22   comprising specially adapte...

H04L 67/1097 : for distributed storage of ...

View All

Displaying Drill-Down Event Information Using Event Identifiers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Displaying Drill-Down Event Information Using Event Identifiers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links