Distinguishing Field Labels From Multiple Extractions

US 20160224659A1
Filed: 01/30/2015
Published: 08/04/2016
Est. Priority Date: 01/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

extracting first one or more values from a plurality of events using a first extraction rule;

assigning the extracted first one or more values to a first field of the plurality of events as a first set of field-data item pairs;

assigning a field label to the first field;

extracting second one or more values and a field label corresponding to the second one or more values from the plurality of the events using a second extraction rule, the extracted field label corresponding to the assigned field label of the first field; and

assigning the extracted second one or more values to a second field of the plurality of events as a second set of field-data item pairs, thereby distinguishing the extracted second one or more values from the extracted first one or more values.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

First one or more values are extracted from a plurality of events using a first extraction rule. The extracted first one or more values are assigned to a first field of the plurality of events as a first set of field-data item pairs and a field label is assigned to the first field. Second one or more values and a field label corresponding to the second one or more values are extracted from the plurality of the events using a second extraction rule, where the extracted field label corresponds to the assigned field label of the first field. The extracted second one or more values are assigned to a second field of the plurality of events as a second set of field-data item pairs, thereby distinguishing the extracted second one or more values from the extracted first one or more values.

51 Citations

View as Search Results

30 Claims

1. A computer-implemented method, comprising:
- extracting first one or more values from a plurality of events using a first extraction rule;
  
  assigning the extracted first one or more values to a first field of the plurality of events as a first set of field-data item pairs;
  
  assigning a field label to the first field;
  
  extracting second one or more values and a field label corresponding to the second one or more values from the plurality of the events using a second extraction rule, the extracted field label corresponding to the assigned field label of the first field; and
  
  assigning the extracted second one or more values to a second field of the plurality of events as a second set of field-data item pairs, thereby distinguishing the extracted second one or more values from the extracted first one or more values.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-implemented method of claim 1, wherein the using the second extraction rule identifies a value of the second one or more values for each text portion in a set of data items of the plurality of events discovered as being separated by one or more designated demarcating characters from another text portion that matches the field label, the discovered text portion being used as the value.
  - 3. The computer-implemented method of claim 1, wherein the using the second extraction rule is part of a command that automatically extracts all identified field label-value pairs in a set of data items of the plurality of events, each field label-value pair comprising a field label and a value, wherein one of the field label-value pairs is identified for each first text portion separated by one or more designated demarcating characters from a second text portion in the set of data items, the first text portion matching the field label and the second text portion being used as the value.
  - 4. The computer-implemented method of claim 1, wherein the using the second extraction rule is part of a command that automatically extracts all identified field label-value pairs within a set of data items specified by a command element of the command, wherein each pair of text portions separated by one or more designated demarcating characters in the set of data items is identified as one of the field label-value pairs.
  - 5. The computer-implemented method of claim 1, wherein the first extraction rule comprises instructions defining identification and extraction of a value for a data item of a field and a field label corresponding to the value from data.
  - 6. The computer-implemented method of claim 1, wherein the second extraction rule generates the second one or more values and the field label corresponding to the second one or more values from the first one or more values of the first set of field-data item pairs.
  - 7. The computer-implemented method of claim 1, further comprising:
    - identifying that the extracted field label corresponds to the assigned field label of the first field; and
      
      assigning the extracted second one or more values to the second field as the second set of field-data item pairs based on the extracted field label corresponding to the assigned field label of the first field.
  - 8. The computer-implemented method of claim 1, further comprising:
    - identifying that the extracted field label corresponds to the assigned field label of the first field; and
      
      causing one or more options to be presented to the user based on the identified correspondence, at least one of the options being selectable by the user to cause the assigning of the extracted second one or more values to the second field as the second set of field-data item pairs.
  - 9. The computer-implemented method of claim 1, further comprising assigning a different field label than the extracted field label corresponding to the second one or more values to the second field.
  - 10. The computer-implemented method of claim 1, further comprising assigning a modified version of the extracted field label corresponding to the second one or more values to the second field.
  - 11. The computer-implemented method of claim 1, further comprising assigning a modified version of the extracted field label corresponding to the second one or more values to the second field, the modified version being the extracted field label prepended with text from a field label assigned to an event attribute that the second one or more values were extracted from.
  - 12. The computer-implemented method of claim 1, wherein the using the second extraction rule generates the second one or more values and the field label from event raw data of the plurality of events.
  - 13. The computer-implemented method of claim 1, comprising applying a late binding schema to the plurality of events, the late binding schema being defined by at least the first and second extraction rules.
  - 14. The computer-implemented method of claim 1, wherein the extracting the first one or more values from the plurality of events using the first extraction rule is performed as part of a first command of a search query being executed by a search system and the extracting the second one or more values and the field label corresponding to the second one or more values from the plurality of the events using the second extraction rule is performed as part of a second command of the search query being executed by the search system.
  - 15. The computer-implemented method of claim 1, further comprising:
    - modifying the extracted field label corresponding to the second one or more values to include at least a portion of text of a field label assigned to an event attribute that the second one or more values were extracted from; and
      
      assigning the modified version of the extracted field label to the second field.

16. A system comprising:
- one or more data processors; and
  
  one or more computer-readable storage media containing instructions which when executed on the one or more data processors, cause the one or more processors to perform operations including;
  
  extracting first one or more values from a plurality of events using a first extraction rule;
  
  assigning the extracted first one or more values to a first field as a first set of field-data item pairs;
  
  assigning a field label to the first field of the plurality of events;
  
  extracting second one or more values and a field label corresponding to the second one or more values from the plurality of the events using a second extraction rule, the extracted field label corresponding to the assigned field label of the first field; and
  
  assigning the extracted second one or more values to a second field of the plurality of events as a second set of field-data item pairs, thereby distinguishing the extracted second one or more values from the extracted first one or more values.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The system of claim 16, wherein the using the second extraction rule identifies a value of the second one or more values for each text portion in a set of data items of the plurality of events discovered as being separated by one or more designated demarcating characters from another text portion that matches the field label, the discovered text portion being used as the value.
  - 18. The system of claim 16, wherein the using the second extraction rule is part of a command that automatically extracts all identified field label-value pairs within a set of data items specified by a command element of the command, wherein each pair of text portions separated by one or more designated demarcating characters in the set of data items is identified as one of the field label-value pairs.
  - 19. The system of claim 16, wherein the first extraction rule comprises instructions defining identification and extraction of a value for a data item of a field and a field label corresponding to the value from data.
  - 20. The system of claim 16, wherein the second extraction rule generates the second one or more values and the field label corresponding to the second one or more values from the first one or more values of the first set of field-data item pairs.
  - 21. The system of claim 16, wherein the operations further comprise:
    - identifying that the extracted field label corresponds to the assigned field label of the first field; and
      
      assigning the extracted second one or more values to the second field as the second set of field-data item pairs based on the extracted field label corresponding to the assigned field label of the first field.
  - 22. The system of claim 16, wherein the operations further comprise:
    - identifying that the extracted field label corresponds to the assigned field label of the first field; and
      
      causing one or more options to be presented to the user based on the identified correspondence, at least one of the options being selectable by the user to cause the assigning of the extracted second one or more values to the second field as the second set of field-data item pairs.
  - 23. The system of claim 16, wherein the operations further comprise assigning a different field label than the extracted field label corresponding to the second one or more values to the second field.

24. One or more computer-storage media storing computer-useable instructions that, when executed by a computing device, perform a method, the method comprising:
- extracting first one or more values from a plurality of events using a first extraction rule;
  
  assigning the extracted first one or more values to a first field as a first set of field-data item pairs;
  
  assigning a field label to the first field of the plurality of events;
  
  extracting second one or more values and a field label corresponding to the second one or more values from the plurality of the events using a second extraction rule, the extracted field label corresponding to the assigned field label of the first field; and
  
  assigning the extracted second one or more values to a second field of the plurality of events as a second set of field-data item pairs, thereby distinguishing the extracted second one or more values from the extracted first one or more values.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The one or more computer-storage media of claim 24, wherein the using the second extraction rule identifies a value of the second one or more values for each text portion in a set of data items of the plurality of events discovered as being separated by one or more designated demarcating characters from another text portion that matches the field label, the discovered text portion being used as the value.
  - 26. The one or more computer-storage media of claim 24, wherein the using the second extraction rule is part of a command that automatically extracts all identified field label-value pairs within a set of data items specified by a command element of the command, wherein each pair of text portions separated by one or more designated demarcating characters in the set of data items is identified as one of the field label-value pairs.
  - 27. The one or more computer-storage media of claim 24, wherein the first extraction rule comprises instructions defining identification and extraction of a value for a data item of a field and a field label corresponding to the value from data.
  - 28. The one or more computer-storage media of claim 24, wherein the second extraction rule generates the second one or more values and the field label corresponding to the second one or more values from the first one or more values of the first set of field-data item pairs.
  - 29. The one or more computer-storage media of claim 24, the method further comprising:
    - identifying that the extracted field label corresponds to the assigned field label of the first field; and
      
      assigning the extracted second one or more values to the second field as the second set of field-data item pairs based on the extracted field label corresponding to the assigned field label of the first field.
  - 30. The one or more computer-storage media of claim 24, the method further comprising:
    - identifying that the extracted field label corresponds to the assigned field label of the first field; and
      
      causing one or more options to be presented to the user based on the identified correspondence, at least one of the options being selectable by the user to cause the assigning of the extracted second one or more values to the second field as the second set of field-data item pairs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Robichaud, Marc Vincent

Granted Patent

US 9,842,160 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/313 Selection or weighting of t...

G06F 3/04842 Selection of displayed obje...

Distinguishing Field Labels From Multiple Extractions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Distinguishing Field Labels From Multiple Extractions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links