USER INTERFACE FOR EVENT DATA STORE

US 20160248803A1
Filed: 02/24/2016
Published: 08/25/2016
Est. Priority Date: 02/25/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a processing device, a query comprising a first field value and a time period;

performing, by the processing device, a first search of a data store using the first field value to identify a plurality of events having the time period and at least one field that comprises the first field value;

determining a first subset of the plurality of events associated with a first context definition;

determining a plurality of fields specified in the first context definition;

determining, for events in the first subset, field values of one or more fields specified in the first context definition;

generating a report based on the field values of the one or more fields specified in the first context definition from the events in the first subset; and

generating a response to the query that comprises at least a portion of the report.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device receives a query comprising a first field value and a time period and performs a first search of a data store using the first field value to identify a plurality of events having the time period and a field that comprises the first field value. The processing device determines a first subset of the plurality of events associated with a first context definition and determines a plurality of fields specified in the first context definition. The processing device determines, for events in the first subset, field values of one or more fields specified in the first context definition. The processing device generates a report based on the field values of the one or more fields specified in the first context definition from the events in the first subset. The processing device generates a response to the query that comprises at least a portion of the report.

21 Citations

View as Search Results

21 Claims

1. A method comprising:
- receiving, by a processing device, a query comprising a first field value and a time period;
  
  performing, by the processing device, a first search of a data store using the first field value to identify a plurality of events having the time period and at least one field that comprises the first field value;
  
  determining a first subset of the plurality of events associated with a first context definition;
  
  determining a plurality of fields specified in the first context definition;
  
  determining, for events in the first subset, field values of one or more fields specified in the first context definition;
  
  generating a report based on the field values of the one or more fields specified in the first context definition from the events in the first subset; and
  
  generating a response to the query that comprises at least a portion of the report.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein determining the first context definition comprises:
    - determining a first source type associated with the first subset of the plurality of events; and
      
      determining that the first source type is associated with the first context definition, wherein the first context definition identifies the first plurality of fields that are pertinent to context of a particular event.
  - 3. The method of claim 1, further comprising:
    - labeling, for events in the first subset, field values of the one or more fields as being a cause for inclusion of the event in the first subset.
  - 4. The method of claim 1, wherein the first context definition has a first context type, and wherein a first section of the report is associated with the first context type, the method further comprising:
    - determining a second subset of the plurality of events associated with a second context definition having a second context type;
      
      determining a second plurality of fields specified in the second context definition;
      
      determining, for events in the second subset, field values of one or more fields specified in the second context definition; and
      
      generating a second section of the report based on the field values of the one or more fields specified in the second context definition from the events in the second subset.
  - 5. The method of claim 1, wherein the first context definition has a first context type, the method further comprising:
    - determining a second subset of the plurality of events associated with a second context definition having the first context type;
      
      determining a second plurality of fields specified in the second context definition; and
      
      determining, for events in the second subset, field values of one or more fields specified in the second context definition, wherein the report is further based on the field values of the one or more fields specified in the second context definition from the events in the second subset.
  - 6. The method of claim 5, further comprising:
    - determining an event context for each event in the first subset, each event context from an event in the first subset comprising a list of key value pairs, wherein keys in the list correspond to the fields specified in the first context definition and values in the list correspond to field values associated with the fields;
      
      determining the event context for each event in the second subset, each event context from events in the second subset comprising an additional list of key value pairs, wherein keys in the additional list correspond to the fields specified in the second context definition and values in the list correspond to field values associated with the fields;
      
      determining a plurality of events from the first subset and the second having a particular event context; and
      
      indicating in a first section of the report associated with the first context type a number of events having the particular event context.
  - 7. The method of claim 1, further comprising:
    - determining a second field value of a field having a field type specified in the first context definition that appears most frequently in the first subset; and
      
      generating a notification indicating the second field value.
  - 8. The method of claim 1, wherein each of the plurality of events comprises a log entry having an original log entry format as generated by a source of the log entry, and wherein a first log entry format of a first log entry is different from a second log entry format of a second log entry.
  - 9. The method of claim 1, further comprising:
    - outputting the response for presentation in a user interface, wherein the plurality of events comprises more than a thousand events, and wherein the response to the query comprises a single page divided into sections, wherein each section comprises information associated with a different context type.
  - 10. The method of claim 1, wherein the plurality of events comprises a first subset of events associated with the first context definition, a second subset of events associated with a second context definition, a third subset of events associated with a third context definition, and a fourth subset of events associated with a fourth context definition, wherein the first context definition and the second context definition share a first context type, and wherein the third context definition and the fourth context definition share a second context type, the method further comprising:
    - aggregating information from the first subset of events and the second subset of events together in a first section of the report associated with the first context type, the first section indicating a first number of events included in the first subset of events and the second number of events; and
      
      aggregating information from the third subset of events and the fourth subset of events in a second section of the report associated with the second context type, the second section indicating a second number of events included in the third subset of events and the fourth subset of events.
  - 11. The method of claim 1, further comprising:
    - determining, for a first event of the first subset, a second field value of a second field that is specified in the first context definition, the second field having an assigned field type;
      
      performing, without receipt of a second query, a second search of the data store using the additional field value to identify a second plurality of events having the time period and the additional field value;
      
      determining a second subset of the second plurality of events associated with the first context definition; and
      
      determining, for events in the second subset, additional field values of the one or more fields specified in the first context definition;
      
      wherein the report is further based on the additional field values of the one or more fields specified in the first context definition from the events in the second subset.

12. A computing device comprising:
- a memory; and
  
  a processing device operatively coupled to the memory, the processing device to;
  
  receive a query comprising a first field value and a time period;
  
  perform a first search of a data store using the first field value to identify a plurality of events having the time period and at least one field that comprises the first field value;
  
  determine a first subset of the plurality of events associated with a first context definition;
  
  determine a plurality of fields specified in the first context definition;
  
  determine, for events in the first subset, field values of one or more fields specified in the first context definition;
  
  generate a report based on the field values of the one or more fields specified in the first context definition from the events in the first subset; and
  
  generate a response to the query that comprises at least a portion of the report.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The computing device of claim 12, wherein determining the first context definition comprises:
    - determining a first source type associated with the first subset of the plurality of events; and
      
      determining that the first source type is associated with the first context definition, wherein the first context definition identifies the first plurality of fields that are pertinent to context of a particular event.
  - 14. The computing device of claim 12, wherein the processing device is further to:
    - label, for events in the first subset, field values of the one or more fields as being a cause for inclusion of the event in the first subset.
  - 15. The computing device of claim 12, wherein the first context definition has a first context type, and wherein a first section of the report is associated with the first context type, and wherein the processing device is further to:
    - determine a second subset of the plurality of events associated with a second context definition having a second context type;
      
      determine a second plurality of fields specified in the second context definition;
      
      determine, for events in the second subset, field values of one or more fields specified in the second context definition; and
      
      generate a second section of the report based on the field values of the one or more fields specified in the second context definition from the events in the second subset.
  - 16. The computing device of claim 12, wherein the first context definition has a first context type, and wherein the processing device is further to:
    - determine a second subset of the plurality of events associated with a second context definition having the first context type;
      
      determine a second plurality of fields specified in the second context definition; and
      
      determine, for events in the second subset, field values of one or more fields specified in the second context definition, wherein the report is further based on the field values of the one or more fields specified in the second context definition from the events in the second subset.
  - 17. The computing device of claim 16, wherein the processing device is further to:
    - determine an event context for each event in the first subset, each event context from an event in the first subset comprising a list of key value pairs, wherein keys in the list correspond to the fields specified in the first context definition and values in the list correspond to field values associated with the fields;
      
      determine the event context for each event in the second subset, each event context from events in the second subset comprising an additional list of key value pairs, wherein keys in the additional list correspond to the fields specified in the second context definition and values in the list correspond to field values associated with the fields;
      
      determine a plurality of events from the first subset and the second having a particular event context; and
      
      indicate in a first section of the report associated with the first context type a number of events having the particular event context.
  - 18. The computing device of claim 12, wherein each of the plurality of events comprises a log entry having an original log entry format as generated by a source of the log entry, and wherein a first log entry format of a first log entry is different from a second log entry format of a second log entry.
  - 19. The computing device of claim 12, wherein the processing device is further to:
    - output the response for presentation in a user interface, wherein the plurality of events comprises more than a thousand events, and wherein the response to the query comprises a single page divided into sections, wherein each section comprises information associated with a different context type.
  - 20. The computing device of claim 12, wherein the processing device is further to:
    - determine, for a first event of the first subset, a second field value of a second field that is specified in the first context definition, the second field having an assigned field type;
      
      perform, without receipt of a second query, a second search of the data store using the additional field value to identify a second plurality of events having the time period and the additional field value;
      
      determine a second subset of the second plurality of events associated with the first context definition; and
      
      determine, for events in the second subset, additional field values of the one or more fields specified in the first context definition;
      
      wherein the report is further based on the additional field values of the one or more fields specified in the first context definition from the events in the second subset.

21. A computer readable storage medium comprising instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
- receiving, by the processing device, a query comprising a first field value and a time period;
  
  performing, by the processing device, a first search of a data store using the first field value to identify a plurality of events having the time period and at least one field that comprises the first field value;
  
  determining a first subset of the plurality of events associated with a first context definition;
  
  determining a plurality of fields specified in the first context definition;
  
  determining, for events in the first subset, field values of one or more fields specified in the first context definition;
  
  generating a report based on the field values of the one or more fields specified in the first context definition from the events in the first subset; and
  
  generating a response to the query that comprises at least a portion of the report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sumo Logic, Inc.
Original Assignee
FactorChain, Inc. (Sumo Logic, Inc.)
Inventors
O'Connell, Brendan, Tidwell, Kenny, Frampton, David

Granted Patent

US 10,795,890 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2228   Indexing structures

G06F 16/2358   Change logging, detection, ...

G06F 16/245   Query processing

G06F 16/2455   Query execution

G06F 16/24575   using context

G06F 16/2477   Temporal data queries

G06F 16/25   Integrating or interfacing ...

G06F 16/258   Data format conversion from...

G06F 16/282   Hierarchical databases, e.g...

G06F 16/285   Clustering or classification

G06F 16/951   Indexing; Web crawling tech...

G06F 21/552   involving long-term monitor...

G06F 40/205   Parsing

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H05K 999/99   dummy group

USER INTERFACE FOR EVENT DATA STORE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

USER INTERFACE FOR EVENT DATA STORE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links