Visualization of Unique Field Values for a Field in a Set of Events

US 20170032550A1
Filed: 07/31/2016
Published: 02/02/2017
Est. Priority Date: 01/27/2014
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

creating a set of time stamped, searchable events from a set of raw data, each event in the set of time stamped, searchable events includes a portion of the set of raw data from which the time stamped, searchable event was derived, the set of raw data related to security or performance aspects of one or more information technology systems;

identifying a set of unique values included in a particular field that is present in one or more time stamped, searchable events in the set of time stamped, searchable events;

causing display of a plurality of rows, each row corresponding to one unique value among the set of unique values, each row having one or more indicators displayed along a timeline, each indicator among the one or more indicators indicating a number of time stamped, searchable events in the set of time stamped, searchable events within a certain time period that includes the unique value in the particular field, each indicator of the one or more indicators is positioned along the timeline according to the certain time period;

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for visualizing the number of events having different values for a field of interest over a selected time range. The events may be derived from machine data obtained from one or more data sources. User input received via a graphical user interface may specify the field of interest, a time range, and a time granularity for displaying counts of the number of events having various values during different time slots within the selected time range. Events including the specified field during the user-selected time range are identified and values for the field are extracted from the identified events. A visualization indicating a relation between a number of the events occurring within each of a plurality of time slots over the selected time range and each of the unique extracted values of the field is provided to the user via the graphical user interface.

Citations

20 Claims

1. A method comprising:
- creating a set of time stamped, searchable events from a set of raw data, each event in the set of time stamped, searchable events includes a portion of the set of raw data from which the time stamped, searchable event was derived, the set of raw data related to security or performance aspects of one or more information technology systems;
  
  identifying a set of unique values included in a particular field that is present in one or more time stamped, searchable events in the set of time stamped, searchable events;
  
  causing display of a plurality of rows, each row corresponding to one unique value among the set of unique values, each row having one or more indicators displayed along a timeline, each indicator among the one or more indicators indicating a number of time stamped, searchable events in the set of time stamped, searchable events within a certain time period that includes the unique value in the particular field, each indicator of the one or more indicators is positioned along the timeline according to the certain time period;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the raw data is machine data.
  - 3. The method of claim 1, wherein the time stamped, searchable events are derived at least in part from log files generated by one or more servers.
  - 4. The method of claim 1, wherein each indicator among the one or more indicators is an absolute or relative indication of the number of time stamped, searchable events and is displayed using a color or shade.
  - 5. The method of claim 1, wherein each indicator among the one or more indicators is an absolute or relative indication of the number of time stamped, searchable events and is displayed using a color or shade, the color or shade is applied to each intersection according to a linear scale.
  - 6. The method of claim 1, wherein each indicator among the one or more indicators is an absolute or relative indication of the number of time stamped, searchable events and is displayed using a color or shade, the color or shade is applied to each intersection according to a logarithmic scale.
  - 7. The method of claim 1, wherein each indicator among the one or more indicators is an absolute or relative indication of the number of time stamped, searchable events and is displayed using a color or shade, the color or shade is applied to each intersection according to an exponential scale.
  - 8. The method of claim 1, wherein each indicator among the one or more indicators is an absolute or relative indication of the number of time stamped, searchable events and is displayed using a color or shade, the color or shade is applied to each intersection according to a linear scale, the color or shade is applied to each intersection according to a rank assigned to that intersection based on a corresponding number of events.
  - 9. The method of claim 1, wherein each indicator among the one or more indicators is an absolute or relative indication of the number of time stamped, searchable events and is displayed using a color or shade, the color or shade is applied to each intersection according to a linear scale, the color or shade is applied to each intersection using a scale based on a maximum event count and a minimum event count determined from (i) intersections within a row including the intersection for which the color or shade is being applied, (ii) intersections within a column including the intersection for which the color or shade is being applied, or (iii) all displayed intersections.
  - 10. The method of claim 1, further compromising;
    - receiving user input that specifies a time granularity; and
      
      determining a duration of time covered by each of the plurality of time periods based on the time granularity
  - 11. The method of claim 1, further compromising;
    - predicting what a plot of a number of events having a specified value for the particular field would look like for future time periods based on extrapolating from an actual number of events for previous time periods;
      
      causing display of a graphical representation of a plot based on the predicting.
  - 12. The method of claim 1, further comprising:
    - receiving user input indicating a particular time period to be used for sorting the plurality of rows; and
      
      sorting the plurality of rows, wherein each row is positioned in ascending or descending order based on a number of events corresponding to the intersection of that row with the particular time period.
  - 13. The method of claim 1, further comprising:
    - receiving user input selecting an intersection of a row and a time period; and
      
      causing display of information pertaining to the intersection that includes any of;
      
      a corresponding field value, a count value indicating a number of events associated with the intersection, or a time period associated with the intersection.
  - 14. The method of claim 1, further comprising displaying a statistic for each unique value in the set of unique values for the particular field, wherein the statistic for a given unique value includes any combination of:
    - a minimum event count corresponding to intersections in the row corresponding to the given unique value with time periods, a maximum event count corresponding to the intersections, an average of event counts corresponding to the intersections, a total count of events in multiple intersections, or a percentage of the set of time stamped, searchable events that correspond to multiple intersections.
  - 15. The method of claim 1, further comprising:
    - reordering the plurality of rows based on a drag and drop gesture received from a user input device.

16. A non-transitory computer readable storage medium, storing instructions that, when executed by one or more processors, cause performance of:
- creating a set of time stamped, searchable events from a set of raw data, each event in the set of time stamped, searchable events includes a portion of the set of raw data from which the time stamped, searchable event was derived, the set of raw data related to security or performance aspects of one or more information technology systems;
  
  identifying a set of unique values included in a particular field that is present in one or more time stamped, searchable events in the set of time stamped, searchable events;
  
  causing display of a plurality of rows, each row corresponding to one unique value among the set of unique values, each row having one or more indicators displayed along a timeline, each indicator among the one or more indicators indicating a number of time stamped, searchable events in the set of time stamped, searchable events within a certain time period that includes the unique value in the particular field, each indicator of the one or more indicators is positioned along the timeline according to the certain time period.
- View Dependent Claims (17)
- - 17. The non-transitory computer readable storage medium of claim 16, further compromising;
    - predicting what a plot of a number of events having a specified value for the particular field would look like for future time periods based on extrapolating from an actual number of events for previous time periods;
      
      causing display of a graphical representation of a plot based on the predicting.

18. A system comprising:
- a memory having processor-readable instructions stored therein; and
  
  a processor configured to access the memory and execute the processor-readable instructions, which when executed by the processor, configures the processor to perform a plurality of functions, including functions to;
  
  creating a set of time stamped, searchable events from a set of raw data, each event in the set of time stamped, searchable events includes a portion of the set of raw data from which the time stamped, searchable event was derived, the set of raw data related to security or performance aspects of one or more information technology systems;
  
  identifying a set of unique values included in a particular field that is present in one or more time stamped, searchable events in the set of time stamped, searchable events;
  
  causing display of a plurality of rows, each row corresponding to one unique value among the set of unique values, each row having one or more indicators displayed along a timeline, each indicator among the one or more indicators indicating a number of time stamped, searchable events in the set of time stamped, searchable events within a certain time period that includes the unique value in the particular field, each indicator of the one or more indicators is positioned along the timeline according to the certain time period.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the processor is further configured to perform functions to:
    - predicting what a plot of a number of events having a specified value for the particular field would look like for future time periods based on extrapolating from an actual number of events for previous time periods;
  - 20. The system of claim 18, further comprising displaying a statistic for each unique value in the set of unique values for the particular field, wherein the statistic for a given unique value includes any combination of:
    - a minimum event count corresponding to intersections in the row corresponding to the given unique value with time periods, a maximum event count corresponding to the intersections, an average of event counts corresponding to the intersections, a total count of events in multiple intersections, or a percentage of the set of time stamped, searchable events that correspond to multiple intersections.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Vander Broek, Philip John

Application Number

US15/224,651
Publication Number

US 20170032550A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2477   Temporal data queries

G06F 3/04847   Interaction techniques to c...

G06F 3/0486   Drag-and-drop

G06Q 10/06   Resources, workflows, human...

G06Q 30/02   Marketing; Price estimation...

G06Q 30/0201   Market modelling; Market an...

G06T 11/001   Texturing; Colouring; Gener...

G06T 11/206   Drawing of charts or graphs

Visualization of Unique Field Values for a Field in a Set of Events

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Visualization of Unique Field Values for a Field in a Set of Events

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links