Real time display of data field values based on manual editing of regular expressions

US 8,682,906 B1
Filed: 01/23/2013
Issued: 03/25/2014
Est. Priority Date: 01/23/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving raw data on a computing device;

dividing the raw data into a set of time stamped searchable events;

storing the set of events in an indexed data store;

displaying an extraction rule in a first portion of a graphical interface, wherein an extraction rule defines a field within an event from which to extract a value;

extracting one or more values from a field within one or more of the events using the extraction rule;

displaying a subset of the set of events in a second portion of the graphical interface, wherein the one or more values extracted from the field within the one or more events are emphasized in the displayed subset, and wherein the first portion and the second portion are concurrently displayed in the same graphical interface;

receiving input corresponding to an edit of the extraction rule displayed in the first portion;

extracting one or more values from the field within the one or more events using the edited extraction rule; and

modifying the displayed subset of events in the second portion of the graphical interface, wherein the displayed subset of events is modified in real time using the edited extraction rule, and wherein the one or more values extracted from the field defined by the edited extraction rule are emphasized in the modified displayed subset.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generate and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.

70 Citations

View as Search Results

24 Claims

1. A computer-implemented method, comprising:
- receiving raw data on a computing device;
  
  dividing the raw data into a set of time stamped searchable events;
  
  storing the set of events in an indexed data store;
  
  displaying an extraction rule in a first portion of a graphical interface, wherein an extraction rule defines a field within an event from which to extract a value;
  
  extracting one or more values from a field within one or more of the events using the extraction rule;
  
  displaying a subset of the set of events in a second portion of the graphical interface, wherein the one or more values extracted from the field within the one or more events are emphasized in the displayed subset, and wherein the first portion and the second portion are concurrently displayed in the same graphical interface;
  
  receiving input corresponding to an edit of the extraction rule displayed in the first portion;
  
  extracting one or more values from the field within the one or more events using the edited extraction rule; and
  
  modifying the displayed subset of events in the second portion of the graphical interface, wherein the displayed subset of events is modified in real time using the edited extraction rule, and wherein the one or more values extracted from the field defined by the edited extraction rule are emphasized in the modified displayed subset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein modifying the displayed subset includes modifying the displayed subset in real time as the extraction rule is being edited.
  - 3. The method of claim 1, further comprising:
    - determining a statistic for one or more extracted values displayed in the graphical interface; and
      
      displaying the statistic in the graphical interface.
  - 4. The method of claim 1, further comprising:
    - determining a statistic for one or more extracted values displayed in the graphical interface, wherein the statistic includes a percentage of the set of events in which the one or more extracted values appear in the field defined by the extraction rule; and
      
      displaying the statistic in the graphical interface.
  - 5. The method of claim 1, further comprising:
    - receiving input corresponding to a selection of a value displayed in the second portion of the graphical interface;
      
      determining a group of events from the set of events in response to receiving the selection, wherein each event in the group includes as the value of the field a value that matches the selected value; and
      
      modifying the display of the events to include only events in the group of events.
  - 6. The method of claim 1, wherein the extraction rule includes a regular expression rule.
  - 7. The method of claim 1, wherein the extraction rule includes a regular expression rule automatically generated to extract a value selected from an event.
  - 8. The method of claim 1, wherein the set of events includes unstructured machine data.

9. A system, comprising:
- a processor; and
  
  a non-transitory computer-readable storage medium containing instructions configured to cause the processor to perform operations including;
  
  receiving raw data on a computing device;
  
  dividing the raw data into a set of time stamped searchable events;
  
  storing the set of events in an indexed data store;
  
  displaying an extraction rule in a first portion of a graphical interface, wherein an extraction rule defines a field within an event from which to extract a value;
  
  extracting one or more values from a field within one or more of the events using the extraction rule;
  
  displaying a subset of the set of events in a second portion of the graphical interface, wherein the one or more values extracted from the field within the one or more events are emphasized in the displayed subset, and wherein the first portion and the second portion are concurrently displayed in the same graphical interface;
  
  receiving input corresponding to an edit of the extraction rule displayed in the first portion;
  
  extracting one or more values from the field within the one or more events using the edited extraction rule; and
  
  modifying the displayed subset of events in the second portion of the graphical interface, wherein the displayed subset of events is modified in real time using the edited extraction rule, and wherein the one or more values extracted from the field defined by the edited extraction rule are emphasized in the modified displayed subset.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein modifying the displayed subset includes modifying the displayed subset in real time as the extraction rule is being edited.
  - 11. The system of claim 9, wherein the non-transitory computer-readable storage medium contains further instructions configured to cause the processor to perform operations including:
    - determining a statistic for one or more extracted values displayed in the graphical interface; and
      
      displaying the statistic in the graphical interface.
  - 12. The system of claim 9, wherein the non-transitory computer-readable storage medium contains further instructions configured to cause the processor to perform operations including:
    - determining a statistic for one or more extracted values displayed in the graphical interface, wherein the statistic includes a percentage of the set of events in which the one or more extracted values appear in the field defined by the extraction rule; and
      
      displaying the statistic in the graphical interface.
  - 13. The system of claim 9, wherein the non-transitory computer-readable storage medium contains further instructions configured to cause the processor to perform operations including:
    - receiving input corresponding to a selection of a value displayed in the second portion of the graphical interface;
      
      determining a group of events from the set of events in response to receiving the selection, wherein each event in the group includes as the value of the field a value that matches the selected value; and
      
      modifying the display of the events to include only events in the group of events.
  - 14. The system of claim 9, wherein the extraction rule includes a regular expression rule.
  - 15. The system of claim 9, wherein the extraction rule includes a regular expression rule automatically generated to extract a value selected from an event.
  - 16. The system of claim 9, wherein the set of events includes unstructured machine data.

17. A computer-program product, tangibly embodied in a non-transitory machine-readable medium, including instructions configured to cause a data processing apparatus to:
- receive raw data on a computing device;
  
  divide the raw data into a set of time stamped searchable events;
  
  store the set of events in an indexed data store;
  
  display an extraction rule in a first portion of a graphical interface, wherein an extraction rule defines a field within an event from which to extract a value;
  
  extract one or more values from a field within one or more of the events using the extraction rule;
  
  display a subset of the set of events in a second portion of the graphical interface, wherein the one or more values extracted from the field within the one or more events are emphasized in the displayed subset, and wherein the first portion and the second portion are concurrently displayed in the same graphical interface;
  
  receive input corresponding to an edit of the extraction rule displayed in the first portion;
  
  extract one or more values from the field within the one or more events using the edited extraction rule; and
  
  modify the displayed subset of events in the second portion of the graphical interface, wherein the displayed subset of events is modified in real time using the edited extraction rule, and wherein the one or more values extracted from the field defined by the edited extraction rule are emphasized in the modified displayed subset.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer-program product of claim 17, wherein modifying the displayed subset includes modifying the displayed subset in real time as the extraction rule is being edited.
  - 19. The computer-program product of claim 17, further including instructions configured to cause the data processing apparatus to:
    - determine a statistic for one or more extracted values displayed in the graphical interface; and
      
      display the statistic in the graphical interface.
  - 20. The computer-program product of claim 17, further including instructions configured to cause the data processing apparatus to:
    - determine a statistic for one or more extracted values displayed in the graphical interface, wherein the statistic includes a percentage of the set of events in which the one or more extracted values appear in the field defined by the extraction rule; and
      
      display the statistic in the graphical interface.
  - 21. The computer-program product of claim 17, further including instructions configured to cause the data processing apparatus to:
    - receive input corresponding to a selection of a value displayed in the second portion of the graphical interface;
      
      determine a group of events from the set of events in response to receiving the selection, wherein each event in the group includes as the value of the field a value that matches the selected value; and
      
      modify the display of the events to include only events in the group of events.
  - 22. The computer-program product of claim 17, wherein the extraction rule includes a regular expression rule.
  - 23. The computer-program product of claim 17, wherein the extraction rule includes a regular expression rule automatically generated to extract a value selected from an event.
  - 24. The computer-program product of claim 17, wherein the set of events includes unstructured machine data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Carasso, R. David, Delfino, Micah James, Hwang, Johnvey
Primary Examiner(s)
Jalil, Neveen Abel
Assistant Examiner(s)
Ellis, Matthew

Application Number

US13/748,313
Time in Patent Office

426 Days
Field of Search

707/757, 707/736, 707/705
US Class Current

707/749
CPC Class Codes

G06F 16/242   Query formulation

G06F 16/2423   Interactive query statement...

G06F 16/2477   Temporal data queries

G06F 16/34   Browsing; Visualisation the...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 40/166   Editing, e.g. inserting or ...

G06F 40/174   Form filling; Merging

G06F 40/40   Processing or translation o...

H04L 67/10   in which an application is ...

Real time display of data field values based on manual editing of regular expressions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

70 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Real time display of data field values based on manual editing of regular expressions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others