Data model for machine data for semantic search
Abstract
Embodiments are directed towards generating data models that may give semantic meaning for unstructured data or structured data that may include data generated and/or received by search engines, including a time series engine. Data models also may be generated to provide semantic meaning to structured data. A data model may be composed of hierarchical data model objects analogous to an object-oriented programming class hierarchy. Users may employ a data modeling application to produce reports using search objects that may be part of, or associated with the data model. The data modeling application may employ the search object and the data model to generate a query string for searching a data repository to produce a result set. A data modeling application may map the result set data to data model objects that may be used to generate reports.
30 Claims
1. A computer implemented method, comprising:
accessing time stamped events in a data store on a computing device including one or more processors, wherein the set of events are searchable;
maintaining a data model that is associated with a set of the time stamped events, wherein the data model defines a schema to apply to the set of the time stamped events, wherein the data model includes one or more sub-models, and wherein each sub-model of the one or more sub-models is associated with a subset of events in the set of the time stamped events, the subset of events being smaller than the set of the time stamped events;
causing display of a graphical interface that lists the one or more sub-models of the data model;
receiving first input corresponding to a selection of a particular sub-model of the one or more sub-models through the graphical interface;
responsive to the first input, narrowing the set of the time stamped events that are searchable to a particular subset of events that is associated with the selected particular sub-model;
subsequent to receiving the first input, receiving second input corresponding to criteria for a search query;
after receiving the second input, initiating a search that uses the received criteria to evaluate values extracted using an extraction rule or a regular expression from events in the particular subset of events, wherein the extraction rule or the regular expression corresponds to a field in the schema.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A system, comprising:
one or more processors; and
one or more non-transitory computer-readable storage media storing instructions configured to cause the one or more processors to perform operations including;
accessing time stamped events in a data store, wherein the set of events are searchable;
maintaining a data model that is associated with a set of the time stamped events, wherein the data model defines a schema to apply to the set of the time stamped events, wherein the data model includes one or more sub-models, and wherein each sub-model of the one or more sub-models is associated with a subset of events in the set of the time stamped events, the subset of events being smaller than the set of the time stamped events;
causing display of a graphical interface that lists the one or more sub-models of the data model;
receiving first input corresponding to a selection of a particular sub-model of the one or more sub-models through the graphical interface;
responsive to the first input, narrowing the set of the time stamped events that are searchable to a particular subset of events that is associated with the selected particular sub-model;
subsequent to receiving the first input, receiving second input corresponding to criteria for a search query;
after receiving the second input, initiating a search that uses the received criteria to evaluate values extracted using an extraction rule or a regular expression from events in the particular subset of events, wherein the extraction rule or the regular expression corresponds to a field in the schema.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
23. A computer-program product, tangibly embodied in one or more non-transitory machine-readable media, including instructions configured to cause one or more data processing apparatuses to:
access time stamped events in a data store on a computing device including one or more processors, wherein the set of events are searchable;
maintain a data model that is associated with a set of the time stamped events, wherein the data model defines a schema to apply to the set of the time stamped events, wherein the data model includes one or more sub-models, and wherein each sub-model of the one or more sub-models is associated with a subset of events in the set of the time stamped events, the subset of events being smaller than the set of the time stamped events;
cause display of a graphical interface that lists the one or more sub-models of the data model;
receive first input corresponding to a selection of a particular sub-model of the one or more sub-models through the graphical interface;
responsive to the first input, narrow the set of the time stamped events that are searchable to a particular subset of events that is associated with the selected particular sub-model;
subsequent to receiving the first input, receive second input corresponding to criteria for a search query;
after receiving the second input, initiating a search that uses the received criteria to evaluate values extracted using an extraction rule or a regular expression from events in the particular subset of events, wherein the extraction rule or the regular expression corresponds to a field in the schema.
Dependent claims: 24, 25, 26, 27, 28, 29, 30
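The flow recited in the independent claims (select a sub-model, narrow the searchable events, then evaluate criteria against regex-extracted schema fields) can be sketched as follows. This is an added illustration, not code from the patent or any product; the `SubModel` class, its field names, the constraint regexes and the sample events are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample events: (timestamp, raw text). Not real log data.
EVENTS = [
    (1700000000, "sshd[811]: Failed password for root from 203.0.113.7 port 50122"),
    (1700000005, "sshd[811]: Accepted password for alice from 198.51.100.4 port 50200"),
    (1700000009, "nginx: GET /login status=200 client=198.51.100.4"),
    (1700000012, "sshd[902]: Failed password for alice from 203.0.113.7 port 50130"),
]

@dataclass
class SubModel:                      # hypothetical name, for illustration only
    name: str
    constraint: str                  # regex selecting this sub-model's subset of events
    fields: dict                     # schema field -> extraction regex (one capture group)
    parent: "SubModel | None" = None

    def all_fields(self):
        # Child objects inherit the parent's schema, like a class hierarchy.
        inherited = self.parent.all_fields() if self.parent else {}
        return {**inherited, **self.fields}

    def matches(self, raw):
        # An event belongs to the subset only if every ancestor constraint holds too.
        ok = self.parent.matches(raw) if self.parent else True
        return ok and re.search(self.constraint, raw) is not None

def narrow(submodel, events=EVENTS):
    """Restrict the searchable events to the selected sub-model's subset."""
    return [e for e in events if submodel.matches(e[1])]

def extract(submodel, raw):
    """Apply each field's extraction regex to the raw event at search time."""
    found = ((f, re.search(rx, raw)) for f, rx in submodel.all_fields().items())
    return {f: m.group(1) for f, m in found if m}

def search(submodel, criteria, events=EVENTS):
    """Evaluate field=value criteria against values extracted from the narrowed subset."""
    hits = []
    for ts, raw in narrow(submodel, events):
        values = extract(submodel, raw)
        if all(values.get(k) == v for k, v in criteria.items()):
            hits.append((ts, values))
    return hits

AUTH = SubModel("Authentication", r"sshd\[\d+\]",
                {"user": r"for (\S+) from", "src": r"from (\S+) port"})
FAILED = SubModel("Failed_Authentication", r"Failed password",
                  {"action": r"(Failed)"}, parent=AUTH)
```

Selecting `FAILED` first and then searching with `{"src": "203.0.113.7"}` only ever evaluates the two failed-login events, which is the narrowing step the claims describe.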
Specification