Event field distributed search display
First Claim
1. A method, comprising:
- receiving a query including a criterion for searching a set of events stored across a plurality of distributed machines, wherein each distributed machine has responsibility to search a time-based subgroup of the set of events, wherein each distributed machine has responsibility to search a time-based subgroup different than time-based subgroups that other distributed machines have responsibility to search, and wherein each event in the set of events is associated with a timestamp;
- in response to receiving the query, directing at least a portion of the plurality of distributed machines to search, in respective time-based subgroups, for events responsive to the query;
- receiving from the distributed machines information relating to values for a field that are in the events responsive to the query;
- aggregating the received information to determine a number corresponding to how many unique values exist for the field in the events responsive to the query;
- displaying the number corresponding to how many unique values exist for the field;
- wherein the method is performed by one or more computing devices.
Abstract
A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.
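The abstract and claim 1 describe a fan-out/aggregate pattern: each machine searches only its own time window, returns information about the field values it saw, and an aggregating node combines those results into one unique-value count and one global, timestamp-ordered list of event references that a later range selection can be served from. The model below is an added illustration written for this page, not code from the patent or its assignee. The node ids, time windows, the `<node>-<offset>` reference scheme and the failed-login sample events are all constructed. It also shows the check a practitioner wants here: the nodes must hand back the distinct values themselves (or a mergeable sketch), because summing per-node distinct counts overstates the true count whenever the same value appears in more than one time window.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: int                  # event timestamp (constructed: seconds since an arbitrary epoch)
    ref: str                 # event reference "<node>-<local offset>" (constructed scheme)
    fields: Dict[str, str]   # extracted fields, e.g. {"src_ip": "10.0.0.1"}


Criterion = Callable[[Event], bool]


class SearchNode:
    """One distributed machine, responsible for a single time-based subgroup of events."""

    def __init__(self, node_id: str, t_start: int, t_end: int, events: List[Event]):
        self.node_id, self.t_start, self.t_end = node_id, t_start, t_end
        # A node only stores events whose timestamp falls inside its window.
        self.events = [e for e in events if t_start <= e.ts < t_end]
        self._by_ref = {e.ref: e for e in self.events}

    def local_search(self, criterion: Criterion, field_name: str,
                     t_from: int, t_to: int) -> Tuple[Set[str], List[Tuple[int, str]]]:
        """Search the local subgroup. Returns the distinct values seen for the field
        and a (timestamp, ref) pair for every responsive event. Values rather than a
        count are returned: per-node distinct counts cannot be merged correctly."""
        hits = [e for e in self.events if t_from <= e.ts < t_to and criterion(e)]
        values = {e.fields[field_name] for e in hits if field_name in e.fields}
        return values, [(e.ts, e.ref) for e in hits]

    def fetch(self, refs: List[str]) -> List[Event]:
        """Return the locally stored events for the given references."""
        return [self._by_ref[r] for r in refs if r in self._by_ref]


class Aggregator:
    """Directs the query to the relevant nodes and combines their local results."""

    def __init__(self, nodes: List[SearchNode]):
        self.nodes = {n.node_id: n for n in nodes}

    def search(self, criterion: Criterion, field_name: str, t_from: int, t_to: int) -> dict:
        # Only the portion of the nodes whose window overlaps the query range is directed to search.
        selected = [n for n in self.nodes.values() if n.t_start < t_to and n.t_end > t_from]
        all_values: Set[str] = set()
        naive_sum = 0
        refs: List[Tuple[int, str]] = []
        for node in selected:
            values, node_refs = node.local_search(criterion, field_name, t_from, t_to)
            all_values |= values        # set union yields the true global distinct set
            naive_sum += len(values)    # kept only to show why summing counts is wrong
            refs.extend(node_refs)
        global_order = [ref for _, ref in sorted(refs)]   # global order: timestamp, then ref
        return {"unique_values": len(all_values), "naive_sum": naive_sum,
                "global_order": global_order}

    def fetch_range(self, global_order: List[str], start: int, end: int) -> List[Event]:
        """Serve a user-selected slice of the global order by going back only to the
        nodes that hold those references, then restore the global order."""
        wanted = global_order[start:end]
        by_node: Dict[str, List[str]] = {}
        for ref in wanted:
            by_node.setdefault(ref.split("-")[0], []).append(ref)
        fetched = {e.ref: e for nid, rs in by_node.items() for e in self.nodes[nid].fetch(rs)}
        return [fetched[r] for r in wanted]


# Constructed sample: authentication events spread over three time windows.
SAMPLE_EVENTS = [
    Event(10,  "A-0", {"user": "alice", "src_ip": "10.0.0.1", "action": "login_fail"}),
    Event(50,  "A-1", {"user": "bob",   "src_ip": "10.0.0.2", "action": "login_fail"}),
    Event(120, "B-0", {"user": "alice", "src_ip": "10.0.0.1", "action": "login_fail"}),
    Event(150, "B-1", {"user": "carol", "src_ip": "10.0.0.3", "action": "login_ok"}),
    Event(220, "C-0", {"user": "alice", "src_ip": "10.0.0.4", "action": "login_fail"}),
    Event(260, "C-1", {"user": "bob",   "src_ip": "10.0.0.2", "action": "login_fail"}),
]


def build_cluster() -> Aggregator:
    """Three nodes, each owning a disjoint 100-second window (constructed layout)."""
    return Aggregator([SearchNode("A", 0, 100, SAMPLE_EVENTS),
                       SearchNode("B", 100, 200, SAMPLE_EVENTS),
                       SearchNode("C", 200, 300, SAMPLE_EVENTS)])


def failed_login_sources(t_from: int = 0, t_to: int = 300) -> dict:
    """How many distinct source IPs produced failed logins in the given range?"""
    return build_cluster().search(lambda e: e.fields.get("action") == "login_fail",
                                  "src_ip", t_from, t_to)


if __name__ == "__main__":
    result = failed_login_sources()
    print("unique src_ip values:", result["unique_values"])   # 3
    print("naive per-node sum:  ", result["naive_sum"])       # 5 (overcounts 10.0.0.1 and 10.0.0.2)
    for ev in build_cluster().fetch_range(result["global_order"], 2, 4):
        print(ev.ts, ev.ref, ev.fields["src_ip"])
```

Over the full range the three nodes report 2, 1 and 2 distinct source addresses, but the union is only 3, because `10.0.0.1` and `10.0.0.2` each fall into two windows; the `naive_sum` field exists purely to make that discrepancy visible. Narrowing the query to a later range leaves node A out of the fan-out entirely, and a range selection over the global order is answered by fetching from nodes B and C only.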
39 Claims
1. A method, comprising the steps given under First Claim above. Dependent claims: 2-13.
14. An apparatus, comprising:
- a subsystem, implemented at least partially in hardware, that receives a query including a criterion for searching a set of events stored across a plurality of distributed machines, wherein each distributed machine has responsibility to search a time-based subgroup of the set of events, wherein each distributed machine has responsibility to search a time-based subgroup different than time-based subgroups that other distributed machines have responsibility to search, and wherein each event in the set of events is associated with a timestamp;
- a subsystem, implemented at least partially in hardware, that, in response to receiving the query, directs at least a portion of the plurality of distributed machines to search, in respective time-based subgroups, for events responsive to the query;
- a subsystem, implemented at least partially in hardware, that receives from the distributed machines information relating to values for a field that are in the events responsive to the query;
- a subsystem, implemented at least partially in hardware, that aggregates the received information to determine a number corresponding to how many unique values exist for the field in the events responsive to the query;
- a subsystem, implemented at least partially in hardware, that displays the number corresponding to how many unique values exist for the field.
Dependent claims: 15-26.
27. A non-transitory computer-readable medium storing one or more sequences of instructions, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform:
- receiving a query including a criterion for searching a set of events stored across a plurality of distributed machines, wherein each distributed machine has responsibility to search a time-based subgroup of the set of events, wherein each distributed machine has responsibility to search a time-based subgroup different than time-based subgroups that other distributed machines have responsibility to search, and wherein each event in the set of events is associated with a timestamp;
- in response to receiving the query, directing at least a portion of the plurality of distributed machines to search, in respective time-based subgroups, for events responsive to the query;
- receiving from the distributed machines information relating to values for a field that are in the events responsive to the query;
- aggregating the received information to determine a number corresponding to how many unique values exist for the field in the events responsive to the query;
- displaying the number corresponding to how many unique values exist for the field.
Dependent claims: 28-39.