Identifying events using informational fields

US 9,146,962 B1
Filed: 01/31/2015
Issued: 09/29/2015
Est. Priority Date: 10/09/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining if events in a machine data store in a computer memory satisfy event selection criteria of a search query, the machine data store comprising machine data, and the event selection criteria including a first field-value pair;

wherein determining if one of the events satisfies the event selection criteria includes comparing the first field-value pair with a second field-value pair from an entity definition associated with the event via a third field-value pair associated with data corresponding to the event in the machine data store;

reflecting in the computer memory a result for the search query based at least in part on said determining;

wherein the entity definition represents an entity that provides a service, the service being represented by a service definition, the entity definition having an association with the service definition, and the service definition having an associated key performance indicator (KPI) defined by a KPI search query that produces a value from machine data identified in one or more entity definitions associated with the service, the value indicative of how the service is performing at a point in time or during a period of time;

wherein the entity definition and the service definition are stored in the computer memory; and

wherein the method is performed by a computer system comprising one or more processing devices coupled to the computer memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system determines if events in a machine data store satisfy event selection criteria, the event selection criteria including a first field-value pair. To determine if one of the events satisfies the event selection criteria, the computer system compares the first field-value pair of the event selection criteria with a second field-value pair from an entity definition associated with the event by using a third field-value pair from data corresponding to the event in the machine data store.

Citations

30 Claims

1. A method comprising:
- determining if events in a machine data store in a computer memory satisfy event selection criteria of a search query, the machine data store comprising machine data, and the event selection criteria including a first field-value pair;
  
  wherein determining if one of the events satisfies the event selection criteria includes comparing the first field-value pair with a second field-value pair from an entity definition associated with the event via a third field-value pair associated with data corresponding to the event in the machine data store;
  
  reflecting in the computer memory a result for the search query based at least in part on said determining;
  
  wherein the entity definition represents an entity that provides a service, the service being represented by a service definition, the entity definition having an association with the service definition, and the service definition having an associated key performance indicator (KPI) defined by a KPI search query that produces a value from machine data identified in one or more entity definitions associated with the service, the value indicative of how the service is performing at a point in time or during a period of time;
  
  wherein the entity definition and the service definition are stored in the computer memory; and
  
  wherein the method is performed by a computer system comprising one or more processing devices coupled to the computer memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising executing the search query in an event processing system, and wherein the executing the search query comprises the determining if one of the events satisfies the event selection criteria.
  - 3. The method of claim 1, wherein the first field-value pair comprises a key representing a query field name and a value representing a query value for a query field.
  - 4. The method of claim 1, wherein the second field-value pair comprises a key representing a metadata field name and a value representing a metadata value for a metadata field.
  - 5. The method of claim 1, wherein the second field-value pair comprises an informational field, wherein the informational field is exposed for use by a search to attribute a metadata field and a metadata value to an event.
  - 6. The method of claim 1, wherein the third field-value pair is associated with data corresponding to the event in the machine data store using an extraction rule.
  - 7. The method of claim 1, wherein the third field-value pair is associated with data corresponding to the event in the machine data store using a late-binding schema.
  - 8. The method of claim 1, wherein the entity definition is associated with the event using alias information of the entity definition.
  - 9. The method of claim 1, wherein the entity definition is associated with the event using alias information of the entity definition wherein the alias information is exposed for use by a search of the machine data store to associate an event in the machine data store with an entity represented by the entity definition.
  - 10. The method of claim 1, wherein the entity definition is associated with the event by matching alias information from the entity definition with the third field-value pair, the third field-value pair being associated with data corresponding to the event in the machine data store using a late-binding schema.
  - 11. The method of claim 1, further comprising:
    - receiving the search query in response to user input to a graphical user interface.
  - 12. The method of claim 1, wherein the event selection criteria comprises one or more event selection criteria.
  - 13. The method of claim 1, further comprising:
    - receiving user input for determining the second field-value pair, the second field-value pair comprising a key representing a metadata field name and a value representing a metadata value for a metadata field; and
      
      adding the second field-value pair to the entity definition, the entity definition comprising an instance of the third field-value pair.
  - 14. The method of claim 1, wherein the events in the machine data store each comprise a timestamped portion of raw machine data.
  - 15. The method of claim 1, wherein the search query is the KPI search query.

16. A system comprising:
- a memory; and
  
  a processing device coupled with the memory to;
  
  determine if events in a machine data store satisfy event selection criteria of a search query, the machine data store comprising machine data, and the event selection criteria including a first field-value pair, wherein to determine if one of the events satisfies the event selection criteria includes comparing the first field-value pair with a second field-value pair from an entity definition associated with the event via a third field-value pair associated with data corresponding to the event in the machine data store;
  
  reflect in the memory a result for the search query based at least in part on said determination; and
  
  wherein the entity definition represents an entity that provides a service, the service being represented by a service definition, the entity definition having an association with the service definition, and the service definition having an associated key performance indicator (KPI) defined by a KPI search query that produces a value from machine data identified in one or more entity definitions associated with the service, the value indicative of how the service is performing at a point in time or during a period of time.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The system of claim 16 wherein each of the events comprise a timestamped segment of raw machine data.
  - 18. The system of claim 16, wherein the third field-value pair is associated with data corresponding to the event in the machine data store using an extraction rule.
  - 19. The system of claim 16, wherein the third field-value pair is associated with data corresponding to the event in the machine data store using a late-binding schema.
  - 20. The system of claim 16, wherein the entity definition is associated with the event using alias information of the entity definition.
  - 21. The system of claim 16, wherein the entity definition is associated with the event using alias information of the entity definition wherein the alias information is exposed for use by a search of the machine data store to associate an event in the machine data store with an entity represented by the entity definition.
  - 22. The system of claim 16, wherein the entity definition is associated with the event by matching alias information from the entity definition with the third field-value pair, the third field-value pair being associated with data corresponding to the event in the machine data store using a late-binding schema.
  - 23. The system of claim 16, the processing device coupled with the memory to further:
    - receive the search query in response to user input to a graphical user interface.
  - 24. The system of claim 16, the processing device coupled with the memory to further:
    - receive user input for determining the second field-value pair, the second field-value pair comprising a key representing a metadata field name and a value representing a metadata value for a metadata field; and
      
      add the second field-value pair to the entity definition, the entity definition comprising an instance of the third field-value pair.
  - 25. The system of claim 16, wherein the events in the machine data store each comprise a timestamped portion of raw machine data.

26. A non-transitory computer readable storage medium encoding instructions thereon that, in response to execution by one or more processing devices, cause the one or more processing devices to perform operations comprising:
- determining if events in a machine data store in a computer memory satisfy event selection criteria of a search query, the machine data store comprising machine data, and the event selection criteria including a first field-value pair;
  
  wherein determining if one of the events satisfies the event selection criteria includes comparing the first field-value pair with a second field-value pair from an entity definition associated with the event via a third field-value pair associated with data corresponding to the event in the machine data store;
  
  reflecting in the computer memory a result for the search query based at least in part on said determining;
  
  wherein the entity definition represents an entity that provides a service, the service being represented by a service definition, the entity definition having an association with the service definition, and the service definition having an associated key performance indicator (KPI) defined by a KPI search query that produces a value from machine data identified in one or more entity definitions associated with the service, the value indicative of how the service is performing at a point in time or during a period of time; and
  
  wherein the entity definition and the service definition are stored in the computer memory; and
  
  wherein the operations are performed by the one or more processing devices.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The non-transitory computer readable storage medium of claim 26 wherein each of the events comprises a timestamped segment of raw machine data.
  - 28. The non-transitory computer readable storage medium of claim 26, wherein the third field-value pair is associated with data corresponding to the event in the machine data store using an extraction rule.
  - 29. The non-transitory computer readable storage medium of claim 26, wherein the third field-value pair is associated with data corresponding to the event in the machine data store using a late-binding schema.
  - 30. The non-transitory computer readable storage medium of claim 26, wherein the entity definition is associated with the event using alias information of the entity definition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Boe, Brent, Bhide, Alok Anant, Maheshwari, Sonal
Primary Examiner(s)
Maung, Zarni

Application Number

US14/611,213
Time in Patent Office

241 Days
Field of Search

709/203, 709223-229, 709/250
US Class Current

1/1
CPC Class Codes

G06F 16/168   Details of user interfaces ...

G06F 16/2228   Indexing structures

G06F 16/2322   using timestamps

G06F 16/245   Query processing

G06F 3/0484   for the control of specific...

G06F 9/542   Event management; Broadcast...

H04L 41/0213   Standardised network manage...

H04L 41/22   comprising specially adapte...

H04L 41/5012   determining service availab...

H04L 41/5032   Generating service level re...

H04L 41/5045   Making service definitions ...

Identifying events using informational fields

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying events using informational fields

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links