Real time display of statistics and values for selected regular expressions

US 9,152,929 B2
Filed: 01/23/2013
Issued: 10/06/2015
Est. Priority Date: 01/23/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

accessing a set of events for a computing system, wherein each event in the set includes a portion of raw machine data, and wherein at least two events have their respective portions of raw machine data in different data formats;

extracting a plurality of values from the events using an extraction rule, wherein the extraction rule defines where to find a field within the portion of raw machine data in an event and how to extract the value of the field without modifying the portion of the raw machine data;

causing display of a plurality of the events in a first portion of a graphical interface, wherein values extracted from the displayed events are emphasized in the displayed events;

causing display of a subset of the plurality of extracted values in a second portion of the graphical interface;

determining a statistic that is a proportion of events that include the extracted values for the displayed subset of the extracted values; and

causing display of the statistic in the second portion of the graphical interface;

wherein the second portion and the first portion are concurrently displayed in a same graphical interface.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generate and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.

Citations

27 Claims

1. A computer-implemented method, comprising:
- accessing a set of events for a computing system, wherein each event in the set includes a portion of raw machine data, and wherein at least two events have their respective portions of raw machine data in different data formats;
  
  extracting a plurality of values from the events using an extraction rule, wherein the extraction rule defines where to find a field within the portion of raw machine data in an event and how to extract the value of the field without modifying the portion of the raw machine data;
  
  causing display of a plurality of the events in a first portion of a graphical interface, wherein values extracted from the displayed events are emphasized in the displayed events;
  
  causing display of a subset of the plurality of extracted values in a second portion of the graphical interface;
  
  determining a statistic that is a proportion of events that include the extracted values for the displayed subset of the extracted values; and
  
  causing display of the statistic in the second portion of the graphical interface;
  
  wherein the second portion and the first portion are concurrently displayed in a same graphical interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein causing display of the subset of the extracted values in the second portion of the graphical interface includes displaying only unique values in the second portion of the graphical interface.
  - 3. The method of claim 1, wherein the statistic includes a percentage of the set of events in which the one or more extracted values appear in the field defined by the extraction rule.
  - 4. The method of claim 1, further comprising:
    - receiving input corresponding to a selection of a value from the extracted values displayed in the first or second portion of the graphical interface;
      
      determining a subset of the set of events in response to receiving the selection, wherein each event of the subset includes an extracted value that matches the selected value; and
      
      modifying the one or more of the events in the first portion of the graphical interface to cause display of the subset of the set of events and to hide events that do not include an extracted value that matches the selected value.
  - 5. The method of claim 1, wherein the extraction rule includes a regular expression rule.
  - 6. The method of claim 1, wherein the extraction rule includes a regular expression rule automatically generated to extract a value selected from an event.
  - 7. The method of claim 1, wherein the extraction rule is editable, the method further comprising:
    - receiving input corresponding to an edit of the extraction rule;
      
      modifying the one or more of the events in the first portion of the graphical interface to cause the display to emphasize one or more values extracted from a field defined by the edited extraction rule; and
      
      updating the one or more of the extracted values in the second portion of the graphical interface to cause the display to reflect the values extracted from the field defined by the edited extraction rule.
  - 8. The method of claim 1, wherein the set of events is a sample subset of a larger dataset of events.
  - 9. The method of claim 1, further comprising:
    - receiving input corresponding to an edit of the extraction rule; and
      
      dynamically causing updating in real-time of the one or more of the events in the first portion of the graphical interface.

10. A system, comprising:
- one or more processor; and
  
  one or more non-transitory computer-readable storage media storing instructions programmed to cause the one or more processors to perform operations including;
  
  accessing a set of events for a computing system, wherein each event in the set includes a portion of raw machine data, and wherein at least two events have their respective portions of raw machine data in different data formats;
  
  extracting a plurality of values from the events using an extraction rule, wherein the extraction rule defines where to find a field within the portion of the raw machine data in an event and how to extract the value of the field without modifying the portion of the raw machine data;
  
  causing display of a plurality of the events in a first portion of a graphical interface, wherein values extracted from the displayed events are emphasized in the displayed events;
  
  causing display of a subset of the plurality of extracted values in a second portion of the graphical interface;
  
  determining a statistic that is a proportion of events that include the extracted values for the displayed subset of the extracted values; and
  
  causing display of the statistic in the second portion of the graphical interface;
  
  wherein the second portion and the first portion are concurrently displayed in a same graphical interface.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein causing display of the subset of the extracted values in the second portion of the graphical interface includes displaying only unique values in the second portion of the graphical interface.
  - 12. The system of claim 10, wherein the statistic includes a percentage of the set of events in which the one or more extracted values appear in the field defined by the extraction rule.
  - 13. The system of claim 10, wherein the non-transitory computer-readable storage media contains further instructions programmed to cause the processor to perform operations including:
    - receiving input corresponding to a selection of a value from the extracted values displayed in the first or second portion of the graphical interface;
      
      determining a subset of the set of events in response to receiving the selection, wherein each event of the subset includes an extracted value that matches the selected value; and
      
      modifying the one or more of the events in the first portion of the graphical interface to cause display of the subset of the set of events and to hide events that do not include an extracted value that matches the selected value.
  - 14. The system of claim 10, wherein the extraction rule includes a regular expression rule.
  - 15. The system of claim 10, wherein the extraction rule includes a regular expression rule automatically generated to extract a value selected from an event.
  - 16. The system of claim 10, wherein the extraction rule is editable, andwherein the non-transitory computer-readable storage medium contains further instructions programmed to cause the processor to perform operations including:
    - receiving input corresponding to an edit of the extraction rule;
      
      modifying the one or more of the events in the first portion of the graphical interface to cause the display to emphasize one or more values extracted from a field defined by the edited extraction rule; and
      
      updating the one or more of the extracted values in the second portion of the graphical interface to cause the display to reflect the values extracted from the field defined by the edited extraction rule.
  - 17. The system of claim 10, wherein the set of events is a sample subset of a larger dataset of events.
  - 18. The system of claim 10, wherein the extraction rule is editable, andwherein the non-transitory computer-readable storage medium contains further instructions programmed to cause the processor to perform operations including:
    - receiving input corresponding to an edit of the extraction rule; and
      
      dynamically causing updating in real-time of the one or more of the events in the first portion of the graphical interface.

19. A computer-program product, tangibly embodied in a non-transitory machine-readable medium, including instructions programmed to cause a data processing apparatus to perform a process including:
- accessing a set of events for a computing system, wherein each event in the set includes a portion of raw machine data, and wherein at least two events have their respective portions of raw machine data in different data formats;
  
  extracting a plurality of values from the events using an extraction rule, wherein the extraction rule defines where to find a field within the portion of raw machine data in an event and how to extract the value of the field without modifying the portion of the raw machine data;
  
  causing display of a plurality of the events in a first portion of a graphical interface, wherein values extracted from the displayed events are emphasized in the displayed events;
  
  causing display of a subset of the plurality of extracted values in a second portion of the graphical interface;
  
  determining a statistic that is a proportion of events that include the extracted values for the displayed subset of the extracted values; and
  
  causing display of the statistic in the second portion of the graphical interface;
  
  wherein the second portion and the first portion are concurrently displayed in a same graphical interface.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer-program product of claim 19, wherein causing display of the subset of the extracted values in the second portion of the graphical interface includes displaying only unique values in the second portion of the graphical interface.
  - 21. The computer-program product of claim 19, wherein the statistic includes a percentage of the set of events in which the one or more extracted values appear in the field defined by the extraction rule.
  - 22. The computer-program product of claim 19, further including instructions configured to cause the data processing apparatus to perform a process including:
    - receiving input corresponding to a selection of a value from the extracted values displayed in the first or second portion of the graphical interface;
      
      determining a subset of the set of events in response to receiving the selection, wherein each event of the subset includes an extracted value that matches the selected value; and
      
      modifying the one or more of the events in the first portion of the graphical interface to cause display of the subset of the set of events and to hide events that do not include an extracted value that matches the selected value.
  - 23. The computer-program product of claim 19, wherein the extraction rule includes a regular expression rule.
  - 24. The computer-program product of claim 19, wherein the extraction rule includes a regular expression rule automatically generated to extract a value selected from an event.
  - 25. The computer-program product of claim 19, further including instructions programmed to cause the data processing apparatus to perform a process including:
    - receiving input corresponding to an edit of the extraction rule;
      
      modifying the one or more of the events in the first portion of the graphical interface to cause the display to emphasize one or more values extracted from a field defined by the edited extraction rule; and
      
      updating the one or more of the extracted values in the second portion of the graphical interface to cause the display to reflect the values extracted from the field defined by the edited extraction rule.
  - 26. The computer-program product of claim 19, wherein the set of events is a sample subset of a larger dataset of events.
  - 27. The computer-program product of claim 19, further including instructions programmed to cause the data processing apparatus to:
    - receiving input corresponding to an edit of the extraction rule; and
      
      dynamically causing updating in real-time the one or more of the events in the first portion of the graphical interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Carasso, R. David, Delfino, Micah James, Hwang, Johnvey
Primary Examiner(s)
Young, Kevin L
Assistant Examiner(s)
ELLIS, MATTHEW J

Application Number

US13/748,360
Publication Number

US 20140208218A1
Time in Patent Office

986 Days
Field of Search

707/757, 707/736, 707/705
US Class Current

1/1
CPC Class Codes

G06F 16/248   Presentation of query results

G06F 16/287   Visualization; Browsing

G06F 16/332   Query formulation

G06F 16/334   Query execution G06F16/335 ...

G06F 16/338   Presentation of query results

G06F 16/34   Browsing; Visualisation the...

G06F 16/93   Document management systems

G06F 16/951   Indexing; Web crawling tech...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 40/166   Editing, e.g. inserting or ...

G06F 40/169   Annotation, e.g. comment da...

G06F 40/174   Form filling; Merging

G06Q 10/00   Administration; Management

G06Q 10/0637   Strategic management or ana...

Y04S 10/50   Systems or methods supporti...

Real time display of statistics and values for selected regular expressions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Real time display of statistics and values for selected regular expressions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links