Incident review interface

US 9,158,811 B1
Filed: 01/31/2015
Issued: 10/13/2015
Est. Priority Date: 10/09/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

automatically performing a correlation search in accordance with a defined frequency, the correlation search associated with a service provided by one or more entities that each have corresponding machine data, the service having one or more key performance indicators (KPIs), each KPI defined by a search query that derives a value from the corresponding machine data to indicate a state of the service at a point in time or during a period of time;

wherein the correlation search associated with the service comprises search criteria pertaining to the one or more KPIs, and a triggering condition to be applied to data identified by a search query using the search criteria;

storing a notable event in response to the data identified by the search query satisfying the triggering condition; and

causing display of a graphical user interface presenting information pertaining to the stored notable event, the information comprising an identification of the correlation search that triggered the storing of the notable event and an identification of the service associated with the correlation search;

wherein each of the entities corresponds to a stored entity definition having an identification of the corresponding machine data, and the service corresponds to a stored service definition referencing the stored entity definitions;

wherein the method is performed by a computer system comprising one or more processing devices coupled to a memory for storing the notable event, the service definition, the entity definitions, and the KPIs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing machine performs a correlation search associated with a service provided by one or more entities that each have corresponding machine data, the service having one or more key performance indicators (KPIs) that each indicate a state of the service at a point in time or during a period of time and that each derive from the corresponding machine data for the one or more entities. The correlation search associated with the service comprises search criteria pertaining to the one or more KPIs, and a triggering condition to be applied to data identified by a search query using the search criteria. The computing machine stores a notable event in response to the data identified by the search query satisfying the triggering condition and causes display of a graphical user interface presenting information pertaining to the stored notable event, the information comprising an identifier of the correlation search that triggered the storing of the notable event and an identifier of the service associated with the correlation search.

217 Citations

30 Claims

1. A method comprising:
- automatically performing a correlation search in accordance with a defined frequency, the correlation search associated with a service provided by one or more entities that each have corresponding machine data, the service having one or more key performance indicators (KPIs), each KPI defined by a search query that derives a value from the corresponding machine data to indicate a state of the service at a point in time or during a period of time;
  
  wherein the correlation search associated with the service comprises search criteria pertaining to the one or more KPIs, and a triggering condition to be applied to data identified by a search query using the search criteria;
  
  storing a notable event in response to the data identified by the search query satisfying the triggering condition; and
  
  causing display of a graphical user interface presenting information pertaining to the stored notable event, the information comprising an identification of the correlation search that triggered the storing of the notable event and an identification of the service associated with the correlation search;
  
  wherein each of the entities corresponds to a stored entity definition having an identification of the corresponding machine data, and the service corresponds to a stored service definition referencing the stored entity definitions;
  
  wherein the method is performed by a computer system comprising one or more processing devices coupled to a memory for storing the notable event, the service definition, the entity definitions, and the KPIs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1, wherein the information pertaining to the stored notable event further comprises information identifying one or more associated services.
  - 3. The method of claim 1, wherein the information pertaining to the stored notable event further comprises information identifying one or more associated services, the one or more associated services determined by reference to the stored service definition.
  - 4. The method of claim 1, wherein the information pertaining to the stored notable event further comprises information identifying one or more associated services, the one or more associated services determined by reference to dependency information of the stored service definition.
  - 5. The method of claim 1, wherein the information pertaining to the stored notable event further comprises information identifying one or more associated services from a stored definition of the correlation search.
  - 6. The method of claim 1, wherein the search criteria pertaining to the one or more KPIs pertains to an aggregate KPI characterizing the state of the service as a whole, and the triggering condition is based at least in part on one or more KPI states indicated by the aggregate KPI data satisfying the search criteria.
  - 7. The method of claim 1, wherein the search criteria pertaining to the one or more KPIs pertains to an aspect KPI characterizing the state of an aspect of the service, and the triggering condition is based at least in part on one or more KPI states indicated by the aspect KPI data satisfying the search criteria.
  - 8. The method of claim 1, wherein the correlation search comprises a KPI correlation search.
  - 9. The method of claim 1, wherein the triggering condition is satisfied based at least in part on a number of the one or more KPIs having a specified state at a point in time.
  - 10. The method of claim 1, wherein storing the notable event comprises storing the notable event in a notable events index along with one or more other notable events associated with the service.
  - 11. The method of claim 1, further comprising:
    - receiving user input through the graphical user interface, the user input comprising filtering criteria identify the stored notable event from among a plurality of stored notable events in a notable events index.
  - 12. The method of claim 1, wherein the causing display of a graphical user interface is preconditioned on the notable event satisfying a filter criteria.
  - 13. The method of claim 1, wherein the causing display of a graphical user interface is preconditioned on the notable event satisfying a filter criteria applied in response to user input.
  - 14. The method of claim 1, wherein the causing display of a graphical user interface is preconditioned on the notable event satisfying a filter criteria comprising severity level filter criteria.
  - 15. The method of claim 1, wherein the causing display of a graphical user interface is preconditioned on the notable event satisfying a filter criteria comprising severity level filter criteria, the severity level filter criteria included in the filter criteria in response to receiving user input indicating selection of a severity level from a severity chart of a graphical user interface component.
  - 16. The method of claim 1, further comprising:
    - causing display of the graphical user interface presenting information pertaining to a plurality of stored notable events, the plurality of stored notable events determined according to received user input comprising event filtering criteria.
  - 17. The method of claim 1, further comprising:
    - causing display of one or more actions to be performed with respect to the notable event, the one or more actions comprising generating a time-based graphical visualization corresponding to the notable event.
  - 18. The method of claim 1, further comprising:
    - generating a time-based graphical visualization of values pertaining to the one or more KPIs of the service associated with the correlation search that caused the storing of the notable event.
  - 19. The method of claim 1, wherein the machine data corresponding to a particular one of the one or more entities includes machine data produced by the particular entity or about the particular entity.
  - 20. The method of claim 1, wherein the machine data corresponding to at least one of the one or more entities is obtained through an application programming interface (API) from software that monitors the performance of the respective entity.
  - 21. The method of claim 1, wherein the machine data corresponding to at least one of the one or more entities is derived from network packet data that references the respective entity.
  - 22. The method of claim 1, wherein the machine data corresponding to at least one of the one or more entities is represented as events each comprising a portion of raw data.
  - 23. The method of claim 1, wherein the service definition includes an indication that the service is dependent on another service for which a respective service definition has been created and stored.
  - 24. The method of claim 1, wherein the correlation search is associated with no service other than the service.
  - 25. The method of claim 1, wherein the search query that derives a value from the corresponding machine data, that defines at least one of the KPIs, derives the value by at least extracting a field value from an event of the corresponding machine data.
  - 26. The method of claim 1, wherein the search query that derives a value from the corresponding machine data, that defines at least one of the KPIs, derives the value by at least extracting a field value from an event of the corresponding machine data using a late-binding schema.
  - 27. The method of claim 1, wherein the search query that derives a value from the corresponding machine data, that defines at least one of the KPIs, derives the value by at least calculating a statistic using the corresponding machine data.
  - 28. The method of claim 1, wherein the search query that derives a value from the corresponding machine data, that defines at least one of the KPIs, derives the value by at least counting a number of results satisfying criteria included in a search query.

29. A system comprising:
- a memory; and
  
  a processing device coupled with the memory to;
  
  automatically perform a correlation search in accordance with a defined frequency, the correlation search associated with a service provided by one or more entities that each have corresponding machine data, the service having one or more key performance indicators (KPIs), each KPI defined by a search query that derives a value from the corresponding machine data to indicate a state of the service at a point in time or during a period of time;
  
  wherein the correlation search associated with the service comprises search criteria pertaining to the one or more KPIs, and a triggering condition to be applied to data identified by a search query using the search criteria;
  
  store a notable event in response to the data identified by the search query satisfying the triggering condition; and
  
  cause display of a graphical user interface presenting information pertaining to the stored notable event, the information comprising an identification of the correlation search that triggered the storing of the notable event and an identification of the service associated with the correlation search;
  
  wherein each of the entities corresponds to a stored entity definition having an identification of the corresponding machine data, and the service corresponds to a stored service definition referencing the stored entity definitions.

30. A non-transitory computer readable storage medium encoding instructions thereon that, in response to execution by one or more processing devices, cause the one or more processing devices to perform operations comprising:
- automatically performing a correlation search in accordance with a defined frequency, the correlation search associated with a service provided by one or more entities that each have corresponding machine data, the service having one or more key performance indicators (KPIs), each KPI defined by a search query that derives a value from the corresponding machine data to indicate a state of the service at a point in time or during a period of time;
  
  wherein the correlation search associated with the service comprises search criteria pertaining to the one or more KPIs, and a triggering condition to be applied to data identified by a search query using the search criteria;
  
  storing a notable event in response to the data identified by the search query satisfying the triggering condition; and
  
  causing display of a graphical user interface presenting information pertaining to the stored notable event, the information comprising an identification of the correlation search that triggered the storing of the notable event and an identification of the service associated with the correlation search;
  
  wherein each of the entities corresponds to a stored entity definition having an identification of the corresponding machine data, and the service corresponds to a stored service definition referencing the stored entity definitions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Noel, Cary Glen, Choudhary, Hemendra Singh
Primary Examiner(s)
Maung, Zarni

Application Number

US14/611,215
Time in Patent Office

255 Days
Field of Search

709/203, 709223-229, 709/232, 709/238, 709/240, 709/250
US Class Current

1/1
CPC Class Codes

G06F 16/2428   Query predicate definition ...

G06F 16/24565   Triggers; Constraints

G06F 16/248   Presentation of query results

G06F 16/26   Visual data mining; Browsin...

G06F 9/542   Event management; Broadcast...

H04L 41/0213   Standardised network manage...

H04L 41/5009   Determining service level p...

H04L 41/5032   Generating service level re...

H04L 69/329   in the application layer [O...

Incident review interface

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

217 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Incident review interface

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

217 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links