Identifying anomalous conditions in machine data
Abstract
Embodiments are directed towards the visualization of machine data received from computing clusters. Embodiments may enable improved analysis of computing cluster performance, error detection, troubleshooting, error prediction, or the like. Individual cluster nodes may generate machine data that includes information and data regarding the operation and status of the cluster node. The machine data is received from each cluster node for indexing by one or more indexing applications. The indexed machine data including the complete data set may be stored in one or more index stores. A visualization application enables a user to select one or more analysis lenses that may be used to generate visualizations of the machine data. The visualization application employs the analysis lens to produce visualizations of the computing cluster machine data.
30 Claims
1. A computer-implemented method comprising:
receiving machine data from one or more data sources, the machine data related to performance aspects of one or more information technology systems;
parsing the received machine data to determine event boundaries within the received machine data to generate a plurality of time stamped events, thereby transforming the received machine data into the plurality of time stamped events, the time stamp for each event extracted from the parsed machine data associated with that event;
analyzing the plurality of time stamped events using heuristics to identify an occurrence of an event pattern;
comparing the occurrence of the event pattern to one or more registered event patterns to identify whether the event pattern is an anomalous pattern, the one or more registered event patterns indicative of performance aspects of the one or more information technology systems; and
generating a notification based upon the identification.
Dependent claims: 2 through 16.

17. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors cause performance of:
receiving machine data from a computing cluster, the computing cluster including a plurality of computational nodes;
parsing the received machine data to determine event boundaries within the received machine data to generate a plurality of time stamped events, the time stamp for each event extracted from the parsed machine data associated with that event;
analyzing the plurality of time stamped events using heuristics to identify an occurrence of an event pattern;
comparing the occurrence of the event pattern to one or more registered event patterns that are indicative of a previously determined or known problem for operation of the computing cluster to identify a particular registered event pattern that is the same as or similar to the occurrence of the event pattern; and
generating a notification based upon the identification.
Dependent claims: 18 through 23.

24. An apparatus comprising:
a subsystem, implemented at least partially in hardware, that receives machine data from a computing cluster, the computing cluster including a plurality of computational nodes;
a subsystem, implemented at least partially in hardware, that parses the received machine data to determine event boundaries within the received machine data to generate a plurality of time stamped events, the time stamp for each event extracted from the parsed machine data associated with that event;
a subsystem, implemented at least partially in hardware, that analyzes the plurality of time stamped events using heuristics to identify an occurrence of an event pattern;
a subsystem, implemented at least partially in hardware, that compares the occurrence of the event pattern to one or more registered event patterns that are indicative of a previously determined or known problem for operation of the computing cluster to identify a particular registered event pattern that is the same as or similar to the occurrence of the event pattern;
a subsystem, implemented at least partially in hardware, that generates a notification based upon the identification.
Dependent claims: 25 through 30.
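The pipeline the independent claims describe (determine event boundaries in raw machine data, extract a time stamp per event, apply a heuristic to find an occurrence of an event pattern, compare it against registered patterns for a known problem, emit a notification) as an added Python example. This is not code from the patent, its specification or its assignee; the sample log lines, the "burst of the same message template" heuristic, the two registered patterns and the similarity threshold are all constructed assumptions chosen to illustrate the steps.

```python
"""Added example: the claimed detection pipeline over constructed machine data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample (not real cluster output): syslog-style lines from two
# nodes. The Java stack-trace continuation lines carry no time stamp and must
# be folded into the event that precedes them.
SAMPLE_MACHINE_DATA = """\
2024-03-01T10:00:00Z node1 kernel: eth0: link is up
2024-03-01T10:00:05Z node2 app: request served in 120ms
2024-03-01T10:00:10Z node1 app: java.io.IOException: Too many open files
    at java.base/sun.nio.ch.Net.accept(Native Method)
    at java.base/sun.nio.ch.ServerSocketChannelImpl.accept(ServerSocketChannelImpl.java:533)
2024-03-01T10:00:12Z node1 app: java.io.IOException: Too many open files
    at java.base/sun.nio.ch.Net.accept(Native Method)
2024-03-01T10:00:20Z node1 app: java.io.IOException: Too many open files
2024-03-01T10:00:30Z node2 app: GC pause 1200ms
2024-03-01T10:00:31Z node2 app: GC pause 1350ms
2024-03-01T10:00:33Z node2 app: GC pause 1100ms
2024-03-01T10:01:00Z node2 app: request served in 95ms
"""

# Event boundary rule (an assumption): an event starts at a line that begins
# with an ISO-8601 UTC time stamp followed by a host name.
EVENT_START = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (\S+) (.*)$")


def parse_events(raw):
    """Split raw machine data into time-stamped events.

    A time-stamped line opens a new event; any other line is a continuation of
    the current event. The time stamp is taken from the event's own text.
    """
    events = []
    for line in raw.splitlines():
        m = EVENT_START.match(line)
        if m:
            ts, host, message = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "host": host, "message": message})
        elif events:
            events[-1]["message"] += "\n" + line
        # A continuation line seen before any boundary has no event to join and is dropped.
    return events


def template(message):
    """Collapse numbers and hex literals so repeats of one message share a template."""
    return re.sub(r"0x[0-9a-fA-F]+|\d+", "#", message)


def find_bursts(events, min_count=3, window=timedelta(seconds=30)):
    """Heuristic: an event pattern occurs when >= min_count events with the same
    (host, first-line template) fall inside `window`. One burst per run."""
    bursts = []
    seen = defaultdict(list)  # (host, template) -> time stamps inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], template(e["message"].splitlines()[0]))
        stamps = seen[key]
        stamps.append(e["ts"])
        while e["ts"] - stamps[0] > window:
            stamps.pop(0)
        if len(stamps) >= min_count:
            bursts.append({"host": e["host"], "template": key[1], "count": len(stamps),
                           "first": stamps[0], "last": e["ts"]})
            stamps.clear()
    return bursts


# Registered event patterns (assumed): each is a message template that indicates
# a previously determined problem for operation of the cluster.
REGISTERED_PATTERNS = [
    {"name": "fd_exhaustion", "template": "app: java.io.IOException: Too many open files",
     "problem": "process is exhausting its file descriptors"},
    {"name": "link_flap", "template": "kernel: eth#: link is down",
     "problem": "NIC link is flapping"},
]


def match_registered(burst, threshold=0.8):
    """Compare a burst to the registry: return (pattern, score) for the closest
    registered template if it is the same (1.0) or similar (>= threshold), else (None, score)."""
    best, best_score = None, 0.0
    for p in REGISTERED_PATTERNS:
        score = SequenceMatcher(None, burst["template"], p["template"]).ratio()
        if score > best_score:
            best, best_score = p, score
    return (best, best_score) if best_score >= threshold else (None, best_score)


def detect(raw):
    """Run the whole pipeline and return one notification string per burst."""
    notifications = []
    for b in find_bursts(parse_events(raw)):
        p, score = match_registered(b)
        where = (f"{b['host']} x{b['count']} "
                 f"{b['first'].strftime('%H:%M:%S')}-{b['last'].strftime('%H:%M:%S')}")
        if p:
            notifications.append(f"KNOWN {p['name']}: {p['problem']} ({where}, similarity {score:.2f})")
        else:
            notifications.append(f"ANOMALY unregistered burst '{b['template']}' ({where})")
    return notifications


if __name__ == "__main__":
    for note in detect(SAMPLE_MACHINE_DATA):
        print(note)
```

Run as-is it reports the node1 file-descriptor burst as a known problem and the node2 GC-pause burst as an unregistered anomaly. The boundary rule is the part a practitioner should scrutinise: anything that can write into the log (including text echoed from an untrusted client) and that begins with a well-formed time stamp becomes its own event with a time stamp of the writer's choosing, so production ingestion should escape or strip newlines in untrusted fields, or key boundaries on framing the collector controls, before this kind of heuristic is trusted for alerting.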
Specification