Normalization of time stamps for event data
Abstract
Methods and apparatus consistent with the invention provide the ability to organize, index, search, and present time series data based on searches. Time series data are sequences of time stamped records occurring in one or more usually continuous streams, representing some type of activity. In one embodiment, time series data is organized into discrete events with normalized time stamps and the events are indexed by time and keyword. A search is received and relevant event information is retrieved based in whole or in part on the time indexing mechanism, keyword indexing mechanism, or statistical indices calculated at the time of the search.
20 Claims
1. A method, comprising:
- detecting whether time information is present in an event that includes a portion of raw data, the event being derived from raw data that includes the portion of raw data, the raw data pertaining to performance or security aspects of one or more information technology systems;
- in response to detecting that the time information is present in the event;
  - determining a time zone in the detected time information;
  - generating an offset by normalizing the detected time information using the determined time zone;
  - generating a time stamp based on the offset; and
  - associating the generated time stamp with the event, thereby enabling the event to be searched using the time stamp;
- in response to detecting that the time information is not present in the event;
  - interpolating a time stamp for the event using at least one event preceding the event and at least one event succeeding the event; and
  - associating the interpolated time stamp with the event;
- wherein the method is performed by one or more computing devices.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. An apparatus, comprising:
- an event processor, implemented at least partially in hardware, that detects whether time information is present in an event that includes a portion of raw data, the event being derived from raw data that includes the portion of raw data, the raw data pertaining to performance or security aspects of one or more information technology systems;
- in response to the event processor detecting that the time information is present in the event, the event processor;
  - determines a time zone in the detected time information;
  - generates an offset by normalizing the detected time information using the determined time zone;
  - generates a time stamp based on the offset; and
  - associates the generated time stamp with the event, thereby enabling the event to be searched using the time stamp;
- in response to the event processor detecting that the time information is not present in the event, the event processor;
  - interpolates a time stamp for the event using at least one event preceding the event and at least one event succeeding the event; and
  - associates the interpolated time stamp with the event.

Dependent claims: 12, 13, 14, 19
15. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors cause performance of:
- detecting whether time information is present in an event that includes a portion of raw data, the event being derived from raw data that includes the portion of raw data, the raw data pertaining to performance or security aspects of one or more information technology systems;
- in response to detecting that the time information is present in the event;
  - determining a time zone in the detected time information;
  - generating an offset by normalizing the detected time information using the determined time zone;
  - generating a time stamp based on the offset; and
  - associating the generated time stamp with the event, thereby enabling the event to be searched using the time stamp;
- in response to detecting that the time information is not present in the event;
  - interpolating a time stamp for the event using at least one event preceding the event and at least one event succeeding the event; and
  - associating the interpolated time stamp with the event.

Dependent claims: 16, 17, 18, 20
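The steps recited in claims 1, 11 and 15, sketched in Python as an added example (not code from the patent or its assignee). Assumptions: the "offset" is read as seconds since the Unix epoch in UTC, time information is an ISO-8601 date-time with a numeric zone, interpolation is linear by event position, and the `source` field and all function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not from the patent): two time zones, two lines without time info.
RAW_EVENTS = [
    "2024-03-01T12:00:00+0200 sshd[811]: Failed password for root from 203.0.113.7",
    "    pam_unix(sshd:auth): authentication failure",
    "    pam_unix(sshd:auth): check pass; user unknown",
    "2024-03-01T05:00:30-0500 sshd[811]: Accepted publickey for deploy",
]

# Assumed format: ISO-8601 date-time followed by a numeric UTC offset.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}")


def extract_epoch(raw):
    """Return seconds since the Unix epoch (UTC), or None if no time info is present."""
    m = TS_RE.search(raw)
    if m is None:
        return None
    local = datetime.strptime(m.group(0), "%Y-%m-%dT%H:%M:%S%z")  # %z captures the zone
    return local.astimezone(timezone.utc).timestamp()


def normalize(raw_events):
    """Attach a UTC epoch time stamp to every event, interpolating where none was found."""
    stamps = [extract_epoch(e) for e in raw_events]
    known = [i for i, s in enumerate(stamps) if s is not None]
    out = []
    for i, (raw, ts) in enumerate(zip(raw_events, stamps)):
        source = "extracted"
        if ts is None:
            prev = max((k for k in known if k < i), default=None)
            nxt = min((k for k in known if k > i), default=None)
            if prev is None or nxt is None:
                source = "unresolved"  # no neighbour on one side: leave the gap visible
            else:
                # Linear interpolation by position between the two bracketing events.
                frac = (i - prev) / (nxt - prev)
                ts = stamps[prev] + frac * (stamps[nxt] - stamps[prev])
                source = "interpolated"
        out.append({"time": ts, "source": source, "raw": raw})
    return out
```

Keeping the `source` marker lets an analyst building an incident timeline distinguish estimated time stamps from ones read out of the raw data.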
Specification