Discovering fields to filter data returned in response to a search
Abstract
Fields may be discovered in events that are returned in response to an initial search. The events may comprise portions of raw data. Furthermore, the fields may be defined by extraction rules for extracting values from corresponding portions of raw data. The displaying of a graphical user interface (GUI) may be caused where the GUI enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar. At least one criterion for at least one field from the subset of the discovered fields may be received through a portion of the GUI that does not include a search bar for entering a search query. The events returned in response to the initial search query may be caused to be filtered based on the received criterion.
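The flow summarized in the abstract, together with the field scoring recited in claims 1, 6 and 11, can be sketched in a few functions. This is an added example, not code from the patent or from any product: the log lines are constructed, and the rule names, regular expressions and function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample events (raw log lines); not taken from the patent.
EVENTS = [
    "2024-05-01T10:00:01Z sshd[311]: Failed password for root from 203.0.113.7 port 50122",
    "2024-05-01T10:00:04Z sshd[311]: Failed password for admin from 203.0.113.7 port 50130",
    "2024-05-01T10:01:12Z sshd[402]: Accepted password for alice from 198.51.100.20 port 40022",
    "2024-05-01T10:02:30Z sudo: alice : COMMAND=/usr/bin/id",
]

# Hypothetical extraction rules: field name -> regex with one capture group.
RULES = {
    "user": re.compile(r"for (\w+) from"),
    "src_ip": re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})"),
    "action": re.compile(r"\b(Failed|Accepted) password"),
    "command": re.compile(r"COMMAND=(\S+)"),
}

def discover_fields(events, rules=RULES):
    """Apply every rule to every event; return one {field: value} dict per event."""
    return [{n: m.group(1) for n, rx in rules.items() if (m := rx.search(e))}
            for e in events]

def score_fields(extracted):
    """Per field: (number of events containing it, number of unique values)."""
    values = defaultdict(list)
    for fields in extracted:
        for name, value in fields.items():
            values[name].append(value)
    return {n: (len(v), len(set(v))) for n, v in values.items()}

def fields_to_display(scores, threshold_pct):
    """Keep the top threshold_pct percent of fields, ranked by event coverage."""
    ranked = sorted(scores, key=lambda n: (-scores[n][0], n))
    keep = max(1, round(len(ranked) * threshold_pct / 100))
    return ranked[:keep]

def filter_events(events, extracted, criteria):
    """Filter the already-returned events by field criteria, without a new query."""
    return [e for e, f in zip(events, extracted)
            if all(f.get(k) == v for k, v in criteria.items())]
```

Ranking by event coverage surfaces fields an analyst can filter on across most results, while the unique-value count in the same tuple shows which of those fields actually discriminate between events.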
40 Claims
1. A method comprising:
- accessing events returned in response to an initial search query, the accessed events comprising portions of raw data;
- discovering fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
- causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
- receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
- causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
- determining a number of the returned events that comprise a first field of the discovered fields; and
- calculating a score for the first field based on the number of the returned events that comprise the first field, wherein a first field name associated with the first field is selected to be displayed in the GUI based on the calculated score.

Dependent claims: 2, 3, 4, 5
6. A method comprising:
- accessing events returned in response to an initial search query, the accessed events comprising portions of raw data;
- discovering fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
- causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
- receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
- causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
- determining a number of unique values of a first field of the discovered fields; and
- calculating a score for the first field based on the number of unique values of the first field, wherein a first field name associated with the first field is selected to be displayed in the GUI based on the calculated score.

Dependent claims: 7, 8, 9, 10
11. A method comprising:
- accessing events returned in response to an initial search query, the accessed events comprising portions of raw data;
- discovering fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
- causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
- receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
- causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
- calculating a score for each of the discovered fields; and
- receiving a threshold percentage of the discovered fields to display in the GUI, wherein the set of field names associated with at least a portion of the discovered fields are selected to be displayed in the GUI based on the threshold percentage and the calculated score for each of the discovered fields, wherein the threshold percentage indicates a percentage of the discovered fields to be selected to be displayed in the GUI.

Dependent claims: 12, 13, 14, 15
16. A method comprising:
- accessing events returned in response to an initial search query, the accessed events comprising portions of raw data;
- discovering fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
- causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
- receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
- causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
- generating a data model based on discovered fields and the initial search query.

Dependent claims: 17, 18, 19, 20
21. A method comprising:
- accessing events returned in response to an initial search query, the accessed events comprising portions of raw data;
- discovering fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
- causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
- receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
- causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
- generating a data model based on the discovered fields; and
- modifying a search defining events to which a data model is applicable based on the one or more discovered fields associated with the selected one or more field names.

Dependent claims: 22, 23, 24, 25
26. A method comprising:
- accessing events returned in response to an initial search query, the accessed events comprising portions of raw data;
- discovering fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
- causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
- receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
- causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
- generating a data model based on the initial search query and the discovered fields;
- saving the data model; and
- applying the data model to a different data set than was searched using the initial search query.

Dependent claims: 27, 28, 29, 30
31. A system comprising:
- a memory; and
- a processing device coupled to the memory, to:
  - access events returned in response to an initial search query, the accessed events comprising portions of raw data;
  - discover fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
  - cause display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
  - receive through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
  - cause the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
  - determine a number of the returned events that comprise a first field of the discovered fields; and
  - calculate a score for the first field based on the number of the returned events that comprise the first field, wherein a first field name associated with the first field is selected to be displayed in the GUI based on the calculated score.

Dependent claim: 32
33. A system comprising:
- a memory; and
- a processing device coupled to the memory, to:
  - access events returned in response to an initial search query, the accessed events comprising portions of raw data;
  - discover fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
  - cause display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
  - receive through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
  - cause the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
  - determine a number of unique values of a first field of the discovered fields; and
  - calculate a score for the first field based on the number of unique values of the first field, wherein a first field name associated with the first field is selected to be displayed in the GUI based on the calculated score.

Dependent claim: 34
35. A system comprising:
- a memory; and
- a processing device coupled to the memory, to:
  - access events returned in response to an initial search query, the accessed events comprising portions of raw data;
  - discover fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
  - cause display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
  - receive through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
  - cause the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
  - generate a data model based on discovered fields and the initial search query.

Dependent claim: 36
37. One or more non-transitory computer readable storage media storing instructions which, when executed by one or more computing devices, cause:
- accessing events returned in response to an initial search query, the accessed events comprising portions of raw data;
- discovering fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
- causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
- receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
- causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field;
- determining a number of the returned events that comprise a first field of the discovered fields; and
- calculating a score for the first field based on the number of the returned events that comprise the first field, wherein a first field name associated with the first field is selected to be displayed in the GUI based on the calculated score.

Dependent claim: 38
39. One or more non-transitory computer readable storage media storing instructions which, when executed by one or more computing devices, cause:
- accessing events returned in response to an initial search query, the accessed events comprising portions of raw data;
- discovering fields in the accessed events, the fields being defined by extraction rules each comprising a regular expression for extracting values from corresponding portions of raw data;
- causing display of a graphical user interface (GUI) that enables a user to select or enter criteria for a subset of the discovered fields without entering a search query in a search bar;
- receiving through a portion of the GUI that does not include a search bar for entering a search query at least one criterion for at least one field from the subset of the discovered fields;
- causing, by a processing device, the events returned in response to the initial search query to be filtered based on the received at least one criterion for the at least one field; and
- generating a data model based on discovered fields and the initial search query.

Dependent claim: 40
Specification