Flexible schema column store
Abstract
Embodiments are directed towards receiving and processing search queries directed towards relatively large sets of data. The data is stored in a record based datastore. From the stored data, field names, corresponding field values, and posting values may be determined. Posting values may be employed to locate records in the datastore that include the field names and field values. The field names, field values, and posting values may be employed to generate a lexicon. If queries are received, a lexicon query processor may employ the lexicon separate from the datastore to generate responses to the received queries. Queries may include clauses that may be processed using the lexicon separate from the datastore, such as, where clause expressions, group-by clause expressions, aggregation functions, or the like. A time values array may be used to enable queries to process group-by-time expressions that may return results grouped into sub-sets based on time ranges.
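An illustrative sketch of the approach the abstract describes, added here and not taken from the patent or any product: a lexicon of field names, field values and posting values answers a count grouped by time without reading the records, and a raw scan over the time range supplements it. The `key=value` extraction, the names `build_lexicon` and `count_by_time`, the constructed authentication events, and the choice to have the supplement cover only events the lexicon has not yet summarized are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events: (epoch timestamp, raw log text).
EVENTS = [
    (1000, "action=login user=alice status=failure"),
    (1030, "action=login user=alice status=failure"),
    (1065, "action=login user=bob status=success"),
    (1130, "action=login user=alice status=success"),
    (1150, "login attempt: status=failure for carol"),  # not yet in the lexicon
]

KV = re.compile(r"(\w+)=(\w+)")  # assumed field extraction rule


def build_lexicon(events):
    """Map field name -> field value -> posting values (record positions)."""
    lexicon = defaultdict(lambda: defaultdict(list))
    time_values = []  # time values array: posting value -> timestamp
    for pos, (ts, raw) in enumerate(events):
        time_values.append(ts)
        for name, value in KV.findall(raw):
            lexicon[name][value].append(pos)
    return lexicon, time_values


def count_by_time(lexicon, time_values, events, field, value, start, end, span):
    """Count events where field == value in [start, end), grouped by span seconds."""
    buckets = defaultdict(int)

    def bucket(ts):
        return start + (ts - start) // span * span

    # (i) Lexicon only: postings and the time values array, no record reads.
    for pos in lexicon.get(field, {}).get(value, []):
        ts = time_values[pos]
        if start <= ts < end:
            buckets[bucket(ts)] += 1
    # (ii) Supplement: scan raw events in the time range, independent of the
    # lexicon. Assumption: only events past the lexicon's coverage are scanned.
    for ts, raw in events[len(time_values):]:
        if start <= ts < end and dict(KV.findall(raw)).get(field) == value:
            buckets[bucket(ts)] += 1
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    lex, tv = build_lexicon(EVENTS[:4])  # lexicon covers the first four events
    print(count_by_time(lex, tv, EVENTS, "status", "failure", 1000, 1200, 60))
```
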
30 Claims
1. A method comprising:
providing a datastore comprising a plurality of time-stamped, searchable events, each event having a portion of raw data and a timestamp extracted from the portion of raw data, the portion of raw data produced by at least one hardware system;
providing a data structure that contains a plurality of field names, each field name among the plurality of field names associated with a set of pointers to time-stamped, searchable events having a value for a field referred to by the field name;
receiving an incoming search query that references one or more field names among the plurality of field names contained in the data structure and a time range criteria; and
in response to the incoming search query, servicing the incoming search query by:
(i) executing the incoming search query across the data structure, wherein one or more values from the data structure are used to create a search result; and
(ii) supplementing the search result by executing a search comprising the time range criteria of the incoming search query across the time-stamped searchable events, independent of the data structure.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A network device comprising:
a transceiver that is operative to communicate over a network;
a memory that is operative to store at least instructions; and
a processor device that is operative to execute instructions that enable actions, including:
providing a datastore comprising a plurality of time-stamped, searchable events, each event having a portion of raw data and a timestamp extracted from the portion of raw data, the portion of raw data produced by at least one hardware system;
providing a data structure that contains a plurality of field names, each field name among the plurality of field names associated with a set of pointers to time-stamped, searchable events having a value for a field referred to by the field name;
receiving an incoming search query that references one or more field names among the plurality of field names contained in the data structure and a time range criteria; and
in response to the incoming search query, servicing the incoming search query by:
(i) executing the incoming search query across the data structure, wherein one or more values from the data structure are used to create a search result; and
(ii) supplementing the search result by executing a search comprising the time range criteria of the incoming search query across the time-stamped searchable events, independent of the data structure.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A processor readable non-transitive storage media that includes instructions wherein execution of the instructions by a processor device enables actions, comprising:
providing a datastore comprising a plurality of time-stamped, searchable events, each event having a portion of raw data and a timestamp extracted from the portion of raw data, the portion of raw data produced by at least one hardware system;
providing a data structure that contains a plurality of field names, each field name among the plurality of field names associated with a set of pointers to time-stamped, searchable events having a value for a field referred to by the field name;
receiving an incoming search query that references one or more field names among the plurality of field names contained in the data structure and a time range criteria; and
in response to the incoming search query, servicing the incoming search query by:
(i) executing the incoming search query across the data structure, wherein one or more values from the data structure are used to create a search result; and
(ii) supplementing the search result by executing a search comprising the time range criteria of the incoming search query across the time-stamped searchable events, independent of the data structure.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30
Specification