Defining fields from particular occurrences of field labels in events
First Claim
1. A computer-implemented method, comprising:
accessing a set of events in a data store, each event in the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
automatically identifying a field for the set of events based on determining the portion of raw machine data of a first event includes text corresponding to a field label of the field and an associated value; and
defining the identified field by an extraction rule for producing a first value for the identified field for a second event in association with a first occurrence of the field label in the portion of raw machine data of the second event, wherein a second value is not produced for the field in association with a second occurrence of the field label in the portion of raw machine data.
Abstract
First one or more values are extracted from a plurality of events using a first extraction rule. The extracted first one or more values are assigned to a first field of the plurality of events as a first set of field-data item pairs and a field label is assigned to the first field. Second one or more values and a field label corresponding to the second one or more values are extracted from the plurality of the events using a second extraction rule, where the extracted field label corresponds to the assigned field label of the first field. The extracted second one or more values are assigned to a second field of the plurality of events as a second set of field-data item pairs, thereby distinguishing the extracted second one or more values from the extracted first one or more values.
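The behaviour the abstract and claim 1 describe can be illustrated as follows. This is an added example, not code from the patent or from any product: the sample events are constructed, and the function names and the `user_2` naming for the second field are assumptions. It contrasts rules bound to a particular occurrence of a repeated label with a naive last-wins key=value parse.

```python
import re

# Constructed sample events: the label "user" occurs twice in each raw event.
EVENTS = [
    "ts=2024-01-01T10:00:00Z action=su user=alice src=10.0.0.5 cmd=/bin/su user=root",
    "ts=2024-01-01T10:00:07Z action=su user=bob src=10.0.0.9 cmd=/bin/su user=admin",
]

PAIR = re.compile(r"\b(\w+)=(\S+)")  # label=value text in raw machine data


def occurrence_rule(label, n):
    """Extraction rule tied to the n-th (1-based) occurrence of a field label."""
    pattern = re.compile(r"\b" + re.escape(label) + r"=(\S+)")

    def rule(raw):
        hits = pattern.findall(raw)
        return hits[n - 1] if len(hits) >= n else None

    return rule


def define_fields(events):
    """Identify fields from the first event; a repeated label gets one field per occurrence."""
    labels = [label for label, _ in PAIR.findall(events[0])]
    rules = {}
    for label in labels:
        rules[label] = occurrence_rule(label, 1)  # first occurrence only
        for n in range(2, labels.count(label) + 1):
            rules[f"{label}_{n}"] = occurrence_rule(label, n)  # hypothetical naming
    return rules


def apply_rules(rules, raw):
    """Run every defined rule over one raw event, dropping fields with no match."""
    out = {}
    for field, rule in rules.items():
        value = rule(raw)
        if value is not None:
            out[field] = value
    return out


def naive_last_wins(raw):
    """Contrast case: a plain dict build lets the later occurrence overwrite the first."""
    return dict(PAIR.findall(raw))


if __name__ == "__main__":
    rules = define_fields(EVENTS)
    print(apply_rules(rules, EVENTS[1]))
    print(naive_last_wins(EVENTS[1]))
```

With occurrence-bound rules, a search on `user` in the second event returns the invoking account, while the last-wins parse would attribute the event to the target account.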
30 Claims
1. A computer-implemented method, comprising:
accessing a set of events in a data store, each event in the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
automatically identifying a field for the set of events based on determining the portion of raw machine data of a first event includes text corresponding to a field label of the field and an associated value; and
defining the identified field by an extraction rule for producing a first value for the identified field for a second event in association with a first occurrence of the field label in the portion of raw machine data of the second event, wherein a second value is not produced for the field in association with a second occurrence of the field label in the portion of raw machine data.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
20. A system, comprising:
one or more data processors; and
one or more computer-readable storage media containing instructions which when executed on the one or more data processors, cause the one or more processors to perform operations including;
accessing a set of events in a data store, each event in the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
automatically identifying a field for the set of events based on determining the portion of raw machine data of a first event includes text corresponding to a field label of the field and an associated value; and
defining the identified field by an extraction rule for producing a first value for the identified field for a second event in association with a first occurrence of the field label in the portion of raw machine data of the second event, wherein a second value is not produced for the field in association with a second occurrence of the field label in the portion of raw machine data.
Dependent claims: 21, 22, 23, 24, 25
26. One or more non-transitory computer-storage media storing computer-useable instructions that, when executed by a computing device, perform a method, the method comprising:
accessing a set of events in a data store, each event in the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
automatically identifying a field for the set of events based on determining the portion of raw machine data of a first event includes text corresponding to a field label of the field and an associated value; and
defining the identified field by an extraction rule for producing a first value for the identified field for a second event in association with a first occurrence of the field label in the portion of raw machine data of the second event, wherein a second value is not produced for the field in association with a second occurrence of the field label in the portion of raw machine data.
Dependent claims: 27, 28, 29, 30
Specification