Defining fields from particular occurences of field labels in events

US 9,842,160 B2
Filed: 01/30/2015
Issued: 12/12/2017
Est. Priority Date: 01/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

accessing a set of events in a data store, each event in the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;

automatically identifying a field for the set of events based on determining the portion of raw machine data of a first event includes text corresponding to a field label of the field and an associated value; and

defining the identified field by an extraction rule for producing a first value for the identified field for a second event in association with a first occurrence of the field label in the portion of raw machine data of the second event, wherein a second value is not produced for the field in association with a second occurrence of the field label in the portion of raw machine data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

First one or more values are extracted from a plurality of events using a first extraction rule. The extracted first one or more values are assigned to a first field of the plurality of events as a first set of field-data item pairs and a field label is assigned to the first field. Second one or more values and a field label corresponding to the second one or more values are extracted from the plurality of the events using a second extraction rule, where the extracted field label corresponds to the assigned field label of the first field. The extracted second one or more values are assigned to a second field of the plurality of events as a second set of field-data item pairs, thereby distinguishing the extracted second one or more values from the extracted first one or more values.

152 Citations

30 Claims

1. A computer-implemented method, comprising:
- accessing a set of events in a data store, each event in the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
  
  automatically identifying a field for the set of events based on determining the portion of raw machine data of a first event includes text corresponding to a field label of the field and an associated value; and
  
  defining the identified field by an extraction rule for producing a first value for the identified field for a second event in association with a first occurrence of the field label in the portion of raw machine data of the second event, wherein a second value is not produced for the field in association with a second occurrence of the field label in the portion of raw machine data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the automatically identifying the field includes identifying the field label and the associated value in the portion of raw machine data of the first event.
  - 3. The method of claim 1, wherein the automatically identifying the field includes identifying the field label and the associated value in another field extracted from the portion of raw machine data of the first event.
  - 4. The method of claim 1, wherein the determining is based on identifying at least one designated demarcating character separating a first subportion of the text representing the field label from a second subportion of the text representing the associated value.
  - 5. The method of claim 1, wherein the automatically identifying is part of executing a command that automatically identifies and extracts a plurality of fields for the set of events from a first field, each field being identified by a corresponding field label identified within text of values of the first field.
  - 6. The method of claim 1, wherein the automatically identifying is part of executing a command that automatically identifies the field, produces values for the field from values of a first field, and associates the produced values with corresponding events of the set of events.
  - 7. The method of claim 1, wherein the automatically identifying is part of executing a command that automatically identifies the field, produces values for the field from the portion of raw machine data of a plurality of the events, and associates the produced values with corresponding ones of the events.
  - 8. The computer-implemented method of claim 1, wherein the extraction rule comprises instructions defining identification and extraction of the first value for field in association with the first occurrence of the field label.
  - 9. The method of claim 1, further comprising defining an additional field by another extraction rule for producing the second value for the additional field for the second event in association with the second occurrence of the field label in the portion of raw machine data of the second event, wherein the first value is not produced for the additional field in association with the first occurrence of the field label in the portion of raw machine data.
  - 10. The method of claim 1, further comprising assigning the first value to the field based on identifying the field label corresponds to a field name of a different field.
  - 11. The method of claim 1, further comprising:
    - identifying the field label corresponds to a field name of a different field; and
      
      causing an option to be presented based on the identified correspondence, the option being user selectable to cause the first value to be assigned to the field.
  - 12. The method of claim 1, further comprising assigning a field name to the identified field that is different than the field label.
  - 13. The method of claim 1, further comprising assigning a modified version of the field label extracted from the text to the field as a field name.
  - 14. The method of claim 1, wherein the automatically identifying is part of executing a command that extracts the field label from a value of an additional field, combines the extracted field label with a field name of the additional field, and assigns the combination as a field name of the field.
  - 15. The method of claim 1, comprising applying a late-binding schema to the set of events, the late-binding schema extracting values of the field using the extraction rule.
  - 16. The method of claim 1, further comprising producing values of the field from text from the portion of raw machine data of at least some of the events in the data store as part of a command of a search query executed by a search system.
  - 17. The method of claim 1, wherein the extraction rule includes at least one regular expression.
  - 18. The method of claim 1, wherein the automatically identifying the field is performed based on a user selection of at least some of the text within either a value extracted from the portion of raw machine data of the first event, or the portion of raw machine data.
  - 19. The method of claim 1, further comprising:
    - causing execution of a search query, wherein values of the identified field are extracted from text from at least some of the events as part of a command of the search query; and
      
      causing display of at least some of the events in a search interface with at least some of the values of the identified field.

20. A system, comprising:
- one or more data processors; and
  
  one or more computer-readable storage media containing instructions which when executed on the one or more data processors, cause the one or more processors to perform operations including;
  
  accessing a set of events in a data store, each event in the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
  
  automatically identifying a field for the set of events based on determining the portion of raw machine data of a first event includes text corresponding to a field label of the field and an associated value; and
  
  defining the identified field by an extraction rule for producing a first value for the identified field for a second event in association with a first occurrence of the field label in the portion of raw machine data of the second event, wherein a second value is not produced for the field in association with a second occurrence of the field label in the portion of raw machine data.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The system of claim 20, wherein the automatically identifying the field includes identifying the field label and the associated value in the portion of raw machine data of the first event.
  - 22. The system of claim 20, wherein the automatically identifying the field includes identifying the field label and the associated value in another field extracted from the portion of raw machine data of the first event.
  - 23. The system of claim 20, wherein the determining is based on identifying at least one designated demarcating character separating a first subportion of the text representing the field label from a second subportion of the text representing the associated value.
  - 24. The system of claim 20, wherein the automatically identifying is part of executing a command that automatically identifies and extracts a plurality of fields for the set of events from a first field, each field being identified by a corresponding field label identified within text of values of the first field.
  - 25. The system of claim 20, wherein the automatically identifying is part of executing a command that automatically identifies the field, produces values for the field from values of a first field, and associates the produced values with corresponding events of the set of events.

26. One or more non-transitory computer-storage media storing computer-useable instructions that, when executed by a computing device, perform a method, the method comprising:
- accessing a set of events in a data store, each event in the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
  
  automatically identifying a field for the set of events based on determining the portion of raw machine data of a first event includes text corresponding to a field label of the field and an associated value; and
  
  defining the identified field by an extraction rule for producing a first value for the identified field for a second event in association with a first occurrence of the field label in the portion of raw machine data of the second event, wherein a second value is not produced for the field in association with a second occurrence of the field label in the portion of raw machine data.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The computer-storage media of claim 26, wherein the automatically identifying the field includes identifying the field label and the associated value in the portion of raw machine data of the first event.
  - 28. The computer-storage media of claim 26, wherein the automatically identifying the field includes identifying the field label and the associated value in another field extracted from the portion of raw machine data of the first event.
  - 29. The computer-storage media of claim 26, wherein the determining is based on identifying at least one designated demarcating character separating a first subportion of the text representing the field label from a second subportion of the text representing the associated value.
  - 30. The computer-storage media of claim 26, wherein the automatically identifying is part of executing a command that automatically identifies and extracts a plurality of fields for the set of events from a first field, each field being identified by a corresponding field label identified within text of values of the first field.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Robichaud, Marc Vincent
Primary Examiner(s)
Bullock, Joshua

Application Number

US14/610,676
Publication Number

US 20160224659A1
Time in Patent Office

1,047 Days
Field of Search

707722
US Class Current
CPC Class Codes

G06F 16/313 Selection or weighting of t...

G06F 3/04842 Selection of displayed obje...

Defining fields from particular occurences of field labels in events

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

152 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Defining fields from particular occurences of field labels in events

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

152 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links