Storing log data as events and performing a search on the log data and data obtained from a real-time monitoring environment

US 9,922,067 B2
Filed: 07/27/2017
Issued: 03/20/2018
Est. Priority Date: 10/05/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining log data generated by at least one component in an information processing environment and reflecting activity in the information processing environment;

obtaining data that is not log data from a real-time monitoring environment;

storing at least a subset of the log data in a searchable time series data store as a plurality of events, wherein each event includes at least a portion of the log data and is associated with a time stamp extracted from the log data;

storing the data that is not log data obtained from the real-time monitoring environment in the searchable time series data store;

receiving a search query that includes search criteria identifying a relationship between the log data and the data that is not log data obtained from the real-time monitoring environment; and

executing the search query to identify the log data and the data that is not log data obtained from the real-time monitoring environment that meet the search criteria.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus consistent with the invention provide the ability to organize, index, search, and present time series data based on searches. Time series data are sequences of time stamped records occurring in one or more usually continuous streams, representing some type of activity. In one embodiment, time series data is stored as discrete events time stamps. A search is received and relevant event information is retrieved based in whole or in part on the time stamp, a keyword indexing mechanism, or statistical indices calculated at the time of the search.

Citations

30 Claims

1. A computer-implemented method, comprising:
- obtaining log data generated by at least one component in an information processing environment and reflecting activity in the information processing environment;
  
  obtaining data that is not log data from a real-time monitoring environment;
  
  storing at least a subset of the log data in a searchable time series data store as a plurality of events, wherein each event includes at least a portion of the log data and is associated with a time stamp extracted from the log data;
  
  storing the data that is not log data obtained from the real-time monitoring environment in the searchable time series data store;
  
  receiving a search query that includes search criteria identifying a relationship between the log data and the data that is not log data obtained from the real-time monitoring environment; and
  
  executing the search query to identify the log data and the data that is not log data obtained from the real-time monitoring environment that meet the search criteria.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The computer-implemented method of claim 1, wherein the search criteria includes finding similar data.
  - 3. The computer-implemented method of claim 1, wherein the search criteria includes finding related data.
  - 4. The computer-implemented method of claim 1, wherein the data that is not log data obtained from the real-time monitoring environment includes sensor data.
  - 5. The computer-implemented method of claim 1, wherein the data that is not log data obtained from the real-time monitoring environment includes measurement data.
  - 6. The computer-implemented method of claim 1, wherein the data that is not log data obtained from the real-time monitoring environment includes operational performance data.
  - 7. The computer-implemented method of claim 1, wherein the search criteria includes a defined time range.
  - 8. The computer-implemented method of claim 1, wherein the search criteria includes a frequency of distribution.
  - 9. The computer-implemented method of claim 1, wherein the search criteria includes a pattern of occurrence.
  - 10. The computer-implemented method of claim 1, further comprising causing display of data identified by executing the search query.
  - 11. The computer-implemented method of claim 1, wherein the search criteria includes a defined time range, and wherein the computer-implemented method further comprises causing display of data identified by executing the search query.
  - 12. The computer-implemented method of claim 1, further comprising providing data identified by executing the search query through an application program interface (API).
  - 13. The computer-implemented method of claim 1, wherein the log data comes from two or more sources.
  - 14. The computer-implemented method of claim 1, wherein the data that is not log data obtained from the real-time monitoring environment comes from two or more sources.
  - 15. The computer-implemented method of claim 1, wherein at least some of the data that is not log data obtained from the real-time monitoring environment is obtained synchronously.
  - 16. The computer-implemented method of claim 1, wherein at least some of the data that is not log data obtained from the real-time monitoring environment is obtained asynchronously.
  - 17. The computer-implemented method of claim 1, wherein at least some of the data that is not log data obtained from the real-time monitoring environment is obtained synchronously and at least some of the data that is not log data obtained from the real-time monitoring environment is obtained asynchronously.
  - 18. The computer-implemented method of claim 1, further comprising time stamping the log data prior to storing the log data in the searchable time series data store.
  - 19. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - identifying boundaries within the log data that separate the log data into sections; and
      
      storing at least a portion of each section as an event of the plurality of events in the searchable time series data store.
  - 20. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - identifying boundaries within the log data that separate the log data into sections;
      
      extracting a time stamp from each section; and
      
      storing, in the searchable time series data store, at least a portion of each section as an event of the plurality of events in association with the time stamp extracted from that section.
  - 21. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - identifying boundaries within the log data that separate the log data into sections;
      
      extracting a time stamp from each section; and
      
      storing at least a portion of each section as an event of the plurality of events in chronological order based on the time stamp extracted from that section.
  - 22. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - identifying boundaries within the log data that separate the log data into sections;
      
      classifying the sections by domain;
      
      extracting time stamps from the sections based on the domain; and
      
      for each section, storing at least a portion of the section as an event of the plurality of events in the searchable time series data store.
  - 23. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - identifying boundaries within the log data that separate the log data into sections;
      
      classifying the sections by domain;
      
      interpolating a time stamp for at least one section of the sections that is not classified in a domain with a known time stamp format; and
      
      storing the at least one section as an event of the plurality of events in the searchable time series data store.
  - 24. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - aggregating the log data into the plurality of events;
      
      time stamping the plurality of events; and
      
      storing the plurality of events in the searchable time series data store.
  - 25. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - aggregating the log data into the plurality of events;
      
      time stamping the plurality of events; and
      
      storing the plurality of events in the searchable time series data store in chronological order based on the time stamping.
  - 26. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - aggregating the log data into the plurality of events using extraction to detect a beginning and ending of the plurality of events; and
      
      storing the plurality of events in the searchable time series data store.
  - 27. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - aggregating the log data into the plurality of events using machine learning to identify boundaries between events; and
      
      storing the plurality of events in the searchable time series data store.
  - 28. The computer-implemented method of claim 1, wherein storing the log data as the plurality of events comprises:
    - aggregating the log data into the plurality of events;
      
      time stamping the plurality of events;
      
      combining a group of the plurality of events into a hot index, which is not searchable and does not persist; and
      
      converting the hot index into a warm index when the hot index is at capacity, the warm index being stored in the searchable time series data store.

29. A system comprising:
- a memory; and
  
  a processing device coupled with the memory to;
  
  obtain log data generated by at least one component in an information processing environment and reflecting activity in the information processing environment,obtain data that is not log data from a real-time monitoring environment,store at least a subset of the log data in a searchable time series data store as a plurality of events, wherein each event includes at least a portion of the log data and is associated with a time stamp extracted from the log data,store the data that is not log data obtained from the real-time monitoring environment in the searchable time series data store,receive a search query that includes search criteria identifying a relationship between the log data and the data that is not log data obtained from the real-time monitoring environment, andexecute the search query to identify the log data and the data that is not log data obtained from the real-time monitoring environment that meet the search criteria.

30. A non-transitory computer-readable medium encoding instructions thereon that, in response to execution by one or more processing devices, cause the one or more processing devices to:
- obtain log data generated by at least one component in an information processing environment and reflecting activity in the information processing environment;
  
  obtain data that is not log data from a real-time monitoring environment;
  
  store at least a subset of the log data in a searchable time series data store as a plurality of events;
  
  wherein each event includes at least a portion of the log data and is associated with a time stamp extracted from the log data;
  
  store the data that is not log data obtained from the real-time monitoring environment in the searchable time series data store;
  
  receive a search query that includes search criteria identifying a relationship between the log data and the data that is not log data obtained from the real-time monitoring environment; and
  
  execute the search query to identify the log data and the data that is not log data obtained from the real-time monitoring environment that meet the search criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Baum, Michael Joseph, Carasso, R. David, Das, Robin Kumar, Greene, Rory, Hall, Bradley, Mealy, Nicholas Christian, Murphy, Brian Philip, Sorkin, Stephen Phillip, Stechert, Andre David, Swan, Erik M.
Primary Examiner(s)
Arjomandi, Noosha

Application Number

US15/661,286
Publication Number

US 20170344591A1
Time in Patent Office

236 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2228   Indexing structures

G06F 16/2272   Management thereof

G06F 16/2291   User-Defined Types; Storage...

G06F 16/2322   using timestamps

G06F 16/24568   Data stream processing; Con...

G06F 16/24575   using context

G06F 16/24578   using ranking

G06F 16/2477   Temporal data queries

G06F 16/248   Presentation of query results

G06F 16/951   Indexing; Web crawling tech...

Storing log data as events and performing a search on the log data and data obtained from a real-time monitoring environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Storing log data as events and performing a search on the log data and data obtained from a real-time monitoring environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links