Event limited field picker

US 9,922,099 B2
Filed: 10/30/2014
Issued: 03/20/2018
Est. Priority Date: 09/30/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for machine-data analysis of activity by a component in an information technology environment, comprising:

accessing a set of events in a data store in response to a query, each event including a portion of raw machine data that reflects the activity in the information technology environment and is produced by the component of the information technology environment, each event associated with a timestamp extracted from the portion of raw machine data associated with the event;

causing display of a plurality of events, of the accessed set of events as search results of the query;

receiving a first user selection of a particular event in the displayed plurality of events;

based on receiving the first user selection of the particular event, causing display of a field information panel that displays fields having corresponding values for the particular event, each field defined by an extraction rule that when applied extracts a portion of a character string that represents the portion of raw machine data of the particular event by identifying a pattern in the character string to generate the corresponding value for the field from the portion of the character string, the display of the field information panel being in the display of the plurality of events; and

based on receiving a second user selection of at least one of the fields displayed in the field information panel, executing an updated query that corresponds to the at least one of the fields, and causing an update to the displayed plurality of events to display a new set of the events that are search results of the updated query.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An event limited field picker for a search user interface is described. In one or more implementations, a service may operate to collect and store data as events each of which includes a portion of the data correlated with a point in time. Clients may use a search user interface perform searches by input of search criteria. Responsive to receiving search criteria, the service may operate to apply a late binding schema to extract events that match the search criteria and provide search results for display via the search user interface. The search user interface exposes an event limited field picker operable to make selections of fields with respect to individual events in a view of the search results. In response to receiving an indication of a fields selected via the picker, visibility of selected fields may be updated to control which field and values are included in different views.

87 Citations

View as Search Results

30 Claims

1. A computer-implemented method for machine-data analysis of activity by a component in an information technology environment, comprising:
- accessing a set of events in a data store in response to a query, each event including a portion of raw machine data that reflects the activity in the information technology environment and is produced by the component of the information technology environment, each event associated with a timestamp extracted from the portion of raw machine data associated with the event;
  
  causing display of a plurality of events, of the accessed set of events as search results of the query;
  
  receiving a first user selection of a particular event in the displayed plurality of events;
  
  based on receiving the first user selection of the particular event, causing display of a field information panel that displays fields having corresponding values for the particular event, each field defined by an extraction rule that when applied extracts a portion of a character string that represents the portion of raw machine data of the particular event by identifying a pattern in the character string to generate the corresponding value for the field from the portion of the character string, the display of the field information panel being in the display of the plurality of events; and
  
  based on receiving a second user selection of at least one of the fields displayed in the field information panel, executing an updated query that corresponds to the at least one of the fields, and causing an update to the displayed plurality of events to display a new set of the events that are search results of the updated query.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the display of fields comprises a name used to reference a field in a search query.
  - 3. The method of claim 1, further comprising causing display in the field information panel of the corresponding value for each of the fields displayed in the panel.
  - 4. The method of claim 1, further comprising causing display in the field information panel of a statistic based on the corresponding value for each field of the fields.
  - 5. The method of claim 1, further comprising causing display in the field information panel of a statistic based on the corresponding value for each field of the fields, the statistic representing a percentage of events that have the corresponding value for the field relative to a set of events that were retrieved by a search query and that include at least the plurality of displayed events.
  - 6. The method of claim 1, further comprising causing display in the field information panel of both the corresponding value for each field of the fields and a statistic based on the corresponding value.
  - 7. The method of claim 1, further comprising causing display in the field information panel of the portion of raw machine data included in the selected event.
  - 8. The method of claim 1, further comprising causing display in the field information panel of both the corresponding value for each field of the fields and the portion of raw machine data included in the selected event.
  - 9. The method of claim 1, wherein the accessing of the set of events is in response to a search query, and wherein the method further comprises:
    - causing display in the field information panel of the corresponding value for each field of the fields;
      
      receiving a selection from the field information panel corresponding to a particular displayed field of the fields;
      
      based on receiving the selection identifying a subset of the set of events that have a same value for the particular displayed field as the selected particular event; and
      
      causing display of the subset of the set of events.
  - 10. The method of claim 1, wherein the accessing of the set of events is in response to a search query, and wherein the method further comprises:
    - causing display in the field information panel of the corresponding value for each field of the fields;
      
      receiving a selection from the field information panel corresponding to a particular displayed field of the fields;
      
      based on receiving the selection, identifying a subset of the set of events that have a same value for the particular displayed field as the selected particular event;
      
      causing display of the subset of the set of events; and
      
      causing emphasis of the same value in each event in the displayed subset of the set of events.
  - 11. The method of claim 1, further comprising causing display in the field information panel of an interactive element for selecting one or more particular fields of the fields, the selecting causing corresponding field values to be displayed for the plurality of events.
  - 12. The method of claim 1, further comprising:
    - causing display in the field information panel of an interactive element for selecting one or more particular fields associated with the displayed fields;
      
      receiving a selection through the interactive element of the one or more particular fields; and
      
      causing display in a table format of events retrieved using a search query, the table format including information about values for the displayed events for the selected one or more particular fields.
  - 13. The method of claim 1, further comprising:
    - causing display in the field information panel of an interactive element for selecting one or more particular fields of the fields;
      
      receiving a selection through the interactive element of the one or more particular fields; and
      
      causing display in a list format of events retrieved using a search query, the list format including for each displayed event information about the values for that event for the selected one or more particular fields.
  - 14. The method of claim 1, further comprising:
    - causing display in the field information panel of an interactive element for selecting one or more particular fields of the fields;
      
      receiving a selection through the interactive element of the one or more particular fields; and
      
      causing display in a list format of events retrieved using a search query, the list format including for each displayed event information about the values for that event for the selected one or more particular fields, the information corresponding to a given event displayed proximate to raw machine data included in the given event.
  - 15. The method of claim 1, further comprising:
    - causing display in the field information panel of an interactive element for selecting one or more particular fields of the fields;
      
      receiving a selection through the interactive element of the one or more particular fields;
      
      causing display in a second field information panel an identification of the selected one or more particular fields, the second field information panel displaying additional non-selected fields defined for events retrieved by a search query, the second field information panel displayed concurrently with the events retrieved by the search query.
  - 16. The method of claim 1, wherein a first value of the corresponding values of a first field of the fields is generated from a first portion of the character string using a first extraction rule and a second value of the corresponding values of a second field of the fields is generated from a second portion of the character string using a second extraction rule.
  - 17. The method of claim 1, wherein the field information panel is exposed in the display of the plurality of events at a location corresponding to the selected particular event, and the first user selection is of a graphical interface toggle element corresponding to the displayed particular event.
  - 18. The method of claim 1, wherein the portion of raw machine data in at least one of the displayed events comprises unstructured data.

19. One or more non-transitory computer-readable storage media comprising instructions that are stored thereon that, responsive to execution by a computing device, cause the computing device to perform operations for machine-data analysis of activity by a component in an information technology environment, the operations comprising:
- accessing a set of events in a data store in response to a query, each event including a portion of raw machine data that reflects the activity in the information technology environment and is produced by the component of the information technology environment, each event associated with a timestamp extracted from the portion of raw machine data associated with the event;
  
  causing display of a plurality of events, of the accessed set of events as search results of the query;
  
  receiving a first user selection of a particular event in the displayed plurality of events;
  
  based on receiving the first user selection of the particular event, causing display of a field information panel that displays fields having corresponding values for the particular event, each field defined by an extraction rule that when applied extracts a portion of a character string that represents the portion of raw machine data of the particular event by identifying a pattern in the character string to generate the corresponding value for the field from the portion of the character string, the display of the field information panel being in the display of the plurality of events; and
  
  based on receiving a second user selection of at least one of the fields displayed in the field information panel, executing an updated query that corresponds to the at least one of the fields, and causing an update to the displayed plurality of events to display a new set of the events that are search results of the updated query.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. One or more computer-readable storage media as recited in claim 19, further comprising instructions for causing display in the field information panel of the corresponding value of the fields.
  - 21. One or more computer-readable storage media as recited in claim 19, further comprising instructions for causing display in the field information panel of a statistic based on the corresponding value.
  - 22. One or more computer-readable storage media as recited in claim 19, further comprising instructions for causing display in the field information panel of the portion of raw machine data included in the selected event.
  - 23. One or more computer-readable storage media as recited in claim 19, wherein the plurality of displayed events is included in a set of events retrieved by a search query, and further comprising instructions for:
    - causing display in the field information panel of the corresponding value for each field of the fields;
      
      receiving a selection corresponding to a particular field of the fields;
      
      based on receiving the selection corresponding to the particular field, identifying a subset of the set of events that have a same value for the particular field as the selected particular event; and
      
      causing display of the subset of the set of events.
  - 24. One or more computer-readable storage media as recited in claim 19, further comprising instructions for:
    - causing display in the field information panel of an interactive element for selecting one or more particular fields of the fields;
      
      receiving a selection through the interactive element of the one or more particular fields;
      
      causing display in a table format of events retrieved using a search query, the table format including information about values for the displayed events for the selected one or more particular fields.

25. A computer-implemented system comprising:
- at least one processor;
  
  one or more non-transitory computer-readable media storing instructions that when executed via the at least one processor, causes the at least one processor to perform operations for machine-data analysis of activity by a component in an information technology environment, the operations including;
  
  accessing a set of events in a data store in response to a query, each event including a portion of raw machine data that reflects the activity in the information technology environment and is produced by the component of the information technology environment, each event associated with a timestamp extracted from the portion of raw machine data associated with the event;
  
  causing display of a plurality of events, of the accessed set of events as search results of the query;
  
  receiving a first user selection of a particular event in the displayed plurality of events;
  
  based on receiving the first user selection of the particular event, causing display of a field information panel that displays fields having corresponding values for the particular event, each field defined by an extraction rule that when applied extracts a portion of a character string that represents the portion of raw machine data of the particular event by identifying a pattern in the character string to generate the corresponding value for the field from the portion of the character string, the display of the field information panel being in the display of the plurality of events; and
  
  based on receiving a second user selection of at least one of the fields displayed in the field information panel, executing an updated query that corresponds to the at least one of the fields, and causing an update to the displayed plurality of events to display a new set of the events that are search results of the updated query.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. A system as recited in claim 25, wherein the operations further include causing display in the field information panel of the corresponding value for each field of the fields.
  - 27. A system as recited in claim 25, wherein the operations further include causing display in the field information panel of a statistic based on the corresponding value of the fields.
  - 28. A system as recited in claim 25, wherein the operations further include causing display in the field information panel of the portion of raw machine data included in the selected event.
  - 29. A system as recited in claim 25, wherein the operations further include:
    - causing display in the field information panel of the corresponding value for each field of the fields;
      
      receiving a selection corresponding to a particular field of the fields;
      
      based on receiving the selection corresponding to the particular field, identifying a subset of the set of events that have a same value for the particular field as the selected particular event; and
      
      causing display of the subset of the set of events.
  - 30. A system as recited in claim 25, wherein the operations further include:
    - causing display in the field information panel of an interactive element for selecting one or more particular fields of the fields;
      
      receiving a selection through the interactive element of the one or more particular fields;
      
      causing display in a table format of events retrieved using a search query, the table format including information about values for the displayed events for the selected one or more particular fields.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Lamas, Divanny I., Robichaud, Marc Vincent, Yestrau, Carl Sterling
Primary Examiner(s)
Alam, Shahid

Application Number

US14/528,951
Publication Number

US 20160092601A1
Time in Patent Office

1,237 Days
Field of Search

707722
US Class Current
CPC Class Codes

G06F 16/2393   Updating materialised views

G06F 16/2455   Query execution

G06F 16/2477   Temporal data queries

G06F 16/25   Integrating or interfacing ...

G06F 16/26   Visual data mining; Browsin...

G06F 16/9038   Presentation of query results

G06F 3/04817   using icons graphical or vi...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

Event limited field picker

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

87 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Event limited field picker

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links