Column-based table manipulation of event data

US 9,977,803 B2
Filed: 01/30/2015
Issued: 05/22/2018
Est. Priority Date: 01/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

causing display of a set of events that are search results of a search query represented as a search string that specifies a plurality of commands, each event corresponding to a portion of raw machine data associated with a timestamp, the display of the set of events being in a table format that includes;

a plurality of columns, each column comprising data items of an event attribute, the data items being of the set of events, wherein each column is selectable by a user; and

a plurality of rows forming cells with the plurality of columns, each cell comprising one or more of the data items of the event attribute of a corresponding column;

based on a user selection of one or more of the columns of the plurality of columns in the table format;

causing display of a list of options corresponding to the selected one or more columns; and

causing one or more commands to be added to the search query sequentially after the search string, wherein the one or more commands are based on an option that is selected from the list of options and the event attribute corresponding to the selected one or more columns.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A search interface is displayed in a table format that includes a plurality of columns, each column including data items of an event attribute, the data items being of a set of events, each column being selectable by a user, and a plurality of rows forming cells with the one or more columns, each cell comprising one or more of the data items of the event attribute of a corresponding column. Based on the user selecting one or more of the columns, a list of options is displayed corresponding to the selected one or more columns, and one or more commands are added to a search query that corresponds to the set of events. The one or more commands are based on at least an option that is selected from the list of options and the event attribute of each of the selected one or more columns.

172 Citations

40 Claims

1. A computer-implemented method comprising:
- causing display of a set of events that are search results of a search query represented as a search string that specifies a plurality of commands, each event corresponding to a portion of raw machine data associated with a timestamp, the display of the set of events being in a table format that includes;
  
  a plurality of columns, each column comprising data items of an event attribute, the data items being of the set of events, wherein each column is selectable by a user; and
  
  a plurality of rows forming cells with the plurality of columns, each cell comprising one or more of the data items of the event attribute of a corresponding column;
  
  based on a user selection of one or more of the columns of the plurality of columns in the table format;
  
  causing display of a list of options corresponding to the selected one or more columns; and
  
  causing one or more commands to be added to the search query sequentially after the search string, wherein the one or more commands are based on an option that is selected from the list of options and the event attribute corresponding to the selected one or more columns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The computer-implemented method of claim 1, further comprising causing the selected option to be included in the displayed list of options based on a determination that at least one of the cells of at least one of the selected one or more of the columns is an empty cell.
  - 3. The computer-implemented method of claim 1, further comprising causing the selected option to be included in the displayed list of options based on a determination that at least one of the selected one or more of the columns represents data items of a numeric data type.
  - 4. The computer-implemented method of claim 1, further comprising causing the selected option to be included in the displayed list of options based on a determination that at least one of the selected one or more of the columns represents data items of a categorical data type.
  - 5. The computer-implemented method of claim 1, further comprising causing the selected option to be included in the displayed list of options based on a determination that at least one of the selected one or more of the columns comprises the portion of raw machine data for the set of events.
  - 6. The computer-implemented method of claim 1, further comprising causing the selected option to be included in the displayed list of options based on a determination that at least one of the selected one or more of the columns represents a timestamp field comprising the timestamp associated with the portion of raw machine data for the set of events.
  - 7. The computer-implemented method of claim 1, wherein the plurality of columns in the table format are individually selectable by the user.
  - 8. The computer-implemented method of claim 1, wherein the user selection causes each cell of the selected one or more columns to be automatically highlighted in the table format.
  - 9. The computer-implemented method of claim 1, wherein the selected one or more columns comprises at least a first selected column and a second selected column.
  - 10. The computer-implemented method of claim 1, further comprising causing the selected option to be included in the displayed list of options based on a determination that at least one of the selected one or more of the columns represents data items comprising statistical values generated by one or more statistical functions performed on values of data items of at least some of the set of events.
  - 11. The computer-implemented method of claim 1, further comprising causing the selected option to be included in the displayed list of options based on detection of at least one field label-value pair in the selected one or more columns.
  - 12. The computer-implemented method of claim 1, further comprising causing the selected option to be generated at least partially based on detection of at least one field label-value pair in a subportion of text displayed in a cell of the selected one or more columns.
  - 13. The computer-implemented method of claim 1, wherein the data items of the event attribute of at least one of the selected one or more columns comprise values of a field extracted from the set of events using a common extraction rule.
  - 14. The computer-implemented method of claim 1, further comprising causing the selected option to be generated at least partially based on detection of at least one field label-value pair in the selected one or more columns.
  - 15. The computer-implemented method of claim 1, further comprising:
    - causing a field label of a field label-value pair to be detected in a subportion of a value displayed in a cell of the selected one or more columns; and
      
      causing the field label to be displayed in an option in the displayed list of options.
  - 16. The computer-implemented method of claim 1, comprising receiving one or more command elements of the one or more commands entered into a form by the user, the option being displayed in the list of options as the form.
  - 17. The computer-implemented method of claim 1, wherein one or more command elements of the one or more commands include at least one value of the data items for each of the selected one or more columns.
  - 18. The computer-implemented method of claim 1, further based on the user selecting the one or more of the columns of the plurality of columns in the table format:
    - causing the event attribute for each of the data items of each of the selected one or more columns to be included as one or more command elements of the one or more commands, wherein at least two event attributes are included in the one or more command elements.
  - 19. The computer-implemented method of claim 1, comprising:
    - further based on the user selection;
      
      causing the search query comprising the added one or more commands to be automatically executed; and
      
      causing the set of events displayed in the table format to be updated to correspond to search results of the executed search query comprising the added one or more commands.
  - 20. The computer-implemented method of claim 1, comprising:
    - further based on the user selection, further comprising causing a displayed representation of the search query in the user interface to be automatically updated to include a representation of the added one or more commands.
  - 21. The computer-implemented method of claim 1, comprising:
    - further based on the user selection, causing the search query comprising the added one or more commands to be executed, the executing applying a late-binding schema to events, using one or more extraction rules defining one or more fields for the set of events.
  - 22. The computer-implemented method of claim 1, wherein the one or more commands cause extraction of one or more field label-values pairs from at least the data items of each of the selected one or more columns and cause the field label-value pairs to be associated with at least one event of the set of events.
  - 23. The computer-implemented method of claim 1, further comprising causing display of the option as a form in the displayed list of options, the form comprising at least one form element operable to enter one or more command elements into the one or more commands to be added to the search query;
    - andafter adding the one or more commands to the search query using the form, causing display of a reproduction of the form, the reproduction comprising the one or more command elements and being user operable to modify the one or more commands that were added to the search query.
  - 24. The computer-implemented method of claim 1, comprising:
    - further based on the user selecting the one or more of the columns of the plurality of columns in the table format, causing a command entry that represents the one or more commands to be automatically added to a displayed list of command entries in the search interface, each of the command entries respectively representing one or more commands of a plurality of commands of the search query, the list of command entries being displayed in a sequence corresponding to the plurality of commands in the search query.
  - 25. The computer-implemented method of claim 1, wherein the one or more commands are of a pipelined search language in which a command of the search query produces an output from an input of the command, and the input is an output of a prior command of the search query.
  - 26. The computer-implemented method of claim 1, further comprising causing the plurality of columns of the table format to be reordered in the displayed table format based on a user interaction with the table format.
  - 27. The computer-implemented method of claim 1, further comprising causing the selected option to be included in the displayed list of options based on a data type assigned to the event attribute of at least one of the one or more of the data items of at least one of the selected one or more cells.
  - 28. The computer-implemented method of claim 1, wherein the display of the set of events in the table format is in a search screen, and the causing one or more commands to be added to the search query causes the table format in the displayed search screen to be automatically updated to add a new column that represents a new field extracted from the events by the one or more commands added to the search query.
  - 29. The computer-implemented method of claim 1, wherein the one or more commands includes a command of a plurality of predetermined commands of a search language, the option, when selected:
    - causing a command identifier of the command to be added to the search query independent of which of the plurality of columns was user selected to cause the display of the list of options; and
      
      causing arguments of the command to be added to the search query that are composed based on which of the plurality of columns was user selected to cause the display of the list of options.

30. A computer-implemented system for searching data, the system comprising:
- one or more data processors; and
  
  one or more computer-readable storage media containing instructions which when executed on the one or more data processors, cause the one or more processors to perform operations including;
  
  causing display of a set of events that are search results of a search query represented as a search string that specifies a plurality of commands, each event corresponding to a portion of raw machine data associated with a timestamp, the display of the set of events being in a table format that includes;
  
  a plurality of columns, each column comprising data items of an event attribute, the data items being of the set of events, wherein each column is selectable by a user; and
  
  a plurality of rows forming cells with the plurality of columns, each cell comprising one or more of the data items of the event attribute of a corresponding column;
  
  based on a user selection of one or more of the columns of the plurality of columns in the table format;
  
  causing display of a list of options corresponding to the selected one or more columns; and
  
  causing one or more commands to be added to the search query sequentially after the search string, wherein the one or more commands are based on an option that is selected from the list of options and the event attribute corresponding to the selected one or more columns.
- View Dependent Claims (31, 32, 33)
- - 31. The system of claim 30, wherein the operations comprise:
    - further based on the user selecting the one or more of the columns of the plurality of columns in the table format selection;
      
      causing the search query comprising the added one or more commands to be automatically executed; and
      
      causing the set of events displayed in the table format to be updated to correspond to search results of the executed search query comprising the added one or more commands.
  - 32. The system of claim 30, wherein the display of the set of events in the table format is in a search screen, and the causing one or more commands to be added to the search query causes the table format in the displayed search screen to be automatically updated to add a new column that represents a new field extracted from the events by the one or more commands added to the search query.
  - 33. The system of claim 30, wherein the one or more commands includes a command of a plurality of predetermined commands of a search language, the option, when selected:
    - causing a command identifier of the command to be added to the search query independent of which of the plurality of columns was user selected to cause the display of the list of options; and
      
      causing arguments of the command to be added to the search query that are composed based on which of the plurality of columns was user selected to cause the display of the list of options.

34. One or more non-transitory computer-storage media storing computer-useable instructions that, when executed by at least one computing device, cause the at least one computing device to perform a method, the method comprising:
- causing display of a set of events that are search results of a search query represented as a search string that specifies a plurality of commands, each event corresponding to a portion of raw machine data associated with a timestamp, the display of the set of events being in a table format that includes;
  
  a plurality of columns, each column comprising data items of an event attribute, the data items being of the set of events, wherein each column is selectable by a user; and
  
  a plurality of rows forming cells with the plurality of columns, each cell comprising one or more of the data items of the event attribute of a corresponding column;
  
  based on a user selection of one or more of the columns of the plurality of columns in the table format;
  
  causing display of a list of options corresponding to the selected one or more columns; and
  
  causing one or more commands to be added to the search query sequentially after the search string, wherein the one or more commands are based on an option that is selected from the list of options and the event attribute corresponding to the selected one or more columns.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The one or more computer-storage media of claim 34, wherein the added one or more commands cause search results of the search query to be produced from intermediate search results produced by the plurality of commands.
  - 36. The one or more computer-storage media of claim 34, wherein a column of the selected one or more columns corresponds to a single field and each cell of a plurality of cells in the column comprises a value of the single field for a different event of the set of events.
  - 37. The one or more computer-storage media of claim 34, further comprising accessing the events in a data store to produce the search results of the search query, wherein each event in the data store includes the portion of raw machine data of that event.
  - 38. The one or more computer-storage media of claim 34, wherein each row of the plurality of rows represents a different event of the set of events.
  - 39. The one or more computer-storage media of claim 34, wherein the display of the set of events in the table format is in a search screen, and the causing one or more commands to be added to the search query causes the table format in the displayed search screen to be automatically updated to add a new column that represents a new field extracted from the events by the one or more commands added to the search query.
  - 40. The one or more computer-storage media of claim 34, wherein the one or more commands includes a command of a plurality of predetermined commands of a search language, the option, when selected:
    - causing a command identifier of the command to be added to the search query independent of which of the plurality of columns was user selected to cause the display of the list of options; and
      
      causing arguments of the command to be added to the search query that are composed based on which of the plurality of columns was user selected to cause the display of the list of options.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Robichaud, Marc Vincent, Burke, Cory Eugene, Lloyd, Jeffrey Thomas
Primary Examiner(s)
Bullock, Joshua

Application Number

US14/611,018
Publication Number

US 20160224626A1
Time in Patent Office

1,208 Days
Field of Search

707713
US Class Current
CPC Class Codes

G06F 16/221   Column-oriented storage; Ma...

G06F 16/24   Querying

G06F 16/2455   Query execution

Column-based table manipulation of event data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

172 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Column-based table manipulation of event data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links