Real time indication of previously extracted data fields for regular expressions

US 10,019,226 B2
Filed: 05/01/2014
Issued: 07/10/2018
Est. Priority Date: 01/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

organizing, on a first device, machine data into a plurality of events, each event in the plurality of events being associated with a timestamp and including a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;

receiving, via a user interface, a user selection of a text value from displayed machine data associated with an event among the plurality of events;

automatically generating at least one extraction rule in response to the selection of the text value from machine data associated with the event; and

extracting at least one text value from at least one event in the plurality of events using the at least one extraction rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards real time display of event records with an indication of previously provided extraction rules. A plurality of extraction rules may be provided to the system, such as automatically generated and/or user created extraction rules. These extraction rules may include regular expressions. A plurality of event records may be displayed to the user, such that text in a field defined by an extraction rule is emphasized in the display of the event record. The same emphasis may be provided for text in overlapping fields, or the emphasis may be somewhat different for different fields. The user interface may enable a user to select a portion of text of an event record, such as by rolling-over or clicking on an emphasized part of the event record. By selecting the portion of the event record, the interface may display each extraction rule associated with the selected portion.

209 Citations

36 Claims

1. A method, comprising:
- organizing, on a first device, machine data into a plurality of events, each event in the plurality of events being associated with a timestamp and including a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
  
  receiving, via a user interface, a user selection of a text value from displayed machine data associated with an event among the plurality of events;
  
  automatically generating at least one extraction rule in response to the selection of the text value from machine data associated with the event; and
  
  extracting at least one text value from at least one event in the plurality of events using the at least one extraction rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as recited in claim 1, wherein an extraction rule defines a subfield of another field.
  - 3. The method as recited in claim 1, wherein two or more extraction rules may define fields in an event that partially or completely overlap each other.
  - 4. The method as recited in claim 1, wherein an event comprises at least a portion of one or more lines of data within the machine data.
  - 5. The method as recited in claim 1, wherein an event comprises at least a portion from each of two or more lines of data within the machine data.
  - 6. The method as recited in claim 1, further comprising:
    - calculating a statistical value corresponding to one or more unique values extracted from the at least one event in the plurality of events.
  - 7. The method as recited in claim 1, wherein a second device displays, via the user interface, the at least one extraction rule along with the extracted at least one text value.
  - 8. The method as recited in claim 1, wherein the machine data includes unstructured data.
  - 9. The method as recited in claim 1, wherein the at least one extraction rule includes a regular expression.
  - 10. The method as recited in claim 1, wherein automatically generating at least one extraction rule based on the text value selected from machine data in the event among the plurality of events comprises receiving the selection of the text value from the user through the user interface that displays one or more of the plurality of events.
  - 11. The method as recited in claim 1, further comprising:
    - delivering the extracted at least one text value for display.
  - 12. The method as recited in claim 1, further comprising:
    - causing highlighting of the text value in the user interface that displays one or more of the plurality of events.

13. An apparatus, comprising:
- a subsystem, on a first device, implemented at least partially in hardware, that organizes machine data into a plurality of events, each event in the plurality of events being associated with a timestamp and including a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
  
  a subsystem, implemented at least partially in hardware, that receives, via a user interface, a user selection of a text value from displayed machine data associated with an event among the plurality of events, and automatically generates at least one extraction rule in response to the selection of the text value from machine data associated with the event; and
  
  a subsystem, implemented at least partially in hardware, that extracts at least one text value from at least one event in the plurality of events using the at least one extraction rule.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The apparatus as recited in claim 13, wherein an extraction rule defines a subfield of another field.
  - 15. The apparatus as recited in claim 13, wherein two or more extraction rules may define fields in an event that partially or completely overlap each other.
  - 16. The apparatus as recited in claim 13, wherein an event comprises at least a portion of one or more lines of data within the machine data.
  - 17. The apparatus as recited in claim 13, wherein an event comprises at least a portion from each of two or more lines of data within the machine data.
  - 18. The apparatus as recited in claim 13, further comprising:
    - a subsystem, implemented at least partially in hardware, that calculates a statistical value corresponding to one or more unique values extracted from the at least one event in the plurality of events.
  - 19. The apparatus as recited in claim 13, wherein a second device displays the at least one extraction rule along with the extracted at least one text value.
  - 20. The apparatus as recited in claim 13, wherein the machine data includes unstructured data.
  - 21. The apparatus as recited in claim 13, wherein the at least one extraction rule includes a regular expression.
  - 22. The apparatus as recited in claim 13, wherein automatically generating at least one extraction rule based on the text value selected from machine data in the event among the plurality of events comprises receiving the selection of the text value from the user through the user interface that displays one or more of the plurality of events.
  - 23. The apparatus as recited in claim 13, further comprising:
    - a subsystem, implemented at least partially in hardware, that delivers the extracted at least one text value for display.
  - 24. The apparatus as recited in claim 13, further comprising:
    - a subsystem, implemented at least partially in hardware, that causes highlighting of the text value in the user interface that displays one or more of the plurality of events.

25. A non-transitory computer-readable medium storing one or more sequences of instructions, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform:
- organizing, on a first device, machine data into a plurality of events, each event in the plurality of events being associated with a timestamp and including a portion of machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment;
  
  receiving, via a user interface, a user selection of a text value from displayed machine data associated with an event among the plurality of events;
  
  automatically generating at least one extraction rule in response to the selection of the text value from machine data associated with the event; and
  
  extracting at least one text value from at least one event in the plurality of events using the at least one extraction rule.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The non-transitory computer-readable medium as recited in claim 25, wherein an extraction rule defines a subfield of another field.
  - 27. The non-transitory computer-readable medium as recited in claim 25, wherein two or more extraction rules may define fields in an event that partially or completely overlap each other.
  - 28. The non-transitory computer-readable medium as recited in claim 25, wherein an event comprises at least a portion of one or more lines of data within the machine data.
  - 29. The non-transitory computer-readable medium as recited in claim 25, wherein an event comprises at least a portion from each of two or more lines of data within the machine data.
  - 30. The non-transitory computer-readable medium as recited in claim 25, further comprising:
    - calculating a statistical value corresponding to one or more unique values extracted from the at least one event in the plurality of events.
  - 31. The non-transitory computer-readable medium as recited in claim 25, wherein a second device displays the at least one extraction rule along with the extracted at least one text value.
  - 32. The non-transitory computer-readable medium as recited in claim 25, wherein the machine data includes unstructured data.
  - 33. The non-transitory computer-readable medium as recited in claim 25, wherein the at least one extraction rule includes a regular expression.
  - 34. The non-transitory computer-readable medium as recited in claim 25, wherein automatically generating at least one extraction rule based on the text value selected from machine data in the event among the plurality of events comprises receiving the selection of the text value from the user through the user interface that displays one or more of the plurality of events.
  - 35. The non-transitory computer-readable medium as recited in claim 25, further comprising:
    - delivering the extracted at least one text value for display.
  - 36. The non-transitory computer-readable medium as recited in claim 25, further comprising:
    - causing highlighting of the text value in the user interface that displays one or more of the plurality of events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Carasso, R. David, Delfino, Micah James, Hwang, Johnvey
Primary Examiner(s)
Angkool, David Phantana

Application Number

US14/266,839
Publication Number

US 20140236971A1
Time in Patent Office

1,531 Days
Field of Search

715823
US Class Current
CPC Class Codes

G06F 16/2477 Temporal data queries

G06F 7/24 Sorting, i.e. extracting da...

Real time indication of previously extracted data fields for regular expressions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

209 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Real time indication of previously extracted data fields for regular expressions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

209 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links