Time stamp creation for event data

US 10,255,312 B2
Filed: 10/31/2016
Issued: 04/09/2019
Est. Priority Date: 10/05/2006
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method for improving machine data analysis, comprising:

creating a set of searchable events by segmenting raw time series machine data received from at least one data source in an information technology environment into searchable events, the raw time series machine data reflecting activity in the information technology environment, each searchable event including at least a portion of the segmented raw time series machine data thereby allowing application of time-based search phrases across at least a portion of events in the set of searchable events to search the segmented raw time series machine data in the at least a portion of the events;

detecting whether time information is present in the raw time series machine data of an event in the set of searchable events;

in response to detecting that the time information is present in the event;

extracting the time information from the raw time series machine data of the event;

determining a time zone in the extracted time information;

generating an offset by normalizing the extracted time information using the determined time zone;

generating a time stamp based on the offset; and

associating the generated time stamp with the event, thereby enabling the event to be searched using the generated time stamp;

in response to detecting that the time information is not present in the event;

calculating a time stamp for the event using one or more stored time stamps, wherein the one or more stored time stamps are time stamps stored from one or more earlier processed events selected on a periodic basis in order to facilitate time stamp creation; and

associating the calculated time stamp with the event, thereby enabling the event to be searched using the created time stamp;

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

Methods and apparatus consistent with the invention provide the ability to organize, index, search, and present time series data based on searches. Time series data are sequences of time stamped records occurring in one or more usually continuous streams, representing some type of activity. In one embodiment, time series data is organized into discrete events with normalized time stamps and the events are indexed by time and keyword. A search is received and relevant event information is retrieved based in whole or in part on the time indexing mechanism, keyword indexing mechanism, or statistical indices calculated at the time of the search.

123 Citations

14 Claims

1. A method for improving machine data analysis, comprising:
- creating a set of searchable events by segmenting raw time series machine data received from at least one data source in an information technology environment into searchable events, the raw time series machine data reflecting activity in the information technology environment, each searchable event including at least a portion of the segmented raw time series machine data thereby allowing application of time-based search phrases across at least a portion of events in the set of searchable events to search the segmented raw time series machine data in the at least a portion of the events;
  
  detecting whether time information is present in the raw time series machine data of an event in the set of searchable events;
  
  in response to detecting that the time information is present in the event;
  
  extracting the time information from the raw time series machine data of the event;
  
  determining a time zone in the extracted time information;
  
  generating an offset by normalizing the extracted time information using the determined time zone;
  
  generating a time stamp based on the offset; and
  
  associating the generated time stamp with the event, thereby enabling the event to be searched using the generated time stamp;
  
  in response to detecting that the time information is not present in the event;
  
  calculating a time stamp for the event using one or more stored time stamps, wherein the one or more stored time stamps are time stamps stored from one or more earlier processed events selected on a periodic basis in order to facilitate time stamp creation; and
  
  associating the calculated time stamp with the event, thereby enabling the event to be searched using the created time stamp;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein associating the generated time stamp further comprises modifying the time information in the event to match the generated time stamp.
  - 3. The method of claim 1, further comprising:
    - processing a search phrase;
      
      executing the search phrase across the set of searchable events.
  - 4. The method of claim 1, further comprising:
    - indexing the set of searchable events;
      
      processing a search phrase;
      
      executing the search phrase across the set of indexed searchable events.
  - 5. The method of claim 1, further comprising:
    - identifying a domain for the event;
      
      wherein the detecting whether time information is present in the event further comprises;
      
      determining a location of the time information within the raw time series machine data of the event using the identified domain.
  - 6. The method of claim 1, wherein the raw time series machine data includes unstructured data.

7. An apparatus for improving machine data analysis, comprising:
- an event processor, implemented at least partially in hardware, that creates a set of searchable events by segmenting raw time series machine data received from at least one data source in an information technology environment into searchable events, the raw time series machine data reflecting activity in the information technology environment, each searchable event including at least a portion of the segmented raw time series machine data thereby allowing application of time-based search phrases across at least a portion of events in the set of searchable events to search the segmented raw time series machine data in the at least a portion of the events;
  
  wherein the event processor detects whether time information is present in the raw time series machine data of an event in the set of searchable events;
  
  in response to the event processor detecting that the time information is present in the event, the event processor;
  
  extracts the time information from the raw time series machine data of the event;
  
  determines a time zone in the extracted time information;
  
  generates an offset by normalizing the extracted time information using the determined time zone;
  
  generates a time stamp based on the offset; and
  
  associates the generated time stamp with the event, thereby enabling the event to be searched using the generated time stamp;
  
  in response to the event processor detecting that the time information is not present in the event, the event processor;
  
  calculates a time stamp for the event using one or more stored time stamps, wherein the one or more stored time stamps are time stamps stored from one or more earlier processed events selected on a periodic basis in order to facilitate time stamp creation; and
  
  associates the calculated time stamp with the event, thereby enabling the event to be searched using the created time stamp.
- View Dependent Claims (8, 9, 10)
- - 8. The apparatus of claim 7, wherein the event processor further:
    - modifies the time information in the event to match the generated time stamp.
  - 9. The apparatus of claim 7, wherein the event processor further:
    - indexes the set of searchable events;
      
      processes a search phrase;
      
      executes the search phrase across the set of indexed searchable events.
  - 10. The apparatus of claim 7, wherein the raw time series machine data includes unstructured data.

11. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions for improving machine data analysis, which when executed by one or more processors cause performance of:
- creating a set of searchable events by segmenting raw time series machine data received from at least one data source in an information technology environment into searchable events, the raw time series machine data reflecting activity in the information technology environment, each searchable event including at least a portion of the segmented raw time series machine data thereby allowing application of time-based search phrases across at least a portion of events in the set of searchable events to search the segmented raw time series machine data in the at least a portion of the events;
  
  detecting whether time information is present in the raw time series machine data of an event in the set of searchable events;
  
  in response to detecting that the time information is present in the event;
  
  extracting the time information from the raw time series machine data of the event;
  
  determining a time zone in the extracted time information;
  
  generating an offset by normalizing the extracted time information using the determined time zone;
  
  generating a time stamp based on the offset; and
  
  associating the generated time stamp with the event, thereby enabling the event to be searched using the generated time stamp;
  
  in response to detecting that the time information is not present in the event;
  
  calculating a time stamp for the event using one or more stored time stamps, wherein the one or more stored time stamps are time stamps stored from one or more earlier processed events selected on a periodic basis in order to facilitate time stamp creation; and
  
  associating the calculated time stamp with the event, thereby enabling the event to be searched using the created time stamp.
- View Dependent Claims (12, 13, 14)
- - 12. The one or more non-transitory computer-readable storage media of claim 11, wherein associating the generated time stamp further comprises modifying the time information in the event to match the generated time stamp.
  - 13. The one or more non-transitory computer-readable storage media of claim 11, further comprising:
    - indexing the set of searchable events;
      
      processing a search phrase;
      
      executing the search phrase across the set of indexed searchable events.
  - 14. The one or more non-transitory computer-readable storage media of claim 11, wherein the raw time series machine data includes unstructured data.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Swan, Erik M., Carasso, R. David, Das, Robin Kumar, Greene, Rory, Hall, Bradley, Mealy, Nicholas Christian, Murphy, Brian Philip, Sorkin, Stephen Phillip, Stechert, Andre David, Baum, Michael Joseph
Primary Examiner(s)
Uddin, Mohammed R

Application Number

US15/339,887
Publication Number

US 20170046402A1
Time in Patent Office

890 Days
Field of Search

707746, 707752, 707753, 707999003
US Class Current
CPC Class Codes

G06F 16/2228   Indexing structures

G06F 16/2272   Management thereof

G06F 16/2291   User-Defined Types; Storage...

G06F 16/2322   using timestamps

G06F 16/24568   Data stream processing; Con...

G06F 16/24575   using context

G06F 16/24578   using ranking

G06F 16/2477   Temporal data queries

G06F 16/248   Presentation of query results

G06F 16/951   Indexing; Web crawling tech...

Time stamp creation for event data

First Claim

1 Assignment

Litigations

0 Petitions

Accused Products

Abstract

123 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Time stamp creation for event data

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links