Determining events associated with a value

US 10,579,648 B2
Filed: 04/29/2017
Issued: 03/03/2020
Est. Priority Date: 01/23/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

accessing a set of events in a field-searchable data store that acts as a persistent repository for the events that each include a portion of raw machine data in textual form being produced by a component within an information technology environment and reflecting activity within the information technology environment, wherein the field-searchable data store of events is field-searchable such that a plurality of search queries each containing at least one criterion for a field is executable against the events in the field-searchable data store to cause comparison between the at least one criterion and values extracted from the events by an extraction rule defining the field;

applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values;

for a first unique extracted value and a second unique extracted value in the extracted set of values, determining a first count of a first unique extracted value in a field defined by the extraction rule and a second count of a second unique extracted value in the field defined by the extraction rule;

causing display of a first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count of the first unique extracted value in the field defined by the extraction rule and the second count of the second unique extracted value in the field defined by the extraction rule; and

causing display of a second display area that presents at least a portion of the events, wherein the first unique extracted value and the second unique extracted value are visually emphasized in the displayed events, wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generate and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.

227 Citations

21 Claims

1. A computer-implemented method, comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events that each include a portion of raw machine data in textual form being produced by a component within an information technology environment and reflecting activity within the information technology environment, wherein the field-searchable data store of events is field-searchable such that a plurality of search queries each containing at least one criterion for a field is executable against the events in the field-searchable data store to cause comparison between the at least one criterion and values extracted from the events by an extraction rule defining the field;
  
  applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values;
  
  for a first unique extracted value and a second unique extracted value in the extracted set of values, determining a first count of a first unique extracted value in a field defined by the extraction rule and a second count of a second unique extracted value in the field defined by the extraction rule;
  
  causing display of a first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count of the first unique extracted value in the field defined by the extraction rule and the second count of the second unique extracted value in the field defined by the extraction rule; and
  
  causing display of a second display area that presents at least a portion of the events, wherein the first unique extracted value and the second unique extracted value are visually emphasized in the displayed events, wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 20, 21)
- - 2. The method of claim 1, wherein the field-searchable data store is searchable to reveal a performance or security of the information technology environment based on the activity reflected by the raw machine data in the data store.
  - 3. The method of claim 1, wherein the extracted set of values produced by applying extraction rule to the accessed set of events are semantically related.
  - 4. The method of claim 1, wherein the extraction rule at least in part defines the field that can be referenced in a search query by a name for the field.
  - 5. The method of claim 1, further comprising causing display of an indication of a relative rate of occurrence in events of different values from the extracted set of values.
  - 6. The method of claim 1, wherein causing display of the first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count and the second count further comprises causing display of the first unique extracted value and the second unique extracted value in a sorted order based on the associated counts.
  - 7. The method of claim 1, wherein the extraction rule is a regular expression.
  - 8. The method of claim 1, wherein the extraction rule is a regular expression that has been automatically generated to correspond to a user-selected portion of raw machine data in a particular event.
  - 9. The method of claim 1, further comprising:
    - receiving input corresponding to a selection of the first unique extracted value that has been displayed with its associated count;
      
      based on receiving the selection, determining a subset of the set of events such that each event in the subset includes the selected first unique extracted value in the field defined by the extraction rule; and
      
      modifying the second display area to include only events in the determined subset and to hide any events not in the determined subset.
  - 20. The method of claim 1, further comprising:
    - applying a second extraction rule to the portion of raw machine data in textual form in each event in the accessed set of events to extract a second set of values;
      
      for a third extracted value in the extracted second set of values, determining a third count of the third extracted value in a second field defined by the second extraction rule; and
      
      causing display of the first extracted value, the second extracted value, and the third extracted value concurrently with the corresponding first count, second count, and third count.
  - 21. The method of claim 1, wherein the second display area is presented concurrently with the first display area.

10. A non-transitory computer readable storage medium impressed with computer program instructions that, when executed on a processor, implement a method comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events that each include a portion of raw machine data in textual form being produced by a component within an information technology environment and reflecting activity within the information technology environment, wherein the field-searchable data store of events is field-searchable such that a plurality of search queries each containing at least one criterion for a field is executable against the events in the field-searchable data store to cause comparison between the at least one criterion and values extracted from the events by an extraction rule defining the field;
  
  applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values;
  
  for a first unique extracted value and a second unique extracted value in the extracted set of values, determining a first count of a first unique extracted value in a field defined by the extraction rule and a second count of a second unique extracted value in the field defined by the extraction rule;
  
  causing display of a first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count of the first unique extracted value in the field defined by the extraction rule and the second count of the second unique extracted value in the field defined by the extraction rule; and
  
  causing display of a second display area that presents at least a portion of the events, wherein the first unique extracted value and the second unique extracted value are visually emphasized in the displayed events, wherein the method is performed by one or more computing devices.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer readable medium of claim 10, wherein the field-searchable data store is searchable to reveal a performance or security of the information technology environment based on the activity reflected by the raw machine data in the data store.
  - 12. The computer readable medium of claim 10, wherein causing display of the first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count and the second count further comprises causing display of the first unique extracted value and the second unique extracted value in a sorted order based on the associated counts.
  - 13. The computer readable medium of claim 10, wherein the extraction rule is a regular expression that has been automatically generated to correspond to a user-selected portion of raw machine data in a particular event.
  - 14. The computer readable medium of claim 10, implementing the method further comprising:
    - receiving input corresponding to a selection of the first unique extracted value that has been displayed with its associated count;
      
      based on receiving the selection, determining a subset of the set of events such that each event in the subset includes the selected first unique extracted value in the field defined by the extraction rule; and
      
      modifying the second display area to include only events in the determined subset and to hide any events not in the determined subset.

15. A system including one or more processors coupled to memory, the memory loaded with computer instructions that, when executed on the processors, implement actions comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events that each include a portion of raw machine data in textual form being produced by a component within an information technology environment and reflecting activity within the information technology environment, wherein the field-searchable data store of events is field-searchable such that a plurality of search queries each containing at least one criterion for a field is executable against the events in the field-searchable data store to cause comparison between the at least one criterion and values extracted from the events by an extraction rule defining the field;
  
  applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values;
  
  for a first unique extracted value and a second unique extracted value in the extracted set of values, determining a first count of a first unique extracted value in a field defined by the extraction rule and a second count of a second unique extracted value in the field defined by the extraction rule;
  
  causing display of a first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count of the first unique extracted value in the field defined by the extraction rule and the second count of the second unique extracted value in the field defined by the extraction rule; and
  
  causing display of a second display area that presents at least a portion of the events, wherein the first unique extracted value and the second unique extracted value are visually emphasized in the displayed events, wherein the method is performed by one or more computing devices.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein the field-searchable data store is searchable to reveal a performance or security of the information technology environment based on the activity reflected by the raw machine data in the data store.
  - 17. The system of claim 15, wherein causing display of the first display area that presents the first unique extracted value and the second unique extracted value concurrently with the corresponding first count and the second count further comprises causing display of the first unique extracted value and the second unique extracted value in a sorted order based on the associated counts.
  - 18. The system of claim 15, wherein the extraction rule is a regular expression that has been automatically generated to correspond to a user-selected portion of raw machine data in a particular event.
  - 19. The system of claim 15, further implementing actions comprising:
    - receiving input corresponding to a selection of a first unique extracted value that has been displayed with its associated count;
      
      based on receiving the selection, determining a subset of the set of events such that each event in the subset includes the selected first unique extracted value in the field defined by the extraction rule; and
      
      modifying the second display area to include only events in the determined subset and to hide any events not in the determined subset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Carasso, R. David, Delfino, Micah James, Hwang, Johnvey
Primary Examiner(s)
Ellis, Matthew J

Application Number

US15/582,668
Publication Number

US 20170255601A1
Time in Patent Office

1,039 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/248   Presentation of query results

G06F 16/287   Visualization; Browsing

G06F 16/332   Query formulation

G06F 16/334   Query execution G06F16/335 ...

G06F 16/338   Presentation of query results

G06F 16/34   Browsing; Visualisation the...

G06F 16/93   Document management systems

G06F 16/951   Indexing; Web crawling tech...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 40/166   Editing, e.g. inserting or ...

G06F 40/169   Annotation, e.g. comment da...

G06F 40/174   Form filling; Merging

G06Q 10/00   Administration; Management

G06Q 10/0637   Strategic management or ana...

Y04S 10/50   Systems or methods supporti...

Determining events associated with a value

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

227 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Determining events associated with a value

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

227 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others