Query handling using summarization tables
Abstract
Embodiments are directed towards the transparent summarization of events. Queries directed towards summarizing and reporting on event records may be received at a search head. Search heads may be associated with one or more indexers containing event records. The search head may forward the query to the indexers that can resolve it, for concurrent execution. If a query is a collection query, indexers may generate summarization information based on event records located on the indexers. Event record fields included in the summarization information may be determined based on terms included in the collection query. If a query is a stats query, each indexer may generate a partial result set from previously generated summarization information, returning the partial result sets to the search head. Collection queries may be saved and scheduled to run and periodically update the summarization information.
101 Citations
31 Claims
1. A method, comprising:
- creating a set of field searchable, time stamped event records from raw data stored in at least one datastore, wherein each field searchable, time stamped event record in the set of field searchable, time stamped event records comprises a portion of the raw data and is associated with a time stamp derived from the raw data;
- generating a summarization table for a set of field names in the set of field searchable, time stamped event records that identifies one or more field values associated with the set of field names and further generating, for each field value, one or more posting values to field searchable, time stamped event records in the at least one data store having the field value, wherein a field value comprises a value that appears in connection with an associated field name in one or more field searchable, time stamped event records in the set of field searchable, time stamped event records, and wherein each posting value of the one or more posting values references a location of a corresponding field searchable, time stamped event record in the at least one data store;
- storing the summarization table;
- receiving a search query that includes search criteria for evaluating field values for one or more field names;
- using the search criteria to evaluate the field values for the one or more field names in the summarization table to generate a query result;
- causing display of information based on the query result.
Dependent claims 2 through 17 depend from claim 1.

18. A non-transitory computer-readable medium storing computer-executable instructions which, when executed by a processor, cause the processor to perform operations comprising:
- creating a set of field searchable, time stamped event records from raw data stored in at least one datastore, wherein each field searchable, time stamped event record in the set of field searchable, time stamped event records comprises a portion of the raw data and is associated with a time stamp derived from the raw data;
- generating a summarization table for a set of field names in the set of field searchable, time stamped event records that identifies one or more field values associated with the set of field names and further generating, for each field value, one or more posting values to field searchable, time stamped event records in the at least one data store having the field value, wherein a field value comprises a value that appears in connection with an associated field name in one or more field searchable, time stamped event records in the set of field searchable, time stamped event records, and wherein each posting value of the one or more posting values references a location of a corresponding field searchable, time stamped event record in the at least one data store;
- storing the summarization table;
- receiving a search query that includes search criteria for evaluating field values for one or more field names;
- using the search criteria to evaluate the field values for the one or more field names in the summarization table to generate a query result;
- causing display of information based on the query result.
Dependent claims 19 through 30 depend from claim 18.

31. A system comprising:
- at least one memory storing computer-executable instructions; and
- at least one processor, wherein the at least one processor is configured to access the at least one memory and to execute the computer-executable instructions to:
- create a set of field searchable, time stamped event records from raw data stored in at least one datastore, wherein each field searchable, time stamped event record in the set of field searchable, time stamped event records comprises a portion of the raw data and is associated with a time stamp derived from the raw data;
- generate a summarization table for a set of field names in the set of field searchable, time stamped event records that identifies one or more field values associated with the set of field names and further generate, for each field value, one or more posting values to field searchable, time stamped event records in the at least one data store having the field value, wherein a field value comprises a value that appears in connection with an associated field name in one or more field searchable, time stamped event records in the set of field searchable, time stamped event records, and wherein each posting value of the one or more posting values references a location of a corresponding field searchable, time stamped event record in the at least one data store;
- store the summarization table;
- receive a search query that includes search criteria for evaluating field values for one or more field names;
- use the search criteria to evaluate the field values for the one or more field names in the summarization table to generate a query result;
- cause display of information based on the query result.
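The following is an added toy model of the scheme described in the abstract and in the independent claims above: raw log lines become time stamped event records, a collection query builds a summarization table (field name, then field value, then posting values that reference record locations), and a stats query is answered from the table by each indexer, with the search head merging the partial results. It is example code written for this page, not the patent's or the assignee's implementation. The class and function names (Indexer, SearchHead, make_events, build_summary), the syslog-like sample lines, and the field=value extraction rule are all assumptions; a real deployment would also persist the table and refresh it on a schedule, which this model omits.

```python
"""Toy summarization-table model (added example; names and sample data are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample raw data: one line per event, split across two indexers.
RAW_INDEXER_A = [
    "2024-03-01T10:00:01Z action=login user=alice src=10.0.0.5 status=success",
    "2024-03-01T10:00:07Z action=login user=bob src=10.0.0.9 status=failure",
    "2024-03-01T10:00:09Z action=login user=bob src=10.0.0.9 status=failure",
]
RAW_INDEXER_B = [
    "2024-03-01T10:00:12Z action=login user=bob src=10.0.0.9 status=failure",
    "2024-03-01T10:00:30Z action=logout user=alice src=10.0.0.5 status=success",
]

TS_RE = re.compile(r"^(\S+)\s+(.*)$")      # leading timestamp, then the rest of the line
KV_RE = re.compile(r"(\w+)=(\S+)")          # assumed field=value extraction rule


def make_events(raw_lines):
    """Turn raw data into field searchable, time stamped event records.
    Each record keeps its portion of the raw data and a timestamp derived from it;
    its position in the store (loc) is what posting values will reference."""
    events = []
    for loc, line in enumerate(raw_lines):
        ts_text, rest = TS_RE.match(line).groups()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"loc": loc, "ts": ts, "raw": line, "fields": dict(KV_RE.findall(rest))})
    return events


def build_summary(events, field_names):
    """Summarization table: field name -> field value -> list of posting values
    (locations of the records in which that value appears for that field)."""
    table = {name: defaultdict(list) for name in field_names}
    for ev in events:
        for name in field_names:
            if name in ev["fields"]:
                table[name][ev["fields"][name]].append(ev["loc"])
    return {name: dict(values) for name, values in table.items()}


class Indexer:
    """One indexer: owns an event store plus the summarization table built over it."""

    def __init__(self, raw_lines):
        self.events = make_events(raw_lines)  # loc == index into this list
        self.summary = {}                     # empty until a collection query runs

    def collect(self, field_names):
        """Collection query: (re)generate summarization info for these field names."""
        self.summary = build_summary(self.events, field_names)

    def matching_locations(self, criteria, earliest=None, latest=None):
        """Intersect posting lists for every field=value criterion using only the table,
        then apply an optional time window by dereferencing posting values into the store."""
        locs = None
        for name, value in criteria.items():
            if name not in self.summary:
                raise KeyError(f"field {name!r} is not summarized; run a collection query first")
            postings = set(self.summary[name].get(value, []))
            locs = postings if locs is None else locs & postings
        if locs is None:  # no criteria: every record in the store
            locs = set(range(len(self.events)))
        if earliest is not None or latest is not None:
            locs = {l for l in locs
                    if (earliest is None or self.events[l]["ts"] >= earliest)
                    and (latest is None or self.events[l]["ts"] < latest)}
        return locs

    def partial_stats(self, criteria, group_by, earliest=None, latest=None):
        """Stats query: count matching records per value of group_by, computed from
        the posting lists rather than by re-parsing raw data."""
        if group_by not in self.summary:
            raise KeyError(f"field {group_by!r} is not summarized; run a collection query first")
        hit = self.matching_locations(criteria, earliest, latest)
        counts = {value: len(hit & set(postings)) for value, postings in self.summary[group_by].items()}
        return {value: n for value, n in counts.items() if n}


class SearchHead:
    """Forwards queries to every indexer and merges the partial result sets."""

    def __init__(self, indexers):
        self.indexers = indexers

    def collection_query(self, field_names):
        for ix in self.indexers:
            ix.collect(field_names)

    def stats_query(self, criteria, group_by, earliest=None, latest=None):
        merged = defaultdict(int)
        for ix in self.indexers:
            for value, n in ix.partial_stats(criteria, group_by, earliest, latest).items():
                merged[value] += n
        return dict(merged)


def demo():
    """Run a collection query, then a stats query, with and without a time window."""
    head = SearchHead([Indexer(RAW_INDEXER_A), Indexer(RAW_INDEXER_B)])
    head.collection_query(["user", "status", "action"])
    since = datetime(2024, 3, 1, 10, 0, 10, tzinfo=timezone.utc)
    try:  # 'src' was not collected, so it cannot be evaluated from the table
        head.stats_query({"src": "10.0.0.9"}, "user")
        rejected = False
    except KeyError:
        rejected = True
    return {
        "failures_by_user": head.stats_query({"status": "failure"}, "user"),
        "failures_by_user_since": head.stats_query({"status": "failure"}, "user", earliest=since),
        "all_by_action": head.stats_query({}, "action"),
        "unsummarized_field_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point the table makes concrete: once `collect` has run, a stats query such as "count failed logins per user" touches only posting lists, and raw records are dereferenced only when a criterion (here, the time window) is not part of the table. A field that was never collected cannot be answered from the table at all, which is why the model raises rather than silently scanning.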