Displaying a proportion of events that have a particular value for a field in a set of events
First Claim
1. A computer-implemented method, comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events, wherein each event in the set includes a portion of raw machine data in textual form, and wherein the raw machine data is produced by a component within an information technology environment and reflects activity within the information technology environment;
- receiving a user selection of a first portion of raw machine data in a particular event presented in a first portion of a display screen;
- applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values, wherein the extraction rule comprises a regular expression rule updated and presented in a second portion of the display screen in real-time to correspond with the user-selected first portion of raw machine data;
- for one or more particular values in the extracted set of values, determining a proportion from events that include the particular value at a location corresponding to the extraction rule;
- updating, in real-time in a third portion of the display screen, a display of one or more particular values and its associated proportion; and
- wherein the method is performed by one or more computing devices.
Abstract
Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generated and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.
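The extract-then-count step the abstract describes, as an added example that is not taken from the patent: a regular-expression extraction rule is applied to every event, the share of events carrying each unique value is computed, and the events matching a selected value are returned. The sample sshd/cron lines, the two rules, the function names and the choice of all events as the denominator are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample events (raw machine data in textual form); not from the page.
EVENTS = [
    "Jan 12 03:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Jan 12 03:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "Jan 12 03:15:41 web01 sshd[2290]: Accepted publickey for deploy from 198.51.100.23 port 41010 ssh2",
    "Jan 12 03:16:02 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2",
    "Jan 12 03:17:30 web01 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Hypothetical extraction rules; the named group "value" marks the extracted subportion.
USER_RULE = r"for (?:invalid user )?(?P<value>\S+) from"
SRC_RULE = r"from (?P<value>\d{1,3}(?:\.\d{1,3}){3})"

def extract_values(events, rule):
    """Apply the rule to each event; None marks an event the rule does not match."""
    pattern = re.compile(rule)
    matches = (pattern.search(ev) for ev in events)
    return [m.group("value") if m else None for m in matches]

def value_proportions(events, rule):
    """Map each unique extracted value to its share of ALL events (assumed denominator)."""
    values = extract_values(events, rule)
    counts = Counter(v for v in values if v is not None)
    total = len(events)
    if total == 0:
        return {}
    return {v: c / total for v, c in counts.most_common()}

def events_with_value(events, rule, selected):
    """Return the events whose extracted value equals the selected one."""
    values = extract_values(events, rule)
    return [ev for ev, v in zip(events, values) if v == selected]

if __name__ == "__main__":
    for name, rule in (("user", USER_RULE), ("src", SRC_RULE)):
        print(f"{name}: {rule}")
        for value, share in value_proportions(EVENTS, rule).items():
            print(f"  {value:<15} {share:.0%}")
```

Events the rule does not match (the cron line here) stay in the denominator, so the displayed shares need not sum to 100%.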
282 Citations
26 Claims
1. A computer-implemented method, comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events, wherein each event in the set includes a portion of raw machine data in textual form, and wherein the raw machine data is produced by a component within an information technology environment and reflects activity within the information technology environment;
- receiving a user selection of a first portion of raw machine data in a particular event presented in a first portion of a display screen;
- applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values, wherein the extraction rule comprises a regular expression rule updated and presented in a second portion of the display screen in real-time to correspond with the user-selected first portion of raw machine data;
- for one or more particular values in the extracted set of values, determining a proportion from events that include the particular value at a location corresponding to the extraction rule;
- updating, in real-time in a third portion of the display screen, a display of one or more particular values and its associated proportion; and
- wherein the method is performed by one or more computing devices.

View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 26)

14. A non-transitory computer readable storage medium impressed with computer program instructions that, when executed on a processor, implement a method comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events, wherein each event in the set includes a portion of raw machine data in textual form, and wherein the raw machine data is produced by a component within an information technology environment and reflects activity within the information technology environment;
- receiving a user selection of a first portion of raw machine data in a particular event presented in a first portion of a display screen;
- applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values, wherein the extraction rule comprises a regular expression rule updated and presented in a second portion of the display screen in real-time to correspond with the user-selected first portion of raw machine data;
- for one or more particular values in the extracted set of values, determining a proportion from events that include the particular value at a location corresponding to the extraction rule;
- updating, in real-time in a third portion of the display screen, a display of one or more particular values and its associated proportion; and
- wherein the method is performed by one or more computing devices.

View Dependent Claims (15, 16, 17, 18, 19)

20. A system including one or more processors coupled to memory, the memory loaded with computer instructions that, when executed on the processors, implement actions comprising:
- accessing a set of events in a field-searchable data store that acts as a persistent repository for the events, wherein each event in the set includes a portion of raw machine data in textual form, and wherein the raw machine data is produced by a component within an information technology environment and reflects activity within the information technology environment;
- receiving a user selection of a first portion of raw machine data in a particular event presented in a first portion of a display screen;
- applying an extraction rule, which specifies how to extract a subportion of text from a larger portion of text, to the portion of raw machine data in textual form in each event in the accessed set of events to extract a set of values, wherein the extraction rule comprises a regular expression rule updated and presented in a second portion of the display screen in real-time to correspond with the user-selected first portion of raw machine data;
- for one or more particular values in the extracted set of values, determining a proportion from events that include the particular value at a location corresponding to the extraction rule; and
- updating, in real-time in a third portion of the display screen, a display of one or more particular values and its associated proportion.

View Dependent Claims (21, 22, 23, 24, 25)

Specification