Suggested field extraction

US 10,915,583 B2
Filed: 01/30/2015
Issued: 02/09/2021
Est. Priority Date: 01/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

displaying, in a graphical interface, one or more events in a table format that includes one or more rows and each of the one or more rows includes one or more cells, wherein each of the one or more rows corresponds to one of the one or more events and at least one of the one or more cells of each row displays raw data that is associated with a corresponding event of the one or more events;

based on a first user selection of first one or more values included in a portion of the raw data that is displayed in a particular cell of a particular row corresponding to a particular event of one or more events, automatically determining an extraction rule that includes instructions to extract a field label-value pair from the portion of the raw data, wherein the field label-value pair includes a particular value of the selected first one or more values and a particular field label that indicates a location in the particular event that contains the particular value and the instructions of the extraction rule identifies, within the portion of the raw data, each of the particular value and the particular field label based on one or more demarcating characters included in the portion of the raw data;

causing display of an option corresponding to the determined extraction rule in the graphical interface; and

based on a second user selection of the option in the graphical interface, causing display of second one or more values of one or more additional field label-value pairs, wherein the one or more additional field label-value pairs are extracted from additional portions of the raw data that are associated with additional events of the one or more events using the extraction rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A based on a selection by a user of first one or more values of one or more events displayed in a graphical interface, an extraction rule is automatically determined that is capable of extracting a field label-value pair at least partially within at least the selected one or more values. An option is displayed that correspond to the determined extraction rule in the graphical interface. Based on the user selecting the option in the graphical interface, display is caused of second one or more values of one or more field label-value pairs extracted from the one or more events using the extraction rule. The one or more events may be displayed in a table format, and the first one or more value may be selected by the user selecting one or more cells, columns, or text portions in the table format.

199 Citations

30 Claims

1. A computer-implemented method comprising:
- displaying, in a graphical interface, one or more events in a table format that includes one or more rows and each of the one or more rows includes one or more cells, wherein each of the one or more rows corresponds to one of the one or more events and at least one of the one or more cells of each row displays raw data that is associated with a corresponding event of the one or more events;
  
  based on a first user selection of first one or more values included in a portion of the raw data that is displayed in a particular cell of a particular row corresponding to a particular event of one or more events, automatically determining an extraction rule that includes instructions to extract a field label-value pair from the portion of the raw data, wherein the field label-value pair includes a particular value of the selected first one or more values and a particular field label that indicates a location in the particular event that contains the particular value and the instructions of the extraction rule identifies, within the portion of the raw data, each of the particular value and the particular field label based on one or more demarcating characters included in the portion of the raw data;
  
  causing display of an option corresponding to the determined extraction rule in the graphical interface; and
  
  based on a second user selection of the option in the graphical interface, causing display of second one or more values of one or more additional field label-value pairs, wherein the one or more additional field label-value pairs are extracted from additional portions of the raw data that are associated with additional events of the one or more events using the extraction rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer implemented method of claim 1, wherein the one or more events are displayed in the table format, and the first user selection is of the particular cell in the table format, the particular cell displaying the first one or more values.
  - 3. The computer implemented method of claim 1, wherein the one or more events are displayed in the table format, and the first user selection is of a column in the table format, the column comprising the first one or more values.
  - 4. The computer implemented method of claim 1, wherein the portion of the raw data includes a portion of text indicating the particular field label and the particular value of the field label-value pair, the portion of text is in a second value assigned to the particular event of the one or more events, the portion of text is displayed in the particular cell of the table format during the first user selection, and the first user selection comprises a click on the particular cell.
  - 5. The computer implemented method of claim 1, wherein the automatically determining the extraction rule comprises automatically generating the extraction rule from the selected first one or more values.
  - 6. The computer implemented method of claim 1, further comprising:
    - based on the second user selection of the option in the graphical interface, causing the second one or more values to be assigned to a field of the one or more events.
  - 7. The computer implemented method of claim 1, further comprising:
    - based on the first user selection of the first one or more values, causing the determined extraction rule to be saved to a configuration file for a future field extraction that is used to apply a late binding schema to a set of events.
  - 8. The computer implemented method of claim 1, wherein the determined extraction rule comprises a regular expression.
  - 9. The computer implemented method of claim 1, wherein the automatically determining the extraction rule comprises detecting a first text portion of the portion of the raw data as being separated by the one or more demarcating characters from a second text portion of the portion of the raw data.
  - 10. The computer implemented method of claim 1, wherein the automatically determining the extraction rule comprises detecting the one or more demarcating characters in the selected first one or more values.
  - 11. The computer implemented method of claim 1, wherein the first user selection is of a portion of a displayed textual representation of the raw data.
  - 12. The computer implemented method of claim 1, wherein the second one or more values of the one or more additional field label-value pairs are extracted from the one or more additional events using the extraction rule as part of a command that is based on the second user selection of the option, wherein the command automatically extracts all identified field label-value pairs in a set of data items of the one or more events, each extracted field label-value pair comprising a field label and a value, wherein one of the field label-value pairs is identified for each first text portion separated by the one or more demarcating characters from a second text portion in the set of data items, the first text portion matching the field label and the second text portion being used as the value.
  - 13. The computer implemented method of claim 1, comprising applying a late binding schema to the one or more events using a plurality of extraction rules that comprise the determined extraction rule based on the second user selection of the option in the graphical interface.
  - 14. The computer implemented method of claim 1, wherein the instructions define identification and extraction of a field label represented in the raw data and a corresponding value represented in the raw data.
  - 15. The computer implemented method of claim 1, wherein the causing display of the second the second one or more values of the one or more additional field label-value pairs extracted from the one or more additional events using the extraction rule causes the second one or more values to be displayed with the one or more additional events in the table format.

16. A system comprising:
- one or more data processors; and
  
  one or more computer-readable storage media containing instructions which when executed on the one or more data processors, cause the one or more processors to perform operations including;
  
  displaying, in a graphical interface, one or more events in a table format that includes one or more rows and each of the one or more rows includes one or more cells, wherein each of the one or more rows corresponds to one of the one or more events and at least one of the one or more cells of each row displays raw data that is associated with a corresponding event of the one or more events;
  
  based on a first user selection of first one or more values included in a portion of the raw data that is displayed in a particular cell of a particular row corresponding to a particular event of one or more events, automatically determining an extraction rule that includes instructions to extract a field label-value pair from the portion of the raw data, wherein the field label-value pair includes a particular value of the selected first one or more values and a particular field label that indicates a location in the particular event that contains the particular value and the instructions of the extraction rule identifies, within the portion of the raw data, each of the particular value and the particular field label based on one or more demarcating characters included in the portion of the raw data;
  
  causing display of an option corresponding to the determined extraction rule in the graphical interface; and
  
  based on a second user selection of the option in the graphical interface, causing display of second one or more values of one or more additional field label-value pairs, wherein the one or more additional field label-value pairs are extracted from additional portions of the raw data that are associated with additional events of the one or more events using the extraction rule.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The system of claim 16, wherein the one or more events are displayed in the table format, and the first user selection is of the particular cell in the table format, the particular cell displaying the first one or more values.
  - 18. The system of claim 16, wherein the one or more events are displayed in the table format, and the first user selection is of a column in the table format, the column comprising a plurality of the first one or more values.
  - 19. The system of claim 16, wherein the portion of the raw data includes a portion of text indicating the particular field label particular value of the field label-value pair, and the portion of text is in a second value assigned to the particular event of the one or more events.
  - 20. The system of claim 16, wherein the automatically determining the extraction rule comprises automatically generating the extraction rule from the selected first one or more values.
  - 21. The system of claim 16, the operations further comprising:
    - based on the second user selection of the option in the graphical interface, causing the second one or more values to be assigned to a field of the one or more events.

22. One or more non-transitory computer-storage media storing computer-useable instructions that, when executed by a computing device, perform a method, the method comprising:
- displaying, in a graphical interface, one or more events in a table format that includes one or more rows and each of the one or more rows includes one or more cells, wherein each of the one or more rows corresponds to one of the one or more events and at least one of the one or more cells of each row displays raw data that is associated with a corresponding event of the one or more events;
  
  based on a first user selection of first one or more values included in a portion of the raw data that is displayed in a particular cell of a particular row corresponding to a particular event of one or more events, automatically determining an extraction rule that includes instructions to extract a field label-value pair from the portion of the raw data, wherein the field label-value pair includes a particular value of the selected first one or more values and a particular field label that indicates a location in the particular event that contains the particular value and the instructions of the extraction rule identifies, within the portion of the raw data, each of the particular value and the particular field label based on one or more demarcating characters included in the portion of the raw data;
  
  causing display of an option corresponding to the determined extraction rule in the graphical interface; and
  
  based on a second user selection of the option in the graphical interface, causing display of second one or more values of one or more additional field label-value pairs, wherein the one or more additional field label-value pairs are extracted from additional portions of the raw data that are associated with additional events of the one or more events using the extraction rule.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The one or more computer-storage media of claim 22, wherein the one or more events are displayed in the table format, and the first user selection is of the particular cell in the table format, the particular cell displaying the first one or more values.
  - 24. The one or more computer-storage media of claim 22, wherein the one or more events are displayed in the table format, and the first user selection is of a column in the table format, the column comprising the first one or more values.
  - 25. The one or more computer-storage media of claim 22, wherein the portion of the raw data includes a portion of text indicating the particular field label and the particular value of the field label-value pair, and the portion of text is in a second value assigned to the particular event of the one or more events.
  - 26. The one or more computer-storage media of claim 22, wherein the automatically determining the extraction rule comprises automatically generating the extraction rule from the selected first one or more values.
  - 27. The one or more computer-storage media of claim 22, the method further comprising:
    - based on the second user selection of selecting the option in the graphical interface, causing the second one or more values to be assigned to a field of the one or more events.
  - 28. The one or more computer-storage media of claim 22, the method further comprising:
    - based on the first user selection of the first one or more values, causing the determined extraction rule to be saved to a configuration file for a future field extraction that is used to apply a late binding schema to a set of events.
  - 29. The one or more computer-storage media of claim 22, wherein the determined extraction rule comprises a regular expression.
  - 30. The one or more computer-storage media of claim 22, wherein the automatically determining the extraction rule comprises detecting a first text portion of the portion of the raw data as being separated by the one or more demarcating characters from a second text portion of the portion of the raw data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Robichaud, Marc Vincent, Burke, Cory Eugene, Lloyd, Jeffrey Thomas
Primary Examiner(s)
Hong, Stephen S
Assistant Examiner(s)
Sheffield, Hope C

Application Number

US14/610,717
Publication Number

US 20160224531A1
Time in Patent Office

2,202 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/242   Query formulation

G06F 16/2428   Query predicate definition ...

G06F 16/2477   Temporal data queries

G06F 16/248   Presentation of query results

G06F 16/9038   Presentation of query results

G06F 16/93   Document management systems

G06F 3/0482   Interaction with lists of s...

Suggested field extraction

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

199 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Suggested field extraction

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links