Advanced Field Extractor

US 20170270219A1
Filed: 04/28/2017
Published: 09/21/2017
Est. Priority Date: 01/22/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

generating a graphical interface on a computing device, wherein the graphical interface displays;

a plurality of event records, wherein one or more locations within an event record includes time information; and

a timestamp selection tool, wherein the timestamp selection tool enables selection of the one or more locations within the event record;

receiving input corresponding to a selection of the one or more locations within the event record, wherein the selection is made using the timestamp selection tool;

associating the one or more selected locations with timestamp information;

storing the association between the one or more selected locations and the timestamp information, wherein the stored association is used in an extraction rule;

extracting the time information from the one or more selected locations within the event record using the extraction rule; and

creating a timestamp for the event record using the extracted time information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards a graphical user interface identify locations within event records with splittable timestamp information. A display of event records is provided using any of a variety of formats. A splittable timestamp selector allows a user to select one or more locations within event records as having time related information that may be split across the one or more locations, including, information based on date, time of day, day of the week, or other time information. Any of a plurality of mechanisms is used to associate the selected locations with the split timestamp information, including tags, labels, or header information within the event records. In other embodiments, a separate table, list, index, or the like may be generated that associates the selected locations with the split timestamp information. The split timestamp information may be used within extraction rules for selecting subsets or the event records.

2 Citations

27 Claims

1. A computer-implemented method, comprising:
- generating a graphical interface on a computing device, wherein the graphical interface displays;
  
  a plurality of event records, wherein one or more locations within an event record includes time information; and
  
  a timestamp selection tool, wherein the timestamp selection tool enables selection of the one or more locations within the event record;
  
  receiving input corresponding to a selection of the one or more locations within the event record, wherein the selection is made using the timestamp selection tool;
  
  associating the one or more selected locations with timestamp information;
  
  storing the association between the one or more selected locations and the timestamp information, wherein the stored association is used in an extraction rule;
  
  extracting the time information from the one or more selected locations within the event record using the extraction rule; and
  
  creating a timestamp for the event record using the extracted time information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the time information for the event record is split across a plurality of locations within the event record, and wherein receiving input corresponding to the selection of the one or more locations comprises selection of the plurality of locations.
  - 3. The method of claim 2, wherein one or more of the locations that include time information are not selected as time information for stamping the event record.
  - 4. The method of claim 1, wherein at least one of the plurality of event records includes unstructured data.
  - 5. The method of claim 1, wherein at least one of the plurality of event records includes unstructured machine data.
  - 6. The method of claim 1, wherein associating the one or more selected locations with the timestamp information further includes using a tag, a label, or a header to create the association.
  - 7. The method of claim 1, wherein associating the one or more selected locations with the timestamp information further includes using a table, a list, or an index to create the association.
  - 8. The method of claim 1, wherein the time information includes a year, a month, a day, a time of day, or a day of week information.
  - 9. The method of claim 1, wherein the one or more locations that include time information within the event record correspond to a field that defines a location across multiple event records of a category of time information, and wherein creating a timestamp for the event record using the extracted time information comprises time stamping multiple event records with their respective values for the field.

10. A system for managing resources, comprising:
- at least one network device, comprising;
  
  a processor, anda non-transitory computer-readable storage medium containing instructions configured to cause the processor to perform operations including;
  
  generating a graphical interface, wherein the graphical interface displays;
  
  a plurality of event records, wherein one or more locations within an event record includes time information; and
  
  a timestamp selection tool, wherein the timestamp selection tool enables selection of the one or more locations within the event record;
  
  receiving input corresponding to a selection of the one or more locations within the event record, wherein the selection is made using the timestamp selection tool;
  
  associating the one or more selected locations with timestamp information;
  
  storing the association between the one or more selected locations and the timestamp information, wherein the stored association is used in an extraction rule;
  
  extracting the time information from the one or more selected locations within the event record using the extraction rule; and
  
  creating a timestamp for the event record using the extracted time information.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the time information for the event record is split across a plurality of locations within the event record, and wherein receiving input corresponding to the selection of the one or more locations comprises selection of the plurality of locations.
  - 12. The system of claim 11, wherein one or more of the locations that include time information are not selected as time information for stamping the event record.
  - 13. The system of claim 10, wherein at least one of the plurality of event records includes unstructured data.
  - 14. The system of claim 10, wherein at least one of the plurality of event records includes unstructured machine data.
  - 15. The system of claim 10, wherein associating the one or more selected locations with the timestamp information further includes using a tag, a label, or a header to create the association.
  - 16. The system of claim 10, wherein associating the one or more selected locations with the timestamp information further includes using a table, a list, or an index to create the association.
  - 17. The system of claim 10, wherein the time information includes a year, a month, a day, a time of day, or a day of week information.
  - 18. The system of claim 10, wherein the one or more locations that include time information within the event record correspond to a field that defines a location across multiple event records of a category of time information, and wherein creating a timestamp for the event record using the extracted time information comprises time stamping multiple event records with their respective values for the field.

19. A computer-program product, tangibly embodied in a non-transitory machine-readable medium, including instructions configured to cause a data processing apparatus to:
- generate a graphical interface, wherein the graphical interface displays;
  
  a plurality of event records, wherein one or more locations within an event record includes time information; and
  
  a timestamp selection tool, wherein the timestamp selection tool enables selection of the one or more locations within the event record;
  
  receive input corresponding to a selection of the one or more locations within the event record, wherein the selection is made using the timestamp selection tool;
  
  associate the one or more selected locations with timestamp information;
  
  store the association between the one or more selected locations and the timestamp information, wherein the stored association is used in an extraction rule;
  
  extract the time information from the one or more selected locations within the event record using the extraction rule; and
  
  create a timestamp for the event record using the extracted time information.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer-program product of claim 19, wherein the time information for the event record is split across a plurality of locations within the event record, and wherein receiving input corresponding to the selection of the one or more locations comprises selection of the plurality of locations.
  - 21. The computer-program product of claim 20, wherein one or more of the locations that include time information are not selected as time information for stamping the event record.
  - 22. The computer-program product of claim 19, wherein at least one of the plurality of event records includes unstructured data.
  - 23. The computer-program product of claim 19, wherein at least one of the plurality of event records includes unstructured machine data.
  - 24. The computer-program product of claim 19, wherein associating the one or more selected locations with the timestamp information further includes using a tag, a label, or a header to create the association.
  - 25. The computer-program product of claim 19, wherein associating the one or more selected locations with the timestamp information further includes using a table, a list, or an index to create the association.
  - 26. The computer-program product of claim 19, wherein the time information includes a year, a month, a day, a time of day, or a day of week information.
  - 27. The computer-program product of claim 19, wherein the one or more locations that include time information within the event record correspond to a field that defines a location across multiple event records of a category of time information, and wherein creating a timestamp for the event record using the extracted time information comprises time stamping multiple event records with their respective values for the field.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Carasso, R. David, Delfino, Micah James

Granted Patent

US 10,318,537 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2477   Temporal data queries

G06F 16/9014   hash tables

G06F 40/284   Lexical analysis, e.g. toke...

Advanced Field Extractor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

2 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced Field Extractor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

2 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links