Data model for machine data for semantic search
First Claim
1. A computer implemented method, comprising:
- accessing time-stamped events in a data store on a computing device including one or more processors;
- maintaining a data model that is associated with a set of the time-stamped events, wherein the data model includes one or more sub-models, wherein each sub-model of the one or more sub-models is associated with a subset of events in the set of time-stamped events, wherein each sub-model of the one or more sub-models includes one or more fields, and wherein each field of a sub-model is associated with a field definition for how to extract a value for the field from one or more events in the subset of events associated with the sub-model;
- causing display of identifiers for the one or more sub-models;
- receiving a selection of one of the displayed identifiers, indicating a selection of a particular sub-model of the one or more sub-models;
- causing display of a graphical interface that includes an interactive element enabling a user to select or enter criteria for a particular field included in the selected particular sub-model;
- receiving, through the graphical interface, input corresponding to a selection or entry of particular criteria for the particular field;
- generating a search query in a search language designed for accessing the time-stamped events in the data store, wherein the search query is configured to (i) cause extraction of values for the particular field by applying an extraction rule or a regular expression included in the field definition for the particular field to a particular subset of events associated with the selected particular sub-model, and (ii) cause comparison of the extracted values for the particular field to the selected or entered particular criteria; and
- initiating execution of the search query.
Abstract
Embodiments are directed towards generating data models that may give semantic meaning for unstructured data or structured data that may include data generated and/or received by search engines, including a time series engine. Data models also may be generated to provide semantic meaning to structured data. A data model may be composed of hierarchical data model objects analogous to an object-oriented programming class hierarchy. Users may employ a data modeling application to produce reports using search objects that may be part of, or associated with, the data model. The data modeling application may employ the search object and the data model to generate a query string for searching a data repository to produce a result set. A data modeling application may map the result set data to data model objects that may be used to generate reports.
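The claimed flow (select a sub-model, enter criteria for one of its fields, generate and run a query), as an added example that is not code from the patent or from any product. The `search | extract | where` syntax, the `SubModel` class and the sshd-style events are constructed for illustration, and substring matching stands in for the base search that selects a sub-model's events.

```python
import re
from dataclasses import dataclass, field

@dataclass
class SubModel:
    name: str
    constraint: str                 # term that selects this sub-model's subset of events
    fields: dict = field(default_factory=dict)   # field name -> regex with one capture group
    parent: "SubModel | None" = None

    def all_fields(self):           # children inherit parent fields, like a class hierarchy
        return {**(self.parent.all_fields() if self.parent else {}), **self.fields}

    def constraints(self):          # a child's subset is narrowed by every ancestor's constraint
        return (self.parent.constraints() if self.parent else []) + [self.constraint]

def quote(value):
    # User-entered criteria become one string literal; they never alter the query structure.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_query(sub, field_name, criteria):
    regex = sub.all_fields()[field_name]   # KeyError: field not in the selected sub-model
    terms = " ".join(quote(c) for c in sub.constraints())
    text = (f"search {terms} | extract {field_name} {quote(regex)}"
            f" | where {field_name}={quote(criteria)}")
    return text, (sub.constraints(), regex, criteria)

def execute(plan, events):
    terms, regex, criteria = plan
    hits = []
    for ts, raw in events:
        if not all(t in raw for t in terms):
            continue                       # event is outside the sub-model's subset
        m = re.search(regex, raw)          # (i) extract the field value at search time
        if m and m.group(1) == criteria:   # (ii) compare it to the entered criteria
            hits.append(ts)
    return hits

# Constructed sample events and model; all names and addresses are illustrative.
EVENTS = [
    ("2024-05-01T10:00:00Z", "sshd: Failed password for root from 203.0.113.7 port 4022"),
    ("2024-05-01T10:00:05Z", "sshd: Accepted password for alice from 198.51.100.4 port 5011"),
    ("2024-05-01T10:00:09Z", "sshd: Failed password for alice from 203.0.113.7 port 4030"),
    ("2024-05-01T10:00:12Z", "cron: job backup finished"),
]
AUTH = SubModel("Authentication", "sshd:", {"user": r"for (\S+) from", "src": r"from (\S+) port"})
FAILED = SubModel("Failed_Authentication", "Failed password", parent=AUTH)

if __name__ == "__main__":
    text, plan = build_query(FAILED, "src", "203.0.113.7")
    print(text)
    print(execute(plan, EVENTS))
```

Because the field is extracted by regex when the query runs, the same raw events can serve several sub-models without being re-indexed.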
24 Claims
9. A system, comprising:
- one or more processors; and
- one or more non-transitory computer-readable storage media storing instructions configured to cause the one or more processors to perform operations including:
  - accessing time-stamped events in a data store on a computing device including one or more processors;
  - maintaining a data model that is associated with a set of the time-stamped events, wherein the data model includes one or more sub-models, wherein each sub-model of the one or more sub-models is associated with a subset of events in the set of time-stamped events, wherein each sub-model of the one or more sub-models includes one or more fields, and wherein each field of a sub-model is associated with a field definition for how to extract a value for the field from one or more events in the subset of events associated with the sub-model;
  - causing display of identifiers for the one or more sub-models;
  - receiving a selection of one of the displayed identifiers, indicating a selection of a particular sub-model of the one or more sub-models;
  - causing display of a graphical interface that includes an interactive element enabling a user to select or enter criteria for a particular field included in the selected particular sub-model;
  - receiving, through the graphical interface, input corresponding to a selection or entry of particular criteria for the particular field;
  - generating a search query in a search language designed for accessing the time-stamped events in the data store, wherein the search query is configured to (i) cause extraction of values for the particular field by applying an extraction rule or a regular expression included in the field definition for the particular field to a particular subset of events associated with the selected particular sub-model, and (ii) cause comparison of the extracted values for the particular field to the selected or entered particular criteria; and
  - initiating execution of the search query.
17. A computer-program product, tangibly embodied in one or more non-transitory machine-readable media, including instructions configured to cause one or more data processing apparatuses to:
- access time-stamped events in a data store on a computing device including one or more processors;
- maintain a data model that is associated with a set of the time-stamped events, wherein the data model includes one or more sub-models, wherein each sub-model of the one or more sub-models is associated with a subset of events in the set of time-stamped events, wherein each sub-model of the one or more sub-models includes one or more fields, and wherein each field of a sub-model is associated with a field definition for how to extract a value for the field from one or more events in the subset of events associated with the sub-model;
- cause display of identifiers for the one or more sub-models;
- receive a selection of one of the displayed identifiers, indicating a selection of a particular sub-model of the one or more sub-models;
- cause display of a graphical interface that includes an interactive element enabling a user to select or enter criteria for a particular field included in the selected particular sub-model;
- receive, through the graphical interface, input corresponding to a selection or entry of particular criteria for the particular field;
- generate a search query in a search language designed for accessing the time-stamped events in the data store, wherein the search query is configured to (i) cause extraction of values for the particular field by applying an extraction rule or a regular expression included in the field definition for the particular field to a particular subset of events associated with the selected particular sub-model, and (ii) cause comparison of the extracted values for the particular field to the selected or entered particular criteria; and
- initiate execution of the search query.
Specification