公开(公告)号：US08682925B1

公开(公告)日：2014-03-25

申请号：US13756147

申请日：2013-01-31

Applicant: Splunk Inc.

Inventor： David Ryan Marquardt ,  Stephen Phillip Sorkin ,  Steve Yu Zhang

IPC: G06F17/30

CPC classification number: G06F17/30321 ,  G06F17/30 ,  G06F17/30457 ,  G06F17/30477 ,  G06F17/30554 ,  G06F17/30595 ,  G06F17/30864

Abstract: Embodiments are directed are towards the transparent summarization of events. Queries directed towards summarizing and reporting on event records may be received at a search head. Search heads may be associated with one more indexers containing event records. The search head may forward the query to the indexers the can resolve the query for concurrent execution. If a query is a collection query, indexers may generate summarization information based on event records located on the indexers. Event record fields included in the summarization information may be determined based on terms included in the collection query. If a query is a stats query, each indexer may generate a partial result set from previously generated summarization information, returning the partial result sets to the search head. Collection queries may be saved and scheduled to run and periodically update the summarization information.

Abstract translation: 实施例针对事件的透明总结。 可以在搜索头收到针对事件记录的总结和报告的查询。 搜索头可能与一个包含事件记录的索引器相关联。 搜索头可以将查询转发给索引器，可以解析用于并发执行的查询。 如果查询是集合查询，则索引器可以基于位于索引器上的事件记录生成摘要信息。 包含在汇总信息中的事件记录字段可以基于收集查询中包含的项来确定。 如果查询是统计查询，则每个索引器可以从先前生成的摘要信息生成部分结果集，将部分结果集返回到搜索头。 收集查询可以保存并计划运行，并定期更新摘要信息。

公开(公告)号：US08682886B2

公开(公告)日：2014-03-25

申请号：US13664239

申请日：2012-10-30

Applicant: Splunk Inc.

Inventor： Stephen Phillip Sorkin ,  Steve Yu Zhang ,  Ledion Bitincka

IPC: G06F17/30

CPC classification number: G06F17/30321 ,  G06F17/30424 ,  G06F17/30554 ,  G06F17/30584 ,  G06F17/30946

Abstract: A method and system for managing searches of a data set that is partitioned based on a plurality of events. A structure of a search query may be analyzed to determine if logical computational actions performed on the data set is reducible. Data in each partition is analyzed to determine if at least a portion of the data in the partition is reducible. In response to a subsequent or reoccurring search request, intermediate summaries of reducible data and reducible search computations may be aggregated for each partition. Next, a search result may be generated based on at least one of the aggregated intermediate summaries, the aggregated reducible search computations, and a query of adhoc non-reducible data arranged in at least one of the plurality of partitions for the data set.

Abstract translation: 一种用于管理基于多个事件划分的数据集的搜索的方法和系统。 可以分析搜索查询的结构以确定对数据集执行的逻辑计算动作是否可减少。 分析每个分区中的数据以确定分区中的数据的至少一部分是否可缩减。 响应于随后或重复出现的搜索请求，可以针对每个分区聚合可缩减数据和可缩减搜索计算的中间摘要。 接下来，可以基于聚合中间摘要，聚合可缩减搜索计算以及排列在用于数据集的多个分区中的至少一个分区中的adhoc不可还原数据的查询中的至少一个来生成搜索结果。

公开(公告)号：US20130311509A1

公开(公告)日：2013-11-21

申请号：US13664239

申请日：2012-10-30

Applicant: SPLUNK INC.

Inventor： Stephen Phillip Sorkin ,  Steve Yu Zhang ,  Ledion Bitincka

IPC: G06F17/30

CPC classification number: G06F17/30321 ,  G06F17/30424 ,  G06F17/30554 ,  G06F17/30584 ,  G06F17/30946

Abstract: A method and system for managing searches of a data set that is partitioned based on a plurality of events. A structure of a search query may be analyzed to determine if logical computational actions performed on the data set is reducible. Data in each partition is analyzed to determine if at least a portion of the data in the partition is reducible. In response to a subsequent or reoccurring search request, intermediate summaries of reducible data and reducible search computations may be aggregated for each partition. Next, a search result may be generated based on at least one of the aggregated intermediate summaries, the aggregated reducible search computations, and a query of adhoc non-reducible data arranged in at least one of the plurality of partitions for the data set.

Abstract translation: 一种用于管理基于多个事件划分的数据集的搜索的方法和系统。 可以分析搜索查询的结构以确定对数据集执行的逻辑计算动作是否可减少。 分析每个分区中的数据以确定分区中的数据的至少一部分是否可缩减。 响应于随后或重复出现的搜索请求，可以针对每个分区聚合可缩减数据和可缩减搜索计算的中间摘要。 接下来，可以基于聚合中间摘要，聚合可缩减搜索计算以及排列在用于数据集的多个分区中的至少一个分区中的adhoc不可还原数据的查询中的至少一个来生成搜索结果。

公开(公告)号：US08589432B2

公开(公告)日：2013-11-19

申请号：US13660707

申请日：2012-10-25

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin ,  Vishal Patel

IPC: G06F17/30

CPC classification number: G06F17/30516

Abstract: A system arranged to search machine data to generate reports in real time. A search query is provided that includes a plurality of search commands. The search query is parsed to form a main search query and a remote search query. Machine data is collected from remote data sources and evaluated against one of the main and remote search queries to generate a set of search results. The main search query is then evaluated against at least a partial set of the search result to generate at least one report regarding the collected machine data. Initially a search window is pre-populated with historical machine data related to the search query. Over time the historical machine data is replaced with the collected machine data.

公开(公告)号：US20130073542A1

公开(公告)日：2013-03-21

申请号：US13660845

申请日：2012-10-25

Applicant: SPLUNK INC.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F17/30

CPC classification number: G06F17/3053 ,  G06F17/30194 ,  G06F17/30312 ,  G06F17/30353 ,  G06F17/30386 ,  G06F17/30477 ,  G06F17/30483 ,  G06F17/30486 ,  G06F17/30528 ,  G06F17/30545 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30675 ,  G06F17/30864 ,  G06F17/30867 ,  G06F17/30973 ,  G06F17/30991 ,  H04L41/0604 ,  H04L41/22 ,  H04L67/1097

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

Abstract translation: 方法，系统和处理器可读存储介质被引导为生成从存储在多个分布式节点上的诸如事件数据的数据导出的报告。 在一个实施例中，使用分割和征服算法生成分析，使得每个分布式节点分析本地存储的事件数据，同时聚合节点组合这些分析结果以生成报告。 在一个实施例中，每个分布式节点还将与分析结果相关联的事件数据引用的列表发送到聚合节点。 然后，聚合节点可以基于从每个分布式节点接收的事件数据参考的列表来生成数据引用的全局有序列表。 随后，响应于用户选择一系列全局事件数据，报告可以动态地从一个或多个分布式节点检索事件数据，以便根据全局顺序进行显示。

公开(公告)号：US20130046783A1

公开(公告)日：2013-02-21

申请号：US13660707

申请日：2012-10-25

Applicant: SPLUNK INC.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin ,  Vishal Patel

IPC: G06F17/30

CPC classification number: G06F17/30516

Abstract: A system arranged to search machine data to generate reports in real time. A search query is provided that includes a plurality of search commands. The search query is parsed to form a main search query and a remote search query. Machine data is collected from remote data sources and evaluated against one of the main and remote search queries to generate a set of search results. The main search query is then evaluated against at least a partial set of the search result to generate at least one report regarding the collected machine data. Initially a search window is pre-populated with historical machine data related to the search query. Over time the historical machine data is replaced with the collected machine data.

Abstract translation: 一种系统，用于搜索机器数据以实时生成报告。 提供了包括多个搜索命令的搜索查询。 解析搜索查询以形成主搜索查询和远程搜索查询。 机器数据从远程数据源收集，并针对主要和远程搜索查询之一进行评估，以生成一组搜索结果。 然后根据搜索结果的至少一部分集合来评估主搜索查询以生成关于所收集的机器数据的至少一个报告。 最初，搜索窗口预先填充与搜索查询相关的历史机器数据。 随着时间的推移，历史机器数据被收集的机器数据所替代。