公开(公告)号：US20210279244A1

公开(公告)日：2021-09-09

申请号：US17230646

申请日：2021-04-14

Applicant: SPLUNK INC.

Inventor： Vishal Patel ,  Mitchell Neuman Blank, JR. ,  Sundar Renegarajan Vasan ,  Stephen Phillip Sorkin

IPC: G06F16/2457 ,  G06F16/9537 ,  G06F16/9535 ,  G06F16/22 ,  G06F16/27 ,  G06F16/29 ,  H04L29/08 ,  G06F11/20

Abstract: A method of data replication in a clustered computing environment comprises receiving, at a selected indexer within a plurality of indexers in a cluster, data from a forwarder indexer, wherein the selected indexer is designated as a primary indexer for the data, wherein the primary indexer has primary responsibility for responding to search queries pertaining to the data, wherein the cluster comprises a plurality of sites. The method further comprises receiving, at the selected indexer, data replication instructions, wherein the data replication instructions comprise a number of other indexers in the cluster for storing a replicated copy of the data and further comprise a number of sites from the plurality of sites across which to store a replicated copy of the data determined in accordance with a site replication factor.

公开(公告)号：US20190303373A1

公开(公告)日：2019-10-03

申请号：US16444593

申请日：2019-06-18

Applicant: SPLUNK, INC.

Inventor： Vishal Patel ,  Mitchell Neuman Blank, JR. ,  Sundar Renegarajan Vasan ,  Stephen Phillip Sorkin

IPC: G06F16/2457 ,  G06F16/9537 ,  G06F16/9535 ,  G06F16/22 ,  G06F16/27 ,  G06F16/29 ,  G06F11/20 ,  H04L29/08

Abstract: Embodiments are directed towards managing within a cluster environment having a plurality of indexers for data storage using redundancy the data being managed using a generation identifier, such that a primary indexer is designated for a given generation of data. When a master device for the cluster fails, data may continue to be stored using redundancy, and data searches performed may still be performed.

公开(公告)号：US20170344576A1

公开(公告)日：2017-11-30

申请号：US15663652

申请日：2017-07-28

Applicant: Splunk Inc.

Inventor： Amritpal Singh Bath ,  Mitchell Neuman Blank, JR. ,  Vishal Patel ,  Stephen Phillip Sorkin

IPC: G06F17/30

CPC classification number: G06F16/1734 ,  G06F16/174 ,  G06F16/20

Abstract: Embodiments are directed towards managing and tracking item identification of a plurality of items to determine if an item is a new or existing item, where an existing item has been previously processed. In some embodiments, two or more item identifiers may be generated. In one embodiment, generating the two or more item identifiers may include analyzing the item using a small item size characteristic, a compressed item, or for an identifier collision. The two or more item identifiers may be employed to determine if the item is a new or existing item. In one embodiment, the two or more item identifiers may be compared to a record about an existing item to determine if the item is a new or existing item. If the item is an existing item, then the item may be further processed to determine if the existing item has actually changed.

公开(公告)号：US20160342696A1

公开(公告)日：2016-11-24

申请号：US15224655

申请日：2016-07-31

Applicant: Splunk Inc.

Inventor： Mitchell Neuman Blank, JR. ,  Leonid Budchenko ,  David Carasso ,  Micah James Delfino ,  Johnvey Hwang ,  Stephen Phillip Sorkin

IPC: G06F17/30 ,  G06F3/0485 ,  G06F3/0482 ,  G06F17/27

CPC classification number: G06F17/30867 ,  G06F3/0482 ,  G06F3/04842 ,  G06F3/0485 ,  G06F17/2705 ,  G06F17/30321 ,  G06F17/30507 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/3056 ,  G06F17/30619 ,  G06F17/30864

Abstract: Embodiments are directed towards previewing results generated from indexing data raw data before the corresponding index data is added to an index store. Raw data may be received from a preview data source. After an initial set of configuration information may be established, the preview data may be submitted to an index processing pipeline. A previewing application may generate preview results based on the preview index data and the configuration information. The preview results may enable previewing how the data is being processed by the indexing application. If the preview results are not acceptable, the configuration information may be modified. The preview application enables modification of the configuration information until the generated preview results may be acceptable. If the configuration information is acceptable, the preview data may be processed and indexed in one or more index stores.

Abstract translation: 实施例针对在将对应的索引数据添加到索引存储之前预览从索引数据原始数据生成的结果。 可以从预览数据源接收原始数据。 在可以建立一组初始配置信息之后，可以将预览数据提交给索引处理流水线。 预览应用可以基于预览索引数据和配置信息生成预览结果。 预览结果可能可以预览索引应用程序如何处理数据。 如果预览结果不可接受，则可以修改配置信息。 预览应用程序可以修改配置信息，直到生成的预览结果可以接受。 如果配置信息是可接受的，则预览数据可以在一个或多个索引存储中被处理和索引。

公开(公告)号：US20200311160A1

公开(公告)日：2020-10-01

申请号：US16870233

申请日：2020-05-08

Applicant: Splunk Inc.

Inventor： Mitchell Neuman Blank, JR. ,  Leonid Budchenko ,  David Carasso ,  Micah James Delfino ,  Johnvey Hwang ,  Stephen Phillip Sorkin ,  Eric Timothy Woo

IPC: G06F16/9535 ,  G06F16/248 ,  G06F16/25 ,  G06F16/31 ,  G06F16/951 ,  G06F16/22 ,  G06F16/2458 ,  G06F16/2455 ,  G06F40/205 ,  G06F3/0484 ,  G06F3/0482 ,  G06F3/0485

Abstract: Embodiments are directed towards previewing results generated from indexing data raw data before the corresponding index data is added to an index store. Raw data may be received from a preview data source. After an initial set of configuration information may be established, the preview data may be submitted to an index processing pipeline. A previewing application may generate preview results based on the preview index data and the configuration information. The preview results may enable previewing how the data is being processed by the indexing application. If the preview results are not acceptable, the configuration information may be modified. The preview application enables modification of the configuration information until the generated preview results may be acceptable. If the configuration information is acceptable, the preview data may be processed and indexed in one or more index stores.

公开(公告)号：US20190278752A1

公开(公告)日：2019-09-12

申请号：US16424307

申请日：2019-05-28

Applicant: Splunk Inc.

Inventor： David Ryan Marquardt ,  Mitchell Neuman Blank, JR. ,  Stephen Phillip Sorkin

IPC: G06F16/22 ,  G06F16/2453 ,  G06F16/2458 ,  G06F16/23 ,  G06F16/338 ,  G06F16/2455 ,  G06F16/28 ,  G06F16/248 ,  G06F16/242 ,  G06F16/33 ,  G06F16/31

Abstract: Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name and evaluating the incoming search query. Furthermore, responsive to the evaluating, the method comprises determining results for the incoming search query using both of the field searchable datastore and the inverted index.

公开(公告)号：US20180246939A1

公开(公告)日：2018-08-30

申请号：US15967385

申请日：2018-04-30

Applicant: SPLUNK, INC.

Inventor： Vishal Patel ,  Mitchell Neuman Blank, JR. ,  Sundar Renegarajan Vasan ,  Stephen Phillip Sorkin

IPC: G06F17/30 ,  G06F11/20

CPC classification number: G06F16/24575 ,  G06F3/0617 ,  G06F3/065 ,  G06F3/067 ,  G06F11/20 ,  G06F11/2094 ,  G06F16/2272 ,  G06F16/27 ,  G06F16/275 ,  G06F16/29 ,  G06F16/9535 ,  G06F16/9537 ,  H04L67/1097

Abstract: Embodiments are directed towards managing within a cluster environment having a plurality of indexers for data storage using redundancy the data being managed using a generation identifier, such that a primary indexer is designated for a given generation of data. When a master device for the cluster fails, data may continue to be stored using redundancy, and data searches performed may still be performed.

公开(公告)号：US20170300585A1

公开(公告)日：2017-10-19

申请号：US15642062

申请日：2017-07-05

Applicant: Splunk Inc.

Inventor： Mitchell Neuman Blank, JR. ,  Leonid Budchenko ,  David Carasso ,  Micah James Delfino ,  Johnvey Hwang ,  Stephen Phillip Sorkin ,  Eric Timothy Woo

IPC: G06F17/30 ,  G06F3/0482 ,  G06F17/27 ,  G06F3/0485 ,  G06F3/0484

CPC classification number: G06F16/9535 ,  G06F3/0482 ,  G06F3/04842 ,  G06F3/0485 ,  G06F16/2228 ,  G06F16/24564 ,  G06F16/2477 ,  G06F16/248 ,  G06F16/252 ,  G06F16/316 ,  G06F16/951 ,  G06F17/2705

Abstract: Embodiments are directed towards previewing results generated from indexing data raw data before the corresponding index data is added to an index store. Raw data may be received from a preview data source. After an initial set of configuration information may be established, the preview data may be submitted to an index processing pipeline. A previewing application may generate preview results based on the preview index data and the configuration information. The preview results may enable previewing how the data is being processed by the indexing application. If the preview results are not acceptable, the configuration information may be modified. The preview application enables modification of the configuration information until the generated preview results may be acceptable. If the configuration information is acceptable, the preview data may be processed and indexed in one or more index stores.

公开(公告)号：US20170139964A1

公开(公告)日：2017-05-18

申请号：US15421127

申请日：2017-01-31

Applicant: SPLUNK INC.

Inventor： David Ryan Marquardt ,  Mitchell Neuman Blank, JR. ,  Stephen Phillip Sorkin

IPC: G06F17/30

CPC classification number: G06F16/221 ,  G06F16/2228 ,  G06F16/2322 ,  G06F16/243 ,  G06F16/2453 ,  G06F16/2455 ,  G06F16/2477 ,  G06F16/248 ,  G06F16/282 ,  G06F16/319 ,  G06F16/33 ,  G06F16/338

Abstract: Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name and evaluating the incoming search query. Furthermore, responsive to the evaluating, the method comprises determining results for the incoming search query using the field searchable datastore or the inverted index.

公开(公告)号：US20130311438A1

公开(公告)日：2013-11-21

申请号：US13662984

申请日：2012-10-29

Applicant: SPLUNK INC.

Inventor： David Ryan Marquardt ,  Mitchell Neuman Blank, JR. ,  Stephen Phillip Sorkin

IPC: G06F17/30

CPC classification number: G06F17/30442 ,  G06F17/30315 ,  G06F17/30321 ,  G06F17/30353 ,  G06F17/30401 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30589 ,  G06F17/30622 ,  G06F17/30634 ,  G06F17/30696

Abstract: Embodiments are directed towards receiving and processing search queries directed towards relatively large sets of data. The data is stored in a record based datastore. From the stored data, field names, corresponding field values, and posting values may be determined. Posting values may be employed to locate records in the datastore that include the field names and field values. The field names, field values, and posting values may be employed to generate a lexicon. If queries are received, a lexicon query processor may employ the lexicon separate from the datastore to generate responses to the received queries. Queries may include clauses that may be processed using the lexicon separate from the datastore, such as, where clause expressions, group-by clause expressions, aggregation functions, or the like. A time values array may be used to enable queries to process group-by-time expressions that may return results grouped into sub-sets based on time ranges.

Abstract translation: 实施例旨在接收和处理针对相对大的数据集的搜索查询。 数据存储在基于记录的数据存储中。 从存储的数据可以确定字段名称，对应的字段值和过帐值。 可以使用发布值来定位数据存储中包含字段名称和字段值的记录。 可以使用字段名称，字段值和发布值来生成词典。 如果接收到查询，则词典查询处理器可以使用与数据存储区分开的词典来生成对所接收的查询的响应。 查询可以包括可以使用从数据存储区分开的词典来处理的子句，例如where子句表达式，分组子句表达式，聚合函数等。 时间值数组可用于使查询能够处理按时间范围分组成子集的结果的逐个逐句表达式。