-
Publication number: US11940967B2
Publication date: 2024-03-26
Application number: US17364617
Application date: 2021-06-30
Applicant: SPLUNK INC.
IPC: G06F16/00 , G06F16/22 , G06F16/23 , G06F16/242 , G06F16/2453 , G06F16/2455 , G06F16/2458 , G06F16/248 , G06F16/28 , G06F16/31 , G06F16/33 , G06F16/338
CPC classification number: G06F16/221 , G06F16/2228 , G06F16/2322 , G06F16/243 , G06F16/2453 , G06F16/2455 , G06F16/2477 , G06F16/248 , G06F16/282 , G06F16/319 , G06F16/33 , G06F16/338
Abstract: Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises evaluating an incoming search query that references a field name. Responsive to the evaluating, the method comprises determining results for the incoming search query by executing the incoming search query across the field searchable datastore or the inverted index.
-
Publication number: US11436222B2
Publication date: 2022-09-06
Application number: US16591432
Application date: 2019-10-02
Applicant: Splunk Inc.
Inventor: David Ryan Marquardt , Karthikeyan Sabhanatarajan , Steve Yu Zhang
IPC: G06F17/30 , G06F16/2453 , G06F16/2458 , G06F16/22
Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the receipt of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to identify and search a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.
-
Publication number: US20220012221A1
Publication date: 2022-01-13
Application number: US17482781
Application date: 2021-09-23
Applicant: SPLUNK INC.
Inventor: David Ryan Marquardt , Stephen Phillip Sorkin , Steve Yu Zhang
IPC: G06F16/22 , G06F16/00 , G06F16/248 , G06F16/28 , G06F16/951 , G06F16/2455 , G06F16/2453
Abstract: Embodiments are directed towards a method for generating a query response, which comprises creating two or more partitions of event records from raw data stored in a data store, wherein each event record in the two or more partitions of event records includes a portion of the raw data and is associated with a time stamp derived from the raw data. The method also comprises generating a summarization table for each partition of the two or more partitions that: (a) identifies a field value comprising a value that corresponds to an associated field extracted from a respective event record; and (b) for the field value, includes a posting value to the respective event record within a respective partition. The method further comprises generating partial results for a received query using summarization tables in the partitions and generating a response to the query by combining the partial results.
-
Publication number: US11144608B2
Publication date: 2021-10-12
Application number: US16900628
Application date: 2020-06-12
Applicant: SPLUNK INC.
Inventor: Hailun Yan , Ledion Bitincka , Kishore Reddy Ramasayam , Elizabeth Lin , David Ryan Marquardt
IPC: G06F16/9535 , G06F16/28 , G06F16/2455
Abstract: Embodiments of the present invention are directed to facilitating data model acceleration in association with an external data system. In accordance with aspects of the present disclosure, at a core engine, a search request associated with a data model is received. The data model generally designates one or more fields, from among a plurality of fields, that are of interest for subsequent searches. Thereafter, it is determined that an accelerated data model summary associated with the data model is stored at an external data system remote from the core engine that received the search request. The accelerated data model summary includes field values associated with the one or more fields designated in the data model. A search for the received search request is initiated using the accelerated data model summary at the external data. A set of search results relevant to the search request is obtained and provided to a user device for display to a user.
-
Publication number: US10997138B2
Publication date: 2021-05-04
Application number: US16424307
Application date: 2019-05-28
Applicant: Splunk Inc.
IPC: G06F16/00 , G06F16/22 , G06F16/2453 , G06F16/33 , G06F16/242 , G06F16/248 , G06F16/28 , G06F16/31 , G06F16/338 , G06F16/23 , G06F16/2458 , G06F16/2455
Abstract: Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name and evaluating the incoming search query. Furthermore, responsive to the evaluating, the method comprises determining results for the incoming search query using both of the field searchable datastore and the inverted index.
-
Publication number: US20210034623A1
Publication date: 2021-02-04
Application number: US16527719
Application date: 2019-07-31
Applicant: Splunk Inc.
Inventor: Karthikeyan Sabhanatarajan , David Ryan Marquardt , Steve Zhang , Nicholas Romito , Sophia Zhu
IPC: G06F16/2453 , G06F16/903
Abstract: Embodiments of the present disclosure provide techniques for emitting structured and dynamic fields from an accelerated data model. The method comprises evaluating a query to search a data model, wherein the data model is defined by a set of events and at least one structured field from fields associated with the set of events. Each event comprises a time-stamped portion of raw machine data and is stored in a field searchable data store. A summarization table is associated with the data model and comprises a plurality of entries comprising reference values, wherein a respective summarization table entry comprises: the at least one structured field; a respective field value; and a reference value. The method further comprises accessing the set of events from the field searchable data store using the reference values in the summarization table and annotating the set of events with the at least one structured field and with at least one dynamic field from the fields associated with the set of events, wherein the at least one dynamic field is not defined in the data model.
-
Publication number: US10713314B2
Publication date: 2020-07-14
Application number: US15011361
Application date: 2016-01-29
Applicant: Splunk Inc.
Inventor: Hailun Yan , Ledion Bitincka , Kishore Reddy Ramasayam , Elizabeth Lin , David Ryan Marquardt
IPC: G06F16/9535 , G06F16/28 , G06F16/2455
Abstract: Embodiments are directed to facilitating data model acceleration in association with an external data system. In some embodiments, at a core engine, a search request associated with a data model is received. The data model generally designates one or more fields, from among a plurality of fields of interest for subsequent searches. Thereafter, it is determined that an accelerated data model summary associated with the data model is stored at an external data system remote from the core engine that received the search request. The accelerated data model summary includes field values associated with the one or more fields designated in the data model. A search for the received search request is initiated using the accelerated data model summary at the external data. A set of search results relevant to the search request is obtained and provided to a user device for display to a user.
-
Publication number: US10606857B2
Publication date: 2020-03-31
Application number: US15339894
Application date: 2016-10-31
Applicant: Splunk Inc.
Inventor: Thomas Allan Haggie , Clint Sharp , Alexander Douglas James , David Ryan Marquardt
IPC: G06F17/30 , G06F16/248 , G06F16/22 , G06F16/25 , G06F16/28 , G06F16/901 , G06F16/951 , G06F16/242 , G06F16/2455 , G06F16/2458 , G06F16/835 , G06F16/9038 , G06F16/9535 , G06F16/903 , H04L29/08 , G06F3/0481 , G06T11/20 , H04L12/26
Abstract: The disclosed embodiments include a method performed by a data intake and query system. The method includes populating each metric including a measure value, cataloging metadata in an in-memory metrics catalog, where the metadata is related to the metrics. The method further includes receiving a search query including search criteria, evaluating the search query by applying the search criteria to the metadata of the metrics catalog to obtain results that satisfy the search criteria, and causing display, on a display device, of the results or data indicative of the results.
-
Publication number: US10423595B2
Publication date: 2019-09-24
Application number: US15421212
Application date: 2017-01-31
Applicant: Splunk Inc.
IPC: G06F16/00 , G06F16/22 , G06F16/2453 , G06F16/33 , G06F16/242 , G06F16/248 , G06F16/28 , G06F16/31 , G06F16/338 , G06F16/23 , G06F16/2458 , G06F16/2455
Abstract: Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name and evaluating the incoming search query. Furthermore, responsive to the evaluating, the method comprises determining results for the incoming search query using both of the field searchable datastore and the inverted index.
-
Publication number: US20180246918A1
Publication date: 2018-08-30
Application number: US15967400
Application date: 2018-04-30
Applicant: SPLUNK, INC.
Inventor: David Ryan Marquardt , Stephen Phillip Sorkin , Steve Yu Zhang
IPC: G06F17/30
Abstract: Embodiments are directed towards the transparent summarization of events. Queries directed towards summarizing and reporting on event records may be received at a search head. Search heads may be associated with one or more indexers containing event records. The search head may forward the query to the indexers that can resolve the query for concurrent execution. If a query is a collection query, indexers may generate summarization information based on event records located on the indexers. Event record fields included in the summarization information may be determined based on terms included in the collection query. If a query is a stats query, each indexer may generate a partial result set from previously generated summarization information, returning the partial result sets to the search head. Collection queries may be saved and scheduled to run and periodically update the summarization information.