公开(公告)号：US11436222B2

公开(公告)日：2022-09-06

申请号：US16591432

申请日：2019-10-02

Applicant: Splunk Inc.

Inventor： David Ryan Marquardt ,  Karthikeyan Sabhanatarajan ,  Steve Yu Zhang

IPC: G06F17/30 ,  G06F16/2453 ,  G06F16/2458 ,  G06F16/22

Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the receipt of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to identify and search a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.

公开(公告)号：US20220012221A1

公开(公告)日：2022-01-13

申请号：US17482781

申请日：2021-09-23

Applicant: SPLUNK INC.

Inventor： David Ryan Marquardt ,  Stephen Phillip Sorkin ,  Steve Yu Zhang

IPC: G06F16/22 ,  G06F16/00 ,  G06F16/248 ,  G06F16/28 ,  G06F16/951 ,  G06F16/2455 ,  G06F16/2453

Abstract: Embodiments are directed are towards a method for generating a query response, which comprises creating two or more partitions of event records from raw data stored in a data store, wherein each event record in the two or more partitions of event records includes a portion of the raw data and is associated with a time stamp derived from the raw data. The method also comprises generating a summarization table for each partition of the two or more partitions that: (a) identifies a field value comprising a value that corresponds to an associated field extracted from a respective event record; and (b) for the field value, includes a posting value to the respective event record within a respective partition. The method further comprises generating partial results for a received query using summarization tables in the partitions and generating a response to the query by combining the partial results.

公开(公告)号：US11055300B2

公开(公告)日：2021-07-06

申请号：US15339909

申请日：2016-10-31

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang ,  Ledion Bitincka ,  Vishal Patel ,  David E. Simmen

IPC: G06F16/248 ,  G06F16/22 ,  G06F16/25 ,  G06F16/28 ,  G06F16/901 ,  G06F16/951 ,  G06F16/242 ,  G06F16/2455 ,  G06F16/2458 ,  G06F16/835 ,  G06F16/9038 ,  G06F16/9535 ,  G06F16/903 ,  H04L29/08 ,  G06F3/0481 ,  H04L12/26 ,  G06T11/20

Abstract: The disclosed embodiments include a method performed by a data intake and query system. The method includes receiving a real-time search query including search criteria, and receiving a stream of metrics, where each metric includes a measured value taken of a computing device. The method further includes filtering the metrics to obtain filtered metrics satisfying the search criteria, creating an in-memory summarization data structure based on the filtered metrics, communicating the summarization data to a search head, and providing search results including the summarization data, where the summarization data or data indicative of the summarization data is displayed on a display of a display device.

公开(公告)号：US11003675B2

公开(公告)日：2021-05-11

申请号：US16455193

申请日：2019-06-27

Applicant: SPLUNK INC.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F16/2457 ,  G06F16/22 ,  G06F16/24 ,  G06F16/182 ,  G06F16/248 ,  G06F16/33 ,  G06F16/951 ,  G06F16/23 ,  G06F16/2455 ,  G06F16/2458 ,  G06F16/9038 ,  G06F16/9535 ,  G06F16/9032 ,  H04L12/24 ,  H04L29/08

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

公开(公告)号：US10860592B2

公开(公告)日：2020-12-08

申请号：US16397429

申请日：2019-04-29

Applicant: SPLUNK INC.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F16/2457 ,  G06F16/22 ,  G06F16/24 ,  G06F16/182 ,  G06F16/248 ,  G06F16/33 ,  G06F16/951 ,  G06F16/23 ,  G06F16/2455 ,  G06F16/2458 ,  G06F16/9038 ,  G06F16/9535 ,  G06F16/9032 ,  H04L12/24 ,  H04L29/08

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

公开(公告)号：US10719493B2

公开(公告)日：2020-07-21

申请号：US16155746

申请日：2018-10-09

Applicant: Splunk Inc.

Inventor： Stephen Phillip Sorkin ,  Steve Yu Zhang ,  Ledion Bitincka

IPC: G06F16/22 ,  G06F16/245 ,  G06F16/248 ,  G06F16/27 ,  G06F16/901

Abstract: A method and system for managing searches of a data set that is partitioned based on a plurality of events. A structure of a search query may be analyzed to determine if logical computational actions performed on the data set is reducible. Data in each partition is analyzed to determine if at least a portion of the data in the partition is reducible. In response to a subsequent or reoccurring search request, intermediate summaries of reducible data and reducible search computations may be aggregated for each partition. Next, a search result may be generated based on at least one of the aggregated intermediate summaries, the aggregated reducible search computations, and a query of adhoc non-reducible data arranged in at least one of the plurality of partitions for the data set.

公开(公告)号：US10169405B2

公开(公告)日：2019-01-01

申请号：US15421415

申请日：2017-01-31

Applicant: Splunk Inc.

Inventor： Alice Emily Neels ,  Archana Sulochana Ganapathi ,  Marc Vincent Robichaud ,  Stephen Phillip Sorkin ,  Steve Yu Zhang

IPC: G06F17/30 ,  G06F17/24 ,  G06F3/0482

Abstract: Embodiments include generating data models that may give semantic meaning for unstructured or structured data that may include data generated and/or received by search engines, including a time series engine. A method includes generating a data model for data stored in a repository. Generating the data model includes generating an initial query string, executing the initial query string on the data, generating an initial result set based on the initial query string being executed on the data, determining one or more candidate fields from one or results of the initial result set, generating a candidate data model based on the one or more candidate fields, iteratively modifying the candidate data model until the candidate data model models the data, and using the candidate data model as the data model.

公开(公告)号：US20180246918A1

公开(公告)日：2018-08-30

申请号：US15967400

申请日：2018-04-30

Applicant: SPLUNK, INC.

Inventor： David Ryan Marquardt ,  Stephen Phillip Sorkin ,  Steve Yu Zhang

IPC: G06F17/30

Abstract: Embodiments are directed are towards the transparent summarization of events. Queries directed towards summarizing and reporting on event records may be received at a search head. Search heads may be associated with one more indexers containing event records. The search head may forward the query to the indexers the can resolve the query for concurrent execution. If a query is a collection query, indexers may generate summarization information based on event records located on the indexers. Event record fields included in the summarization information may be determined based on terms included in the collection query. If a query is a stats query, each indexer may generate a partial result set from previously generated summarization information, returning the partial result sets to the search head. Collection queries may be saved and scheduled to run and periodically update the summarization information.

公开(公告)号：US09817862B2

公开(公告)日：2017-11-14

申请号：US14834361

申请日：2015-08-24

Applicant: Splunk Inc.

Inventor： Archana Sulochana Ganapathi ,  Alice Emily Neels ,  Marc Vincent Robichaud ,  Stephen Phillip Sorkin ,  Steve Yu Zhang

IPC: G06F17/30

CPC classification number: G06F17/30395 ,  G06F17/30424 ,  G06F17/30477 ,  G06F17/30554

Abstract: Embodiments are directed towards determining and tracking metadata for the generation of visualizations of requested data. A user may request data by providing a query that may be employed to search for the requested data. The query may include a plurality of commands, which may be employed in a pipeline to perform the search and to generate a table of the requested data. In some embodiments, each command may be executed to perform an action on a set of data. The execution of a command may generate one or more columns to append and/or insert into the table of requested data. Metadata for each generated column may be determined based on the actions performed by executing the commands. The table of requested data and the column metadata may be employed to generate and display a visualization of at least a portion of the requested data to a user.

公开(公告)号：US20150347526A1

公开(公告)日：2015-12-03

申请号：US14815978

申请日：2015-08-01

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F17/30

CPC classification number: G06F17/3053 ,  G06F17/30194 ,  G06F17/30312 ,  G06F17/30353 ,  G06F17/30386 ,  G06F17/30477 ,  G06F17/30483 ,  G06F17/30486 ,  G06F17/30528 ,  G06F17/30545 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30675 ,  G06F17/30864 ,  G06F17/30867 ,  G06F17/30973 ,  G06F17/30991 ,  H04L41/0604 ,  H04L41/22 ,  H04L67/1097

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

Abstract translation: 方法，系统和处理器可读存储介质被引导为生成从存储在多个分布式节点上的诸如事件数据的数据导出的报告。 在一个实施例中，使用“分割和征服”算法生成分析，使得每个分布式节点分析本地存储的事件数据，而聚合节点组合这些分析结果以生成报告。 在一个实施例中，每个分布式节点还将与分析结果相关联的事件数据引用的列表发送到聚合节点。 然后，聚合节点可以基于从每个分布式节点接收的事件数据参考的列表来生成数据引用的全局有序列表。 随后，响应于用户选择一系列全局事件数据，报告可以动态地从一个或多个分布式节点检索事件数据，以便根据全局顺序进行显示。