-
Publication number: US20170139996A1
Publication date: 2017-05-18
Application number: US15421236
Application date: 2017-01-31
Applicant: SPLUNK INC.
Inventor: David Ryan Marquardt, Mitchell Blank, Stephen Sorkin
IPC: G06F17/30
CPC classification number: G06F17/30477, G06F17/30315, G06F17/30336, G06F17/30377, G06F17/30864
Abstract: Embodiments of the present disclosure provide a method for generating an inverted index in accordance with a user generated collection query. The method comprises providing a field searchable data store that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. The method further comprises receiving a collection query that references a field name. Further, responsive to the collection query, an inverted index is generated by: a) determining an extraction rule associated with the field name; b) extracting a field value corresponding to the field name from one or more event records in the field searchable data store using the extraction rule; and c) populating the inverted index responsive to each extracted field value, wherein each entry comprises the field name, the corresponding field value and a reference value that identifies a location in the field searchable data store where an associated event record is stored.
-
Publication number: US20170139965A1
Publication date: 2017-05-18
Application number: US15421212
Application date: 2017-01-31
Applicant: Splunk Inc.
IPC: G06F17/30
Abstract: Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name and evaluating the incoming search query. Furthermore, responsive to the evaluating, the method comprises determining results for the incoming search query using both of the field searchable datastore and the inverted index.
-
Publication number: US12066995B2
Publication date: 2024-08-20
Application number: US17482781
Application date: 2021-09-23
Applicant: SPLUNK INC.
Inventor: David Ryan Marquardt, Stephen Phillip Sorkin, Steve Yu Zhang
IPC: G06F7/00, G06F16/00, G06F16/22, G06F16/2453, G06F16/2455, G06F16/248, G06F16/28, G06F16/951
CPC classification number: G06F16/2228, G06F16/00, G06F16/24539, G06F16/2455, G06F16/248, G06F16/284, G06F16/951
Abstract: Embodiments are directed towards a method for generating a query response, which comprises creating two or more partitions of event records from raw data stored in a data store, wherein each event record in the two or more partitions of event records includes a portion of the raw data and is associated with a time stamp derived from the raw data. The method also comprises generating a summarization table for each partition of the two or more partitions that: (a) identifies a field value comprising a value that corresponds to an associated field extracted from a respective event record; and (b) for the field value, includes a posting value to the respective event record within a respective partition. The method further comprises generating partial results for a received query using summarization tables in the partitions and generating a response to the query by combining the partial results.
-
Publication number: US11977544B2
Publication date: 2024-05-07
Application number: US17876404
Application date: 2022-07-28
Applicant: Splunk Inc.
Inventor: David Ryan Marquardt, Karthikeyan Sabhanatarajan, Steve Yu Zhang
IPC: G06F16/20, G06F16/22, G06F16/2453, G06F16/2458
CPC classification number: G06F16/24537, G06F16/2228, G06F16/2477
Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the receipt of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to identify and search a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.
-
Publication number: US20230015186A1
Publication date: 2023-01-19
Application number: US17944065
Application date: 2022-09-13
Applicant: Splunk Inc.
IPC: G06F16/2453, G06F16/2458
Abstract: A method includes receiving an initial pipeline including a sequence of commands for execution on a computing system, and obtaining, for each command in the sequence of commands, semantic information. The sequence of commands includes a command with incomplete semantic information. The method further includes generating an abstract semantic tree (AST) with the semantic information and a placeholder for the incomplete semantic information, and manipulating the AST to generate a revised AST. The revised AST corresponds to a revised pipeline that reduces an execution time on the computing system. The method further includes executing the revised pipeline.
-
Publication number: US20220365932A1
Publication date: 2022-11-17
Application number: US17876404
Application date: 2022-07-28
Applicant: Splunk Inc.
Inventor: David Ryan Marquardt, Karthikeyan Sabhanatarajan, Steve Yu Zhang
IPC: G06F16/2453, G06F16/2458, G06F16/22
Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the receipt of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to identify and search a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.
-
Publication number: US11429608B2
Publication date: 2022-08-30
Application number: US16527719
Application date: 2019-07-31
Applicant: Splunk Inc.
Inventor: Karthikeyan Sabhanatarajan, David Ryan Marquardt, Steve Zhang, Nicholas Romito, Sophia Zhu
IPC: G06F16/24, G06F16/2453, G06F16/903
Abstract: Embodiments of the present disclosure provide techniques for emitting structured and dynamic fields from an accelerated data model. The method comprises evaluating a query to search a data model, wherein the data model is defined by a set of events and at least one structured field from fields associated with the set of events. Each event comprises a time-stamped portion of raw machine data and is stored in a field searchable data store. A summarization table is associated with the data model and comprises a plurality of entries comprising reference values, wherein a respective summarization table entry comprises: the at least one structured field; a respective field value; and a reference value. The method further comprises accessing the set of events from the field searchable data store using the reference values in the summarization table and annotating the set of events with the at least one structured field and with at least one dynamic field from the fields associated with the set of events, wherein the at least one dynamic field is not defined in the data model.
-
Publication number: US11379530B2
Publication date: 2022-07-05
Application number: US16527854
Application date: 2019-07-31
Applicant: Splunk Inc.
Inventor: Karthikeyan Sabhanatarajan, David Ryan Marquardt, Steve Zhang, Nicholas Romito
IPC: G06F17/30, G06F16/903, G06F16/901
Abstract: Embodiments of the present disclosure provide techniques for performing searches of event records by leveraging reference values in an inverted index. A method of searching comprises accessing a query associated with a first set of event records in a field searchable data store, each event record comprising a time-stamped portion of raw machine data. The method further comprises evaluating the query and generating results for the query by accessing an inverted index, wherein each entry in the inverted index comprises at least one field, a corresponding at least one field value and a reference value that identifies a location in the field searchable data store where an associated event record is stored. The method further comprises performing a search to filter out a second set of event records and retrieving the second set of event records from the field searchable data store using reference values in the inverted index.
-
Publication number: US20200334309A1
Publication date: 2020-10-22
Application number: US16900628
Application date: 2020-06-12
Applicant: SPLUNK INC.
Inventor: Hailun Yan, Ledion Bitincka, Kishore Reddy Ramasayam, Elizabeth Lin, David Ryan Marquardt
IPC: G06F16/9535, G06F16/28, G06F16/2455
Abstract: Embodiments of the present invention are directed to facilitating data model acceleration in association with an external data system. In accordance with aspects of the present disclosure, at a core engine, a search request associated with a data model is received. The data model generally designates one or more fields, from among a plurality of fields, that are of interest for subsequent searches. Thereafter, it is determined that an accelerated data model summary associated with the data model is stored at an external data system remote from the core engine that received the search request. The accelerated data model summary includes field values associated with the one or more fields designated in the data model. A search for the received search request is initiated using the accelerated data model summary at the external data. A set of search results relevant to the search request is obtained and provided to a user device for display to a user.
-
Publication number: US20200034363A1
Publication date: 2020-01-30
Application number: US16591432
Application date: 2019-10-02
Applicant: Splunk Inc.
Inventor: David Ryan Marquardt, Karthikeyan Sabhanatarajan, Steve Yu Zhang
IPC: G06F16/2453, G06F16/2458, G06F16/22
Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the receipt of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to identify and search a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.