-
Publication No.: US10162863B2
Publication date: 2018-12-25
Application No.: US14530692
Filing date: 2014-11-01
Applicant: Splunk Inc.
Inventor: Steve Yu Zhang , Stephen P. Sorkin
Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.
-
Publication No.: US20180316702A1
Publication date: 2018-11-01
Application No.: US15498418
Filing date: 2017-04-26
Applicant: Splunk Inc.
Inventor: Camille Gaspard
Abstract: In one embodiment, a discrepancy detection application automatically detects and addresses unauthorized activities associated with one or more authorization keys based on a request log and a provider log. The request log specifies activities that a client initiated, where the activities are associated with the authorization keys. The provider log specifies activities that a cloud provider performed, where the activities are associated with the authorization keys. In operation, the discrepancy detection application determines that one or more unauthorized activities have occurred based on comparing the request log to the provider log. The discrepancy detection application then performs an action that addresses the unauthorized activities. Advantageously, by detecting discrepancies between activities initiated by the client and activities performed by the cloud provider, the discrepancy detection application automatically detects any leaked authorization keys and minimizes resulting damages incurred by the client.
-
Publication No.: US20180315074A1
Publication date: 2018-11-01
Application No.: US15582523
Filing date: 2017-04-28
Applicant: Splunk, Inc.
Inventor: Brian Gabriel Nash , Andrew Hoy Stein
IPC: G06Q30/02
Abstract: Embodiments are disclosed for a method that may include accessing, from a first data source, events including interactions between a mobile device and one or more network devices on a network at a locale, and receiving external data from a second data source that excludes the network devices. The method may further include determining, based on the interactions, one or more geographic positions and one or more corresponding time intervals of the mobile device at the geographic positions, and correlating the geographic positions and the time intervals with the external data to obtain a metric.
-
Publication No.: US20180314734A1
Publication date: 2018-11-01
Application No.: US15582519
Filing date: 2017-04-28
Applicant: Splunk, Inc.
CPC classification number: G06F16/24542 , G06F16/2477
Abstract: A method includes receiving an initial pipeline including a sequence of commands for execution on a computing system, and obtaining, for each command in the sequence of commands, semantic information. The sequence of commands includes a command with incomplete semantic information. The method further includes generating an abstract semantic tree (AST) with the semantic information and a placeholder for the incomplete semantic information, and manipulating the AST to generate a revised AST. The revised AST corresponds to a revised pipeline that reduces an execution time on the computing system. The method further includes executing the revised pipeline.
-
Publication No.: US20180314731A1
Publication date: 2018-11-01
Application No.: US15582424
Filing date: 2017-04-28
Applicant: Splunk Inc.
Inventor: Ashish Mathew
IPC: G06F17/30
CPC classification number: G06F16/2272 , G06F16/256
Abstract: Embodiments of the present disclosure provide a method for performing search queries. The method comprises transmitting a list of active indexers in an indexer cluster from a cluster master for receipt by a first search head, wherein the cluster master is communicatively coupled with an indexer cluster comprising a plurality of indexers and the first search head. The method further comprises receiving a first slot request at the cluster master in response to a query from the first search head, wherein the first search head is operable to transmit the query to the active indexers for execution if granted the slot request. Further, the method comprises evaluating a plurality of policies to determine if the first slot request can be granted and responsive to a positive determination, transmitting an authorization token for a slot to the first search head.
-
Publication No.: US20180314601A1
Publication date: 2018-11-01
Application No.: US15582441
Filing date: 2017-04-28
Applicant: SPLUNK INC.
Inventor: Ankit Jain , Manu Jose, JR. , Bharath Aleti , Amritpal Singh Bath , Yuan Xu
Abstract: Embodiments of the present disclosure provide solutions for determining an elected search head captain is unqualified for the position, identifying a more qualified search head, and transferring the captain position to the more qualified search head. A method is provided that includes referencing qualification parameters in an elected search head captain, determining whether the newly elected search head captain is qualified for the position based on the parameters, identifying a more qualified search head to be the search head captain if the newly elected search head captain is determined to be unqualified for the position, and transferring the position of captain to the more qualified search head. The qualification parameters may include, for example, a pre-determined static flag set by an administrator of the search environment, and configuration replication status that corresponds to the most recent configuration state of the search head as recorded by the previous search head captain.
-
Publication No.: US20180302423A1
Publication date: 2018-10-18
Application No.: US16016472
Filing date: 2018-06-22
Applicant: Splunk Inc.
Inventor: Sudhakar Muddu , Christos Tryfonas , Yijiang Li
IPC: H04L29/06 , G06N99/00 , G06F17/30 , H04L12/26 , H04L12/24 , G06F3/0484 , G06K9/20 , G06F3/0482 , G06N7/00 , G06N5/04 , G06F17/22
Abstract: A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
-
Publication No.: US20180300349A1
Publication date: 2018-10-18
Application No.: US16013381
Filing date: 2018-06-20
Applicant: Splunk Inc.
Inventor: Alexander Munk , Jesse Miller
IPC: G06F17/30 , G06F3/0482
Abstract: A data intake and query system provides interfaces that enable users to configure source type definitions used by the system. A data intake and query system generally refers to a system for collecting and analyzing data including machine-generated data. Such a system may be configured to consume many different types of machine data generated by any number of different data sources including various servers, network devices, applications, etc. At a high level, a source type definition comprises one or more properties that define how various components of a data intake and query system collect, index, store, search and otherwise interact with particular types of data consumed by the system. The interfaces provided by the system generally comprise one or more interface components for configuring various attributes of a source type definition.
-
Publication No.: US20180293051A1
Publication date: 2018-10-11
Application No.: US16003998
Filing date: 2018-06-08
Applicant: Splunk Inc.
Inventor: R. David Carasso , Micah James Delfino , Johnvey Hwang
CPC classification number: G06F7/24 , G06F16/2477
Abstract: Embodiments are directed towards real time display of event records with an indication of previously provided extraction rules. A plurality of extraction rules may be provided to the system, such as automatically generated and/or user created extraction rules. These extraction rules may include regular expressions. A plurality of event records may be displayed to the user, such that text in a field defined by an extraction rule is emphasized in the display of the event record. The same emphasis may be provided for text in overlapping fields, or the emphasis may be somewhat different for different fields. The user interface may enable a user to select a portion of text of an event record, such as by rolling-over or clicking on an emphasized part of the event record. By selecting the portion of the event record, the interface may display each extraction rule associated with the selected portion.
-
Publication No.: US10091227B2
Publication date: 2018-10-02
Application No.: US15339955
Filing date: 2016-11-01
Applicant: Splunk Inc.
Inventor: Munawar Monzy Merza , John Coates , James M Hansen , Lucas Murphey , David Hazekamp , Michael Kinsley , Alexander Raitz
Abstract: A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge of system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats.
-