公开(公告)号：US20180260296A1

公开(公告)日：2018-09-13

申请号：US15981745

申请日：2018-05-16

Applicant: SPLUNK, INC.

Inventor： Alok A. Bhide ,  Poorva Malviya ,  Leonid V. Alekseyev

IPC: G06F11/32 ,  G06F9/50 ,  G06F3/06 ,  G06F11/34 ,  G06F3/048 ,  G06F9/455

Abstract: The disclosed embodiments include a method for identifying a performance metric to diagnose a cause of a performance issues of virtual machine. The method includes obtaining data of a virtual machine, an indication that a storage volume contains data of the virtual machine, data about the storage volume, and an identification of the storage volume. The data of the virtual machine is correlated with the data about the storage volume based on the indication that the storage volume contains data of the virtual machine and the identification of the storage volume. A performance metric is identified based at least in part on an outcome of the correlating. The performance metric indicates that the storage volume is a cause of a performance issue of the virtual machine. A state related to the storage volume is changed to mitigate the cause of the performance issue of the virtual machine.

公开(公告)号：US10069849B2

公开(公告)日：2018-09-04

申请号：US14929184

申请日：2015-10-30

Applicant: Splunk Inc.

Inventor： Sudhakar Muddu ,  Christos Tryfonas ,  Marios Iliofotou

IPC: H04L29/06 ,  G06N99/00 ,  G06F17/30 ,  G06N7/00 ,  G06F3/0482 ,  G06K9/20 ,  G06F3/0484 ,  H04L12/24 ,  H04L12/26

Abstract: A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

公开(公告)号：US10067876B2

公开(公告)日：2018-09-04

申请号：US15402105

申请日：2017-01-09

Applicant: Splunk, Inc.

Inventor： Ledion Bitincka ,  Alexandros Batsakis ,  Paul J. Lucas ,  Nicholas Robert Romito

IPC: G06F12/00 ,  G06F12/0875 ,  G06F17/30 ,  G06F12/0862 ,  G06F3/06 ,  G06F12/0873 ,  G06F12/0802 ,  G06F12/0866 ,  G06F12/0868 ,  G06F12/0871

CPC classification number: G06F12/0875 ,  G06F16/172 ,  G06F16/951 ,  G06F16/9574 ,  G06F2212/1021 ,  G06F2212/45 ,  G06F2212/6024 ,  G06F2212/6026 ,  G06F2212/6028

Abstract: Embodiments are disclosed for a prefetching method that may include copying, in response to a search query, a first bucket from a remote storage to a cache. The first bucket may include first data associated with the search query. The method may further include identifying a first file type associated with a first file in the first bucket. The first file may be associated with a usage status. The method may further include accessing, based on the search query, a second bucket from the remote storage. The second bucket may include second data associated with the search query. The method may further include identifying a second file in the second bucket having the first file type, and copying, in response to the usage status indicating that the first file was used in processing the search query, the second file from the remote storage to the cache.

公开(公告)号：US20180246942A1

公开(公告)日：2018-08-30

申请号：US15966279

申请日：2018-04-30

Applicant: Splunk Inc.

Inventor： KEN CHEN ,  GANG TAO ,  LAI QIANG DING ,  JUNQING HAO ,  TING WANG ,  ELIAS HADDAD ,  DRITAN BITINCKA

IPC: G06F17/30 ,  H04L12/26

CPC classification number: G06F16/248 ,  H04L43/024 ,  H04L43/0817

Abstract: Techniques and mechanisms are disclosed that enable a data collection system to adaptively control collection of data from one or more external data sources. At a high level, adaptively controlling collection of data from external data sources may include collecting performance information related to one or more data collection nodes and, in response to analyzing the collected performance information, adapting rates at which the data collection nodes send data collection requests to external data sources. Data collection performance information generally may include, but is not limited to, network traffic data, error messages generated by external data sources and/or data collection nodes, computing device performance information, and any other types of information related to a data collection node's ability to collect data from external data sources.

公开(公告)号：US10061821B2

公开(公告)日：2018-08-28

申请号：US15224657

申请日：2016-07-31

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F17/30 ,  H04L12/24 ,  H04L29/08

CPC classification number: G06F16/24578 ,  G06F16/182 ,  G06F16/22 ,  G06F16/2322 ,  G06F16/24 ,  G06F16/2455 ,  G06F16/24553 ,  G06F16/24554 ,  G06F16/24575 ,  G06F16/2471 ,  G06F16/2477 ,  G06F16/248 ,  G06F16/334 ,  G06F16/90328 ,  G06F16/9038 ,  G06F16/951 ,  G06F16/9535 ,  H04L41/0604 ,  H04L41/22 ,  H04L67/1097

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

公开(公告)号：US10061807B2

公开(公告)日：2018-08-28

申请号：US15421236

申请日：2017-01-31

Applicant: SPLUNK INC.

Inventor： David Ryan Marquardt ,  Mitchell Blank ,  Stephen Sorkin

IPC: G06F17/30

CPC classification number: G06F16/2455 ,  G06F16/221 ,  G06F16/2272 ,  G06F16/2379 ,  G06F16/951

Abstract: Embodiments of the present disclosure provide a method for generating an inverted index in accordance with a user generated collection query. The method comprises providing a field searchable data store that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. The method further comprises receiving a collection query that references a field name. Further, responsive to the collection query, an inverted index is generated by: a) determining an extraction rule associated with the field name; b) extracting a field value corresponding to the field name from one or more event records in the field searchable data store using the extraction rule; and c) populating the inverted index responsive to each extracted field value, wherein each entry comprises the field name, the corresponding field value and a reference value that identifies a location in the field searchable data store where an associated event record is stored.

公开(公告)号：US20180219896A1

公开(公告)日：2018-08-02

申请号：US15885709

申请日：2018-01-31

Applicant: Splunk Inc.

Inventor： Kurt Kokko ,  Damien Lindauer ,  Brad Lovering ,  Lynn Kasel

IPC: H04L29/06 ,  G06F21/53 ,  G06F21/54

CPC classification number: H04L63/1425 ,  G06F21/53 ,  G06F21/54 ,  G06N20/00 ,  H04L63/1433

Abstract: Techniques and mechanisms are disclosed for creating an environment for detecting malicious network traffic. A test computer network including a plurality of cloned nodes is created. The plurality of cloned nodes in the test computer network corresponds to at least some of a plurality of target nodes of a host computer network, and the test computer network has no network connectivity to the host computer network. Sensors in both the host computer network and the test computer network generate network flow records that are sent to a detection processing pipeline. The detection processing pipeline merges the records received from the sensors and uses the merged records to train at least one model used to identify instances of malicious network traffic.

公开(公告)号：US20180219888A1

公开(公告)日：2018-08-02

申请号：US15419959

申请日：2017-01-30

Applicant: Splunk Inc.

Inventor： Georgios Apostolopoulos

IPC: H04L29/06 ,  G06F17/30

CPC classification number: H04L63/1425 ,  G06F17/30958

Abstract: The disclosed techniques relate to a graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. In some examples, the input can be anomaly events or simply regular events. The entities associated with the activities can be grouped into smaller time units, e.g., per day. The riskiest days of activity can be found by computing a risk score for each day and according to the features in the day. A graph can be built with links between the time units. The links can also receive scoring based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors.

公开(公告)号：US20180219879A1

公开(公告)日：2018-08-02

申请号：US15418464

申请日：2017-01-27

Applicant: Splunk, Inc.

Inventor： John Clifton Pierce

IPC: H04L29/06 ,  H04L12/26

Abstract: Various embodiments of the present invention set forth techniques for security monitoring of a network connection, including analyzing network traffic data for a network connection associated with a computing device, identifying one or more network traffic metrics for the network connection based on the network traffic data, determining that the network connection corresponds to at least one network connection profile based on the one or more network traffic metrics, detecting a potential security threat for the network connection based on the one or more network traffic metrics and the at least one network connection profile, and initiating a mitigation action with respect to the network connection in response to detecting the potential security threat. Advantageously, the techniques allow detecting potential security threats based on network traffic metrics and categorizations, without requiring monitoring of the content or the total volume of all traffic exchanged via the connection.

公开(公告)号：US20180218269A1

公开(公告)日：2018-08-02

申请号：US15419918

申请日：2017-01-30

Applicant: SPLUNK INC.

Inventor： Adam Jamison Oliner ,  Aungon Nag Radon ,  Manwah Wong ,  Manish Sainani ,  Harsh Keswani

IPC: G06N5/04 ,  G06N99/00 ,  G06F17/30

CPC classification number: G06N5/04 ,  G06F16/2465 ,  G06F16/26 ,  G06N20/00

Abstract: Embodiments of the present invention are directed to facilitating event forecasting. In accordance with aspects of the present disclosure, a set of events determined from raw machine data is obtained. The events are analyzed to identify leading indicators that indicate a future occurrence of a target event, wherein the leading indicators occur during a search period of time the precedes a warning period of time, thereby providing time for an action to be performed prior to an occurrence of a predicted target event. At least one of the leading indicators is used to predict a target event. An event notification is provided indicating the prediction of the target event.