-
Publication No.: US10474674B2
Publication Date: 2019-11-12
Application No.: US15421293
Application Date: 2017-01-31
Applicant: Splunk Inc.
Inventor: David Ryan Marquardt , Karthikeyan Sabhanatarajan , Steve Yu Zhang
IPC: G06F7/00 , G06F16/2453
Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the receipt of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to filter out a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.
-
42.
Publication No.: US20190278754A1
Publication Date: 2019-09-12
Application No.: US16424358
Application Date: 2019-05-28
Applicant: SPLUNK INC.
IPC: G06F16/22 , G06F16/2453 , G06F16/2458 , G06F16/23 , G06F16/338 , G06F16/2455 , G06F16/28 , G06F16/248 , G06F16/242 , G06F16/33 , G06F16/31
Abstract: Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name and evaluating the incoming search query. Furthermore, responsive to the evaluating, the method comprises determining results for the incoming search query using the field searchable datastore or the inverted index.
-
43.
Publication No.: US20190278753A1
Publication Date: 2019-09-12
Application No.: US16424311
Application Date: 2019-05-28
Applicant: SPLUNK INC.
IPC: G06F16/22 , G06F16/2453 , G06F16/2458 , G06F16/23 , G06F16/338 , G06F16/2455 , G06F16/28 , G06F16/248 , G06F16/242 , G06F16/33 , G06F16/31
Abstract: Embodiments are directed towards a method for searching data. The method comprises generating an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name. Furthermore, the method comprises generating results to the incoming search query based on the field searchable datastore, wherein the field searchable datastore is directly searchable by the field name.
-
Publication No.: US20180089290A1
Publication Date: 2018-03-29
Application No.: US15339912
Application Date: 2016-10-31
Applicant: Splunk Inc.
Inventor: Thomas Allan Haggie , Clint Sharp , Alexander Douglas James , David Ryan Marquardt , Hailun Yan , Christopher Pride , Vishal Patel , Amrittpal Singh Bath , Pratiksha Shah , Murugan Kandaswamy , Steve Yu Zhang , Ledion Bitincka , David E. Simmen , Marc Andre Chene , Esguerra Ma Kharisma , Igor Stojanovski
IPC: G06F17/30
CPC classification number: G06F16/248 , G06F3/0481 , G06F16/22 , G06F16/2228 , G06F16/2255 , G06F16/2425 , G06F16/2455 , G06F16/24568 , G06F16/2462 , G06F16/2477 , G06F16/25 , G06F16/285 , G06F16/8373 , G06F16/901 , G06F16/90335 , G06F16/9038 , G06F16/951 , G06F16/9535 , G06T11/206 , G06T2200/24 , H04L43/08 , H04L67/02 , H04L67/025
Abstract: The disclosed embodiments include a method performed by a data intake and query system. The method includes ingesting each metric including at least one key value and a measured value taken of a computing resource, and storing each metric in an index of a metrics store, where the index defines at least one dimension populated with the at least one key value and a measure populated with the measured value. The method further includes cataloging metadata in a metrics catalog, where the metadata is related to the metrics stored in the metrics store, performing an analysis of metrics data included in the metrics store and/or the metrics catalog to obtain results, and causing display of the results or an indication of the results on a display device.
-
Publication No.: US12141143B2
Publication Date: 2024-11-12
Application No.: US17944065
Application Date: 2022-09-13
Applicant: Splunk Inc.
IPC: G06F16/20 , G06F16/2453 , G06F16/2458
Abstract: A method includes receiving an initial pipeline including a sequence of commands for execution on a computing system, and obtaining, for each command in the sequence of commands, semantic information. The sequence of commands includes a command with incomplete semantic information. The method further includes generating an abstract semantic tree (AST) with the semantic information and a placeholder for the incomplete semantic information, and manipulating the AST to generate a revised AST. The revised AST corresponds to a revised pipeline that reduces an execution time on the computing system. The method further includes executing the revised pipeline.
-
46.
Publication No.: US11960545B1
Publication Date: 2024-04-16
Application No.: US17829179
Application Date: 2022-05-31
Applicant: Splunk Inc.
Inventor: Karthikeyan Sabhanatarajan , David Ryan Marquardt , Steve Zhang , Nicholas Romito
IPC: G06F16/903 , G06F16/901
CPC classification number: G06F16/90335 , G06F16/901
Abstract: Embodiments of the present disclosure provide techniques for performing searches of event records by leveraging reference values in an inverted index. A method of searching comprises accessing a query associated with a first set of event records in a field searchable data store, each event record comprising a time-stamped portion of raw machine data. The method further comprises evaluating the query and generating results for the query by accessing an inverted index, wherein each entry in the inverted index comprises at least one field, a corresponding at least one field value and a reference value that identifies a location in the field searchable data store where an associated event record is stored. The method further comprises performing a search to filter out a second set of event records and retrieving the second set of event records from the field searchable data store using reference values in the inverted index.
-
Publication No.: US11487759B1
Publication Date: 2022-11-01
Application No.: US16669429
Application Date: 2019-10-30
Applicant: Splunk Inc.
IPC: G06F7/00 , G06F16/2453 , G06F16/2458
Abstract: A method includes receiving an initial pipeline including a sequence of commands for execution on a computing system, and obtaining, for each command in the sequence of commands, semantic information. The sequence of commands includes a command with incomplete semantic information. The method further includes generating an abstract semantic tree (AST) with the semantic information and a placeholder for the incomplete semantic information, and manipulating the AST to generate a revised AST. The revised AST corresponds to a revised pipeline that reduces an execution time on the computing system. The method further includes executing the revised pipeline.
-
Publication No.: US11314759B2
Publication Date: 2022-04-26
Application No.: US16803944
Application Date: 2020-02-27
Applicant: Splunk Inc.
Inventor: Thomas Allan Haggie , Clint Sharp , Alexander Douglas James , David Ryan Marquardt
IPC: G06F16/00 , G06F16/248 , G06F16/22 , G06F16/25 , G06F16/28 , G06F16/901 , G06F16/951 , G06F16/242 , G06F16/2455 , G06F16/2458 , G06F16/835 , G06F16/9038 , G06F16/9535 , G06F16/903 , H04L67/025 , G06F3/0481 , G06T11/20 , H04L67/02 , H04L43/08
Abstract: The disclosed embodiments include a method performed by a data intake and query system. The method includes populating each metric including a measure value, cataloging metadata in an in-memory metrics catalog, where the metadata is related to the metrics. The method further includes receiving a search query including search criteria, evaluating the search query by applying the search criteria to the metadata of the metrics catalog to obtain results that satisfy the search criteria, and causing display, on a display device, of the results or data indicative of the results.
-
Publication No.: US11314758B2
Publication Date: 2022-04-26
Application No.: US16777592
Application Date: 2020-01-30
Applicant: Splunk Inc.
Inventor: David Ryan Marquardt , Hailun Yan , Christopher Pride , Vishal Patel
IPC: G06F16/00 , G06F16/248 , G06F16/22 , G06F16/25 , G06F16/28 , G06F16/901 , G06F16/951 , G06F16/242 , G06F16/2455 , G06F16/2458 , G06F16/835 , G06F16/9038 , G06F16/9535 , G06F16/903 , H04L67/025 , G06F3/0481 , G06T11/20 , H04L67/02 , H04L43/08
Abstract: The disclosed embodiments include a method performed by a data intake and query system to store and query metrics data. The method includes ingesting metrics, where each metric includes key values and numerical value indicative of a measured characteristic of a computing resource. The method further includes populating a first portion of a metric-series index (msidx) file with the key values and a second portion of the msidx file with numerical values indicative of a measured characteristic, where the first portion is distinct from the second portion. The method further includes receiving a query including criteria, evaluating the query by applying the criteria to the first portion of the msidx file to obtain query results indicative of metrics that satisfy the criteria, and displaying, on a display device, the query results or data indicative of the query results.
-
Publication No.: US11163738B2
Publication Date: 2021-11-02
Application No.: US16451450
Application Date: 2019-06-25
Applicant: SPLUNK INC.
Inventor: David Ryan Marquardt , Stephen Phillip Sorkin , Steve Yu Zhang
IPC: G06F7/00 , G06F16/00 , G06F16/22 , G06F16/248 , G06F16/28 , G06F16/951 , G06F16/2455 , G06F16/2453
Abstract: Embodiments are directed towards the parallelization of collection queries. A method of parallelizing collection queries comprises providing a field searchable data store comprising a plurality of field searchable time stamped event records. The method further comprises receiving, at a search head, a collection query that references a field name that identifies portions of one or more event records to be summarized. Further, the method comprises determining if the collection query can be concurrently executed on a first plurality of indexers, wherein the search head is configured to communicate with the first plurality of indexers, and wherein each indexer of the first plurality of indexers comprises one or more field searchable time stamped event records. Responsive to an affirmative determination, the method also comprises determining a second plurality of indexers relevant to the collection query and executing the collection query to generate a respective summarization table at each indexer.