公开(公告)号：US20150180891A1

公开(公告)日：2015-06-25

申请号：US14135427

申请日：2013-12-19

Applicant: Splunk Inc.

Inventor： Mark SEWARD ,  John Robert COATES

IPC: H04L29/06

CPC classification number: H04L63/1416 ,  G06F16/212 ,  G06F16/951 ,  H04L63/1425

Abstract: Systems and methods are provided for identifying network addresses and/or IDs of a deduplicated list among network data, machine data, and/or events derived from network data and/or machine data, and for identifying notable events by searching for the presence of network addresses and/or network IDs that are deduplicated across lists received from multiple external sources. One method includes receiving a plurality of lists of network locations, wherein each list is received from over a network, wherein each of the network locations includes a domain name or an IP address, and wherein at least two of the plurality of lists each include a same network location; aggregating the plurality of lists of network locations into a deduplicated list of unique network locations; and searching network data or machine data for a network location included in the deduplicated list of unique network locations.

Abstract translation: 系统和方法被提供用于识别网络数据，机器数据和/或从网络数据和/或机器数据导出的事件中的重复数据删除的列表的网络地址和/或ID，并且通过搜索网络的存在来识别显着的事件 在从多个外部源接收到的列表中进行重复数据删除的地址和/或网络ID。 一种方法包括接收多个网络位置列表，其中每个列表通过网络接收，其中每个网络位置包括域名或IP地址，并且其中多个列表中的至少两个列表包括 同一网络位置; 将多个网络位置列表聚合成唯一网络位置的重复数据删除列表; 以及搜索包含在唯一网络位置的重复数据删除列表中的网络位置的网络数据或机器数据。

公开(公告)号：US20150149879A1

公开(公告)日：2015-05-28

申请号：US14610668

申请日：2015-01-30

Applicant: Splunk Inc.

Inventor： Jesse Miller ,  Micah James Delfino ,  Marc Robichaud ,  Catherine Anne Hanson ,  David Carasso

IPC: G06F17/24

CPC classification number: G06F17/243 ,  G06F17/30551

Abstract: The technology disclosed relates to formulating and refining field extraction rules that are used at query time on raw data with a late-binding schema. The field extraction rules identify portions of the raw data, as well as their data types and hierarchical relationships. These extraction rules are executed against very large data sets not organized into relational structures that have not been processed by standard extraction or transformation methods. By using sample events, a focus on primary and secondary example events help formulate either a single extraction rule spanning multiple data formats, or multiple rules directed to distinct formats. Selection tools mark up the example events to indicate positive examples for the extraction rules, and to identify negative examples to avoid mistaken value selection. The extraction rules can be saved for query-time use, and can be incorporated into a data model for sets and subsets of event data.

Abstract translation: 所公开的技术涉及制定和提炼在查询时使用具有后期绑定模式的原始数据的字段提取规则。 字段提取规则识别原始数据的部分，以及它们的数据类型和层次关系。 这些提取规则是针对未组织成尚未通过标准提取或转换方法处理的关系结构的非常大的数据集执行的。 通过使用示例事件，关注主要和次要示例事件有助于制定跨多个数据格式的单个提取规则，或者针对不同格式的多个规则。 选择工具标记示例事件以指示提取规则的正例，并确定负面示例以避免错误的值选择。 提取规则可以保存以供查询时间使用，并且可以被并入事件数据的集合和子集的数据模型中。

公开(公告)号：US20150149480A1

公开(公告)日：2015-05-28

申请号：US14611170

申请日：2015-01-30

Applicant: Splunk Inc.

Inventor： Erik M. SWAN ,  R. David CARASSO ,  Robin Kumar DAS ,  Rory GREENE ,  Bradley HALL ,  Nicholas Christian MEALY ,  Brian Philip MURPHY ,  Stephen Phillip SORKIN ,  Andre David STECHERT ,  Michael Joseph BAUM

IPC: G06F17/30

CPC classification number: G06F17/30336 ,  G06F17/30321 ,  G06F17/30342 ,  G06F17/30353 ,  G06F17/30516 ,  G06F17/30528 ,  G06F17/3053 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30864

Abstract: Methods and apparatus consistent with the invention provide the ability to organize, index, search, and present time series data based on searches. Time series data are sequences of time stamped records occurring in one or more usually continuous streams, representing some type of activity. In one embodiment, time series data is organized into discrete events with normalized time stamps and the events are indexed by time and keyword. A search is received and relevant event information is retrieved based in whole or in part on the time indexing mechanism, keyword indexing mechanism, or statistical indices calculated at the time of the search.

Abstract translation: 根据本发明的方法和设备提供了基于搜索来组织，索引，搜索和呈现时间序列数据的能力。 时间序列数据是在一个或多个通常连续的流中发生的时间戳记录的序列，表示某种类型的活动。 在一个实施例中，时间序列数据被组织成具有归一化时间戳的离散事件，并且事件由时间和关键字索引。 完全或部分地基于搜索时计算的时间索引机制，关键字索引机制或统计索引，检索相关的事件信息。

公开(公告)号：US20150149460A1

公开(公告)日：2015-05-28

申请号：US14611191

申请日：2015-01-31

Applicant: Splunk Inc.

Inventor： Michael Joseph Baum ,  R. David Carasso ,  Robin Kumar Das ,  Bradley Hall ,  Brian Phillip Murphy ,  Stephen Phillip Sorkin ,  Andre David Stechert ,  Erik M. Swan ,  Rory Greene ,  Nicholas Christian Mealy ,  Christina Frances Regina Noren

IPC: G06F17/30

CPC classification number: G06F17/30604 ,  G06F11/3476 ,  G06F17/2785 ,  G06F17/30368 ,  G06F17/30477 ,  G06F17/30507 ,  G06F17/30525 ,  G06F17/30551 ,  G06F17/30598 ,  G06F17/30619 ,  G06F17/30657 ,  G06F17/30705 ,  G06K9/6217 ,  H04L63/1425 ,  H04L63/20

Abstract: Methods and apparatus consistent with the invention provide the ability to organize and build understandings of machine data generated by a variety of information-processing environments. Machine data is a product of information-processing systems (e.g., activity logs, configuration files, messages, database records) and represents the evidence of particular events that have taken place and been recorded in raw data format. In one embodiment, machine data is turned into a machine data web by organizing machine data into events and then linking events together.

Abstract translation: 与本发明一致的方法和设备提供组织和构建由各种信息处理环境生成的机器数据的理解的能力。 机器数据是信息处理系统（例如，活动日志，配置文件，消息，数据库记录）的产物，并且表示已经发生并以原始数据格式记录的特定事件的证据。 在一个实施例中，机器数据通过将机器数据组织到事件中并将事件链接在一起而变成机器数据网。

公开(公告)号：US20150143220A1

公开(公告)日：2015-05-21

申请号：US14611093

申请日：2015-01-30

Applicant: Splunk Inc.

Inventor： R. David CARASSO ,  Micah James DELFINO ,  Johnvey HWANG

IPC: G06F17/24 ,  H04L29/08

CPC classification number: G06F16/34 ,  G06F3/0484 ,  G06F3/04842 ,  G06F16/242 ,  G06F16/2423 ,  G06F16/2477 ,  G06F17/24 ,  G06F17/243 ,  G06F17/28 ,  H04L67/10

Abstract: Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generate and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.

Abstract translation: 实施例涉及基于诸如正则表达式的至少一个提取规则来实时显示事件记录和提取的值。 可以使用用户界面来使用户能够自动生成提取规则和/或手动输入提取规则。 可以使用户手动编辑先前提供的提取规则，这可以导致更新的提取值的实时显示。 提取规则可以用于从多个记录中的每一个提取值，包括非结构化机器数据的事件记录。 可以针对每个唯一提取的值确定统计量，并且可以实时地向用户显示。 用户界面还可以使用户能够选择至少一个唯一的提取值来显示包括与所选择的值匹配的提取值的那些事件记录。

公开(公告)号：US20150142847A1

公开(公告)日：2015-05-21

申请号：US14611232

申请日：2015-01-31

Applicant: Splunk Inc.

Inventor： Alice Emily NEELS ,  Archana Sulochana GANAPATHI ,  Marc Robichaud ,  Stephen Phillip SORKIN ,  Steve Yu ZHANG

IPC: G06F17/30 ,  G06F17/24

CPC classification number: G06F17/30395 ,  G06F3/0482 ,  G06F17/248 ,  G06F17/30283 ,  G06F17/30424 ,  G06F17/30528 ,  G06F17/30554 ,  G06F17/30867

Abstract: Embodiments include generating data models that may give semantic meaning for unstructured or structured data that may include data generated and/or received by search engines, including a time series engine. A method includes generating a data model for data stored in a repository. Generating the data model includes generating an initial query string, executing the initial query string on the data, generating an initial result set based on the initial query string being executed on the data, determining one or more candidate fields from one or results of the initial result set, generating a candidate data model based on the one or more candidate fields, iteratively modifying the candidate data model until the candidate data model models the data, and using the candidate data model as the data model.

Abstract translation: 实施例包括生成可以给非结构化或结构化数据赋予语义意义的数据模型，其可以包括由搜索引擎（包括时间序列引擎）生成和/或接收的数据。 一种方法包括为存储在存储库中的数据生成数据模型。 生成数据模型包括生成初始查询字符串，对数据执行初始查询字符串，基于对数据执行的初始查询字符串生成初始结果集，从一个或多个初始查询字符串的结果确定一个或多个候选字段 生成基于一个或多个候选字段的候选数据模型，迭代地修改候选数据模型，直到候选数据模型对数据建模，并使用候选数据模型作为数据模型。

公开(公告)号：US20150142842A1

公开(公告)日：2015-05-21

申请号：US14611188

申请日：2015-01-31

Applicant: Splunk Inc.

Inventor： Michael Joseph Baum ,  R. David Carasso ,  Robin Kumar Das ,  Bradley Hall ,  Brian Phillip Murphy ,  Stephen Phillip Sorkin ,  Andre David Stechert ,  Erik M. Swan ,  Rory Greene ,  Nicholas Christian Mealy ,  Christina Frances Regina Noren

IPC: G06F17/30

CPC classification number: G06F17/30604 ,  G06F11/3476 ,  G06F17/2785 ,  G06F17/30368 ,  G06F17/30477 ,  G06F17/30507 ,  G06F17/30525 ,  G06F17/30551 ,  G06F17/30598 ,  G06F17/30619 ,  G06F17/30657 ,  G06F17/30705 ,  G06K9/6217 ,  H04L63/1425 ,  H04L63/20

Abstract: Methods and apparatus consistent with the invention provide the ability to organize and build understandings of machine data generated by a variety of information-processing environments. Machine data is a product of information-processing systems (e.g., activity logs, configuration files, messages, database records) and represents the evidence of particular events that have taken place and been recorded in raw data format. In one embodiment, machine data is turned into a machine data web by organizing machine data into events and then linking events together.

Abstract translation: 与本发明一致的方法和设备提供组织和构建由各种信息处理环境生成的机器数据的理解的能力。 机器数据是信息处理系统（例如，活动日志，配置文件，消息，数据库记录）的产物，并且表示已经发生并以原始数据格式记录的特定事件的证据。 在一个实施例中，机器数据通过将机器数据组织到事件中并将事件链接在一起而变成机器数据网。

公开(公告)号：US09037562B2

公开(公告)日：2015-05-19

申请号：US14303596

申请日：2014-06-12

Applicant: Splunk Inc.

Inventor： Robin Kumar Das ,  Ledio Ago ,  Declan Gerard Shanaghy ,  Gaurav Gupta

IPC: G06F17/30 ,  H04L29/06 ,  G06Q20/14

CPC classification number: H04L63/105 ,  G06F9/4887 ,  G06F9/5088 ,  G06F17/30091 ,  G06F17/30094 ,  G06F17/30117 ,  G06F17/30289 ,  G06F17/30321 ,  G06F17/30336 ,  G06F17/30864 ,  G06F17/3087 ,  G06F17/30876 ,  G06F17/30896 ,  G06F17/30946 ,  G06F21/6218 ,  G06Q20/145 ,  H04L12/1435 ,  H04L63/10 ,  H04L67/1097

Abstract: Embodiments are directed towards a system and method for a cloud-based front end that may abstract and enable access to the underlying cloud-hosted elements and objects that may be part of a multi-tenant application, such as a search application. Search objects may be employed to access indexed objects. An amount of indexed data accessible to a user may be based on an index storage limit selected by the user, such that data that exceeds the index storage limit may continue to be indexed. Also, one or more projects can be elastically scaled for a user to provide resources that may meet the specific needs of each project.

Abstract translation: 实施例涉及用于基于云的前端的系统和方法，该系统和方法可以抽象并使得能够访问可能是诸如搜索应用的多租户应用的一部分的基于云托管的元素和对象。 可以使用搜索对象来访问索引对象。 用户可访问的索引数据量可以基于用户选择的索引存储限制，使得超过索引存储限制的数据可以继续被索引。 此外，一个或多个项目可以弹性地缩放以供用户提供可满足每个项目的特定需求的资源。

公开(公告)号：US09031955B2

公开(公告)日：2015-05-12

申请号：US14168888

申请日：2014-01-30

Applicant: Splunk Inc.

Inventor： R. David Carasso ,  Micah James Delfino

IPC: G06F17/30 ,  G06F7/24

CPC classification number: G06F17/30563 ,  G06F3/0482 ,  G06F3/04842 ,  G06F7/24 ,  G06F17/30601 ,  G06F17/30705

Abstract: Embodiments are directed towards generating a representative sampling as a subset from a larger dataset that includes unstructured data. A graphical user interface enables a user to provide various data selection parameters, including specifying a data source and one or more subset types desired, including one or more of latest records, earliest records, diverse records, outlier records, and/or random records. Diverse and/or outlier subset types may be obtained by generating clusters from an initial selection of records obtained from the larger dataset. An iteration analysis is performed to determine whether a sufficient number of clusters and/or cluster types have been generated that exceed at least one threshold and when not exceeded, additional clustering is performed on additional records. From the resultant clusters, and/or other subtype results, a subset of records is obtained as the representative sampling subset.

Abstract translation: 实施例旨在从包括非结构化数据的较大数据集生成代表性采样作为子集。 图形用户界面使得用户能够提供各种数据选择参数，包括指定数据源和期望的一个或多个子集类型，包括最新记录，最早记录，不同记录，离群记录和/或随机记录中的一个或多个。 可以通过从从较大数据集获得的记录的初始选择生成聚类来获得不同的和/或离群子集类型。 执行迭代分析以确定是否已经生成了超过至少一个阈值的足够数量的集群和/或集群类型，并且当不超过时，对附加记录执行附加集群。 从所得到的集群和/或其他子类型结果中，获得记录的子集作为代表性抽样子集。

公开(公告)号：US20150089503A1

公开(公告)日：2015-03-26

申请号：US14529019

申请日：2014-10-30

Applicant: Splunk Inc.

Inventor： Brian Bingham ,  Tristan Fletcher

IPC: G06F9/455 ,  G06F11/34 ,  G06F11/32

CPC classification number: G06F9/45533 ,  G06F11/323 ,  G06F11/328 ,  G06F11/3409 ,  G06F2009/45591 ,  G06F2201/815

Abstract: The disclosed embodiments relate to a system for monitoring a virtual-machine environment. During operation, the system identifies a parent and a set of two or more child components that are related to the parent component in the virtual-machine environment. Next, the system determines a performance metric for each child component in the set of two or more child components. The system then determines a child-component performance state for each child component in the set of two or more child components based on the performance metric for the child component and a child-component state criterion. Finally, the system determines a parent state for the parent component based on the child-component performance state for each child component in the set of two or more child components and a parent-component state criterion, wherein the parent-component state criterion includes a threshold percentage or number of child components that have a specified state.

Abstract translation: 所公开的实施例涉及用于监视虚拟机环境的系统。 在操作期间，系统识别与虚拟机环境中的父组件相关联的父级和一组两个或多个子组件。 接下来，系统确定两个或多个子组件集合中每个子组件的性能度量。 然后，系统基于子组件的性能度量和子组件状态标准，确定两组或多组子组件中每个子组件的子组件性能状态。 最后，系统基于两组或多组子组件中的每个子组件的子组件性能状态和父组件状态标准来确定父组件的父状态，其中父组件状态标准包括 阈值百分比或具有指定状态的子组件的数量。