公开(公告)号：US09594814B2

公开(公告)日：2017-03-14

申请号：US14611089

申请日：2015-01-30

Applicant: Splunk Inc.

Inventor： Jesse Miller ,  Micah James Delfino ,  Marc Robichaud ,  David Carasso

IPC: G06F3/048 ,  G06F17/30 ,  G06F7/24 ,  G06F3/0484

CPC classification number: G06F17/24 ,  G06F3/04842 ,  G06F7/24 ,  G06F17/241 ,  G06F17/245 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30994

Abstract: The technology disclosed relates to formulating and refining field extraction rules that are used at query time on raw data with a late-binding schema. The field extraction rules identify portions of the raw data, as well as their data types and hierarchical relationships. These extraction rules are executed against very large data sets not organized into relational structures that have not been processed by standard extraction or transformation methods. By using sample events, a focus on primary and secondary example events help formulate either a single extraction rule spanning multiple data formats, or multiple rules directed to distinct formats. Selection tools mark up the example events to indicate positive examples for the extraction rules, and to identify negative examples to avoid mistaken value selection. The extraction rules can be saved for query-time use, and can be incorporated into a data model for sets and subsets of event data.

Abstract translation: 所公开的技术涉及制定和提炼在查询时使用具有后期绑定模式的原始数据的字段提取规则。 字段提取规则识别原始数据的部分，以及它们的数据类型和层次关系。 这些提取规则是针对未组织成尚未通过标准提取或转换方法处理的关系结构的非常大的数据集执行的。 通过使用示例事件，关注主要和次要示例事件有助于制定跨多个数据格式的单个提取规则，或者针对不同格式的多个规则。 选择工具标记示例事件以指示提取规则的正例，并确定负面示例以避免错误的值选择。 提取规则可以保存以供查询时间使用，并且可以被并入事件数据的集合和子集的数据模型中。

公开(公告)号：US09582557B2

公开(公告)日：2017-02-28

申请号：US14700006

申请日：2015-04-29

Applicant: Splunk Inc.

Inventor： R. David Carasso ,  Micah James Delfino

IPC: G06F17/30 ,  G06F3/0482 ,  G06F3/0484

CPC classification number: G06F17/30563 ,  G06F3/0482 ,  G06F3/04842 ,  G06F7/24 ,  G06F17/30601 ,  G06F17/30705

Abstract: Embodiments are directed towards generating a representative sampling as a subset from a larger dataset that includes unstructured data. A graphical user interface enables a user to provide various data selection parameters, including specifying a data source and one or more subset types desired, including one or more of latest records, earliest records, diverse records, outlier records, and/or random records. Diverse and/or outlier subset types may be obtained by generating clusters from an initial selection of records obtained from the larger dataset. An iteration analysis is performed to determine whether a sufficient number of clusters and/or cluster types have been generated that exceed at least one threshold and when not exceeded, additional clustering is performed on additional records. From the resultant clusters, and/or other subtype results, a subset of records is obtained as the representative sampling subset.

Abstract translation: 实施例旨在从包括非结构化数据的较大数据集生成代表性采样作为子集。 图形用户界面使得用户能够提供各种数据选择参数，包括指定数据源和期望的一个或多个子集类型，包括最新记录，最早记录，不同记录，离群记录和/或随机记录中的一个或多个。 可以通过从从较大数据集获得的记录的初始选择生成聚类来获得不同的和/或离群子集类型。 执行迭代分析以确定是否已经生成了超过至少一个阈值的足够数量的集群和/或集群类型，并且当不超过时，对附加记录执行附加集群。 从所得到的集群和/或其他子类型结果中，获得记录的子集作为代表性抽样子集。

公开(公告)号：US20160342696A1

公开(公告)日：2016-11-24

申请号：US15224655

申请日：2016-07-31

Applicant: Splunk Inc.

Inventor： Mitchell Neuman Blank, JR. ,  Leonid Budchenko ,  David Carasso ,  Micah James Delfino ,  Johnvey Hwang ,  Stephen Phillip Sorkin

IPC: G06F17/30 ,  G06F3/0485 ,  G06F3/0482 ,  G06F17/27

CPC classification number: G06F17/30867 ,  G06F3/0482 ,  G06F3/04842 ,  G06F3/0485 ,  G06F17/2705 ,  G06F17/30321 ,  G06F17/30507 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/3056 ,  G06F17/30619 ,  G06F17/30864

Abstract: Embodiments are directed towards previewing results generated from indexing data raw data before the corresponding index data is added to an index store. Raw data may be received from a preview data source. After an initial set of configuration information may be established, the preview data may be submitted to an index processing pipeline. A previewing application may generate preview results based on the preview index data and the configuration information. The preview results may enable previewing how the data is being processed by the indexing application. If the preview results are not acceptable, the configuration information may be modified. The preview application enables modification of the configuration information until the generated preview results may be acceptable. If the configuration information is acceptable, the preview data may be processed and indexed in one or more index stores.

Abstract translation: 实施例针对在将对应的索引数据添加到索引存储之前预览从索引数据原始数据生成的结果。 可以从预览数据源接收原始数据。 在可以建立一组初始配置信息之后，可以将预览数据提交给索引处理流水线。 预览应用可以基于预览索引数据和配置信息生成预览结果。 预览结果可能可以预览索引应用程序如何处理数据。 如果预览结果不可接受，则可以修改配置信息。 预览应用程序可以修改配置信息，直到生成的预览结果可以接受。 如果配置信息是可接受的，则预览数据可以在一个或多个索引存储中被处理和索引。

公开(公告)号：US20150154269A1

公开(公告)日：2015-06-04

申请号：US14611089

申请日：2015-01-30

Applicant: Splunk Inc.

Inventor： Jesse Miller ,  Micah James Delfino ,  Marc Robichaud ,  David Carasso

IPC: G06F17/30 ,  G06F3/0484 ,  G06F7/24

CPC classification number: G06F17/24 ,  G06F3/04842 ,  G06F7/24 ,  G06F17/241 ,  G06F17/245 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30994

Abstract: The technology disclosed relates to formulating and refining field extraction rules that are used at query time on raw data with a late-binding schema. The field extraction rules identify portions of the raw data, as well as their data types and hierarchical relationships. These extraction rules are executed against very large data sets not organized into relational structures that have not been processed by standard extraction or transformation methods. By using sample events, a focus on primary and secondary example events help formulate either a single extraction rule spanning multiple data formats, or multiple rules directed to distinct formats. Selection tools mark up the example events to indicate positive examples for the extraction rules, and to identify negative examples to avoid mistaken value selection. The extraction rules can be saved for query-time use, and can be incorporated into a data model for sets and subsets of event data.

Abstract translation: 所公开的技术涉及制定和提炼在查询时使用具有后期绑定模式的原始数据的字段提取规则。 字段提取规则识别原始数据的部分，以及它们的数据类型和层次关系。 这些提取规则是针对未组织成尚未通过标准提取或转换方法处理的关系结构的非常大的数据集执行的。 通过使用示例事件，关注主要和次要示例事件有助于制定跨多个数据格式的单个提取规则，或者针对不同格式的多个规则。 选择工具标记示例事件以指示提取规则的正例，并确定负面示例以避免错误的值选择。 提取规则可以保存以供查询时间使用，并且可以被并入事件数据的集合和子集的数据模型中。

公开(公告)号：US08751963B1

公开(公告)日：2014-06-10

申请号：US13748391

申请日：2013-01-23

Applicant: Splunk Inc.

Inventor： R. David Carasso ,  Micah James Delfino ,  Johnvey Hwang

IPC: G06F3/048 ,  G06F3/0481 ,  G06F9/44 ,  G06F3/0482

CPC classification number: G06F7/24 ,  G06F17/30551

Abstract: Embodiments are directed towards real time display of event records with an indication of previously provided extraction rules. A plurality of extraction rules may be provided to the system, such as automatically generated and/or user created extraction rules. These extraction rules may include regular expressions. A plurality of event records may be displayed to the user, such that text in a field defined by an extraction rule is emphasized in the display of the event record. The same emphasis may be provided for text in overlapping fields, or the emphasis may be somewhat different for different fields. The user interface may enable a user to select a portion of text of an event record, such as by rolling-over or clicking on an emphasized part of the event record. By selecting the portion of the event record, the interface may display each extraction rule associated with the selected portion.

Abstract translation: 实施例针对具有先前提供的提取规则的指示的事件记录的实时显示。 可以向系统提供多个提取规则，诸如自动生成和/或用户创建的提取规则。 这些提取规则可以包括正则表达式。 可以向用户显示多个事件记录，使得在事件记录的显示中强调由提取规则定义的字段中的文本。 对于重叠字段中的文本可以提供相同的重点，或者对于不同领域的重点可能有些不同。 用户界面可以使得用户能够选择事件记录的文本的一部分，例如通过滚动或点击事件记录的被强调部分。 通过选择事件记录的部分，界面可以显示与所选部分相关联的每个提取规则。

公开(公告)号：US08682906B1

公开(公告)日：2014-03-25

申请号：US13748313

申请日：2013-01-23

Applicant: Splunk Inc.

Inventor： R. David Carasso ,  Micah James Delfino ,  Johnvey Hwang

IPC: G06F17/30

CPC classification number: G06F17/30716 ,  G06F3/0484 ,  G06F3/04842 ,  G06F17/24 ,  G06F17/243 ,  G06F17/28 ,  G06F17/30389 ,  G06F17/30392 ,  G06F17/30551 ,  H04L67/10

Abstract: Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generate and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.

Abstract translation: 实施例涉及基于诸如正则表达式的至少一个提取规则来实时显示事件记录和提取的值。 可以使用用户界面来使用户能够自动生成提取规则和/或手动输入提取规则。 可以使用户手动编辑先前提供的提取规则，这可以导致更新的提取值的实时显示。 提取规则可以用于从多个记录中的每一个提取值，包括非结构化机器数据的事件记录。 可以针对每个唯一提取的值确定统计量，并且可以实时地向用户显示。 用户界面还可以使用户能够选择至少一个唯一的提取值来显示包括与所选择的值匹配的提取值的那些事件记录。

公开(公告)号：US08515963B1

公开(公告)日：2013-08-20

申请号：US13662337

申请日：2012-10-26

Applicant: Splunk Inc.

Inventor： Mitchell Neuman Blank, Jr. ,  Leonid Budchenko ,  R. David Carasso ,  Micah James Delfino ,  Johnvey Hwang ,  Stephen Phillip Sorkin ,  Eric Timothy Woo

IPC: G06F7/00 ,  G06F17/30

CPC classification number: G06F17/30867 ,  G06F3/0482 ,  G06F3/04842 ,  G06F3/0485 ,  G06F17/2705 ,  G06F17/30321 ,  G06F17/30507 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/3056 ,  G06F17/30619 ,  G06F17/30864

Abstract: Embodiments are directed towards previewing results generated from indexing data raw data before the corresponding index data is added to an index store. Raw data may be received from a preview data source. After an initial set of configuration information may be established, the preview data may be submitted to an index processing pipeline. A previewing application may generate preview results based on the preview index data and the configuration information. The preview results may enable previewing how the data is being processed by the indexing application. If the preview results are not acceptable, the configuration information may be modified. The preview application enables modification of the configuration information until the generated preview results may be acceptable. If the configuration information is acceptable, the preview data may be processed and indexed in one or more index stores.

Abstract translation: 实施例针对在将对应的索引数据添加到索引存储之前预览从索引数据原始数据生成的结果。 可以从预览数据源接收原始数据。 在可以建立一组初始配置信息之后，可以将预览数据提交给索引处理流水线。 预览应用可以基于预览索引数据和配置信息生成预览结果。 预览结果可能可以预览索引应用程序如何处理数据。 如果预览结果不可接受，则可以修改配置信息。 预览应用程序可以修改配置信息，直到生成的预览结果可以接受。 如果配置信息是可接受的，则预览数据可以在一个或多个索引存储中被处理和索引。

公开(公告)号：US11886502B2

公开(公告)日：2024-01-30

申请号：US16870233

申请日：2020-05-08

Applicant: Splunk Inc.

Inventor： Mitchell Neuman Blank, Jr. ,  Leonid Budchenko ,  David Carasso ,  Micah James Delfino ,  Johnvey Hwang ,  Stephen Phillip Sorkin ,  Eric Timothy Woo

IPC: G06F16/901 ,  G06F16/9535 ,  G06F16/248 ,  G06F16/25 ,  G06F16/31 ,  G06F16/951 ,  G06F16/22 ,  G06F16/2458 ,  G06F16/2455 ,  G06F40/205 ,  G06F3/04842 ,  G06F3/0482 ,  G06F3/0485 ,  G06V10/24 ,  G06V40/16

CPC classification number: G06F16/901 ,  G06F3/0482 ,  G06F3/0485 ,  G06F3/04842 ,  G06F16/2228 ,  G06F16/248 ,  G06F16/2477 ,  G06F16/24564 ,  G06F16/252 ,  G06F16/316 ,  G06F16/951 ,  G06F16/9535 ,  G06F40/205 ,  G06V10/245 ,  G06V40/161

Abstract: Embodiments are directed towards previewing results generated from indexing data raw data before the corresponding index data is added to an index store. Raw data may be received from a preview data source. After an initial set of configuration information may be established, the preview data may be submitted to an index processing pipeline. A previewing application may generate preview results based on the preview index data and the configuration information. The preview results may enable previewing how the data is being processed by the indexing application. If the preview results are not acceptable, the configuration information may be modified. The preview application enables modification of the configuration information until the generated preview results may be acceptable. If the configuration information is acceptable, the preview data may be processed and indexed in one or more index stores.

公开(公告)号：US11782678B1

公开(公告)日：2023-10-10

申请号：US17384467

申请日：2021-07-23

Applicant: Splunk Inc.

Inventor： R. David Carasso ,  Micah James Delfino ,  Johnvey Hwang

IPC: G06F3/048 ,  G06F7/24 ,  G06F16/2458

CPC classification number: G06F7/24 ,  G06F16/2477

Abstract: Embodiments are directed towards real time display of event records with an indication of previously provided extraction rules. A plurality of extraction rules may be provided to the system, such as automatically generated and/or user created extraction rules. These extraction rules may include regular expressions. A plurality of event records may be displayed to the user, such that text in a field defined by an extraction rule is emphasized in the display of the event record. The same emphasis may be provided for text in overlapping fields, or the emphasis may be somewhat different for different fields. The user interface may enable a user to select a portion of text of an event record, such as by rolling-over or clicking on an emphasized part of the event record. By selecting the portion of the event record, the interface may display each extraction rule associated with the selected portion.

公开(公告)号：US11709850B1

公开(公告)日：2023-07-25

申请号：US17443892

申请日：2021-07-28

Applicant: SPLUNK INC.

Inventor： R. David Carasso ,  Micah James Delfino

IPC: G06F17/00 ,  G06F16/2458 ,  G06F16/901 ,  G06F40/284

CPC classification number: G06F16/2477 ,  G06F16/9014 ,  G06F40/284

Abstract: Embodiments are directed towards a graphical user interface identify locations within event records with splittable timestamp information. A display of event records is provided using any of a variety of formats. A splittable timestamp selector allows a user to select one or more locations within event records as having time related information that may be split across the one or more locations, including, information based on date, time of day, day of the week, or other time information. Any of a plurality of mechanisms is used to associate the selected locations with the split timestamp information, including tags, labels, or header information within the event records. In other embodiments, a separate table, list, index, or the like may be generated that associates the selected locations with the split timestamp information. The split timestamp information may be used within extraction rules for selecting subsets or the event records.