公开(公告)号：US12038926B1

公开(公告)日：2024-07-16

申请号：US17163220

申请日：2021-01-29

Applicant: SPLUNK INC.

Inventor： Jay A. Pathak ,  Steve Yu Zhang

IPC: G06F16/2455 ,  G06F16/22

CPC classification number: G06F16/2455 ,  G06F16/2228

Abstract: A computer-implemented method of determining indexed fields at query time comprises mapping data from a first source type to indexed fields in batch form using a wildcard specifier. The method also comprises receiving a query to execute on a data set comprising data from the first source type and data from a second source type. Further, the method comprises transforming the query to execute on the data from the first source type separately from the data from the second source type. Additionally, the method comprises executing the query to operate on the data from the first source type using information associated with the indexed fields and to separately operate on the data from the second source type.

公开(公告)号：US11977544B2

公开(公告)日：2024-05-07

申请号：US17876404

申请日：2022-07-28

Applicant: Splunk Inc.

Inventor： David Ryan Marquardt ,  Karthikeyan Sabhanatarajan ,  Steve Yu Zhang

IPC: G06F16/20 ,  G06F16/22 ,  G06F16/2453 ,  G06F16/2458

CPC classification number: G06F16/24537 ,  G06F16/2228 ,  G06F16/2477

Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the reciept of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to identify and search a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.

公开(公告)号：US20220365932A1

公开(公告)日：2022-11-17

申请号：US17876404

申请日：2022-07-28

Applicant: Splunk Inc.

Inventor： David Ryan Marquardt ,  Karthikeyan Sabhanatarajan ,  Steve Yu Zhang

IPC: G06F16/2453 ,  G06F16/2458 ,  G06F16/22

Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the reciept of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to identify and search a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.

公开(公告)号：US11030173B1

公开(公告)日：2021-06-08

申请号：US16920187

申请日：2020-07-02

Applicant: Splunk Inc.

Inventor： Ledion Bitincka ,  Stephen Phillip Sorkin ,  Steve Yu Zhang

IPC: G06F16/22 ,  G06F16/245 ,  G06F16/901 ,  G06F16/27 ,  G06F16/248

Abstract: A method and system for managing searches of a data set that is partitioned based on a plurality of events. A structure of a search query may be analyzed to determine if logical computational actions performed on the data set is reducible. Data in each partition is analyzed to determine if at least a portion of the data in the partition is reducible. In response to a subsequent or reoccurring search request, intermediate summaries of reducible data and reducible search computations may be aggregated for each partition. Next, a search result may be generated based on at least one of the aggregated intermediate summaries, the aggregated reducible search computations, and a query of adhoc non-reducible data arranged in at least one of the plurality of partitions for the data set.

公开(公告)号：US20200034363A1

公开(公告)日：2020-01-30

申请号：US16591432

申请日：2019-10-02

Applicant: Splunk Inc.

Inventor： David Ryan Marquardt ,  Karthikeyan Sabhanatarajan ,  Steve Yu Zhang

IPC: G06F16/2453 ,  G06F16/2458 ,  G06F16/22

Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the receipt of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to identify and search a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.

公开(公告)号：US10474674B2

公开(公告)日：2019-11-12

申请号：US15421293

申请日：2017-01-31

Applicant: Splunk Inc.

Inventor： David Ryan Marquardt ,  Karthikeyan Sabhanatarajan ,  Steve Yu Zhang

IPC: G06F7/00 ,  G06F16/2453

Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the reciept of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to filter out a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.

公开(公告)号：US10339149B2

公开(公告)日：2019-07-02

申请号：US16041550

申请日：2018-07-20

Applicant: SPLUNK Inc.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F16/2457 ,  G06F16/22 ,  G06F16/24 ,  G06F16/182 ,  G06F16/248 ,  G06F16/33 ,  G06F16/951 ,  G06F16/23 ,  G06F16/2455 ,  G06F16/2458 ,  G06F16/9038 ,  G06F16/9535 ,  G06F16/9032 ,  H04L12/24 ,  H04L29/08

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

公开(公告)号：US20190155811A1

公开(公告)日：2019-05-23

申请号：US16193781

申请日：2018-11-16

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang ,  Stephen P. Sorkin

IPC: G06F16/2457 ,  G06F16/9032 ,  H04L12/24 ,  G06F16/2455 ,  G06F16/9535 ,  G06F16/9038 ,  G06F16/2458 ,  G06F16/23 ,  G06F16/951 ,  G06F16/33 ,  G06F16/248 ,  G06F16/182 ,  G06F16/24 ,  G06F16/22 ,  H04L29/08

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

公开(公告)号：US10255310B2

公开(公告)日：2019-04-09

申请号：US14530678

申请日：2014-10-31

Applicant: Splunk Inc.

Inventor： Stephen P. Sorkin ,  Steve Yu Zhang ,  Ledion Bitincka

IPC: G06F17/30

Abstract: A method and system for managing searches of a data set that is partitioned based on a plurality of events. A structure of a search query may be analyzed to determine if logical computational actions performed on the data set is reducible. Data in each partition is analyzed to determine if at least a portion of the data in the partition is reducible. In response to a subsequent or reoccurring search request, intermediate summaries of reducible data and reducible search computations may be aggregated for each partition. Next, a search result may be generated based on at least one of the aggregated intermediate summaries, the aggregated reducible search computations, and a query of adhoc non-reducible data arranged in at least one of the plurality of partitions for the data set.

公开(公告)号：US20180329915A1

公开(公告)日：2018-11-15

申请号：US16041550

申请日：2018-07-20

Applicant: SPLUNK Inc.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F17/30 ,  H04L29/08 ,  H04L12/24

CPC classification number: G06F16/24578 ,  G06F16/182 ,  G06F16/22 ,  G06F16/2322 ,  G06F16/24 ,  G06F16/2455 ,  G06F16/24553 ,  G06F16/24554 ,  G06F16/24575 ,  G06F16/2471 ,  G06F16/2477 ,  G06F16/248 ,  G06F16/334 ,  G06F16/90328 ,  G06F16/9038 ,  G06F16/951 ,  G06F16/9535 ,  H04L41/0604 ,  H04L41/22 ,  H04L67/1097

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.