公开(公告)号：US08909642B2

公开(公告)日：2014-12-09

申请号：US13748306

申请日：2013-01-23

Applicant: Splunk Inc.

Inventor： R. David Carasso ,  Micah James Delfino ,  Johnvey Hwang

IPC: G06F17/30

CPC classification number: G06F17/271

Abstract: Embodiments are directed towards automatically generating extraction rules for extracting fields from event records. An extraction rule application receives field data describing the fields to be extracted (including one or more examples) and a collection of event records that may be a representative sample set from a larger set of events records. The extraction rule application generates extraction rules based on the event records and the field data. These extraction rules may be ranked using a determined quality score. Quality scores for extraction rules may be determined based on various metrics related to the operation of the extraction rules and the resultant extracted values. Preferred extraction rules may be determined by ranking the extraction rules based on their quality scores. Also, natural language expressions may be used to create, edit, or modify extraction rules.

Abstract translation: 实施例针对自动生成从事件记录中提取字段的提取规则。 提取规则应用程序接收描述要提取的字段（包括一个或多个示例）的字段数据以及可以是来自较大事件记录集合的代表性样本集合的事件记录的集合。 提取规则应用程序根据事件记录和字段数据生成提取规则。 这些提取规则可以使用确定的质量得分进行排名。 可以基于与提取规则的操作和所得到的提取值相关的各种度量来确定提取规则的质量分数。 可以通过基于它们的质量得分对提取规则进行排名来确定优选的提取规则。 此外，自然语言表达式可用于创建，编辑或修改提取规则。

公开(公告)号：US20140337354A1

公开(公告)日：2014-11-13

申请号：US14445001

申请日：2014-07-28

Applicant: Splunk Inc.

Inventor： Mitchell Neuman Blank, JR. ,  Leonid Budchenko ,  David Carasso ,  Micah James Delfino ,  Johnvey Hwang ,  Stephen Phillip Sorkin ,  Eric Timothy Woo

IPC: G06F17/30 ,  G06F3/0484

CPC classification number: G06F17/30867 ,  G06F3/0482 ,  G06F3/04842 ,  G06F3/0485 ,  G06F17/2705 ,  G06F17/30321 ,  G06F17/30507 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/3056 ,  G06F17/30619 ,  G06F17/30864

Abstract: Embodiments are directed towards previewing results generated from indexing data raw data before the corresponding index data is added to an index store. Raw data may be received from a preview data source. After an initial set of configuration information may be established, the preview data may be submitted to an index processing pipeline. A previewing application may generate preview results based on the preview index data and the configuration information. The preview results may enable previewing how the data is being processed by the indexing application. If the preview results are not acceptable, the configuration information may be modified. The preview application enables modification of the configuration information until the generated preview results may be acceptable. If the configuration information is acceptable, the preview data may be processed and indexed in one or more index stores.

Abstract translation: 实施例针对在将对应的索引数据添加到索引存储之前预览从索引数据原始数据生成的结果。 可以从预览数据源接收原始数据。 在可以建立一组初始配置信息之后，可以将预览数据提交给索引处理流水线。 预览应用可以基于预览索引数据和配置信息生成预览结果。 预览结果可能可以预览索引应用程序如何处理数据。 如果预览结果不可接受，则可以修改配置信息。 预览应用程序可以修改配置信息，直到生成的预览结果可以接受。 如果配置信息是可接受的，则预览数据可以在一个或多个索引存储中被处理和索引。

公开(公告)号：US20140208217A1

公开(公告)日：2014-07-24

申请号：US13747177

申请日：2013-01-22

Applicant: SPLUNK INC.

Inventor： R. David Carasso ,  Micah James Delfino

IPC: G06F3/048

CPC classification number: G06F16/2477 ,  G06F16/9014 ,  G06F17/277

Abstract: Embodiments are directed towards a graphical user interface to identify locations within event records with splittable timestamp information. A display of event records is provided using any of a variety of formats. A splittable timestamp selector allows a user to select one or more locations within event records as having time related information that may be split across the one or more locations, including, information based on date, time of day, day of the week, or other time information. Any of a plurality of mechanisms is used to associate the selected locations with the split timestamp information, including tags, labels, or header information within the event records. In other embodiments, a separate table, list, index, or the like may be generated that associates the selected locations with the split timestamp information. The split timestamp information may be used within extraction rules for selecting subsets of the event records.

Abstract translation: 实施例针对图形用户界面，以使用可拆分的时间戳信息来识别事件记录内的位置。 使用各种格式的任何一种提供事件记录的显示。 可拆分时间戳选择器允许用户选择事件记录中的一个或多个位置具有可以跨越一个或多个位置分割的时间相关信息，包括基于日期，时间，星期几或其他的信息 时间信息。 使用多个机制中的任一个来将所选择的位置与分组时间戳信息相关联，包括事件记录内的标签，标签或标题信息。 在其他实施例中，可以生成将所选择的位置与分割的时间戳信息相关联的单独的表，列表，索引等。 分割时间戳信息可以在提取规则中用于选择事件记录的子集。

公开(公告)号：US20140207792A1

公开(公告)日：2014-07-24

申请号：US13748306

申请日：2013-01-23

Applicant: SPLUNK INC.

Inventor： R. David Carasso ,  Micah James Delfino ,  Johnvey Hwang

IPC: G06F17/30

CPC classification number: G06F17/271

Abstract: Embodiments are directed towards automatically generating extraction rules for extracting fields from event records. An extraction rule application receives field data describing the fields to be extracted (including one or more examples) and a collection of event records that may be a representative sample set from a larger set of events records. The extraction rule application generates extraction rules based on the event records and the field data. These extraction rules may be ranked using a determined quality score. Quality scores for extraction rules may be determined based on various metrics related to the operation of the extraction rules and the resultant extracted values. Preferred extraction rules may be determined by ranking the extraction rules based on their quality scores. Also, natural language expressions may be used to create, edit, or modify extraction rules.

Abstract translation: 实施例针对自动生成从事件记录中提取字段的提取规则。 提取规则应用程序接收描述要提取的字段（包括一个或多个示例）的字段数据以及可以是来自较大事件记录集合的代表性样本集合的事件记录的集合。 提取规则应用程序根据事件记录和字段数据生成提取规则。 这些提取规则可以使用确定的质量得分进行排名。 可以基于与提取规则的操作和所得到的提取值相关的各种度量来确定提取规则的质量分数。 可以通过基于它们的质量得分对提取规则进行排名来确定优选的提取规则。 此外，自然语言表达式可用于创建，编辑或修改提取规则。

公开(公告)号：US20140207784A1

公开(公告)日：2014-07-24

申请号：US14168888

申请日：2014-01-30

Applicant: SPLUNK INC.

Inventor： R. David CARASSO ,  Micah James Delfino

IPC: G06F7/24 ,  G06F17/30

CPC classification number: G06F17/30563 ,  G06F3/0482 ,  G06F3/04842 ,  G06F7/24 ,  G06F17/30601 ,  G06F17/30705

Abstract: Embodiments are directed towards generating a representative sampling as a subset from a larger dataset that includes unstructured data. A graphical user interface enables a user to provide various data selection parameters, including specifying a data source and one or more subset types desired, including one or more of latest records, earliest records, diverse records, outlier records, and/or random records. Diverse and/or outlier subset types may be obtained by generating clusters from an initial selection of records obtained from the larger dataset. An iteration analysis is performed to determine whether a sufficient number of clusters and/or cluster types have been generated that exceed at least one threshold and when not exceeded, additional clustering is performed on additional records. From the resultant clusters, and/or other subtype results, a subset of records is obtained as the representative sampling subset.

Abstract translation: 实施例旨在从包括非结构化数据的较大数据集生成代表性采样作为子集。 图形用户界面使得用户能够提供各种数据选择参数，包括指定数据源和期望的一个或多个子集类型，包括最新记录，最早记录，不同记录，离群记录和/或随机记录中的一个或多个。 可以通过从从较大数据集获得的记录的初始选择生成聚类来获得不同的和/或离群子集类型。 执行迭代分析以确定是否已经生成了超过至少一个阈值的足够数量的集群和/或集群类型，并且当不超过时，对附加记录执行附加集群。 从所得到的集群和/或其他子类型结果中，获得记录的子集作为代表性抽样子集。