公开(公告)号：US10380122B2

公开(公告)日：2019-08-13

申请号：US14530689

申请日：2014-10-31

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F16/22 ,  G06F16/23 ,  G06F16/24 ,  G06F16/33 ,  H04L12/24 ,  H04L29/08 ,  G06F16/182 ,  G06F16/248 ,  G06F16/951 ,  G06F16/2455 ,  G06F16/2457 ,  G06F16/2458 ,  G06F16/9032 ,  G06F16/9038 ,  G06F16/9535

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

公开(公告)号：US20180218037A1

公开(公告)日：2018-08-02

申请号：US15421293

申请日：2017-01-31

Applicant: Splunk Inc.

Inventor： David Ryan Marquardt ,  Karthikeyan Sabhanatarajan ,  Steve Yu Zhang

IPC: G06F17/30

CPC classification number: G06F16/24537 ,  G06F16/2228 ,  G06F16/2477

Abstract: Embodiments of the present disclosure provide techniques for using an inverted index in a pipelined search query. A field searchable data store is provided that comprises a plurality of event records, each event record comprising a time-stamped portion of raw machine data. Responsive to the reciept of an incoming search query, the search engine accesses an inverted index, wherein each entry in the inverted index comprises at least one field name, a corresponding at least one field value and a reference value associated with each field name and value pair that identifies a location in the data store where an associated event record is stored. Once the inverted index is accessed, it can be used to filter out a subset of the plurality of event records, wherein the subset comprises one or more event records with corresponding reference values in the inverted index.

公开(公告)号：US20180004785A1

公开(公告)日：2018-01-04

申请号：US15705875

申请日：2017-09-15

Applicant: SPLUNK INC.

Inventor： David Ryan Marquardt ,  Stephen Phillip Sorkin ,  Steve Yu Zhang

IPC: G06F17/30

CPC classification number: G06F16/2228 ,  G06F16/00 ,  G06F16/24539 ,  G06F16/2455 ,  G06F16/248 ,  G06F16/284 ,  G06F16/951

Abstract: Embodiments are directed are towards the transparent summarization of events. Queries directed towards summarizing and reporting on event records may be received at a search head. Search heads may be associated with one more indexers containing event records. The search head may forward the query to the indexers the can resolve the query for concurrent execution. If a query is a collection query, indexers may generate summarization information based on event records located on the indexers. Event record fields included in the summarization information may be determined based on terms included in the collection query. If a query is a stats query, each indexer may generate a partial result set from previously generated summarization information, returning the partial result sets to the search head. Collection queries may be saved and scheduled to run and periodically update the summarization information.

公开(公告)号：US20170206185A1

公开(公告)日：2017-07-20

申请号：US15476899

申请日：2017-03-31

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang

IPC: G06F17/18 ,  G06F17/30 ,  G06F7/544 ,  G06F7/483 ,  G06F7/22 ,  G06K9/62

CPC classification number: G06F17/18 ,  G06F7/22 ,  G06F7/483 ,  G06F7/544 ,  G06F17/30536 ,  G06K9/6222

Abstract: A method, system, and processor-readable storage medium are directed towards calculating approximate order statistics on a collection of real numbers. In one embodiment, the collection of real numbers is processed to create a digest comprising hierarchy of buckets. Each bucket is assigned a real number N having P digits of precision and ordinality O. The hierarchy is defined by grouping buckets into levels, where each level contains all buckets of a given ordinality. Each individual bucket in the hierarchy defines a range of numbers—all numbers that, after being truncated to that bucket's P digits of precision, are equal to that bucket's N. Each bucket additionally maintains a count of how many numbers have fallen within that bucket's range. Approximate order statistics may then be calculated by traversing the hierarchy and performing an operation on some or all of the ranges and counts associated with each bucket.

公开(公告)号：US20160342601A1

公开(公告)日：2016-11-24

申请号：US15224657

申请日：2016-07-31

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F17/30

CPC classification number: G06F17/3053 ,  G06F17/30194 ,  G06F17/30312 ,  G06F17/30353 ,  G06F17/30386 ,  G06F17/30477 ,  G06F17/30483 ,  G06F17/30486 ,  G06F17/30528 ,  G06F17/30545 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30675 ,  G06F17/30864 ,  G06F17/30867 ,  G06F17/30973 ,  G06F17/30991 ,  H04L41/0604 ,  H04L41/22 ,  H04L67/1097

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

Abstract translation: 方法，系统和处理器可读存储介质被引导为生成从存储在多个分布式节点上的诸如事件数据的数据导出的报告。 在一个实施例中，使用“分割和征服”算法生成分析，使得每个分布式节点分析本地存储的事件数据，而聚合节点组合这些分析结果以生成报告。 在一个实施例中，每个分布式节点还将与分析结果相关联的事件数据引用的列表发送到聚合节点。 然后，聚合节点可以基于从每个分布式节点接收的事件数据参考的列表来生成数据引用的全局有序列表。 随后，响应于用户选择一系列全局事件数据，报告可以动态地从一个或多个分布式节点检索事件数据，以便根据全局顺序进行显示。

公开(公告)号：US09152682B2

公开(公告)日：2015-10-06

申请号：US14068651

申请日：2013-10-31

Applicant: Splunk Inc.

Inventor： Archana Sulochana Ganapathi ,  Alice Emily Neels ,  Marc Vincent Robichaud ,  Stephen Phillip Sorkin ,  Steve Yu Zhang

IPC: G06F17/30

CPC classification number: G06F17/30395 ,  G06F17/30424 ,  G06F17/30477 ,  G06F17/30554

Abstract: Embodiments are directed towards determining and tracking metadata for the generation of visualizations of requested data. A user may request data by providing a query that may be employed to search for the requested data. The query may include a plurality of commands, which may be employed in a pipeline to perform the search and to generate a table of the requested data. In some embodiments, each command may be executed to perform an action on a set of data. The execution of a command may generate one or more columns to append and/or insert into the table of requested data. Metadata for each generated column may be determined based on the actions performed by executing the commands. The table of requested data and the column metadata may be employed to generate and display a visualization of at least a portion of the requested data to a user.

Abstract translation: 实施例旨在确定和跟踪用于生成所请求数据的可视化的元数据。 用户可以通过提供可用于搜索所请求的数据的查询来请求数据。 该查询可以包括多个命令，其可以在流水线中用于执行搜索并生成所请求的数据的表。 在一些实施例中，可以执行每个命令以对一组数据执行动作。 命令的执行可以生成一个或多个列来附加和/或插入到所请求的数据的表中。 可以基于通过执行命令执行的动作来确定每个生成的列的元数据。 可以使用所请求的数据和列元数据的表来生成并向用户显示所请求的数据的至少一部分的可视化。

公开(公告)号：US09128980B2

公开(公告)日：2015-09-08

申请号：US14611232

申请日：2015-01-31

Applicant: Splunk Inc.

Inventor： Alice Emily Neels ,  Archana Sulochana Ganapathi ,  Marc Robichaud ,  Stephen Phillip Sorkin ,  Steve Yu Zhang

IPC: G06F17/30 ,  G06F17/24

CPC classification number: G06F17/30395 ,  G06F3/0482 ,  G06F17/248 ,  G06F17/30283 ,  G06F17/30424 ,  G06F17/30528 ,  G06F17/30554 ,  G06F17/30867

Abstract: Embodiments include generating data models that may give semantic meaning for unstructured or structured data that may include data generated and/or received by search engines, including a time series engine. A method includes generating a data model for data stored in a repository. Generating the data model includes generating an initial query string, executing the initial query string on the data, generating an initial result set based on the initial query string being executed on the data, determining one or more candidate fields from one or results of the initial result set, generating a candidate data model based on the one or more candidate fields, iteratively modifying the candidate data model until the candidate data model models the data, and using the candidate data model as the data model.

Abstract translation: 实施例包括生成可以给非结构化或结构化数据赋予语义意义的数据模型，其可以包括由搜索引擎（包括时间序列引擎）生成和/或接收的数据。 一种方法包括为存储在存储库中的数据生成数据模型。 生成数据模型包括生成初始查询字符串，对数据执行初始查询字符串，基于对数据执行的初始查询字符串生成初始结果集，从一个或多个初始查询字符串的结果确定一个或多个候选字段 生成基于一个或多个候选字段的候选数据模型，迭代地修改候选数据模型，直到候选数据模型对数据建模，并使用候选数据模型作为数据模型。

公开(公告)号：US08990245B2

公开(公告)日：2015-03-24

申请号：US14158421

申请日：2014-01-17

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang ,  Stephen Phillip Sorkin

IPC: G06F7/00 ,  G06F17/30 ,  H04L12/24

CPC classification number: G06F17/3053 ,  G06F17/30194 ,  G06F17/30312 ,  G06F17/30353 ,  G06F17/30386 ,  G06F17/30477 ,  G06F17/30483 ,  G06F17/30486 ,  G06F17/30528 ,  G06F17/30545 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30675 ,  G06F17/30864 ,  G06F17/30867 ,  G06F17/30973 ,  G06F17/30991 ,  H04L41/0604 ,  H04L41/22 ,  H04L67/1097

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

Abstract translation: 方法，系统和处理器可读存储介质被引导为生成从存储在多个分布式节点上的诸如事件数据的数据导出的报告。 在一个实施例中，使用“分割和征服”算法生成分析，使得每个分布式节点分析本地存储的事件数据，而聚合节点组合这些分析结果以生成报告。 在一个实施例中，每个分布式节点还将与分析结果相关联的事件数据引用的列表发送到聚合节点。 然后，聚合节点可以基于从每个分布式节点接收的事件数据参考的列表来生成数据引用的全局有序列表。 随后，响应于用户选择一系列全局事件数据，报告可以动态地从一个或多个分布式节点检索事件数据，以便根据全局顺序进行显示。

公开(公告)号：US20150058353A1

公开(公告)日：2015-02-26

申请号：US14530678

申请日：2014-10-31

Applicant: Splunk Inc.

Inventor： Stephen P. Sorkin ,  Steve Yu Zhang ,  Ledion Bitincka

IPC: G06F17/30

CPC classification number: G06F17/30321 ,  G06F17/30424 ,  G06F17/30554 ,  G06F17/30584 ,  G06F17/30946

Abstract: A method and system for managing searches of a data set that is partitioned based on a plurality of events. A structure of a search query may be analyzed to determine if logical computational actions performed on the data set is reducible. Data in each partition is analyzed to determine if at least a portion of the data in the partition is reducible. In response to a subsequent or reoccurring search request, intermediate summaries of reducible data and reducible search computations may be aggregated for each partition. Next, a search result may be generated based on at least one of the aggregated intermediate summaries, the aggregated reducible search computations, and a query of adhoc non-reducible data arranged in at least one of the plurality of partitions for the data set.

Abstract translation: 一种用于管理基于多个事件划分的数据集的搜索的方法和系统。 可以分析搜索查询的结构以确定对数据集执行的逻辑计算动作是否可减少。 分析每个分区中的数据以确定分区中的数据的至少一部分是否可缩减。 响应于随后或重复出现的搜索请求，可以针对每个分区聚合可缩减数据和可缩减搜索计算的中间摘要。 接下来，可以基于聚合中间摘要，聚合可缩减搜索计算以及排列在用于数据集的多个分区中的至少一个分区中的adhoc不可还原数据的查询中的至少一个来生成搜索结果。

公开(公告)号：US20150058325A1

公开(公告)日：2015-02-26

申请号：US14530689

申请日：2014-10-31

Applicant: Splunk Inc.

Inventor： Steve Yu Zhang ,  Stephen P. Sorkin

IPC: G06F17/30

CPC classification number: G06F16/24578 ,  G06F16/182 ,  G06F16/22 ,  G06F16/2322 ,  G06F16/24 ,  G06F16/2455 ,  G06F16/24553 ,  G06F16/24554 ,  G06F16/24575 ,  G06F16/2471 ,  G06F16/2477 ,  G06F16/248 ,  G06F16/334 ,  G06F16/90328 ,  G06F16/9038 ,  G06F16/951 ,  G06F16/9535 ,  H04L41/0604 ,  H04L41/22 ,  H04L67/1097

Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

Abstract translation: 方法，系统和处理器可读存储介质被引导为生成从存储在多个分布式节点上的诸如事件数据的数据导出的报告。 在一个实施例中，使用“分割和征服”算法生成分析，使得每个分布式节点分析本地存储的事件数据，而聚合节点组合这些分析结果以生成报告。 在一个实施例中，每个分布式节点还将与分析结果相关联的事件数据引用的列表发送到聚合节点。 然后，聚合节点可以基于从每个分布式节点接收的事件数据参考的列表来生成数据引用的全局有序列表。 随后，响应于用户选择一系列全局事件数据，报告可以动态地从一个或多个分布式节点检索事件数据，以便根据全局顺序进行显示。