Methods and apparatus consistent with the invention provide the ability to organize, index, search, and present time series data based on searches. Time series data are sequences of time stamped records occurring in one or more usually continuous streams, representing some type of activity. In one embodiment, time series data is organized into discrete events with normalized time stamps and the events are indexed by time and keyword. A search is received and relevant event information is retrieved based in whole or in part on the time indexing mechanism, keyword indexing mechanism, or statistical indices calculated at the time of the search.
Representative claims
1. A method for improving machine data analysis, comprising: creating a set of searchable events by segmenting raw time series machine data received from at least one data source in an information technology environment into searchable events, the raw time series machine data reflecting activity in the information technology environment, each searchable event including at least a portion of the segmented raw time series machine data thereby allowing application of time-based search phrases across at least a portion of events in the set of searchable events to search the segmented raw time series machine data in the at least a portion of the events; detecting whether time information is present in the raw time series machine data of an event in the set of searchable events; in response to detecting that the time information is present in the event: extracting the time information from the raw time series machine data of the event; determining a time zone in the extracted time information; generating an offset by normalizing the extracted time information using the determined time zone; generating a time stamp based on the offset; and associating the generated time stamp with the event, thereby enabling the event to be searched using the generated time stamp; in response to detecting that the time information is not present in the event: calculating a time stamp for the event using one or more stored time stamps, wherein the one or more stored time stamps are time stamps stored from one or more earlier processed events selected on a periodic basis in order to facilitate time stamp creation; and associating the calculated time stamp with the event, thereby enabling the event to be searched using the created time stamp; wherein the method is performed by one or more computing devices.
2. The method of claim 1, wherein associating the generated time stamp further comprises modifying the time information in the event to match the generated time stamp.
3. The method of claim 1, further comprising: processing a search phrase; executing the search phrase across the set of searchable events.
4. The method of claim 1, further comprising: indexing the set of searchable events; processing a search phrase; executing the search phrase across the set of indexed searchable events.
5. The method of claim 1, further comprising: identifying a domain for the event; wherein the detecting whether time information is present in the event further comprises: determining a location of the time information within the raw time series machine data of the event using the identified domain.
6. The method of claim 1, wherein the raw time series machine data includes unstructured data.
7. An apparatus for improving machine data analysis, comprising: an event processor, implemented at least partially in hardware, that creates a set of searchable events by segmenting raw time series machine data received from at least one data source in an information technology environment into searchable events, the raw time series machine data reflecting activity in the information technology environment, each searchable event including at least a portion of the segmented raw time series machine data thereby allowing application of time-based search phrases across at least a portion of events in the set of searchable events to search the segmented raw time series machine data in the at least a portion of the events; wherein the event processor detects whether time information is present in the raw time series machine data of an event in the set of searchable events; in response to the event processor detecting that the time information is present in the event, the event processor: extracts the time information from the raw time series machine data of the event; determines a time zone in the extracted time information; generates an offset by normalizing the extracted time information using the determined time zone; generates a time stamp based on the offset; and associates the generated time stamp with the event, thereby enabling the event to be searched using the generated time stamp; in response to the event processor detecting that the time information is not present in the event, the event processor: calculates a time stamp for the event using one or more stored time stamps, wherein the one or more stored time stamps are time stamps stored from one or more earlier processed events selected on a periodic basis in order to facilitate time stamp creation; and associates the calculated time stamp with the event, thereby enabling the event to be searched using the created time stamp.
8. The apparatus of claim 7, wherein the event processor further: modifies the time information in the event to match the generated time stamp.
9. The apparatus of claim 7, wherein the event processor further: indexes the set of searchable events; processes a search phrase; executes the search phrase across the set of indexed searchable events.
10. The apparatus of claim 7, wherein the raw time series machine data includes unstructured data.
11. One or more non-transitory computer-readable storage media, storing one or more sequences of instructions for improving machine data analysis, which when executed by one or more processors cause performance of: creating a set of searchable events by segmenting raw time series machine data received from at least one data source in an information technology environment into searchable events, the raw time series machine data reflecting activity in the information technology environment, each searchable event including at least a portion of the segmented raw time series machine data thereby allowing application of time-based search phrases across at least a portion of events in the set of searchable events to search the segmented raw time series machine data in the at least a portion of the events; detecting whether time information is present in the raw time series machine data of an event in the set of searchable events; in response to detecting that the time information is present in the event: extracting the time information from the raw time series machine data of the event; determining a time zone in the extracted time information; generating an offset by normalizing the extracted time information using the determined time zone; generating a time stamp based on the offset; and associating the generated time stamp with the event, thereby enabling the event to be searched using the generated time stamp; in response to detecting that the time information is not present in the event: calculating a time stamp for the event using one or more stored time stamps, wherein the one or more stored time stamps are time stamps stored from one or more earlier processed events selected on a periodic basis in order to facilitate time stamp creation; and associating the calculated time stamp with the event, thereby enabling the event to be searched using the created time stamp.
12. The one or more non-transitory computer-readable storage media of claim 11, wherein associating the generated time stamp further comprises modifying the time information in the event to match the generated time stamp.
13. The one or more non-transitory computer-readable storage media of claim 11, further comprising: indexing the set of searchable events; processing a search phrase; executing the search phrase across the set of indexed searchable events.
14. The one or more non-transitory computer-readable storage media of claim 11, wherein the raw time series machine data includes unstructured data.
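
The time stamp handling recited in claim 1, as an added Python example that is not part of the patent text. It assumes one event per line, ISO 8601 time text with a numeric UTC offset, and reuse of the most recent stored time stamp for events without time information; the function names and sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: two events carry time information, two do not.
RAW = """\
2024-03-01T10:15:30+02:00 sshd[811]: Accepted publickey for deploy
    session opened for user deploy
2024-03-01T03:15:42-05:00 sudo: deploy : COMMAND=/usr/bin/systemctl restart app
kernel: audit backlog limit exceeded
"""

# Assumed time format: local date-time followed by a numeric zone offset.
TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})([+-]\d{2}):(\d{2})")

def normalize(match):
    """Turn extracted time text plus its zone into a UTC epoch time stamp."""
    local = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    sign = -1 if match.group(2).startswith("-") else 1
    zone = sign * timedelta(hours=abs(int(match.group(2))),
                            minutes=int(match.group(3)))
    utc = (local - zone).replace(tzinfo=timezone.utc)  # apply the zone offset
    return int(utc.timestamp())

def build_events(raw):
    """Segment raw data into events and associate a time stamp with each."""
    events, stored = [], []            # stored: time stamps of earlier events
    for line in raw.splitlines():      # assumption: one event per line
        if not line.strip():
            continue
        m = TS.search(line)
        if m:                          # time information present
            ts, source = normalize(m), "extracted"
            stored.append(ts)
        elif stored:                   # absent: calculate from stored stamps
            ts, source = stored[-1], "calculated"
        else:                          # nothing stored yet to calculate from
            ts, source = None, "unknown"
        events.append({"time": ts, "source": source, "raw": line})
    return events

def search(events, earliest, latest):
    """Time-based search over the normalized time stamps (inclusive range)."""
    return [e for e in events
            if e["time"] is not None and earliest <= e["time"] <= latest]
```

Recording whether a time stamp was extracted or calculated lets an analyst weigh calculated values accordingly when ordering events from sources in different time zones.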