Splunk Inc.

United States of America


1-100 of 1,869 for Splunk Inc.
IP Type
        Patent 1,814
        Trademark 55
Jurisdiction
        United States 1,781
        World 54
        Europe 20
        Canada 14
Date
New (last 4 weeks) 19
2024 April (MTD) 12
2024 March 17
2024 February 27
2024 January 29
IPC Class
G06F 17/30 - Information retrieval; Database structures therefor 290
G06F 16/2455 - Query execution 272
G06F 16/248 - Presentation of query results 245
G06F 3/0482 - Interaction with lists of selectable items, e.g. menus 245
G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries 243
NICE Class
42 - Scientific, technological and industrial services, research and design 49
09 - Scientific and electric apparatus and instruments 43
38 - Telecommunications services 16
41 - Education, entertainment, sporting and cultural services 16
16 - Paper, cardboard and goods made from these materials 12
Status
Pending 66
Registered / In Force 1,803

1.

INTERACTION WITH A FIELD SIDEBAR FOR FIELD INFORMATION PANEL DISPLAY

      
Application Number 18469967
Status Pending
Filing Date 2023-09-19
First Publication Date 2024-04-18
Owner Splunk Inc. (USA)
Inventor
  • Lamas, Divanny I.
  • Robichaud, Marc Vincent
  • Yestrau, Carl Sterling

Abstract

An event limited field picker for a search user interface is described. In one or more implementations, a service may operate to collect and store data as events each of which includes a portion of the data correlated with a point in time. Clients may use a search user interface to perform searches by input of search criteria. Responsive to receiving search criteria, the service may operate to apply a late binding schema to extract events that match the search criteria and provide search results for display via the search user interface. The search user interface exposes an event limited field picker operable to make selections of fields with respect to individual events in a view of the search results. In response to receiving an indication of fields selected via the picker, visibility of selected fields may be updated to control which fields and values are included in different views.

IPC Classes

  • G06F 16/25 - Integrating or interfacing systems involving database management systems
  • G06F 3/04817 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance using icons
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • G06F 3/04842 - Selection of displayed objects or displayed text elements
  • G06F 16/23 - Updating
  • G06F 16/2455 - Query execution
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/26 - Visual data mining; Browsing structured data
  • G06F 16/9038 - Presentation of query results

2.

Retrieving event records from a field searchable data store using references values in inverted indexes

      
Application Number 17829179
Grant Number 11960545
Status In Force
Filing Date 2022-05-31
First Publication Date 2024-04-16
Grant Date 2024-04-16
Owner SPLUNK INC. (USA)
Inventor
  • Sabhanatarajan, Karthikeyan
  • Marquardt, David Ryan
  • Zhang, Steve
  • Romito, Nicholas

Abstract

Embodiments of the present disclosure provide techniques for performing searches of event records by leveraging reference values in an inverted index. A method of searching comprises accessing a query associated with a first set of event records in a field searchable data store, each event record comprising a time-stamped portion of raw machine data. The method further comprises evaluating the query and generating results for the query by accessing an inverted index, wherein each entry in the inverted index comprises at least one field, a corresponding at least one field value and a reference value that identifies a location in the field searchable data store where an associated event record is stored. The method further comprises performing a search to filter out a second set of event records and retrieving the second set of event records from the field searchable data store using reference values in the inverted index.

IPC Classes

3.

Data processing for machine learning using a graphical user interface

      
Application Number 17975122
Grant Number 11960575
Status In Force
Filing Date 2022-10-27
First Publication Date 2024-04-16
Grant Date 2024-04-16
Owner Splunk Inc. (USA)
Inventor
  • Sainani, Manish
  • Slepian, Sergey
  • Lu, Di
  • Oliner, Adam
  • Leverich, Jacob
  • Vogler-Ivashchanka, Iryna
  • Makaremi, Iman

Abstract

Embodiments of the present invention are directed to facilitating data preprocessing for machine learning. In accordance with aspects of the present disclosure, a training set of data is accessed. A preprocessing query specifying a set of preprocessing parameter values that indicate a manner in which to preprocess the training set of data is received. Based on the preprocessing query, a preprocessing operation is performed to preprocess the training set of data in accordance with the set of preprocessing parameter values to obtain a set of preprocessed data. The set of preprocessed data can be provided for presentation as a preview. Based on an acceptance of the set of preprocessed data, the set of preprocessed data is used to train a machine learning model that can be subsequently used to predict data.

IPC Classes

  • G06F 7/00 - Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
  • G06F 18/25 - Fusion techniques
  • G06F 18/40 - Software arrangements specially adapted for pattern recognition, e.g. user interfaces or toolboxes therefor
  • G06N 5/025 - Extracting rules from data
  • G06N 20/00 - Machine learning
  • G06V 10/94 - Hardware or software architectures specially adapted for image or video understanding
  • G06V 40/12 - Fingerprints or palmprints
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

4.

Determining affinities for data set summarizations

      
Application Number 17316421
Grant Number 11954127
Status In Force
Filing Date 2021-05-10
First Publication Date 2024-04-09
Grant Date 2024-04-09
Owner Splunk Inc. (USA)
Inventor
  • Filippi, Nicholas J.
  • Puchbauer, Siegfried
  • Ge, Ruyuan

Abstract

Systems and methods are disclosed for associating summarizations of visualizations of a data set based on affinities between the summarizations. For a data set, a number of summarizations may be created that summarizes the data set in different ways. The summarizations may be linked, such that selecting a data element of a first summarization causes display of a second summarization. To assist in linking of summarizations, suggested linkings between summarizations can be determined based on affinities of the two summarizations. Affinities can reflect similarities in the data content of the two summarizations, such as an output of a first summarization being a valid input to the second summarization.

IPC Classes

  • G06F 16/00 - Information retrieval; Database structures therefor; File system structures therefor
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models

5.

Analyzing servers based on data streams generated by instrumented software executing on the servers

      
Application Number 17833519
Grant Number 11956137
Status In Force
Filing Date 2022-06-06
First Publication Date 2024-04-09
Grant Date 2024-04-09
Owner Splunk Inc. (USA)
Inventor
  • Turgut, Ozan
  • Ross, Joseph Ari
  • Ophir, Eyal
  • Chan, Calvin

Abstract

An instrumentation analysis system processes data streams received from servers executing instrumented software. The system determines a set of servers that satisfy a given criteria, for example, a set of servers with high resource utilization. The set of servers may be determined by the system based on triggers or specified by a user. The system analyzes properties of servers to determine a property that characterizes the set of servers. The property characterizing the servers is provided to users via a user interface or alerts for further analysis, for example, to analyze the cause of high resource utilization.

IPC Classes

  • H04L 43/00 - Arrangements for monitoring or testing data switching networks
  • G06F 11/30 - Monitoring
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
  • G06F 11/36 - Preventing errors by testing or debugging of software
  • H04L 41/0686 - Additional information in the notification, e.g. enhancement of specific meta-data
  • H04L 43/0817 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
  • H04L 43/0876 - Network utilisation, e.g. volume of load or congestion level
  • H04L 43/16 - Threshold monitoring

6.

Highly available message ingestion by a data intake and query system

      
Application Number 17588074
Grant Number 11954541
Status In Force
Filing Date 2022-01-28
First Publication Date 2024-04-09
Grant Date 2024-04-09
Owner Splunk Inc. (USA)
Inventor Carl, Craig Keith

Abstract

Techniques are described for providing a highly available data ingestion system for ingesting machine data sent from remote data sources across potentially unreliable networks. To provide for highly available delivery of such data, a data intake and query system provides users with redundant sets of ingestion endpoints to which messages sent from users' computing environments can be delivered to the data intake and query system. Users' data sources, or data forwarding components configured to obtain and send data from one or more data sources, are then configured to encapsulate obtained machine data into discrete messages and to send copies of each message to two or more of the ingestion endpoints provisioned for a user. The ingestion endpoints receiving the messages implement a deduplication technique and provide only one copy of each message to a subsequent processing component (e.g., to an indexing subsystem for event generation, event indexing, etc.).

IPC Classes

7.

Navigator performance optimization and signalflow query acceleration

      
Application Number 17846466
Grant Number 11956133
Status In Force
Filing Date 2022-06-22
First Publication Date 2024-04-09
Grant Date 2024-04-09
Owner SPLUNK Inc. (USA)
Inventor
  • Margulis, Michael
  • Allen, Bryan Browne
  • Scott, David Michael
  • Wang, Junyu

Abstract

Described are techniques for accelerating streaming analytics jobs, which may be used for generating dashboards. The disclosed techniques can reduce overhead, such as in the form of processor usage, network usage, or the like, due to duplicative or overlapping requests for streaming analytics data by implementing a caching process in which analytics data is evaluated to determine if it is likely to be requested multiple times or by multiple users, caching the analytics data, and serving future requests for the same analytics data from the cache instead of requiring separate analytics jobs for each request.

IPC Classes

  • H04L 43/067 - Generation of reports using time frame reporting
  • H04L 41/02 - Standardisation; Integration
  • H04L 43/0817 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
  • H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching

8.

Computerized monitoring of a metric through execution of a search query, determining a root cause of the behavior, and providing a notification thereof

      
Application Number 17891005
Grant Number 11947556
Status In Force
Filing Date 2022-08-18
First Publication Date 2024-04-02
Grant Date 2024-04-02
Owner Splunk Inc. (USA)
Inventor
  • Burnett, Ricky Gene
  • Das, Dipock
  • Mcintyre, Steven Shaun
  • Sano, Darrell

Abstract

The disclosure includes methods and systems that perform operations of identifying a behavior of a metric, where the metric is associated with a node included within a nodal graph displayed on a graphical user interface. Additionally, a root cause of the behavior is determined through automated, computerized analytics, which may include execution of a search query associated with the node, and a notification of the root cause may be provided via the graphical user interface. Additionally, the graphical user interface may be configured to receive user input that results in the generation of a nodal graph, where the user input includes placement of nodes on a display screen and edges representing a connection between two nodes, where the edges may represent a dependency between the nodes.

IPC Classes

  • G06F 16/248 - Presentation of query results
  • G06F 16/242 - Query formulation
  • G06F 16/2455 - Query execution
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/25 - Integrating or interfacing systems involving database management systems
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models

9.

Load balancer bypass for direct ingestion of data into a data intake and query system

      
Application Number 17073973
Grant Number 11947988
Status In Force
Filing Date 2020-10-19
First Publication Date 2024-04-02
Grant Date 2024-04-02
Owner Splunk Inc. (USA)
Inventor
  • Kulkarni, Sanjeev
  • Merli, Matteo
  • Peng, Boyang

Abstract

A process for ingesting raw machine data that reduces network and data intake and query system resources is described herein. For example, instead of routing the raw machine data to an intake ingestion buffer via a load balancer, a publisher may instead route metadata to the load balancer. The load balancer can use the metadata to identify an available virtual machine in the intake ingestion buffer. The load balancer can then provide to the publisher the public IP address of the available virtual machine. The publisher can communicate with the available virtual machine using the public IP address, and the available virtual machine can identify which virtual machine owns the topic related to the raw machine data. The publisher can then transmit raw machine data to the virtual machine that owns the topic.

IPC Classes

  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

10.

Analysis and mitigation of network security risks

      
Application Number 18052030
Grant Number 11949702
Status In Force
Filing Date 2022-11-02
First Publication Date 2024-04-02
Grant Date 2024-04-02
Owner SPLUNK INC. (USA)
Inventor
  • Bagga, Sumit Singh
  • Gerard, Francis E.
  • Hu, Robin Jinyang
  • Iliofotou, Marios
  • Jordan, J. Evan
  • Pendala, Amarendra
  • Satish, Sourabh

Abstract

A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.

IPC Classes

  • H04L 12/00 - Data switching networks
  • H04L 9/40 - Network security protocols
  • H04L 65/61 - Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio

11.

Automatic generation of queries using non-textual input

      
Application Number 17589677
Grant Number 11947528
Status In Force
Filing Date 2022-01-31
First Publication Date 2024-04-02
Grant Date 2024-04-02
Owner Splunk Inc. (USA)
Inventor
  • Bhagat, Ankit
  • Karis, Steven
  • Moshgabadi, Amin
  • Raman, Rajesh

Abstract

Systems and methods are described for generation of a query using a non-textual input. For example, the query can be generated using a point and click input. A selection of a data source can be identified and an initial query can be automatically generated based on the selection of the data source. A graphical user interface can be displayed and populated with one or more selectable parameters based on the initial query. A selection of the one or more selectable parameters can be received as a non-textual input and a query can be automatically generated based on the selection. For example, a query for execution by a data intake and query system can be generated based on the selection. The query can be provided to the data intake and query system. The data intake and query system may then execute the query on a set of data.

IPC Classes

12.

Method and system for centralized multi-instance deployment consolidation

      
Application Number 17703786
Grant Number 11947614
Status In Force
Filing Date 2022-03-24
First Publication Date 2024-04-02
Grant Date 2024-04-02
Owner Splunk Inc. (USA)
Inventor
  • Yestrau, Carl
  • Stone, Nicolas

Abstract

A computerized method is disclosed including establishing communicative couplings with each of a first data intake and query system instance and a second data intake and query system instance, automating execution of a first search query on the first data intake and query system instance and a second search query on the second data intake and query system instance, and causing rendering of a graphical user interface that consolidates results from each of the first data intake and query system instance and the second data intake and query system instance. Additional operations may include obtaining a result of the first search query while preserving fields within the results of the first and second search queries extracted by the first data intake and query system instance and the second data intake and query system instance, respectively.

IPC Classes

  • G06F 16/00 - Information retrieval; Database structures therefor; File system structures therefor
  • G06F 16/9538 - Presentation of query results

13.

Summarized view of search results with a panel in each column

      
Application Number 17806151
Grant Number 11940989
Status In Force
Filing Date 2022-06-09
First Publication Date 2024-03-26
Grant Date 2024-03-26
Owner Splunk Inc. (USA)
Inventor
  • Miller, Jesse
  • Robichaud, Marc V.
  • Burke, Cory
  • Lloyd, Jeffrey Thomas
  • James, Alexander
  • Robbins, Andrew

Abstract

In some embodiments, a method may include display of a data summary view of a set of events that correspond to query results of a query. Each event of the set of events may include data items of a plurality of event attributes. In embodiments, the data summary view can include various summary reports. Each summary report can include summary entries and a summary graph that each present a summary of data items of a selected event attribute, of the plurality of event attributes. At least one summary report can include summary entries that are selectable by a user. The method may further include filtering the set of events, in response to, and based on, selection of one or more of the selectable summary entries by the user and updating of at least the first and second summary graphs to correspond to the filtered set of events.

IPC Classes

  • G06F 16/23 - Updating
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
  • G06F 3/04842 - Selection of displayed objects or displayed text elements
  • G06F 16/00 - Information retrieval; Database structures therefor; File system structures therefor
  • G06F 16/242 - Query formulation
  • G06F 16/2453 - Query optimisation
  • G06F 16/2455 - Query execution
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/26 - Visual data mining; Browsing structured data
  • G06F 16/33 - Querying
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 40/174 - Form filling; Merging
  • G06F 40/177 - Editing, e.g. inserting or deleting using ruled lines
  • G06F 40/186 - Templates
  • G06Q 10/00 - Administration; Management
  • G06T 11/20 - Drawing from basic elements, e.g. lines or circles
  • G06Q 10/10 - Office automation; Time management

14.

Evaluating and scaling a collection of isolated execution environments at a particular geographic location

      
Application Number 17305550
Grant Number 11941421
Status In Force
Filing Date 2021-07-09
First Publication Date 2024-03-26
Grant Date 2024-03-26
Owner Splunk Inc. (USA)
Inventor
  • Smith, Patrick Joseph
  • Beasley, Michael

Abstract

A method for evaluating metrics associated with isolated execution environments utilized for synthetic monitoring of a web application and modifying the quantity of isolation execution environments hosted by a particular hosting service at a particular geographic location based on the metrics. The method can include receiving an instruction to monitor computing resources at the particular geographic location; obtaining configuration data for the particular geographic location; communicating a request to the particular hosting provider for an identification of a collection of isolated execution environments that are instantiated at the particular geographic location; obtaining metrics associated with the collection of isolated execution environments; evaluating the metrics against the set of scaling criteria; and/or generating an instruction for the particular hosting provider to modify the quantity of the collection of isolated execution environments.

IPC Classes

  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 9/445 - Program loading or initiating
  • G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

15.

Enhancing efficiency of data collection using a discover process

      
Application Number 17808935
Grant Number 11934869
Status In Force
Filing Date 2022-06-24
First Publication Date 2024-03-19
Grant Date 2024-03-19
Owner Splunk Inc. (USA)
Inventor
  • Vergnes, Denis
  • Liang, Zhimin

Abstract

This technology is directed to facilitating scalable and secure data collection. In particular, scalability of data collection is enabled in a secure manner by, among other things, abstracting a connector(s) to a pod(s) and/or container(s) that executes separate from other data-collecting functionality. For example, an execution manager can initiate deployment of a collect coordinator on a first pod associated with a first job and deployment of a first connector on a second pod associated with a second job separate from the first job of a container-managed platform. The collect coordinator can provide a data collection task to the first connector deployed on the second pod of the second job. The first connector can then obtain the set of data from the data source and provide the set of data to the collect coordinator for providing the set of data to a remote source.

IPC Classes

  • G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 11/30 - Monitoring
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation

16.

Systems and methods for detecting beaconing communications in aggregated traffic data

      
Application Number 17573195
Grant Number 11936545
Status In Force
Filing Date 2022-01-11
First Publication Date 2024-03-19
Grant Date 2024-03-19
Owner Splunk Inc. (USA)
Inventor
  • Miskovic, Stanislav
  • Lin, Cui

Abstract

A computerized method is disclosed that includes operations of obtaining network traffic data between a source device and a destination device, performing a regularity assessment of a first metric of the network traffic data across communication sessions of the source device and the destination device over a given time period by: determining an average of the first metric for each of the communication sessions; establishing an upper bound and a lower bound for the averages of the first metric over the given time period; determining a difference between the upper bound and the lower bound; comparing the difference between the upper bound and the lower bound to a mean of the first metric for each of the communication sessions over the given time period, and determining whether beaconing transmissions are present within the network traffic data based on the regularity assessment of the first metric.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06Q 20/06 - Private payment circuits, e.g. involving electronic currency used only among participants of a common payment scheme
  • H04L 12/26 - Monitoring arrangements; Testing arrangements
  • H04L 43/062 - Generation of reports related to network traffic
  • H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
  • H04L 43/0894 - Packet rate

17.

Generating event streams based on application-layer events captured by remote capture agents

      
Application Number 17865041
Grant Number 11936764
Status In Force
Filing Date 2022-07-14
First Publication Date 2024-03-19
Grant Date 2024-03-19
Owner Splunk Inc. (USA)
Inventor
  • Shcherbakov, Vladimir A.
  • Dickey, Michael R.

Abstract

The disclosed embodiments provide a system that processes network data. During operation, the system obtains, at a remote capture agent, a first protocol classification for a first packet flow captured by the remote capture agent. Next, the system uses configuration information associated with the first protocol classification to build a first event stream from the first packet flow at the remote capture agent, wherein the first event stream comprises time-series event data generated from network packets in the first packet flow based on the first protocol classification. The system then transmits the first event stream over a network for subsequent storage and processing of the first event stream by one or more components on the network.

IPC Classes

  • H04L 69/22 - Parsing or analysis of headers
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network

18.

Determining ingestion latency of data intake and query system instances

      
Application Number 17336013
Grant Number 11934256
Status In Force
Filing Date 2021-06-01
First Publication Date 2024-03-19
Grant Date 2024-03-19
Owner SPLUNK INC. (USA)
Inventor
  • Akulov, Vitaly
  • Bath, Amritpal Singh
  • Colgate, William King
  • Harun, Sarah
  • Liu, Jibang
  • Patel, Vishal
  • Xu, Tingjin

Abstract

In accordance with various embodiments of the present disclosure, a first instance of a data intake and query system (DIQS) may receive latency data that indicates latency states of second instances of the DIQS, the latency states indicative of latencies associated with processing of event data by the plurality of second instances. The first instance may then determine overall latency state of the first instance based, at least in part, on determining number or percentage of the first instance and the second instances of the DIQS having one or more particular latency states, and determining whether the number or percentage of the first instance and the second instances of the DIQS having the one or more particular latency states is equal to or exceeds a threshold. The first instance may then present the overall latency state of the first instance.

IPC Classes

  • G06F 16/24 - Querying
  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F 11/32 - Monitoring with visual indication of the functioning of the machine
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
  • H04L 43/0852 - Delays
  • H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route

19.

Interactive development environment for visualization of query result information

      
Application Number 17665406
Grant Number 11934408
Status In Force
Filing Date 2022-02-04
First Publication Date 2024-03-19
Grant Date 2024-03-19
Owner SPLUNK INC. (USA)
Inventor Woo, Eric

Abstract

Embodiments of the present disclosure are directed to an interactive development environment (IDE) interface that provides historical visualization of queries and query result information iteratively and intuitively. According to an embodiment of the present disclosure, a process is provided to generate visualizations of queries and processed query result information in a single, persistent, integrated display. Each query and resultant search data information is presented iteratively in chronological order, maintaining a persistent, viewable history of a search data exploration session.

IPC Classes

20.

DATA SEARCH AND ANALYSIS FOR DISTRIBUTED DATA SYSTEMS

      
Application Number 18470251
Status Pending
Filing Date 2023-09-19
First Publication Date 2024-03-14
Owner Splunk Inc. (USA)
Inventor
  • Pal, Sourav
  • Pride, Christopher
  • Bhattacharjee, Arindam
  • Wang, Xiaowei
  • Hodge, James Alasdair Robert
  • Ahamed, Mustafa

Abstract

Disclosed is a data fabric service system that can be implemented in a distributed computer network, such as a data intake and query system. The data index and query system can receive a search query and define a search scheme for applying the search query on distributed data storage systems including internal data storage and external data storage. The data index and query system may provide a portion of the search scheme to a search service of the data fabric service system, which can cause worker nodes of the data fabric service system to perform various functions—including applying the search query to the external data storage based on the portion of the search scheme in order to obtain search results.

IPC Classes

  • G06F 16/951 - Indexing; Web crawling techniques
  • G06F 16/21 - Design, administration or maintenance of databases
  • G06F 16/2455 - Query execution
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/248 - Presentation of query results
  • G06F 16/25 - Integrating or interfacing systems involving database management systems
  • G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures
  • G06F 16/903 - Querying
  • G06F 16/9038 - Presentation of query results
  • G06F 16/904 - Browsing; Visualisation therefor

21.

In a microservices-based application, tracking errors by mapping traces to error stacks

      
Application Number 17681446
Grant Number 11928014
Status In Force
Filing Date 2022-02-25
First Publication Date 2024-03-12
Grant Date 2024-03-12
Owner SPLUNK Inc. (USA)
Inventor
  • Agarwal, Mayank
  • Flanders, Steven
  • Smith, Justin
  • Danyi, Gergely

Abstract

A method of tracking errors in a system comprising microservices comprises ingesting a plurality of spans generated by the microservices during a given duration of time. The method further comprises consolidating the plurality of spans associated with the given duration of time into a plurality of traces, wherein each trace comprises a subset of the plurality of spans that comprise a common trace identifier. For each trace, the method comprises: a) mapping a respective trace to one or more error stacks computed for the respective trace and to one or more attributes determined for the respective trace; and b) emitting each error stack computed from the respective trace with an associated pair of attributes. The method then comprises reducing duplicate pairs of error stack and associated attributes and maintaining a count for each pair of error stack and associated attributes.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring
  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
  • G06F 11/36 - Preventing errors by testing or debugging of software
  • G06F 16/2455 - Query execution
  • G06F 16/25 - Integrating or interfacing systems involving database management systems

22.

Real-time processing of data streams received from instrumented software

      
Application Number 17515272
Grant Number 11928046
Status In Force
Filing Date 2021-10-29
First Publication Date 2024-03-12
Grant Date 2024-03-12
Owner Splunk Inc. (USA)
Inventor
  • Liu, Phillip
  • Mukherji, Arijit
  • Raman, Rajesh

Abstract

An analysis system receives data streams generated by instances of instrumented software executing on external systems. The analysis system evaluates an expression using data values of the data streams over a plurality of time intervals. For example, the analysis system may aggregate data values of data streams for each time interval. The analysis system determines whether or not a data stream is considered for a time interval based on when the data value arrives during the time interval. The analysis system determines a maximum expected delay value for each data stream being processed. The analysis system evaluates the expression using data values that arrive before their maximum expected delay values. The analysis system also determines a failure threshold value for a data stream. If a data value of a data stream fails to arrive before the failure threshold value, the analysis system marks the data stream as dead.

IPC Classes

23.

HTTP events with custom fields

      
Application Number 17305650
Grant Number 11921693
Status In Force
Filing Date 2021-07-12
First Publication Date 2024-03-05
Grant Date 2024-03-05
Owner Splunk Inc. (USA)
Inventor
  • Neeman, Itay Alfred
  • Block, Glenn
  • Ma, Lin
  • Blank, Mitch
  • Patel, Vishal

Abstract

A data intake and query system receives a message including raw machine data via an internet protocol (IP) such as the hypertext transfer protocol (HTTP). The message includes a distinct payload portion and a distinct custom field portion. The payload portion includes raw machine data, while the custom field portion includes values for fields. An event that includes the raw machine data and the values is generated from the payload portion and the values are extracted from the custom field portion. The event is then stored such that the values are associated with the event.

IPC Classes

  • G06F 16/23 - Updating
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 16/951 - Indexing; Web crawling techniques

24.

Authenticating data associated with a data intake and query system using a distributed ledger system

      
Application Number 17305646
Grant Number 11921873
Status In Force
Filing Date 2021-07-12
First Publication Date 2024-03-05
Grant Date 2024-03-05
Owner Splunk Inc. (USA)
Inventor
  • Mckervey, Nathaniel Gerard
  • Moore, Ryan Russell

Abstract

Systems and methods are disclosed for authenticating a chunk of data identified in a query received by a data intake and query system. The data intake and query system receives a query that identifies a set of data and manner for processing the set of data, and identifies a chunk of data that is part of the set of data. The system generates a content identifier, such as a hash, of the chunk of data. The system further authenticates the chunk of data based on the generated content identifier and a content identifier stored by a distributed ledger system.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 16/13 - File access structures, e.g. distributed indices
  • G06F 16/245 - Query processing
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems

25.

Generating a modified component for a data intake and query system using an isolated execution environment image

      
Application Number 16777612
Grant Number 11922222
Status In Force
Filing Date 2020-01-30
First Publication Date 2024-03-05
Grant Date 2024-03-05
Owner Splunk Inc. (USA)
Inventor
  • Chawla, Gaurav
  • Goyal, Mehul
  • Mahadik, Sanish
  • Rohatgi, Sumeet

Abstract

A control plane system can be used to manage or generate components in a shared computing resource environment. To generate a modified component, the control plane system can receive configurations of a component. The configurations can include software versions and/or parameters for the component. Using the configurations, the control plane system can generate an image of a modified component, and communicate the image to a master node in the shared computing resource environment. The master node can provide one or more instances of the modified component for use based on the received image.

IPC Classes

  • G06F 9/46 - Multiprogramming arrangements
  • G06F 8/71 - Version control ; Configuration management
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

26.

Actionable event responder architecture

      
Application Number 17846983
Grant Number 11924021
Status In Force
Filing Date 2022-06-22
First Publication Date 2024-03-05
Grant Date 2024-03-05
Owner Splunk Inc. (USA)
Inventor
  • Goyal, Shalabh
  • Shrigondekar, Anish
  • Thaker, Bhavin
  • Xie, Zhenghui
  • Zhang, Ruochen

Abstract

An actionable event collector in a server cluster receives information specifying an actionable event instance regarding an actionable event occurrence in the server cluster. The actionable event collector transmits a representation of the actionable event instance to an actionable event queue builder. The actionable event queue builder inserts the representation as an entry into an actionable event queue. The event action dispatcher processes the entry from the actionable event queue, wherein processing the entry comprises determining a responsive action for the entry and causing performance of the responsive action.

IPC Classes

  • H04L 41/0631 - Management of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 9/451 - Execution arrangements for user interfaces

27.

Automated security, orchestration, automation, and response (SOAR) app generation based on application programming interface specification data

      
Application Number 18326830
Grant Number 11924284
Status In Force
Filing Date 2023-05-31
First Publication Date 2024-03-05
Grant Date 2024-03-05
Owner Splunk Inc. (USA)
Inventor
  • Hanson, Matthew
  • Davis, Jacob
  • Zhou, Zhi Peng
  • Harris, James
  • Moore, Jacob Andrew Edward
  • Hariri, Austin Tyler
  • Tu, Shiying
  • Trenkner, Daniel
  • Varadarajan, Kavita

Abstract

Described herein are techniques for enabling a security orchestration, automation, and response (SOAR) service to automatically manage apps used to interface with an integrated security operations service and other related devices and services. Further described herein is a SOAR app generator service or application used to automate the creation of apps for a SOAR service based on application programming interfaces (API) specifications for related devices or services, as well as visual playbook editor interfaces for a SOAR service that enable the configuration of complex action input parameters including arrays and objects.

IPC Classes

  • H04L 67/133 - Protocols for remote procedure calls [RPC]

28.

Systems and methods for decoupling search processing language and machine learning analytics from storage of accessed data

      
Application Number 17978684
Grant Number 11921720
Status In Force
Filing Date 2022-11-01
First Publication Date 2024-03-05
Grant Date 2024-03-05
Owner Splunk Inc. (USA)
Inventor
  • Kulkarni, Chinmay Madhav
  • Ma, Lin
  • Malekpour, Amir
  • Rajagopalan, Mohan
  • Reed, John C.
  • Sriharsha, Ram

Abstract

A computer-implemented method is disclosed that includes operations of parsing a query comprised of a sequence of operators to detect each operator of the sequence of operators, where the sequence of operators includes a machine learning (ML) operator representing a trained ML model. Additionally, a schema of the ML operator is determined through metadata. A filter or a projection is generated based on the schema of the ML operator, where the filter or projection is configured to reduce an amount of data retrieved upon application of the filter or the projection to an operator of the sequence of operators comprising the query. The schema of the ML operator indicates a schema of input data to be provided to the ML operator and a schema of output data to be provided by the ML operator following processing.

IPC Classes

29.

Generating and using alert definitions

      
Application Number 18162632
Grant Number 11921799
Status In Force
Filing Date 2023-01-31
First Publication Date 2024-03-05
Grant Date 2024-03-05
Owner Splunk Inc. (USA)
Inventor
  • Makaremi, Iman
  • Rana, Gyanendra
  • Vogler-Ivashchanka, Iryna
  • Oliner, Adam
  • Keswani, Harsh
  • Sainani, Manish
  • Kim, Alexander

Abstract

Operational machine components of an information technology (IT) or other microprocessor- or microcontroller-permeated environment generate disparate forms of machine data. Network connections are established between these components and processors of an automatic data intake and query system (DIQS). The DIQS conducts network transactions on a periodic and/or continuous basis with the machine components to receive the disparate data and ingest certain of the data as measurement entries of a DIQS metrics datastore that is searchable for DIQS query processing. The DIQS may receive search queries to process against the received and ingested data via an exposed network interface. In one example embodiment, a query building component conducts a user interface using a network attached client device. The query building component may elicit search criteria via the user interface using a natural language interface, construct a proper query therefrom, and present new information based on results returned from the DIQS.

IPC Classes

  • H04L 41/069 - Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/951 - Indexing; Web crawling techniques
  • G06F 40/30 - Semantic analysis
  • H04L 41/0686 - Additional information in the notification, e.g. enhancement of specific meta-data
  • H04L 67/01 - Protocols
  • H04L 67/141 - Setup of application sessions

30.

User interface for specifying data stream processing language programs for analyzing instrumented software

      
Application Number 17463430
Grant Number 11914501
Status In Force
Filing Date 2021-08-31
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner Splunk Inc. (USA)
Inventor
  • Ophir, Eyal
  • Cheng, Kevin

Abstract

An instrumentation analysis system processes data streams by executing instructions specified using a data stream language program. A user interface allows users to specify data stream language programs. The user interface presents widgets to the user to specify various components of a data stream language program, including a filter expression, an analytical function representing an aggregation or transformation, and so on. The user interface allows users to specify an expression based on results of previously specified data stream language programs. The instrumentation analysis system processes the data stream language programs specified by the user to generate a set of result data streams and plots the result data streams, for example, on a screen of a client device.

IPC Classes

  • G06F 9/44 - Arrangements for executing specific programs
  • G06F 11/36 - Preventing errors by testing or debugging of software
  • G06F 16/2455 - Query execution
  • G06F 16/2457 - Query processing with adaptation to user needs

31.

Determining a user-specific approach for disambiguation based on an interaction recommendation machine learning model

      
Application Number 17943037
Grant Number 11914588
Status In Force
Filing Date 2022-09-12
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner SPLUNK INC. (USA)
Inventor
  • Das, Dipock
  • Pochugari, Dayanand
  • Verma, Neeraj
  • Padakanti, Nikesh
  • Radon, Aungon Nag
  • Srinivasabagavathar, Anand
  • Oliner, Adam

Abstract

In various embodiments, a natural language (NL) application implements functionality that enables users to more effectively access various data storage systems based on NL requests. As described, the operations of the NL application are guided, at least in part, by one or more templates and/or machine-learning models. Advantageously, the templates and/or machine-learning models provide a flexible framework that may be readily tailored to reduce the amount of time and user effort associated with processing NL requests and to increase the overall accuracy of NL application implementations.

IPC Classes

32.

Collaboration spaces in networked remote collaboration sessions

      
Application Number 17246423
Grant Number 11915377
Status In Force
Filing Date 2021-04-30
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner SPLUNK INC. (USA)
Inventor
  • Bhushan, Devin
  • Jackson-King, Caelin Thomas
  • Yazhenskikh, Stanislav
  • Zhu, Jim Jiaming

Abstract

Extended reality (XR) software application programs establish remote collaboration sessions in which a host device and one or more remote devices can interact. When initiating a remote collaboration session, an XR application in a host device determines a collaboration area. The collaboration area corresponds to a portion of a real-world environment that is shared by the host device with the one or more remote devices. In some embodiments, the collaboration area can be determined automatically and/or based on user input. The XR application causes sensors associated with the host device to scan the collaboration area. Then, the XR application transmits, to the one or more remote devices, a three-dimensional representation of the collaboration area for rendering in one or more remote XR environments.

IPC Classes

  • G06T 9/00 - Image coding
  • G06T 19/00 - Manipulating 3D models or images for computer graphics
  • G06T 17/20 - Wire-frame description, e.g. polygonalisation or tessellation
  • G06T 7/13 - Edge detection
  • G06T 15/04 - Texture mapping
  • H04L 67/131 - Protocols for games, networked simulations or virtual reality

33.

Server-side operations for edge analytics

      
Application Number 18152027
Grant Number 11916764
Status In Force
Filing Date 2023-01-09
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner SPLUNK INC. (USA)
Inventor
  • Nagaraju, Pradeep Baliganapalli
  • Oliner, Adam Jamison
  • Gilmore, Brian Matthew
  • Dean, Erick Anthony
  • Wang, Jiahan

Abstract

Disclosed is a technique that can be performed by a server computer system. The technique can include obtaining data from each of multiple endpoint devices to form global data. The global data can be generated by the endpoint devices in accordance with local instructions in each of the endpoint devices. The technique further includes generating global instructions based on the global data and sending the global instructions to a particular endpoint device. The global instructions configure the particular endpoint device to perform a data analytic operation that analyzes events. The events can include raw data generated by a sensor of the particular endpoint device.

IPC Classes

  • G06F 15/177 - Initialisation or configuration control
  • H04L 43/028 - Capturing of monitoring data by filtering
  • H04L 41/14 - Network analysis or design
  • G06N 20/00 - Machine learning
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures
  • G06F 16/9038 - Presentation of query results
  • H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06N 5/047 - Pattern matching networks; Rete networks

34.

Automatic assignment of incidents in an information technology (IT) and security operations application

      
Application Number 16657966
Grant Number 11916929
Status In Force
Filing Date 2019-10-18
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner Splunk Inc. (USA)
Inventor
  • Thimmegowda, Vadan
  • Satish, Sourabh

Abstract

An information technology (IT) and security operations application enables the automatic assignment of incident events to analysts based on a variety of characteristics of the incident events to be assigned, the analysts and analyst teams, and other considerations. An IT and security operations application can perform the automatic assignment of incident events based at least in part on data indicating each analyst's knowledge of certain types of incidents, data indicating each analyst's efficiency at responding to certain types of incidents, and the like, where such data is automatically created and maintained by the application. In this manner, incident events can be efficiently assigned to analysts upon their receipt by the system without the need for a security team to constantly perform a cumbersome incident event assignment process based on a limited set of data, thereby improving analyst teams' ability to efficiently ensure the operation and security of IT environments for which the teams are responsible.

IPC Classes

35.

Facilitating existing item determinations

      
Application Number 18160123
Grant Number 11914552
Status In Force
Filing Date 2023-01-26
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner Splunk Inc. (USA)
Inventor
  • Bath, Amritpal Singh
  • Blank, Jr., Mitchell Neuman
  • Patel, Vishal
  • Sorkin, Stephen Phillip

Abstract

Embodiments are directed towards managing and tracking item identification of a plurality of items to determine if an item is a new or existing item, where an existing item has been previously processed. In some embodiments, two or more item identifiers may be generated. In one embodiment, generating the two or more item identifiers may include analyzing the item using a small item size characteristic, a compressed item, or for an identifier collision. The two or more item identifiers may be employed to determine if the item is a new or existing item. In one embodiment, the two or more item identifiers may be compared to a record about an existing item to determine if the item is a new or existing item. If the item is an existing item, then the item may be further processed to determine if the existing item has actually changed.

IPC Classes

  • G06F 17/30 - Information retrieval; Database structures therefor
  • G06F 16/17 - File systems; File servers - Details of further file system functions
  • G06F 16/20 - Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
  • G06F 16/174 - Redundancy elimination performed by the file system

36.

Generating search results based on intermediate summaries

      
Application Number 18166326
Grant Number 11914562
Status In Force
Filing Date 2023-02-08
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner SPLUNK INC. (USA)
Inventor
  • Bitincka, Ledion
  • Sorkin, Stephen Phillip
  • Zhang, Steve Yu

Abstract

A method and system for managing searches of a data set that is partitioned based on a plurality of events. A structure of a search query may be analyzed to determine if logical computational actions performed on the data set are reducible. Data in each partition is analyzed to determine if at least a portion of the data in the partition is reducible. In response to a subsequent or reoccurring search request, intermediate summaries of reducible data and reducible search computations may be aggregated for each partition. Next, a search result may be generated based on at least one of the aggregated intermediate summaries, the aggregated reducible search computations, and a query of ad hoc non-reducible data arranged in at least one of the plurality of partitions for the data set.

IPC Classes

  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06F 16/245 - Query processing
  • G06F 16/248 - Presentation of query results
  • G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures

37.

Identifying leading indicators for target event prediction

      
Application Number 17384519
Grant Number 11915156
Status In Force
Filing Date 2021-07-23
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner Splunk Inc. (USA)
Inventor
  • Oliner, Adam Jamison
  • Radon, Aungon Nag
  • Wong, Manwah
  • Sainani, Manish
  • Keswani, Harsh

Abstract

Embodiments of the present invention are directed to facilitating event forecasting. In accordance with aspects of the present disclosure, a set of events determined from raw machine data is obtained. The events are analyzed to identify leading indicators that indicate a future occurrence of a target event, wherein the leading indicators occur during a search period of time that precedes a warning period of time, thereby providing time for an action to be performed prior to an occurrence of a predicted target event. At least one of the leading indicators is used to predict a target event. An event notification is provided indicating the prediction of the target event.

IPC Classes

  • G06N 5/04 - Inference or reasoning models
  • G06N 20/00 - Machine learning
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/26 - Visual data mining; Browsing structured data

38.

Techniques for processing trace data

      
Application Number 18104207
Grant Number 11907097
Status In Force
Filing Date 2023-01-31
First Publication Date 2024-02-20
Grant Date 2024-02-20
Owner SPLUNK Inc. (USA)
Inventor
  • Drutu, Bogdan Cristian
  • Slunecko, Filip
  • Smith, Charles Joseph
  • Williamson, Timothy Matthew Robin

Abstract

Techniques may include receiving a plurality of spans of trace data at a computing system during a first time period. The techniques may include storing the plurality of spans in a span partition of a data store. The data store can contain a plurality of span partitions with spans that are grouped in the partition by trace identifier. The device may include generating a timestamp partition, with an index of timestamps by trace identifiers, for the first time period. The techniques may include storing the timestamp partition in the data store. Also, the techniques may include identifying at least two timestamp partitions that correspond to a second time period that preceded the first time period. The techniques may include generating and storing a primary compacted timestamp partition by combining the at least two timestamp partitions.

IPC Classes

  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
  • G06F 11/30 - Monitoring
  • H04L 43/04 - Processing captured monitoring data, e.g. for logfile generation

39.

Data reduction and evaluation via link analysis

      
Application Number 17217985
Grant Number 11909750
Status In Force
Filing Date 2021-03-30
First Publication Date 2024-02-20
Grant Date 2024-02-20
Owner SPLUNK INC. (USA)
Inventor Morris, Andrew

Abstract

Disclosed herein is a fraud analysis data reduction technique. When reviewing a large set of data for potential fraudulent action there is often too much data for a human to reasonably analyze. A technique to reduce the overall amount of data associates entities that have duplicate values stored in corresponding data elements with one another and removes those entities that do not have at least one duplicate value. The entities with duplicate values are entered into a node graph and analyzed for connected components. The connected components analysis and a duplicate threshold analysis provide usable results to identify fraudulent activity.

IPC Classes

  • G06F 16/215 - Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
  • H04L 9/40 - Network security protocols
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models

40.

System and method for changepoint detection in streaming data

      
Application Number 17591511
Grant Number 11907227
Status In Force
Filing Date 2022-02-02
First Publication Date 2024-02-20
Grant Date 2024-02-20
Owner Splunk Inc. (USA)
Inventor
  • Wang, Zhaohui
  • Gannon, Ryan
  • Lin, Xiao
  • Mishra, Abhinav
  • Sarkar, Chandrima
  • Sriharsha, Ram

Abstract

A computerized method is disclosed including operations of receiving a data stream, performing a changepoint detection resulting in a detection of changepoints in the data stream including: maintaining a listing of starting indices for each run within the data stream in a buffer of size L wherein each index of the listing has a run length probability representing a likelihood of being a changepoint, receiving a new data point within the data stream and adding a new index to the buffer resulting in the buffer having size L+1, calculating a posterior run length probability that the new data point is a changepoint, and removing an index from the listing that has a lowest run length probability thereby returning the buffer to size L, and responsive to determining the index removed from the listing does not correspond to the new data point, identifying a changepoint associated with the new data point.

IPC Classes

  • G06F 16/00 - Information retrieval; Database structures therefor; File system structures therefor
  • G06F 16/2455 - Query execution
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries

41.

Display screen or a portion thereof having an animated graphical user interface for an isometric view of an abstraction of a system platform

      
Application Number 29813433
Grant Number D1015375
Status In Force
Filing Date 2021-10-28
First Publication Date 2024-02-20
Grant Date 2024-02-20
Owner SPLUNK Inc. (USA)
Inventor
  • Hama, Tatsuya
  • Jaber, Vanessa

42.

Advanced persistent threat detection by an information technology and security operations application

      
Application Number 16863911
Grant Number 11902306
Status In Force
Filing Date 2020-04-30
First Publication Date 2024-02-13
Grant Date 2024-02-13
Owner Splunk Inc. (USA)
Inventor Satish, Sourabh

Abstract

Techniques are described for enabling an IT and security operations application to detect and remediate advanced persistent threats (APTs). The detection of APTs involves the execution of search queries to search event data that initially was associated with lower-severity activity or that otherwise did not initially rise to the level of actionable event data in the application. The execution of such search queries may thus generally be configured to search non-real-time event data, e.g., event data that is outside of a current window of days or a week and instead searches and aggregates event data spanning time periods of many weeks, months, or years. Due to the nature of APTs, analyses of historical event data spanning such relatively long periods of time may in the aggregate uncover the types of persistent activity associated with APTs that would otherwise go undetected based only on searches of more current, real-time event data.

IPC Classes

43.

Codeless anchor detection for aggregate anchors

      
Application Number 17086301
Grant Number 11899658
Status In Force
Filing Date 2020-10-30
First Publication Date 2024-02-13
Grant Date 2024-02-13
Owner SPLUNK INC. (USA)
Inventor
  • Bhushan, Devin
  • Han, Seunghee
  • Jackson-King, Caelin Thomas
  • Kuppel, Jamie
  • Yazhenskikh, Stanislav
  • Zhu, Jim Jiaming

Abstract

A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital image via the camera and detects textual and/or pictorial content included in the acquired image that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.

IPC Classes

  • G06F 16/242 - Query formulation
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06T 11/00 - 2D [Two Dimensional] image generation
  • G06T 19/00 - Manipulating 3D models or images for computer graphics
  • H04W 4/021 - Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences

44.

Generation of queries for execution at a separate system

      
Application Number 17589558
Grant Number 11899670
Status In Force
Filing Date 2022-01-31
First Publication Date 2024-02-13
Grant Date 2024-02-13
Owner Splunk Inc. (USA)
Inventor
  • Bhagat, Ankit
  • Karis, Steven
  • Moshgabadi, Amin
  • Raman, Rajesh

Abstract

Systems and methods are described for generation of queries for execution by a separate system. In order to establish a connection with the separate system, credentials can be obtained. For example, the credentials may be based on a user identifier and/or a login identifier. Indices can be identified that correspond to the credentials and a query can be identified that includes a selection of at least one of the indices. For example, the query may identify a set of log data ingested and indexed by the separate system. A request that includes the query, the credentials, and a connection identifier can be communicated to the separate system. In response to the request, a set of data can be received from the separate system. The set of data can be provided to a computing device. For example, the set of data can be provided to a computing device providing the query.

IPC Classes

  • G06F 16/2455 - Query execution
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

45.

Managing collection agents via an agent controller

      
Application Number 17589127
Grant Number 11902081
Status In Force
Filing Date 2022-01-31
First Publication Date 2024-02-13
Grant Date 2024-02-13
Owner Splunk Inc. (USA)
Inventor
  • Sharma, Dinesh Dutt
  • Gupta, Anuj
  • Alazath, Vinu K.

Abstract

Embodiments described herein are directed to facilitating management of collection agents. In one embodiment, a control request is provided to an agent service manager from an agent controller that manages collection agents that collect data. The agent controller and the collection agents operate on a computing machine remote from the agent service manager. In response to the control request, a control directive is received, the control directive including an agent event indicator indicating an agent event to be executed in association with a set of collection agents of the collection agents. Thereafter, execution of the agent event is initiated in association with each collection agent of the set of collection agents.

IPC Classes

  • H04L 41/046 - Network management architectures or arrangements comprising network management agents or mobile agents therefor
  • H04L 9/40 - Network security protocols

46.

Content pack management

      
Application Number 17163269
Grant Number 11892988
Status In Force
Filing Date 2021-01-29
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner Splunk Inc. (USA)
Inventor
  • Wu, Kan
  • Torbett, Ian Edward
  • Wang, James

Abstract

A method includes selecting, from content packs in a centralized content management system, a content pack to update in a data intake and query system. The content pack includes utility objects. For each utility object of at least a subset of the utility objects determining whether the utility object already exists in the data intake and query system, and loading the utility object to the data intake and query system when the utility object does not exist to obtain an updated utility object. The method further includes monitoring, by the data intake and query system, an endpoint of an endpoint type using the updated utility object.

IPC Classes

  • G06F 16/21 - Design, administration or maintenance of databases
  • G06F 16/2453 - Query optimisation
  • G06F 16/26 - Visual data mining; Browsing structured data
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
  • G06F 8/658 - Incremental updates; Differential updates
  • G06F 11/32 - Monitoring with visual indication of the functioning of the machine

47.

Data model selection and application based on data sources

      
Application Number 17734786
Grant Number 11893010
Status In Force
Filing Date 2022-05-02
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner SPLUNK INC. (USA)
Inventor
  • Neels, Alice Emily
  • Ganapathi, Archana Sulochana
  • Robichaud, Marc Vincent
  • Sorkin, Stephen Phillip
  • Zhang, Steve Yu

Abstract

Embodiments include generating data models that may give semantic meaning for unstructured or structured data that may include data generated and/or received by search engines, including a time series engine. A method includes generating a data model for data stored in a repository. Generating the data model includes generating an initial query string, executing the initial query string on the data, generating an initial result set based on the initial query string being executed on the data, determining one or more candidate fields from one or more results of the initial result set, generating a candidate data model based on the one or more candidate fields, iteratively modifying the candidate data model until the candidate data model models the data, and using the candidate data model as the data model.

IPC Classes

  • G06F 16/242 - Query formulation
  • G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
  • G06F 16/245 - Query processing
  • G06F 16/248 - Presentation of query results
  • G06F 16/9535 - Search customisation based on user profiles and personalisation
  • G06F 16/2457 - Query processing with adaptation to user needs
  • G06F 40/186 - Templates
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus

48.

Notification interface on a wearable device for data alerts

      
Application Number 16264520
Grant Number 11893296
Status In Force
Filing Date 2019-01-31
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner SPLUNK INC. (USA)
Inventor
  • Chen, Mingyuan
  • Conway, Dylan Patricia
  • Tam, Simon

Abstract

Various embodiments of the present application set forth a computer-implemented method that includes generating a first alert that includes one or more parameters, wherein the first notification is associated with the first alert, receiving, by a wearable device, a notification dashboard that includes at least a first visualization associated with a first notification, storing, by the wearable device, the notification dashboard in a notification cache, and in response to receiving a request associated with the first notification, retrieving the notification dashboard from the notification cache, and displaying at least a portion of the first visualization included in the notification dashboard on the wearable device.

IPC Classes

  • G06F 3/14 - Digital output to display device
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • G06F 3/04847 - Interaction techniques to control parameter settings, e.g. interaction with sliders or dials
  • G06F 16/2455 - Query execution

49.

Precise manipulation of virtual object position in an extended reality environment

      
Application Number 17897871
Grant Number 11893703
Status In Force
Filing Date 2022-08-29
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner SPLUNK INC. (USA)
Inventor
  • Bhushan, Devin
  • Chor, Jesse
  • Wong, Glen

Abstract

A mobile device is fitted with a camera and an extended reality (XR) software application program executing on a processor within an XR system. Via the XR software application program, various techniques are performed for manipulating virtual objects in an XR environment. In a first technique, the XR software application program facilitates the movement of a virtual object from a first location to a second location. In a second technique, the XR software application program facilitates the rotation of a virtual object. In a third technique, the XR software application program facilitates the scaling of a virtual object along one or more axes.

IPC Classes

  • G06T 19/00 - Manipulating 3D models or images for computer graphics
  • G06T 19/20 - Editing of 3D images, e.g. changing shapes or colours, aligning objects or positioning parts
  • G06F 3/0346 - Pointing devices displaced or positioned by the user; Accessories therefor with detection of the device orientation or free movement in a 3D space, e.g. 3D mice, 6-DOF [six degrees of freedom] pointers using gyroscopes, accelerometers or tilt-sensors
  • G06F 3/01 - Input arrangements or combined input and output arrangements for interaction between user and computer
  • G06F 3/04845 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range for image manipulation, e.g. dragging, rotation, expansion or change of colour

50.

Managing subscriptions to resource updates made via a target interface

      
Application Number 18050024
Grant Number 11895192
Status In Force
Filing Date 2022-10-26
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner SPLUNK INC. (USA)
Inventor
  • Mehta, Neel
  • Aberg, Allyson
  • Jacob, Joel
  • Huang, William
  • Kumari, Neha
  • Lee, Yi Chien
  • Ng, Anthony
  • Quaresma, Rodrigo Paulo
  • Shu, Qi
  • Shum, Warren
  • Yeung, Jonathan

Abstract

A wrapper layer over a target interface receives requests from client devices over a different interface, converts the requests into a format that is compatible with the target interface, and transmits each converted request over the target interface for processing by a service. The wrapper layer also processes a request by a client device to subscribe to a certain type of update made via the target interface by verifying that the client device is authorized to access a resource associated with that type of update and creating a subscription that identifies the client device and the type of update. When the wrapper layer subsequently receives a request corresponding to that type of update, the wrapper layer matches attributes of the request to the subscription by the client device and transmits a message notifying the client device of the request.

IPC Classes

  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
  • H04L 67/55 - Push-based network services

51.

Processing updated sensor data for remote collaboration

      
Application Number 17515345
Grant Number 11893675
Status In Force
Filing Date 2021-10-29
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner SPLUNK INC. (USA)
Inventor
  • Bhushan, Devin
  • Jackson-King, Caelin Thomas
  • Yazhenskikh, Stanislav
  • Zhu, Jim Jiaming

Abstract

Various implementations set forth a computer-implemented method for scanning a three-dimensional (3D) environment. The method includes generating, in a first time interval, a first extended reality (XR) stream based on a first set of meshes representing a 3D environment, transmitting, to a remote device, the first XR stream for rendering a 3D representation of a first portion of the 3D environment in a remote XR environment, determining that the 3D environment has changed based on a second set of meshes representing the 3D environment and generated subsequent to the first time interval, generating a second XR stream based on the second set of meshes, and transmitting, to the remote device, the second XR stream for rendering a 3D representation of at least a portion of the changed 3D environment in the remote XR environment.

52.

Identifying an indexing node to process data using a resource catalog

      
Application Number 16513365
Grant Number 11892996
Status In Force
Filing Date 2019-07-16
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner Splunk Inc. (USA)
Inventor
  • Anwar, Tameem
  • Batsakis, Alexandros
  • Sajja, Sai Krishna
  • Stojanovski, Igor
  • Woo, Eric

Abstract

Systems and methods are described for monitoring indexing nodes, populating and maintaining a resource catalog with relevant information, receiving requests for indexing node availability or assignments, identifying indexing nodes that are available to process data, and/or communicating information relating to available indexing nodes. The system can maintain the resource catalog based on communications with each of the containerized indexing nodes. The system can receive, from a partition manager of a data intake and query system, a request for a containerized indexing node that the partition manager can assign to process data received by the partition manager. The system can identify an available containerized indexing node to process the data. The system can communicate, to the partition manager, an indexing node identifier associated with the available containerized indexing node.

IPC Classes

  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06F 16/23 - Updating
  • G06F 16/245 - Query processing
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation

53.

Analyzing data across tenants of an information technology (IT) and security operations application

      
Application Number 16657964
Grant Number 11895126
Status In Force
Filing Date 2019-10-18
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner Splunk Inc. (USA)
Inventor
  • Satish, Sourabh
  • Truesdell, Robert John

Abstract

An information technology (IT) and security operations application is described that enables cross-tenant analyses of data to derive insights that can be used to provide actionable information across the application including, for example, action recommendations, threat confidence scores, and other incident data enrichments. The generation and presentation of such information to users of an IT and security operations application can enable analyst teams to more efficiently and accurately respond to various types of incidents in IT environments, thereby improving the overall operation and security of the IT environments. Furthermore, because of the shared use of an IT and security operations application concurrently by any number of separate tenants, such cross-tenant analyses can be performed in near real-time and on an ongoing basis to deliver relevant insights.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols
  • G06F 9/451 - Execution arrangements for user interfaces

54.

Scaled authentication of endpoint devices

      
Application Number 18150769
Grant Number 11895237
Status In Force
Filing Date 2023-01-05
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner SPLUNK INC. (USA)
Inventor
  • Chen, Mingyuan
  • Chor, Jesse
  • Conway, Dylan Patricia
  • Emery, Michael
  • Tam, Simon
  • Wagh, Eeshan
  • Wong, Glen
  • Yip, Everett

Abstract

Various embodiments of the present application set forth a computer-implemented method that includes generating, based on a resource file stored at an endpoint device, a credential data packet for authenticating with a first application executing in a first network, where the resource file includes a set of encryption keys associated with a plurality of applications including the first application, and where the credential data packet is encrypted with a device key signed by the endpoint device, and the credential data packet is signed by an endpoint device management (EDM) key extracted from the set of encryption keys included in the resource file, sending, by the endpoint device, the credential data packet to the first application via a trusted communication channel, and receiving, by the endpoint device and in response to the credential data packet, an authorization packet from the first application via the trusted communication channel.

IPC Classes

  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

55.

Display screen or portion thereof having a graphical user interface with a time slider for a map

      
Application Number 29800320
Grant Number D1013705
Status In Force
Filing Date 2021-07-20
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner SPLUNK Inc. (USA)
Inventor Bahatyrevich, Uladzimir

56.

Display screen or a portion thereof having a graphical user interface for an isometric view of an abstraction of a system platform

      
Application Number 29811962
Grant Number D1013707
Status In Force
Filing Date 2021-10-18
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner SPLUNK Inc. (USA)
Inventor
  • Hama, Tatsuya
  • Jaber, Vanessa

57.

Intent-based natural language processing system

      
Application Number 17689562
Grant Number 11886430
Status In Force
Filing Date 2022-03-08
First Publication Date 2024-01-30
Grant Date 2024-01-30
Owner SPLUNK INC. (USA)
Inventor
  • Moo, Yow Han
  • Pochugari, Dayanand
  • Radon, Aungon Nag
  • Li, Xin
  • Mamdi, Venkat
  • Srinivasabagavathar, Anand

Abstract

Various embodiments of the present application set forth a computer-implemented method that includes receiving, from a device, a natural-language (NL) request. The method further includes selecting, using the NL request, an intent from a set of intents, wherein the intent is associated with a pre-defined intent template, the pre-defined intent template including a set of property fields that are associated with one or more portions of the NL request. The method also includes determining, based on the NL request, a set of property field values for the set of property fields. The method further includes generating a query to be executed on a field-searchable data source, wherein the query is based on one or more property field values included in the set of property field values. The method also includes receiving, in response to the query, a result that includes a set of event field values. In addition, the method includes causing the device to display at least a portion of the result.

IPC Classes

  • G06F 17/00 - Digital computing or data processing equipment or methods, specially adapted for specific functions
  • G06F 16/242 - Query formulation
  • G06F 16/2457 - Query processing with adaptation to user needs
  • G06F 16/248 - Presentation of query results
  • G06N 20/00 - Machine learning

58.

Guided creation interface for streaming data processing pipelines

      
Application Number 17589441
Grant Number 11886440
Status In Force
Filing Date 2022-01-31
First Publication Date 2024-01-30
Grant Date 2024-01-30
Owner Splunk Inc. (USA)
Inventor
  • Breeden, Jared
  • Puri, Asmita

Abstract

Systems and methods are disclosed for implementing a data processing workflow user interface for a streaming data processing system. The workflow is visually represented as a series of modules along with interconnections for the modules. Each module represents an operation on a streaming data object, such as a data transformation. The user interface enables selection of a workflow template based on a user-specified data source, and then allows the user to customize the workflow template by specifying additional operations to apply to data objects. The interface may show the user a preview of output data objects processed according to the customized workflow.

IPC Classes

  • G06F 16/00 - Information retrieval; Database structures therefor; File system structures therefor
  • G06F 16/2455 - Query execution
  • G06F 16/906 - Clustering; Classification
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/25 - Integrating or interfacing systems involving database management systems

59.

Computer dashboard editing tool

      
Application Number 17877687
Grant Number 11886845
Status In Force
Filing Date 2022-07-29
First Publication Date 2024-01-30
Grant Date 2024-01-30
Owner Splunk, Inc. (USA)
Inventor
  • Barbato, Anthony
  • Gill, Patrick
  • Shukla, Nitu
  • Wied, Patrick
  • Yuen, Tara

Abstract

Dashboard evaluation includes receiving a dashboard code defining a dashboard that includes visualizations in a layout, rendering, in a graphical user interface (GUI) of a dashboard editing tool, the dashboard based on the dashboard code, and extracting, using the dashboard code, a data attribute of a data object represented by a visualization of the multiple visualizations. Dashboard evaluation further includes evaluating, by the dashboard editing tool, the visualization based on the data attribute to obtain a score, presenting, in the GUI of the dashboard editing tool, a recommendation based on the score failing to satisfy a first threshold, receiving, through the GUI of the dashboard editing tool and after presenting the recommendation, an edit to the dashboard code that adjusts the visualization, and storing, by the dashboard editing tool, the edit to the dashboard code.

IPC Classes

  • G06F 8/38 - Creation or generation of source code for implementing user interfaces

60.

Networked cloud service monitoring

      
Application Number 18146256
Grant Number 11886455
Status In Force
Filing Date 2022-12-23
First Publication Date 2024-01-30
Grant Date 2024-01-30
Owner Splunk Inc. (USA)
Inventor
  • Baskaran, Subramaniam
  • Chene, Marc
  • Fletcher, Tristan
  • Mehasanewala, Sakib
  • Thoppai, Omprakaash

Abstract

Systems and methods ingest machine data including logs, metadata, and cost and usage information from multiple heterogeneous cloud services. The machine data is saved as events. An application retrieves the metadata, events, metrics, and logs and causes an easy to understand visual representation of costs, resource usage, and non-compliance for each of a client's cloud services. Further, the data across the client's multiple heterogeneous cloud services is normalized to provide visual representations that compare the costs, resource usage, and non-compliance across the client's multiple heterogeneous cloud services. Further, machine learning aspects of the application can provide recommendations and trend analysis for cloud service asset usage.

IPC Classes  ?

61.

Triage model in service monitoring system

      
Application Number 18100329
Grant Number 11886464
Status In Force
Filing Date 2023-01-23
First Publication Date 2024-01-30
Grant Date 2024-01-30
Owner Splunk Inc. (USA)
Inventor
  • Oliner, Adam Jamison
  • Curtis, Kristal
  • Makaremi, Iman
  • Lazerowitz, Ross Andrew

Abstract

Machine data of an operating environment is conveyed by a network to a data intake and query system (DIQS) which reflects the machine data as timestamped entries of a field-searchable datastore. Monitoring functionality may search the machine data to identify notable event instances. A notable event processing system correlates the notable event instance to one or more triaging models which are executed against the notable event to produce a modeled result. Information of the received notable event and the modeled results are combined into an enhanced representation of a notable event instance. The enhanced representation conditions downstream processing to automatically perform or assist triaging of notable event instances to optimize application of computing resources to highest priority conditions in the operating environment.

IPC Classes

  • H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 16/21 - Design, administration or maintenance of databases
  • G06F 9/54 - Interprogram communication
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
  • H04L 41/069 - Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
  • H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
  • H04L 41/0681 - Configuration of triggering conditions
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • G06Q 10/20 - Administration of product repair or maintenance
  • G06F 16/903 - Querying
  • G06Q 10/10 - Office automation; Time management
  • H04L 67/50 - Network services

62.

IT service monitoring by ingested machine data with KPI prediction and impactor determination

      
Application Number 17745848
Grant Number 11886475
Status In Force
Filing Date 2022-05-16
First Publication Date 2024-01-30
Grant Date 2024-01-30
Owner Splunk Inc. (USA)
Inventor
  • Swaminathan, Arvind
  • Zhou, Xiang

Abstract

A service monitoring system (SMS) transforms machine data from a monitored information technology (IT) environment into meaningful key performance indicators (KPIs) that each represents some measure of a service implemented by the environment on an ongoing basis. An overall health score for the service is determined from the KPIs and a prediction is made for a future health score. Data regarding a particular KPI and other KPIs is transformed to predicted future values for the particular KPI over a prediction window. Additionally, predicted future KPI scores may be used to determine a KPI impact score reflecting some measure of the degree to which the KPI, its related components, or processing related thereto, can influence the actual future health score. The KPI impact scores condition or direct the future operation of one or more SMS processes. Production of an impactor list identifying priority targets for interventive processing may be produced based at least on KPI impact scores and may also condition or direct the future operation of one or more SMS processes.

IPC Classes

  • G06F 7/00 - Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F 16/33 - Querying
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition

63.

Updating reusable custom functions across playbooks

      
Application Number 17950848
Grant Number 11886844
Status In Force
Filing Date 2022-09-22
First Publication Date 2024-01-30
Grant Date 2024-01-30
Owner Splunk Inc. (USA)
Inventor
  • Hanson, Matthew
  • Flak, Sydney
  • Fagan, Colin
  • Roberts, Jeffery
  • Salinas, Govinda
  • Royer, Philip

Abstract

Techniques are described for enabling users of an information technology (IT) and security operations application to create highly reusable custom functions for playbooks. The creation and execution of playbooks using an IT and security operations application generally enables users to automate operations related to an IT environment responsive to the identification of various types of incidents or other triggering conditions. Users can create playbooks to automate operations such as, for example, modifying firewall settings, quarantining devices, restarting servers, etc., to improve users' ability to efficiently respond to various types of incidents and operational issues that arise from time to time in IT environments.

IPC Classes

  • G06F 9/44 - Arrangements for executing specific programs
  • G06F 8/36 - Software reuse
  • G06F 9/445 - Program loading or initiating
  • G06F 8/658 - Incremental updates; Differential updates
  • G06F 8/71 - Version control ; Configuration management

64.

SELECTING ACTIONS RESPONSIVE TO COMPUTING ENVIRONMENT INCIDENTS BASED ON SEVERITY RATING

      
Application Number 18231715
Status Pending
Filing Date 2023-08-08
First Publication Date 2024-01-25
Owner Splunk Inc. (USA)
Inventor
  • Satish, Sourabh
  • Friedrichs, Oliver
  • Mahadik, Atif
  • Salinas, Govind

Abstract

Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models

65.

Interface layout profiles including interface actions in an information technology and security operations application

      
Application Number 17750032
Grant Number 11880558
Status In Force
Filing Date 2022-05-20
First Publication Date 2024-01-23
Grant Date 2024-01-23
Owner Splunk Inc. (USA)
Inventor
  • Catakli, Timur
  • Satish, Sourabh

Abstract

An information technology (IT) and security operations application is described that stores data reflecting customizations that users make to GUIs displaying information about various types of incidents, and further uses such data to generate “popular” interface profiles indicating popular GUI modifications. The analysis of the GUI customizations data is performed using data associated with multiple tenants of the IT and security operations application to develop profiles that may represent a general consensus on a collection and arrangement of interface elements that enable analysts to efficiently respond to certain types of incidents. Users of the IT and security operations application can then optionally apply these popular interface profiles to various GUIs during their use of the application. Among other benefits, the ability to generate and provide popular interface profiles can help analysts and other users more efficiently investigate and respond to a wide variety of incidents within IT environments, thereby improving the operation and security of those environments.

IPC Classes

  • G06F 3/04847 - Interaction techniques to control parameter settings, e.g. interaction with sliders or dials
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • G06F 16/335 - Filtering based on additional data, e.g. user or group profiles
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
  • H04L 9/40 - Network security protocols
  • H04L 67/75 - Indicating network or usage conditions on the user display
  • G06F 16/25 - Integrating or interfacing systems involving database management systems
  • G06F 9/451 - Execution arrangements for user interfaces

66.

Trusted tunnel bridge

      
Application Number 17162941
Grant Number 11882099
Status In Force
Filing Date 2021-01-29
First Publication Date 2024-01-23
Grant Date 2024-01-23
Owner SPLUNK INC. (USA)
Inventor
  • Chor, Jesse
  • Emery, Michael

Abstract

Various embodiments of the present application set forth a computer-implemented method that includes receiving, by a trusted tunnel bridge and from a first application executing in a first network, a first encrypted data packet, where the first encrypted data packet includes an encrypted portion of data, and a destination device identifier (DDI). The method further includes determining, by the trusted tunnel bridge, a particular device in a second network and associated with the DDI included in the first encrypted data packet. The method further includes sending, by the trusted tunnel bridge directly to the particular device, the first encrypted data packet.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 12/46 - Interconnection of networks
  • H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
  • G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
  • G06F 16/951 - Indexing; Web crawling techniques

67.

Managing efficient query execution including mapping of buckets to search nodes

      
Application Number 16000664
Grant Number 11874691
Status In Force
Filing Date 2018-06-05
First Publication Date 2024-01-16
Grant Date 2024-01-16
Owner Splunk Inc. (USA)
Inventor
  • Batsakis, Alexandros
  • Mathew, Ashish
  • Pride, Christopher
  • Aleti, Bharath Kishore Reddy
  • Pal, Sourav
  • Bhattacharjee, Arindam
  • Monschke, James

Abstract

Systems and methods are disclosed for processing and executing queries in a data intake and query system. The data intake and query system receives a query identifying a set of data to be processed and a manner of processing the set of data. The data intake and query system identifies buckets that are to be searched and search nodes to execute the query. The data intake and query system maps the identified buckets to the search nodes and executes the query using the identified bucket and search nodes.

68.

Detecting anomalies in key performance indicator values

      
Application Number 17732131
Grant Number 11875032
Status In Force
Filing Date 2022-04-28
First Publication Date 2024-01-16
Grant Date 2024-01-16
Owner Splunk Inc. (USA)
Inventor
  • Sainani, Manish
  • Oliner, Adam Jamison
  • Leverich, Jacob Barton
  • Alekseyev, Leonid
  • Maheshwari, Sonal

Abstract

Techniques are disclosed for anomaly detection based on a predicted value. A search query can be executed over a period of time to produce values for a key performance indicator (KPI), the search query defining the KPI and deriving a value indicative of the performance of a service at a point in time or during a period of time, the value derived from machine data pertaining to one or more entities that provide the service. A graphical user interface (GUI) enabling a user to indicate a sensitivity setting can be displayed. A user input indicating the sensitivity setting can be received via the GUI. Zero or more of the values can be identified as anomalies in consideration of the sensitivity setting indicated by the user input.

IPC Classes

  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • G06F 3/0488 - Interaction techniques based on graphical user interfaces [GUI] using specific features provided by the input device, e.g. functions controlled by the rotation of a mouse with dual sensing arrangements, or of the nature of the input device, e.g. tap gestures based on pressure sensed by a digitiser using a touch-screen or digitiser, e.g. input of commands through traced gestures
  • G06F 16/24 - Querying
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries

69.

Custom time series models in computer analytics systems

      
Application Number 18112410
Grant Number 11875275
Status In Force
Filing Date 2023-02-21
First Publication Date 2024-01-16
Grant Date 2024-01-16
Owner Splunk Inc. (USA)
Inventor
  • Ghosh, Koulick
  • Tsironis, George

Abstract

A custom use case framework in a computer analytics system is shown and described. The custom use case framework includes a custom model creation wizard interface that guides a user through submitting custom model parameters of a custom model definition. The computing system transforms custom model parameters of the custom model definition into a custom model. The custom model is executed in an analytics system. Thus, one or more embodiments provide a simplified method for a user to generate a custom model that is executable by a computer system.

70.

Combined real-time and batch threat detection

      
Application Number 18167040
Grant Number 11876821
Status In Force
Filing Date 2023-02-09
First Publication Date 2024-01-16
Grant Date 2024-01-16
Owner SPLUNK INC. (USA)
Inventor
  • Pratt, Robert Winslow
  • Bulusu, Ravi Prasad

Abstract

First event data indicative of a first activity on a computer network, and second event data indicative of a second activity on the computer network, are received. A first machine learning anomaly detection model is applied to the first event data, by a real-time analysis engine operated by the threat indicator detection system in real time, to detect first anomaly data. A second machine learning anomaly detection model is applied to the first anomaly data and the second event data, by a batch analysis engine operated by the threat indicator detection system in a batch mode, to detect second anomaly data. A third anomaly is detected using an anomaly detection rule. The threat indicator system processes the first anomaly data, the second anomaly data, and the third anomaly data using a threat indicator model to identify a threat indicator associated with a potential security threat to the computer network.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
  • H04L 9/40 - Network security protocols
  • G06N 20/00 - Machine learning

71.

Generating search commands based on selected search options

      
Application Number 17952950
Grant Number 11868158
Status In Force
Filing Date 2022-09-26
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner Splunk Inc. (USA)
Inventor
  • Burke, Cory Eugene
  • Feeney, Katherine Kyle
  • Lamas, Divanny I.
  • Robichaud, Marc Vincent
  • Ness, Matthew G.
  • Lee, Clara E.

Abstract

In embodiments of field value search drill down, a search system exposes a search interface that displays one or more events returned as a search result set. A field-value pair can be emphasized in the field-value pairs of an event displayed in the search interface, and a menu is displayed with search options that are selectable to operate on the emphasized field-value pair of the event. The menu includes the search options to add search criteria of the emphasized field-value pair to a search command in a search bar of the search interface, exclude the search criteria of the emphasized field-value pair from a search, or create a new data search based on the emphasized field-value pair. A selection of one of the search options in the menu can be received, and the search command in the search bar is updated based on the search option that is selected.

IPC Classes

  • G06F 7/00 - Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F 3/04842 - Selection of displayed objects or displayed text elements
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06F 16/242 - Query formulation
  • G06F 16/248 - Presentation of query results
  • G06F 16/25 - Integrating or interfacing systems involving database management systems
  • G06F 16/951 - Indexing; Web crawling techniques
  • G06F 16/2455 - Query execution
  • G06F 40/18 - Editing, e.g. inserting or deleting using ruled lines of spreadsheets
  • G06V 10/22 - Image preprocessing by selection of a specific region containing or referencing a pattern; Locating or processing of specific regions to guide the detection or recognition
  • G06F 3/04847 - Interaction techniques to control parameter settings, e.g. interaction with sliders or dials
  • G06F 9/451 - Execution arrangements for user interfaces

72.

Generating metrics values at component levels of a monolithic application and of a microservice of a microservices-based architecture

      
Application Number 17698851
Grant Number 11868234
Status In Force
Filing Date 2022-03-18
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner SPLUNK Inc. (USA)
Inventor
  • Agarwal, Mayank
  • Karis, Steven
  • Smith, Justin

Abstract

Monitoring and troubleshooting tools provide the capability to visualize different levels of a client's application that is deployed as a suite of independent but cooperating services (e.g., an application that includes a monolithic application and a microservices-based application), collect values of monitored or tracked metrics at those different levels, and visualize values of the metrics at those levels. For example, metrics values can be generated for components of the monolithic application and/or for components of a microservice of the microservice-based application.

IPC Classes

  • G06F 11/36 - Preventing errors by testing or debugging of software

73.

Graphical user interface for extracting from extracted fields

      
Application Number 17809830
Grant Number 11868364
Status In Force
Filing Date 2022-06-29
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner Splunk Inc. (USA)
Inventor Robichaud, Marc Vincent

Abstract

First one or more values are extracted from a plurality of events using a first extraction rule. The extracted first one or more values are assigned to a first field of the plurality of events as a first set of field-data item pairs. Second one or more values are extracted from the plurality of the events using a second extraction rule. The second extraction rule identifies the second one or more values and a field label corresponding to the second one or more values in the extracted first one or more values of the first set of field-data item pairs. The extracted second one or more values are assigned to a second field of the plurality of events as a second set of field-data item pairs. The field label extracted using the second extraction rule or a modified version thereof may be assigned to the second field.

IPC Classes

  • G06F 16/25 - Integrating or interfacing systems involving database management systems
  • G06F 16/31 - Indexing; Data structures therefor; Storage structures
  • G06F 11/32 - Monitoring with visual indication of the functioning of the machine
  • G06F 11/30 - Monitoring
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation

74.

Identifying attack behavior based on scripting language activity

      
Application Number 17347278
Grant Number 11870795
Status In Force
Filing Date 2021-06-14
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner SPLUNK INC. (USA)
Inventor
  • Zadeh, Joseph Auguste
  • Soto, Rodolfo
  • Chandrasekaran, Madhupreetha
  • Li, Yijiang

Abstract

Techniques for identifying attack behavior based on scripting language activity are disclosed. A security monitoring system generates a behavior profile for a first client device based on scripting language commands included in a first set of raw machine data received from the first client device, where the first client device is coupled to a network, and the first set of raw machine data is associated with network traffic received by or transmitted from the first client device. The security monitoring system analyzes a second set of raw machine data received from the first client device, where the second set of raw machine data is associated with subsequent network traffic received by or transmitted from the first client device. The security monitoring system detects an anomaly in the second set of raw machine data based on the behavior profile, and initiates a mitigation action in response to detecting the anomaly.

75.

Identifying automated responses to security threats based on communication interactions content

      
Application Number 17710523
Grant Number 11870802
Status In Force
Filing Date 2022-03-31
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner Splunk Inc. (USA)
Inventor
  • Satish, Sourabh
  • Friedrichs, Oliver
  • Mahadik, Atif
  • Salinas, Govind

Abstract

Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • H04L 47/2425 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting services specification, e.g. SLA

76.

Monitoring service-level performance using defined searches of machine data

      
Application Number 17121692
Grant Number 11868404
Status In Force
Filing Date 2020-12-14
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner Splunk Inc. (USA)
Inventor
  • Boe, Brent
  • Bingham, Brian
  • Coates, John Robert
  • Fletcher, Tristan Antonio

Abstract

One or more processing devices cause display of a user interface that identifies a service definition representing a service, receive input identifying an entity, where the service is performed at least in part by the entity, and store the service definition representing the service in association with an entity definition representing the entity. The entity definition comprises information identifying data pertaining to the entity in a datastore of machine data that reflects activity in an information technology environment produced by a plurality of components of the information technology environment. The one or more processing devices receive input pertaining to a search definition representing a search producing a measure of the service, and store the search definition representing the search, where the search produces the measure of the service using at least a portion of the data pertaining to the entity.

IPC Classes

  • G06F 15/173 - Interprocessor communication using an interconnection network, e.g. matrix, shuffle, pyramid, star or snowflake
  • G06F 16/903 - Querying
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • G06F 16/26 - Visual data mining; Browsing structured data
  • G06F 16/248 - Presentation of query results
  • G06F 16/25 - Integrating or interfacing systems involving database management systems
  • G06F 16/33 - Querying
  • G06F 16/951 - Indexing; Web crawling techniques
  • G06F 16/2455 - Query execution
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures
  • G06F 16/9038 - Presentation of query results
  • G06F 16/9535 - Search customisation based on user profiles and personalisation
  • G06F 16/2453 - Query optimisation
  • H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
  • G06F 11/32 - Monitoring with visual indication of the functioning of the machine
  • G06Q 10/0637 - Strategic management or analysis, e.g. setting a goal or target of an organisation; Planning actions based on goals; Analysis or evaluation of effectiveness of goals
  • H04L 41/0213 - Standardised network management protocols, e.g. simple network management protocol [SNMP]
  • H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
  • H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
  • G06F 3/04842 - Selection of displayed objects or displayed text elements
  • G06F 9/54 - Interprogram communication
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network
  • G06F 3/04817 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance using icons
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
  • G06F 3/0481 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance
  • G06F 3/04847 - Interaction techniques to control parameter settings, e.g. interaction with sliders or dials
  • H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
  • H04L 43/04 - Processing captured monitoring data, e.g. for logfile generation
  • H04L 43/16 - Threshold monitoring
  • H04L 43/55 - Testing of service level quality, e.g. simulating service usage
  • H04L 43/091 - Measuring contribution of individual network components to actual service level
  • H04L 67/51 - Discovery or management thereof, e.g. service location protocol [SLP] or web services
  • H04L 69/329 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
  • G06T 11/20 - Drawing from basic elements, e.g. lines or circles

77.

Techniques for compiling and presenting query results

      
Application Number 17468428
Grant Number 11868411
Status In Force
Filing Date 2021-09-07
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner SPLUNK INC. (USA)
Inventor Panuganty, Ramesh

Abstract

Improved crawling and curation of data and metadata from diverse data sources is described. In some embodiments, improvements are achieved by interpreting the context, vocabulary and relationships of data elements to enable relational data search capability for users. The user querying process is improved by systematic identification of the data objects, context, and relationships across data objects and elements, aggregation methods and operators on the data objects and data elements as identified in the curation process. User query suggestions and recommendations can be adjusted based on the context, relationships between the data elements, user profile, and the data sources. When the user query is executed, the query text is translated into an equivalent of one or more query statements, such as SQL or PostGre statements, and the query is performed on the identified data sources. Results are assembled to present the answer in a meaningful visualization for the user query.

78.

Identification of related event groups for IT service monitoring system

      
Application Number 18125994
Grant Number 11870558
Status In Force
Filing Date 2023-03-24
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner Splunk Inc. (USA)
Inventor
  • Bettaiah, Vineetha
  • Fletcher, Tristan Antonio
  • Lazerowitz, Ross Andrew
  • Choudhary, Hemendra Singh

Abstract

An example method of identification of related event groups for a service monitoring system includes: receiving a sample set of events from a service monitoring system; choosing, based on the sample set of events, a set of fieldnames for defining factors; generating a plurality of event group definitions, wherein each event group definition of the plurality of event group definitions comprises a plurality of factors, wherein each factor of the plurality of factors is represented by a respective fieldname-value pair of an event of the sample set of events, wherein a fieldname of the respective fieldname-value pair is selected from the set of fieldnames; and determining, based on the plurality of event group definitions, one or more event groups for a plurality of events.

IPC Classes

  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • H04L 43/04 - Processing captured monitoring data, e.g. for logfile generation
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 16/2457 - Query processing with adaptation to user needs
  • G06F 40/174 - Form filling; Merging
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
  • G06F 40/177 - Editing, e.g. inserting or deleting using ruled lines

79.

Graphical user interface for presenting crash data

      
Application Number 17963637
Grant Number 11860717
Status In Force
Filing Date 2022-10-11
First Publication Date 2024-01-02
Grant Date 2024-01-02
Owner Splunk Inc. (USA)
Inventor Polychronis, Konstantinos

Abstract

Various methods and systems for tracking incomplete purchases in correlation with application performance, such as application errors or crashes, are provided. In this regard, aspects of the invention facilitate monitoring transaction and application error events and analyzing data associated therewith to identify data indicating an impact of incomplete purchases in relation to an error(s) such that application performance can be improved. In various implementations, application data associated with an application installed on a mobile device is received. The application data is used to determine that an error that occurred in association with the application installed on the mobile device correlates with an incomplete monetary transaction initiated via the application. Based on the error correlating with the incomplete monetary transaction, a transaction attribute associated with the error is determined.

IPC Classes

  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance

80.

Decoding distributed ledger transaction records

      
Application Number 17091531
Grant Number 11860858
Status In Force
Filing Date 2020-11-06
First Publication Date 2024-01-02
Grant Date 2024-01-02
Owner Splunk Inc. (USA)
Inventor
  • Mckervey, Nathaniel G.
  • Moore, Ryan
  • Puchbauer, Siegfried
  • Toulme, Antoine

Abstract

Systems and methods for decoding distributed ledger transactions by data intake and query systems. An example method includes: receiving a transaction of a distributed ledger, wherein the transaction includes transaction data and an identifier of an account of the distributed ledger; receiving a bytecode module, wherein the bytecode module is associated with the account of the distributed ledger; computing a bytecode digital fingerprint associated with the bytecode module; identifying, among a plurality of stored application binary interface (ABI) definitions, an ABI definition having an ABI digital fingerprint that matches the bytecode digital fingerprint; and producing decoded transaction data by decoding, using the identified ABI definition, the transaction data.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/23 - Updating
  • G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems

81.

Tracking event records across multiple search sessions

      
Application Number 17526606
Grant Number 11860881
Status In Force
Filing Date 2021-11-15
First Publication Date 2024-01-02
Grant Date 2024-01-02
Owner Splunk Inc. (USA)
Inventor
  • Zhang, Steve Yu
  • Sorkin, Stephen Phillip

Abstract

A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.

IPC Classes

  • G06F 16/00 - Information retrieval; Database structures therefor; File system structures therefor
  • G06F 16/2457 - Query processing with adaptation to user needs
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06F 16/24 - Querying
  • G06F 16/182 - Distributed file systems
  • G06F 16/248 - Presentation of query results
  • G06F 16/33 - Querying
  • G06F 16/951 - Indexing; Web crawling techniques
  • G06F 16/23 - Updating
  • G06F 16/2455 - Query execution
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/9038 - Presentation of query results
  • G06F 16/9535 - Search customisation based on user profiles and personalisation
  • G06F 16/9032 - Query formulation
  • H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
  • H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

82.

Identifying buckets for query execution using a catalog of buckets

      
Application Number 17233193
Grant Number 11860940
Status In Force
Filing Date 2021-04-16
First Publication Date 2024-01-02
Grant Date 2024-01-02
Owner Splunk Inc. (USA)
Inventor
  • Batsakis, Alexandros
  • Mathew, Ashish
  • Pride, Christopher Madden
  • Aleti, Bharath Kishore Reddy
  • Pal, Sourav
  • Bhattacharjee, Arindam
  • Monschke, James

Abstract

Systems and methods are disclosed for processing and executing queries in a data intake and query system. The data intake and query system receives a query identifying a set of data to be processed and a manner of processing the set of data. The data intake and query system uses a search node catalog to identify search nodes that are available to execute the query and uses a bucket catalog to identify buckets to be searched. The data intake and query system executes the query using the identified bucket and search nodes.

IPC Classes

  • G06F 16/901 - Indexing; Data structures therefor; Storage structures
  • G06F 16/903 - Querying
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries

83.

Streaming data visualizations

      
Application Number 17085954
Grant Number 11861767
Status In Force
Filing Date 2020-10-30
First Publication Date 2024-01-02
Grant Date 2024-01-02
Owner SPLUNK INC. (USA)
Inventor
  • Kong, Kelly
  • Mcintyre, Steven Shaun

Abstract

A device executes a visualization application program on a processor. Via the visualization application, a technique for visualizing data paths is performed. The technique includes receiving a data structure from a data intake and query system, where the data stream includes event stream data associated with the data path. The data path includes a set of entities, including an origin entity and a destination entity. The technique further includes generating visualizations of the origin entity, destination entity, and the event stream data. The visualization of the event stream data includes visualizations of events streaming between the visualization of the origin entity and visualization of the destination entity. The technique also includes causing the visualizations of the origin entity, destination entity, and the event stream data to be presented in an extended reality environment.

84.

Generating event streams including modified network data monitored by remote capture agents

      
Application Number 17578206
Grant Number 11863408
Status In Force
Filing Date 2022-01-18
First Publication Date 2024-01-02
Grant Date 2024-01-02
Owner Splunk Inc. (USA)
Inventor Dickey, Michael

Abstract

The disclosed embodiments provide a method and system for processing network data. During operation, the system obtains, at a remote capture agent, configuration information for the remote capture agent from a configuration server over a network. Next, the system uses the configuration information to configure the generation of event data from network data obtained from network packets at the remote capture agent. The system then uses the configuration information to configure transformation of the event data or the network data into transformed event data at the remote capture agent.

IPC Classes

  • H04L 43/04 - Processing captured monitoring data, e.g. for logfile generation
  • H04L 41/0853 - Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
  • H04L 41/046 - Network management architectures or arrangements comprising network management agents or mobile agents therefor
  • H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
  • H04L 43/106 - Active monitoring, e.g. heartbeat, ping or trace-route using time related information in packets, e.g. by adding timestamps

85.

Aggregating metrics for workflows associated with a real user session

      
Application Number 17390614
Grant Number 11860760
Status In Force
Filing Date 2021-07-30
First Publication Date 2024-01-02
Grant Date 2024-01-02
Owner SPLUNK Inc. (USA)
Inventor
  • Agarwal, Mayank
  • Sehgal, Shashwat
  • Smith, Justin
  • Tagatac, David
  • Vasudevan, Rashmi Kalyani
  • Wundes, John Bennett

Abstract

A method of aggregating metrics associated with a user interaction during a real user session comprises identifying a span comprising a tag associated with a workflow from ingested spans associated with the real user session, where the workflow comprises spans generated in response to the user interaction. The method also comprises identifying other spans associated with the workflow from the ingested spans. The method further comprises grouping the other spans associated with the workflow with the tagged span and aggregating metrics for the workflow over a duration of time.

IPC Classes

  • G06F 16/00 - Information retrieval; Database structures therefor; File system structures therefor
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
  • G06F 11/32 - Monitoring with visual indication of the functioning of the machine
  • G06F 16/23 - Updating

86.

Performance monitoring using correlation search with triggering conditions

      
Application Number 17835542
Grant Number 11853361
Status In Force
Filing Date 2022-06-08
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner Splunk Inc. (USA)
Inventor
  • Choudhary, Hemendra Singh
  • Fletcher, Tristan Antonio
  • Bingham, Brian John
  • Hsiao, Fang I.
  • Reyes, Brian

Abstract

A service monitoring system executing on one or more processors may have operations that are determined by control information. Control over the operation of the service monitoring system can be exerted through the use of a graphical interface. The graphical interface may present the control information of a new or existing correlation search definition for user interaction. The service monitoring system may maintain a data store of key performance indicator (KPI) data, where a KPI value in the data store is produced by a KPI-defining search query that derives the value from machine data associated with one or more entities that perform a monitored service. A correlation search definition of the service monitoring system determines how a search of the KPI data is conducted, how its data is evaluated to determine whether a triggering condition has been met, and, if so, determines what triggered action is to be initiated.

IPC Classes

  • H04L 43/16 - Threshold monitoring
  • G06F 9/54 - Interprogram communication
  • H04L 43/04 - Processing captured monitoring data, e.g. for logfile generation
  • H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
  • H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
  • H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
  • H04L 67/51 - Discovery or management thereof, e.g. service location protocol [SLP] or web services
  • G06F 16/951 - Indexing; Web crawling techniques
  • G06F 16/9535 - Search customisation based on user profiles and personalisation
  • G06F 16/25 - Integrating or interfacing systems involving database management systems
  • G06F 3/04847 - Interaction techniques to control parameter settings, e.g. interaction with sliders or dials
  • G06F 3/0481 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance
  • G06Q 10/0637 - Strategic management or analysis, e.g. setting a goal or target of an organisation; Planning actions based on goals; Analysis or evaluation of effectiveness of goals
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures
  • G06F 16/248 - Presentation of query results
  • G06F 16/2453 - Query optimisation
  • G06F 3/04842 - Selection of displayed objects or displayed text elements
  • G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
  • G06F 16/903 - Querying
  • G06F 3/04817 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance using icons
  • G06F 16/26 - Visual data mining; Browsing structured data
  • G06F 16/2455 - Query execution
  • H04L 69/329 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
  • H04L 41/0213 - Standardised network management protocols, e.g. simple network management protocol [SNMP]
  • G06F 16/33 - Querying
  • G06F 16/9038 - Presentation of query results
  • G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
  • H04L 43/091 - Measuring contribution of individual network components to actual service level
  • H04L 43/55 - Testing of service level quality, e.g. simulating service usage
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network
  • G06F 11/32 - Monitoring with visual indication of the functioning of the machine
  • G06T 11/20 - Drawing from basic elements, e.g. lines or circles

87.

Animated visualizations of network activity across network address spaces

      
Application Number 17528963
Grant Number 11855863
Status In Force
Filing Date 2021-11-17
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner Splunk Inc. (USA)
Inventor
  • Cavuto, David J.
  • Shcherbakov, Vladimir A.
  • Mak, Joshua H.
  • Hsiao, Fang I.

Abstract

Techniques and mechanisms are disclosed for generating visualizations which graphically depict network activity occurring between pairs of networked computing devices. The visualizations are based on data indicating the network activity, where the network activity can involve devices having any network addresses within an entire network address space (e.g., any address within the Internet Protocol version 4 (IPv4) or IPv6 network address space), or within some subset of an entire network address space. The ability to visualize high-level information related to network activity occurring across an entire network address space enables network analysts and other users to readily analyze characteristics of computer networks which otherwise might not be evident or might be difficult to obtain using other types of visualizations.

IPC Classes

  • H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
  • H04L 43/106 - Active monitoring, e.g. heartbeat, ping or trace-route using time related information in packets, e.g. by adding timestamps
  • H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters

88.

Enabling role-based operations to be performed on machine data in a machine environment

      
Application Number 17677760
Grant Number 11855998
Status In Force
Filing Date 2022-02-22
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner SPLUNK INC. (USA)
Inventor
  • Das, Robin Kumar
  • Ago, Ledio
  • Shanaghy, Declan Gerald
  • Gupta, Gaurav

Abstract

Embodiments are directed towards a system and method for a cloud-based front end that may abstract and enable access to the underlying cloud-hosted elements and objects that may be part of a multi-tenant application, such as a search application. Search objects may be employed to access indexed objects. An amount of indexed data accessible to a user may be based on an index storage limit selected by the user, such that data that exceeds the index storage limit may continue to be indexed. Also, one or more projects can be elastically scaled for a user to provide resources that may meet the specific needs of each project.

IPC Classes

  • G06F 16/21 - Design, administration or maintenance of databases
  • H04L 9/40 - Network security protocols
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 16/13 - File access structures, e.g. distributed indices
  • G06F 16/16 - File or folder operations, e.g. details of user interfaces specifically adapted to file systems
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures
  • G06F 16/951 - Indexing; Web crawling techniques
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
  • G06Q 20/14 - Payment architectures specially adapted for billing systems
  • H04L 12/14 - Charging arrangements
  • H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
  • G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

89.

Data stream generation based on sourcetypes associated with messages

      
Application Number 17411357
Grant Number 11853303
Status In Force
Filing Date 2021-08-25
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner Splunk Inc. (USA)
Inventor
  • Oliner, Adam
  • Sammer, Eric
  • Curtis, Kristal
  • Nguyen, Nghi

Abstract

As described herein, a portion of machine data of a message may be analyzed to infer, using an inference model, a sourcetype of the message. The portion of machine data may be generated by one or more components in an information technology environment. Based on the inference, a set of extraction rules associated with the sourcetype may be selected. Each extraction rule may define criteria for identifying a sub-portion of text from the portion of machine data of the message to produce a value. The set of extraction rules may be applied to the portion of machine data of the message to produce a result set that indicates a number of values identified using the set of extraction rules. Based on the result set, at least one action may be performed on one or more of inference data associated with the inference model and one or more messages.

90.

Data structure navigator

      
Application Number 16863657
Grant Number 11853330
Status In Force
Filing Date 2020-04-30
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner Splunk Inc. (USA)
Inventor
  • Bannon, Ann
  • Chan, Calvin
  • Kasthurirangan, Nikhil
  • Kittipatkul, Park
  • Mamidpalliwar, Kunal
  • Nuttbrown, Alexandra
  • Ophir, Eyal
  • Pinn, Caitlin Jessica Yolanda
  • Tortell, Rebecca
  • Vashistha, Harsh
  • Yu, Janet W.

Abstract

According to embodiments, a method for navigating clusters of a data structure includes gathering data from the data structure by instrumenting instances of application software executing on the data structure. The method also includes identifying clusters of the data structure based on the gathered data. The method also includes causing display of a cluster map of the data structure, the cluster map comprising a plurality of clusters, each cluster of the plurality of clusters comprising a plurality of nodes, each node of the plurality of nodes comprising a plurality of pods, each pod of the plurality of pods comprising a plurality of containers. The method also includes providing a status for each node, each pod, and each container of each cluster. The method also includes causing display of analysis of each cluster of the cluster map, the analysis comprising granular information for each cluster.

IPC Classes

  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus

91.

Generating extended reality views based on user-based filters

      
Application Number 16399997
Grant Number 11853366
Status In Force
Filing Date 2019-04-30
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner SPLUNK INC. (USA)
Inventor
  • Bhushan, Devin
  • Chor, Jesse
  • Wong, Glen

Abstract

Various embodiments of the present application set forth a computer-implemented method comprising detecting a tag associated with a real-world object, determining an object identifier (ID) associated with the tag, determining a first user role associated with a user of an XR environment, receiving a set of values associated with the object ID and the user role from a data source, wherein the set of values is provided by the data source based on the object ID and on a query executed on raw machine data associated with the real-world object, and displaying, by a client device within the XR environment, a visualization that displays the set of values.

92.

Identifying and preserving evidence of an incident within an information technology operations platform

      
Application Number 17869693
Grant Number 11853367
Status In Force
Filing Date 2022-07-20
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner Splunk Inc. (USA)
Inventor
  • Satish, Sourabh
  • Wayman, David
  • Varadarajan, Kavita

Abstract

Techniques are described for enabling analysts and other users of an IT operations platform to identify certain data objects managed by the platform (for example, events, files, notes, actions results, etc.) as “evidence” when such data objects are believed to be of particular significance to an investigation or other matter. For example, an event generated based on data ingested from an anti-virus service and representing a security-related incident might include artifacts indicating an asset identifier, a hash value of a suspected malicious file, a file path on the infected endpoint, and so forth. An analyst can use various interfaces and interface elements of an IT operations platform to indicate which of such events and/or artifacts, if any, represent evidence in the context of the investigation that the analyst is conducting. In response, the IT operations platform can perform various automated actions.

IPC Classes

  • G06F 16/906 - Clustering; Classification
  • H04L 9/40 - Network security protocols
  • G06F 16/9038 - Presentation of query results
  • G06F 16/11 - File system administration, e.g. details of archiving or snapshots
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • G06F 16/907 - Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually

93.

Data visualization workspace in an extended reality environment

      
Application Number 16264532
Grant Number 11853533
Status In Force
Filing Date 2019-01-31
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner SPLUNK INC. (USA)
Inventor
  • Chor, Jesse
  • Daly, Colin
  • Kong, Kelly
  • Wong, Glen

Abstract

A device that includes an extended reality application is employed by a user to access an extended reality environment. A selection of a first user interface object included in a plurality of user interface objects displayed in the extended reality environment is received via an input device associated with the extended reality environment. Each user interface object included in the plurality of user interface objects is associated with a different set of dashboard panels. At least a first portion of a first set of dashboard panels associated with the first user interface object is displayed in a foreground area of a workspace of the XR environment. The foreground area has a first depth relative to a user viewpoint within the XR environment. The workspace further comprises a background area having a second depth relative to the user viewpoint within the XR environment.

IPC Classes

  • G06F 3/048 - Interaction techniques based on graphical user interfaces [GUI]
  • G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
  • G06F 3/0481 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance

94.

Geofence-based object identification in an extended reality environment

      
Application Number 15965799
Grant Number 11847773
Status In Force
Filing Date 2018-04-27
First Publication Date 2023-12-19
Grant Date 2023-12-19
Owner SPLUNK INC. (USA)
Inventor
  • Chor, Jesse
  • Emery, Michael
  • Chan, Christopher
  • Wong, Glen
  • Bhushan, Devin

Abstract

A mobile device that includes a camera and an extended reality software application program is employed by a user in an operating environment, such as an industrial environment. One or more objects within a geofence may be identified. A device crosses within the geofence and acquires sensor data associated with an object within the geofence. The sensor data may include image data and/or audio data. The device or a server system may then determine an object identifier associated with the object based on a comparison of the sensor data with data associated with object identifiers corresponding to objects within the geofence. Based on the object identifier, data associated with the object are obtained. The data associated with the object may be presented via the device, such as an extended reality overlay over a view of the object in the device.

IPC Classes

  • G06T 7/00 - Image analysis
  • G06V 20/20 - Scenes; Scene-specific elements in augmented reality scenes
  • H04W 4/021 - Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
  • H04W 4/38 - Services specially adapted for particular environments, situations or purposes for collecting sensor information
  • G06F 16/583 - Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually using metadata automatically derived from the content
  • H04L 67/131 - Protocols for games, networked simulations or virtual reality
  • G06N 7/01 - Probabilistic graphical models, e.g. probabilistic networks
  • G06V 30/19 - Recognition using electronic means

95.

Real-time collaborative data visualization and interaction

      
Application Number 17390742
Grant Number 11847133
Status In Force
Filing Date 2021-07-30
First Publication Date 2023-12-19
Grant Date 2023-12-19
Owner SPLUNK INC. (USA)
Inventor
  • Chan, Christopher Yan-Loon
  • Fong, James
  • Gao, Eason Yicheng
  • Manek, Dhruvkumar
  • Nguyen, Syndey
  • Xu, Henry Maozhong

Abstract

In various embodiments, a computer-implemented method comprises receiving an artifact manifest representing at least a portion of a shared session between a first application and at least a second application, where the artifact manifest identifies a set of data visualization artifacts that are generated by the first application, transmitting the artifact manifest to the second application, receiving, from the second application accessing the shared session, a modification to a first data visualization artifact in the set of data visualization artifacts, and causing, based on the modification, the first data visualization artifact to be updated by the first application.

IPC Classes

  • G06F 16/26 - Visual data mining; Browsing structured data
  • G06T 11/20 - Drawing from basic elements, e.g. lines or circles
  • H04L 65/401 - Support for services or applications wherein the services involve a main real-time session and one or more additional parallel real-time or time sensitive sessions, e.g. white board sharing or spawning of a subconference
  • G06F 16/2452 - Query translation

96.

Extraction rule determination based on user-selected text

      
Application Number 17964556
Grant Number 11841908
Status In Force
Filing Date 2022-10-12
First Publication Date 2023-12-12
Grant Date 2023-12-12
Owner Splunk Inc. (USA)
Inventor
  • Robichaud, Marc Vincent
  • Burke, Cory Eugene Eugene
  • Lloyd, Jeffrey Thomas

Abstract

Based on a selection by a user of first one or more values of one or more events displayed in a graphical interface, an extraction rule is automatically determined that is capable of extracting a field label-value pair at least partially within at least the selected one or more values. An option is displayed that corresponds to the determined extraction rule in the graphical interface. Based on the user selecting the option in the graphical interface, display is caused of second one or more values of one or more field label-value pairs extracted from the one or more events using the extraction rule. The one or more events may be displayed in a table format, and the first one or more values may be selected by the user selecting one or more cells, columns, or text portions in the table format.

IPC Classes

  • G06F 16/93 - Document management systems
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • G06F 16/242 - Query formulation
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/248 - Presentation of query results
  • G06F 16/9038 - Presentation of query results

97.

Interface for data visualizations on a wearable device

      
Application Number 17948073
Grant Number 11842118
Status In Force
Filing Date 2022-09-19
First Publication Date 2023-12-12
Grant Date 2023-12-12
Owner SPLUNK INC. (USA)
Inventor
  • Chen, Mingyuan
  • Conway, Dylan Patricia
  • Tam, Simon

Abstract

Various embodiments of the present application set forth a computer-implemented method that includes transmitting, by a wearable device, a first request that includes a first set of parameters, receiving, by the wearable device, a first set of values based on the first set of parameters, wherein the first set of values are provided by a first data source, displaying, by the wearable device, a first dashboard that includes a first visualization associated with the first set of values, determining that a first physical interaction with a first physical input device associated with the wearable device occurred, and in response to the first physical interaction, causing the first visualization to display a first data value included in the first set of values.

IPC Classes

  • G06F 3/04847 - Interaction techniques to control parameter settings, e.g. interaction with sliders or dials
  • G06F 3/14 - Digital output to display device
  • G06F 3/03 - Arrangements for converting the position or the displacement of a member into a coded form
  • G04G 9/08 - Visual time or date indication means by building-up characters using a combination of indicating elements, e.g. by using multiplexing techniques
  • G06F 16/248 - Presentation of query results
  • G04G 21/00 - Input or output devices integrated in time-pieces
  • G06F 16/2455 - Query execution

98.

Providing machine learning models for classifying domain names for malware detection

      
Application Number 17072921
Grant Number 11843622
Status In Force
Filing Date 2020-10-16
First Publication Date 2023-12-12
Grant Date 2023-12-12
Owner Splunk Inc. (USA)
Inventor
  • Tellez, Anthony G
  • Drieger, Philipp

Abstract

Techniques are described for providing users of a data intake and query system with pre-trained ML models capable of identifying malicious threats (e.g., malware, botnets, ransomware, etc.) in users' computing environments based on an analysis of Domain Name System (DNS) log data collected from DNS servers in users' environments. DNS log data is ingested by a data intake and query system and processed to obtain searchable timestamped event data. This event data can then be used as input to ML models provided by a security ML application described herein to detect potential occurrences of malicious activity within users' computing environments.

99.

System and method of generation of a predictive analytics model and performance of centralized analytics therewith

      
Application Number 17866195
Grant Number 11843505
Status In Force
Filing Date 2022-07-15
First Publication Date 2023-12-12
Grant Date 2023-12-12
Owner Splunk Inc. (USA)
Inventor
  • Cruise, Alexander William
  • Ferstay, Daniel

Abstract

A computerized method is disclosed that includes operations of receiving one or more records, wherein each of the one or more records indicates a successful search query evaluation by at least one of a plurality of edge devices, building a predictive analytics model based on the one or more records, wherein the predictive analytics model is configured to perform operations configured to predict enrichment data that is to be needed by one or more edge devices in the future during evaluation of a future search query, performing predictive analytics using the predictive analytics model to determine predictive enrichment data, and transmitting a first response packet to a first edge device, wherein the first response packet includes the predictive enrichment data. The records may include one or more of a data stream identifier, a search query, or enrichment data that was required at a time the search query was evaluated.

IPC Classes

  • H04L 41/0686 - Additional information in the notification, e.g. enhancement of specific meta-data
  • H04L 41/147 - Network analysis or design for predicting network behaviour
  • G06F 16/953 - Querying, e.g. by the use of web search engines
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]

100.

FPGA search in a cloud compute node

      
Application Number 17725946
Grant Number 11835989
Status In Force
Filing Date 2022-04-21
First Publication Date 2023-12-05
Grant Date 2023-12-05
Owner SPLUNK Inc. (USA)
Inventor
  • Shum, Warren
  • Dai, Zefu

Abstract

Implementations described herein identify and exploit opportunities for offloading search-time and/or index-time operations to programmed offloading hardware accelerators (POHAs). An event-based data intake and query system is implemented in an enterprise core that is in communication with the POHAs over network interfaces. The system receives search requests associated with search-time operations classified into off-loadable operations and non-off-loadable operations. Non-off-loadable operations are distributed to local processing resources, and off-loadable operations are distributed to the POHAs for offloaded processing. The system can post-process both the locally processed and offload-processed results to generate search results responsive to at least some of the received search requests.

IPC Classes

  • G06F 9/38 - Concurrent instruction execution, e.g. pipeline, look ahead
  • G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]