公开(公告)号：US11144521B2

公开(公告)日：2021-10-12

申请号：US16519615

申请日：2019-07-23

Applicant: SPLUNK INC.

Inventor： David Ryan Marquardt ,  Mitchell Neuman Blank, Jr. ,  Stephen Phillip Sorkin

IPC: G06F16/00 ,  G06F16/22 ,  G06F16/2453 ,  G06F16/33 ,  G06F16/242 ,  G06F16/248 ,  G06F16/28 ,  G06F16/31 ,  G06F16/338 ,  G06F16/23 ,  G06F16/2458 ,  G06F16/2455

Abstract: Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name and evaluating the incoming search query. Furthermore, responsive to the evaluating, the method comprises determining results for the incoming search query using the field searchable datastore or the inverted index.

公开(公告)号：US10409794B2

公开(公告)日：2019-09-10

申请号：US15421297

申请日：2017-01-31

Applicant: SPLUNK INC.

Inventor： David Ryan Marquardt ,  Mitchell Neuman Blank, Jr. ,  Stephen Phillip Sorkin

IPC: G06F16/00 ,  G06F16/22 ,  G06F16/2453 ,  G06F16/33 ,  G06F16/242 ,  G06F16/248 ,  G06F16/28 ,  G06F16/31 ,  G06F16/338 ,  G06F16/23 ,  G06F16/2458 ,  G06F16/2455

Abstract: Embodiments are directed towards a method for searching data. The method comprises generating an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name. Furthermore, the method comprises generating results to the incoming search query based on the field searchable datastore, wherein the field searchable datastore is directly searchable by the field name.

公开(公告)号：US20150339308A1

公开(公告)日：2015-11-26

申请号：US14815880

申请日：2015-07-31

Applicant: Splunk Inc.

Inventor： Sundar Rengarajan Vasan ,  Mitchell Neuman Blank, Jr. ,  Vishal Patel ,  Da Xu ,  Rama Gopalan

IPC: G06F17/30

CPC classification number: G06F17/30528 ,  G06F3/0617 ,  G06F3/065 ,  G06F3/067 ,  G06F11/20 ,  G06F11/2094 ,  G06F17/30241 ,  G06F17/30336 ,  G06F17/30575 ,  G06F17/30581 ,  G06F17/30867 ,  G06F17/3087 ,  H04L67/1097

Abstract: Techniques are described for managing data within a multi-site clustered data intake and query system. A data intake and query system as described herein generally refers to a system for collecting, retrieving, and analyzing data. In this context, a clustered data intake and query system generally refers to a system environment that is configured to provide data redundancy and other features that improve the availability of data stored by the system. For example, a clustered data intake and query system may be configured to store multiple copies of data stored by the system across multiple components such that recovery from a failure of one or more of the components is possible by using copies of the data stored elsewhere in the cluster.

Abstract translation: 描述了用于管理多站点群集数据采集和查询系统中的数据的技术。 本文所述的数据采集和查询系统通常是指用于收集，检索和分析数据的系统。 在这种情况下，集群数据采集和查询系统通常是指被配置为提供数据冗余和提高系统存储的数据的可用性的其他特征的系统环境。 例如，集群数据采集和查询系统可以被配置为存储由多个组件存储的系统的多个副本，以便可以通过使用其他地方存储的数据的副本来从一个或多个组件的故障中恢复 集群。

公开(公告)号：US08977638B2

公开(公告)日：2015-03-10

申请号：US14034220

申请日：2013-09-23

Applicant: Splunk Inc.

Inventor： Amritpal Singh Bath ,  Mitchell Neuman Blank, Jr. ,  Vishal Patel ,  Stephen Phillip Sorkin

IPC: G06F17/30

CPC classification number: G06F17/30144 ,  G06F17/3015 ,  G06F17/30286

Abstract: Embodiments are directed towards managing and tracking item identification of a plurality of items to determine if an item is a new or existing item, where an existing item has been previously processed. In some embodiments, two or more item identifiers may be generated. In one embodiment, generating the two or more item identifiers may include analyzing the item using a small item size characteristic, a compressed item, or for an identifier collision. The two or more item identifiers may be employed to determine if the item is a new or existing item. In one embodiment, the two or more item identifiers may be compared to a record about an existing item to determine if the item is a new or existing item. If the item is an existing item, then the item may be further processed to determine if the existing item has actually changed.

Abstract translation: 实施例涉及管理和跟踪多个项目的项目识别以确定项目是否是新的或现有的项目，其中已经预先处理了现有项目。 在一些实施例中，可以生成两个或多个项目标识符。 在一个实施例中，生成两个或多个项目标识符可以包括使用小项目尺寸特征，压缩项目或标识符冲突来分析项目。 可以使用两个或更多个项目标识符来确定该项目是新的还是现有的项目。 在一个实施例中，两个或多个项目标识符可以与关于现有项目的记录进行比较，以确定该项目是新项目还是现有项目。 如果项目是现有项目，则可以进一步处理该项目以确定现有项目是否已经实际改变。

公开(公告)号：US11599547B2

公开(公告)日：2023-03-07

申请号：US17230646

申请日：2021-04-14

Applicant: SPLUNK INC.

Inventor： Vishal Patel ,  Mitchell Neuman Blank, Jr. ,  Sundar Renegarajan Vasan ,  Stephen Phillip Sorkin

IPC: G06F16/2457 ,  G06F16/9537 ,  G06F16/9535 ,  G06F16/22 ,  G06F16/27 ,  G06F16/29 ,  H04L67/1097 ,  G06F11/20 ,  G06F3/06

Abstract: A method of data replication in a clustered computing environment comprises receiving, at a selected indexer within a plurality of indexers in a cluster, data from a forwarder indexer, wherein the selected indexer is designated as a primary indexer for the data, wherein the primary indexer has primary responsibility for responding to search queries pertaining to the data, wherein the cluster comprises a plurality of sites. The method further comprises receiving, at the selected indexer, data replication instructions, wherein the data replication instructions comprise a number of other indexers in the cluster for storing a replicated copy of the data and further comprise a number of sites from the plurality of sites across which to store a replicated copy of the data determined in accordance with a site replication factor.

公开(公告)号：US09753974B2

公开(公告)日：2017-09-05

申请号：US13662984

申请日：2012-10-29

Applicant: SPLUNK INC.

Inventor： David Ryan Marquardt ,  Mitchell Neuman Blank, Jr. ,  Stephen Phillip Sorkin

IPC: G06F17/30

CPC classification number: G06F17/30442 ,  G06F17/30315 ,  G06F17/30321 ,  G06F17/30353 ,  G06F17/30401 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/30589 ,  G06F17/30622 ,  G06F17/30634 ,  G06F17/30696

Abstract: Embodiments are directed towards receiving and processing search queries directed towards relatively large sets of data. The data is stored in a record based datastore. From the stored data, field names, corresponding field values, and posting values may be determined. Posting values may be employed to locate records in the datastore that include the field names and field values. The field names, field values, and posting values may be employed to generate a lexicon. If queries are received, a lexicon query processor may employ the lexicon separate from the datastore to generate responses to the received queries. Queries may include clauses that may be processed using the lexicon separate from the datastore, such as, where clause expressions, group-by clause expressions, aggregation functions, or the like. A time values array may be used to enable queries to process group-by-time expressions that may return results grouped into sub-sets based on time ranges.

公开(公告)号：US20140025655A1

公开(公告)日：2014-01-23

申请号：US14034220

申请日：2013-09-23

Applicant: Splunk Inc.

Inventor： Amritpal Singh Bath ,  Mitchell Neuman Blank, Jr. ,  Vishal Patel ,  Stephen Phillip Sorkin

IPC: G06F17/30

CPC classification number: G06F17/30144 ,  G06F17/3015 ,  G06F17/30286

Abstract: Embodiments are directed towards managing and tracking item identification of a plurality of items to determine if an item is a new or existing item, where an existing item has been previously processed. In some embodiments, two or more item identifiers may be generated. In one embodiment, generating the two or more item identifiers may include analyzing the item using a small item size characteristic, a compressed item, or for an identifier collision. The two or more item identifiers may be employed to determine if the item is a new or existing item. In one embodiment, the two or more item identifiers may be compared to a record about an existing item to determine if the item is a new or existing item. If the item is an existing item, then the item may be further processed to determine if the existing item has actually changed.

Abstract translation: 实施例涉及管理和跟踪多个项目的项目识别以确定项目是否是新的或现有的项目，其中已经预先处理了现有项目。 在一些实施例中，可以生成两个或多个项目标识符。 在一个实施例中，生成两个或多个项目标识符可以包括使用小项目尺寸特征，压缩项目或标识符冲突来分析项目。 可以使用两个或更多个项目标识符来确定该项目是新的还是现有的项目。 在一个实施例中，两个或多个项目标识符可以与关于现有项目的记录进行比较，以确定该项目是新项目还是现有项目。 如果项目是现有项目，则可以进一步处理该项目以确定现有项目是否已经实际改变。

公开(公告)号：US08515963B1

公开(公告)日：2013-08-20

申请号：US13662337

申请日：2012-10-26

Applicant: Splunk Inc.

Inventor： Mitchell Neuman Blank, Jr. ,  Leonid Budchenko ,  R. David Carasso ,  Micah James Delfino ,  Johnvey Hwang ,  Stephen Phillip Sorkin ,  Eric Timothy Woo

IPC: G06F7/00 ,  G06F17/30

CPC classification number: G06F17/30867 ,  G06F3/0482 ,  G06F3/04842 ,  G06F3/0485 ,  G06F17/2705 ,  G06F17/30321 ,  G06F17/30507 ,  G06F17/30551 ,  G06F17/30554 ,  G06F17/3056 ,  G06F17/30619 ,  G06F17/30864

Abstract: Embodiments are directed towards previewing results generated from indexing data raw data before the corresponding index data is added to an index store. Raw data may be received from a preview data source. After an initial set of configuration information may be established, the preview data may be submitted to an index processing pipeline. A previewing application may generate preview results based on the preview index data and the configuration information. The preview results may enable previewing how the data is being processed by the indexing application. If the preview results are not acceptable, the configuration information may be modified. The preview application enables modification of the configuration information until the generated preview results may be acceptable. If the configuration information is acceptable, the preview data may be processed and indexed in one or more index stores.

Abstract translation: 实施例针对在将对应的索引数据添加到索引存储之前预览从索引数据原始数据生成的结果。 可以从预览数据源接收原始数据。 在可以建立一组初始配置信息之后，可以将预览数据提交给索引处理流水线。 预览应用可以基于预览索引数据和配置信息生成预览结果。 预览结果可能可以预览索引应用程序如何处理数据。 如果预览结果不可接受，则可以修改配置信息。 预览应用程序可以修改配置信息，直到生成的预览结果可以接受。 如果配置信息是可接受的，则预览数据可以在一个或多个索引存储中被处理和索引。

公开(公告)号：US11003644B2

公开(公告)日：2021-05-11

申请号：US16424311

申请日：2019-05-28

Applicant: SPLUNK INC.

Inventor： David Ryan Marquardt ,  Mitchell Neuman Blank, Jr. ,  Stephen Phillip Sorkin

IPC: G06F16/00 ,  G06F16/22 ,  G06F16/2453 ,  G06F16/33 ,  G06F16/242 ,  G06F16/248 ,  G06F16/28 ,  G06F16/31 ,  G06F16/338 ,  G06F16/23 ,  G06F16/2458 ,  G06F16/2455

Abstract: Embodiments are directed towards a method for searching data. The method comprises generating an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises receiving an incoming search query that references a field name. Furthermore, the method comprises generating results to the incoming search query based on the field searchable datastore, wherein the field searchable datastore is directly searchable by the field name.

公开(公告)号：US10860537B2

公开(公告)日：2020-12-08

申请号：US15663652

申请日：2017-07-28

Applicant: Splunk Inc.

Inventor： Amritpal Singh Bath ,  Mitchell Neuman Blank, Jr. ,  Vishal Patel ,  Stephen Phillip Sorkin

IPC: G06F17/30 ,  G06F16/17 ,  G06F16/20 ,  G06F16/174

Abstract: Embodiments are directed towards managing and tracking item identification of a plurality of items to determine if an item is a new or existing item, where an existing item has been previously processed. In some embodiments, two or more item identifiers may be generated. In one embodiment, generating the two or more item identifiers may include analyzing the item using a small item size characteristic, a compressed item, or for an identifier collision. The two or more item identifiers may be employed to determine if the item is a new or existing item. In one embodiment, the two or more item identifiers may be compared to a record about an existing item to determine if the item is a new or existing item. If the item is an existing item, then the item may be further processed to determine if the existing item has actually changed.