Network security investigation workflow logging
US-2017031565-A1 · Feb 2, 2017 · US
US10776377B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10776377-B2 |
| Application number | US-201815936356-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 26, 2018 |
| Priority date | Mar 26, 2018 |
| Publication date | Sep 15, 2020 |
| Grant date | Sep 15, 2020 |
Abstract
Systems and methods are disclosed for generating one or more journey instances from events having raw machine data associated with a timestamp. The system generates a user interface that includes field identifiers associated with the plurality of events for selection as one or more pivot identifiers and one or more step identifiers. Based on the one or more pivot identifiers, the system identifies related events that share a common field value, and based on the one or more step identifiers, the system groups the related events into a subset of events. Using the subset of events the system builds a journey instance.
Claims (preview)
What is claimed is:

1. A method, comprising: causing display of a user interface that includes a plurality of field identifiers associated with a plurality of events that satisfy a query, each event of the plurality of events comprising raw machine data associated with a time stamp; receiving at least one pivot identifier; generating a plurality of sets of events from the plurality of events, wherein the plurality of sets of events are generated based on the at least one pivot identifier; receiving a step identifier; grouping each set of events of the plurality of sets of events into one or more subsets of events, wherein each set of events of the plurality of sets of events is grouped based on the step identifier; building a plurality of journey instances, wherein each journey instance is built based on an ordering of one or more step instances of a respective set of events of the plurality of sets of events, wherein a step instance of the one or more step instances represents a subset of events of the one or more subsets of events; and building a journey model based on the plurality of journey instances.

2. The method of claim 1, wherein the plurality of field identifiers correspond to fields identified from one or more configuration files associated with the plurality of events.

3. The method of claim 1, further comprising: accessing one or more configuration files associated with the plurality of events; and identifying a plurality of field definitions in the one or more configuration files, wherein the plurality of field identifiers included in the user interface are based on the plurality of field definitions in the one or more configuration files.

4. The method of claim 1, wherein the plurality of field identifiers correspond to fields identified from one or more configuration files associated with the plurality of events, the method further comprising enabling identification, via the user interface, of one or more fields corresponding to the plurality of field identifiers as the at least one pivot identifier, the step identifier, or an attribute.

5. The method of claim 1, further comprising: enabling, via a selection of one or more field identifiers of the plurality of field identifiers, selection of one or more fields associated with the plurality of events as the at least one pivot identifier or the step identifier; and based on a selection of a field identifier of the one or more field identifiers, causing display of a plurality of field values for a field associated with the field identifier.

6. The method of claim 1, further comprising: enabling, via a selection of one or more field identifiers of the plurality of field identifiers, selection of one or more fields associated with the plurality of events as the at least one pivot identifier or the step identifier; identifying a plurality of field values for a field associated with a selected field identifier based on an inverted index associated with the plurality of events; and causing display, on the user interface, of at least a portion of the plurality of field values.

7. The method of claim 1, further comprising causing display of a visualization of a journey instance of the plurality of journey instances, wherein the visualization indicates the ordering of the one or more step instances used to build the journey instance.

8. The method of claim 1, further comprising causing display of a visualization of a journey instance of the plurality of journey instances, wherein the visualization indicates a transition between the one or more step instances used to build the journey instance.

9. The method of claim 1, further comprising: causing display of a visualization of at least two of the plurality of journey instances.

10. The method of claim 1, further comprising: filtering the plurality of journey instances to generate a filtered group of journey instances, wherein the plurality of journey instances are filtered based on an identification of a particular step, a particular transition to or from the particular step, or the particular transition to or from the particular step within a particular amount of time, wherein the particular step corresponds to one or more step instances used to build one or more of the plurality of journey instances; and causing display of a visualization of one or more of the filtered group of journey instances.

11. The method of claim 1, further comprising: filtering the plurality of journey instances to generate a filtered group of journey instances, wherein the plurality of journey instances are filtered based on a particular sequence of steps, wherein each journey instance of the filtered group of journey instances comprises a sequence of step instances that corresponds to the particular sequence of steps; and causing display of a visualization of the filtered group of journey instances.

12. The method of claim 1, further comprising: receiving an identification of a particular step; filtering the plurality of sets of events to generate a filtered group of sets of events, wherein the plurality of sets of events are filtered based on the particular step, wherein a set of events of the filtered group of sets of events includes one or more step instances that correspond to the particular step, and wherein a journey instance of the plurality of journey instances corresponds to the set of events of the filtered group of sets of events.

13. The method of claim 1, further comprising: receiving an identification of a particular step; filtering the plurality of sets of events to generate a filtered group of sets of events, wherein the plurality of sets of events are filtered based on the particular step, wherein a set of events of the filtered group of sets of events includes one or more step instances that occur after a step instance that corresponds to the particular step, and wherein a journey instance of the plurality of journey instances corresponds to the set of events of the filtered group of sets of events.

14. The method of claim 1, further comprising: receiving an identification of a particular step; filtering the plurality of sets of events to generate a filtered group of sets of events, wherein the plurality of sets of events are filtered based on the particular step, wherein a set of events of the filtered group of sets of events includes one or more step instances that occur before a step instance that corresponds to the particular step, and wherein a journey instance of the plurality of journey instances corresponds to the set of events of the filtered group of sets of events.

15. The method of claim 1, further comprising: receiving an identification of a particular step; filtering the plurality of sets of events to generate a filtered group of sets of events, wherein the plurality of sets of events are filtered based on the particular step, wherein a set of events of the filtered group of sets of events ends with a step instance that corresponds to the particular step, and wherein a journey instance of the plurality of journey instances corresponds to the set of events of the filtered group of sets of events.

16. The method of claim 1, further comprising: receiving an identification of a particular step; filtering the plurality of sets of events to generate a filtered group of sets of events, wherein the plurality of sets of events are filtered based on the particular step, wherein a set of events of the filtered group of sets of events begins with a step instance that corresponds to the particular step, and wherein
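The abstract and claim 1 describe a pipeline (pivot field selects sets of related events, step field splits each set into ordered step instances, the instances form a journey, the journeys feed a journey model), and claims 10 to 16 describe filters over the resulting journeys. The following is an added worked example of that pipeline over constructed security log lines; it is not code from the patent, its assignee, or any product. It assumes a simple `key=value` regex for field extraction (the patent describes fields coming from configuration files and inverted indexes, which are not modelled here), assumes that consecutive events sharing a step value merge into one step instance, and assumes the journey model is a count of step-to-step transitions. All names (`build_journeys`, `build_journey_model`, the filter helpers) and the sample events are hypothetical.

```python
"""Journey-instance construction from timestamped raw events.

Added example for this page; not the patent's or assignee's implementation.
Assumptions (not in the source): key=value field extraction, merging of
consecutive same-step events into one step instance, and a transition-count
journey model.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (raw machine data, each with a timestamp).
# Not real logs; chosen so that one user shows a brute-force-then-success pattern.
RAW_EVENTS = [
    "2024-01-05T09:00:01Z user=alice action=login_fail src=10.0.0.5",
    "2024-01-05T09:00:07Z user=alice action=login_fail src=10.0.0.5",
    "2024-01-05T09:00:15Z user=alice action=login_ok src=10.0.0.5",
    "2024-01-05T09:01:00Z user=alice action=privesc src=10.0.0.5",
    "2024-01-05T09:02:30Z user=alice action=logout src=10.0.0.5",
    "2024-01-05T09:10:00Z user=bob action=login_ok src=10.0.0.9",
    "2024-01-05T09:12:00Z user=bob action=logout src=10.0.0.9",
    "2024-01-05T09:20:00Z user=carol action=login_fail src=10.0.0.7",
    "2024-01-05T09:20:03Z user=carol action=login_fail src=10.0.0.7",
    "2024-01-05T09:20:05Z user=carol action=login_ok src=10.0.0.7",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # assumed extraction rule, not the patent's


def parse_event(raw):
    """Turn one raw line into an event dict: timestamp, raw text, extracted fields."""
    ts_str, _, rest = raw.partition(" ")
    event = {"_time": datetime.fromisoformat(ts_str.replace("Z", "+00:00")), "_raw": raw}
    event.update(FIELD_RE.findall(rest))  # list of (name, value) pairs
    return event


def field_identifiers(events):
    """Field names a UI could offer for selection as pivot or step (claim 1)."""
    names = set()
    for e in events:
        names.update(k for k in e if not k.startswith("_"))
    return sorted(names)


def build_journeys(events, pivot, step):
    """Claim 1: group events into sets by pivot value, order each set by time,
    split it into step instances by step value, and return one journey per
    pivot value as a list of (step_value, [events]) tuples."""
    sets = defaultdict(list)
    for e in events:
        if pivot in e and step in e:  # events lacking either field are skipped
            sets[e[pivot]].append(e)
    journeys = {}
    for pivot_value, evs in sets.items():
        evs.sort(key=lambda e: e["_time"])
        steps = []
        for e in evs:
            # Assumption: consecutive events with the same step value are one step instance.
            if steps and steps[-1][0] == e[step]:
                steps[-1][1].append(e)
            else:
                steps.append((e[step], [e]))
        journeys[pivot_value] = steps
    return journeys


def step_names(journey):
    return [s for s, _ in journey]


def build_journey_model(journeys):
    """Journey model (claim 1), here assumed to be transition counts between
    successive step instances aggregated over all journey instances."""
    transitions = Counter()
    for journey in journeys.values():
        names = step_names(journey)
        transitions.update(zip(names, names[1:]))
    return transitions


def filter_contains_step(journeys, step_name):
    """Claim 12: journeys that include a step instance for the given step."""
    return {pv: j for pv, j in journeys.items() if step_name in step_names(j)}


def filter_ends_with(journeys, step_name):
    """Claim 15: journeys whose last step instance is the given step."""
    return {pv: j for pv, j in journeys.items() if j and j[-1][0] == step_name}


def filter_by_sequence(journeys, sequence):
    """Claim 11: journeys containing the given contiguous sequence of steps."""
    seq, n, out = list(sequence), len(sequence), {}
    for pv, j in journeys.items():
        names = step_names(j)
        if any(names[i:i + n] == seq for i in range(len(names) - n + 1)):
            out[pv] = j
    return out


EVENTS = [parse_event(r) for r in RAW_EVENTS]

if __name__ == "__main__":
    journeys = build_journeys(EVENTS, pivot="user", step="action")
    for pv, j in journeys.items():
        print(pv, "->", " > ".join(step_names(j)))
    print(build_journey_model(journeys))
    print("brute force then success:", sorted(filter_by_sequence(journeys, ["login_fail", "login_ok"])))
```

Pivoting on `user` reconstructs one timeline per account; pivoting the same events on `src` instead would give one timeline per source address, which is the switch an investigator makes when the question changes from "what did this account do" to "what did this host do". The transition count for `login_fail -> login_ok` in the model is where a repeated-failure-then-success pattern becomes visible across all journeys, and the sequence filter returns the specific pivot values to look at. The merging of consecutive same-step events and the transition-count model are this example's choices; the claims only require that step instances be ordered and that a model be built from the journeys.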
CPC classification titles:

- Search customisation based on user profiles and personalisation
- Visual data mining; Browsing structured data
- Clustering or classification
- Query execution
- Interaction with page-structured environments, e.g. book metaphor