Tactical query to continuous query conversion
US-2016154855-A1 · Jun 2, 2016 · US
Reproducing datasets generated by alert-triggering search queries
US11288231B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11288231-B2 |
| Application number | US-202016777357-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 30, 2020 |
| Priority date | Jul 9, 2014 |
| Publication date | Mar 29, 2022 |
| Grant date | Mar 29, 2022 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
An example method for managing datasets produced by alert-triggering search queries may include producing a dataset by executing a search query on a portion of data associated with a time window defined relative to a current time. The method may further include responsive to determining that a portion of the dataset satisfies a condition defining an alert, generating an instance of the alert. The method may further include associating, by a memory data structure, the instance of the alert with an identifier of the query and a parameter specifying a time of execution of the query that has triggered the instance. The method may further include receiving a request for the dataset portion. The method may further include substituting, in a definition of the time window, the current time with the time parameter. The method may further include reproducing the dataset portion by re-executing the query using the time window.
First claim
Opening claim text (preview).
What is claimed is: 1. A method, comprising: executing, by one or more processing devices, a search query on a portion of searchable data to produce a dataset comprising one or more results; determining that a throttling condition is satisfied, wherein the throttling condition suppresses triggering alert instances for a certain period of time for one or more data items identified by respective name-value pairs in the dataset; determining that a portion of the dataset satisfies a triggering condition defining an alert associated with the search query; generating, based on the throttling condition being satisfied and the triggering condition being satisfied, an instance of the alert; associating, using a memory data structure, the instance of the alert with an identifier of the search query and a time parameter specifying a time of execution of the search query that has triggered the instance of the alert; receiving, from a client computing device, a request for the portion of the dataset; determining that the portion of the dataset is not stored in a memory in a manner associating the portion of the dataset with the instance of the alert; reproducing the portion of the dataset by re-executing the search query in view of the time parameter. 2. The method of claim 1 , further comprising: storing, in the memory associated with the one or more processing devices, the portion of the dataset and an association of the stored portion of the dataset with the instance of the alert. 3. The method of claim 1 , further comprising: implementing a file retention policy with respect to datasets stored in the memory, wherein the file retention policy requires deleting certain datasets responsive to evaluating corresponding file retention conditions. 4. The method of claim 1 , further comprising: transmitting a copy of the portion of the dataset to the client computing device. 5. The method of claim 1 , further comprising associating the instance of the alert with an identifier of the triggering condition. 6. The method of claim 1 , wherein the searchable data includes time-stamped events having portions of raw machine data. 7. The method of claim 1 , further comprising: transmitting, to the client computing device, a notification of the instance of the alert. 8. The method of claim 1 , wherein the client computing device includes at least one of: a desktop computing device or a mobile computing device. 9. The method of claim 1 , wherein executing the search query on the portion of searchable data includes applying a late binding schema to the data, the late binding schema associated with one or more extraction rules defining one or more fields. 10. The method of claim 1 , wherein the portion of searchable data includes machine data generated by at least one of a server, a database, an application, or a network. 11. The method of claim 1 , wherein the search query is executed based on a schedule that is associated with the alert. 12. The method of claim 1 , wherein the triggering condition requires that the portion of the dataset includes a predetermined number of results. 13. The method of claim 1 , further comprising: preforming an action associated with the alert, wherein the action includes: sending an electronic mail message, creating a Really Simple Syndication (RSS) feed, executing a script, or causing visual display of the instance of the alert. 14. A computer system comprising: a memory; and one or more processing devices, coupled to the memory, to: execute a search query on a portion of searchable data to produce a dataset comprising one or more results; determine that a throttling condition is satisfied, wherein the throttling condition suppresses triggering alert instances for a certain period of time for one or more data items identified by respective name-value pairs in the dataset; determine that a portion of the dataset satisfies a triggering condition defining an alert associated with the search query; generate, based on the throttling condition being satisfied and the triggering condition being satisfied, an instance of the alert; associate, using a memory data structure, the instance of the alert with an identifier of the search query and a time parameter specifying a time of execution of the search query that has triggered the instance of the alert; receive, from a client computing device, a request for the portion of the dataset; determine that the portion of the dataset is not stored in the memory in a manner associating the portion of the dataset with the instance of the alert; reproduce the portion of the dataset by re-executing the search query in view of the time parameter. 15. The computer system of claim 14 , wherein the processing devices are further to: store, in the memory, the portion of the dataset and an association of the stored portion of the dataset with the instance of the alert. 16. The computer system of claim 14 , wherein the processing devices are further to: implement a file retention policy with respect to datasets stored in the memory, wherein the file retention policy requires deleting certain datasets responsive to evaluating corresponding file retention conditions. 17. The computer system of claim 14 , wherein the processing devices are further to: transmit a copy of the portion of the dataset to the client computing device. 18. The computer system of claim 14 , wherein the processing devices are further to: associate the instance of the alert with an identifier of the triggering condition. 19. The computer system of claim 14 , wherein the searchable data includes time-stamped events having portions of raw machine data. 20. The computer system of claim 14 , wherein the processing devices are further to: transmit, to the client computing device, a notification of the instance of the alert. 21. The computer system of claim 14 , wherein executing the search query on the portion of searchable data includes applying a late binding schema to the data, the late binding schema associated with one or more extraction rules defining one or more fields. 22. A computer-readable non-transitory storage medium comprising executable instructions that, when executed by a computer system, cause the computer system to: execute a search query on a portion of searchable data to produce a dataset comprising one or more results; determine that a throttling condition is satisfied, wherein the throttling condition suppresses triggering alert instances for a certain period of time for one or more data items identified by respective name-value pairs in the dataset; determine that a portion of the dataset satisfies a triggering condition defining an alert associated with the search query; generate, based on the throttling condition being satisfied and the triggering condition being satisfied, an instance of the alert; associate, using a memory data structure, the instance of the alert with an identifier of the search query and a time parameter specifying a time of execution of the search query that has triggered the instance of the alert; receive, from a client computing device, a request for the portion of the dataset; determine that the portion of the dataset is not stored in a memory in a manner associating the portion of the dataset with the instance of the alert; reproduce the portion of the dataset by re-executing the search query in view of the time parameter. 23. The computer-readable non-transi
Assignees
Inventors
Classifications
- G06F11/0727Primary
in a storage system, e.g. in a DASD or network based storage system (drivers for digital recording or reproducing units G06F3/06; circuits for error detection or correction within digital recording or reproducing units G11B20/18; for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS], H04L67/1097) · CPC title
- G06F16/125Primary
characterised by the use of retention policies (retention policies for HSM systems G06F16/185) · CPC title
Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses · CPC title
Query processing · CPC title
Status alarms (G08B21/02 takes precedence) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US11288231B2 cover?
- An example method for managing datasets produced by alert-triggering search queries may include producing a dataset by executing a search query on a portion of data associated with a time window defined relative to a current time. The method may further include responsive to determining that a portion of the dataset satisfies a condition defining an alert, generating an instance of the alert. T…
- Who is the assignee on this patent?
- Splunk Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F11/0727. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Mar 29 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).