Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: Single-click delta analysis is disclosed. A user query of status information collected from one or more monitored devices is received from a user. In response to receiving an indication from the user to determine a variance between different portions of the collected status information, a target query and a baseline query are generated using the user query. The generated target query and the generated baseline query are performed, respectively, against data in a data store including the status information collected from the one or more monitored devices. A target set of status information results and a baseline set of status information results are obtained in response to performing, respectively, the generated target query and the generated baseline query. The obtained target and baseline sets of results are combined. Output indicative of a variance between the target and baseline sets of status information results is provided based at least in part on the combining.

Abstract: Single-click delta analysis is disclosed. A user query of status information collected from one or more monitored devices is received from a user. In response to receiving an indication from the user to determine a variance between different portions of the collected status information, a target query and a baseline query are generated using the user query. The generated target query and the generated baseline query are performed, respectively, against data in a data store including the status information collected from the one or more monitored devices. A target set of status information results and a baseline set of status information results are obtained in response to performing, respectively, the generated target query and the generated baseline query. The obtained target and baseline sets of results are combined. Output indicative of a variance between the target and baseline sets of status information results is provided based at least in part on the combining.

Abstract: Obfuscating data is disclosed. A processor identifies structured information in log data. The structured information is transformed in a manner that preserves the structure to form transformed raw data. The transformed raw data is sent to a remote analysis engine. The remote analysis engine receives a query and responds to the query by providing as results at least a portion of the transformed raw data. A processor is configured to de-transform the transformed raw data.

Abstract: The automatic selection and usage of a parser is disclosed. Raw data is obtained from a first remote device. At least a portion of the raw data is evaluated using a plurality of rules. A confidence measure is determined for at least some of the rules. An indication that the raw data pertains to a source is provided as output when the confidence measure exceeds a threshold.

Abstract: Single-click delta analysis is disclosed. A user query of status information collected from one or more monitored devices is received from a user. In response to receiving an indication from the user to determine a variance between different portions of the collected status information, a target query and a baseline query are generated using the user query. The generated target query and the generated baseline query are performed, respectively, against data in a data store including the status information collected from the one or more monitored devices. A target set of status information results and a baseline set of status information results are obtained in response to performing, respectively, the generated target query and the generated baseline query. The obtained target and baseline sets of results are combined. Output indicative of a variance between the target and baseline sets of status information results is provided based at least in part on the combining.

Abstract: Single-click delta analysis is disclosed. A user query of status information collected from one or more monitored devices is received from a user. In response to receiving an indication from the user to determine a variance between different portions of the collected status information, a target query and a baseline query are generated using the user query. The generated target query and the generated baseline query are performed, respectively, against data in a data store including the status information collected from the one or more monitored devices. A target set of status information results and a baseline set of status information results are obtained in response to performing, respectively, the generated target query and the generated baseline query. The obtained target and baseline sets of results are combined. Output indicative of a variance between the target and baseline sets of status information results is provided based at least in part on the combining.

Abstract: Automatically generating a parser is disclosed. Raw data is received from a first remote device. A determination that the raw data does not, within a predefined confidence measure, conform to any rules included in a set of rules is made. A clustering function is performed on the raw data. At least one parser rule is generated based on the clustering.

Abstract: Obfuscating data is disclosed. A processor identifies structured information in log data. The structured information is transformed in a manner that preserves the structure to form transformed raw data. The transformed raw data is sent to a remote analysis engine. The remote analysis engine receives a query and responds to the query by providing as results at least a portion of the transformed raw data. A processor is configured to de-transform the transformed raw data.

Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: Single-click delta analysis is disclosed. A user query of status information collected from one or more monitored devices is received from a user. In response to receiving an indication from the user to determine a variance between different portions of the collected status information, a target query and a baseline query are generated using the user query. The generated target query and the generated baseline query are performed, respectively, against data in a data store including the status information collected from the one or more monitored devices. A target set of status information results and a baseline set of status information results are obtained in response to performing, respectively, the generated target query and the generated baseline query. The obtained target and baseline sets of results are combined. Output indicative of a variance between the target and baseline sets of status information results is provided based at least in part on the combining.

Abstract: Data collection and transmission is disclosed. A server is configured to receive, from a remote device, a message including raw information, and to parse at least a portion of the received raw information. The raw information is received by the system from an information reporting module interface of the remote device. The information reporting module of the remote device is configured to receive information from at least one separately installed information reporting module. A client device includes an information reporting module interface and a server interface. The client device is configured to receive configuration information from a remote server.

Abstract: Analyzing log data, such as security log data and event data, is disclosed. Log data is obtained. Portions of the log data are clustered into clusters of similar data portions. A signature for each cluster is generated. Comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster.

Abstract: Obfuscating data is disclosed. A processor identifies structured information in log data. The structured information is transformed in a manner that preserves the structure to form transformed raw data. The transformed raw data is sent to a remote analysis engine. The remote analysis engine receives a query and responds to the query by providing as results at least a portion of the transformed raw data. A processor is configured to de-transform the transformed raw data.

Abstract: Automatically generating a parser is disclosed. Raw data is received from a first remote device. A determination that the raw data does not, within a predefined confidence measure, conform to any rules included in a set of rules is made. A clustering function is performed on the raw data. At least one parser rule is generated based on the clustering.

Abstract: Analyzing log data, such as security log data and event data, is disclosed. Log data is received. Portions of the log data are clustered into clusters of similar data portions. A signature for each cluster is generated. Comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster.

Abstract: The automatic selection and usage of a parser is disclosed. Raw data is received from a first remote device. At least a portion of the raw data is evaluated using a plurality of rules. A confidence measure is determined for at least some of the rules. An indication that the raw data pertains to a source is provided as output when the confidence measure exceeds a threshold.

Abstract: Data collection and transmission is disclosed. A server is configured to receive, from a remote device, a message including raw information, and to parse at least a portion of the received raw information. The raw information is received by the system from an information reporting module interface of the remote device. The information reporting module of the remote device is configured to receive information from at least one separately installed information reporting module. A client device includes an information reporting module interface and a server interface. The client device is configured to receive configuration information from a remote server.