Abstract: An example method of entity lifecycle management in a service monitoring system includes: receiving, by a software application of a service monitoring system, a policy definition specifying an entity lifecycle management policy, wherein the entity lifecycle management policy defines management rules for a plurality of entities in the network environment, wherein each entity of the plurality of entities is represented by one of: a device, an application, a service, or a user account; identifying, by applying the entity lifecycle management policy to a plurality of active entities, one or more candidate entities for retirement; retiring at least a subset of the one or more candidate entities; and excluding the retired entities from the plurality of active entities, thus preventing the retired entities from interacting with other components of the service monitoring system.

Abstract: Embodiments are directed towards a system and method for a cloud-based front end that may abstract and enable access to the underlying cloud-hosted elements and objects that may be part of a multi-tenant application, such as a search application. Search objects may be employed to access indexed objects. An amount of indexed data accessible to a user may be based on an index storage limit selected by the user, such that data that exceeds the index storage limit may continue to be indexed. Also, one or more projects can be elastically scaled for a user to provide resources that may meet the specific needs of each project.

Abstract: A system and computer-implemented is provided for displaying a configurable metric relating to an environment in a graphical display along with a value of the metric calculated over a configurable time period. The metric is used to identify events of interest in the environment based on processing real time machine data from one or more sources. The configurable metric is selected and a corresponding value is calculated based on the events of interest over the configurable time period. The value of the metric may be continuously updated in real time based on receiving additional real-time machine data and displayed in a graphical interface as time progresses. Statistical trends in the value of the metric may also be determined over the configurable time period and displayed in the graphical interface as well as an indication if the value of the metric exceeds a configurable threshold value.

Abstract: Systems and methods are disclosed for processing data associated with isolated execution environments. A chunk of data associated with an isolated execution environment can include log data and non-log data. At least a portion of the log data can include log data generated by the isolated execution environment. The system can parse the chunk of data to identify the log data and the non-log data and extract at least a portion of the log data from the chunk of data. The extracted data can be further processed to generate one or more events.

Abstract: A method is disclosed that includes receiving, at a computing device, an event log including events derived from machine data, and determining a score by comparing an event from the event log with frequent patterns of features. Determining the score includes determining a length of a frequent pattern within the event in the event log and a count of occurrences of the frequent pattern within the events, determining a contribution of the frequent pattern based on the length and the count, determining a penalty for an unmatched feature of the first event based on a cardinality of the events, and averaging the contribution and the penalty to obtain the score. The method further includes issuing an alert identifying the first event as an anomaly using the first score and an anomaly score threshold.

Abstract: A data intake and query system processes and stores events, which are associated with token identifiers for tokens corresponding to data sources for the messages that the events are generated from. Thus, the data intake and query system can receive a request to provide analyses and visualizations regarding stored events associated with a particular component associated with a plurality of events, such as a data source for the messages from which the plurality of events are generated from. These requests and the resulting visualizations can be customized based on selected tokens and selected components.

Abstract: Systems and methods are disclosed for providing a multi-component application, including a first and second component. Functionality of the application may be easily and rapidly modified by modification to the first component, without requiring modification to the second component. The first component may be implemented locally at a client device, while the second component is implemented remotely. While modification of the second component may require privileges of a remote location, a user of a client device may modify the first component while maintaining interoperability and compatibility with the second component, thereby enabling the end user to modify functionality of the multi-component application. In some instances, different versions of a first component are provided, and an end user of a client device is enabled to specify which version of the first component should be used.

Abstract: Systems and methods are disclosed for monitoring features of a computing device of a distributed computing system using a self-monitoring module. The self-monitoring module can include multiple feature-specific monitoring modules and one or more parent nodes for the feature-specific monitoring modules. A feature-specific monitoring module can identify or detect a fault status change, such as a fault condition or fault resolution, for one or more features. Based on the identified fault conditions or fault resolutions, the feature-specific monitoring module can determine an internal status and communicate an updated status to a parent node.

Abstract: Systems and methods are described for improving data availability and/or resiliency of indexers of a data intake and query system. Due to a lag between the time at which data is received and the time at which the data is available for searching, the data intake and query system may receive a query indicating that received (but unavailable for search) data is to be included as part of the query. A cluster master can dynamically track what data is available for searching by different indexers and map the data to filter criteria using a bucket map identifier. When a search head receives a query, it can request a bucket map identifier from the cluster master and send the bucket map identifier to the indexers that will be executing the query. The indexers can use the bucket map identifier to request the individual buckets that they are assigned to search.

Abstract: A data processing platform generates visualizations for data streams to visually represent a portion of data in the data stream. The platform performs an analysis of a change in values of data contained in the data stream and generates, using a result of the analysis, metadata identifying an insight into the data in the data stream. The insight indicates a characteristic of the change in values. A natural language representation of the insight is generated using the metadata and output for display in association with the visualization.

Abstract: Embodiments of the present disclosure provide solutions for determining an elected search head captain is unqualified for the position, identifying a more qualified search head, and transferring the captain position to the more qualified search head. A method is provided that includes referencing qualification parameters in an elected search head captain, determining whether the newly elected search head captain is qualified for the position based on the parameters, identifying a more qualified search head to be the search head captain if the newly elected search head captain is determined to be unqualified for the position, and transferring the position of captain to the more qualified search head. The qualification parameters may include, for example, a pre-determined static flag set by an administrator of the search environment, and configuration replication status that corresponds to the most recent configuration state of the search head as recorded by the previous search head captain.

Abstract: A graphical user interface allows a customer to specify delimiters and/or patterns that occur in event data and indicate the presence of a particular field. The graphical user interface applies a customer's delimiter specifications directly to event data and displays the resulting event data in real time. Delimiter specifications may be saved as configuration settings and systems in a distributed setting may use the delimiter specifications to extract field values as the systems process raw data into event data. Extracted field values are used to accelerate search queries that a system receives.

Abstract: Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generate and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.

Abstract: A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital representation, comprising a 2D representation of a physical space and a depth map, and detects 3D objects included in the acquired representation that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.

Abstract: Described herein are techniques for integrating external sensors to an edge device, such as for ingesting data into a data intake and query system. The edge device has an internal message broker for communicating with internal (e.g., preconfigured, recognized) sensors, and an external message broker for communicating with external (e.g., customer-configured, otherwise unrecognized) sensors. The external message broker provides access to customer configuration of external sensors, but is logically quarantined from the internal message broker to prevent unwanted customer access to internal configurations. The internal and external message brokers interface only via a bridging service that transforms external sensor data into data based on customer-configurable transformations. The transformed data can be handled by the edge device and/or downstream components (e.g., a data intake and query system) in the same manner as internal sensor data.

Abstract: In accordance with some implementations of the present disclosure, a cityscape generator is disclosed herein that may generate a three-dimensional cityscape including at least one neighborhood that represents the at least one stack of the cloud computing system, the at least one neighborhood includes a cluster of nodes associated with a set of compute resources of the at least one stack. The cluster of nodes may be located within a subdivision of the at least one neighborhood and may include a plurality of worker nodes associated with compute resources that provide services and one or more administrative nodes associated with one or more compute resources that monitor and manage the compute resources associated with the worker nodes. The subdivision further includes a beacon to indicate overall health of the subdivision.

Abstract: Provided are systems and methods for verifying user credentials for performing a search. Verifying user credentials include receiving a search request at a search server, determining, at the search server, whether a set of user credentials of a user has been updated within a threshold period of time. The set of user credentials are received from an identity provider server and cached at the search server. Responsive to determining that the cached set of user credentials have not been updated within the threshold period of time, the identity provider server is queried for a current set of user credentials associated with the user. The current set of user credentials from the identity provider server, and used to determine that the user is authorized to perform the search. The search of the datastore is launched responsive to determining that the user is authorized.

Abstract: A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Abstract: A mobile device that includes a camera and an extended reality software application program is employed by a user in an operating environment, such as an industrial environment. One or more objects within a geofence may be identified. A device crosses within the geofence and acquires sensor data associated with an object within the geofence. The sensor data may include image data and/or audio data. The device or a server system may then determine an object identifier associated with the object based on a comparison of the sensor data with data associated with object identifiers corresponding to objects within the geofence. Based on the object identifier, data associated with the object are obtained. The data associated with the object may be presented via the device, such as an extended reality overlay over a view of the object in the device.