Abstract: A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital representation, comprising a 2D representation of a physical space and a depth map, and detects 3D objects included in the acquired representation that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.

Abstract: Provided are systems and methods for verifying user credentials for performing a search. Verifying user credentials include receiving a search request at a search server, determining, at the search server, whether a set of user credentials of a user has been updated within a threshold period of time. The set of user credentials are received from an identity provider server and cached at the search server. Responsive to determining that the cached set of user credentials have not been updated within the threshold period of time, the identity provider server is queried for a current set of user credentials associated with the user. The current set of user credentials from the identity provider server, and used to determine that the user is authorized to perform the search. The search of the datastore is launched responsive to determining that the user is authorized.

Abstract: Described herein are techniques for integrating external sensors to an edge device, such as for ingesting data into a data intake and query system. The edge device has an internal message broker for communicating with internal (e.g., preconfigured, recognized) sensors, and an external message broker for communicating with external (e.g., customer-configured, otherwise unrecognized) sensors. The external message broker provides access to customer configuration of external sensors, but is logically quarantined from the internal message broker to prevent unwanted customer access to internal configurations. The internal and external message brokers interface only via a bridging service that transforms external sensor data into data based on customer-configurable transformations. The transformed data can be handled by the edge device and/or downstream components (e.g., a data intake and query system) in the same manner as internal sensor data.

Abstract: A method comprises executing a user-to-user messaging application in a first computer system used by a user support agent. The user-to-user messaging application receives an input from the user support agent, where the input includes a command for triggering a test of a human-invocable operation of a service that operates on a first cloud-based computing platform. The user-to-user messaging application transmits the command from the first computer system to a web service hosted on a second cloud-based computing platform via a computer network, to invoke an API of the web service. The second cloud-based computing platform is remote from the first computer system. Invocation of the API by the web service initiates the test of the human-invocable operation of the cloud-based service that operates on the first cloud-based computing platform.

Abstract: Described herein are technologies that facilitate effective use (e.g., indexing and searching) of non-text machine data (e.g., audio/visual data) in an event-based machine-data intake and query system.

Abstract: Embodiments of the present invention are directed to enhancing extraction rules utilizing user feedback. In embodiments, a set of extraction rules relevant to an event set are provided for display. Thereafter, a selection of an extraction rule is received and, in response, a set of events matching the selected extraction rule is provided for display. A modification, for example provided by a user, in association with the extraction rule or the set of events is received. Such a modification is then used (e.g., via machine learning) to enhance extraction rules available for performing subsequent data extraction.

Abstract: A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital representation, comprising a 2D representation of a physical space and depth map, and detects 3D objects included in the acquired representation that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.

Abstract: In embodiments of statistics value chart interface cell mode drill down, a first interface displays in a table format that includes columns each with field values of an event field, and each column having a column heading of a different one of the event fields, and includes rows each with one or more of the field values, each field value in a row associated with a different one of the event fields, and having an aggregated metric that represents a number of events with field-value pairs that match all of the field values listed in a respective row and the corresponding event fields listed in the respective columns. A cell can be emphasized that includes one of the field values in a row that corresponds to one of the different event fields in a column, and in response, a menu displays options to transition to a second interface.

Abstract: Custom communication alert techniques are described. In one or more implementations, a triggering condition is detected by one or more computing devices that is found by searching data using one or more extraction rules of a late-binding schema. Responsive to the detection of the triggering condition of the alert, a communication is formed by the one or more computing devices that corresponds to the alert and that includes one or more tokens based on one or more values of the data taken from fields defined by the one or more extraction rules. The communication is caused to be transmitted by the one or more computing device via a network for receipt by at least one computing device of an intended recipient of the communication.

Abstract: Various embodiments of the present invention set forth techniques for monitoring risk in a computing system. The technique includes creating one or more risk objects, where each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment. The technique further includes receiving a selection of a first risk object included in the one or more risk objects and receiving a first risk definition that corresponds to the first risk object. The technique further includes performing a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data and performing an action based on identifying the risk.

Abstract: The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display, on a computer system, a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements for managing one or more ephemeral event streams that contain temporarily generated time-series event data from the network packets, wherein managing the one or more ephemeral event streams comprises modifying an end time for terminating the capture of time-series event data in an ephemeral event stream. The system then updates the configuration information based on input received through the first set of user-interface elements.

Abstract: According to embodiments, a method for virtual partitioning of data includes receiving a data stream comprising a plurality of traces, each trace comprising a plurality of spans from a plurality of users. The method also includes assigning the plurality of traces of the data stream to a plurality of virtual partitions based on each user of the plurality of users, each virtual partition of the plurality of virtual partitions comprising data of a user of the plurality of users. The method also includes scheduling at least a subset of the plurality of virtual partitions to at least one user partition of a shared topic, the at least one user partition comprising data from at least one virtual partition of at least one user of the plurality of users. The method also includes indexing each user partition of the shared topic based on each user and each virtual partition.

Abstract: Systems and methods are described for processing ingested data using an online machine learning algorithm as the data is being ingested. For example, the online machine learning algorithm can be an adaptive thresholding algorithm used to identify outliers in a moving window of data. As another example, the online machine learning algorithm can be a sequential outlier detector that detects anomalous sequences of logs or events. As another example, the online machine learning algorithm can be a sentiment analyzer that determines whether text has a positive, negative, or neutral sentiment. As another example, the online machine learning algorithm can be a drift detector that detects whether ingested data marks the start of a change in the distribution of a time-series.

Abstract: Embodiments of the present disclosure provide a method for performing search queries. The method comprises transmitting a list of active indexers in an indexer cluster from a cluster master for receipt by a first search head, wherein the cluster master is communicatively coupled with an indexer cluster comprising a plurality of indexers and the first search head. The method further comprises receiving a first slot request at the cluster master in response to a query from the first search head, wherein the first search head is operable to transmit the query to the active indexers for execution if granted the slot request. Further, the method comprises evaluating a plurality of policies to determine if the first slot request can be granted and responsive to a positive determination, transmitting an authorization token for a slot to the first search head.

Abstract: An example method of updating a client dashboarding component of an asset monitoring and reporting system comprises: identifying an update of a client dashboarding component of an asset monitoring and reporting system (AMRS), the client dashboarding component comprising one or more dynamic elements, each dynamic element associated with an asset node; receiving one or more search queries, each search query corresponding to a dynamic element of the one or more dynamic elements; modifying one or more dynamic elements of the client dashboarding component in accordance with the one or more search queries; and updating the client dashboarding component to reflect metric values associated with the modified dynamic elements.

Abstract: Described herein are systems, methods, and software to enhance the management of responses to incidents. In one example, a method of improving incident response comprises identifying an incident in an information technology (IT) environment associated with a first entity of a plurality of entities, and identifying action implementation information related to the incident. The method further anonymizes the action implementation information for the incident, and determines action suggestions based at least on the anonymized action implementation information.

Abstract: One embodiment of the present invention sets forth a technique for predicting fraud by correlating user behavior biometric data with one or more other types of data. The technique includes receiving cursor movement data generated via a client device and analyzing the cursor movement data based on a model to generate a result. The model may be generated based on cursor movement data associated with a first group of one or more users. The technique further includes receiving log data generated via the client device and determining, based on the result and the log data, that a user of the client device is not a member of the first group.

Abstract: Systems and methods are described for balancing workloads and reliably delivering data to a plurality of indexing systems in a data intake and query system. A topic-based indexing system load balancer may receive event data from various data sources, each of which may be associated with a topic. The event data may be entirely unparsed, unparsed but divided into events, or parsed into events. The topic-based indexing system load balancer may distribute the received event data on a per-topic or per-event basis to a set of indexing systems, and may distribute topics and events based on the volume received. Unparsed data may be divided into portions, and the topic-based indexing system load balancer may ensure that portions data associated with the same topic are delivered to the same indexer so that events split between two portions may be recombined and indexed.

Abstract: Systems and methods are disclosed for processing events having raw machine data associated with a timestamp using one or more pivot identifiers and one or more step identifiers to generate one or more journey instances. Based on the one or more pivot identifier field, the system can relate events that have a common field value for the pivot identifier field. Based on the one or more step identifiers, the system can group the related events into a subset of events. Using the subset of events, the system can build a journey instance.

Abstract: The present disclosure provides solutions for determining the divergence (delta) between the current and previous reference data structures for mutable data in a search head. A method is provided that includes updating a pre-existing lookup table in a search head, generating a delta file that identifies the divergence between the updated and previous lookup table, and distributing the delta file to other components in the search environment. The compatibility of the delta file is checked with the local instance of the lookup table in each search component, and the lookup table is applied if compatibility is determined. However, if the delta file is determined to not be compatible with the current version of a local lookup table in an indexer, the entire lookup table sent to the requesting indexer instead.