Patents Assigned to Splunk Inc.
  • Patent number: 11954541
    Abstract: Techniques are described for providing a highly available data ingestion system for ingesting machine data sent from remote data sources across potentially unreliable networks. To provide for highly available delivery of such data, a data intake and query system provides users with redundant sets of ingestion endpoints to which messages sent from users' computing environments can be delivered to the data intake and query system. Users' data sources, or data forwarding components configured to obtain and send data from one or more data sources, are then configured to encapsulate obtained machine data into discrete messages and to send copies of each message to two or more of the ingestion endpoints provisioned for a user. The ingestion endpoints receiving the messages implement a deduplication technique and provide only one copy of each message to a subsequent processing component (e.g., to an indexing subsystem for event generation, event indexing, etc.).
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: April 9, 2024
    Assignee: Splunk Inc.
    Inventor: Craig Keith Carl
  • Patent number: 11949547
    Abstract: Techniques are described for automating the configuration of a simple network management protocol (SNMP) manager device for enabling collection of SNMP data from one or more SNMP-enabled devices. Based upon SNMP object identifiers (OIDs) received from an SNMP-enabled device, processing is performed to map the OIDs to one or more SNMP management information bases (MIBs) corresponding to the OIDs. The identification of the OIDs and mapping the OIDs to one or more MIBs is performed in an automated manner and substantially free of any human or manual intervention. The identified one or more MIBs are then used to configure the SNMP manager to enable SNMP communications between the SNMP-enabled device and the SNMP manager. In certain implementations, the identified one or more MIBs are loaded into system memory by the SNMP manager.
    Type: Grant
    Filed: July 28, 2021
    Date of Patent: April 2, 2024
    Assignee: SPLUNK INC.
    Inventors: Ryan Lee Faircloth, Ankit Chetan Bhagat, Mayur Sanjaybhai Pipaliya, Yuan Ling
  • Patent number: 11947528
    Abstract: Systems and methods are described for generation of a query using a non-textual input. For example, the query can be generated using a point and click input. A selection of a data source can be identified and an initial query can be automatically generated based on the selection of the data source. A graphical user interface can be displayed and populated with one or more selectable parameters based on the initial query. A selection of the one or more selectable parameters can be received as a non-textual input and a query can be automatically generated based on the selection. For example, a query for execution by a data intake and query system can be generated based on the selection. The query can be provided to the data intake and query system. The data intake and query system may then execute the query on a set of data.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: April 2, 2024
    Assignee: Splunk Inc.
    Inventors: Ankit Bhagat, Steven Karis, Amin Moshgabadi, Rajesh Raman
  • Patent number: 11947556
    Abstract: The disclosure includes methods and systems that perform operations of identifying a behavior of a metric, where the metric is associated with a node included within a nodal graph displayed on a graphical user interface. Additionally, a root cause of the behavior is determined through automated, computerized analytics, which may include execution of a search query associated with the node, and a notification of the root cause may be provided via the graphical user interface. Additionally, the graphical user interface may be configured to receive user input that results in the generation of a nodal graph, where the user input includes placement of nodes on a display screen and edges representing a connection between two nodes, where the edges may represent a dependency between the nodes.
    Type: Grant
    Filed: August 18, 2022
    Date of Patent: April 2, 2024
    Assignee: Splunk Inc.
    Inventors: Ricky Gene Burnett, Dipock Das, Steven Shaun McIntyre, Darrell Sano
  • Patent number: 11947614
    Abstract: A computerized method is disclosed including establishing communicative couplings with each of a first data intake and query system instance and a second data intake and query system instance, automating execution of a first search query on the first data intake and query system instance and a second search query on the second data intake and query system instance, and causing rendering of a graphical user interface that consolidates results from each of the first data intake and query system instance and the second data intake and query system instance. Additional operations may include obtaining a result of the first search query while preserving fields within the results of the first and second search queries extracted by the first data intake and query system instance and the second data intake and query system instance, respectively.
    Type: Grant
    Filed: March 24, 2022
    Date of Patent: April 2, 2024
    Assignee: Splunk Inc.
    Inventors: Carl Yestrau, Nicolas Stone
  • Patent number: 11947513
    Abstract: Methods and apparatus consistent with the invention provide the ability to organize, index, search, and present time series data based on searches. Time series data are sequences of time stamped records occurring in one or more usually continuous streams, representing some type of activity. In one embodiment, time series data is stored as discrete events time stamps. A search is received and relevant event information is retrieved based in whole or in part on the time stamp, a keyword indexing mechanism, or statistical indices calculated at the time of the search.
    Type: Grant
    Filed: December 21, 2022
    Date of Patent: April 2, 2024
    Assignee: Splunk Inc.
    Inventors: Michael Joseph Baum, R. David Carasso, Robin Kumar Das, Rory Greene, Bradley Hall, Nicholas Christian Mealy, Brian Philip Murphy, Stephen Phillip Sorkin, Andre David Stechert, Erik M. Swan
  • Patent number: 11949702
    Abstract: A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.
    Type: Grant
    Filed: November 2, 2022
    Date of Patent: April 2, 2024
    Assignee: SPLUNK INC.
    Inventors: Sumit Singh Bagga, Francis E. Gerard, Robin Jinyang Hu, Marios Iliofotou, J. Evan Jordan, Amarendra Pendala, Sourabh Satish
  • Patent number: 11947988
    Abstract: A process for ingesting raw machine data that reduces network and data intake and query system resources is described herein. For example, instead of routing the raw machine data to an intake ingestion buffer via a load balancer, a publisher may instead route metadata to the load balancer. The load balancer can use the metadata to identify an available virtual machine in the intake ingestion buffer. The load balancer can then provide to the publisher the public IP address of the available virtual machine. The publisher can communicate with the available virtual machine using the public IP address, and the available virtual machine can identify which virtual machine owns the topic related to the raw machine data. The publisher can then transmit raw machine data to the virtual machine that owns the topic.
    Type: Grant
    Filed: October 19, 2020
    Date of Patent: April 2, 2024
    Assignee: Splunk Inc.
    Inventors: Sanjeev Kulkarni, Matteo Merli, Boyang Peng
  • Patent number: 11940967
    Abstract: Embodiments are directed towards a method for searching data. The method comprises providing an inverted index that comprises at least one record, wherein the at least one record comprises at least one field name and a corresponding at least one field value. The at least one field name and corresponding value are extracted from time-stamped searchable events that are stored in a field searchable datastore and comprise portions of raw data. The at least one record further comprises a posting value that identifies a location in the field searchable datastore where an event associated with the at least one record is stored. The method further comprises evaluating an incoming search query that references a field name. Responsive to the evaluating, the method comprises determining results for the incoming search query by executing the incoming search query across the field searchable datastore or the inverted index.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: March 26, 2024
    Assignee: SPLUNK INC.
    Inventors: David Ryan Marquardt, Mitchell Neuman Blank, Jr., Stephen Phillip Sorkin
  • Patent number: 11940989
    Abstract: In some embodiments, a method may include display of a data summary view of a set of events that correspond to query results of a query. Each event of the set of events may include data items of a plurality of event attributes. In embodiments, the data summary view can include various summary reports. Each summary report can include summary entries and a summary graph that each present a summary of data items of a selected event attribute, of the plurality of event attributes. At least one summary report can include summary entries that are selectable by a user. The method may further include filtering the set of events, in response to, and based on, selection of one or more of the selectable summary entries by the user and updating of at least the first and second summary graphs to correspond to the filtered set of events.
    Type: Grant
    Filed: June 9, 2022
    Date of Patent: March 26, 2024
    Assignee: Splunk Inc.
    Inventors: Jesse Miller, Marc V. Robichaud, Cory Burke, Jeffrey Thomas Lloyd, Alexander James, Andrew Robbins
  • Patent number: 11941421
    Abstract: A method for evaluating metrics associated with isolated execution environments utilized for synthetic monitoring of a web application and modifying the quantity of isolated execution environments hosted by a particular hosting service at a particular geographic location based on the metrics. The method can include receiving an instruction to monitor computing resources at the particular geographic location; obtaining configuration data for the particular geographic location; communicating a request to the particular hosting provider for an identification of a collection of isolated execution environments that are instantiated at the particular geographic location; obtaining metrics associated with the collection of isolated execution environments; evaluating the metrics against the set of scaling criteria; and/or generating an instruction for the particular hosting provider to modify the quantity of the collection of isolated execution environments.
    Type: Grant
    Filed: July 9, 2021
    Date of Patent: March 26, 2024
    Assignee: Splunk Inc.
    Inventors: Patrick Joseph Smith, Michael Beasley
  • Patent number: 11940899
    Abstract: A quality score for a computer application release is determined using a first number of unique users who have launched the computer application release on user devices and a second number of unique users who have encountered at least once an abnormal termination with the computer application release on user devices. Additionally or optionally, an application quality score can be computed for a computer application based on quality scores of computer application releases that represent different versions of the computer application. Additionally or optionally, a weighted application quality score can be computed for a computer application by further taking into consideration the average application quality score and popularity of a plurality of computer applications.
    Type: Grant
    Filed: January 6, 2023
    Date of Patent: March 26, 2024
    Assignee: Splunk Inc.
    Inventors: Ioannis Vlachogiannis, Vasileios Karampinas
  • Patent number: 11936764
    Abstract: The disclosed embodiments provide a system that processes network data. During operation, the system obtains, at a remote capture agent, a first protocol classification for a first packet flow captured by the remote capture agent. Next, the system uses configuration information associated with the first protocol classification to build a first event stream from the first packet flow at the remote capture agent, wherein the first event stream comprises time-series event data generated from network packets in the first packet flow based on the first protocol classification. The system then transmits the first event stream over a network for subsequent storage and processing of the first event stream by one or more components on the network.
    Type: Grant
    Filed: July 14, 2022
    Date of Patent: March 19, 2024
    Assignee: Splunk Inc.
    Inventors: Vladimir A. Shcherbakov, Michael R. Dickey
  • Patent number: 11934256
    Abstract: In accordance with various embodiments of the present disclosure, a first instance of a data intake and query system (DIQS) may receive latency data that indicates latency states of second instances of the DIQS, the latency states indicative of latencies associated with processing of event data by the plurality of second instances. The first instance may then determine overall latency state of the first instance based, at least in part, on determining number or percentage of the first instance and the second instances of the DIQS having one or more particular latency states, and determining whether the number or percentage of the first instance and the second instances of the DIQS having the one or more particular latency states is equal to or exceeds a threshold. The first instance may then present the overall latency state of the first instance.
    Type: Grant
    Filed: June 1, 2021
    Date of Patent: March 19, 2024
    Assignee: SPLUNK INC.
    Inventors: Vitaly Akulov, Amritpal Singh Bath, William King Colgate, Sarah Harun, Jibang Liu, Vishal Patel, Tingjin Xu
  • Patent number: 11936545
    Abstract: A computerized method is disclosed that includes operations of obtaining network traffic data between a source device and a destination device, performing a regularity assessment of a first metric of the network traffic data across communication sessions of the source device and the destination device over a given time period by: determining an average of the first metric for each of the communication sessions; establishing an upper bound and a lower bound for the averages of the first metric over the given time period; determining a difference between the upper bound and the lower bound; comparing the difference between the upper bound and the lower bound to a mean of the first metric for each of the communication sessions over the given time period, and determining whether beaconing transmissions are present within the network traffic data based on the regularity assessment of the first metric.
    Type: Grant
    Filed: January 11, 2022
    Date of Patent: March 19, 2024
    Assignee: Splunk Inc.
    Inventors: Stanislav Miskovic, Cui Lin
  • Patent number: 11934418
    Abstract: Techniques and mechanisms are disclosed to optimize the size of index files to improve use of storage space available to indexers and other components of a data intake and query system. Index files of a data intake and query system may include, among other data, a keyword portion containing mappings between keywords and location references to event data containing the keywords. Optimizing an amount of storage space used by index files may include removing, modifying and/or recreating various components of index files in response to detecting one or more storage conditions related to the event data indexed by the index files. The optimization of index files generally may attempt to manage a tradeoff between an efficiency with which search requests can be processed using the index files and an amount of storage space occupied by the index files.
    Type: Grant
    Filed: September 14, 2021
    Date of Patent: March 19, 2024
    Assignee: Splunk, Inc.
    Inventors: Ashish Mathew, Ledion Bitincka, Igor Stojanovski, Dhruva Kumar Bhagi
  • Patent number: 11934869
    Abstract: This technology is directed to facilitating scalable and secure data collection. In particular, scalability of data collection is enabled in a secure manner by, among other things, abstracting a connector(s) to a pod(s) and/or container(s) that executes separate from other data-collecting functionality. For example, an execution manager can initiate deployment of a collect coordinator on a first pod associated with a first job and deployment of a first connector on a second pod associated with a second job separate from the first job of a container-managed platform. The collect coordinator can provide a data collection task to the first connector deployed on the second pod of the second job. The first connector can then obtain the set of data from the data source and provide the set of data to the collect coordinator for providing the set of data to a remote source.
    Type: Grant
    Filed: June 24, 2022
    Date of Patent: March 19, 2024
    Assignee: Splunk Inc.
    Inventors: Denis Vergnes, Zhimin Liang
  • Patent number: 11934417
    Abstract: Data intake and query system (DIQS) instances supporting applications including lower-tier, focused, work group oriented applications, are tailored to display the metrics for the needs of the user. An interface caused by operation of an entity monitoring system (EMS) operating in conjunction with the lower-tier DIQS displays the monitored entities as individual representations. The user selects a metric and a metric threshold. The EMS causes a display of an interface having a representation for each monitored entity. Each representation includes a metric value and indicates an entity status based on the metric value and the threshold. The user can dynamically change the threshold on the interface for easy visualization of aggregation of monitored entities to determine the performance of the infrastructure. The interface also provides the user with the ability to select an entity and click through to the entity analysis workspace for more detailed information.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: March 19, 2024
    Assignee: Splunk Inc.
    Inventors: Ai-Chi Lu, Arun Ramani, Nicholas Matthew Tankersley
  • Patent number: 11934408
    Abstract: Embodiments of the present disclosure are directed to an interactive development environment (IDE) interface that provides historical visualization of queries and query result information iteratively and intuitively. According to an embodiment of the present disclosure, a process is provided to generate visualizations of queries and processed query result information in a single, persistent, integrated display. Each query and resultant search data information is presented iteratively in chronological order, and maintain a persistent, viewable history of a search data exploration session.
    Type: Grant
    Filed: February 4, 2022
    Date of Patent: March 19, 2024
    Assignee: SPLUNK INC.
    Inventor: Eric Woo
  • Patent number: 11928046
    Abstract: An analysis system receives data streams generated by instances of instrumented software executing on external systems. The analysis system evaluates an expression using data values of the data streams over a plurality of time intervals. For example, the analysis system may aggregate data values of data streams for each time interval. The analysis system determines whether or not a data stream is considered for a time interval based on when the data value arrives during the time interval. The analysis system determines a maximum expected delay value for each data stream being processed. The analysis system evaluates the expression using data values that arrive before their maximum expected delay values. The analysis system also determines a failure threshold value for a data stream. If a data value of a data stream fails to arrive before the failure threshold value, the analysis system marks the data stream as dead.
    Type: Grant
    Filed: October 29, 2021
    Date of Patent: March 12, 2024
    Assignee: Splunk Inc.
    Inventors: Phillip Liu, Arijit Mukherji, Rajesh Raman