Patents Assigned to Splunk Inc.
  • Patent number: 11809447
    Abstract: A system can collapse steps into an aggregate step to simplify analysis while maintaining underlying data that forms each of the steps collapsed into the aggregate step. The steps may or may not be related in a sequence or grouping of steps. The aggregate step may be a new step that comprises the data of the individual steps used to form the aggregate step. Alternatively, the aggregate step may be a virtual step that may reference or link to the steps used to form the aggregate step, but may not include the data itself. By forming aggregate steps, filtering and notification generation can be simplified. Further, extraneous data can be collapsed into a single aggregate step, which can be particularly advantageous when analyzing large data sets.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: November 7, 2023
    Assignee: Splunk Inc.
    Inventors: Jonathan Dillman, Elizabeth Li, Cornelis Jacob Eduard de Vin
  • Patent number: 11809810
    Abstract: Techniques are described for optimizing the display of hierarchically organized data by dynamically rendering portions visible within a display area of a web browser. Using a web page file corresponding to a web page that includes the display of a visual tree structure representing JavaScript Object Notation (JSON) data and client-side executable logic, an application running at the client device displays the web page including the visual tree structure and one or more first tree nodes corresponding to first JSON objects from a first portion of the JSON data. In response to input requesting display of one or more second JSON objects from a second portion of the JSON data not currently displayed in the visual tree structure, the application modifies one or more elements of the web page to update display of the visual tree structure to include one or more second tree nodes corresponding to the second JSON objects.
    Type: Grant
    Filed: January 20, 2022
    Date of Patent: November 7, 2023
    Assignee: Splunk Inc.
    Inventors: Trenton John Beals, Nuri Amari
  • Patent number: 11803548
    Abstract: A log-to-metrics transformation system includes a log-to-metrics application executing on a processor. The log-to-metrics transformation system receives a format associated with machine data, and further receives, via a first graphical control, a first set of metric identifiers corresponding to a first set of metrics associated with the machine data. The log-to-metrics transformation system generates a first set of mappings between the first set of metric identifiers and a first set of field values included in the machine data. The log-to-metrics transformation system stores the first set of mappings and an association with the format of the machine data. The log-to-metrics transformation system, based on the first set of mappings, causes the first set of field values to be extracted from the machine data. Further, a first metric included in the first set of metrics is determined based on at least a portion of the first set of field values.
    Type: Grant
    Filed: January 18, 2022
    Date of Patent: October 31, 2023
    Assignee: SPLUNK INC.
    Inventors: Kieran Nicholas Cairney, Jindrich Dinga, Murugan Kandaswamy, Vishal Patel
  • Patent number: 11805148
    Abstract: Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.
    Type: Grant
    Filed: October 28, 2021
    Date of Patent: October 31, 2023
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 11805144
    Abstract: Security related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization. Generating the visualization data includes assigning each entity to a separate polygon to be displayed concurrently on a display screen; selecting a size of each polygon to indicate one of: a number of security related anomalies associated with the entity, or a risk level assigned to the entity, where the risk level is based on the risk score of the entity, and selecting a color of each polygon to indicate the other one of: the number of security related anomalies associated with the entity, or the risk level assigned to the entity; and causing the color-coded interactive visualization to be displayed on a display device based on the visualization data.
    Type: Grant
    Filed: December 2, 2022
    Date of Patent: October 31, 2023
    Assignee: SPLUNK INC.
    Inventors: Allison Lindsey Drake, James Irwin Ebeling, Marios Iliofotou, Lucas Keith Murphey, Mihir Randhir Parikh, Amarendra Pendala, Krishna Prasanna Sankaran, Sourabh Satish
  • Patent number: 11797168
    Abstract: Provided are systems and methods for determining and displaying automatically binned information via a graphical user interface. A graphical user interface (GUI) may include a first graphical element representing a first metric value for a first time window and a second graphical element representing a second metric value for a second time window. An indication of a selection of the first time window may be received via the GUI. An updated GUI comprising a third graphical element representing a third metric value for the third time window and a fourth graphical element representing the fourth metric value for the fourth time window may be displayed, wherein the third time window and the fourth time window may be sub-ranges of the first time window.
    Type: Grant
    Filed: July 1, 2022
    Date of Patent: October 24, 2023
    Assignee: SPLUNK INC.
    Inventors: Nicholas Filippi, Siegfried Puchbauer-Schnabel, Cary Noel
  • Patent number: 11797532
    Abstract: Systems and methods provide a platform of at least partially pre-defined panel templates that a user can select and manipulate to customize the visualization of data of interest within an interactive dashboard. Each panel template may be defined by a developer in advance to include a set of inputs, a query, and a visualization. Users may select pre-defined panel templates for inclusion in the dashboard, and then when the dashboard is actually displayed, use the set of inputs of a particular panel to specify criteria that may further define the corresponding query and/or the visualization of data produced by executing the query. An electronic dashboard is provided having a combination of available panel templates that may be selected and arranged according to a desired page layout or design. One or more reusable panel templates may be provided to a user of an enterprise application for data analysis and visualization.
    Type: Grant
    Filed: November 19, 2021
    Date of Patent: October 24, 2023
    Assignee: SPLUNK INC.
    Inventors: Michael Joseph Papale, Mark A. Groves
  • Patent number: 11798209
    Abstract: Embodiments of the disclosure are systems and methods for updating third party visualizations in response to a query. In one embodiment, a method is provided that includes receiving input data comprising events, where the events comprise time-stamped machine-generated data. The method also comprises receiving a modular visualization that includes a variable field associated with a visualization and instructions for rendering the visualization using the input data and the variable field. Further, the method comprises rendering the visualization based on the input data and a value associated with the variable field. Additionally, the method comprises updating the value of the variable field and obtaining updated input data using a search query that is generated using the updated value. The visualization is re-rendered based on the updated input data and the updated value.
    Type: Grant
    Filed: April 28, 2022
    Date of Patent: October 24, 2023
    Assignee: SPLUNK INC.
    Inventors: Nicholas Filippi, Simon Fishel, Siegfried Puchbauer-Schnabel, Mathew Elting, Carl Yestrau
  • Patent number: 11797618
    Abstract: Disclosed is a data fabric service system that can be implemented in a distributed computer network, such as a data intake and query system. The data index and query system can receive a search query and define a search scheme for applying the search query on distributed data storage systems including internal data storage and external data storage. The data index and query system may provide a portion of the search scheme to a search service of the data fabric service system, which can cause worker nodes of the data fabric service system to perform various functions—including applying the search query to the external data storage based on the portion of the search scheme in order to obtain search results.
    Type: Grant
    Filed: June 30, 2022
    Date of Patent: October 24, 2023
    Assignee: Splunk Inc.
    Inventors: Sourav Pal, Christopher Pride, Arindam Bhattacharjee, Xiaowei Wang, James Alasdair Robert Hodge, Mustafa Ahamed
  • Patent number: 11797542
    Abstract: A system processes data stream language expressions that combine result data streams from multiple data stream language sub-expressions. The system determines a set of fixed dimensions based on static analysis of the data stream language sub-expression. The system determines a union set representing a union of the sets of fixed dimensions. The system determines at execution time of the data stream language expression, a plurality of sets of data streams. Each set of data streams corresponds to a data stream language sub-expression from the plurality of data stream language expressions. The system correlates data streams across the plurality of sets of data streams based on the union set. The system determines result data streams for the data stream language expression by combining data values of correlated data streams.
    Type: Grant
    Filed: July 13, 2021
    Date of Patent: October 24, 2023
    Assignee: Splunk Inc.
    Inventors: Rajesh Raman, Maxime Petazzoni, Arijit Mukherji, Phillip Liu
  • Patent number: 11797366
    Abstract: A process for analyzing an incident includes setting up an alert for a high error rate on a particular endpoint. Once the alert is triggered, a set of traces for transactions exhibiting errors on the offending endpoint is queried. All traces for other services/operations that include errors on the offending endpoint are also enumerated. A set of baseline transactions that involve the offending endpoint, but do not result in error may be utilized to determine whether the errors are always present, or are distinctive for certain offending transactions. All traces are ranked based on a statistic. Once the traces have been ranked, they may be traced down to a deepest/most terminal error. A set of transactions that correlate to the terminal error may also be analyzed to determine infrastructure causes.
    Type: Grant
    Filed: July 12, 2022
    Date of Patent: October 24, 2023
    Assignee: Splunk Inc.
    Inventor: Joseph Ari Ross
  • Patent number: 11799798
    Abstract: Techniques are described for providing a cloud data collector (CDC) application for managing the generation of infrastructure templates. The CDC application provides graphical user interfaces that enable a user to provide inputs indicating configurations of data to be ingested by the data intake and query system, each configuration including one or more user accounts, in addition to data sources and regions associated with data sources. Using the configurations provided as input to the CDC application, the CDC application generates an infrastructure template that can be used to configure the service provider network to provide the requested security data to the data intake and query system.
    Type: Grant
    Filed: October 25, 2022
    Date of Patent: October 24, 2023
    Assignee: Splunk Inc.
    Inventors: Omprakaash Thoppai, Sakib Mehasanewala, Yogesh Sontakke
  • Patent number: 11799728
    Abstract: One or more embodiments are directed to multistage device clustering. A log including network traffic of multiple devices in a network is received. From the log, features of the devices are extracted and an aggregated feature matrix generated. A traffic behavior subset of the features in the aggregated feature matrix is selected, and a topic modeling algorithm applied thereto to obtain traffic behavior device groups. An application behavior subset of the features in the aggregated feature matrix is selected. On a per traffic behavior device group basis, the topic modeling algorithm is applied to the application behavior subset to obtain application behavior device subgroups. One or more devices are assigned to at least one of the plurality of application behavior device subgroups to obtain an assignment.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: October 24, 2023
    Assignee: Splunk Inc.
    Inventors: George Apostolopoulos, Zhuxuan Jin
  • Patent number: 11798235
    Abstract: Various implementations of the present application set forth a method comprising generating, three-dimensional data and two-dimensional data representing a physical space that includes a real-world asset, generating an adaptable three-dimensional (3D) representation of the physical space based on the two-dimensional and three-dimensional data, where the adaptable 3D representation includes a plurality of coordinates representing different positions in 3D coordinate space corresponding to the physical space, transforming the adaptable 3D representation into geometry data comprising a set of vertices, faces comprising edges between pairs of vertices, and texture data, transmitting the geometry data to a remote device, wherein the remote device, constructs, based on the geometry data, the adaptable 3D representation of the physical space for display at a location of the remote device in a remote environment, and modifies, based on an input, at least one of a dimension or a position of the adaptable 3D representa
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: October 24, 2023
    Assignee: SPLUNK INC.
    Inventors: Devin Bhushan, Seunghee Han, Caelin Thomas Jackson-King, Jamie Kuppel, Stanislav Yazhenskikh, Jim Jiaming Zhu
  • Patent number: 11789943
    Abstract: A computer-implemented method for analyzing spans and traces associated with a microservices-based application executing in a distributed computing environment comprises aggregating a plurality of ingested spans associated with one or more applications executing in the distributed computing environment into a plurality of traces, wherein each of the plurality of ingested spans is associated with a plurality of tags. The method further comprises comparing durations of a set of related traces of the plurality of traces to determine patterns for the plurality of tags and generating a histogram that represents a distribution of the durations of the set of related traces. The method also comprises providing alerts for one or more tags from the plurality of tags associated with traces having a duration above a threshold based on the distribution of the durations.
    Type: Grant
    Filed: May 31, 2022
    Date of Patent: October 17, 2023
    Assignee: SPLUNK Inc.
    Inventors: Gergely Danyi, Steven Flanders, Joseph Ari Ross, Justin Smith, Eric Wohlstadter, Chengyu Yang
  • Patent number: 11789804
    Abstract: A method of identifying a root cause of a failure for a trace within a microservices-based application includes determining if a root span of the trace is an error span resulting in an error experienced by a user at a front end of the microservices-based application. If the root span of the trace is an error span, the method analyzes a plurality of spans comprising the trace to determine if the trace comprises at least one leaf error span. If the trace comprises a single leaf error span, the method attributes the root cause of the failure in the trace to a service associated with the single leaf error span. If the trace comprises multiple leaf error spans the method attributes the root cause of the failure in the trace to a service associated with a leaf error span of the multiple leaf error spans comprising a latest starting timestamp.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: October 17, 2023
    Assignee: SPLUNK Inc.
    Inventors: Gergely Danyi, Sakshi Garg, Maxime Petazzoni, Sahinaz Safari Sanjani, Timothy Matthew Robin Williamson, Eric Wohlstadter
  • Patent number: 11789950
    Abstract: Systems and methods are described for a streaming data processing system that defers processing of some data based on a determined importance of the data. A streaming data processing system can ingest a data stream that contains multiple events, and can extract data field values from individual events and process the data field values to determine event importance. The streaming data processing system can then do further processing and indexing of high importance events, and can generate a storage prefix for each low importance event that determines where to store the low importance event in a data storage system. The streaming data processing system can then process queries by retrieving the indexed high importance events, and can extract the data field values from a high importance event to determine the storage prefix for retrieving corresponding low importance events from the data storage system.
    Type: Grant
    Filed: October 19, 2020
    Date of Patent: October 17, 2023
    Assignee: Splunk Inc.
    Inventors: Paul Jean André Bernier, Poornima Devaraj, Ivneet Kaur, Zhimin Liang, Min Zhang
  • Patent number: 11792157
    Abstract: The disclosure provides implementations for determining whether domain name server (DNS) beaconing is present within a communication session. Some implementations provide a method that includes multiple analyses directed to analyzing each of a time-to-live (TTL) run length distribution for a plurality of DNS records within the communication session and analyzing whether the communication is comprised of at least a threshold number of transmissions. As used in the analyses, the communication session may be comprised of transmissions between a first source device and a first DNS. When DNS beaconing is detected within the communication session, some implementations of the disclosure provide for generating an alert to an administrator or other user.
    Type: Grant
    Filed: September 9, 2022
    Date of Patent: October 17, 2023
    Assignee: Splunk Inc.
    Inventors: Abhinav Mishra, Giovanni Mola, Ram Sriharsha, Zhaohui Wang
  • Patent number: 11790649
    Abstract: A mobile device is fitted with an extended reality (XR) software application program executing on a processor within an XR system, and optionally a camera. Via the XR software application program, various techniques are performed for interacting with a physical object via the XR environment. In particular, the XR software application program generates and displays visual representations of real-time metric data received from a data intake and query system along with auxiliary data received from an asset management system. In addition, the XR software application program detects user interactions with the XR environment. In response, the XR software application generates messages directed to the asset management system. The messages include commands to update the auxiliary data associated with the physical object.
    Type: Grant
    Filed: March 14, 2022
    Date of Patent: October 17, 2023
    Assignee: SPLUNK INC.
    Inventors: Devin Bhushan, Jesse Chor, Sammy Lee, Glen Wong
  • Patent number: 11789961
    Abstract: An event limited field picker for a search user interface is described. In one or more implementations, a service may operate to collect and store data as events each of which includes a portion of the data correlated with a point in time. Clients may use a search user interface to perform searches by input of search criteria. Responsive to receiving search criteria, the service may operate to apply a late binding schema to extract events that match the search criteria and provide search results for display via the search user interface. The search user interface exposes an event limited field picker operable to make selections of fields with respect to individual events in a view of the search results. In response to receiving an indication of fields selected via the picker, visibility of selected fields may be updated to control which field and values are included in different views.
    Type: Grant
    Filed: June 16, 2020
    Date of Patent: October 17, 2023
    Assignee: Splunk Inc.
    Inventors: Divanny I. Lamas, Marc Vincent Robichaud, Carl Sterling Yestrau