Patents Assigned to Splunk Inc.
  • Patent number: 11914501
    Abstract: An instrumentation analysis system processes data streams by executing instructions specified using a data stream language program. A user interface allows users to specify data stream language programs. The user interface presents widgets to the user to specify various components of a data stream language program, including a filter expression, an analytical function representing an aggregation or transformation, and so on. The user interface allows users to specify an expression based on results of previously specified data stream language programs. The instrumentation analysis system processes the data stream language programs specified by the user to generate a set of result data streams and plots the result data streams, for example, on a screen of a client device.
    Type: Grant
    Filed: August 31, 2021
    Date of Patent: February 27, 2024
    Assignee: Splunk Inc.
    Inventors: Eyal Ophir, Kevin Cheng
  • Patent number: 11914562
    Abstract: A method and system for managing searches of a data set that is partitioned based on a plurality of events. A structure of a search query may be analyzed to determine if logical computational actions performed on the data set are reducible. Data in each partition is analyzed to determine if at least a portion of the data in the partition is reducible. In response to a subsequent or reoccurring search request, intermediate summaries of reducible data and reducible search computations may be aggregated for each partition. Next, a search result may be generated based on at least one of the aggregated intermediate summaries, the aggregated reducible search computations, and a query of ad hoc non-reducible data arranged in at least one of the plurality of partitions for the data set.
    Type: Grant
    Filed: February 8, 2023
    Date of Patent: February 27, 2024
    Assignee: SPLUNK INC.
    Inventors: Ledion Bitincka, Stephen Phillip Sorkin, Steve Yu Zhang
  • Patent number: 11916764
    Abstract: Disclosed is a technique that can be performed by a server computer system. The technique can include obtaining data from each of multiple endpoint devices to form global data. The global data can be generated by the endpoint devices in accordance with local instructions in each of the endpoint devices. The technique further includes generating global instructions based on the global data and sending the global instructions to a particular endpoint device. The global instructions configure the particular endpoint device to perform a data analytic operation that analyzes events. The events can include raw data generated by a sensor of the particular endpoint device.
    Type: Grant
    Filed: January 9, 2023
    Date of Patent: February 27, 2024
    Assignee: SPLUNK INC.
    Inventors: Pradeep Baliganapalli Nagaraju, Adam Jamison Oliner, Brian Matthew Gilmore, Erick Anthony Dean, Jiahan Wang
  • Patent number: 11915377
    Abstract: Extended reality (XR) software application programs establish remote collaboration sessions in which a host device and one or more remote devices can interact. When initiating a remote collaboration session, an XR application in a host device determines a collaboration area. The collaboration area corresponds to a portion of a real-world environment that is shared by the host device with the one or more remote devices. In some embodiments, the collaboration area can be determined automatically and/or based on user input. The XR application causes sensors associated with the host device to scan the collaboration area. Then, the XR application transmits, to the one or more remote devices, a three-dimensional representation of the collaboration area for rendering in one or more remote XR environments.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: February 27, 2024
    Assignee: SPLUNK INC.
    Inventors: Devin Bhushan, Caelin Thomas Jackson-King, Stanislav Yazhenskikh, Jim Jiaming Zhu
  • Patent number: 11916929
    Abstract: An information technology (IT) and security operations application enables the automatic assignment of incident events to analysts based on a variety of characteristics of the incident events to be assigned, the analysts and analyst teams, and other considerations. An IT and security operations application can perform the automatic assignment of incident events based at least in part on data indicating each analyst's knowledge of certain types of incidents, data indicating each analyst's efficiency at responding to certain types of incidents, and the like, where such data is automatically created and maintained by the application.
    Type: Grant
    Filed: October 18, 2019
    Date of Patent: February 27, 2024
    Assignee: Splunk Inc.
    Inventors: Vadan Thimmegowda, Sourabh Satish
  • Patent number: 11907097
    Abstract: Techniques may include receiving a plurality of spans of trace data at a computing system during a first time period. The techniques may include storing the plurality of spans in a span partition of a data store. The data store can contain a plurality of span partitions with spans that are grouped in the partition by trace identifier. The device may include generating a timestamp partition, with an index of timestamps by trace identifiers, for the first time period. The techniques may include storing the timestamp partition in the data store. Also, the techniques may include identifying at least two timestamp partitions that correspond to a second time period that preceded the first time period. The techniques may include generating and storing a primary compacted timestamp partition by combining the at least two timestamp partitions.
    Type: Grant
    Filed: January 31, 2023
    Date of Patent: February 20, 2024
    Assignee: SPLUNK Inc.
    Inventors: Bogdan Cristian Drutu, Filip Slunecko, Charles Joseph Smith, Timothy Matthew Robin Williamson
  • Patent number: 11909750
    Abstract: Disclosed herein is a fraud analysis data reduction technique. When reviewing a large set of data for potential fraudulent action there is often too much data for a human to reasonably analyze. A technique to reduce the overall amount of data associates entities that have duplicate values stored in corresponding data elements with one another and removes those entities that do not have at least one duplicate value. The entities with duplicate values are entered into a node graph and analyzed for connected components. The connected components analysis and a duplicate threshold analysis provide usable results to identify fraudulent activity.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: February 20, 2024
    Assignee: SPLUNK INC.
    Inventor: Andrew Morris
  • Patent number: 11907244
    Abstract: A field extraction template simplifies the creation of field extraction rules by providing a user with a set of field names commonly assigned to a certain type of data, as well as guidance on how to extract values for those fields. These field extraction rules, in turn, facilitate access to certain “chunks” of the data, or to information derived from those chunks, through named fields. A field extraction template comprises at least a set of field names and ordering data for the field names. The ordering data indicates index positions that are associated with at least some of the field names. A delimiter is specified for splitting data items into arrays of chunks. The chunk of a data item that belongs to a given field name is the chunk whose position within the item's array of chunks is equivalent to the index position associated with the given field name.
    Type: Grant
    Filed: June 29, 2022
    Date of Patent: February 20, 2024
    Assignee: Splunk Inc.
    Inventors: Michael Kinsely, Alex Raitz, John Robert Coates, Shirley Wu
  • Patent number: 11907227
    Abstract: A computerized method is disclosed including operations of receiving a data stream, performing a changepoint detection resulting in a detection of changepoints in the data stream including: maintaining a listing of starting indices for each run within the data stream in a buffer of size L wherein each index of the listing has a run length probability representing a likelihood of being a changepoint, receiving a new data point within the data stream and adding a new index to the buffer resulting in the buffer having size L+1, calculating a posterior run length probability that the new data point is a changepoint, and removing an index from the listing that has a lowest run length probability thereby returning the buffer to size L, and responsive to determining the index removed from the listing does not correspond to the new data point, identifying a changepoint associated with the new data point.
    Type: Grant
    Filed: February 2, 2022
    Date of Patent: February 20, 2024
    Assignee: Splunk Inc.
    Inventors: Zhaohui Wang, Ryan Gannon, Xiao Lin, Abhinav Mishra, Chandrima Sarkar, Ram Sriharsha
  • Patent number: 11907271
    Abstract: First one or more values are extracted from a plurality of events using a first extraction rule. The extracted first one or more values are assigned to a first field of the plurality of events as a first set of field-data item pairs and a field label is assigned to the first field. Second one or more values and a field label corresponding to the second one or more values are extracted from the plurality of the events using a second extraction rule, where the extracted field label corresponds to the assigned field label of the first field. The extracted second one or more values are assigned to a second field of the plurality of events as a second set of field-data item pairs, thereby distinguishing the extracted second one or more values from the extracted first one or more values.
    Type: Grant
    Filed: October 21, 2020
    Date of Patent: February 20, 2024
    Assignee: Splunk Inc.
    Inventor: Marc Vincent Robichaud
  • Patent number: 11899670
    Abstract: Systems and methods are described for generation of queries for execution by a separate system. In order to establish a connection with the separate system, credentials can be obtained. For example, the credentials may be based on a user identifier and/or a login identifier. Indices can be identified that correspond to the credentials and a query can be identified that includes a selection of at least one of the indices. For example, the query may identify a set of log data ingested and indexed by the separate system. A request that includes the query, the credentials, and a connection identifier can be communicated to the separate system. In response to the request, a set of data can be received from the separate system. The set of data can be provided to a computing device. For example, the set of data can be provided to a computing device providing the query.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: February 13, 2024
    Assignee: Splunk Inc.
    Inventors: Ankit Bhagat, Steven Karis, Amin Moshgabadi, Rajesh Raman
  • Patent number: 11899658
    Abstract: A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital image via the camera and detects textual and/or pictorial content included in the acquired image that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: February 13, 2024
    Assignee: SPLUNK INC.
    Inventors: Devin Bhushan, Seunghee Han, Caelin Thomas Jackson-King, Jamie Kuppel, Stanislav Yazhenskikh, Jim Jiaming Zhu
  • Patent number: 11902081
    Abstract: Embodiments described herein are directed to facilitating management of collection agents. In one embodiment, a control request is provided to an agent service manager from an agent controller that manages collection agents that collect data. The agent controller and the collection agents operate on a computing machine remote from the agent service manager. In response to the control request, a control directive is received, the control directive including an agent event indicator indicating an agent event to be executed in association with a set of collection agents of the collection agents. Thereafter, execution of the agent event is initiated in association with each collection agent of the set of collection agents.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: February 13, 2024
    Assignee: Splunk Inc.
    Inventors: Dinesh Dutt Sharma, Anuj Gupta, Vinu K. Alazath
  • Patent number: 11902306
    Abstract: Techniques are described for enabling an IT and security operations application to detect and remediate advanced persistent threats (APTs). The detection of APTs involves the execution of search queries to search event data that initially was associated with lower-severity activity or that otherwise did not initially rise to the level of actionable event data in the application. The execution of such search queries may thus generally be configured to search non-real-time event data, e.g., event data that is outside of a current window of days or a week and instead searches and aggregates event data spanning time periods of many weeks, months, or years. Due to the nature of APTs, analyses of historical event data spanning such relatively long periods of time may in the aggregate uncover the types of persistent activity associated with APTs that would otherwise go undetected based only on searches of more current, real-time event data.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: February 13, 2024
    Assignee: Splunk Inc.
    Inventor: Sourabh Satish
  • Patent number: 11893296
    Abstract: Various embodiments of the present application set forth a computer-implemented method that includes generating a first alert that includes one or more parameters, wherein the first notification is associated with the first alert, receiving, by a wearable device, a notification dashboard that includes at least a first visualization associated with a first notification, storing, by the wearable device, the notification dashboard in a notification cache, and in response to receiving a request associated with the first notification, retrieving the notification dashboard from the notification cache, and displaying at least a portion of the first visualization included in the notification dashboard on the wearable device.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: February 6, 2024
    Assignee: SPLUNK INC.
    Inventors: Mingyuan Chen, Dylan Patricia Conway, Simon Tam
  • Patent number: 11895126
    Abstract: An information technology (IT) and security operations application is described that enables cross-tenant analyses of data to derive insights that can be used to provide actionable information across the application including, for example, action recommendations, threat confidence scores, and other incident data enrichments. The generation and presentation of such information to users of an IT and security operations application can enable analyst teams to more efficiently and accurately respond to various types of incidents in IT environments, thereby improving the overall operation and security of the IT environments. Furthermore, because of the shared use of an IT and security operations application concurrently by any number of separate tenants, such cross-tenant analyses can be performed in near real-time and on an ongoing basis to deliver relevant insights.
    Type: Grant
    Filed: October 18, 2019
    Date of Patent: February 6, 2024
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Robert John Truesdell
  • Patent number: 11893703
    Abstract: A mobile device is fitted with a camera and an extended reality (XR) software application program executing on a processor within an XR system. Via the XR software application program, various techniques are performed for manipulating virtual objects in an XR environment. In a first technique, the XR software application program facilitates the movement of a virtual object from a first location to a second location. In a second technique, the XR software application program facilitates the rotation of a virtual object. In a third technique, the XR software application program facilitates the scaling of a virtual object along one or more axes.
    Type: Grant
    Filed: August 29, 2022
    Date of Patent: February 6, 2024
    Assignee: SPLUNK INC.
    Inventors: Devin Bhushan, Jesse Chor, Glen Wong
  • Patent number: 11892976
    Abstract: Embodiments described herein facilitate enhancement of data model acceleration, including generating data model summaries and performing searches in an accelerated manner. In one implementation, obtaining a search query from a user device. A determination may be made to execute a search, in association with the search query, via an external computing service. As such, the search query, or a variant thereof, can be provided to the external computing service, wherein the external computing service executes the search using data model summaries stored in a remote data store that is separate from a set of events from which the data model summaries were generated. A set of search results are received from the external computing service, and such search results are provided to the user device.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: February 6, 2024
    Assignee: Splunk Inc.
    Inventors: Alexandros Batsakis, Ankit Jain, Manu Jose, Jonah Pan, Hailun Yan
  • Patent number: 11892988
    Abstract: A method includes selecting, from content packs in a centralized content management system, a content pack to update in a data intake and query system. The content pack includes utility objects. For each utility object of at least a subset of the utility objects determining whether the utility object already exists in the data intake and query system, and loading the utility object to the data intake and query system when the utility object does not exist to obtain an updated utility object. The method further includes monitoring, by the data intake and query system, an endpoint of an endpoint type using the updated utility object.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: February 6, 2024
    Assignee: Splunk Inc.
    Inventors: Kan Wu, Ian Edward Torbett, James Wang
  • Patent number: D1015375
    Type: Grant
    Filed: October 28, 2021
    Date of Patent: February 20, 2024
    Assignee: SPLUNK Inc.
    Inventors: Tatsuya Hama, Vanessa Jaber