Patents Assigned to Splunk Inc.
-
Patent number: 11829415
Abstract: Systems and methods are described for improving data availability and/or resiliency of indexers of a data intake and query system. Due to a lag between the time at which data is received and the time at which the data is available for searching, the data intake and query system may receive a query indicating that received (but unavailable for search) data is to be included as part of the query. A cluster master can dynamically track what data is available for searching by different indexers and map the data to filter criteria using a bucket map identifier. When a search head receives a query, it can request a bucket map identifier from the cluster master and send the bucket map identifier to the indexers that will be executing the query. The indexers can use the bucket map identifier to request the individual buckets that they are assigned to search.
Type: Grant
Filed: January 31, 2020
Date of Patent: November 28, 2023
Assignee: Splunk Inc.
Inventors: Alexandros Batsakis, Mehul Goyal, Ashish Mathew, Douglas Rapp, Igor Stojanovski, Eric Woo
-
Patent number: 11829330
Abstract: Systems and methods are disclosed for processing data associated with isolated execution environments. A chunk of data associated with an isolated execution environment can include log data and non-log data. At least a portion of the log data can include log data generated by the isolated execution environment. The system can parse the chunk of data to identify the log data and the non-log data and extract at least a portion of the log data from the chunk of data. The extracted data can be further processed to generate one or more events.
Type: Grant
Filed: December 29, 2021
Date of Patent: November 28, 2023
Assignee: Splunk Inc.
Inventors: Zhimin Liang, Matthew Modestino, David Christopher Baldwin, Marc Andre Chéné, Blaine Wastell
-
Patent number: 11829236
Abstract: Systems and methods are disclosed for monitoring features of a computing device of a distributed computing system using a self-monitoring module. The self-monitoring module can include multiple feature-specific monitoring modules and one or more parent nodes for the feature-specific monitoring modules. A feature-specific monitoring module can identify or detect a fault status change, such as a fault condition or fault resolution, for one or more features. Based on the identified fault conditions or fault resolutions, the feature-specific monitoring module can determine an internal status and communicate an updated status to a parent node.
Type: Grant
Filed: May 27, 2022
Date of Patent: November 28, 2023
Assignee: Splunk Inc.
Inventors: Amritpal Singh Bath, Bharath Kishore Reddy Aleti, Octavio Enrique Di Sciullo, Tingjin Xu, Jason Andrew Beyers, Kartheek Babu Kolla, Chaithra Nataraj, Clara Elizabeth Lee
-
Patent number: 11829746
Abstract: Systems and methods are disclosed for providing a multi-component application, including a first and second component. Functionality of the application may be easily and rapidly modified by modification to the first component, without requiring modification to the second component. The first component may be implemented locally at a client device, while the second component is implemented remotely. While modification of the second component may require privileges of a remote location, a user of a client device may modify the first component while maintaining interoperability and compatibility with the second component, thereby enabling the end user to modify functionality of the multi-component application. In some instances, different versions of a first component are provided, and an end user of a client device is enabled to specify which version of the first component should be used.
Type: Grant
Filed: January 31, 2022
Date of Patent: November 28, 2023
Assignee: Splunk Inc.
Inventors: Akash Dwivedi, Simon Foster Fishel, Isabelle Park, Vivian Shen, Eric Tschetter, Joshua Walters
-
Patent number: 11831649
Abstract: Embodiments are directed towards a system and method for a cloud-based front end that may abstract and enable access to the underlying cloud-hosted elements and objects that may be part of a multi-tenant application, such as a search application. Search objects may be employed to access indexed objects. An amount of indexed data accessible to a user may be based on an index storage limit selected by the user, such that data that exceeds the index storage limit may continue to be indexed. Also, one or more projects can be elastically scaled for a user to provide resources that may meet the specific needs of each project.
Type: Grant
Filed: December 5, 2022
Date of Patent: November 28, 2023
Assignee: SPLUNK INC.
Inventors: Robin Kumar Das, Ledio Ago, Declan Gerard Shanaghy, Gaurav Gupta
-
Patent number: 11822512
Abstract: A graphical user interface allows a customer to specify delimiters and/or patterns that occur in event data and indicate the presence of a particular field. The graphical user interface applies a customer's delimiter specifications directly to event data and displays the resulting event data in real time. Delimiter specifications may be saved as configuration settings and systems in a distributed setting may use the delimiter specifications to extract field values as the systems process raw data into event data. Extracted field values are used to accelerate search queries that a system receives.
Type: Grant
Filed: September 19, 2022
Date of Patent: November 21, 2023
Assignee: Splunk Inc.
Inventor: Jesse Miller
-
Patent number: 11822597
Abstract: A mobile device that includes a camera and an extended reality software application program is employed by a user in an operating environment, such as an industrial environment. One or more objects within a geofence may be identified. A device crosses within the geofence and acquires sensor data associated with an object within the geofence. The sensor data may include image data and/or audio data. The device or a server system may then determine an object identifier associated with the object based on a comparison of the sensor data with data associated with object identifiers corresponding to objects within the geofence. Based on the object identifier, data associated with the object are obtained. The data associated with the object may be presented via the device, such as an extended reality overlay over a view of the object in the device.
Type: Grant
Filed: August 13, 2020
Date of Patent: November 21, 2023
Assignee: SPLUNK INC.
Inventors: Jesse Chor, Michael Emery, Christopher Chan, Glen Wong, Devin Bhushan
-
Patent number: 11823407
Abstract: A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital representation, comprising a 2D representation of a physical space and a depth map, and detects 3D objects included in the acquired representation that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.
Type: Grant
Filed: January 29, 2021
Date of Patent: November 21, 2023
Assignee: SPLUNK INC.
Inventors: Devin Bhushan, Seunghee Han, Caelin Thomas Jackson-King, Jamie Kuppel, Stanislav Yazhenskikh, Jim Jiaming Zhu
-
Patent number: 11824938
Abstract: Described herein are techniques for integrating external sensors to an edge device, such as for ingesting data into a data intake and query system. The edge device has an internal message broker for communicating with internal (e.g., preconfigured, recognized) sensors, and an external message broker for communicating with external (e.g., customer-configured, otherwise unrecognized) sensors. The external message broker provides access to customer configuration of external sensors, but is logically quarantined from the internal message broker to prevent unwanted customer access to internal configurations. The internal and external message brokers interface only via a bridging service that transforms external sensor data into data based on customer-configurable transformations. The transformed data can be handled by the edge device and/or downstream components (e.g., a data intake and query system) in the same manner as internal sensor data.
Type: Grant
Filed: October 28, 2022
Date of Patent: November 21, 2023
Assignee: SPLUNK Inc.
Inventors: Rodrigo Paulo Quaresma, Neel Mehta, Warren Shum, William Huang, Jonathan Yeung, Yi Chien Lee, Masrur Mahmood, Anthony Ng, Allyson Aberg, Qi Shu, Neha Kumari, Joel Jacob
-
Patent number: 11824646
Abstract: A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
Type: Grant
Filed: June 21, 2022
Date of Patent: November 21, 2023
Assignee: SPLUNK INC.
Inventors: Sudhakar Muddu, Christos Tryfonas
-
Patent number: 11822372
Abstract: Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generated and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.
Type: Grant
Filed: April 29, 2022
Date of Patent: November 21, 2023
Assignee: Splunk Inc.
Inventors: R. David Carasso, Micah James Delfino, Johnvey Hwang
-
Patent number: 11824729
Abstract: In accordance with some implementations of the present disclosure, a cityscape generator is disclosed herein that may generate a three-dimensional cityscape including at least one neighborhood that represents the at least one stack of the cloud computing system, the at least one neighborhood includes a cluster of nodes associated with a set of compute resources of the at least one stack. The cluster of nodes may be located within a subdivision of the at least one neighborhood and may include a plurality of worker nodes associated with compute resources that provide services and one or more administrative nodes associated with one or more compute resources that monitor and manage the compute resources associated with the worker nodes. The subdivision further includes a beacon to indicate overall health of the subdivision.
Type: Grant
Filed: March 7, 2022
Date of Patent: November 21, 2023
Assignee: Splunk Inc.
Inventor: Horst Werner
-
Patent number: 11822640
Abstract: Provided are systems and methods for verifying user credentials for performing a search. Verifying user credentials includes receiving a search request at a search server and determining, at the search server, whether a set of user credentials of a user has been updated within a threshold period of time. The set of user credentials is received from an identity provider server and cached at the search server. Responsive to determining that the cached set of user credentials has not been updated within the threshold period of time, the identity provider server is queried for a current set of user credentials associated with the user. The current set of user credentials is received from the identity provider server and used to determine that the user is authorized to perform the search. The search of the datastore is launched responsive to determining that the user is authorized.
Type: Grant
Filed: June 14, 2021
Date of Patent: November 21, 2023
Assignee: Splunk Inc.
Inventors: Jagannath Kerai, Rama Gopalan
-
Patent number: 11822433
Abstract: Embodiments of the present disclosure provide solutions for determining an elected search head captain is unqualified for the position, identifying a more qualified search head, and transferring the captain position to the more qualified search head. A method is provided that includes referencing qualification parameters in an elected search head captain, determining whether the newly elected search head captain is qualified for the position based on the parameters, identifying a more qualified search head to be the search head captain if the newly elected search head captain is determined to be unqualified for the position, and transferring the position of captain to the more qualified search head. The qualification parameters may include, for example, a pre-determined static flag set by an administrator of the search environment, and configuration replication status that corresponds to the most recent configuration state of the search head as recorded by the previous search head captain.
Type: Grant
Filed: January 28, 2021
Date of Patent: November 21, 2023
Assignee: SPLUNK INC.
Inventors: Ankit Jain, Manu Jose, Jr., Bharath Kishore Reddy Aleti, Amritpal Singh Bath, Yuan Xu
-
Patent number: 11818087
Abstract: A method comprises executing a user-to-user messaging application in a first computer system used by a user support agent. The user-to-user messaging application receives an input from the user support agent, where the input includes a command for triggering a test of a human-invocable operation of a service that operates on a first cloud-based computing platform. The user-to-user messaging application transmits the command from the first computer system to a web service hosted on a second cloud-based computing platform via a computer network, to invoke an API of the web service. The second cloud-based computing platform is remote from the first computer system. Invocation of the API by the web service initiates the test of the human-invocable operation of the cloud-based service that operates on the first cloud-based computing platform.
Type: Grant
Filed: March 21, 2022
Date of Patent: November 14, 2023
Assignee: SPLUNK INC.
Inventors: Manoj Bapuji Palki, Kapil Rastogi
-
Patent number: 11816321
Abstract: Embodiments of the present invention are directed to enhancing extraction rules utilizing user feedback. In embodiments, a set of extraction rules relevant to an event set are provided for display. Thereafter, a selection of an extraction rule is received and, in response, a set of events matching the selected extraction rule is provided for display. A modification, for example provided by a user, in association with the extraction rule or the set of events is received. Such a modification is then used (e.g., via machine learning) to enhance extraction rules available for performing subsequent data extraction.
Type: Grant
Filed: January 31, 2019
Date of Patent: November 14, 2023
Assignee: Splunk Inc.
Inventors: Li Li, Yongxin Su, Ting Yuan, Qian Jie Zhong, Yiyun Zhu
-
Patent number: 11816108
Abstract: Custom communication alert techniques are described. In one or more implementations, a triggering condition is detected by one or more computing devices that is found by searching data using one or more extraction rules of a late-binding schema. Responsive to the detection of the triggering condition of the alert, a communication is formed by the one or more computing devices that corresponds to the alert and that includes one or more tokens based on one or more values of the data taken from fields defined by the one or more extraction rules. The communication is caused to be transmitted by the one or more computing devices via a network for receipt by at least one computing device of an intended recipient of the communication.
Type: Grant
Filed: June 2, 2022
Date of Patent: November 14, 2023
Assignee: Splunk Inc.
Inventors: Nicholas John Filippi, Katherine Kyle Feeney, Cory Eugene Burke, Abhinav Prasad Nekkanti, Marc Vincent Robichaud, Irina Korobova
-
Patent number: 11816670
Abstract: Various embodiments of the present invention set forth techniques for monitoring risk in a computing system. The technique includes creating one or more risk objects, where each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment. The technique further includes receiving a selection of a first risk object included in the one or more risk objects and receiving a first risk definition that corresponds to the first risk object. The technique further includes performing a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data and performing an action based on identifying the risk.
Type: Grant
Filed: May 31, 2022
Date of Patent: November 14, 2023
Assignee: SPLUNK INC.
Inventor: Gleb Esman
-
Patent number: 11816511
Abstract: According to embodiments, a method for virtual partitioning of data includes receiving a data stream comprising a plurality of traces, each trace comprising a plurality of spans from a plurality of users. The method also includes assigning the plurality of traces of the data stream to a plurality of virtual partitions based on each user of the plurality of users, each virtual partition of the plurality of virtual partitions comprising data of a user of the plurality of users. The method also includes scheduling at least a subset of the plurality of virtual partitions to at least one user partition of a shared topic, the at least one user partition comprising data from at least one virtual partition of at least one user of the plurality of users. The method also includes indexing each user partition of the shared topic based on each user and each virtual partition.
Type: Grant
Filed: February 28, 2023
Date of Patent: November 14, 2023
Assignee: Splunk Inc.
Inventors: Steven Karis, Maxime Petazzoni, Matthew William Pound, Charles Smith, Chengyu Yang
-
Patent number: 11816140
Abstract: Described herein are technologies that facilitate effective use (e.g., indexing and searching) of non-text machine data (e.g., audio/visual data) in an event-based machine-data intake and query system.
Type: Grant
Filed: April 14, 2022
Date of Patent: November 14, 2023
Assignee: Splunk Inc.
Inventor: Adam Oliner