Patents Assigned to Splunk Inc.
-
Patent number: 11818018
Abstract: The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display, on a computer system, a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements for managing one or more ephemeral event streams that contain temporarily generated time-series event data from the network packets, wherein managing the one or more ephemeral event streams comprises modifying an end time for terminating the capture of time-series event data in an ephemeral event stream. The system then updates the configuration information based on input received through the first set of user-interface elements.
Type: Grant
Filed: July 27, 2022
Date of Patent: November 14, 2023
Assignee: Splunk Inc.
Inventors: Fang I. Hsiao, Clayton S. Ching, Michael R. Dickey, Vladimir A. Shcherbakov, Nishant Teredesai, Cary Glen Noel
-
Patent number: 11816801
Abstract: A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital representation, comprising a 2D representation of a physical space and depth map, and detects 3D objects included in the acquired representation that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.
Type: Grant
Filed: January 29, 2021
Date of Patent: November 14, 2023
Assignee: SPLUNK INC.
Inventors: Devin Bhushan, Seunghee Han, Caelin Thomas Jackson-King, Jamie Kuppel, Stanislav Yazhenskikh, Jim Jiaming Zhu
-
Patent number: 11816140
Abstract: Described herein are technologies that facilitate effective use (e.g., indexing and searching) of non-text machine data (e.g., audio/visual data) in an event-based machine-data intake and query system.
Type: Grant
Filed: April 14, 2022
Date of Patent: November 14, 2023
Assignee: Splunk Inc.
Inventor: Adam Oliner
-
Patent number: 11811805
Abstract: One embodiment of the present invention sets forth a technique for predicting fraud by correlating user behavior biometric data with one or more other types of data. The technique includes receiving cursor movement data generated via a client device and analyzing the cursor movement data based on a model to generate a result. The model may be generated based on cursor movement data associated with a first group of one or more users. The technique further includes receiving log data generated via the client device and determining, based on the result and the log data, that a user of the client device is not a member of the first group.
Type: Grant
Filed: January 29, 2021
Date of Patent: November 7, 2023
Assignee: SPLUNK INC.
Inventors: Gleb Esman, Oleg Izmerly
-
Patent number: 11809492
Abstract: Systems and methods are described for processing ingested data using an online machine learning algorithm as the data is being ingested. For example, the online machine learning algorithm can be an adaptive thresholding algorithm used to identify outliers in a moving window of data. As another example, the online machine learning algorithm can be a sequential outlier detector that detects anomalous sequences of logs or events. As another example, the online machine learning algorithm can be a sentiment analyzer that determines whether text has a positive, negative, or neutral sentiment. As another example, the online machine learning algorithm can be a drift detector that detects whether ingested data marks the start of a change in the distribution of a time-series.
Type: Grant
Filed: January 31, 2023
Date of Patent: November 7, 2023
Assignee: Splunk Inc.
Inventor: Ram Sriharsha
-
Patent number: 11809395
Abstract: Systems and methods are described for balancing workloads and reliably delivering data to a plurality of indexing systems in a data intake and query system. A topic-based indexing system load balancer may receive event data from various data sources, each of which may be associated with a topic. The event data may be entirely unparsed, unparsed but divided into events, or parsed into events. The topic-based indexing system load balancer may distribute the received event data on a per-topic or per-event basis to a set of indexing systems, and may distribute topics and events based on the volume received. Unparsed data may be divided into portions, and the topic-based indexing system load balancer may ensure that portions of data associated with the same topic are delivered to the same indexer so that events split between two portions may be recombined and indexed.
Type: Grant
Filed: July 30, 2021
Date of Patent: November 7, 2023
Assignee: Splunk Inc.
Inventors: Jeff Fan, Daniel Ferstay, Denis Vergnes
-
Patent number: 11809810
Abstract: Techniques are described for optimizing the display of hierarchically organized data by dynamically rendering portions visible within a display area of a web browser. Using a web page file corresponding to a web page that includes the display of a visual tree structure representing JavaScript Object Notation (JSON) data and client-side executable logic, an application running at the client device displays the web page including the visual tree structure and one or more first tree nodes corresponding to first JSON objects from a first portion of the JSON data. In response to input requesting display of one or more second JSON objects from a second portion of the JSON data not currently displayed in the visual tree structure, the application modifies one or more elements of the web page to update display of the visual tree structure to include one or more second tree nodes corresponding to the second JSON objects.
Type: Grant
Filed: January 20, 2022
Date of Patent: November 7, 2023
Assignee: Splunk Inc.
Inventors: Trenton John Beals, Nuri Amari
-
Patent number: 11809397
Abstract: Embodiments of the present disclosure provide a method for performing search queries. The method comprises transmitting a list of active indexers in an indexer cluster from a cluster master for receipt by a first search head, wherein the cluster master is communicatively coupled with an indexer cluster comprising a plurality of indexers and the first search head. The method further comprises receiving a first slot request at the cluster master in response to a query from the first search head, wherein the first search head is operable to transmit the query to the active indexers for execution if granted the slot request. Further, the method comprises evaluating a plurality of policies to determine if the first slot request can be granted and responsive to a positive determination, transmitting an authorization token for a slot to the first search head.
Type: Grant
Filed: February 25, 2022
Date of Patent: November 7, 2023
Assignee: SPLUNK INC.
Inventor: Ashish Mathew
-
Patent number: 11809497
Abstract: Systems and methods are disclosed for processing events having raw machine data associated with a timestamp using one or more pivot identifiers and one or more step identifiers to generate one or more journey instances. Based on the one or more pivot identifier fields, the system can relate events that have a common field value for the pivot identifier field. Based on the one or more step identifiers, the system can group the related events into a subset of events. Using the subset of events, the system can build a journey instance.
Type: Grant
Filed: January 6, 2023
Date of Patent: November 7, 2023
Assignee: Splunk Inc.
Inventors: Joerg Beringer, Isabelle Park, Joshua Walters, Eric Tschetter, Simon Foster Fishel
-
Patent number: 11809439
Abstract: An example method of updating a client dashboarding component of an asset monitoring and reporting system comprises: identifying an update of a client dashboarding component of an asset monitoring and reporting system (AMRS), the client dashboarding component comprising one or more dynamic elements, each dynamic element associated with an asset node; receiving one or more search queries, each search query corresponding to a dynamic element of the one or more dynamic elements; modifying one or more dynamic elements of the client dashboarding component in accordance with the one or more search queries; and updating the client dashboarding component to reflect metric values associated with the modified dynamic elements.
Type: Grant
Filed: September 13, 2021
Date of Patent: November 7, 2023
Assignee: Splunk Inc.
Inventors: Joseph Timko, Richa Mehta, Pradeep Baliganapalli Nagaraju, Dharmalingam Madheswaran
-
Patent number: 11811587
Abstract: Described herein are systems, methods, and software to enhance the management of responses to incidents. In one example, a method of improving incident response comprises identifying an incident in an information technology (IT) environment associated with a first entity of a plurality of entities, and identifying action implementation information related to the incident. The method further anonymizes the action implementation information for the incident, and determines action suggestions based at least on the anonymized action implementation information.
Type: Grant
Filed: January 23, 2023
Date of Patent: November 7, 2023
Assignee: Splunk Inc.
Inventors: Oliver Friedrichs, Atif Mahadik, Govind Salinas, Sourabh Satish
-
Patent number: 11809405
Abstract: The present disclosure provides solutions for determining the divergence (delta) between the current and previous reference data structures for mutable data in a search head. A method is provided that includes updating a pre-existing lookup table in a search head, generating a delta file that identifies the divergence between the updated and previous lookup table, and distributing the delta file to other components in the search environment. The compatibility of the delta file is checked with the local instance of the lookup table in each search component, and the lookup table is applied if compatibility is determined. However, if the delta file is determined to not be compatible with the current version of a local lookup table in an indexer, the entire lookup table is sent to the requesting indexer instead.
Type: Grant
Filed: October 30, 2020
Date of Patent: November 7, 2023
Assignee: SPLUNK INC.
Inventors: Amritpal Singh Bath, Yuan Xu, Bharath Aleti, Manu Jose
-
Patent number: 11809447
Abstract: A system can collapse steps into an aggregate step to simplify analysis while maintaining underlying data that forms each of the steps collapsed into the aggregate step. The steps may or may not be related in a sequence or grouping of steps. The aggregate step may be a new step that comprises the data of the individual steps used to form the aggregate step. Alternatively, the aggregate step may be a virtual step that may reference or link to the steps used to form the aggregate step, but may not include the data itself. By forming aggregate steps, filtering and notification generation can be simplified. Further, extraneous data can be collapsed into a single aggregate step, which can be particularly advantageous when analyzing large data sets.
Type: Grant
Filed: April 30, 2020
Date of Patent: November 7, 2023
Assignee: Splunk Inc.
Inventors: Jonathan Dillman, Elizabeth Li, Cornelis Jacob Eduard de Vin
-
Patent number: 11805144
Abstract: Security related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization. Generating the visualization data includes assigning each entity to a separate polygon to be displayed concurrently on a display screen; selecting a size of each polygon to indicate one of: a number of security related anomalies associated with the entity, or a risk level assigned to the entity, where the risk level is based on the risk score of the entity, and selecting a color of each polygon to indicate the other one of: the number of security related anomalies associated with the entity, or the risk level assigned to the entity; and causing the color-coded interactive visualization to be displayed on a display device based on the visualization data.
Type: Grant
Filed: December 2, 2022
Date of Patent: October 31, 2023
Assignee: SPLUNK INC.
Inventors: Allison Lindsey Drake, James Irwin Ebeling, Marios Iliofotou, Lucas Keith Murphey, Mihir Randhir Parikh, Amarendra Pendala, Krishna Prasanna Sankaran, Sourabh Satish
-
Patent number: 11805148
Abstract: Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.
Type: Grant
Filed: October 28, 2021
Date of Patent: October 31, 2023
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 11803548
Abstract: A log-to-metrics transformation system includes a log-to-metrics application executing on a processor. The log-to-metrics transformation system receives a format associated with machine data, and further receives, via a first graphical control, a first set of metric identifiers corresponding to a first set of metrics associated with the machine data. The log-to-metrics transformation system generates a first set of mappings between the first set of metric identifiers and a first set of field values included in the machine data. The log-to-metrics transformation system stores the first set of mappings and an association with the format of the machine data. The log-to-metrics transformation system, based on the first set of mappings, causes the first set of field values to be extracted from the machine data. Further, a first metric included in the first set of metrics is determined based on at least a portion of the first set of field values.
Type: Grant
Filed: January 18, 2022
Date of Patent: October 31, 2023
Assignee: SPLUNK INC.
Inventors: Kieran Nicholas Cairney, Jindrich Dinga, Murugan Kandaswamy, Vishal Patel
-
Patent number: 11797542
Abstract: A system processes data stream language expressions that combine result data streams from multiple data stream language sub-expressions. The system determines a set of fixed dimensions based on static analysis of the data stream language sub-expression. The system determines a union set representing a union of the sets of fixed dimensions. The system determines at execution time of the data stream language expression, a plurality of sets of data streams. Each set of data streams corresponds to a data stream language sub-expression from the plurality of data stream language expressions. The system correlates data streams across the plurality of sets of data streams based on the union set. The system determines result data streams for the data stream language expression by combining data values of correlated data streams.
Type: Grant
Filed: July 13, 2021
Date of Patent: October 24, 2023
Assignee: Splunk Inc.
Inventors: Rajesh Raman, Maxime Petazzoni, Arijit Mukherji, Phillip Liu
-
Patent number: 11798209
Abstract: Embodiments of the disclosure are systems and methods for updating third party visualizations in response to a query. In one embodiment, a method is provided that includes receiving input data comprising events, where the events comprise time-stamped machine-generated data. The method also comprises receiving a modular visualization that includes a variable field associated with a visualization and instructions for rendering the visualization using the input data and the variable field. Further, the method comprises rendering the visualization based on the input data and a value associated with the variable field. Additionally, the method comprises updating the value of the variable field and obtaining updated input data using a search query that is generated using the updated value. The visualization is re-rendered based on the updated input data and the updated value.
Type: Grant
Filed: April 28, 2022
Date of Patent: October 24, 2023
Assignee: SPLUNK INC.
Inventors: Nicholas Filippi, Simon Fishel, Siegfried Puchbauer-Schnabel, Mathew Elting, Carl Yestrau
-
Patent number: 11797366
Abstract: A process for analyzing an incident includes setting up an alert for a high error rate on a particular endpoint. Once the alert is triggered, a set of traces for transactions exhibiting errors on the offending endpoint is queried. All traces for other services/operations that include errors on the offending endpoint are also enumerated. A set of baseline transactions that involve the offending endpoint, but do not result in error may be utilized to determine whether the errors are always present, or are distinctive for certain offending transactions. All traces are ranked based on a statistic. Once the traces have been ranked, they may be traced down to a deepest/most terminal error. A set of transactions that correlate to the terminal error may also be analyzed to determine infrastructure causes.
Type: Grant
Filed: July 12, 2022
Date of Patent: October 24, 2023
Assignee: Splunk Inc.
Inventor: Joseph Ari Ross
-
Patent number: 11799798
Abstract: Techniques are described for providing a cloud data collector (CDC) application for managing the generation of infrastructure templates. The CDC application provides graphical user interfaces that enable a user to provide inputs indicating configurations of data to be ingested by the data intake and query system, each configuration including one or more user accounts, in addition to data sources and regions associated with data sources. Using the configurations provided as input to the CDC application, the CDC application generates an infrastructure template that can be used to configure the service provider network to provide the requested security data to the data intake and query system.
Type: Grant
Filed: October 25, 2022
Date of Patent: October 24, 2023
Assignee: Splunk Inc.
Inventors: Omprakaash Thoppai, Sakib Mehasanewala, Yogesh Sontakke