Abstract: A multitenant deployment includes a computing cluster that executes multiple containerized instances of a software application. Each containerized instance is associated with one or more datastores that can be assigned to different tenants. A registry store maintains a mapping between tenants and datastores, thereby allowing a registry manager to properly route tenant requests to the correct datastores. A capacity manager tracks tenant usage of datastores in the registry store and then scales computing resources for each tenant in proportion to usage. The capacity manager also migrates tenant resources in response to catastrophic failures or upgrades. In this fashion, the multitenant deployment can adapt a single-tenant software application for multi-tenancy in a manner that is both transparent and secure for the tenant.

Abstract: Systems and methods are described for reducing execution time of a query that references external data systems. The system can determine an external data system is capable of processing one or more map or reduce phases of a map-reduce operation. When it is determined that the external data system can process a map or reduce phase, associated operations may be reassigned from the system to the external data system reducing the processing resources used by the system to response to the query and, in some cases, speeding up performance of the query.

Abstract: Systems and methods are described for a implementing a streaming data processing system that includes a pool of pre-configured resources and a pool of dedicated resources. The streaming data processing system can implement a processing pipeline using compute resources. The pool of pre-configured resources can support previews of processing pipelines for a plurality of users and the pool of dedicated resources can support full deployments of processing pipelines for a particular user. The streaming data processing system can implement a preview of a processing pipeline using a pre-configured resource of the pool of pre-configured resources. Further, the streaming data processing system can implement the processing pipeline using a dedicated resource of the pool of dedicated resources. The streaming data processing system can provision the dedicated resource and deploy the processing pipeline using the dedicated resource.

Abstract: Systems and methods are described for a query conversion system to convert a first query string from a first version of a query language to a second version of the query language. The query conversion system may be associated with a tokenizer and parser, code converter, compatibility library, and a query formatter. The tokenizer and parser may tokenize and parse a query string to create a first node tree with commands. The code converter may parse the first node tree while using the compatibility library to convert the commands and generate a second node tree. The query formatter may create a second query string executable by the second version of the query language.

Abstract: A system generates a user interface that enables a user to generate a chart from one or more statements of a data processing package. Via one or more user interactions with the user interface, the system may receive one or more chart parameters for a chart. Using a statement from the data processing package and the one or more chart parameters, the system may generate an additional statement and append the generated statement to the data processing package to form an enriched data processing package. The system may communicate the enriched data processing package to a search service for execution. The system may display the results in an interactive chart.

Abstract: Provided are systems and methods for determining and displaying service performance information via a graphical user interface. A method can include visually rendering a service-level dashboard reflecting performance of a service and presenting a visual indication of health of each component service and a list of events each corresponding to a change in performance of one of the component services. The method can further include responsive to receiving, via a graphical user interface (GUI), a selection of a component service, visually rendering a system-level dashboard reflecting performance of the selected component-level service, wherein the component service is performed by one or more machines, and wherein the system-level dashboard presents the machines and one or more events each corresponding to a change in performance of one of the machines.

Abstract: Techniques are described for enabling a cloud-based IT and security operations application to execute playbooks containing custom code in a manner that mitigates types of risk related to the misuse of cloud-based resources and security of user data. Users use a client application to create and modify playbooks and, upon receiving input to save a playbook, the client application determines whether the playbook includes custom code. If the client application determines that the playbook includes custom code, the client application establishes a connection with a proxy application (also referred to as an “automation broker”) running in the user's own on-premises network and sends a representation of the playbook to the proxy application. The client application further sends to the IT and security operations application an identifier of the playbook and an indication that the playbook (or the custom code portions of the playbook) is stored within the user's on-premises network.

Abstract: A method of generating metrics data associated with a microservices-based application comprises ingesting a plurality of spans and mapping an ingested span of the plurality of spans to a span identity, wherein the span identity comprises a tuple of information identifying a type of span associated with the span identity, wherein the tuple of information comprises user-configured dimensions. The method further comprises grouping the ingested span by the span identity, wherein the ingested span is grouped with other spans from the plurality of spans comprising a same span identity. The method also comprises computing metrics associated with the span identity and using the metrics to generate a stream of metric data associated with the span identity.

Abstract: Techniques promote monitoring of hypervisor systems by presenting dynamic representations of hypervisor architectures that include performance indicators. A reviewer can interact with the representation to progressively view select lower-level performance indicators. Higher level performance indicators can be determined based on lower level state assessments. A reviewer can also view historical performance metrics and indicators, which can aid in understanding which configuration changes or system usages may have led to sub-optimal performance.

Abstract: A computerized method is disclosed for automated handling of data ingestion anomalies. The method features operations of detecting a data ingestion anomaly and determining a cause for the data ingestion anomaly. The causal determination may be conducted by at least (i) determining features of an anomalous data ingestion volume, (ii) training a second data model, after a first data model being used to detect the data ingestion anomaly, with data sets consistent with the determined features, (iii) applying the second data model to predict whether a data ingestion sub-volume is anomalous, (iv) obtaining system state information during ingestion of the anomalous data ingestion sub-volume, and (v) determining the cause of the anomalous data ingestion volume based on the system state information.

Abstract: The disclosed embodiments provide a method and system for processing network data. During operation, the system obtains, at a remote capture agent, configuration information for the remote capture agent from a configuration server over a network. Next, the system uses the configuration information to configure the generation of event data from network data obtained from network packets at the remote capture agent. The system then uses the configuration information to configure transformation of the event data or the network data into transformed event data at the remote capture agent.

Abstract: Disclosed is a data fabric service system that can be implemented in a distributed computer network, such as a data intake and query system. The data index and query system can receive a search query and define a search scheme for applying the search query on distributed data storage systems including internal data storage and external data storage. The data index and query system may provide a portion of the search scheme to a search service of the data fabric service system, which can cause worker nodes of the data fabric service system to perform various functions—including applying the search query to the external data storage based on the portion of the search scheme in order to obtain search results.

Abstract: The disclosed embodiments provide a method and system for processing network data. During operation, the system obtains one or more event streams from one or more remote capture agents over one or more networks, wherein the one or more event streams include event data generated from network packets captured by the one or more remote capture agents. Next, the system applies one or more transformations to the one or more event streams to obtain transformed event data from the event data. The system then enables querying of the transformed event data.

Abstract: Techniques, which may be embodied herein as systems, computing devices, methods, algorithms, software, code, computer readable media, or the like, are described herein for comparing a set of metrics generated during a simulated user interaction with a website to metrics generated by observing real user interactions with the website. Simulated user interactions with a website can be used to diagnose a website's performance issues, but it can be difficult to determine whether the simulated interactions reflect the experience of real users. In addition, the simulated user interactions can be challenging to contextualize because the number of observed real user interactions may significantly outnumber the simulated interactions. A graphical user interface can help with the interpretation of these website interactions by using the real user interactions to properly contextualize the simulated results.

Abstract: Systems and methods are described for extracting data fields from logs ingested in a data processing pipeline or otherwise stored. For example, a log can be applied as an input to an artificial intelligence model trained to infer a log sourcetype of logs, and the artificial intelligence model can output an inferred log sourcetype of the log. The inferred log sourcetype can be used to select another artificial intelligence model trained to extract data fields from logs having the inferred log sourcetype, and the log can then be applied as an input to the other artificial intelligence model. The other artificial intelligence model may then output one or more data fields extracted from the log.

Abstract: Systems and methods are described for scheduling a query for execution. The system receives and parses a query to identify one or more portions of the query. The system determines a resource allocation for each portion of the query, and determines an availability of compute resources for the different portions of the query. Based on the resource allocation and the availability of compute resources, the system schedules the query.

Abstract: A system generates a user interface that enables a user to modify time ranges associated with search-related statements of a data processing package. Via one or more user interactions with the user interface, the system may receive a modified time range for the statement. The modified time range may be appended to the data processing package to form an enriched data processing package. The system may communicate the enriched data processing package to a search service for execution. The system may display the results in the user interface.

Abstract: Systems and methods are disclosed for providing a multi-component application, including a first and second component, and a first and second server. The first component may be implemented at the first server, while a second component may be implemented at a client device. An end user of a client device may request access to metadata stored on the second server that is utilized by the second component to implement the multi-component application. The end user may authenticate with the first component. The first component may then communicate with the second server to authenticate the end user to the second server, thereby granting the end user access to the second server without having to reauthenticate to the second server.

Abstract: Resegmenting chunks of data for load balancing is disclosed. A plurality of first chunks of data is received. The plurality of first chunks of data includes one or more entries that include raw data produced by a component of an information technology environment and that reflects activity in the information technology environment. The plurality of first chunks of data is resegmented into a plurality of second chunks of data based on a source type of the plurality of first chunks. A first subset of the plurality of second chunks of data is distributed to a first indexer of a set of indexers. An occurrence of a trigger event is determined, and in response to the trigger event, a second subset of the plurality of second chunks of data is distributed to a second indexer of the set of indexers.

Abstract: A method includes displaying events that correspond to search results of a search query, the events comprising data items of event attributes, the events displayed in a table. The table includes columns corresponding to an event attribute, rows corresponding events, cells populated data items, and interactive regions corresponding to at least one data item and selectable to add one or more commands to the search query. A reference event attribute is determined based on an analysis of a data object. A supplemental column corresponding to a supplemental event attribute is added to the table based on the reference event attribute. Supplemental interactive regions are added to the table and correspond to supplemental data items.