Abstract: A computer implemented system is described for assigning executable jobs to pipeline sets, whereby the jobs may be network based computer jobs. The assigning includes generating a weight for each pipeline set of multiple pipeline sets to obtain multiple weights. Generating a weight includes obtaining duty cycle metrics for pipeline software threads in the pipeline set. The duty cycle metrics include a measure of an amount of time that a corresponding pipeline thread is executing and actively processing data. Generating the weight further includes determining the weight for the pipeline set based at least in part on the duty cycle metrics. The method further includes assigning a job request to a target pipeline set selected from the pipeline sets according to a weighted random algorithm, wherein the weighted random algorithm uses the weights.

Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped data entries of machine data. A model management server detects data constraints for a security model that include a data element used by the security model and an availability requirement set. Using the timestamped data entries, the data constraints are validated, and the validation used to determine a data availability assessment of the security model.

Abstract: Various implementations of the present application set forth a method comprising generating, based on first sensor data captured by a depth sensor on a mobile device, three-dimensional data representing a physical space that includes a real-world asset, generating, based on second sensor data captured by an image sensor on the mobile device, two-dimensional data representing the physical space, combining, based on a correlation the three-dimensional data and the two-dimensional data, the two-dimensional data and the three-dimensional data into an extended reality (XR) stream, where the XR stream includes a digital representation of the real-world asset, and transmitting, to a remote device, the XR stream for rendering at least a portion of the digital representation of the real-world asset in a remote XR environment.

Abstract: Embodiments of the present disclosure provide for trace and span sampling and analysis for instrumented software. Each span may be annotated with one or more tags that provide context about an executed task, such as a user instrumenting the software, a document involved in a request, an infrastructure element used in servicing a request, etc. A sampler may perform tail-based sampling of traces comprising spans. The sampler may select a portion of the traces having selected features and send them to an analyzer. The analyzer may receive the selected traces and determine whether the selected traces are indicative of configuration problems for the instrumented software. An alert may be generated based on identified configuration problems.

Abstract: Embodiments are directed towards generating a representative sampling as a subset from a larger dataset that includes unstructured data. A graphical user interface enables a user to provide various data selection parameters, including specifying a data source and one or more subset types desired, including one or more of latest records, earliest records, diverse records, outlier records, and/or random records. Diverse and/or outlier subset types may be obtained by generating clusters from an initial selection of records obtained from the larger dataset. An iteration analysis is performed to determine whether a sufficient number of clusters and/or cluster types have been generated that exceed at least one threshold and when not exceeded, additional clustering is performed on additional records. From the resultant clusters, and/or other subtype results, a subset of records is obtained as the representative sampling subset.

Abstract: Embodiments of the present invention are directed to facilitating detection of suspicious access to resources. In accordance with aspects of the present disclosure, an access graph is generated. The access graph contains access data that includes observed accesses between entities and resources. Access scores can be determined for entity-resource pairs in the access graph by applying a set of access rules to the entity-resource pairs in the access graph. The access scores indicate an extent of relatedness between the corresponding entity and resource. Thereafter, the access scores can be used to train a probabilistic prediction model that predicts suspiciousness of accesses between entities and resources.

Abstract: Various implementations of the present application set forth a method comprising generating three-dimensional data and two-dimensional data representing a physical space that includes a real-world asset, generating an extended-reality (XR) stream representing a remote collaboration session between a host device and a set of remote devices, where the XR stream includes a combination of the three-dimensional data and the two-dimensional data, a set of augmented-reality (AR) elements associated with the real-world asset, and a set of performed actions associated with a portion of the digital representation or at least one AR element, serializing the XR stream into a set of serialized chunks, transmitting the serialized chunks to the remote devices, where the remote devices recreate the XR stream in a set of remote XR environments, and transmitting the serialized chunks to a remote storage device, where a device subsequently retrieves the serialized chunks to replay the remote collaboration session.

Abstract: A computerized method is disclosed including operations of receiving a plurality of request texts, and for each request text of the plurality of request texts: performing a pre-processing operation, performing a first text similarity procedure or a second text similarity procedure that each result in a determination of a most similar request text in a knowledge base, wherein the second text similarity procedure includes performance of word embedding operations, determining a degree of similarity between the current request text and the most similar request text, when the degree of similarity satisfies a similarity threshold comparison, associating an answer associated with the most request text with the current text request, and when the degree of similar does not satisfy the similarity threshold comparison, flagging the current request text or associating a placeholder answer with the current request text. Performing pre-processing may include removing stop words and punctuation and creating tokenized text.

Abstract: Systems and methods are disclosed for making space available in a local storage of a data intake and query system. A cache manager of the data intake and query system may determine an amount of storage space of a local data store that is available for use to perform a query. The cache manager may then use one or more eviction policies associated with content stored at the local data store to purge content items to evict from the local storage. The system may then retrieve content for performing the query from a remote storage and store the retrieved content at the local storage.

Abstract: A multitenant deployment includes a computing cluster that executes multiple containerized instances of a software application. Each containerized instance is associated with one or more datastores that can be assigned to different tenants. A registry store maintains a mapping between tenants and datastores, thereby allowing a registry manager to properly route tenant requests to the correct datastores. A capacity manager tracks tenant usage of datastores in the registry store and then scales computing resources for each tenant in proportion to usage. The capacity manager also migrates tenant resources in response to catastrophic failures or upgrades. In this fashion, the multitenant deployment can adapt a single-tenant software application for multi-tenancy in a manner that is both transparent and secure for the tenant.

Abstract: Generating anonymized data from events are disclosed. Via a graphical user interface (GUI), an output dataset mode for an anonymized output dataset is received. The output dataset mode is stored or an active stream. The output dataset mode in anonymization configuration information. An anonymized output dataset is produced in accordance with the anonymization configuration information, where the output dataset comprises information related to at least a portion of a plurality of events, wherein the plurality of events each comprise a timestamp and a portion of machine data. Further, the GUI to displays the anonymized output dataset.

Abstract: Various embodiments describe multi-site cluster-based data intake and query systems, including cloud-based data intake and query systems. Using a hybrid search system that includes cloud-based data intake and query systems working in concert with so-called “on-premises” data intake and query systems can promote the scalability of search functionality. In addition, the hybrid search system can enable data isolation in a manner in which sensitive data is maintained “on premises” and information or data that is not sensitive can be moved to the cloud-based system. Further, the cloud-based system can enable efficient leveraging of data that may already exist in the cloud.

Abstract: A method to provide an interface for asset tee determination includes performing a search of data, the search including user-supplied criteria information, causing display of results of the search, receiving user input providing classifications for the results of the search, the classifications indicating asset identifier and asset parent identifier fields in the results of the search, identifying, based on the user input and the results of the search, a plurality of unique assets identifiers and corresponding asset parent identifiers, and automatically generating a computer representation of an asset hierarchy comprising an asset node for each asset identifier, an asset parent node for each asset parent identifier, and a representation of hierarchical relationships between asset nodes and asset parent nodes.

Abstract: Techniques are described for enabling users to add custom code function blocks and multi-prompt blocks to customizable playbooks that can be executed by an orchestration, automation, and response (OAR) platform. At a high level, a playbook comprises computer program code and possibly other data that can be executed by an OAR platform to carry out an automated set of actions. A playbook is comprised of one or more functions or codeblocks, where each codeblock contains program code that performs defined functionality when the codeblock is encountered during execution of the playbook of which it is a part. For example, a first codeblock may implement an action that is performed relative to one or more IT assets, another codeblock might filter data generated by the first codeblock in some manner, and so forth.

Abstract: A service monitoring system (SMS) produces key performance indicator (KPI) scores that indicate the performance of a service. To produce the KPI scores, the SMS may process the data for a large number of machine entities that perform the service. This data can be processed on a per-entity basis to produce a per-entity KPI score representing the contribution of a particular machine to the overall KPI. The per-entity KPI scores can be transformed to statistical representations which can be visualized as a distribution stream graph. The visualization may be presented with interactive aspects. Automatic entity definitions may also be generated based on content derived from the processed data.

Abstract: Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.

Abstract: Various implementations of the present application set forth a computer-implemented method comprising obtaining, by a low-power hub device, a first set of data published by an edge device, where the low-power hub device subscribes to at least a subset of data published by the edge device, generating, by the low-power hub device, a second set of data from the first set of data by inputting the first set of data into a machine learning (ML) model executing on the low-power hub device, and transmitting the second set of data to a remote server computer system.

Abstract: Systems, methods, and computer-readable media are disclosed for generating and providing journey flow visualizations. In one computer-implemented embodiments, a data intake and query system can be used to generate and provide journey flow visualizations. In operation, a set of journey instances associated with a journey having a set of steps is obtained. Thereafter, a journey flow visualization that represents flow paths for the set of journey instances is generated, for example, by a data intake and query system. The generation of the journey flow visualization includes, for each node representing a corresponding step of the journey, determining a flow level based on a shortest distance among the set of journey instances between the corresponding step and a journey start. The generation of the journey flow visualization further includes, for each node, determining an in-level position within the flow level based on positions of nodes in a higher flow level.

Abstract: A method of performing error analysis in a system comprising microservices comprises identifying a root cause error span from among a plurality of error spans for a trace, wherein an error span is a span that returns an error to a microservice that generates the span, and wherein a root cause error span is an error span associated with an error originating microservice. The method further comprises determining a call path associated with the root cause error span, where the call path comprises a chain of spans starting at the root cause error span, and where each subsequent span in the chain is a parent span of a prior span. Subsequently the method comprises mapping each span in the chain to a span error frame to create an error stack and rendering an image of the error stack.