Patents Assigned to Splunk Inc.
-
Patent number: 11762759
Abstract: A method of analyzing a performance of a microservices-based application comprises generating a plurality of traces from a plurality of spans associated with the microservices-based application. The method also comprises generating a plurality of data sets each associated with a respective analysis mode of a plurality of analysis modes using the plurality of traces, wherein each analysis mode extracts a different level of detail for analyzing the performance of the services in the application from the plurality of spans. Further, the method comprises selecting, based on a first user query, a first analysis mode from the plurality of analysis modes for generating a response to the first user query. The method also comprises accessing a data set of the plurality of data sets that is associated with the first analysis mode and generating the response to the first user query using the data set associated with the first analysis mode.
Type: Grant
Filed: November 30, 2021
Date of Patent: September 19, 2023
Assignee: SPLUNK Inc.
Inventors: Mayank Agarwal, Dmitrii Anoshin, Steven Flanders, Steven Karis, Justin Smith, Eric Wohlstadter
-
Patent number: 11755938
Abstract: Methods and systems for determining event probabilities and anomalous events are provided. In one implementation, a method includes: receiving source data, where the source data is configured as a plurality of events with associated timestamps; searching the source data, where the searching provides a search result including N events from the plurality of events, where N is an integer greater than one, where each event of the N events includes a plurality of field values, where at least one event of the N events can include one or more categorical field values and one or more numerical field values; and for an event of the N events, determining a probability of occurrence for each field value of the plurality of field values; and using probabilities determined for the plurality of field values, determining a probability of occurrence for the event.
Type: Grant
Filed: January 29, 2020
Date of Patent: September 12, 2023
Assignee: Splunk Inc.
Inventors: Nghi Nguyen, Jacob Leverich, Adam Oliner
-
Patent number: 11755453
Abstract: In response to receiving a selection of an option to discover uninstrumented entities within a monitored environment, information retrieved from monitoring agents currently installed on instrumented entities within a system is analyzed to discover additional entities within the system that are connected to the instrumented entities. Each of these discovered entities is analyzed to determine whether a monitoring agent is able to be installed within the entity; if installation is possible, such installation is automatically performed (or a guided manual installation is implemented utilizing an interface). After a monitoring agent is installed within a discovered entity, information retrieved from that monitoring agent may be used to discover additional entities within the system that are connected to that discovered entity. In this way, an iterative discovery of all entities within a system may be performed. Results of this iterative discovery may be presented via an interface.
Type: Grant
Filed: October 25, 2022
Date of Patent: September 12, 2023
Assignee: SPLUNK Inc.
Inventors: Tigran Najaryan, Aunsh Bharat Chaudhari, Morgan James McLean, Yiqing Pei
-
Patent number: 11757925
Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
Type: Grant
Filed: April 27, 2021
Date of Patent: September 12, 2023
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 11755344
Abstract: Data (e.g., security data) is presented at increasing levels of detail in a drill down on graphical displays. The data can be retrieved pursuant to a request, such as a search. A first graphical display corresponds to a first level of the detail. A first actionable graphic is displayed, which, when activated, presents a second graphical display with more detail. Thus, nested graphical displays are provided. The detailed data may be retrieved in response to a search, with only the high-level data graphically displayed first, with the additional data and stored templates being ready to instantly produce the nested, detailed charts upon user activation.
Type: Grant
Filed: June 17, 2021
Date of Patent: September 12, 2023
Assignee: SPLUNK INC.
Inventors: Uladzimir Bahatyrevich, Anthony Barbato
-
Patent number: 11755635
Abstract: Systems and methods for presenting and sorting summaries of alerts triggered by search queries in data aggregation and analysis systems. An example method may comprise: causing, by one or more processing devices, one or more alert summaries to be displayed, each alert summary corresponding to an alert and representing one or more instances of the alert, the alert defined by a search query and a triggering condition; wherein an instance of the alert corresponds to a particular dataset that (i) is generated by executing the search query over time-series data falling within a particular time range in a set of time ranges over which the search query has been instructed to search, and (ii) satisfies the triggering condition for the alert; wherein an alert summary includes an indication of at least one of: a total count of alert instances generated by the alert, or a count of alert instances generated by the alert that have not been viewed by a user.
Type: Grant
Filed: July 9, 2014
Date of Patent: September 12, 2023
Assignee: Splunk Inc.
Inventors: Qianjie Zhong, Yue Ni, Ting Wang, Dawei Li, Nick Filippi, Xianqin Ma
-
Patent number: 11755405
Abstract: An information technology (IT) operations platform is described that enables users to execute one or more executable actions from a set of executable actions presented in a prioritized order based on historical data. In response to identifying an occurrence of a type of incident in an IT environment, the IT operations platform generates a workbook based on a customizable workbook template. The customizable workbook template includes a plurality of tasks grouped into a plurality of phases for responding to occurrences of the type of incident, and each task of the plurality of tasks is associated with a respective set of suggested executable actions for completing the corresponding task. The IT operations platform then causes the display of a graphical user interface (GUI) including a representation of the workbook, including interface elements representing the respective set of suggested executable actions displayed in the prioritized order.
Type: Grant
Filed: April 5, 2022
Date of Patent: September 12, 2023
Assignee: Splunk Inc.
Inventors: Sourabh Satish, David Wayman, Glenn Gallien, Akshay Dongaonkar
-
Patent number: 11755387
Abstract: A first feature (e.g., chart or table) includes a reference to a dynamic pointer. Independently, the pointer is defined to point to a second feature (e.g., a query). The first feature is automatically updated to reflect a current value of the second feature. The reference to the pointer and pointer definition are recorded in a central registry, and changes to the pointer or second feature automatically cause the first feature to be updated to reflect the change. A mapping between features can be generated using the registry and can identify interrelationships to a developer. Further, changes in the registry can be tracked, such that a developer can view changes pertaining to a particular time period and/or feature of interest (e.g., corresponding to an operation problem).
Type: Grant
Filed: May 25, 2021
Date of Patent: September 12, 2023
Assignee: Splunk Inc.
Inventor: Itay A. Neeman
-
Patent number: 11755559
Abstract: Automated discovery of relationships between entities within an IT environment. A technique is performed by a relationship module that performs a discovery search for entity relationships to produce a set of relationship search results. The relationship module then generates a set of relationship definitions from the set of relationship search results which are stored to a relationship collection in a data store. A technique for automatically updating entity and relationship definitions and removing outdated entity and relationship definitions stored to a data store. An update module automatically updates entity and relationship definitions at predetermined time intervals. The update history in each definition is also modified to reflect the update process. A retire module automatically removes outdated definitions using the update history in each definition.
Type: Grant
Filed: December 13, 2021
Date of Patent: September 12, 2023
Assignee: SPLUNK INC.
Inventors: Nicholas Matthew Tankersley, Mingrui Wei, Arun Ramani
-
Patent number: 11755390
Abstract: Embodiments of the present invention are directed to facilitating efficient message queueing. In particular, embodiments herein describe, among other things, a redelivery monitor used to monitor when to redeliver messages, or tasks, for reprocessing based on expiration of a redelivery deadline. In this regard, markers indicating processing states for tasks being processed are read by the redelivery monitor. When the processing state indicates that processing is ongoing, the redelivery deadline is extended such that a message or task is not redelivered for processing while the message or task is being processed.
Type: Grant
Filed: July 26, 2022
Date of Patent: September 12, 2023
Assignee: Splunk Inc.
Inventors: Daniel Ferstay, Denis Vergnes
-
Patent number: 11755446
Abstract: A method of rendering a graphical user interface (GUI) comprising an application topology graph for a microservice architecture comprises generating a plurality of traces from a first plurality of spans generated by instrumented services in the architecture and generating a second plurality of spans for uninstrumented services using information extracted from the first plurality of spans. The method further comprises grouping the second plurality of spans with the plurality of traces. Subsequently, the method comprises traversing the traces and collecting a plurality of span pairs from the plurality of traces, wherein each pair of the span pairs is associated with a call between two services. The method also comprises aggregating information across the plurality of span pairs to reduce duplicative information associated with multiple occurrences of a same span pair from the plurality of span pairs.
Type: Grant
Filed: December 6, 2022
Date of Patent: September 12, 2023
Assignee: SPLUNK Inc.
Inventors: Mayank Agarwal, Gergely Danyi, Steven Flanders, Steven Karis, Maxime Petazzoni, Justin Smith, Scott Stewart
-
Patent number: 11755577
Abstract: Techniques for scheduling search queries in a computing environment are disclosed. A search query scheduling system associates a first set of queries with a first skew tolerance, the first set of queries scheduled to be performed during a first period, where the first skew tolerance is based on a duration of the first period. The search query scheduling system reschedules a first subset of search queries included in the first set of queries by skewing the first subset of search queries over a first portion of the first period based on the first skew tolerance.
Type: Grant
Filed: July 5, 2022
Date of Patent: September 12, 2023
Assignee: SPLUNK INC.
Inventors: Paul J. Lucas, Eric Woo
-
Patent number: 11755371
Abstract: A scheduler manages execution of a plurality of data-collection jobs, assigns individual jobs to specific forwarders in a set of forwarders, and generates and transmits tokens (e.g., pairs of data-collection tasks and target sources) to assigned forwarders. The forwarder uses the tokens, along with stored information applicable across jobs, to collect data from the target source and forward it onto an indexer for processing. For example, the indexer can then break a data stream into discrete events, extract a timestamp from each event and index (e.g., store) the event based on the timestamp. The scheduler can monitor forwarders' job performance, such that it can use the performance to influence subsequent job assignments. Thus, data-collection jobs can be efficiently assigned to and executed by a group of forwarders, where the group can potentially be diverse and dynamic in size.
Type: Grant
Filed: November 15, 2022
Date of Patent: September 12, 2023
Assignee: SPLUNK INC.
Inventors: Tristan Fletcher, Brian Bingham
-
Patent number: 11755634
Abstract: The disclosure relates to certain system and method embodiments for generating reports from unstructured data. In one embodiment, a method can include identifying events matching criteria of an initial search query (each of the events including a portion of raw machine data that is associated with a time), identifying a set of fields, each field defined for one or more of the identified events, causing display of an interactive graphical user interface (GUI) that includes one or more interactive elements enabling a user to define a report for providing information relating to the matching events (each interactive element enabling processing or presentation of information in the matching events using one or more fields in the identified set of fields), receiving, via the GUI, a report definition indicating how to report information relating to the matching events, and generating, based on the report definition, a report including information relating to the matching events.
Type: Grant
Filed: April 15, 2020
Date of Patent: September 12, 2023
Assignee: SPLUNK INC.
Inventors: Alice Neels, Sundar Vasan, Simon Fishel, Marc Robichaud, Divanny Lamas
-
Patent number: 11755531
Abstract: A computerized method is disclosed for storing data using a persistent queue. The computerized method includes operations of obtaining machine data from a remote electronic device, providing the machine data to a persistent queue component, wherein the persistent queue component organizes the machine data for storage on a first data store and storing a copy of the organized machine data in the first data store, and responsive to completion of the storing of the copy of the organized machine data. Further operations include transmitting an acknowledgement communication to the remote electronic device indicating storage of the copy of the machine data in the first data store, processing the machine data for storage, and responsive to completion of the storing of the processed machine data in a second data store, deleting the copy of the machine data from the first data store. The persistent queue component may include a socket server.
Type: Grant
Filed: January 25, 2022
Date of Patent: September 12, 2023
Assignee: Splunk Inc.
Inventors: Hong Yuan, Alexander Binkin, Zi Liang Chen, Bradford Lovering, Dinesh Sharma
-
Patent number: 11755626
Abstract: A computer-implemented method is disclosed that includes operations of receiving a document to be classified, performing pre-processing operations on the document resulting in generation of a tokenized document, performing word embedding operations on the tokenized document resulting in generation of a vectorized document, performing text similarity operations on the vectorized document and each of one or more vectorized topics resulting in a set of one or more similarity scores, wherein a first similarity score indicates a level of similarity between the vectorized document and a first vectorized topic, and wherein each vectorized topic represents one of a predetermined set of topics and classifying the document into one of the predetermined set of topics based on the set of one or more similarity scores. Performing the word embedding operations includes mapping each token of the remaining subset to a multi-dimensional vector, with each multi-dimensional vector representing a semantic meaning of a token.
Type: Grant
Filed: July 30, 2021
Date of Patent: September 12, 2023
Assignee: Splunk Inc.
Inventors: Ningwei Liu, Deepanjan Basu, Todd M. Miller, Craig Morea
-
Patent number: 11748351
Abstract: The disclosed embodiments relate to a system that updates a context that facilitates evaluating qualitative search terms for an attribute during query processing. During operation, the system extracts a value for the attribute from each data item. Next, the system updates the context based on the extracted attribute values, wherein the context includes a concept-mapping for one or more qualitative search terms applied to the attribute, and wherein each concept-mapping associates a given attribute value with a compatibility index that indicates a compatibility between the given attribute value and a corresponding qualitative search term.
Type: Grant
Filed: May 20, 2021
Date of Patent: September 5, 2023
Assignee: Splunk Inc.
Inventors: Michael E. Cormier, William E. Thackrey, Earl D. Cox
-
Patent number: 11750663
Abstract: Techniques and mechanisms are disclosed enabling efficient collection of forensic data from client devices, also referred to herein as endpoint devices, of a networked computer system. Embodiments described herein further enable correlating forensic data with other types of non-forensic data from other data sources. A network security application described herein further enables generating various dashboards, visualizations, and other interfaces for managing forensic data collection, and displaying information related to collected forensic data and information related to identified correlations between items of forensic data and other items of non-forensic data.
Type: Grant
Filed: July 9, 2021
Date of Patent: September 5, 2023
Assignee: Splunk Inc.
Inventor: Brian Luger
-
Patent number: D998628
Type: Grant
Filed: October 19, 2021
Date of Patent: September 12, 2023
Assignee: SPLUNK Inc.
Inventors: Jindrich Dinga, Hasti Khaki, Soomee Kang, Yiyun Zhu, Jeff Sredni, Chung-Han Tsai, Jacob Sebastian Stark, Mei Chun Yeh
-
Patent number: D998629
Type: Grant
Filed: October 19, 2021
Date of Patent: September 12, 2023
Assignee: SPLUNK Inc.
Inventors: Jindrich Dinga, Mei Chun Yeh, Hasti Khaki, Jacob Sebastian Stark, Yiyun Zhu, Jeff Sredni, Chung-Han Tsai, Soomee Kang