Patents Assigned to Splunk Inc.
-
Patent number: 11663244
Abstract: Methods and apparatus consistent with the invention provide the ability to organize and build understandings of machine data generated by a variety of information-processing environments. Machine data is a product of information-processing systems (e.g., activity logs, configuration files, messages, database records) and represents the evidence of particular events that have taken place and been recorded in raw data format. In one embodiment, machine data is turned into a machine data web by organizing machine data into events and then linking events together.
Type: Grant
Filed: September 20, 2021
Date of Patent: May 30, 2023
Assignee: Splunk Inc.
Inventors: Michael Joseph Baum, R. David Carasso, Robin Kumar Das, Bradley Hall, Brian Philip Murphy, Stephen Phillip Sorkin, Andre David Stechert, Erik M. Swan, Rory Greene, Nicholas Christian Mealy, Christina Frances Regina Noren
-
Patent number: 11663172
Abstract: Cascading payload replication to target compute nodes is disclosed. Cascading payload replication can be accomplished using a two-stage operation for a replication operation. In the first stage, a plan is generated and distributed for the replication operation. The plan includes an assignment of compute nodes to tree nodes in a tree hierarchy. In the second phase, the payload is distributed according to the plan. The plan is different for at least two replication operations. Thus, the cascading payload replication is adaptable to changing target compute nodes and provides for load balancing.
Type: Grant
Filed: September 19, 2022
Date of Patent: May 30, 2023
Assignee: Splunk Inc.
Inventors: Aditya Dhoke, Shalabh Goyal, Megha Lakshminarayan, Anish Shrigondekar, Ruochen Zhang
-
Patent number: 11663219
Abstract: Systems and methods are described for tuning parameter values of a processing pipeline in a streaming data processing system. In order to determine an optimal set of parameter values for a particular processing pipeline, a processing pipeline can be implemented with different sets of parameter values. A performance metric can be measured for each implementation to measure the performance of the processing pipeline with regards to a particular set of parameter values. The performance metrics for each implementation can be compared in order to determine optimal performance metrics. The processing pipeline can be implemented based on an optimal set of parameter values that correspond to the optimal performance metrics.
Type: Grant
Filed: April 23, 2021
Date of Patent: May 30, 2023
Assignee: Splunk Inc.
Inventors: Dragoljub Profirovic, Min Zhang, Poornima Devaraj
-
Patent number: 11663109
Abstract: Embodiments are directed to facilitating identifying seasonal frequencies. In particular, a set of candidate seasonal frequencies associated with a time series data set are determined based on ACF peaks identified in association with a representation of the time series data set. Thereafter, the filters are applied to analyze the candidate seasonal frequencies and update the candidate seasonal frequencies by removing any candidate seasonal frequencies that fail a filter. An example filter can include comparing ACF peaks with peaks associated with SDF peaks. Thereafter, a candidate seasonal frequency of the updated candidate seasonal frequencies can be identified as a seasonal frequency for the time series data set, and such a seasonal frequency can be provided (e.g., to a user or another process) for use in performing data analysis.
Type: Grant
Filed: July 23, 2021
Date of Patent: May 30, 2023
Assignee: Splunk Inc.
Inventors: William Deaderick, Tanner Gilligan, Joseph Ari Ross
-
Patent number: 11663227
Abstract: Systems and methods are disclosed for receiving, at a first data intake and query system, a query that includes an indication to process data managed by another data intake and query system. The first data intake and query system identifies a second data intake and query system that manages the data to be processed and generates a subquery for execution by the second data intake and query system, generates instructions for one or more worker nodes to receive and process results of the subquery from the second data intake and query system, and instructs the worker nodes to provide results of the processing to the first data intake and query system.
Type: Grant
Filed: July 31, 2018
Date of Patent: May 30, 2023
Assignee: Splunk Inc.
Inventors: Sourav Pal, Arindam Bhattacharjee
-
Patent number: 11663212
Abstract: Systems and methods are disclosed for processing and executing queries in a data intake and query system. The data intake and query system receives a query identifying a set of data to be processed and a manner of processing the set of data. The data intake and query system parses the query and uses a metadata catalog to dynamically identify configuration parameters of datasets and/or rules associated with the query. The identified configuration parameters are communicated to a query processing component of the data intake and query system for use in executing the query.
Type: Grant
Filed: July 27, 2021
Date of Patent: May 30, 2023
Assignee: Splunk Inc.
Inventors: Alexander Douglas James, Manu Jose, Sourav Pal, Christopher Madden Pride, Nicholas Robert Romito, Igor Braylovskiy, Arun Ramani, Ankit Jain
-
Patent number: 11663176
Abstract: Systems and methods are described for training an artificial intelligence model to extract one or more data fields from a log. For example, the artificial intelligence model may be a neural network. The neural network may be trained using training data obtained by iterating through a plurality of logs using active learning, and selecting a subset of the logs in the plurality to be labeled by a user. For example, the selected subset of logs may be logs that are not similar to other logs already labeled by a user. The user may be prompted to label the selected subset of logs to identify one or more data fields to extract. Once the selected subset of logs are labeled, these labeled logs can be used as the training data to train the neural network.
Type: Grant
Filed: July 31, 2020
Date of Patent: May 30, 2023
Assignee: Splunk Inc.
Inventors: Ram Sriharsha, Zhaohui Wang, Kristal Curtis, Abraham Starosta
-
Patent number: 11658998
Abstract: Systems, methods, and software described herein enhances how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.
Type: Grant
Filed: May 3, 2021
Date of Patent: May 23, 2023
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 11658863
Abstract: Described herein are systems, methods, and software to enhance incident response for an information technology (IT) environment. In one implementation, an incident service identifies an incident in the IT environment and determines a correlation between the incident and other incidents in the IT environment. Once correlated, the incident service aggregates incident data of the incident with incident data of the other incidents and generates a summary using the aggregated incident data.
Type: Grant
Filed: October 8, 2021
Date of Patent: May 23, 2023
Assignee: Splunk Inc.
Inventors: Govind Salinas, Sourabh Satish, Robert John Truesdell
-
Patent number: 11657057
Abstract: Systems and methods are disclosed for annotating a metadata catalog in a data intake and query system based on a query received by the data intake and query system. The metadata catalog can store information about datasets associated with the data intake and query system, including dataset configuration records of the datasets, which can be used to process queries for execution by the data intake and query system. The data intake and query system can receive a query identifying a set of data to be processed and a manner of processing the set of data. The data intake and query system can parse the query to identify datasets and/or data fields associated with the query. Based on the identified datasets and/or fields, the data intake and query system can generate one or more annotations, and use the annotations to update the metadata catalog.
Type: Grant
Filed: January 27, 2022
Date of Patent: May 23, 2023
Assignee: Splunk Inc.
Inventors: Alexander Douglas James, Scott Calvert, Manu Jose, Andrew Peters, Christopher Madden Pride, Arun Ramani
-
Patent number: 11657065
Abstract: Systems and methods include causing presentation of a first cluster in association with an event of the first cluster, the first cluster from a first set of clusters of events. Each event includes a time stamp and event data. Based on the presentation of the first cluster, an extraction rule corresponding to the event of the first cluster is received from a user. Similarities in the event data between the events are determined based on the received extraction rule. The events are grouped into a second set of clusters based on the determined similarities. Presentation is caused of a second cluster in association with an event of the second cluster, where the second cluster is from the second set of clusters.
Type: Grant
Filed: January 26, 2021
Date of Patent: May 23, 2023
Assignee: Splunk Inc.
Inventors: Jesse Brandau Miller, Katherine Kyle Feeney, Yuan Xie, Steve Zhang, Adam Jamison Oliner, Jindrich Dinga, Jacob Leverich
-
Patent number: 11657582
Abstract: A mobile device executes an augmented reality (AR) software application that detects an orientation of a client device. The AR software application projects a line from a reference position on the client device to a physical object. The AR software application identifies a first location on the physical object that intersects with the line. The AR software application determines an x-coordinate and a y-coordinate of a portion of the physical object included in an image displayed on the client device based on the first location. The AR software application receives a z-coordinate of the portion of the physical object. In response to receiving user input via the client device, the AR software application anchors an augmented reality object at a second location that corresponds to the x-coordinate, the y-coordinate, and the z-coordinate. The orientation of the augmented reality object corresponds to the orientation of the client device.
Type: Grant
Filed: March 14, 2022
Date of Patent: May 23, 2023
Assignee: SPLUNK INC.
Inventors: Devin Bhushan, Jesse Chor, Glen Wong
-
Patent number: 11658992
Abstract: A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created based on an analysis of the event data, including time sequences of the event data.
Type: Grant
Filed: June 17, 2021
Date of Patent: May 23, 2023
Assignee: SPLUNK INC.
Inventors: Satheesh Kumar Joseph Durairaj, Stanislav Miskovic, Georgios Apostolopoulos
-
Publication number: 20230153430
Abstract: A method is disclosed that includes receiving, at a computing device, an event log including events derived from machine data, and determining a score by comparing an event from the event log with frequent patterns of features. Determining the score includes determining a length of a frequent pattern within the event in the event log and a count of occurrences of the frequent pattern within the events, determining a contribution of the frequent pattern based on the length and the count, determining a penalty for an unmatched feature of the first event based on a cardinality of the events, and averaging the contribution and the penalty to obtain the score. The method further includes issuing an alert identifying the first event as an anomaly using the first score and an anomaly score threshold.
Type: Application
Filed: January 18, 2023
Publication date: May 18, 2023
Applicant: Splunk Inc.
Inventors: Zhuxuan Jin, George Apostolopoulos
-
Patent number: 11652849
Abstract: Systems, methods, and software described herein provide for identifying recommended feature sets for new security applications. In one example, a method of providing recommended feature sets for a new security application includes identifying a request for the new security application, and determining a classification for the new security application. The method further provides identifying related applications to the new security application based on the classification, and identifying a feature set for the new security application based on features provided in the related applications.
Type: Grant
Filed: December 17, 2020
Date of Patent: May 16, 2023
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas, Ryan Russell
-
Patent number: 11650908
Abstract: An analysis system receives a time series. The data values of the time series correspond to a metric describing a characteristic of the computing system that changes over time. The analysis system stores a statistic value that represents the stationarity of the time series. In response to receiving a most recent value, the analysis system assigns the most recent value as the leading value in a window before retrieving the trailing value of the window. The analysis system updates the statistic value to add an influence of the most recent value and remove an influence of the trailing value. If the statistic value is less than a threshold, the analysis system determines that the time series is stationary. In response to determining the time series is stationary, the analysis system assigns an alert to the metric. The analysis system detects an anomaly in the metric based on the assigned alert.
Type: Grant
Filed: March 18, 2022
Date of Patent: May 16, 2023
Assignee: Splunk Inc.
Inventor: Joseph Ari Ross
-
Patent number: 11650995
Abstract: Systems and methods are described for customizable data streams in a streaming data processing system. Routing criteria for the customizable data streams are defined by a user, an automated process, or any other process. The routing criteria can be defined using graphical controls. The streaming data processing system uses the routing criteria to determine data that should be used to populate a particular data stream. Further, processing pipelines are customized such that a particular processing pipeline can obtain data from a particular user defined data stream and write data to a particular user defined data stream. Data is routed through the user defined data streams and customized processing pipelines based on a data route. A data route for a set of data may include multiple user defined data streams and multiple processing pipelines. The data route can include a loop of processing pipelines and data streams.
Type: Grant
Filed: April 28, 2021
Date of Patent: May 16, 2023
Assignee: Splunk Inc.
Inventors: Sanjeev Kulkarni, Boyang Peng, Karthikeyan Ramasamy, Poornima Devaraj
-
Patent number: 11651011
Abstract: One or more processing devices derive values indicative of various aspects of how a particular service in an information technology (IT) environment is performing at a point in time or for a period of time. The values are derived by a search query over machine data associated with the one or more entities that provide the service. The one or more processing devices define and apply time varying static thresholds in respect to the values. A user (e.g., IT manager) may be enabled to manipulate or define multiple sets of KPI thresholds that vary over time.
Type: Grant
Filed: May 10, 2021
Date of Patent: May 16, 2023
Assignee: Splunk Inc.
Inventors: Tristan Antonio Fletcher, Alok Anant Bhide
-
Patent number: 11651571
Abstract: Various implementations or examples set forth a method for scanning a three-dimensional (3D) environment. The method includes generating, based on sensor data captured by a depth sensor on a device, a 3D mesh representing a physical space; dividing the 3D mesh into a plurality of sub-meshes, wherein each of the plurality of sub-meshes comprises a corresponding set of vertices and a corresponding set of faces comprising edges between pairs of vertices; determining that at least a portion of a first sub-mesh in the plurality of sub-meshes is in a current frame captured by an image sensor on the device; and updating the 3D mesh by texturing the at least a portion of the first sub-mesh with one or more pixels in the current frame onto which the first sub-mesh is projected.
Type: Grant
Filed: September 20, 2021
Date of Patent: May 16, 2023
Assignee: SPLUNK INC.
Inventors: Devin Bhushan, Seunghee Han, Caelin Thomas Jackson-King, Jamie Kuppel, Stanislav Yazhenskikh, Jim Jiaming Zhu
-
Patent number: D986269
Type: Grant
Filed: September 1, 2022
Date of Patent: May 16, 2023
Assignee: SPLUNK Inc.
Inventors: Uladzimir Bahatyrevich, Anthony Barbato