Abstract: Ingest health monitoring includes receiving an event stream of events in a data intake and query system to store on at least one storage system and obtaining an event from the event stream. Ingest health monitoring further includes transmitting the event to a selected ingest module queue for the event, updating an output rate indicator counter for the selected ingest module queue when failure to store the event in the ingest module queue occurs, obtaining the event from the selected ingest module queue, processing the event to generate a file for the event, and transmitting the file to the at least one storage system. Ingest health monitoring further includes updating the write failure indicator counter for a storage system of the at least one storage system when failure to transmit to the storage system occurs and updating the user interface based on the output rate indicator counter and the write failure indicator counter.

Abstract: A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital image via the camera and detects textual and/or pictorial content included in the acquired image that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.

Abstract: A computerized method is disclosed that includes operations of training a machine learning model using a labeled training set of data, wherein the machine learning model is configured to classify domain name server (DNS) records, obtaining DNS record data including at least a first DNS Txt record, applying the trained machine learning model to the first DNS Txt record to classify the first DNS Txt record and responsive to the classification of the first DNS Txt record, generating a flag for a system administrator. The trained machine learning model may classify the first DNS Txt record using logistic regression. In some instances, applying the trained machine learning model to the first DNS Txt record includes performing a tokenizing operation on the first DNS Txt record to generate a tokenized first DNS Txt record.

Abstract: Medication security and healthcare privacy analytics systems are described that enable users to search for and process stored healthcare environment data. The medication security and healthcare privacy analytics systems receive and correlate data from a plurality of data sources, including medication dispensing systems, healthcare employee records, and patient records. The medication security and healthcare privacy analytics systems generate a plurality of feature vectors from processed healthcare environment data. The visualizations are created using datasets generated by clustering algorithms and can indicate those feature vectors from the plurality of feature vectors whose data indicate anomalous interactions with various systems (e.g., indicative of unexpected or non-customary events).

Abstract: A computerized method is disclosed for automated handling of data ingestion anomalies. The method features training a data model based on a first volume of data associated with a first time period. Thereafter, using the data model, a predictive analysis is conducted on a second volume of data associated with a second time period subsequent to the first time period to produce a predicted data ingestion volume. After, a correlative analysis between the predicted data ingestion volume and an actual data ingestion volume during the second time period is conducted to produce a prediction error. A notification is generated based on the prediction error.

Abstract: An improved data intake and query system that can perform and display ingest-time and search-time field extraction, redaction, copy, and/or categorization is described herein. As described herein, ingest-time field extraction, redaction, copy, and/or categorization may refer to field or field value extraction, redaction, copy, and/or categorization that is performed by a log observer system of the data intake and query system on raw machine data as the raw machine data is ingested or received from a publisher. As described herein, search-time field extraction, redaction, copy, and/or categorization may refer to field or field value extraction, redaction, copy, and/or categorization that is performed by the log observer system and/or other components of the improved data intake and query system on historical raw machine data that has already been ingested and indexed by the improved data intake and query system.

Abstract: Techniques are described for automatically identifying and configuring IT and security application connectors relevant to users' IT environment by obtaining and analyzing data reflecting activity within an IT environment. The identification of types of assets within an IT environment may be based on analyzing a “source type” field included in events associated with the IT environment, where the source type field included in each event provides an indication of a type of device or service to which the event relates. The values stored in the source type field of events associated with a user's IT environment might indicate, for example, the presence of various types of computing devices, software applications, network devices, and so forth. Based on the identification of types of assets present in an IT environment, an IT and security operations application automatically configures corresponding connectors for those types of assets.

Abstract: Various embodiments of the present application set forth a computer-implemented method that includes receiving a device identifier associated with a sensor device, wherein the device identifier is receivable from a location proximal to the sensor device, assigning the device identifier to a first application executing in a first network, wherein data from the sensor device is transmitted to the first application, and transmitting, to a server, an indication of the assignment of the device identifier to the first application, wherein the server stores the assignment in conjunction with a security configuration associated with the sensor device.

Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

Abstract: A performance monitoring system (PMS 102) displays a list of example URLs that matched a URL grouping rule used to group URLs. For a rule configured for a customer of the PMS, the example matched URLs are selected by the PMS from a candidate set of URLs identified from data associated with that customer. The PMS receives information identifying a Uniform Resource Locator (URL) grouping rule displayed in a graphical user interface (GUI). The PMS identified a list of candidate URLs occurring in the stored data. The PMS then identifies, from the list of candidate URLs, a set of matched URLs, the set of matched URLs including one or more URLs from the list of candidate URLs that matched the URL grouping rule. The PMS then causes at least one URL from the set of matched URLs to be displayed on the GUI.

Abstract: An instrumentation analysis system processes data streams by executing instructions specified using a data stream language program. The data stream language allows users to specify a search condition using a find block for identifying the set of data streams processed by the data stream language program. The set of identified data streams may change dynamically. The data stream language allows users to group data streams into sets of data streams based on distinct values of one or more metadata attributes associated with the input data streams. The data stream language allows users to specify a threshold block for determining whether data values of input data streams are outside boundaries specified using low/high thresholds. The elements of the set of data streams input to the threshold block can dynamically change. The low/high threshold values can be specified as data streams and can dynamically change.

Abstract: Data intake and query system (DIQS) instances supporting applications including lower-tier, focused, work group oriented applications may be tailored to meet the specific needs of the users. Rather than offer pre-configured options, the DIQS-based application offers the user the ability to customize data collection before deploying the collectors for specified host entities within an IT environment. Once the user selects the metrics and/or log sources for data collection at a custom interface, the lower-tier DIQS generates custom script operable to establish collection of the source data having the selected metrics and events associated with selected log sources from the specified host entities. The user can display and analyze the collected data.

Abstract: The technology presented herein improves incident handling in an IT environment. In a particular example, a method provides identifying a first incident in the IT environment. From incident handling information that indicates how a plurality of previous incidents were handled by one or more users, the method provides identifying first information of the incident handling information corresponding to one or more first previous incidents of the plurality of previous incidents that are similar to the first incident. The method further provides determining a suggested course of action from the first information and presenting the suggested course of action to a user of the information technology environment.

Abstract: A computer-implemented method of determining indexed fields at query time comprises mapping data from a first source type to indexed fields in batch form using a wildcard specifier. The method also comprises receiving a query to execute on a data set comprising data from the first source type and data from a second source type. Further, the method comprises transforming the query to execute on the data from the first source type separately from the data from the second source type. Additionally, the method comprises executing the query to operate on the data from the first source type using information associated with the indexed fields and to separately operate on the data from the second source type.

Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

Abstract: Systems and methods are described for processing ingested data, detecting anomalies in the ingested data, and providing explanations of a possible cause of the detected anomalies as the data is being ingested. For example, a token or field in the ingested data may have an anomalous value. Tokens or fields from another portion of the ingested data can be extracted and analyzed to determine whether there is any correlation between the values of the extracted tokens or fields and the anomalous token or field having an anomalous value. If a correlation is detected, this information can be surfaced to a user.

Abstract: The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display a graphical user interface (GUI) for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements containing a set of statistics associated with one or more event streams that comprise the time-series event data. The system then causes for display, in the GUI, one or more graphs comprising one or more values from the set of statistics. Finally, the system causes for display, in the GUI, a value of a statistic from the set of statistics based on a position of a cursor over the one or more graphs.

Abstract: An example method of content pack management by a service monitoring system includes: receiving a plurality of object identifiers, each object identifier referencing a corresponding object installed in an instance of a service monitoring system; performing a partial backup of the instance of a service monitoring system, wherein the partial backup comprises a plurality of objects referenced by the plurality of object identifiers; converting the partial backup into a plurality of object definitions in a predefined format; and packaging the plurality of object definitions into a content pack.

Abstract: Systems and methods are disclosed for performing multiple queries in a single graphical user interface (GUI) displayed in a client browser. The client browser causes the display of a first user interface field in a first area of the GUI, where the first user interface field can be used to enter or edit a first query. The client browser also causes first query results generated by a data intake and query system executing the first query to be displayed in the first area. The client browser further causes the display of a second user interface field in a second area of the GUI, where the second user interface field can be used to enter or edit a second query. The client browser also causes second query results generated by the data intake and query system executing the second query to be displayed in the second area.

Abstract: A method for performing disaster recovery in a clustered environment comprises identifying, at a master device, a first indexer from a set of indexers to serve as a primary indexer for responding to queries pertaining to a subset of data. The method also comprises assigning, at the master device, a generation identifier indicating that the first indexer is the primary indexer for the subset of data. Responsive to an event prompting a change in a primary indexer designation for the subset of data, the method comprises identifying, at the master device, a second indexer from the set of indexers to serve as the primary indexer for responding to queries pertaining to the subset of data. Further, the method comprises assigning, at the master device, a new generation identifier indicating that the second indexer is the primary indexer for the subset of data.