Patents Assigned to Splunk Inc.
-
Patent number: 12079100
Abstract: A computerized method is disclosed for grouping alerts and providing remediation recommendation. The method includes receiving the alert to be assigned to an existing open issue or a newly created issue, wherein an issue is a grouping of one or more alerts, assigning the alert to either a first existing open issue or the newly created issue by determining a weighted sum of the distance between the feature vectors of the alert and each existing open issue, determining a weighted sum of the distance between the feature vectors of the alert and each closed issue, and generating a user interface that illustrates an assignment of the alert and at least one of (i) a closed issue having a shortest distance to the alert or (ii) recommended remediation efforts associated with the closed issue having the shortest distance to the alert.
Type: Grant
Filed: January 31, 2022
Date of Patent: September 3, 2024
Assignee: Splunk Inc.
Inventors: William Deaderick, William Stanton, Thomas Camp Vieth
-
Patent number: 12072783
Abstract: Information retrieved from monitoring agents currently installed on instrumented entities within a system is analyzed to discover additional entities within the system that are connected to the instrumented entities. Each of these discovered entities is analyzed to determine whether a monitoring agent is able to be installed within the entity; if installation is possible, such installation is automatically performed (or a guided manual installation is implemented utilizing an interface). After a monitoring agent is installed within a discovered entity, information is retrieved from that monitoring agent and is used to discover additional entities within the system that are connected to that discovered entity. In this way, an iterative discovery of all entities within a system may be performed.
Type: Grant
Filed: October 25, 2022
Date of Patent: August 27, 2024
Assignee: SPLUNK Inc.
Inventors: Tigran Najaryan, Aunsh Bharat Chaudhari, Morgan James McLean, Yiqing Pei
-
Patent number: 12072907
Abstract: A graphical user interface (GUI) includes multiple data visualizations and an adjustable graphical user control. The data underlying the data visualizations are timestamped, and the graphical user control enables a user to select a time interval. When a time interval is selected or modified via the graphical user control, the multiple data visualizations update automatically in real time to reflect data that correspond to the currently selected time interval.
Type: Grant
Filed: March 29, 2022
Date of Patent: August 27, 2024
Assignee: Splunk Inc.
Inventors: Nusair Haq, Ryan O'Connor, Siegfried Puchbauer
-
Patent number: 12072859
Abstract: A computer system displays a graphical user interface (GUI) that includes data visualizations corresponding to data having timestamps within a time interval. A first type of input signal is mapped to a second type of input signal. The first type of input signal is associated with an input device communicatively coupled to the computer system. The second type of input signal is configured to operate a graphical user control of the GUI. Before mapping, the first type of input signal is configured to perform a function that is different from operation of the graphical user control. After receiving an input signal of the first type, an input signal of the second type is applied to the graphical user control based on the mapping. The time interval is adjusted, and the data visualizations are updated automatically to correspond to updated data having timestamps within the adjusted time interval.
Type: Grant
Filed: October 26, 2022
Date of Patent: August 27, 2024
Assignee: Splunk Inc.
Inventor: Ryan O'Connor
-
Patent number: 12072891
Abstract: The disclosed embodiments include a method performed by a data intake and query system. The method includes receiving a search query by a search head, defining a search process for applying the search query to indexers, delegating a first portion of the search process to indexers and a second portion of the search process to intermediary node(s) communicatively coupled to the search head and the indexers. The first portion can define a search scope for obtaining partial search results of the indexers and the second portion can define operations for combining the partial search results by the intermediary node(s) to produce a combination of the partial search results. The search head then receives the combination of the partial search results, and outputs final search results for the search query, where the final search results are based on the combination of the partial search results.
Type: Grant
Filed: March 8, 2023
Date of Patent: August 27, 2024
Assignee: Splunk Inc.
Inventors: Sourav Pal, Ashish Mathew, Xiaowei Wang, Christopher Pride
-
Patent number: 12072852
Abstract: A schema consistency mechanism monitors data ingested by a data intake and query system for changes to the structure, or data schema, associated with the data. A schema consistency monitor obtains data from a data source (or, more generally, from any number of separate data sources) at a plurality of points in time. The data is analyzed to determine whether a first portion of the data received at a first point in time conforms to a first data schema and that a second portion of the data received at a second point in time conforms to a second data schema that is different from the first data schema (thereby indicating a change to the associated data schema). A graphical user interface (GUI) can be generated that includes indications of identified changes to one or more data schemas associated with data.
Type: Grant
Filed: October 31, 2022
Date of Patent: August 27, 2024
Assignee: Splunk Inc.
Inventor: Gleb Esman
-
Patent number: 12073103
Abstract: Multiple storage system event handling includes obtaining multiple events for storage on multiple storage systems. For each of the multiple events, field values from each event are extracted. The field values are matched to configurations of the storage systems to identify a subset of the storage system having a matching configuration. The event is transmitted to the subset. The multiple events are transmitted to heterogeneous subsets.
Type: Grant
Filed: July 29, 2022
Date of Patent: August 27, 2024
Assignee: Splunk Inc.
Inventors: Amritpal Singh Bath, Samat Jain, Felix Jiang, Shanmugam Kailasam, Jibang Liu, Isabelle Park, Vishal Patel, Divya Vijayan, Jiahan Wang, Tingjin Xu
-
Patent number: 12074901
Abstract: Systems, methods, and software described herein provide for validating security actions before they are implemented in a computing network. In one example, a computing network may include a plurality of computing assets that provide a variety of different operations. During the operations of the network, administration systems may generate and provide security actions to prevent or mitigate the effect of a security threat on the network. However, prior to implementing the security actions within the network, computing assets may exchange security parameters with the administration systems to verify that the security actions are authentic.
Type: Grant
Filed: March 2, 2023
Date of Patent: August 27, 2024
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 12072939
Abstract: A data intake and query system can generate local data enrichment objects and receive federated data enrichment objects from another data intake and query system. In response to receiving a query, the data intake and query system can determine whether the query is a subquery of a federated query. If the query is a subquery, the data intake and query system can use the federated data enrichment objects to execute the query.
Type: Grant
Filed: January 31, 2022
Date of Patent: August 27, 2024
Assignee: Splunk Inc.
Inventors: Alexandros Batsakis, Nir Frenkel, Nitilaksha Halakatti, Balaji Rao, Anish Shrigondekar, Ruochen Zhang, Steve Yu Zhang
-
Patent number: 12067008
Abstract: Systems and methods are described for display of metric data and log data in a graphical user interface. Metric data can be ingested from a first data source via a first ingestion path and log data can be ingested from a second data source via a second ingestion path. The first data source and the second data source may be distinct, disparate data sources and the first ingestion path and the second ingestion path may be distinct, disparate ingestion paths. The metric data can be displayed in a first area of the graphical user interface and the log data can be displayed in a second area of the graphical user interface. Input can be received identifying a selection of a portion of the metric data for display and the log data can be filtered based on the selection to identify a portion of the log data for display.
Type: Grant
Filed: January 31, 2022
Date of Patent: August 20, 2024
Assignee: Splunk Inc.
Inventors: Nasim Bigdelu, Mirjana Tesic, Rebecca Tortell
-
Patent number: 12066995
Abstract: Embodiments are directed towards a method for generating a query response, which comprises creating two or more partitions of event records from raw data stored in a data store, wherein each event record in the two or more partitions of event records includes a portion of the raw data and is associated with a time stamp derived from the raw data. The method also comprises generating a summarization table for each partition of the two or more partitions that: (a) identifies a field value comprising a value that corresponds to an associated field extracted from a respective event record; and (b) for the field value, includes a posting value to the respective event record within a respective partition. The method further comprises generating partial results for a received query using summarization tables in the partitions and generating a response to the query by combining the partial results.
Type: Grant
Filed: September 23, 2021
Date of Patent: August 20, 2024
Assignee: SPLUNK INC.
Inventors: David Ryan Marquardt, Stephen Phillip Sorkin, Steve Yu Zhang
-
Patent number: 12067007
Abstract: A method includes causing display to a user of at least one event of a first result set from a first pipelined search on events at an event source. Each event comprises a time stamp and a portion of machine data. A selection of a command is received from the user. The selection is to extend the first pipelined search with the selected command in a second pipelined search. The system selects between the first result set and the event source for execution of the second pipelined search based on an analysis of the selected command and at least one command of the first pipelined search. Based on the selecting being of the first result set, display to the user is caused of at least one event of a second result set from the execution of the second pipelined search on the first result set.
Type: Grant
Filed: July 26, 2022
Date of Patent: August 20, 2024
Assignee: Splunk Inc.
Inventors: Jesse Brandau Miller, Marc V. Robichaud, Cory Eugene Burke
-
Patent number: 12066915
Abstract: A computerized method is disclosed for retraining machine learning models based on user feedback. The method includes receiving user feedback indicating a change is to be made to an assignment of one or more alerts, wherein the one or more alerts were assigned by a machine learning model implementing a distance metric, wherein an issue is a grouping of at least one alert, constructing a convex optimization procedure to minimize an adjustment of weights of the distance metric, retraining the machine learning model by adjusting the weights of the distance metric in accordance with the convex optimization procedure, and evaluating one or more subsequently received alerts using the retrained machine learning model. Changes to be made to the assignment include any of merging of two issues, splitting of two issues based on time or an alert field, or reassignment of an alert from a first issue to a second issue.
Type: Grant
Filed: January 31, 2022
Date of Patent: August 20, 2024
Assignee: Splunk Inc.
Inventors: William Deaderick, William Stanton, Thomas Camp Vieth
-
Patent number: 12061691
Abstract: A graphical user interface (GUI) for presentation of network security risk and threat information is disclosed. A listing is generated of incidents identified by use of event data obtained from a networked computing environment. A particular incident is determined to be associated with a risk object, wherein a risk object is a component of the networked computing environment. The listing is populated with a name associated with the risk object. Risk events associated with the incident are determined, wherein each risk event contributes to a risk score for the incident. The risk score indicates a potential security issue associated with the risk object. The listing is populated with the risk score and a summary of the events. An action is associated with the listing, for triggering display of additional information associated with the risk object. The listing can be displayed in a first display screen of the GUI.
Type: Grant
Filed: October 29, 2021
Date of Patent: August 13, 2024
Assignee: Splunk Inc.
Inventors: James Apger, Allison Lindsey Drake, James Irwin Ebeling, Orville Esoy, Bhooshan Kulkarni, Marquis L. Montgomery, Daniel Trenkner
-
Patent number: 12061638
Abstract: Embodiments are directed towards real time display of event records and extracted values based on at least one extraction rule, such as a regular expression. A user interface may be employed to enable a user to have an extraction rule automatically generated and/or to manually enter an extraction rule. The user may be enabled to manually edit a previously provided extraction rule, which may result in real time display of updated extracted values. The extraction rule may be utilized to extract values from each of a plurality of records, including event records of unstructured machine data. Statistics may be determined for each unique extracted value, and may be displayed to the user in real time. The user interface may also enable the user to select at least one unique extracted value to display those event records that include an extracted value that matches the selected value.
Type: Grant
Filed: October 18, 2022
Date of Patent: August 13, 2024
Assignee: Splunk Inc.
Inventors: R. David Carasso, Micah James Delfino, Johnvey Hwang
-
Patent number: 12061533
Abstract: Ingest health monitoring includes receiving an event stream of events in a data intake and query system to store on at least one storage system and obtaining an event from the event stream. Ingest health monitoring further includes transmitting the event to a selected ingest module queue for the event, updating an output rate indicator counter for the selected ingest module queue when failure to store the event in the ingest module queue occurs, obtaining the event from the selected ingest module queue, processing the event to generate a file for the event, and transmitting the file to the at least one storage system. Ingest health monitoring further includes updating the write failure indicator counter for a storage system of the at least one storage system when failure to transmit to the storage system occurs and updating the user interface based on the output rate indicator counter and the write failure indicator counter.
Type: Grant
Filed: July 29, 2022
Date of Patent: August 13, 2024
Assignee: Splunk Inc.
Inventors: Amritpal Singh Bath, Samat Jain, Felix Jiang, Shanmugam Kailasam, Jibang Liu, Isabelle Park, Vishal Patel, Divya Vijayan, Jiahan Wang, Tingjin Xu
-
Patent number: 12062234
Abstract: A client device that includes a camera and an extended reality client application program is employed by a user in a physical space, such as an industrial or campus environment. The user aims the camera within the mobile device at a real-world asset, such as a computer system, classroom, or vehicle. The client device acquires a digital image via the camera and detects textual and/or pictorial content included in the acquired image that corresponds to one or more anchors. The client device queries a data intake and query system for asset content associated with the detected anchors. Upon receiving the asset content from the data intake and query system, the client device generates visualizations of the asset content and presents the visualizations via a display device.
Type: Grant
Filed: October 24, 2022
Date of Patent: August 13, 2024
Assignee: SPLUNK INC.
Inventors: Devin Bhushan, Seunghee Han, Caelin Thomas Jackson-King, Jamie Kuppel, Stanislav Yazhenskikh, Jim Jiaming Zhu
-
Patent number: 12056169
Abstract: A computerized method is disclosed that includes operations of training a machine learning model using a labeled training set of data, wherein the machine learning model is configured to classify domain name server (DNS) records, obtaining DNS record data including at least a first DNS Txt record, applying the trained machine learning model to the first DNS Txt record to classify the first DNS Txt record and responsive to the classification of the first DNS Txt record, generating a flag for a system administrator. The trained machine learning model may classify the first DNS Txt record using logistic regression. In some instances, applying the trained machine learning model to the first DNS Txt record includes performing a tokenizing operation on the first DNS Txt record to generate a tokenized first DNS Txt record.
Type: Grant
Filed: October 28, 2021
Date of Patent: August 6, 2024
Assignee: Splunk Inc.
Inventors: Abhinav Mishra, Giovanni Mola, Ram Sriharsha, Abraham Starosta, Zhaohui Wang
-
Patent number: 12057208
Abstract: Medication security and healthcare privacy analytics systems are described that enable users to search for and process stored healthcare environment data. The medication security and healthcare privacy analytics systems receive and correlate data from a plurality of data sources, including medication dispensing systems, healthcare employee records, and patient records. The medication security and healthcare privacy analytics systems generate a plurality of feature vectors from processed healthcare environment data. The visualizations are created using datasets generated by clustering algorithms and can indicate those feature vectors from the plurality of feature vectors whose data indicate anomalous interactions with various systems (e.g., indicative of unexpected or non-customary events).
Type: Grant
Filed: September 1, 2022
Date of Patent: August 6, 2024
Assignee: Splunk Inc.
Inventor: Gleb Esman
-
Patent number: 12050507
Abstract: A computerized method is disclosed for automated handling of data ingestion anomalies. The method features training a data model based on a first volume of data associated with a first time period. Thereafter, using the data model, a predictive analysis is conducted on a second volume of data associated with a second time period subsequent to the first time period to produce a predicted data ingestion volume. After, a correlative analysis between the predicted data ingestion volume and an actual data ingestion volume during the second time period is conducted to produce a prediction error. A notification is generated based on the prediction error.
Type: Grant
Filed: January 24, 2022
Date of Patent: July 30, 2024
Assignee: Splunk Inc.
Inventors: Abraham Starosta, Francis Beckert, Chandrima Sarkar