Patents Assigned to Splunk Inc.
  • Patent number: 11853361
    Abstract: A service monitoring system executing on one or more processors may have operations that are determined by control information. Control over the operation of the service monitoring system can be exerted through the use of a graphical interface. The graphical interface may present the control information of a new or existing correlation search definition for user interaction. The service monitoring system may maintain a data store of key performance indicator (KPI) data, where a KPI value in the data store is produced by a KPI-defining search query that derives the value from machine data associated with one or more entities that perform a monitored service. A correlation search definition of the service monitoring system determines how a search of the KPI data is conducted, how its data is evaluated to determine whether a triggering condition has been met, and, if so, determines what triggered action is to be initiated.
    Type: Grant
    Filed: June 8, 2022
    Date of Patent: December 26, 2023
    Assignee: Splunk Inc.
    Inventors: Hemendra Singh Choudhary, Tristan Antonio Fletcher, Brian John Bingham, Fang I. Hsiao, Brian Reyes
  • Patent number: 11853303
    Abstract: As described herein, a portion of machine data of a message may be analyzed to infer, using an inference model, a sourcetype of the message. The portion of machine data may be generated by one or more components in an information technology environment. Based on the inference, a set of extraction rules associated with the sourcetype may be selected. Each extraction rule may define criteria for identifying a sub-portion of text from the portion of machine data of the message to produce a value. The set of extraction rules may be applied to the portion of machine data of the message to produce a result set that indicates a number of values identified using the set of extraction rules. Based on the result set, at least one action may be performed on one or more of inference data associated with the inference model and one or more messages.
    Type: Grant
    Filed: August 25, 2021
    Date of Patent: December 26, 2023
    Assignee: Splunk Inc.
    Inventors: Adam Oliner, Eric Sammer, Kristal Curtis, Nghi Nguyen
  • Patent number: 11853330
    Abstract: According to embodiments, a method for navigating clusters of a data structure includes gathering data from the data structure by instrumenting instances of application software executing on the data structure. The method also includes identifying clusters of the data structure based on the gathered data. The method also includes causing display of a cluster map of the data structure, the cluster map comprising a plurality of clusters, each cluster of the plurality of clusters comprising a plurality of nodes, each node of the plurality of nodes comprising a plurality of pods, each pod of the plurality of pods comprising a plurality of containers. The method also includes providing a status for each node, each pod, and each container of each cluster. The method also includes causing display of analysis of each cluster of the cluster map, the analysis comprising granular information for each cluster.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: December 26, 2023
    Assignee: Splunk Inc.
    Inventors: Ann Bannon, Calvin Chan, Nikhil Kasthurirangan, Park Kittipatkul, Kunal Mamidpalliwar, Alexandra Nuttbrown, Eyal Ophir, Caitlin Jessica Yolanda Pinn, Rebecca Tortell, Harsh Vashistha, Janet W. Yu
  • Patent number: 11847773
    Abstract: A mobile device that includes a camera and an extended reality software application program is employed by a user in an operating environment, such as an industrial environment. One or more objects within a geofence may be identified. A device crosses within the geofence and acquires sensor data associated with an object within the geofence. The sensor data may include image data and/or audio data. The device or a server system may then determine an object identifier associated with the object based on a comparison of the sensor data with data associated with object identifiers corresponding to objects within the geofence. Based on the object identifier, data associated with the object are obtained. The data associated with the object may be presented via the device, such as an extended reality overlay over a view of the object in the device.
    Type: Grant
    Filed: April 27, 2018
    Date of Patent: December 19, 2023
    Assignee: SPLUNK INC.
    Inventors: Jesse Chor, Michael Emery, Christopher Chan, Glen Wong, Devin Bhushan
  • Patent number: 11847133
    Abstract: In various embodiments, a computer-implemented method comprises receiving an artifact manifest representing at least a portion of a shared session between a first application and at least a second application, where the artifact manifest identifies a set of data visualization artifacts that are generated by the first application, transmitting the artifact manifest to the second application, receiving, from the second application accessing the shared session, a modification to a first data visualization artifact in the set of data visualization artifacts, and causing, based on the modification, the first data visualization artifact to be updated by the first application.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: December 19, 2023
    Assignee: SPLUNK INC.
    Inventors: Christopher Yan-Loon Chan, James Fong, Eason Yicheng Gao, Dhruvkumar Manek, Syndey Nguyen, Henry Maozhong Xu
  • Patent number: 11847732
    Abstract: Various implementations set forth a computer-implemented method for scanning a three-dimensional (3D) environment. The method includes generating, in a first time interval, a first extended reality (XR) stream based on a first set of meshes representing a 3D environment, transmitting, to a remote device, the first XR stream for rendering a 3D representation of a first portion of the 3D environment in a remote XR environment, determining that the 3D environment has changed based on a second set of meshes representing the 3D environment and generated subsequent to the first time interval, generating a second XR stream based on the second set of meshes, and transmitting, to the remote device, the second XR stream for rendering a 3D representation of at least a portion of the changed 3D environment in the remote XR environment.
    Type: Grant
    Filed: October 29, 2021
    Date of Patent: December 19, 2023
    Assignee: SPLUNK INC.
    Inventors: Devin Bhushan, Caelin Thomas Jackson-King, Stanislav Yazhenskikh, Jim Jiaming Zhu
  • Patent number: 11843528
    Abstract: One or more lower-tier system monitoring components are installed and operated prior to installing a higher-tier system monitoring component. A lower-tier system may be an individual server, network device, or local area network. A higher-tier system may include an enterprise or organization wide network or service that includes at least a part of the lower-tier system. Once the higher-tier system monitoring component is installed, the higher-tier and lower-tier system monitoring components use an interface to operate with one another to form a single larger instance of an organization wide monitoring system. The combination of the higher-tier system monitoring component and the one or more lower-tier system operating components performs monitoring aspects of the overall information technology environment based at least in part on machine data produced and made searchable to provide monitoring results.
    Type: Grant
    Filed: October 22, 2021
    Date of Patent: December 12, 2023
    Assignee: Splunk Inc.
    Inventors: Alan Vincent Hardin, Kan Wu, Arun Ramani, Nicholas Matthew Tankersley, Tristan Fletcher, Alok Bhide
  • Patent number: 11841834
    Abstract: Embodiments of the present disclosure provide techniques for efficiently and accurately performing propagation of search-head specific configuration customizations across multiple individual configuration files of search heads of a cluster for a consistent user experience. The cluster of search heads may be synchronized such that the search heads operate to receive the configuration or knowledge object customizations from one or more clients from a central or lead search head. To reduce the amount of data that is transferred during propagation, the list of configuration or knowledge object customizations maintained in each search head is filtered from the list of the lead search head until a divergence point is determined. Once determined and communicated to the lead search head, the lead search head sends the configuration and knowledge object customization data that is absent from the internal list of the member search head.
    Type: Grant
    Filed: April 20, 2022
    Date of Patent: December 12, 2023
    Assignee: SPLUNK INC.
    Inventor: Yuan Xu
  • Patent number: 11841908
    Abstract: Based on a selection by a user of first one or more values of one or more events displayed in a graphical interface, an extraction rule is automatically determined that is capable of extracting a field label-value pair at least partially within at least the selected one or more values. An option is displayed that corresponds to the determined extraction rule in the graphical interface. Based on the user selecting the option in the graphical interface, display is caused of second one or more values of one or more field label-value pairs extracted from the one or more events using the extraction rule. The one or more events may be displayed in a table format, and the first one or more values may be selected by the user selecting one or more cells, columns, or text portions in the table format.
    Type: Grant
    Filed: October 12, 2022
    Date of Patent: December 12, 2023
    Assignee: Splunk Inc.
    Inventors: Marc Vincent Robichaud, Cory Eugene Eugene Burke, Jeffrey Thomas Lloyd
  • Patent number: 11843505
    Abstract: A computerized method is disclosed that includes operations of receiving one or more records, wherein each of the one or more records indicates a successful search query evaluation by at least one of a plurality of edge devices, building a predictive analytics model based on the one or more records, wherein the predictive analytics model is configured to perform operations configured to predict enrichment data that is to be needed by one or more edge devices in the future during evaluation of a future search query, performing predictive analytics using the predictive analytics model to determine predictive enrichment data, and transmitting a first response packet to a first edge device, wherein the first response packet includes the predictive enrichment data. The records may include one or more of a data stream identifier, a search query, enrichment data that was required at a time the search query was evaluated.
    Type: Grant
    Filed: July 15, 2022
    Date of Patent: December 12, 2023
    Assignee: Splunk Inc.
    Inventors: Alexander William Cruise, Daniel Ferstay
  • Patent number: 11841827
    Abstract: Embodiments described herein facilitate enhancement of data model acceleration, including generating data model summaries and performing searches in an accelerated manner. In one implementation, a set of events are indexed, each of the events having a corresponding index time representing a time at which the event was indexed in an indexer. Index time parameters including an index earliest time indicating a first index time at which to begin generating a data model summary and an index latest time indicating a second index time at which to complete generating the data model summary are obtained. Thereafter, a data model summary is generated. Such a data model summary summarizes events having corresponding index times between the index earliest time and the index latest time. The data model summary is provided to a remote data store that is separate from the indexer at which at least a portion of the events were indexed.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: December 12, 2023
    Assignee: Splunk Inc.
    Inventors: Alexandros Batsakis, Ankit Jain, Manu Jose, Jonah Pan, Hailun Yan
  • Patent number: 11843622
    Abstract: Techniques are described for providing users of a data intake and query system with pre-trained ML models capable of identifying malicious threats (e.g., malware, botnets, ransomware, etc.) in users' computing environments based on an analysis of Domain Name System (DNS) log data collected from DNS servers in users' environments. DNS log data is ingested by a data intake and query system and processed to obtain searchable timestamped event data. This event data can then be used as input to ML models provided by a security ML application described herein to detect potential occurrences of malicious activity within users' computing environments.
    Type: Grant
    Filed: October 16, 2020
    Date of Patent: December 12, 2023
    Assignee: Splunk Inc.
    Inventors: Anthony G Tellez, Philipp Drieger
  • Patent number: 11842118
    Abstract: Various embodiments of the present application set forth a computer-implemented method that includes transmitting, by a wearable device, a first request that includes a first set of parameters, receiving, by the wearable device, a first set of values based on the first set of parameters, wherein the first set of values are provided by a first data source, displaying, by the wearable device, a first dashboard that includes a first visualization associated with the first set of values, determining that a first physical interaction with a first physical input device associated with the wearable device occurred, and in response to the first physical interaction, causing the first visualization to display a first data value included in the first set of values.
    Type: Grant
    Filed: September 19, 2022
    Date of Patent: December 12, 2023
    Assignee: SPLUNK INC.
    Inventors: Mingyuan Chen, Dylan Patricia Conway, Simon Tam
  • Patent number: 11841853
    Abstract: Embodiments of the present invention are directed to identifying related data, in particular, data associated with different source types. In embodiments, a first source type related to a second source type associated with a search query is identified. Field set pairs are identified from a first data set associated with the first source type and a second data set associated with the second source type. Each field set pair can include one field set associated with the first source type and another field set associated with the second source type. For each field set pair, an extent of similarity is determined between the corresponding field sets. Based on the extent of similarities between the corresponding field sets, at least one pair of related field sets is identified. An indication of the at least one pair of related field sets is provided, for example, for presentation to a user.
    Type: Grant
    Filed: March 15, 2021
    Date of Patent: December 12, 2023
    Assignee: Splunk Inc.
    Inventors: Kristal Lyn Curtis, Archana Sulochana Ganapathi, Adam Oliner, Steve Yu Zhang
  • Patent number: 11838189
    Abstract: A time series is created that measures a remaining budget amount for a given time period, where the budget amount indicates a maximum number of occurrences of an event allowed for the given time period. More specifically, the given time period is divided into multiple time intervals. For each time interval, a number of occurrences of the event are calculated and detracted from the remaining budget amount to determine a remaining budget amount at the end of the time interval. These time values and associated remaining budget amounts are used to create the time series. This time series may be monitored in real-time, and actions may be taken to avoid future occurrences of the event in response to determining that the remaining budget amount falls below a threshold.
    Type: Grant
    Filed: October 28, 2022
    Date of Patent: December 5, 2023
    Assignee: SPLUNK Inc.
    Inventors: Jeremy Hicks, Todd Leonard DeCapua, Adam James Schalock, Neil Douglas Erkkila, Samuel Halpern, Chad Tripod, Joel Schoenberg, David Connett
  • Patent number: 11838351
    Abstract: A deployment manager executing in a distributed computing environment generates a user behavior analytics (UBA) deployment to process structured event data. The deployment manager configures a streaming cluster to perform streaming processing on real-time data and configures a batch cluster to perform batch processing on aggregated data. A configuration manager executing in the distributed computing environment interoperates with the deployment manager to update the UBA deployment with user-provided code and configurations that define streaming and batch models, among other things. In this manner, the deployment manager provides a scalable UBA deployment that can be customized, via the configuration manager, by a user.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: December 5, 2023
    Assignee: SPLUNK INC.
    Inventors: Marios Iliofotou, Ravi Bulusu, Ashwin Athalye, Sathya Kavacheri, Shekar Kesarimanglam
  • Patent number: 11836148
    Abstract: Systems and methods are disclosed for implementing a data stream correlation user interface. The data stream correlation user interface enables users to view information from two sets of records, and identify fields in the two sets of records that can be matched together to “glue” together multiple records. For example, a user may specify that values in an “AcctID” field in one set of records can be matched to values in an “Account_ID” field of a second set of records. Additional identifying fields may be selected, such that multiple values can be chained together. The system can match the records of multiple sets together using designated fields, enabling users to view how many records from one set have a corresponding record in another set.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: December 5, 2023
    Assignee: Splunk Inc.
    Inventors: Paul Boster, Keith Kramer, Cary Noel, Isabelle Park
  • Patent number: 11836526
    Abstract: A system receives a time series of data values from instrumented software executing on an external system. Each data value corresponds to a metric of the external system. The system stores a level value representing a current estimate of the time series and a trend value representing a trend in the time series. The level and trend values are based on data in a window having a trailing value. In response to receiving a most recent value, the system updates the level value and the trend value to add an influence of the most recent value and remove an influence of the trailing value. The system forecasts based on the updated level and trend values, and in response to determining that the forecast indicates the potential resource shortage event, takes action.
    Type: Grant
    Filed: May 18, 2021
    Date of Patent: December 5, 2023
    Assignee: Splunk Inc.
    Inventor: Joseph Ari Ross
  • Patent number: 11836146
    Abstract: A computer-implemented method of determining indexed fields at query time comprises indexing time-stamped events ingested from a plurality of source types. The time-stamped searchable events compare portions of raw data. The method also comprises generating an index containing each keyword in the time-stamped searchable events and an associated location reference of a respective event in which the keyword appears. Further, the method comprises generating a fields metadata file identifying indexed fields in the time-stamped searchable events for each source type. The fields metadata file comprises reference values for accessing indexed fields associated with each source type from the index. The method also comprises accessing the fields metadata file to identify the indexed fields associated with each source type prior to executing a query.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: December 5, 2023
    Assignee: SPLUNK INC.
    Inventors: Jay A. Pathak, Steve Yu Zhang
  • Patent number: 11836579
    Abstract: Disclosed is a technique that can be performed by an electronic device. The electronic device can generate time-stamped events, extract training data from the time-stamped events, and send the training data over a network to a remote computer. The electronic device can receive model data generated by the remote computer from the training data by use of a machine learning process, update a local model of the electronic device based on the received model data, and generate an output by processing locally sourced data of the electronic device with the updated local model.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: December 5, 2023
    Assignee: SPLUNK INC.
    Inventors: Pradeep Baliganapalli Nagaraju, Adam Jamison Oliner, Brian Matthew Gilmore, Erick Anthony Dean, Jiahan Wang