Abstract: A performance monitoring system (PMS 102) displays a list of example URLs that matched a URL grouping rule used to group URLs. For a rule configured for a customer of the PMS, the example matched URLs are selected by the PMS from a candidate set of URLs identified from data associated with that customer. The PMS receives information identifying a Uniform Resource Locator (URL) grouping rule displayed in a graphical user interface (GUI). The PMS identified a list of candidate URLs occurring in the stored data. The PMS then identifies, from the list of candidate URLs, a set of matched URLs, the set of matched URLs including one or more URLs from the list of candidate URLs that matched the URL grouping rule. The PMS then causes at least one URL from the set of matched URLs to be displayed on the GUI.

Abstract: Data intake and query system (DIQS) instances supporting applications including lower-tier, focused, work group oriented applications may be tailored to meet the specific needs of the users. Rather than offer pre-configured options, the DIQS-based application offers the user the ability to customize data collection before deploying the collectors for specified host entities within an IT environment. Once the user selects the metrics and/or log sources for data collection at a custom interface, the lower-tier DIQS generates custom script operable to establish collection of the source data having the selected metrics and events associated with selected log sources from the specified host entities. The user can display and analyze the collected data.

Abstract: Systems and methods are described for processing ingested data, detecting anomalies in the ingested data, and providing explanations of a possible cause of the detected anomalies as the data is being ingested. For example, a token or field in the ingested data may have an anomalous value. Tokens or fields from another portion of the ingested data can be extracted and analyzed to determine whether there is any correlation between the values of the extracted tokens or fields and the anomalous token or field having an anomalous value. If a correlation is detected, this information can be surfaced to a user.

Abstract: A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI.

Abstract: Systems and methods are disclosed for performing multiple queries in a single graphical user interface (GUI) displayed in a client browser. The client browser causes the display of a first user interface field in a first area of the GUI, where the first user interface field can be used to enter or edit a first query. The client browser also causes first query results generated by a data intake and query system executing the first query to be displayed in the first area. The client browser further causes the display of a second user interface field in a second area of the GUI, where the second user interface field can be used to enter or edit a second query. The client browser also causes second query results generated by the data intake and query system executing the second query to be displayed in the second area.

Abstract: A method for performing disaster recovery in a clustered environment comprises identifying, at a master device, a first indexer from a set of indexers to serve as a primary indexer for responding to queries pertaining to a subset of data. The method also comprises assigning, at the master device, a generation identifier indicating that the first indexer is the primary indexer for the subset of data. Responsive to an event prompting a change in a primary indexer designation for the subset of data, the method comprises identifying, at the master device, a second indexer from the set of indexers to serve as the primary indexer for responding to queries pertaining to the subset of data. Further, the method comprises assigning, at the master device, a new generation identifier indicating that the second indexer is the primary indexer for the subset of data.

Abstract: Described herein are improvements for generating courses of action for an information technology (IT) environment. In one example, a method includes identifying a first course of action for responding to an incident type in an information technology environment and generating a simulated incident associated with the incident type. The method further includes initiating performance of the first course of action based on the generation of the simulated incident. The method also includes, upon reaching a particular step of the first course of action that prevents the performance of the first course of action from proceeding, providing a first simulated result that allows the performance of the first course of action to proceed.

Abstract: The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display a graphical user interface (GUI) for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Next, the system causes for display, in the GUI, a first set of user-interface elements containing a set of statistics associated with one or more event streams that comprise the time-series event data. The system then causes for display, in the GUI, one or more graphs comprising one or more values from the set of statistics. Finally, the system causes for display, in the GUI, a value of a statistic from the set of statistics based on a position of a cursor over the one or more graphs.

Abstract: An example method of content pack management by a service monitoring system includes: receiving a plurality of object identifiers, each object identifier referencing a corresponding object installed in an instance of a service monitoring system; performing a partial backup of the instance of a service monitoring system, wherein the partial backup comprises a plurality of objects referenced by the plurality of object identifiers; converting the partial backup into a plurality of object definitions in a predefined format; and packaging the plurality of object definitions into a content pack.

Abstract: A process for facilitating autoscaling in a stateful system is described herein. In embodiments, a set of metrics associated with a set of components of a stateful service is obtained. The set of metrics may generally indicate a utilization or a load of each of the components of the set of components (e.g., message managers and/or data stores). Thereafter, it is determined to initiate a scaling event at the stateful service in association with the set of components of the stateful service based on at least a portion of the set of metrics attaining a metric threshold indicating a threshold value for determining whether to scale stateful service components. A scaling request can then be provided to the stateful service to initiate the scaling event at the stateful service in association with the set of components of the stateful service.

Abstract: Systems, methods, and computer readable media are disclosed for generating and providing concurrent journey visualizations associated with different journey definitions. In computer-implemented embodiments, a data intake and query system, or a journey visualization computing tool, can be used to generate and provide concurrent representations corresponding with different journey definitions. In operation, a set of journey instances associated with a journey having a set of steps is obtained. Each step may be associated with at least one event that includes raw machine data produced by a component of an information technology environment. Upon obtaining different journey definitions specifying filters to apply to the set of journey instances, the data intake and query system can generate journey visualizations in accordance with the journey definitions.

Abstract: Various embodiments set forth a computer-implemented method of displaying content of a visualization environment, comprising receiving, by a display controller coupled to a display device included in a plurality of display devices, a configuration that includes a display mode and identifies a dashboard to be displayed, determining a position of the display device relative to positions of other display devices, retrieving a set of values associated with the dashboard, where the set of values is provided by a remote data source based on a query executed on raw machine data associated with the dashboard, determining, based on the position, at least a portion of the dashboard to display in the display device, and causing, by the display controller, the display device to display at least a portion of the set of values within at least the portion of the dashboard.

Abstract: A data intake and query system can manage the search of large amounts of data using one or more processing nodes. When a new processing node is added or becomes available, the node coordinator can reassign duties from one or more processing nodes to the new processing node. The node coordinator can initially assign the new processing node one or more groups of data for backup purposes. At a later time, the node coordinator can reassign the new processing node to the one or more groups of data for searching purposes.

Abstract: A list of command entries is displayed in a search interface, each of the command entries representing one or more commands of a plurality of commands of a search query. The list of command entries are displayed in a sequence corresponding to the plurality of commands of the search query. Based on a user interaction with a designated command entry in the displayed list of command entries, the displayed list of command entries is modified with respect to the designated command. Furthermore, the search query is automatically modified with respect to the corresponding one or more commands represented by the designated command entry. The modification can include causing the designated command entry to be removed from or reordered in the displayed list of command entries and the automatic modification cam include causing the corresponding one or more commands to be removed from or reordered in the search query.

Abstract: An example method of entity lifecycle management in a service monitoring system includes: receiving, by a software application of a service monitoring system, a policy definition specifying an entity lifecycle management policy, wherein the entity lifecycle management policy defines management rules for a plurality of entities in a network environment, wherein each entity of the plurality of entities is represented by one of: a device, an application, a service, or a user account; identifying, by applying the entity lifecycle management policy, one or more candidate entities for retirement; identifying, as retired entities, at least a subset of the one or more candidate entities; and excluding the retired entities from a plurality of active entities, thus preventing the retired entities from interacting with other components of the service monitoring system; and determining a value of a key performance indicator (KPI) reflecting an aspect of performance of the service, wherein the KPI is defined by a search q

Abstract: Systems and methods are described for unified processing of indexed and streaming data. A system enables users to query indexed data or specify processing pipelines to be applied to streaming data. In some instances, a user may specify a query intended to be run against indexed data, but may specify criteria that includes not-yet-indexed data (e.g., a future time frame). The system may convert the query into a data processing pipeline applied to not-yet-indexed data, thus increasing the efficiency of the system. Similarly, in some instances, a user may specify a data processing pipeline to be applied to a data stream, but specify criteria including data items outside the data stream. For example, a user may wish to apply the pipeline retroactively, to data items that have already exited the data stream. The system can convert the pipeline into a query against indexed data to satisfy the users processing requirements.

Abstract: Described are systems, methods, and techniques for collecting, analyzing, processing, and storing time series data and for evaluating and dynamically estimating a resolution of one or more streams of data points and updating an output resolution. Responsive to receiving a stream of data points, a data resolution can be derived and an output resolution can be set to a first value. When a change to the data resolution is detected, the output resolution can be changed, modifying a frequency at which output data points are generated and/or transmitted. In some instances, a detector can be implemented to trigger an alert responsive to ingested data points corresponding with triggering parameters. An output resolution for the detector can be dynamically modified based on dynamically detecting a change to the data resolution of the stream of data.

Abstract: Techniques are described for providing a machine learning (ML) data analytics application including guided ML workflows that facilitate the end-to-end training and use of various types of ML models, where such guided workflows may also be referred to as ML “experiments.” One such model is an outlier detection model to assist in the monitoring of computer network traffic and computer performance. For example, the ML data analytics application may generate an outlier detection model using user-identified data from a data source and parameter information. The generates outlier detection model can include distribution functions of distribution types selected from a plurality of distribution types by a distribution fitting algorithm.

Abstract: Systems and methods are disclosed for processing and executing queries in a data intake and query system. The data intake and query system receives raw machine data at an indexing system, and stores at least a portion of the raw machine data in buckets using containerized indexing nodes instantiated in a containerized environment. The data intake and query system stores the buckets in a shared storage system.

Abstract: Described are systems, methods, and techniques for collecting, analyzing, processing, and storing time series data and for evaluating and dynamically estimating a resolution of one or more streams of data points and updating an output resolution. Responsive to receiving a stream of data points, a data resolution can be derived and an output resolution can be set to a first value. When a change to the data resolution is detected, the output resolution can be changed, modifying a frequency at which output data points are generated and/or transmitted. In some instances, a detector can be implemented to trigger an alert responsive to ingested data points corresponding with triggering parameters. An output resolution for the detector can be dynamically modified based on dynamically detecting a change to the data resolution of the stream of data.