Abstract: Determining a set of extraction rules include clustering event segments into at least a first group of event segments, and determining, using first field data in the first group of event segments, a first set of extraction rules for extracting the first field data from each event segment of the first group of event segments. A determination is made that the first set of extraction rules fails to successfully extract all of the first field data. Responsive to the determination, the event segments are re-clustered into at least a second group of event segments and a third group of event segments until a successful set of extraction rules are identified. The successful set of extraction rules are stored in computer memory.

Abstract: This document discloses methods and systems for cohort identification. The methods and systems include improved calculations to perform cohort identification and practical applications of the improved calculations. Specifically, the systems and methods described herein may utilize key components that include enhancements of existing cohort clustering techniques with regard to selecting a number of cohort input dimensions, normalizing input data using a logarithm kernel-function, treatment of categorical data with mutually exclusive and not-mutually exclusive values, methods and visualization tool to determine appropriate number of cohorts, methods and visualization tool to compare cohorts extracted from different input dimensions, and methods to quantify the difference in cohorts.

Abstract: Various embodiments of the present invention set forth techniques for monitoring risk in a computing system. The technique includes creating one or more risk objects, where each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment. The technique further includes receiving a selection of a first risk object included in the one or more risk objects and receiving a first risk definition that corresponds to the first risk object. The technique further includes performing a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data and performing an action based on identifying the risk.

Abstract: Described herein are techniques for concurrently visualizing real user's session data with a playback of a user's experience during a session. The disclosed techniques can correlate session data collected in response to interactions with an application during a user's session with session recreation data generated by the application and recorded during the user's session. The correlations between the session data and the recreation data can be used to render and control a recreation of the user's experience during the session concurrently with a visualization of the session data.

Abstract: A computerized method is disclosed that includes operations of receiving incoming data including event data, extracting entities from the event data based on a graph ontology, generating a graph-based dense representation of each graph entity according to the graph ontology, wherein the graph-dense representations are stored in a vector database, computing relatedness scores between each of the entities, generating a listing of events related to a selected event, wherein the listing of events is ordered by corresponding relatedness scores, generating a graphical user interface illustrating the listing of events related to the selected event, and causing rendering of the graphical user interface on a display screen of a network device. Generating the graph-based dense representations may include training a graph neural network model on a corpus of metapaths to produce node embeddings.

Abstract: Implementations of this disclosure provide an anomaly detection system that automatically tunes parameters of a forecasting detector that detects anomalies in a metric time series. The anomaly detection system may implement a three-stage process where a first stage tunes a historical window parameter, a second stage tunes a current window parameter, and a third stage tunes the number of standard deviation different from historical mean required to trigger an alert. The tuned historical window length determined by the first stage may be provided to the second stage as input. Both the tuned historical window length and the tuned current window length may be provided to the third stage as input as use in determining the tuned number of standard deviations.