Abstract: Single-click delta analysis is disclosed. A user query of status information collected from one or more monitored devices is received from a user. In response to receiving an indication from the user to determine a variance between different portions of the collected status information, a target query and a baseline query are generated using the user query. The generated target query and the generated baseline query are performed, respectively, against data in a data store including the status information collected from the one or more monitored devices. A target set of status information results and a baseline set of status information results are obtained in response to performing, respectively, the generated target query and the generated baseline query. The obtained target and baseline sets of results are combined. Output indicative of a variance between the target and baseline sets of status information results is provided based at least in part on the combining.

Abstract: Automatically generating a parser is disclosed. Raw data is received from a first remote device. A determination that the raw data does not, within a predefined confidence measure, conform to any rules included in a set of rules is made. A clustering function is performed on the raw data. At least one parser rule is generated based on the clustering.

Abstract: A processing device receives a first query comprising a first field value and a first time period. The processing device performs a first search of a data store to identify a first plurality of events having the first time period and at least one field that comprises the first field value. The processing device generates a first search object comprising the first field value. The processing device generates a search event comprising the first field value and a reference to the first search object. An event entry for the first search event is then written to the data store. Future searches may return both the first search event and other events.

Abstract: Obfuscating data is disclosed. A processor identifies structured information in log data. The structured information is transformed in a manner that preserves the structure to form transformed raw data. The transformed raw data is sent to a remote analysis engine. The remote analysis engine receives a query and responds to the query by providing as results at least a portion of the transformed raw data. A processor is configured to de-transform the transformed raw data.

Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: A processing device receives a query comprising a first field value and a time period. The processing device performs a first search of a data store using the first field value to identify a first plurality of events having the time period and a field that comprises the first field value. The processing device determines, for one of the plurality of events, a second field value of a second field that is specified in a first context definition, the second field having an assigned field type. The processing device automatically performs a second search of the data store using the additional field value to identify a second plurality of events having the time period and the additional field value. Information from the first plurality of events and the second plurality of events is aggregated, and a response to the query is generated that comprises the aggregated information.

Abstract: A processing device receives a plurality of discrete log entries from a first data store and generates an event for each discrete log entry that satisfies a criterion. To generate an event the processing device determines a source type associated with a discrete log entry, parses the discrete log entry based on the source type, determines a plurality of fields of the discrete log entry, identifies a subset of the plurality of fields, wherein one or more fields in the subset are to be used as link keys for linking together events, and assigns a field type to each field in the subset of the plurality of fields. The processing device additionally writes a plurality of event entries for the event into a second data store. A separate event entry is written for each field of the subset of the plurality of fields having an assigned field type.

Abstract: Data collection and transmission is disclosed. A server is configured to receive, from a remote device, a message including raw information, and to parse at least a portion of the received raw information. The raw information is received by the system from an information reporting module interface of the remote device. The information reporting module of the remote device is configured to receive information from at least one separately installed information reporting module. A client device includes an information reporting module interface and a server interface. The client device is configured to receive configuration information from a remote server.

Abstract: Analyzing log data, such as security log data and event data, is disclosed. Log data is obtained. Portions of the log data are clustered into clusters of similar data portions. A signature for each cluster is generated. Comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster.

Abstract: Obfuscating data is disclosed. A processor identifies structured information in log data. The structured information is transformed in a manner that preserves the structure to form transformed raw data. The transformed raw data is sent to a remote analysis engine. The remote analysis engine receives a query and responds to the query by providing as results at least a portion of the transformed raw data. A processor is configured to de-transform the transformed raw data.

Abstract: Automatically generating a parser is disclosed. Raw data is received from a first remote device. A determination that the raw data does not, within a predefined confidence measure, conform to any rules included in a set of rules is made. A clustering function is performed on the raw data. At least one parser rule is generated based on the clustering.

Abstract: Analyzing log data, such as security log data and event data, is disclosed. Log data is received. Portions of the log data are clustered into clusters of similar data portions. A signature for each cluster is generated. Comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster.

Abstract: The automatic selection and usage of a parser is disclosed. Raw data is received from a first remote device. At least a portion of the raw data is evaluated using a plurality of rules. A confidence measure is determined for at least some of the rules. An indication that the raw data pertains to a source is provided as output when the confidence measure exceeds a threshold.

Abstract: Data collection and transmission is disclosed. A server is configured to receive, from a remote device, a message including raw information, and to parse at least a portion of the received raw information. The raw information is received by the system from an information reporting module interface of the remote device. The information reporting module of the remote device is configured to receive information from at least one separately installed information reporting module. A client device includes an information reporting module interface and a server interface. The client device is configured to receive configuration information from a remote server.

Abstract: Automatically generating a parser is disclosed. Raw data is received from a first remote device. A determination that the raw data does not, within a predefined confidence measure, conform to any rules included in a set of rules is made. A clustering function is performed on the raw data. At least one parser rule is generated based on the clustering.

Abstract: Obfuscating data is disclosed. A processor identifies structured information in log data. The structured information is transformed in a manner that preserves the structure to form transformed raw data. The transformed raw data is sent to a remote analysis engine. The remote analysis engine receives a query and responds to the query by providing as results at least a portion of the transformed raw data. A processor is configured to de-transform the transformed raw data.