Abstract: Single-click delta analysis is disclosed. A user query of status information collected from one or more monitored devices is received from a user. In response to receiving an indication from the user to determine a variance between different portions of the collected status information, a target query and a baseline query are generated using the user query. The generated target query and the generated baseline query are performed, respectively, against data in a data store including the status information collected from the one or more monitored devices. A target set of status information results and a baseline set of status information results are obtained in response to performing, respectively, the generated target query and the generated baseline query. The obtained target and baseline sets of results are combined. Output indicative of a variance between the target and baseline sets of status information results is provided based at least in part on the combining.

Abstract: Single-click delta analysis is disclosed. A user query of status information collected from one or more monitored devices is received from a user. In response to receiving an indication from the user to determine a variance between different portions of the collected status information, a target query and a baseline query are generated using the user query. The generated target query and the generated baseline query are performed, respectively, against data in a data store including the status information collected from the one or more monitored devices. A target set of status information results and a baseline set of status information results are obtained in response to performing, respectively, the generated target query and the generated baseline query. The obtained target and baseline sets of results are combined. Output indicative of a variance between the target and baseline sets of status information results is provided based at least in part on the combining.

Abstract: Automatically generating a parser is disclosed. Raw data is received from a first remote device. A determination that the raw data does not, within a predefined confidence measure, conform to any rules included in a set of rules is made. A clustering function is performed on the raw data. At least one parser rule is generated based on the clustering.

Abstract: Obfuscating data is disclosed. A processor identifies structured information in log data. The structured information is transformed in a manner that preserves the structure to form transformed raw data. The transformed raw data is sent to a remote analysis engine. The remote analysis engine receives a query and responds to the query by providing as results at least a portion of the transformed raw data. A processor is configured to de-transform the transformed raw data.

Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: Querying of time-aware metrics time series includes receiving a query, the query comprising a set of query metadata and a query time range. It further includes, based at least in part on the set of query metadata and the query time range, selecting a time series from a plurality of metrics time series. Each metrics time series in the plurality of metrics time series is associated with a set of metadata and an active interval of time. A set of metadata associated with the selected time series matches the set of query metadata, and an active interval of time associated with the selected metrics time series intersects with the query time range. The selected metrics time series is returned.

Abstract: A technique for logs to metrics synthesis is disclosed. A log message is received. It is determined that the received log message should be translated into a metrics data point. In response to determining that the received log message should be translated into a metrics data point, the metrics data point is generated using the received log message, the generated metrics data point comprising a timestamp, a metric name, a metric value, and a set of metadata key-value pairs. A time series in which to insert the metrics data point generated using the received log message is identified. The generated metrics data point is inserted into the identified time series.

Abstract: Data enrichment and augmentation is disclosed. Machine data comprising at least one of a log message and a metrics data point is received. The received machine data comprises an identifier of an instance of a virtual machine. Based at least in part on the identifier of the instance of the virtual machine, a query for tags associated with the instance of the virtual machine is performed. At least one key-value pair is generated based at least in part on tags received in response to the query performed based at least in part on the identifier of the instance of the virtual machine. The received machine data is augmented with the at least one key-value pair generated based at least in part on the tags received in response to the query based at least in part on the identifier of the instance of the virtual machine.

Abstract: Key name synthesis is disclosed. A metrics data point is received. Based at least in part on a translation statement, at least a portion of the received metrics data point is associated with a key specified by the translation statement such that the specified key and the associated at least portion of the received metrics data point form a key-value pair. The key-value pair is associated with the received metrics data point.

Abstract: Single-click delta analysis is disclosed. A user query of status information collected from one or more monitored devices is received from a user. In response to receiving an indication from the user to determine a variance between different portions of the collected status information, a target query and a baseline query are generated using the user query. The generated target query and the generated baseline query are performed, respectively, against data in a data store including the status information collected from the one or more monitored devices. A target set of status information results and a baseline set of status information results are obtained in response to performing, respectively, the generated target query and the generated baseline query. The obtained target and baseline sets of results are combined. Output indicative of a variance between the target and baseline sets of status information results is provided based at least in part on the combining.

Abstract: Automatic partitioning is disclosed. A set of previously run queries is obtained. The set of previously run queries is analyzed to determine one or more query fragments from the set of previously run queries. One or more partitions are generated at least in part by using the obtained query fragments.

Abstract: Data collection and transmission is disclosed. A server is configured to receive, from a remote device, a message including raw information, and to parse at least a portion of the received raw information. The raw information is received by the system from an information reporting module interface of the remote device. The information reporting module of the remote device is configured to receive information from at least one separately installed information reporting module. A client device includes an information reporting module interface and a server interface. The client device is configured to receive configuration information from a remote server.

Abstract: Analyzing log data, such as security log data and event data, is disclosed. Log data is obtained. Portions of the log data are clustered into clusters of similar data portions. A signature for each cluster is generated. Comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster.

Abstract: Obfuscating data is disclosed. A processor identifies structured information in log data. The structured information is transformed in a manner that preserves the structure to form transformed raw data. The transformed raw data is sent to a remote analysis engine. The remote analysis engine receives a query and responds to the query by providing as results at least a portion of the transformed raw data. A processor is configured to de-transform the transformed raw data.

Abstract: Automatically generating a parser is disclosed. Raw data is received from a first remote device. A determination that the raw data does not, within a predefined confidence measure, conform to any rules included in a set of rules is made. A clustering function is performed on the raw data. At least one parser rule is generated based on the clustering.

Abstract: Analyzing log data, such as security log data and event data, is disclosed. Log data is received. Portions of the log data are clustered into clusters of similar data portions. A signature for each cluster is generated. Comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster.

Abstract: The automatic selection and usage of a parser is disclosed. Raw data is received from a first remote device. At least a portion of the raw data is evaluated using a plurality of rules. A confidence measure is determined for at least some of the rules. An indication that the raw data pertains to a source is provided as output when the confidence measure exceeds a threshold.

Abstract: Data collection and transmission is disclosed. A server is configured to receive, from a remote device, a message including raw information, and to parse at least a portion of the received raw information. The raw information is received by the system from an information reporting module interface of the remote device. The information reporting module of the remote device is configured to receive information from at least one separately installed information reporting module. A client device includes an information reporting module interface and a server interface. The client device is configured to receive configuration information from a remote server.

Abstract: Automatically generating a parser is disclosed. Raw data is received from a first remote device. A determination that the raw data does not, within a predefined confidence measure, conform to any rules included in a set of rules is made. A clustering function is performed on the raw data. At least one parser rule is generated based on the clustering.

Abstract: Obfuscating data is disclosed. A processor identifies structured information in log data. The structured information is transformed in a manner that preserves the structure to form transformed raw data. The transformed raw data is sent to a remote analysis engine. The remote analysis engine receives a query and responds to the query by providing as results at least a portion of the transformed raw data. A processor is configured to de-transform the transformed raw data.