Abstract: Methods, systems, and computer programs are presented to generate response information for an alert. One method includes an operation for detecting an alert based on incoming log data or metric data and for calculating information for panels to be presented on a response-alert page. Calculating the information includes calculating first performance values for a period associated with the alert, calculating second performance values for a background period where the alert condition was not present, and calculating a difference between the first performance values and the second performance values. Further, the method includes an operation for selecting, based on the difference, relevant performance values for presentation in one of the panels. The response-alert page is presented with at least one of the panels based on the selected relevant performance values.

Abstract: Querying of time-aware metrics time series includes receiving a query, the query comprising a set of query metadata and a query time range. It further includes, based at least in part on the set of query metadata and the query time range, selecting a time series from a plurality of metrics time series. Each metrics time series in the plurality of metrics time series is associated with a set of metadata and an active interval of time. A set of metadata associated with the selected time series matches the set of query metadata, and an active interval of time associated with the selected metrics time series intersects with the query time range. The selected metrics time series is returned.

Abstract: Key name synthesis is disclosed. A metrics data point is received. Based at least in part on a translation statement, at least a portion of the received metrics data point is associated with a key specified by the translation statement such that the specified key and the associated at least portion of the received metrics data point form a key-value pair. The key-value pair is associated with the received metrics data point.

Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: Clustering structured log data by key schema includes receiving a raw log message. At least a portion of the raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a map of keys to values. It further includes using the received map of keys to values to determine a key schema of the structured machine data. The key schema is associated with a corresponding cluster. It further includes associating the raw log message with the cluster corresponding to the determined key schema.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster log messages according to values for keys associated with the request. At least a portion of each log message comprises structured machine data including a set of key-value pairs. The method further includes receiving a log message and determining whether to include the log message in a cluster based at least in part on an evaluation of values in the structured machine data of the log message for the keys associated with the request. The cluster is included in a set of clusters. Each cluster in the set is associated with a different combination of values for the keys associated with the request. The method further includes providing, via the user interface, information associated with the cluster.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster a set of raw log messages according to values for a set of keys associated with the request. At least a portion of each raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a raw log message in the set of raw log messages. It further includes determining whether to include the raw log message in a cluster based at least in part on an evaluation of values in the structured machine data of the raw log message for the set of keys associated with the request. The cluster is included in a plurality of clusters. Each cluster in the plurality is associated with a different combination of values for the set of keys associated with the request. It further includes providing, via the user interface, information associated with the cluster.

Abstract: Logs to metrics synthesis includes receiving a log message. It further includes translating the log message into a metrics data point comprising a timestamp, a metric name, a metric value, and a set of metadata key-value pairs. It further includes determining a time series in which to insert the metrics data point into which the log message was translated. It further includes inserting the metrics data point into the determined time series. It further includes updating a metadata catalog based at least in part on the metrics data point.

Abstract: Key name synthesis is disclosed. A metrics data point is received. Based at least in part on a translation statement, at least a portion of the received metrics data point is associated with a key specified by the translation statement such that the specified key and the associated at least portion of the received metrics data point form a key-value pair. The key-value pair is associated with the received metrics data point.

Abstract: Key name synthesis is disclosed. A metrics data point is received. Based at least in part on a translation statement, at least a portion of the received metrics data point is associated with a key specified by the translation statement such that the specified key and the associated at least portion of the received metrics data point form a key-value pair. The key-value pair is associated with the received metrics data point.

Abstract: Data enrichment and augmentation is disclosed. Machine data comprising at least one of a log message and a metrics data point is received. The received machine data comprises an identifier of an instance of a virtual machine. Based at least in part on the identifier of the instance of the virtual machine, a query for tags associated with the instance of the virtual machine is performed. At least one key-value pair is generated based at least in part on tags received in response to the query performed based at least in part on the identifier of the instance of the virtual machine. The received machine data is augmented with the at least one key-value pair generated based at least in part on the tags received in response to the query based at least in part on the identifier of the instance of the virtual machine.

Abstract: Clustering structured log data by key schema includes receiving a raw log message. At least a portion of the raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a map of keys to values. It further includes using the received map of keys to values to determine a key schema of the structured machine data. The key schema is associated with a corresponding cluster. It further includes associating the raw log message with the cluster corresponding to the determined key schema.

Abstract: Data enrichment and augmentation is disclosed. Machine data comprising at least one of a log message and a metrics data point is received. The received machine data comprises an identifier of an instance of a virtual machine. Based at least in part on the identifier of the instance of the virtual machine, a query for tags associated with the instance of the virtual machine is performed. At least one key-value pair is generated based at least in part on tags received in response to the query performed based at least in part on the identifier of the instance of the virtual machine. The received machine data is augmented with the at least one key-value pair generated based at least in part on the tags received in response to the query based at least in part on the identifier of the instance of the virtual machine.

Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: Clustering structured log data by key schema includes receiving a raw log message. At least a portion of the raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a map of keys to values. It further includes using the received map of keys to values to determine a key schema of the structured machine data. The key schema is associated with a corresponding cluster. It further includes associating the raw log message with the cluster corresponding to the determined key schema.

Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: Querying of time-aware metrics time series includes receiving a query, the query comprising a set of query metadata and a query time range. It further includes, based at least in part on the set of query metadata and the query time range, selecting a time series from a plurality of metrics time series. Each metrics time series in the plurality of metrics time series is associated with a set of metadata and an active interval of time. A set of metadata associated with the selected time series matches the set of query metadata, and an active interval of time associated with the selected metrics time series intersects with the query time range. The selected metrics time series is returned.

Abstract: Clustering structured log data by key schema includes receiving a raw log message. At least a portion of the raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a map of keys to values. It further includes using the received map of keys to values to determine a key schema of the structured machine data. The key schema is associated with a corresponding cluster. It further includes associating the raw log message with the cluster corresponding to the determined key schema.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster a set of raw log messages according to values for a set of keys associated with the request. At least a portion of each raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a raw log message in the set of raw log messages. It further includes determining whether to include the raw log message in a cluster based at least in part on an evaluation of values in the structured machine data of the raw log message for the set of keys associated with the request. The cluster is included in a plurality of clusters. Each cluster in the plurality is associated with a different combination of values for the set of keys associated with the request.

Abstract: Querying of time-aware metrics time series includes receiving a query, the query comprising a set of query metadata and a query time range. It further includes, based at least in part on the set of query metadata and the query time range, selecting a time series from a plurality of metrics time series. Each metrics time series in the plurality of metrics time series is associated with a set of metadata and an active interval of time. A set of metadata associated with the selected time series matches the set of query metadata, and an active interval of time associated with the selected metrics time series intersects with the query time range. The selected metrics time series is returned.