Abstract: A field extraction template simplifies the creation of field extraction rules by providing a user with a set of field names commonly assigned to a certain type of data, as well as guidance on how to extract values for those fields. These field extraction rules, in turn, facilitate access to certain “chunks” of the data, or to information derived from those chunks, through named fields. A field extraction template comprises at least a set of field names and ordering data for the field names. The ordering data indicates index positions that are associated with at least some of the field names. A delimiter is specified for splitting data items into arrays of chunks. The chunk of a data item that belongs to a given field name is the chunk whose position within the item's array of chunks is equivalent to the index position associated with the given field name.

Abstract: One or more processing devices cause display of a user interface that identifies a service definition representing a service, receive input identifying an entity, where the service is performed at least in part by the entity, and store the service definition representing the service in association with an entity definition representing the entity. The entity definition comprises information identifying data pertaining to the entity in a datastore of machine data that reflects activity in an information technology environment produced by a plurality of components of the information technology environment. The one or more processing devices receive input pertaining to a search definition representing a search producing a measure of the service, and store the search definition representing the search, where the search produces the measure of the service using at least a portion of the data pertaining to the entity.

Abstract: Techniques and mechanisms are disclosed for configuring actions to be performed by a network security application in response to the detection of potential security incidents, and for causing a network security application to report on the performance of those actions. For example, users may use such a network security application to configure one or more “modular alerts.” As used herein, a modular alert generally represents a component of a network security application which enables users to specify security modular alert actions to be performed in response to the detection of defined triggering conditions, and which further enables tracking information related to the performance of modular alert actions and reporting on the performance of those actions.

Abstract: A field extraction template simplifies the creation of field extraction rules by providing a user with a set of field names commonly assigned to a certain type of data, as well as guidance on how to extract values for those fields. These field extraction rules, in turn, facilitate access to certain “chunks” of the data, or to information derived from those chunks, through named fields. A field extraction template comprises at least a set of field names and ordering data for the field names. The ordering data indicates index positions that are associated with at least some of the field names. A delimiter is specified for splitting data items into arrays of chunks. The chunk of a data item that belongs to a given field name is the chunk whose position within the item's array of chunks is equivalent to the index position associated with the given field name.

Abstract: A field extraction template simplifies the creation of field extraction rules by providing a user with a set of field names commonly assigned to a certain type of data, as well as guidance on how to extract values for those fields. These field extraction rules, in turn, facilitate access to certain “chunks” of the data, or to information derived from those chunks, through named fields. A field extraction template comprises at least a set of field names and ordering data for the field names. The ordering data indicates index positions that are associated with at least some of the field names. A delimiter is specified for splitting data items into arrays of chunks. The chunk of a data item that belongs to a given field name is the chunk whose position within the item's array of chunks is equivalent to the index position associated with the given field name.

Abstract: The operation of an automatic data input and query system is controlled by well-defined control data. The system exposes user interfaces enabling an administrator to interact with control data to modify the ongoing operation of the system. Certain control data determines the collection and treatment of data from various technology sources. A robust control interface is provided enabling the efficient and reliable adding on of new technology data sources. Once established, control data for a new technology data source may be packaged in a form for archiving or distribution. The system may support the export and import of such packages. Such packages may be created independently of the system.

Abstract: Determining a set of extraction rules include clustering event segments into at least a first group of event segments, and determining, using first field data in the first group of event segments, a first set of extraction rules for extracting the first field data from each event segment of the first group of event segments. A determination is made that the first set of extraction rules fails to successfully extract all of the first field data. Responsive to the determination, the event segments are re-clustered into at least a second group of event segments and a third group of event segments until a successful set of extraction rules are identified. The successful set of extraction rules are stored in computer memory.

Abstract: The operation of an automatic data input and query system is controlled by well-defined control data. The system exposes user interfaces enabling an administrator to interact with control data to modify the ongoing operation of the system. Certain control data determines the collection and treatment of data from various technology sources. A robust control interface is provided enabling the efficient and reliable adding on of new technology data sources. Once established, control data for a new technology data source may be packaged in a form for archiving or distribution. The system may support the export and import of such packages. Such packages may be created independently of the system.

Abstract: The operation of an automatic data input and query system is controlled by well-defined control data. Certain control data may relate to data schemas and direct operations performed by the system to extract fields from machine data. Automatic methods may determine proper field extraction control information by analyzing a sample of data from a source, breaking the sample data into event segments, classifying the segments into groups based on a measure of similarity, determining an operable extraction rule for each group, and storing the resulting extraction model. Data patterns known by the system can be leveraged to perform the event breaking and field identification for the classifying. Embodiments may provide a user interface to view, interact with, and approve the computer-generated extraction model.

Abstract: Systems and methods are provided for identifying network addresses and/or IDs of a deduplicated list among network data, machine data, and/or events derived from network data and/or machine data, and for identifying notable events by searching for the presence of network addresses and/or network IDs that are deduplicated across lists received from multiple external sources. One method includes receiving a plurality of lists of network locations, wherein each list is received from over a network, wherein each of the network locations includes a domain name or an IP address, and wherein at least two of the plurality of lists each include a same network location; aggregating the plurality of lists of network locations into a deduplicated list of unique network locations; and searching network data or machine data for a network location included in the deduplicated list of unique network locations.

Abstract: Techniques and mechanisms are disclosed for configuring actions to be performed by a network security application in response to the detection of potential security incidents, and for causing a network security application to report on the performance of those actions. For example, users may use such a network security application to configure one or more “modular alerts.” As used herein, a modular alert generally represents a component of a network security application which enables users to specify security modular alert actions to be performed in response to the detection of defined triggering conditions, and which further enables tracking information related to the performance of modular alert actions and reporting on the performance of those actions.

Abstract: One or more processing devices create one or more entity definitions that each associate an entity with machine data pertaining to that entity and create a service definition for a service provided by one or more entities. The service definition includes an entity definition for each of the one or more entities. The one or more processing devices create one or more search queries that each produce a value derived from the machine data identified in one or more of the entity definitions included in the service definition. Each value is indicative of how the service is performing at a point in time or during a period of time and may be a key performance indicator for the service.

Abstract: Techniques and mechanisms are disclosed for configuring actions to be performed by a network security application in response to the detection of potential security incidents, and for causing a network security application to report on the performance of those actions. For example, users may use such a network security application to configure one or more “modular alerts.” As used herein, a modular alert generally represents a component of a network security application which enables users to specify security modular alert actions to be performed in response to the detection of defined triggering conditions, and which further enables tracking information related to the performance of modular alert actions and reporting on the performance of those actions.

Abstract: One or more processing devices create one or more entity definitions that each associate an entity with machine data pertaining to that entity and create a service definition for a service provided by one or more entities. The service definition includes an entity definition for each of the one or more entities. The one or more processing devices create one or more key performance indicators (KPIs). Each KPI is defined by a search query that produces a value derived from the machine data identified in one or more of the entity definitions included in the service definition. Each value is indicative of how the service is performing at a point in time or during a period of time.

Abstract: Systems and methods are provided for identifying network addresses and/or IDs of a deduplicated list among network data, machine data, and/or events derived from network data and/or machine data, and for identifying notable events by searching for the presence of network addresses and/or network IDs that are deduplicated across lists received from multiple external sources. One method includes receiving a plurality of lists of network locations, wherein each list is received from over a network, wherein each of the network locations includes a domain name or an IP address, and wherein at least two of the plurality of lists each include a same network location; aggregating the plurality of lists of network locations into a deduplicated list of unique network locations; and searching network data or machine data for a network location included in the deduplicated list of unique network locations.

Abstract: A field extraction template simplifies the creation of field extraction rules by providing a user with a set of field names commonly assigned to a certain type of data, as well as guidance on how to extract values for those fields. These field extraction rules, in turn, facilitate access to certain “chunks” of the data, or to information derived from those chunks, through named fields. A field extraction template comprises at least a set of field names and ordering data for the field names. The ordering data indicates index positions that are associated with at least some of the field names. A delimiter is specified for splitting data items into arrays of chunks. The chunk of a data item that belongs to a given field name is the chunk whose position within the item's array of chunks is equivalent to the index position associated with the given field name.

Abstract: Techniques and mechanisms are disclosed for configuring actions to be performed by a network security application in response to the detection of potential security incidents, and for causing a network security application to report on the performance of those actions. For example, users may use such a network security application to configure one or more “modular alerts.” As used herein, a modular alert generally represents a component of a network security application which enables users to specify security modular alert actions to be performed in response to the detection of defined triggering conditions, and which further enables tracking information related to the performance of modular alert actions and reporting on the performance of those actions.

Abstract: A field extraction template simplifies the creation of field extraction rules by providing a user with a set of field names commonly assigned to a certain type of data, as well as guidance on how to extract values for those fields. These field extraction rules, in turn, facilitate access to certain “chunks” of the data, or to information derived from those chunks, through named fields. A field extraction template comprises at least a set of field names and ordering data for the field names. The ordering data indicates index positions that are associated with at least some of the field names. A delimiter is specified for splitting data items into arrays of chunks. The chunk of a data item that belongs to a given field name is the chunk whose position within the item's array of chunks is equivalent to the index position associated with the given field name.

Abstract: One or more processing devices create one or more entity definitions that each associate an entity with machine data pertaining to that entity and create a service definition for a service provided by one or more entities. The service definition includes an entity definition for each of the one or more entities. The one or more processing devices create one or more key performance indicators (KPIs). Each KPI is defined by a search query that produces a value derived from the machine data identified in one or more of the entity definitions included in the service definition. Each value is indicative of how the service is performing at a point in time or during a period of time.

Abstract: The operation of an automatic data input and query system is controlled by well-defined control data. The system exposes user interfaces enabling an administrator to interact with control data to modify the ongoing operation of the system. Certain control data determines the collection and treatment of data from various technology sources. A robust control interface is provided enabling the efficient and reliable adding on of new technology data sources. Once established, control data for a new technology data source may be packaged in a form for archiving or distribution. The system may support the export and import of such packages. Such packages may be created independently of the system.