Abstract: Machine data of an operating environment is conveyed by a network to a data intake and query system (DIQS) which reflects the machine data as timestamped entries of a field-searchable datastore. Monitoring functionality may search the machine data to identify notable event instances. A notable event processing system correlates the notable event instance to one or more triaging models which are executed against the notable event to produce a modeled result. Information of the received notable event and the modeled results are combined into an enhanced representation of a notable event instance. The enhanced representation conditions downstream processing to automatically perform or assist triaging of notable event instances to optimize application of computing resources to highest priority conditions in the operating environment.

Abstract: As described herein, a portion of machine data of a message may be analyzed to infer, using an inference model, a sourcetype of the message. The portion of machine data may be generated by one or more components in an information technology environment. Based on the inference, a set of extraction rules associated with the sourcetype may be selected. Each extraction rule may define criteria for identifying a sub-portion of text from the portion of machine data of the message to produce a value. The set of extraction rules may be applied to the portion of machine data of the message to produce a result set that indicates a number of values identified using the set of extraction rules. Based on the result set, at least one action may be performed on one or more of inference data associated with the inference model and one or more messages.

Abstract: As described herein, a portion of machine data of a message may be analyzed to infer, using an inference model, a sourcetype of the message. The portion of machine data may be generated by one or more components in an information technology environment. Based on the inference, a set of extraction rules associated with the sourcetype may be selected. Each extraction rule may define criteria for identifying a sub-portion of text from the portion of machine data of the message to produce a value. The set of extraction rules may be applied to the portion of machine data of the message to produce a result set that indicates a number of values identified using the set of extraction rules. Based on the result set, at least one action may be performed on one or more of inference data associated with the inference model and one or more messages.

Abstract: A computerized method is disclosed for generating a prioritized listing of alerts based on scoring by a machine learning model and retraining the model based on user feedback. Operations of the method include receiving a plurality of alerts, generating a score for each of the plurality of alerts through evaluation of each of the plurality of alerts by a machine learning model, generating a prioritized listing of the plurality of alerts based on the generated scores, receiving user feedback on the prioritized listing, retraining the machine learning model based on the user feedback by generating a set of labeled alert pairs, wherein a labeled alert pair includes a first alert, a second alert, and an indication as to which of the first alert or the second alert is a higher priority in accordance with the user feedback, and evaluating subsequently received alerts with the retrained machine learning model.

Abstract: Systems and methods are described for training an artificial intelligence model to infer a log sourcetype of a log. For example, logs may have different log sourcetypes, and logs having the same log sourcetypes may have different messagetypes. The artificial intelligence model may be a machine learning model, and can be trained using training data that includes logs with known log sourcetypes. Each log can be tokenized, filtered, converted into a vector, and applied to a machine learning model as an input to perform the training. The machine learning model may output an inferred log sourcetype, which can be compared with the known log sourcetype to update model parameters to improve the machine learning model accuracy. The trained machine learning model may be trained to infer a log sourcetype of a log regardless of the messagetype of the log.

Abstract: Systems and methods are described for training an artificial intelligence model to extract one or more data fields from a log. For example, the artificial intelligence model may be a neural network. The neural network may be trained using training data obtained by iterating through a plurality of logs using active learning, and selecting a subset of the logs in the plurality to be labeled by a user. For example, the selected subset of logs may be logs that are not similar to other logs already labeled by a user. The user may be prompted to label the selected subset of logs to identify one or more data fields to extract. Once the selected subset of logs are labeled, these labeled logs can be used as the training data to train the neural network.

Abstract: Machine data of an operating environment is conveyed by a network to a data intake and query system (DIQS) which reflects the machine data as timestamped entries of a field-searchable datastore. Monitoring functionality may search the machine data to identify notable event instances. A notable event processing system correlates the notable event instance to one or more triaging models which are executed against the notable event to produce a modeled result. Information of the received notable event and the modeled results are combined into an enhanced representation of a notable event instance. The enhanced representation conditions downstream processing to automatically perform or assist triaging of notable event instances to optimize application of computing resources to highest priority conditions in the operating environment.

Abstract: A computerized method of diagnosing a mislabeling of a source type of a received event. The method comprising operations of receiving an event by a source type analysis logic with a data index and query system, wherein the event includes a portion of raw machine data and is associated with a specific point in time, obtaining an original source type assigned to the event and one or more predicted source types. The one or more predicted source types are determined by analysis of a data representation of the event in view of training data and the training data includes a plurality of data representations corresponding to known source types. Additionally, the computerized method also includes an operation of, determining whether the event has been mislabeled and in response to determining the event has been mislabeled, diagnosing a source of the mislabeling.

Abstract: Messages of a first data stream may be accessed from an ingestion buffer in communication with a streaming data processor to receive data from the first data stream. At the streaming data processor and using an inference model, a sourcetype associated with one or more messages from the first data stream may be determined. The one or more messages may include a portion of machine data. Using the streaming data processor, a second data stream may be generated from the first data stream. The second data stream may include a subset of messages from the first data stream. A message of the subset of messages may be included in the second data stream based on a condition associated with the sourcetype for the message. At least one processing operation may be performed on at least one of the subset of messages from the second data stream.

Abstract: Machine data of an operating environment is conveyed by a network to a data intake and query system (DIQS) which reflects the machine data as timestamped entries of a field-searchable datastore. Monitoring functionality may search the machine data to identify notable event instances. A notable event processing system correlates the notable event instance to one or more triaging models which are executed against the notable event to produce a modeled result. Information of the received notable event and the modeled results are combined into an enhanced representation of a notable event instance. The enhanced representation conditions downstream processing to automatically perform or assist triaging of notable event instances to optimize application of computing resources to highest priority conditions in the operating environment.

Abstract: Network connections are established between machines of an operating environment to be monitored and a server group of a data intake and query system (DIQS). Data reflecting machine and component operations of the environment is conveyed via the network to the DIQS where it is reflected as timestamped entries in a field-searchable datastore. Monitoring components may search the datastore and identify and record instances of notable events. Triaging models are selectively applied against the notable event instances to produce an enhanced notable event instance representation with modeled results effective to automatically perform or assist in triaging the notable events so they are dispatched in an optimal, effective, and efficient, manner.

Abstract: Messages of a first data stream may be accessed from an ingestion buffer in communication with a streaming data processor to receive data from the first data stream. At the streaming data processor and using an inference model, a sourcetype associated with one or more messages from the first data stream may be determined. The one or more messages may include a portion of machine data. Using the streaming data processor, a second data stream may be generated from the first data stream. The second data stream may include a subset of messages from the first data stream. A message of the subset of messages may be included in the second data stream based on a condition associated with the sourcetype for the message. At least one processing operation may be performed on at least one of the subset of messages from the second data stream.

Abstract: As described herein, a portion of machine data of a message may be analyzed to infer, using an inference model, a sourcetype of the message. The portion of machine data may be generated by one or more components in an information technology environment. Based on the inference, a set of extraction rules associated with the sourcetype may be selected. Each extraction rule may define criteria for identifying a sub-portion of text from the portion of machine data of the message to produce a value. The set of extraction rules may be applied to the portion of machine data of the message to produce a result set that indicates a number of values identified using the set of extraction rules. Based on the result set, at least one action may be performed on one or more of inference data associated with the inference model and one or more messages.

Abstract: Machine data of an operating environment is conveyed by a network to a data intake and query system (DIQS) which reflects the machine data as timestamped entries of a field-searchable datastore. Monitoring functionality may search the machine data to identify notable event instances. A notable event processing system correlates the notable event instance to one or more triaging models which are executed against the notable event to produce a modeled result. Information of the received notable event and the modeled results are combined into an enhanced representation of a notable event instance. The enhanced representation conditions downstream processing to automatically perform or assist triaging of notable event instances to optimize application of computing resources to highest priority conditions in the operating environment.

Abstract: Network connections are established between machines of an operating environment to be monitored and a server group of a data intake and query system (DIQS). Data reflecting machine and component operations of the environment is conveyed via the network to the DIQS where it is reflected as timestamped entries in a field-searchable datastore. Monitoring components may search the datastore and identify and record instances of notable events. Triaging models are selectively applied against the notable event instances to produce an enhanced notable event instance representation with modeled results effective to automatically perform or assist in triaging the notable events so they are dispatched in an optimal, effective, and efficient, manner.