US 11,940,967 B2
Query handling using a field searchable datastore or an inverted index
David Ryan Marquardt, San Francisco, CA (US); Mitchell Neuman Blank, Jr., San Francisco, CA (US); and Stephen Phillip Sorkin, San Francisco, CA (US)
Assigned to SPLUNK INC., San Francisco, CA (US)
Filed by SPLUNK INC., San Francisco, CA (US)
Filed on Jun. 30, 2021, as Appl. No. 17/364,617.
Application 17/364,617 is a continuation of application No. 16/519,615, filed on Jul. 23, 2019, granted, now 11,144,521.
Application 16/519,615 is a continuation of application No. 15/421,127, filed on Jan. 31, 2017, granted, now 10,402,384, issued on Sep. 3, 2019.
Application 15/421,127 is a continuation of application No. 13/662,984, filed on Oct. 29, 2012, granted, now 9,753,974, issued on Sep. 5, 2017.
Application 13/662,984 is a continuation of application No. 13/475,798, filed on May 18, 2012, granted, now 8,516,008, issued on Aug. 20, 2013.
Prior Publication US 2021/0326316 A1, Oct. 21, 2021
Int. Cl. G06F 16/00 (2019.01); G06F 16/22 (2019.01); G06F 16/23 (2019.01); G06F 16/242 (2019.01); G06F 16/2453 (2019.01); G06F 16/2455 (2019.01); G06F 16/2458 (2019.01); G06F 16/248 (2019.01); G06F 16/28 (2019.01); G06F 16/31 (2019.01); G06F 16/33 (2019.01); G06F 16/338 (2019.01)
CPC G06F 16/221 (2019.01) [G06F 16/2228 (2019.01); G06F 16/2322 (2019.01); G06F 16/243 (2019.01); G06F 16/2453 (2019.01); G06F 16/2455 (2019.01); G06F 16/2477 (2019.01); G06F 16/248 (2019.01); G06F 16/282 (2019.01); G06F 16/319 (2019.01); G06F 16/33 (2019.01); G06F 16/338 (2019.01)]
18 Claims
1. A method for searching data, the method comprising:
providing an inverted index that comprises at least one record comprising at least one field name and a corresponding at least one field value extracted from time-stamped searchable events, wherein the at least one record comprises a posting value that identifies a location in a record datastore where an event associated with the at least one record is stored, and wherein the time-stamped searchable events comprise portions of raw machine data and are stored in the record datastore;
evaluating an incoming search query that references a field name and comprises commands directed towards searching data from the record datastore, wherein the field name in the incoming search query is defined by a regular expression rule, wherein the regular expression rule comprises instructions for parsing a value associated with the field name out of at least one of the time-stamped searchable events; and
responsive to the evaluating, determining results for the incoming search query by executing the incoming search query across either the record datastore or the inverted index, or both the record datastore and the inverted index, wherein the inverted index is employed separately from the record datastore to generate a response to the incoming search query.
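An added illustration of the flow recited in claim 1, not code from the patent or from Splunk: regex rules define fields, an inverted index maps (field, value) pairs to posting values, and a query is answered from the index or from the raw events. The sample events, field rules and function names are constructed for this example, and using the index whenever the field is indexed is an assumed routing policy.

```python
import re
from collections import defaultdict

# Constructed sample events (raw machine data). The list position stands in
# for the "location in the record datastore" that a posting value identifies.
RECORD_DATASTORE = [
    "2021-06-30T10:00:01Z sshd[811]: Failed password for root from 203.0.113.7",
    "2021-06-30T10:00:05Z sshd[811]: Accepted password for alice from 198.51.100.4",
    "2021-06-30T10:00:09Z sshd[812]: Failed password for bob from 203.0.113.7",
]

# Hypothetical regular expression rules: each one defines a field name by
# saying how to parse its value out of an event.
FIELD_RULES = {
    "user": re.compile(r"password for (\S+)"),
    "src": re.compile(r"from (\d+\.\d+\.\d+\.\d+)"),
    "action": re.compile(r"(Failed|Accepted) password"),
}

def extract(field, event):
    """Apply the field's regex rule to one raw event."""
    m = FIELD_RULES[field].search(event)
    return m.group(1) if m else None

def build_index(store, indexed_fields):
    """Inverted index: (field name, field value) -> list of posting values."""
    index = defaultdict(list)
    for posting, event in enumerate(store):
        for field in indexed_fields:
            value = extract(field, event)
            if value is not None:
                index[(field, value)].append(posting)
    return index

def search(field, value, store, index, indexed_fields):
    """Return (source used, postings). Assumed policy: index if field is indexed."""
    if field in indexed_fields:
        return "index", list(index.get((field, value), []))
    # Field not indexed: scan raw events and apply the regex rule at search time.
    return "datastore", [i for i, e in enumerate(store) if extract(field, e) == value]

def count_by(field, index):
    """Aggregate answered from the index alone, without reading raw events."""
    return {v: len(p) for (f, v), p in index.items() if f == field}

INDEXED = {"src", "action"}
INDEX = build_index(RECORD_DATASTORE, INDEXED)
```

The `user` field is deliberately left out of `INDEXED` so that a query on it falls back to scanning the record datastore, while `count_by` shows a response produced from the index separately from the datastore.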