CPC H04L 63/1425 (2013.01) [G06F 9/4498 (2018.02); G06F 16/951 (2019.01); H04L 63/145 (2013.01); H04L 63/1416 (2013.01); G06F 3/0482 (2013.01); G06T 11/206 (2013.01); G06T 2200/24 (2013.01)]
16 Claims
1. A computer-implemented method comprising:
identifying a plurality of notable events by executing a plurality of correlation searches against timestamped event data stored by a data intake and query system;
identifying a plurality of meta-notable events by determining that a plurality of sets of notable events from the plurality of notable events satisfy a meta-notable event rule, wherein the meta-notable event rule defines:
a plurality of notable event states, wherein a notable event state of the plurality of notable event states corresponds to a correlation search of the plurality of correlation searches, and
a plurality of transition rules, wherein a transition rule of the plurality of transition rules defines criteria for transitioning between two notable event states of the plurality of notable event states; and
causing display of a graphical representation of a notable event from the plurality of notable events, wherein the graphical representation of the notable event includes an indication that the notable event is included in at least two of the plurality of meta-notable events, and wherein the indication comprises a display of two or more inbound edges or two or more outbound edges connecting the graphical representation of the notable event to graphical representations of other notable events from the plurality of notable events.