US 11,755,635 B2
Presentation and sorting of summaries of alert instances triggered by search queries
Qianjie Zhong, Shanghai (CN); Yue Ni, Shanghai (CN); Ting Wang, Shanghai (CN); Dawei Li, Shanghai (CN); Nick Filippi, Atherton, CA (US); and Xianqin Ma, Shanghai (CN)
Assigned to Splunk Inc., San Francisco, CA (US)
Appl. No. 14/396,366
Filed by Splunk Inc., San Francisco, CA (US); Qianjie Zhong, Shanghai (CN); Yue Ni, Shanghai (CN); Ting Wang, Shanghai (CN); Dawei Li, Shanghai (CN); Nick Filippi, Atherton, CA (US); and Xianqin Ma, Shanghai (CN)
PCT Filed Jul. 9, 2014, PCT No. PCT/CN2014/081909
§ 371(c)(1), (2) Date Oct. 22, 2014,
PCT Pub. No. WO2016/004593, PCT Pub. Date Jan. 14, 2016.
Prior Publication US 2016/0253415 A1, Sep. 1, 2016
Int. Cl. G06F 16/34 (2019.01); G06F 16/338 (2019.01); G06F 16/33 (2019.01); G06F 16/2455 (2019.01); G06F 11/07 (2006.01); G06F 3/04842 (2022.01); G06F 9/54 (2006.01)
CPC G06F 16/345 (2019.01) [G06F 3/04842 (2013.01); G06F 9/542 (2013.01); G06F 11/0721 (2013.01); G06F 11/0766 (2013.01); G06F 16/24565 (2019.01); G06F 16/338 (2019.01); G06F 16/3331 (2019.01)]
26 Claims
1. A method, comprising:
causing, by one or more processing devices, one or more alert summaries to be displayed in a sorted order according to unviewed instance counts of the alert summaries, each alert summary corresponding to an alert and representing one or more instances of the alert, the alert defined by a search query and a triggering condition, wherein an instance of the alert is generated when a particular dataset that (i) is generated by executing the search query over time-series data falling within a particular time range in a set of time ranges over which the search query has been instructed to search, (ii) satisfies the triggering condition for the alert, wherein determining whether the particular dataset satisfies the triggering condition for the alert includes comparing a number of data items in the particular dataset with a threshold value;
for each alert summary, maintaining a corresponding unviewed instance count of alert instances that have not been viewed, by tracking accesses of the alert by a plurality of client computing devices and decrementing the unviewed instance count responsive to receiving a notification from at least one client computing device of the plurality of client computing devices;
responsive to determining that an unviewed instance count associated with an alert summary has changed and a throttling condition, specifying a period of time for suppressing providing notification of alert instances following a transmission of a notification of a previous alert instance, has been satisfied, causing the unviewed instance count to be displayed in a visual association with the alert summary;
causing to be displayed one or more alert instances represented by a particular displayed alert summary;
receiving a selection of a particular displayed alert instance; and
based on the selection of the alert instance, causing to be displayed a portion of a dataset, generated by executing the search query over time-series data falling within the particular time range over which the search query has been instructed to search, that caused generation of the selected alert instance.