US 12,032,629 B2
Anomaly and outlier explanation generation for data ingested to a data intake and query system
Ram Sriharsha, Oakland, CA (US)
Assigned to Splunk Inc., San Francisco, CA (US)
Filed by Splunk Inc., San Francisco, CA (US)
Filed on Jul. 27, 2022, as Appl. No. 17/874,751.
Application 17/874,751 is a continuation of application No. 16/779,460, filed on Jan. 31, 2020, granted, now 11,475,024.
Claims priority of provisional application 62/923,437, filed on Oct. 18, 2019.
Prior Publication US 2022/0358124 A1, Nov. 10, 2022
Int. Cl. G06F 16/2458 (2019.01); G06F 9/38 (2018.01); G06F 9/54 (2006.01); G06F 16/14 (2019.01); G06F 16/16 (2019.01); G06F 16/22 (2019.01); G06F 16/23 (2019.01); G06F 16/242 (2019.01); G06F 16/2453 (2019.01); G06F 16/2455 (2019.01); G06F 16/28 (2019.01); G06F 16/901 (2019.01); G06F 17/16 (2006.01); G06F 17/18 (2006.01); G06F 18/21 (2023.01); G06F 18/214 (2023.01); G06N 20/00 (2019.01); G06N 20/20 (2019.01)
CPC G06F 16/901 (2019.01) [G06F 9/3885 (2013.01); G06F 9/544 (2013.01); G06F 16/144 (2019.01); G06F 16/156 (2019.01); G06F 16/168 (2019.01); G06F 16/2246 (2019.01); G06F 16/23 (2019.01); G06F 16/2379 (2019.01); G06F 16/242 (2019.01); G06F 16/24534 (2019.01); G06F 16/24568 (2019.01); G06F 16/2465 (2019.01); G06F 16/285 (2019.01); G06F 17/16 (2013.01); G06F 17/18 (2013.01); G06F 18/2148 (2023.01); G06F 18/2185 (2023.01); G06N 20/00 (2019.01); G06N 20/20 (2019.01); G06F 16/22 (2019.01); G06F 16/2264 (2019.01); G06F 16/2282 (2019.01)]
20 Claims
1. A method, comprising:
as implemented by a component in a data processing pipeline,
obtaining a plurality of raw machine data elements, wherein each raw machine data element in the plurality comprises a plurality of positions that are each separated by a delimiter, and
wherein each raw machine data element in the plurality comprises a string in each respective position;
extracting a first string in a first position in the plurality of positions from a first raw machine data element in the plurality of raw machine data elements, the first raw machine data element generated by one or more components in an information technology environment;
comparing the first string to a second string in a data pattern in a first position;
determining that the first string extracted from the first raw machine data element is anomalous in response to the first string being different than the second string;
extracting a third string in the first position in a second raw machine data element in the plurality of raw machine data elements;
comparing the third string to the second string;
determining that the third string extracted from the second raw machine data element is anomalous in response to the third string being different than the second string;
determining that a second position in the plurality of positions in a third raw machine data element in the plurality of raw machine data elements will have a first range of values if a fifth string in the first position in the third raw machine data element is different than the second string based on the first and second raw machine data elements; and
causing display of information indicating a correlation between the first range of values and the fifth string being anomalous by being different than the second string.
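
The steps of claim 1, sketched as an added illustration that is not part of the patent or any Splunk implementation: elements are split on a delimiter, the string in a first position is compared with the pattern's expected string, and the range of values seen in a second position is reported for anomalous versus normal elements. The sample elements, the (status, latency) layout and all function names are assumptions made for this example.

```python
# Constructed sample: space-delimited elements with positions (status, latency_ms).
PATTERN_STATUS = "200"  # assumed expected string at position 0 of the data pattern
SAMPLE = [
    "200 12", "200 15", "503 910", "200 11",
    "500 1240", "200 14", "503 -",   # last element has a non-numeric latency
]

def positions(raw, delimiter=" "):
    """Split one raw machine data element into its delimited positions."""
    return raw.strip().split(delimiter)

def partition(elements, pos, expected, delimiter=" "):
    """Return (anomalous, normal) rows by comparing position `pos` to `expected`."""
    anomalous, normal = [], []
    for raw in elements:
        fields = positions(raw, delimiter)
        if len(fields) <= pos:
            continue  # too few positions to compare; element is skipped
        (anomalous if fields[pos] != expected else normal).append(fields)
    return anomalous, normal

def value_range(rows, pos):
    """(min, max) of numeric values at `pos`; missing or non-numeric values are ignored."""
    vals = []
    for fields in rows:
        try:
            vals.append(float(fields[pos]))
        except (IndexError, ValueError):
            pass
    return (min(vals), max(vals)) if vals else None

def explain(elements, first_pos, second_pos, expected, delimiter=" "):
    """Summarise which strings were anomalous and the second-position range seen with them."""
    anomalous, normal = partition(elements, first_pos, expected, delimiter)
    return {
        "anomalous_strings": sorted({f[first_pos] for f in anomalous}),
        "range_when_anomalous": value_range(anomalous, second_pos),
        "range_when_normal": value_range(normal, second_pos),
    }

if __name__ == "__main__":
    print(explain(SAMPLE, 0, 1, PATTERN_STATUS))
```
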