US 12,130,866 B1
Creating a correlation search
Lucas Murphey, Wadsworth, IL (US); and David Hazekamp, Tinley Park, IL (US)
Assigned to Splunk, Inc., San Francisco, CA (US)
Filed by Splunk Inc., San Francisco, CA (US)
Filed on Dec. 7, 2020, as Appl. No. 17/114,423.
Application 17/114,423 is a continuation of application No. 15/688,323, filed on Aug. 28, 2017, granted, now 10,860,655.
Application 15/688,323 is a continuation of application No. 14/448,081, filed on Jul. 31, 2014, abandoned.
Claims priority of provisional application 62/027,242, filed on Jul. 21, 2014.
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 16/30 (2019.01); G06F 16/903 (2019.01); G06F 16/9032 (2019.01); G06F 16/906 (2019.01); G06F 16/907 (2019.01)
CPC G06F 16/90335 (2019.01) [G06F 16/9032 (2019.01); G06F 16/906 (2019.01); G06F 16/907 (2019.01)] 20 Claims
1. A computer-implemented method comprising:
receiving, via a graphical user interface (GUI), a user input pertaining to a definition of a search query for a correlation search of a data store, the data store comprising time-stamped events that each include machine data reflecting activity in an information technology environment and produced by a component of the information technology environment;
causing display in the GUI of a dataset that has been produced by executing the search query;
receiving, via the GUI, first user input that identifies one or more fields of the dataset produced by executing the search query, wherein the first user input further defines a triggering condition to be evaluated based on aggregated statistics of values of the one or more fields of the dataset produced by executing the search query;
receiving, via the GUI, second user input identifying, for a throttling condition, a time period and a value for each of one or more specified dataset fields, wherein the throttling condition is satisfied when the dataset produced by the search query includes the identified value in each of the one or more specified dataset fields;
receiving, via the GUI, third user input identifying one or more actions to be performed when the triggering condition, which is evaluated based on the aggregated statistics of the values of the one or more fields of the dataset produced by executing the search query, is satisfied, wherein evaluation of the triggering condition based on the aggregated statistics of the values of the one or more fields of the dataset produced by executing the search query is suppressed for the identified time period when the dataset produced by the search query satisfies the throttling condition;
automatically generating, using search processing language, a statement to define the search query and the triggering condition;
executing the search processing language to generate the dataset produced by the search query and to evaluate the triggering condition;
causing display, in the GUI, of results of the execution of the search processing language; and
in view of the results of the execution of the search processing language, causing generation of the correlation search using the search query, the triggering condition, and the one or more actions, the correlation search comprising updated search processing language having the search query and a processing command for criteria on which the triggering condition is based.
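A minimal working model of the mechanism claim 1 describes, added here as an illustration (not Splunk's code and not from the patent): a search query aggregates per-source failure counts, the triggering condition is evaluated on those aggregated statistics, a matching result is throttled by its field value for a time period, and an action runs when the trigger fires. The event data, field names, threshold and throttle period are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not from the patent): timestamped machine data from an auth component.
EVENTS = [
    {"_time": "2024-05-01T10:00:05", "action": "failure", "src": "10.0.0.5", "user": "alice"},
    {"_time": "2024-05-01T10:00:20", "action": "failure", "src": "10.0.0.5", "user": "alice"},
    {"_time": "2024-05-01T10:00:41", "action": "failure", "src": "10.0.0.5", "user": "bob"},
    {"_time": "2024-05-01T10:01:02", "action": "failure", "src": "10.0.0.9", "user": "carol"},
    {"_time": "2024-05-01T10:01:30", "action": "success", "src": "10.0.0.5", "user": "alice"},
]

def search_failures_by_src(events):
    """Search query plus aggregation: keep failures, count them per src."""
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == "failure":
            counts[ev["src"]] += 1
    return [{"src": src, "count": n} for src, n in sorted(counts.items())]

class CorrelationSearch:
    def __init__(self, threshold, throttle_fields, throttle_period, action):
        self.threshold = threshold              # triggering condition: count >= threshold
        self.throttle_fields = throttle_fields  # result fields whose values key the suppression
        self.throttle_period = throttle_period  # how long a matching result stays suppressed
        self.action = action                    # callable run when the trigger fires
        self._suppressed_until = {}             # throttle key -> datetime

    def run(self, events, now):
        fired = []
        for row in search_failures_by_src(events):
            if row["count"] < self.threshold:
                continue                        # triggering condition not satisfied
            key = tuple(row[f] for f in self.throttle_fields)
            until = self._suppressed_until.get(key)
            if until is not None and now < until:
                continue                        # throttled: same field values inside the period
            self._suppressed_until[key] = now + self.throttle_period
            fired.append(self.action(row))
        return fired

def notable_event(row):
    return f"notable: {row['count']} auth failures from {row['src']}"

def demo():
    cs = CorrelationSearch(3, ["src"], timedelta(minutes=10), notable_event)
    t0 = datetime(2024, 5, 1, 10, 2)
    first = cs.run(EVENTS, t0)                           # fires for 10.0.0.5
    second = cs.run(EVENTS, t0 + timedelta(minutes=5))   # same src inside period: suppressed
    third = cs.run(EVENTS, t0 + timedelta(minutes=11))   # period elapsed: fires again
    return first, second, third
```

Running `demo()` shows the throttle doing its job: the second evaluation returns nothing although the dataset still satisfies the trigger, and the third fires again once the period has elapsed.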