Title of invention: Determination and display of the number of unique values for a field defined for events in a distributed data store
Abstract: A method, system, and processor-readable storage medium are directed towards generating a report derived from data, such as event data, stored on a plurality of distributed nodes. In one embodiment the analysis is generated using a “divide and conquer” algorithm, such that each distributed node analyzes locally stored event data while an aggregating node combines these analysis results to generate the report. In one embodiment, each distributed node also transmits a list of event data references associated with the analysis result to the aggregating node. The aggregating node may then generate a global ordered list of data references based on the list of event data references received from each distributed node. Subsequently, in response to a user selection of a range of global event data, the report may dynamically retrieve event data from one or more distributed nodes for display according to the global order.
Publication number: US8990245(B2) | Publication date: 2015.03.24
Application number: US201414158421 | Filing date: 2014.01.17
Applicant: Splunk Inc. | Inventors: Zhang Steve Yu; Sorkin Stephen Phillip
Classification: G06F7/00; G06F17/30; H04L12/24 | Main classification: G06F7/00
Agency: Wong & Rees LLP | Agent: Wong & Rees LLP; Wong Kirk D.
Independent claim: 1. A computer-implemented method, comprising: receiving a query including a criterion for searching a set of events stored across a plurality of distributed machines, wherein each distributed machine has access to search a subgroup of the stored set of events, wherein each distributed machine has access to search a subgroup different than subgroups that other distributed machines have access to search, and wherein each event is associated with a timestamp; in response to receiving the query, directing the plurality of distributed machines to search, in respective subgroups to which they have access, for events responsive to the query; receiving from the distributed machines information about values for a field that are extracted from the events responsive to the query; synthesizing the information about the values for the field to determine a number corresponding to how many unique values exist for the field in the events responsive to the query; displaying a field name representing the field and the number corresponding to how many unique values exist for the field in a field picker, wherein the field picker lists a plurality of field names corresponding to fields defined for the events responsive to the query; displaying information about a subset of the events that are both responsive to the query and that meet a criterion for a field corresponding to a field name selected from the list of the plurality of field names.
Address: San Francisco CA US