Title of invention: Time series search engine
Abstract: Methods and apparatus consistent with the invention provide the ability to organize, index, search, and present time series data based on searches. Time series data are sequences of time stamped records occurring in one or more usually continuous streams, representing some type of activity. In one embodiment, time series data is organized into discrete events with normalized time stamps and the events are indexed by time and keyword. A search is received and relevant event information is retrieved based in whole or in part on the time indexing mechanism, keyword indexing mechanism, or statistical indices calculated at the time of the search.
Publication number: US8990184(B2)  Publication date: 2015.03.24
Application number: US201213664186  Filing date: 2012.10.30
Applicant: Splunk Inc.  Inventors: Baum Michael Joseph; Carasso R. David; Das Robin Kumar; Greene Rory; Hall Bradley; Mealy Nicholas Christian; Murphy Brian Philip; Sorkin Stephen Phillip; Stechert Andre David; Swan Erik M.
Classification: G06F7/00; G06F17/30  Main classification: G06F7/00
Agency: Haynes Beffel & Wolfeld LLP  Agent: Haynes Beffel & Wolfeld LLP; Beffel, Jr. Ernest J.
Main claim: 1. A method for building a searchable data store, comprising: repeatedly generating buckets in memory to receive events, respective buckets designated with time spans to receive the events based on event time stamps, and maintaining a record of designated time spans assigned to respective buckets for time keyed event retrieval; electronically receiving machine data produced by devices in an information processing environment, separating the machine data into events at boundaries between contiguous portions of the machine data, applying the time stamps to the events, and inserting a respective event into a respective bucket based at least in part on a respective applied time stamp; wherein the machine data included in the events includes textual data; wherein the events are indexed; wherein applying the respective time stamp to the respective event includes applying an extraction rule to extract time information to use as the time stamp from the textual data included in the respective event; wherein the respective bucket receiving the respective event is a hot bucket; and advancing a filled hot bucket to warm bucket status that does not accept further events; wherein at least events in warm buckets are searchable.
Address: San Francisco CA US