Splunk Inc.
Efficient detection of alert states within unstructured event data based on evaluation of structured data set

Abstract:

Systems and methods are disclosed for efficiently detecting alert states within unstructured event data. Alert states are illustratively defined as occurring when a threshold number of journey instances are present within the unstructured event data, each journey instance representing a series of events within the event data representing steps within a pre-defined journey. Detecting journey instances within unstructured event data can require significant computational resources, and thus attempting to detect alert states directly from unstructured event data can lead to inefficiencies. Embodiments of this disclosure enable a structured data set of journey instances to be generated from unstructured event data, and for the structured data set to be evaluated based on criteria of multiple alert states. By utilizing a single structured data set to support evaluation based on multiple alert states, detecting alert states from unstructured event data is rendered more efficient.