diff --git a/docs/search/copilot.md b/docs/search/copilot.md index 4ad5d84c51..f9c16b0e89 100644 --- a/docs/search/copilot.md +++ b/docs/search/copilot.md @@ -1,6 +1,7 @@ --- id: copilot title: Sumo Logic Copilot - Feature Preview +sidebar_label: Copilot - Preview description: Streamline your log analysis with Sumo Logic Copilot, our AI-based assistant designed to simplify log analysis by allowing you to ask questions in plain English and providing search suggestions without the need to write log queries. keywords: - copilot @@ -10,17 +11,13 @@ keywords: - ml --- - - - - import Iframe from 'react-iframe'; import useBaseUrl from '@docusaurus/useBaseUrl';

Preview Release

This is a Preview release. To learn more, contact your Sumo Logic account executive. -Sumo Logic Copilot is an AI-powered assistant that accelerates investigations and troubleshooting in logs by allowing you to ask questions in plain English and get contextual suggestions, helping first responders get to answers faster. +Sumo Logic Copilot is our AI-powered assistant that accelerates investigations and troubleshooting in logs by allowing you to ask questions in plain English and get contextual suggestions, helping first responders get to answers faster. With its intuitive interface, Copilot automatically generates log searches from natural language queries, helping you quickly investigate performance issues, anomalies, and security threats. It also guides you through investigations step-by-step with AI-driven suggestions to refine your results for faster, more accurate resolutions. Overall, Copilot enhances incident resolution with expert level insights. @@ -38,25 +35,27 @@ With its intuitive interface, Copilot automatically generates log searches from ### Key features -Copilot reduces manual effort by combining prebuilt insights with natural language query analysis. +Copilot accelerates incident response by combining prebuilt contextual insights with natural language queries and enhancing time to insights for users across your organization. With sub-3-second response times with over 90% translation accuracy for most queries, Copilot ensures fast and dependable results for supported log sources. -* **Natural language queries**. Ask questions in plain English—no need to enter query syntax. -* **Contextual suggestions**. Automated suggestions to accelerate your workflow. -* **Conversation history**. Save and resume any troubleshooting session without losing context. -* **Auto-visualize**. Copilot renders charts based on search results automatically. These charts can be added to dashboards from within Copilot. +* **Natural language queries**. Ask questions in plain English. +* **Contextual suggestions**. Get suggestions relevant to your troubleshooting and investigations context. +* **Conversation history**. Save and resume troubleshooting or investigation sessions without losing context. +* **Auto-visualize**. Copilot automatically generates charts from search results, which you can add directly to dashboards. +* **Log compatibility**. Copilot supports structured logs, semi-structured logs (partial JSON), and unstructured logs (e.g., Palo Alto Firewall) when Field Extraction Rules (FERs) are applied. This ensures valuable insights across a variety of log formats. +* **Enhanced query experience**. Auto-complete to streamline natural language queries. -## Security compliance and legal +## Security and compliance Copilot leverages foundational models available through Amazon Bedrock. As a result, our Copilot compliance and security posture are inherited from Amazon Bedrock. For detailed information, refer to the following Amazon Bedrock security and compliance resources: * [Security in Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/security.html) * [Amazon Bedrock Security and Privacy](https://aws.amazon.com/bedrock/security-compliance/) -Additionally, all aspects of our service, including Copilot, adhere to the security and compliance requirements outlined in our [service agreement](https://www.sumologic.com/service-agreement) or in individually negotiated contracts. +Additionally, all aspects of our service, including Copilot, adhere to the security and compliance requirements outlined in our [service agreement](https://www.sumologic.com/service-agreement) or in individually negotiated contracts. ### Who benefits from Copilot? -Copilot is ideal for: +Copilot is ideal for users of all skill levels: * **On-call engineers**. Accelerate time to resolution by surfacing key troubleshooting insights. * **Security engineers**. Obtain security insights rapidly for faster security incident resolution. @@ -69,38 +68,66 @@ In this section, you'll learn the recommended workflow for using Copilot effecti To start using Copilot: -From the [**Classic UI**](/docs/get-started/sumo-logic-ui-classic), navigate to the **Copilot** tab on the Sumo Logic home page.
Copilot tab +From the [**Classic UI**](/docs/get-started/sumo-logic-ui-classic), navigate to the **Copilot** tab.
Copilot tab -From the [**New UI**](/docs/get-started/sumo-logic-ui), click **Copilot** in the left nav.
Copilot tab +From the [**New UI**](/docs/get-started/sumo-logic-ui), click **Copilot** in the left nav.
Copilot tab ### Step 2: Review the auto-selected source -Review the auto-selected **Source Category** and adjust it if needed. The source category is selected based on Copilot’s assessment of user intent. You can also type a source expression in the box. In either approach, you are defining the scope of your exploration. In this example, we'll select a source for AWS WAF. +Review the auto-selected **Source Category** and adjust it if needed. The source category is selected based on Copilot’s assessment of user intent. You can also type a source expression in the box. In either approach, you are defining the scope of your exploration. In this example, we'll select a source for AWS WAF. For indexes, type `_index=`. Copilot source category ### Step 3: Execute a Suggestion -Click on any of the prebuilt **Suggestions** prompts to launch your investigation. These AI-curated natural language insights are tailored to the specific data source you've chosen. +Click on any of the prebuilt **Suggestions** prompts to launch your investigation. These AI-curated natural language insights are tailored to the specific source you've chosen. In this example, we'll click `Count the number of log entries by the collector ID`. This translates the insight to a log query and renders results. Copilot time period -

+#### Ask a question -
-Manual entry (not recommended) +In the **Ask Something...** field, you can manually enter a natural language prompt similar to the prebuilt ones under **Suggestions**. In addition, use autocompletions if appropriate. Type a work in the search bar to trigger completions based on the keyword. -In the **Ask Something...** field, you can manually enter a natural language prompt similar to the prebuilt ones under **Suggestions**. + Copilot time period Broad questions may not yield accurate results. For best outcomes, frame your queries around a small, well-defined problem. If Copilot is unable to translate your prompt into a query, it will display "Failed translation". -Break your questions into smaller, specific prompts to help Copilot provide more accurate answers.
Copilot time period -
+Break your questions into smaller, specific requirements to help Copilot provide more accurate answers.
Copilot time period + + + +Copilot is built on [Sumo Logic search query language](/docs/search/search-query-language). Below are key functions you can call using natural language prompts: + +* `Count logs by` [field(s)] +* `Group logs by` [field(s)] +* `Sort by` [field(s)] [in descending order] +* `Percentage breakdown in` [field] `values` +* `Find` [stat] `for` [field] (max, min, standard deviation, etc.) +* `Filter by` [field] `contains` [keyword] + :::note + Keyword searches are case-sensitive + ::: +* `Apply logreduce to logs` + +Additional prompts can trigger more advanced activities (e.g., mapping network activity against CrowdStrike): + +* `Analyze risk and severity of network activity` +* `Identify top application categories accessed` +##### Tips and tricks + +* **Start with a broad query**. Begin with a query like `Show me the most recent logs` to understand the structure and available fields in your logs. +* **Clarify field names**. If fields have similar names and cause confusion, explicitly specify the field (e.g., ``) to improve accuracy. +* **Experiment with phrasing**. Try multiple variations of a query to provide context and receive more relevant suggestions. +* **Include time for timeslicing**. When timeslicing data, include the term `time` in your query. For example: `Count requests, every 1m, different code challenges and user used during login attempts by time`. #### Time range @@ -119,9 +146,9 @@ The following rules are used to deduce chart type: * If both latitude and longitude fields exist, it returns a MAP chart type. * If there is only one field and one record, it returns an SVP chart type. Example query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | count` * If a `sort` operator is present and there are string fields, it returns a TABLE. Given that there is a `sort` operator, probably the user is interested in `count`. Query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | sort by _count` -* If there is a `_timeslice` field, it returns LINE chart type if there are numeric fields or a TABLE chart type if there are string fields. +* If there is a `_timeslice` field, it returns a LINE chart type if there are numeric fields or a TABLE chart type if there are string fields. * If there is one string field, one numeric field, and record count is less than 6, it returns a PIE chart type. Query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename"`. -* If there is one string field, less than 3 numeric field, and record count is less than 20, it returns a LINE chart. +* If there is one string field, less than 3 numeric fields, and record count is less than 20, it returns a LINE chart. * If none of the above conditions are met, it defaults to returning a TABLE chart type. If required, select your preferred chart type, such as **Table**, **Bar**, **Column**, or **Line** view to visualize your results. You can also click **Add to Dashboard** to export an AI-generated dashboard for root cause analysis. @@ -132,20 +159,6 @@ If required, select your preferred chart type, such as **Table**, **Bar**, **Col You can manually edit your log search query code if needed. -
-JSON Syntax Rules - -* Copilot supports querying JSON logs only. It cannot be used to query unstructured data, metrics, or traces. To retrieve a list of `_sourceCategories` with JSON data, use the following query: - ```sql - _sourceCategory=* "{" "}" - | limit 10000 | logreduce keys noaggregate - | count by _sourceCategory, _schema - | where _schema != "unknown" - | sum(_count) by _sourceCategory - ``` -* If your log query contains a mix of JSON and non-JSON formatting (i.e., a log file is partially JSON), you can isolate the JSON portion by adding `{` to the source expression to trigger **Suggestions**.
Copilot JSON formatting -
- 1. Click in the code editor field and edit your search. Not familiar with Sumo Logic query language? See [Search Query Language](/docs/search/search-query-language) to learn more.
Copilot time period 1. When you're done, press Enter or click the search button.
Copilot time period @@ -153,6 +166,22 @@ You can manually edit your log search query code if needed. To save space, you can use the **Hide Log Query** icon to collapse the log query code.
Copilot time period ::: +#### Compatible Log Formats + +Copilot querying is compatible with JSON logs, partial JSON logs, and unstructured logs with Field Extraction Rules. It cannot be used to query metrics or trace telemetry. + +To retrieve a list of `_sourceCategories` with JSON data, use the following query: + +```sql +_sourceCategory=* "{" "}" +| limit 10000 | logreduce keys noaggregate +| count by _sourceCategory, _schema +| where _schema != "unknown" +| sum(_count) by _sourceCategory +``` + +If your log query contains a mix of JSON and non-JSON formatting (i.e., a log file is partially JSON), you can isolate the JSON portion by adding `{` to the source expression to trigger **Suggestions**.
Copilot JSON formatting + #### History Often, users work on multiple incidents at the same time. To view Copilot interactions related to these incidents, click **History**.
Copilot History @@ -165,7 +194,7 @@ Second, you can resume from a specific query in a conversation by clicking on th #### New Conversation -To start a new exploration, click **New Conversation**.
Copilot new conversation +To start a fresh exploration, click **New Conversation**. This clears your current session and allows you to begin with a clean slate.
Copilot new conversation ### Step 4: Open in Log Search @@ -204,7 +233,7 @@ You are a SecOps engineer who uses [Cloud SIEM](/docs/cse/). You are worried abo 1. In Copilot, you type the source for Cloud SIEM network records: ``` - * _index=sec_record_network + _index=sec_record_network ``` 1. You know what you are looking for. So, you ask: ``` @@ -216,7 +245,7 @@ You are a SecOps engineer who uses [Cloud SIEM](/docs/cse/). You are worried abo Count logs by action. Sort the results. versus the previous 1h ``` Notice the system translated the suggestion to a log query and rendered results as a bar graph with no user input.
Copilot tab -1. Switching to table view, you notice “Malicious” in the search results. So, you add in `Filter results by action contains Malicious` to the query: +1. Switching to table view, you notice "Malicious” in the search results. So, you add in `Filter results by action contains Malicious` to the query: ``` Count logs by action. Sort the results. Filter results by action contains Malicious. ``` @@ -233,6 +262,10 @@ You are a SecOps engineer who uses [Cloud SIEM](/docs/cse/). You are worried abo To summarize, you conclude there is malicious activity originating from certain users who need to be investigated further. +## Role Based Access Control + +Role Based Access Control is not supported for contextual suggestions and autocompletions. It is possible for a user who is blocked by [log search RBAC](/docs/manage/users-roles/roles/construct-search-filter-for-role/) to view suggestions or completions for unpermitted source expressions. However, they will not be executed by the search and will see the error: `""`. + ## Feedback We want your feedback! Let us know what you think by clicking the thumbs up or thumbs down icon and entering the context of your query. diff --git a/sidebars.ts b/sidebars.ts index e45509e381..9dce30781d 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -1324,6 +1324,7 @@ module.exports = { }, ], }, + 'search/copilot', { type: 'category', label: 'Search Query Language', diff --git a/static/img/search/copilot/copilot-tab-new.png b/static/img/search/copilot/copilot-tab-new.png index f7b6a4dd23..fa565d9f95 100644 Binary files a/static/img/search/copilot/copilot-tab-new.png and b/static/img/search/copilot/copilot-tab-new.png differ diff --git a/static/img/search/copilot/copilot-tab.png b/static/img/search/copilot/copilot-tab.png index 62760a84d1..79b0488ebc 100644 Binary files a/static/img/search/copilot/copilot-tab.png and b/static/img/search/copilot/copilot-tab.png differ