Commit 89f49b1

estherk15, claude, and maycmlee authored
[DOCS-8989][DOCS-12774][DOCS-12512] Improve Log Explorer and monitoring documentation (#34549)
* [DOCS-8989] Add prominent links to Log Explorer documentation

  Add clearer pointers to comprehensive Log Explorer documentation in the Getting Started with Logs page. Users reported difficulty finding documentation about all Log Explorer features.

  Changes:
  - Add direct link to Log Explorer docs in introduction
  - Add bulleted list highlighting key Log Explorer features (search, analytics, visualizations, saved views, export)
  - Add closing note pointing to comprehensive documentation

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* [DOCS-12774] Clarify query_window and avg usage in anomaly monitors

  Improve anomaly monitor API documentation based on user feedback about confusion with query parameters.

  Changes:
  - Clarify query_window parameter: Explicitly state it controls visualization time range in notifications, not alert evaluation
  - Add explanation for dual use of avg in example query: One aggregates anomaly data points for graphs, the other aggregates the metric across nodes before anomaly detection

  User feedback: Confusion about query_window behavior and why avg appears twice in the query without clear explanation.

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* [DOCS-12512] Clarify when to use @ prefix in log search syntax

  Add explanation for when the @ prefix is required versus optional in log attribute searches based on user feedback.

  Changes:
  - Add "Reserved attributes" subsection explaining that reserved attributes (host, source, status, service, trace_id, message) do not require @ prefix
  - Provide examples of searching reserved attributes without @
  - Clarify that all other custom attributes require the @ prefix
  - Link to reserved attributes documentation

  User feedback: "Doesn't explain when to use @ and when not to. Why do we use an @ for @http.response_time:foo but not service:foo?"

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Apply suggestions from code review

* Update content/en/logs/explorer/search_syntax.md

* Apply suggestions from code review

  Co-authored-by: May Lee <may.lee@datadoghq.com>

* Update content/en/getting_started/logs/_index.md

  Co-authored-by: May Lee <may.lee@datadoghq.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: May Lee <may.lee@datadoghq.com>
1 parent 742e279 commit 89f49b1

3 files changed: +29 -1 lines changed

content/en/getting_started/logs/_index.md

Lines changed: 13 additions & 0 deletions
@@ -113,6 +113,15 @@ Aggregate your logs into `Fields` and visualize as **Top List** to see your top
113113

114114
{{< img src="/getting_started/logs/top-list-view-2024.png" alt="A top list in the Log Explorer">}}
115115

116+
The Log Explorer offers the following features for log troubleshooting and exploration:
117+
- [Advanced search and filtering][31] with facets and queries
118+
- [Log Analytics][17] for grouping logs into patterns and aggregating data
119+
- [Visualizations][28] to display log data in various formats
120+
- [Saved Views][29] to save and share your search configurations
121+
- [Export options][30] to reuse your queries in different contexts
122+
123+
For detailed information about all Log Explorer features, see the [Log Explorer documentation][16].
124+
116125
## What's next?
117126

118127
Once a logging source is configured, and your logs are available in the Log Explorer, you can begin to explore a few other areas of log management.
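
Review bot: The new feature list (added lines 116-123) sits directly under the Top List screenshot with no heading or transition, so it reads as a continuation of the Top List step rather than as a summary of the Log Explorer as a whole. Consider a short subheading, or move the closing sentence ("For detailed information about all Log Explorer features, see the [Log Explorer documentation][16].") above the list so the pointer is seen first. The list also relies on `[16]` and `[17]`, whose definitions are not visible in this diff; confirm they resolve to the Log Explorer and Log Analytics pages.
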
@@ -168,3 +177,7 @@ Once a logging source is configured, and your logs are available in the Log Expl
168177
[25]: /logs/guide/best-practices-for-log-management/
169178
[26]: /logs/guide/getting-started-lwl/
170179
[27]: /logs/guide/logs-rbac/
180+
[28]: /logs/explorer/visualize/
181+
[29]: /logs/explorer/saved_views/
182+
[30]: /logs/explorer/export/
183+
[31]: /logs/explorer/search_syntax/

content/en/logs/explorer/search_syntax.md

Lines changed: 11 additions & 0 deletions
@@ -92,6 +92,16 @@ For instance, if your attribute name is **url** and you want to filter on the **
9292
@url:www.datadoghq.com
9393
```
9494

95+
### Reserved attributes
96+
97+
[Reserved attributes][8] such as `host`, `source`, `status`, `service`, `trace_id`, and `message` do not require the `@` prefix. You can search these attributes directly:
98+
99+
```
100+
service:web-app
101+
status:error
102+
host:i-1234567890abcdef0
103+
```
104+
95105

96106
**Notes**:
97107

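
Review bot: The new "Reserved attributes" subsection (added lines 95-104) states only that reserved attributes do not need the `@` prefix; it never states the converse, that every other attribute does, which is what the commit message promises ("Clarify that all other custom attributes require the @ prefix") and what the quoted user feedback asked about. Add one sentence after the example block saying so, and consider replacing "such as" with wording that makes clear whether the six names are the complete set. The added blank line 104 followed by the existing blank context line also leaves two blank lines before **Notes**.
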
@@ -224,3 +234,4 @@ Calculated fields function like log attributes and can be used for search, aggre
224234
[5]: /getting_started/tagging/#tags-best-practices
225235
[6]: /logs/explorer/saved_views/
226236
[7]: /logs/explorer/facets/#facet-panel
237+
[8]: /logs/log_configuration/attributes_naming_convention/#reserved-attributes

content/en/monitors/types/anomaly.md

Lines changed: 5 additions & 1 deletion
@@ -180,7 +180,7 @@ avg(<query_window>):anomalies(<metric_query>, '<algorithm>', <deviations>, direc
180180
```
181181

182182
`query_window`
183-
: A timeframe like `last_4h` or `last_7d`. The time window displayed in graphs in notifications. Must be at least as large as the `alert_window` and is recommended to be around 5 times the `alert_window`.
183+
: A time frame like `last_4h` or `last_7d`. This parameter controls the time range of data shown in notification graphs. The `query_window` determines how much historical data appears in the visualization but does not affect alert evaluation. Datadog recommends the `query_window` to be around five times the `alert_window` to provide additional context. **Note**: The `query_window` must be at least as large as the `alert_window`.
184184

185185
`metric_query`
186186
: A standard Datadog metric query (for example, `sum:trace.flask.request.hits{service:web-app}.as_count()`).
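
Review bot: In the rewritten `query_window` definition (line 183) the hard requirement, that the window must be at least as large as the `alert_window`, now comes last as a bold note after the recommendation, where the removed line stated it first. A value that violates it is invalid while the five-times ratio is only advice, so put the requirement directly after the first sentence and let the recommendation follow. The change from "timeframe" to "time frame" should also be checked against the rest of the page for consistency.
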
@@ -215,6 +215,10 @@ Below is an example query for an anomaly detection monitor, which alerts when th
215215
avg(last_1h):anomalies(avg:system.cpu.system{name:cassandra}, 'basic', 3, direction='above', alert_window='last_5m', interval=20, count_default_zero='true') >= 1
216216
```
217217

218+
This query uses `avg` in two places:
219+
- `avg(last_1h)` - Aggregates anomaly data points over the query window for notification graphs
220+
- `avg:system.cpu.system{name:cassandra}` - Aggregates the CPU metric across Cassandra nodes before anomaly detection
221+
218222
### `options`
219223

220224
Most of the properties under `options` in the request body are the same as for other query alerts, except for `thresholds` and `threshold_windows`.
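
Review bot: The first added bullet (line 219) describes `avg(last_1h)` as aggregating anomaly data points "for notification graphs", but the example query ends in `>= 1` and the added text never says what value that threshold is compared against, so a reader still cannot tell how the outer `avg` relates to the alert condition. Add a sentence tying the `>= 1` comparison to `alert_window='last_5m'` or to the outer aggregation, whichever is accurate. A colon after each code span would also read more cleanly than the spaced hyphen used as a separator in both bullets.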
