docs/search/mobot-multiturn-beta.md
65 additions & 26 deletions
@@ -42,6 +42,20 @@ Select **Query Agent** to get help with Sumo Logic log search queries.
42
42
43
43
<img src={useBaseUrl('img/search/mobot/query-agent-select.png')} alt="Query Agent button selected in the Mobot UI" style={{border: '1px solid gray'}} width="600" />
44
44
45
+
Query Agent builds on the query translation foundation of the previous [Copilot experience](/docs/search/mobot), with significant improvements:
46
+
47
+
* Core improvements:
48
+
***Conversational flow**. Refine queries through natural follow-up questions without losing context. Each refinement builds on the last, so you can iterate toward the insight you need.
49
+
***Improved accuracy**. Translations to Sumo Query Language are more reliable, especially for data sources with active dashboards.
50
+
***Smarter error handling**. Instead of generic errors, Query Agent provides clear messages and actionable suggestions for next steps.
51
+
* Advanced features:
52
+
***Dashboard-aware translations via RAG**. Query Agent learns from dashboards opened in your org in the last 90 days to better interpret intent. This improves understanding of field names, data structure, and common queries, resulting in more accurate translations, especially for unstructured logs.
53
+
***Automatic source detection**. Let Query Agent choose a data source based on your question, or enter one yourself for more control.
54
+
***Clarifications when needed**. If your request is ambiguous, Query Agent asks follow-up questions to narrow intent rather than guessing.
55
+
* Enhanced workflow:
56
+
***Guided exploration**. Intent cards summarize your current goal, and suggestion cards offer refinements you can apply with a click.
57
+
***Integrated interface**. A conversation pane shows your prompts and refinements, with queries rendered directly in the editor, live results, and the ability to branch or revisit past conversations.
58
+
45
59
import Iframe from 'react-iframe';
46
60
47
61
:::sumo Micro Lesson
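Review bot: The "Dashboard-aware translations via RAG" bullet says Query Agent learns from dashboards opened in your org in the last 90 days, but it does not say whether that retrieval is limited to dashboards the asking user is allowed to view. Readers who restrict dashboards by role will want to know whether field names or query fragments from a restricted dashboard can influence another user's translation, so suggest adding one sentence that states the scoping. Separately, the sub-items appear here as `***Conversational flow**` with no space after the list marker; confirm the source has them as indented `* **...**` items so they nest under "Core improvements:" and render in bold.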
@@ -60,54 +74,79 @@ import Iframe from 'react-iframe';
60
74
61
75
:::
62
76
63
-
Query Agent builds on the query translation foundation of the previous Copilot experience, with significant improvements:
64
-
65
-
Core improvements:
66
-
-**Conversational flow**. Refine queries through natural follow-up questions without losing context. Each refinement builds on the last, so you can iterate toward the insight you need.
67
-
-**Improved accuracy**. Translations to Sumo Query Language are more reliable, especially for data sources with active dashboards.
68
-
-**Smarter error handling**. Instead of generic errors, Query Agent provides clear messages and actionable suggestions for next steps.
69
-
70
-
Advanced features:
71
-
-**Dashboard-aware translations via RAG**. Query Agent learns from dashboards opened in your org in the last 90 days to better interpret intent. This improves understanding of field names, data structure, and common queries, resulting in more accurate translations, especially for unstructured logs.
72
-
-**Automatic source detection**. Let Query Agent choose a data source based on your question, or enter one yourself for more control.
73
-
-**Clarifications when needed**. If your request is ambiguous, Query Agent asks follow-up questions to narrow intent rather than guessing.
74
-
75
-
Enhanced workflow:
76
-
-**Guided exploration**. Intent cards summarize your current goal, and suggestion cards offer refinements you can apply with a click.
77
-
-**Integrated interface**. A conversation pane shows your prompts and refinements, with queries rendered directly in the editor, live results, and the ability to branch or revisit past conversations.
78
-
79
-
### Example workflow
77
+
### Example workflow: Observability
80
78
81
79
The steps below outline a typical conversational interaction pattern. You can apply the same approach to different logs, events, or dimensions. This type of investigation typically only takes a few minutes.
82
80
83
-
#### Step 1: Ask your initial question
81
+
#### Ask your initial question
84
82
85
83
Use natural language to ask what you're looking for. For better results, include the name of the data source you're querying and any related fields or values. If you don't select a source, Query Agent chooses one automatically based on your question. You can override it by typing the source name directly or choosing from the **Auto Source Selection** dropdown.
86
84
87
85
For example, if you enter a broad question like "Show me AWS CloudTrail errors", your query will translate to Sumo Logic query language (something like `(_source="AWS CloudTrail") "error"`) and an intent card appears in the conversation pane summarizing your goal. Query Agent then surfaces suggestion cards with related refinements you can click. You'll also see an option to open your query in Log Search.
88
86
89
-
#### Step 2: Narrow the scope
87
+
#### Narrow the scope
90
88
91
89
After you click a follow-up suggestion or type a refinement, Query Agent refreshes the results and updates the intent card and query to reflect the new focus. With each refinement, Query Agent adjusts the query, applies the changes, and renders a visual chart.
92
90
93
91
For example, clicking a suggestion like "Show me trend of errors each minute" would apply a timeslice to group the results over time.
94
92
95
-
#### Step 3: Drill into causes
93
+
#### Drill into causes
96
94
97
95
As you go, Query Agent presents new suggestions to help you pivot into related questions, such as analyzing trends of event reasons or identifying top namespaces. The intent card expands each time to include the new scope, and results show additional details.
98
96
99
97
For example, you could refine further by clicking a suggestion like "Show the count of error logs per minute, grouped by error code".
100
98
101
-
#### Step 4: Request a trend over time
99
+
#### Request a trend over time
102
100
103
101
If you type a time period, Query Agent would apply a timeslice to group results over time. For example, if you type "Show the trend over 24 hours", results would be divided into 1-hour buckets.
104
102
105
103
#### Next steps
106
104
107
-
In just a few conversational turns, you went from a broad question to a detailed analysis showing error trends grouped by error code over time.
105
+
In just a few conversational turns, we went from a broad question to a detailed analysis showing error trends grouped by error code over time.
108
106
109
107
From here, you can continue refining or explore different angles like [switching the chart type](/docs/search/mobot/#chart-type), [opening the query in Log Search](/docs/search/mobot/#step-4-open-in-log-search), [adjusting the time range](/docs/search/mobot/#time-range), [editing the query logic](/docs/search/mobot/#edit-query-code), or [starting over with a new chat](/docs/search/mobot/#new-conversation).
110
108
109
+
110
+
### Example workflow: Security investigation
111
+
112
+
The steps below outline a typical conversational interaction pattern for investigating a security incident. You can apply the same approach to different security scenarios.
113
+
114
+
#### Step 1: Ask your initial question
115
+
116
+
Use natural language to ask what you're looking for. For better results, include the name of the data source you're querying and any related fields or values. If you don't select a source, Query Agent chooses one automatically based on your question.
117
+
118
+
For example, if you enter "Show me recent user-service logs", Query Agent selects the correct source category and returns recent events. An intent card appears in the conversation pane summarizing your goal. Query Agent then surfaces suggestion cards with related refinements you can click.
119
+
120
+
#### Step 2: Identify patterns
121
+
122
+
After you click a follow-up suggestion or type a refinement, Query Agent refreshes the results and updates the intent card and query to reflect the new focus. With each refinement, Query Agent adjusts the query, applies the changes, and renders a visual chart.
123
+
124
+
For example, asking "What's the request volume by service?" would aggregate traffic by service. Query Agent might surface that user-service has 3× higher requests than baseline, while other services remain healthy—suggesting a traffic surge on one service.
125
+
126
+
#### Step 3: Analyze geographic distribution
127
+
128
+
As you go, Query Agent presents new suggestions to help you pivot into related questions. The intent card expands each time to include the new scope, and results show additional details.
129
+
130
+
For example, asking "Where are these requests coming from?" would aggregate by geography. Query Agent might reveal that 80% of requests originate from France, with elevated activity from China, Netherlands, and India—a geographic clustering pattern consistent with coordinated attacks.
131
+
132
+
#### Step 4: Examine error patterns and sources
133
+
134
+
Query Agent maintains context from previous questions, so you can continue refining without repeating filters. For example, asking "What status codes are returned by the register API?" would show that over 85% of requests are failing with 503 errors. Following up with "Which IPs are behind these 503 errors?" reveals that two IPs account for over 97% of the failed traffic.
135
+
136
+
#### Step 5: Validate with threat intelligence
137
+
138
+
You can enrich findings by asking Query Agent to cross-reference with external data. For example, "Check these IPs against threat intel" would reveal if the source IPs are flagged as known malicious actors, confirming whether the incident is an attack or organic load.
139
+
140
+
#### Next steps
141
+
142
+
In just a few conversational turns, we went from an initial alert to confirming a DDoS attack with:
143
+
* Identified affected services and APIs
144
+
* Traced attack origin to specific geographic regions and IPs
145
+
* Validated malicious actors using threat intelligence
146
+
* Quantified impact on latency and error rates
147
+
148
+
From here, you can continue refining or take action like blocking malicious IPs, [opening the query in Log Search](/docs/search/mobot/#step-4-open-in-log-search), [adjusting the time range](/docs/search/mobot/#time-range), [editing the query logic](/docs/search/mobot/#edit-query-code), or [starting over with a new chat](/docs/search/mobot/#new-conversation).
149
+
111
150
### Tips for better answers
112
151
113
152
Get the most out of Query Agent by following these tips:
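Review bot: In the Security investigation "Next steps" list, "Quantified impact on latency and error rates" is not backed by Steps 1 to 5: error rates appear in Step 4, but latency is never queried, and the summary says the flow went "from an initial alert" while Step 1 starts from "Show me recent user-service logs". Suggest dropping "latency" or adding a latency step, and rewording the opening to match Step 1. Step 5 also says the threat intel lookup confirms "whether the incident is an attack or organic load"; a match supports the attack reading, but the absence of a match does not establish organic load, so "helps confirm" would be safer wording. Minor: the Observability headings lose their "Step N:" prefix while the new section keeps it, the page now has two "#### Next steps" headings (give them distinct text or explicit ids if either is linked), and "you went" became "we went" although the surrounding text addresses the reader as "you".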
@@ -169,10 +208,10 @@ Select **Knowledge Agent** to get help using Sumo Logic.
169
208
Knowledge Agent is your in-platform assistant for learning how to use Sumo Logic. Ask questions about Sumo Logic and get clear answers sourced directly from our official documentation without leaving your workflow.
170
209
171
210
**Example questions:**
172
-
- "How do I add a collector for AWS CloudTrail?"
173
-
- "What's the difference between a scheduled search and a real-time alert?"
174
-
- "Why isn't my collector sending data?"
175
-
- "What are the API endpoints for Sumo Logic?"
211
+
* "How do I add a collector for AWS CloudTrail?"
212
+
* "What's the difference between a scheduled search and a real-time alert?"
213
+
* "Why isn't my collector sending data?"
214
+
* "What are the API endpoints for Sumo Logic?"
176
215
177
216
Knowledge Agent maintains conversation context for 24 hours, so you can ask follow-up questions naturally without starting over.
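Review bot: The four example questions change only their list marker from `- ` to `* `, with no wording change, which adds formatting churn to a content commit. If the intent is to standardize on `*` to match the lists added earlier in this file, say so in the commit message and convert any remaining `-` lists in the same pass; otherwise leave these lines out of the change.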