Merge branch 'main' into copilot-ga-final

Author: kimsauce

docs/api/search-job.md

@@ -66,21 +66,19 @@ So, a 404 status is generated in these two situations:
 
 You can start requesting results asynchronously while the job is running and page through partial results while the job is in progress.
 
-
-
 ## Search Job Result Limits
 
 | Data Tier | Non-aggregate Search |
 | :- | :- |
-| Continuous | Can return up to 10M records and 100K messages per search. |
-| Frequent  | Can return up to 10M records and 100K messages per search. |
-| Infrequent  | Can return up to 10M records and 100K messages per search. |
+| Continuous | Can return up to 100K messages per search. |
+| Frequent  | Can return up to 100K messages per search. |
+| Infrequent  | Can return up to 100K messages per search. |
 
 :::info
-Flex Licensing model can return up to 10M records and 100K messages per search.
+Flex Licensing model can return up to 100K messages per search.
 :::
 
-If you need more results, you'll need to break up your search into several searches that span smaller blocks of the time range needed. For example, if your search runs for a week and returns 70 million records, consider breaking it into at least seven searches, each spanning a day.
+If you need more results, you'll need to break up your search into several searches that span smaller blocks of the time range needed.
 
 ## Rate limit throttling  
 
@@ -110,10 +108,9 @@ The following figure shows the process flow for search jobs.
 2. **Response.** Sumo Logic responds with a job ID. If there’s a problem with the request, an error code is provided (see the list of error codes following the figure).
 3. **Request.** Use the job ID to request search status. This needs to be done at least every 20-30 seconds so the search session is not canceled due to inactivity.
 4. **Response.** Sumo Logic responds with job status. An error code (404) is returned if the request could not be completed. The status includes the current state of the search job (gathering results, done executing, etc.). It also includes the message and record counts based on how many results have already been found while executing the search. For non-aggregation queries, only the number of messages is reported. For aggregation queries, the number of records produced is also reported. The search job status provides access to an implicitly generated histogram of the distribution of found messages over the time range specified for the search job. During and after execution, the API can be used to request available messages and records in a paging fashion.
-5. **Request.** You request results. It’s not necessary for the search to be complete for the user to request results; the process works asynchronously. You can repeat the request as often as needed to keep seeing updated results, keeping in mind the rate limits. The Search Job API can return up to 10M records and 100K messages per search.
+5. **Request.** You request results. It’s not necessary for the search to be complete for the user to request results; the process works asynchronously. You can repeat the request as often as needed to keep seeing updated results, keeping in mind the rate limits. The Search Job API can return 100K messages per search.
 6. **Response.** Sumo Logic delivers JSON-formatted search results as requested. The API can deliver partial results that the user can start paging through, even as new results continue to come in. If there’s a problem with the results, an error code is provided (see the list of error codes following the figure).
 
-
 ## Errors
 
 **Generic errors that apply to all APIs**

docs/search/copilot.md

@@ -23,15 +23,15 @@ Sumo Logic Copilot is our AI-powered assistant that accelerates investigations a
 With its intuitive interface, Copilot automatically generates log searches from natural language queries, helping you quickly investigate performance issues, anomalies, and security threats. It also guides you through investigations step-by-step with AI-driven suggestions to refine your results for faster, more accurate resolutions. Overall, Copilot enhances incident resolution with expert level insights.
 
 <Iframe url="https://www.youtube.com/embed/yaeepHSaNKk?rel=0"
-        width="854px"
-        height="480px"
-        id="myId"
-        className="video-container"
-        display="initial"
-        position="relative"
-        allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
-        allowfullscreen
-        />
+     width="854px"
+     height="480px"
+     id="myId"
+     className="video-container"
+     display="initial"
+     position="relative"
+     allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
+     allowfullscreen
+     />
 
 
 ## Key features
@@ -41,7 +41,7 @@ Copilot accelerates incident response by combining prebuilt contextual insights
 * **Natural language queries**. Ask questions in plain English.
 * **Contextual suggestions**. Get suggestions relevant to your troubleshooting and investigations context.
 * **Conversation history**. Save and resume troubleshooting or investigation sessions without losing context.
-* **Auto-visualize**. Copilot automatically generates charts from search results, which you can add directly to dashboards.
+* **Auto-visualize**. Copilot automatically generates charts from search results, which you can add directly to dashboards, reducing time and effort in data interpretation.
 * **Log compatibility**. Copilot supports structured logs, semi-structured logs (partial JSON), and unstructured logs (e.g., Palo Alto Firewall) when Field Extraction Rules (FERs) are applied. This ensures valuable insights across a variety of log formats.
 * **Enhanced query experience**. Auto-complete to streamline natural language queries.
 
@@ -60,6 +60,9 @@ Copilot is ideal for users of all skill levels:
 
 * **On-call engineers**. Accelerate time to resolution by surfacing key troubleshooting insights.
 * **Security engineers**. Obtain security insights rapidly for faster security incident resolution.
+* **Early career professionals**. Simplifies troubleshooting with natural language queries, making incident resolution accessible to those unfamiliar with query syntax.
+* **Practitioners**. Speeds up workflows with auto-complete and context-aware suggestions for frequent tasks.
+* **Experts**. Provides IDE-style assistance for crafting complex queries efficiently.
 
 ## How to use Copilot
 
@@ -93,6 +96,10 @@ In this example, we'll click `Count the number of log entries by the collector I
 
 In the **Ask Something...** field, you can manually enter a natural language prompt similar to the prebuilt ones under **Suggestions**. In addition, use autocompletions if appropriate. Type a word in the search bar to trigger completions based on the keyword.
 
+<img src={useBaseUrl('img/search/copilot/manual-entry.png')} alt="Copilot time period" style={{border: '1px solid gray'}} width="600" />
+
+#### Video: Autocomplete in action
+
 <Iframe url="https://player.vimeo.com/video/1034043268?badge=0&amp;autopause=0&amp;player_id=0&amp;app_id=58479"
      width="854px"
      height="480px"
@@ -104,19 +111,23 @@ In the **Ask Something...** field, you can manually enter a natural language pro
      allowfullscreen
      />
 
-
-<img src={useBaseUrl('img/search/copilot/manual-entry.png')} alt="Copilot time period" style={{border: '1px solid gray'}} width="600" />
-
 Broad questions may not yield accurate results. For best outcomes, frame your queries around a small, well-defined problem. If Copilot is unable to translate your prompt into a query, it will display "Failed translation".
 
 Break your questions into smaller, specific requirements to help Copilot provide more accurate answers.<br/><img src={useBaseUrl('img/search/copilot/copilot-periods.gif')} alt="Copilot time period" style={{border: '1px solid gray'}} width="700" />
 
-##### Tips and tricks
+<!-- TO DO
+##### Autocompletion for natural language
+see https://drive.google.com/file/d/10XUn4DQD3K91V3Qf5heCizkHJneTaBJ7/view?usp=sharing
+--->
+
+#### Tips and tricks
 
 * **Start with a broad query**. Begin with a query like `Show me the most recent logs` to understand the structure and available fields in your logs.  
 * **Disambiguate field names**. If fields have similar names and cause confusion, explicitly specify the field (e.g., `<field_name>`) to improve accuracy.  
 * **Experiment with phrasing**. Try multiple variations of a query to provide context and receive more relevant suggestions.  
 * **Include time or variations to add `timeslice` as a dimension**. When timeslicing data, include the term `time` in your query. For example: `Count requests, every 1m, different code challenges and user used during login attempts by time`.
+* **Explore context-aware suggestions**. Use prompts like `Calculate 95th percentile latency` or `Visualize request volumes over time` to quickly surface key metrics.
+* **Detect malicious activity**. Try queries like `Count register requests by 503 status code, IP, and threat confidence` to uncover potential DDoS attacks.
 
 Below are examples of how you can phrase queries if the autocompletions and contextual suggestions are not relevant to you:
 
@@ -130,6 +141,23 @@ Below are examples of how you can phrase queries if the autocompletions and cont
    :::
 * `Apply logreduce to logs`
 
+More examples:
+
+* Detecting malicious activity:
+   ```
+   Count logs by action. Sort the results.
+   Filter results by action contains Malicious.
+   ```
+* Advanced analysis with users and URLs:
+   ```
+   Count logs by action, url, user.
+   Sort the results. Filter results by action contains Malicious.
+   ```  
+* Root cause analysis for latency:
+   ```
+   Calculate 95th percentile latency by service and API.
+   ```
+
 Additional prompts can trigger more advanced activities (e.g., mapping network activity against CrowdStrike):
 
 * `Analyze risk and severity of network activity`
@@ -165,7 +193,7 @@ If required, select your preferred chart type, such as **Table**, **Bar**, **Col
 
 You can manually edit your log search query code if needed.
 
-1. Click in the code editor field and edit your search. Not familiar with Sumo Logic query language? See [Search Query Language](/docs/search/search-query-language) to learn more.<br/><img src={useBaseUrl('img/search/copilot/code-editor.png')} alt="Copilot time period" style={{border: '1px solid gray'}} width="500" />
+1. Click in the code editor field and edit your search. New to Sumo Logic query language? Learn more in the [Search Query Language](/docs/search/search-query-language) guide.<br/><img src={useBaseUrl('img/search/copilot/code-editor.png')} alt="Copilot time period" style={{border: '1px solid gray'}} width="500" />
 1. When you're done, press Enter or click the search button.<br/><img src={useBaseUrl('img/search/copilot/play.png')} alt="Copilot time period" style={{border: '1px solid gray'}} width="500" />
 
 :::tip
@@ -190,13 +218,15 @@ If your log query contains a mix of JSON and non-JSON formatting (i.e., a log fi
 
 #### History
 
-Often, users work on multiple incidents at the same time. To view Copilot interactions related to these incidents, click **History**.<br/><img src={useBaseUrl('img/search/copilot/history.png')} alt="Copilot History" style={{border: '1px solid gray'}} width="700" />
+Conversation History saves all previous queries and suggestions, allowing you to backtrack and refine your investigation. For example, if a status code analysis yields inconclusive results, revisit earlier queries to explore other hypotheses.
 
-You can resume a conversation in two ways:
+This functionality comes in handy when you're working on multiple incidents at the same time. To view Copilot interactions related to an incident, click **History**.
+<br/><img src={useBaseUrl('img/search/copilot/history.png')} alt="Copilot History" style={{border: '1px solid gray'}} width="700" />
 
-First, the Resume conversation icon picks up from the last query in a conversation.<br/><img src={useBaseUrl('img/search/copilot/resume-convo-history1.png')} alt="Copilot History" style={{border: '1px solid gray'}} width="700" />
+You can resume a conversation in two ways:
 
-Second, you can resume from a specific query in a conversation by clicking on the row in the conversation history and then clicking on the gray area on the right side, as shown below.<br/><img src={useBaseUrl('img/search/copilot/resume-convo-history2.png')} alt="Copilot History" style={{border: '1px solid gray'}} width="700" />
+* Click the **Resume conversation** icon to pick up from the last query in a conversation.<br/><img src={useBaseUrl('img/search/copilot/resume-convo-history1.png')} alt="Copilot History" style={{border: '1px solid gray'}} width="600" />
+* Click on the row in the conversation history, and then click the gray area on the right side to resume from a specific query in a conversation.<br/><img src={useBaseUrl('img/search/copilot/resume-convo-history2.png')} alt="Copilot History" style={{border: '1px solid gray'}} width="600" />
 
 #### New Conversation