diff --git a/docs/search/copilot.md b/docs/search/copilot.md index be134a0653..4c8c2ccb40 100644 --- a/docs/search/copilot.md +++ b/docs/search/copilot.md @@ -1,7 +1,6 @@ --- id: copilot title: Sumo Logic Copilot - Feature Preview -sidebar_label: Copilot 🤖 description: Streamline your log analysis with Sumo Logic Copilot, our AI-based assistant designed to simplify log analysis by allowing you to ask questions in plain English and providing search suggestions without the need to write log queries. keywords: - copilot @@ -21,28 +20,25 @@ import useBaseUrl from '@docusaurus/useBaseUrl';

Preview Release

This is a Preview release. To learn more, contact your Sumo Logic account executive. -Sumo Logic Copilot is an AI-based assistant designed to simplify log analysis by allowing you to ask questions in plain English and providing search suggestions without the need to write log queries. +Sumo Logic Copilot is an AI-powered assistant that accelerates investigations and troubleshooting in logs by allowing you to ask questions in plain English and get contextual suggestions, helping first responders get answers faster. + +With its intuitive interface, Copilot automatically generates log searches from natural language queries, helping you quickly investigate performance issues, anomalies, and security threats. It also guides you through investigations step-by-step with AI-driven suggestions to refine your results for faster, more accurate resolutions. Overall, Copilot enhances incident resolution with expert level insights. ### Key features -* **AI-curated insights**. Get customized insights tailored to your data. -* **Natural language queries**. Ask questions in plain English. -* **Pre-built insights**. Utilize pre-built insights to accelerate your workflow. -* **Root cause analysis**. Quickly identify the root cause of issues with AI assistance. +Copilot reduces manual effort by combining prebuilt insights with natural language query analysis. + +* **Natural language queries**. Ask questions in plain English—no need to enter query syntax. +* **Contextual suggestions**. Automated suggestions to accelerate your workflow. +* **Conversation history**. Save and resume any troubleshooting session without losing context. +* **Auto-visualize**. Copilot renders charts based on search results automatically. These charts can be added to dashboards from within Copilot. ### Who benefits from Copilot? Copilot is ideal for: -* **On-call engineers**. Accelerate time to resolution for application insights. -* **Security engineers**. Quickly obtain security insights. 
- -### How Copilot helps - -Copilot combines pre-built insights with the ability to ask questions of your logs in natural English, helping you to: - -* **Find root causes faster**. Use AI to quickly pinpoint issues. -* **Enhance efficiency**. Streamline the log analysis process. +* **On-call engineers**. Accelerate time to resolution by surfacing key troubleshooting insights. +* **Security engineers**. Obtain security insights rapidly for faster security incident resolution. ## How to use Copilot @@ -50,112 +46,138 @@ In this section, you'll learn the recommended workflow for using Copilot effecti ### Step 1: Open Copilot -To start using Copilot, navigate to the **Copilot** tab on the Sumo Logic home page. - -Copilot tab +To start using Copilot: -### Step 2: Select a source category +From the [**Classic UI**](/docs/get-started/sumo-logic-ui-classic), navigate to the **Copilot** tab on the Sumo Logic home page.
Copilot tab -Click **Select Source Category** - the source expression box - and type/select the data source of the log messages you want to investigate. +From the [**New UI**](/docs/get-started/sumo-logic-ui), click **Copilot** in the left nav.
Copilot tab -Copilot source category - -### Step 3: Execute a prompt +### Step 2: Review the auto-selected source -#### Suggestions (recommended) +Review the auto-selected **Source Category** and adjust it if needed. The source category is selected based on Copilot’s assessment of user intent. You can also type a source expression in the box. In either approach, you are defining the scope of your exploration. In this example, we'll select a source for AWS WAF. -Under **Suggestions** > **Explore**, click on any of the prebuilt suggested prompts to start your investigation. For example: +Copilot source category -Copilot time period +### Step 3: Execute a Suggestion -#### Manual entry +Click on any of the prebuilt **Suggestions** prompts to launch your investigation. These AI-curated natural language insights are tailored to the specific data source you've chosen. -:::tip -Because manually typing an AI prompt requires careful precision for optimal performance, we recommend clicking the prebuilt [Suggestions](#suggestions-recommended) prompts, which have been proven effective through extensive testing. -::: +In this example, we'll click `Count the number of log entries by the collector ID`. This translates the insight to a log query and renders results. -In the **Ask Something...** field, enter a natural language query prompt similar to the ones under **Suggestions** > **Explore**. +Copilot time period -You'll need to be very specific. Broad questions do not return good results. When your question is framed as a query about a small, well-defined problem, Copilot answers more accurately. +

-:::note -If the statement in the **Ask Something...** field can't be translated into a query, this field will say "Failed translation". -::: +
+Manual entry (not recommended) -### Step 4: Refine your investigation +In the **Ask Something...** field, you can manually enter a natural language prompt similar to the prebuilt ones under **Suggestions**. -After executing a prompt, you'll see your current investigation summarized in plain text in the **Ask Something...** field. You can use these natural language query prompt ideas to launch and/or refine investigations. +Copilot time period -Optionally, follow any of the below steps to refine your search. +Broad questions may not yield accurate results. For best outcomes, frame your queries around a small, well-defined problem. If Copilot is unable to translate your prompt into a query, it will display "Failed translation". -#### Refine +Break your questions into smaller, specific prompts to help Copilot provide more accurate answers.
Copilot time period +
-Click any of the **Suggestions** > **Refine** prompts to apply suggested refinements to your existing investigation. -Copilot time period +#### Time range -##### Progressive refinement +By default, Copilot searches run with a 15-minute time range. If your search returns no results, consider expanding the time range. -As a best practice, start with a simple prompt, verify the query translation, and refine it gradually. For example: +1. Click the clock icon and select your desired time range from the dropdown.
Copilot time period +1. Click the search button.
Copilot search button -1. Initial prompt. `Count of logs grouped by type`. -1. Refinement. `Count of logs grouped by type, reason, kind, name`. -1. Next refinement. `Count of logs grouped by type, reason, kind, name. Filter Logs where reason is FailedScheduling`. -1. Further refinement. `Count of logs grouped by type, reason, kind, name. Filter logs where reason is FailedScheduling. Filter logs that contain redis-cluster in name. Sort the results by count`. +#### Chart type -:::tip +Copilot will automatically attempt to visualize your data. For example, a query like `Top ip by geo` will trigger a geo lookup and display the results on a map: -
-Express your chain of thought to the AI by breaking up your prompt into smaller problems that the AI can answer more accurately. Click here to see an example. +Copilot chart types -Copilot time period +The following rules are used to deduce chart type: +* If both latitude and longitude fields exist, it returns a MAP chart type. +* If there is only one field and one record, it returns an SVP chart type. Example query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | count` +* If a `sort` operator is present and there are string fields, it returns a TABLE. Given that there is a `sort` operator, probably the user is interested in `count`. Query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | sort by _count` +* If there is a `_timeslice` field, it returns LINE chart type if there are numeric fields or a TABLE chart type if there are string fields. +* If there is one string field, one numeric field, and record count is less than 6, it returns a PIE chart type. Query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename"`. +* If there is one string field, less than 3 numeric field, and record count is less than 20, it returns a LINE chart. +* If none of the above conditions are met, it defaults to returning a TABLE chart type. -
+If required, select your preferred chart type, such as **Table**, **Bar**, **Column**, or **Line** view to visualize your results. You can also click **Add to Dashboard** to export an AI-generated dashboard for root cause analysis. -::: +Copilot chart types #### Edit query code -If needed, you can edit your log search query code. +You can manually edit your log search query code if needed. -1. Click **Show Log Query** to show the current investigation as a log query.
Copilot time period -1. Click in the code editor field and edit your search. Not familiar with Sumo Logic query language? See [Search Query Language](/docs/search/search-query-language) to learn more.
Copilot time period - :::note JSON formatting - If your log query contains a mix JSON and non-JSON formatting, add `{` to the source expression to trigger **Suggestions**.
Copilot JSON formatting - ::: -1. When you're done, click the **Play** icon.
Copilot time period +
+JSON Syntax Rules - :::warning Limitations - Copilot supports querying JSON logs only. You cannot use Copilot to query unstructured data, metrics, or traces. To get a list of `_sourceCategories` with JSON data, use the below query: - ``` +* Copilot supports querying JSON logs only. It cannot be used to query unstructured data, metrics, or traces. To retrieve a list of `_sourceCategories` with JSON data, use the following query: + ```sql _sourceCategory=* "{" "}" | limit 10000 | logreduce keys noaggregate | count by _sourceCategory, _schema | where _schema != "unknown" | sum(_count) by _sourceCategory ``` - ::: +* If your log query contains a mix of JSON and non-JSON formatting (i.e., a log file is partially JSON), you can isolate the JSON portion by adding `{` to the source expression to trigger **Suggestions**.
Copilot JSON formatting +
-#### Chart type +1. Click in the code editor field and edit your search. Not familiar with Sumo Logic query language? See [Search Query Language](/docs/search/search-query-language) to learn more.
Copilot time period +1. When you're done, press Enter or click the search button.
Copilot time period + +:::tip +To save space, you can use the **Hide Log Query** icon to collapse the log query code.
Copilot time period +::: -Select your preferred chart type, such as **Table**, **Bar**, **Column**, or **Line** view, to visualize your results. +#### History -Copilot chart types +Often, users work on multiple incidents at the same time. To view Copilot interactions related to these incidents, click **History**.
Copilot History -#### Time range +You can resume a conversation in two ways: -1. Click the clock icon and select your desired time range from the dropdown.
Copilot time period -1. Click the search button.
Copilot search button +First, the Resume conversation icon picks up from the last query in a conversation.
Copilot History + +Second, you can resume from a specific query in a conversation by clicking on the row in the conversation history and then clicking on the gray area on the right side, as shown below.
Copilot History + +#### New Conversation -### Step 5: Open in Log Search +To start a new exploration, click **New Conversation**.
Copilot new conversation -Click the **Open in Log Search** icon (insert pic), which will copy your query from Copilot over to a new Log Search, allowing you to utilize all of Sumo Logic's search functionality. You can continue investigating, save the search, and remediate. -Copilot open in log search +### Step 4: Open in Log Search -If you'd like to start over and begin a new investigation, click the **New Conversation** icon.
Copilot new conversation +Click the **Open in Log Search** icon, which will copy your query from Copilot over to a new log search, allowing you to utilize all of Sumo Logic's search functionality. You can continue investigating, save the search, and remediate. -## Copilot example for Cloud SIEM +Copilot open in log search + + + +## Example queries + +### Observability + + + +In the video, Copilot is used to investigate a security issue involving the potential leak of AWS CloudTrail access keys outside the organization. + +The video demonstrates how to use Copilot to analyze AWS CloudTrail data, review AI-curated suggestions, refine searches using natural language prompts, and generate an AI-driven dashboard for root cause analysis and sharing. + +
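Review bot: the first hunk removes `sidebar_label: Copilot 🤖` without adding a replacement, so the sidebar entry will fall back to the full `title` ("Sumo Logic Copilot - Feature Preview"), which is considerably longer than the other entries. If the intent was only to drop the emoji, keep a short label such as `sidebar_label: Copilot`.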
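Review bot: the rewritten intro in the second hunk ("an AI-powered assistant that accelerates investigations and troubleshooting in logs ...") no longer matches the frontmatter `description`, which still carries the old wording ("designed to simplify log analysis ... without the need to write log queries"). Update the description to the new phrasing so the page summary and body agree, and hyphenate "expert level insights" as "expert-level insights".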
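Review bot: in the third hunk, the two paragraphs describing the CloudTrail access-key leak investigation are placed under `### Observability`, which otherwise has an empty body, while the old `## Copilot example for Cloud SIEM` heading is removed; either add a security subheading (for example `### Security`) above those paragraphs or drop the empty Observability subheading so the security example is not filed under observability. Two smaller points in the same hunk: in the chart-type rules, "less than 3 numeric field" should read "fewer than 3 numeric fields" and `SVP` is never spelled out on the page; and the `_sourceCategory=*` discovery query is fenced as ```sql although it is Sumo Logic search syntax, and its `limit 10000` means the list of JSON source categories is drawn from a sample, which is worth stating next to the query.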