diff --git a/docs/search/copilot.md b/docs/search/copilot.md index be134a0653..4c8c2ccb40 100644 --- a/docs/search/copilot.md +++ b/docs/search/copilot.md @@ -1,7 +1,6 @@ --- id: copilot title: Sumo Logic Copilot - Feature Preview -sidebar_label: Copilot 🤖 description: Streamline your log analysis with Sumo Logic Copilot, our AI-based assistant designed to simplify log analysis by allowing you to ask questions in plain English and providing search suggestions without the need to write log queries. keywords: - copilot @@ -21,28 +20,25 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
This is a Preview release. To learn more, contact your Sumo Logic account executive. -Sumo Logic Copilot is an AI-based assistant designed to simplify log analysis by allowing you to ask questions in plain English and providing search suggestions without the need to write log queries. +Sumo Logic Copilot is an AI-powered assistant that accelerates investigations and troubleshooting in logs by allowing you to ask questions in plain English and get contextual suggestions, helping first responders get answers faster. + +With its intuitive interface, Copilot automatically generates log searches from natural language queries, helping you quickly investigate performance issues, anomalies, and security threats. It also guides you through investigations step-by-step with AI-driven suggestions to refine your results for faster, more accurate resolutions. Overall, Copilot enhances incident resolution with expert level insights. ### Key features -* **AI-curated insights**. Get customized insights tailored to your data. -* **Natural language queries**. Ask questions in plain English. -* **Pre-built insights**. Utilize pre-built insights to accelerate your workflow. -* **Root cause analysis**. Quickly identify the root cause of issues with AI assistance. +Copilot reduces manual effort by combining prebuilt insights with natural language query analysis. + +* **Natural language queries**. Ask questions in plain English—no need to enter query syntax. +* **Contextual suggestions**. Automated suggestions to accelerate your workflow. +* **Conversation history**. Save and resume any troubleshooting session without losing context. +* **Auto-visualize**. Copilot renders charts based on search results automatically. These charts can be added to dashboards from within Copilot. ### Who benefits from Copilot? Copilot is ideal for: -* **On-call engineers**. Accelerate time to resolution for application insights. -* **Security engineers**. Quickly obtain security insights. 
- -### How Copilot helps - -Copilot combines pre-built insights with the ability to ask questions of your logs in natural English, helping you to: - -* **Find root causes faster**. Use AI to quickly pinpoint issues. -* **Enhance efficiency**. Streamline the log analysis process. +* **On-call engineers**. Accelerate time to resolution by surfacing key troubleshooting insights. +* **Security engineers**. Obtain security insights rapidly for faster security incident resolution. ## How to use Copilot @@ -50,112 +46,138 @@ In this section, you'll learn the recommended workflow for using Copilot effecti ### Step 1: Open Copilot -To start using Copilot, navigate to the **Copilot** tab on the Sumo Logic home page. - -
+To start using Copilot:
-### Step 2: Select a source category
+From the [**Classic UI**](/docs/get-started/sumo-logic-ui-classic), navigate to the **Copilot** tab on the Sumo Logic home page.
-Click **Select Source Category** - the source expression box - and type/select the data source of the log messages you want to investigate.
+From the [**New UI**](/docs/get-started/sumo-logic-ui), click **Copilot** in the left nav.
-
-
-### Step 3: Execute a prompt
+### Step 2: Review the auto-selected source
-#### Suggestions (recommended)
+Review the auto-selected **Source Category** and adjust it if needed. The source category is selected based on Copilot’s assessment of user intent. You can also type a source expression in the box. In either approach, you are defining the scope of your exploration. In this example, we'll select a source for AWS WAF.
-Under **Suggestions** > **Explore**, click on any of the prebuilt suggested prompts to start your investigation. For example:
+
-
+### Step 3: Execute a Suggestion
-#### Manual entry
+Click on any of the prebuilt **Suggestions** prompts to launch your investigation. These AI-curated natural language insights are tailored to the specific data source you've chosen.
-:::tip
-Because manually typing an AI prompt requires careful precision for optimal performance, we recommend clicking the prebuilt [Suggestions](#suggestions-recommended) prompts, which have been proven effective through extensive testing.
-:::
+In this example, we'll click `Count the number of log entries by the collector ID`. This translates the insight to a log query and renders results.
-In the **Ask Something...** field, enter a natural language query prompt similar to the ones under **Suggestions** > **Explore**.
+
-You'll need to be very specific. Broad questions do not return good results. When your question is framed as a query about a small, well-defined problem, Copilot answers more accurately.
+
-Optionally, follow any of the below steps to refine your search.
+Broad questions may not yield accurate results. For best outcomes, frame your queries around a small, well-defined problem. If Copilot is unable to translate your prompt into a query, it will display "Failed translation".
-#### Refine
+Break your questions into smaller, specific prompts to help Copilot provide more accurate answers.
+
+#### Time range
-##### Progressive refinement
+By default, Copilot searches run with a 15-minute time range. If your search returns no results, consider expanding the time range.
-As a best practice, start with a simple prompt, verify the query translation, and refine it gradually. For example:
+1. Click the clock icon and select your desired time range from the dropdown.
+1. Click the search button.
-1. Initial prompt. `Count of logs grouped by type`.
-1. Refinement. `Count of logs grouped by type, reason, kind, name`.
-1. Next refinement. `Count of logs grouped by type, reason, kind, name. Filter Logs where reason is FailedScheduling`.
-1. Further refinement. `Count of logs grouped by type, reason, kind, name. Filter logs where reason is FailedScheduling. Filter logs that contain redis-cluster in name. Sort the results by count`.
+#### Chart type
-:::tip
+Copilot will automatically attempt to visualize your data. For example, a query like `Top ip by geo` will trigger a geo lookup and display the results on a map:
-
-
+The following rules are used to deduce chart type:
+* If both latitude and longitude fields exist, it returns a MAP chart type.
+* If there is only one field and one record, it returns an SVP chart type. Example query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | count`
+* If a `sort` operator is present and there are string fields, it returns a TABLE. Given that there is a `sort` operator, probably the user is interested in `count`. Query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | sort by _count`
+* If there is a `_timeslice` field, it returns LINE chart type if there are numeric fields or a TABLE chart type if there are string fields.
+* If there is one string field, one numeric field, and record count is less than 6, it returns a PIE chart type. Query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename"`.
+* If there is one string field, less than 3 numeric field, and record count is less than 20, it returns a LINE chart.
+* If none of the above conditions are met, it defaults to returning a TABLE chart type.
-
#### Edit query code
-If needed, you can edit your log search query code.
+You can manually edit your log search query code if needed.
-1. Click **Show Log Query** to show the current investigation as a log query.
-1. Click in the code editor field and edit your search. Not familiar with Sumo Logic query language? See [Search Query Language](/docs/search/search-query-language) to learn more.
- :::note JSON formatting
- If your log query contains a mix JSON and non-JSON formatting, add `{` to the source expression to trigger **Suggestions**.
- :::
-1. When you're done, click the **Play** icon.
+
+
+1. When you're done, press Enter or click the search button.
+
+:::tip
+To save space, you can use the **Hide Log Query** icon to collapse the log query code.
+:::
-Select your preferred chart type, such as **Table**, **Bar**, **Column**, or **Line** view, to visualize your results.
+#### History
-
+Often, users work on multiple incidents at the same time. To view Copilot interactions related to these incidents, click **History**.
-#### Time range
+You can resume a conversation in two ways:
-1. Click the clock icon and select your desired time range from the dropdown.
-1. Click the search button.
+First, the Resume conversation icon picks up from the last query in a conversation.
+
+Second, you can resume from a specific query in a conversation by clicking on the row in the conversation history and then clicking on the gray area on the right side, as shown below.
+
+#### New Conversation
-### Step 5: Open in Log Search
+To start a new exploration, click **New Conversation**.
-Click the **Open in Log Search** icon (insert pic), which will copy your query from Copilot over to a new Log Search, allowing you to utilize all of Sumo Logic's search functionality. You can continue investigating, save the search, and remediate.
-
+### Step 4: Open in Log Search
-If you'd like to start over and begin a new investigation, click the **New Conversation** icon.
+Click the **Open in Log Search** icon, which will copy your query from Copilot over to a new log search, allowing you to utilize all of Sumo Logic's search functionality. You can continue investigating, save the search, and remediate.
-## Copilot example for Cloud SIEM
+
+
+
+
+## Example queries
+
+### Observability
+
+
+
+In the video, Copilot is used to investigate a security issue involving the potential leak of AWS CloudTrail access keys outside the organization.
+
+The video demonstrates how to use Copilot to analyze AWS CloudTrail data, review AI-curated suggestions, refine searches using natural language prompts, and generate an AI-driven dashboard for root cause analysis and sharing.
+
+
+
+
+### Cloud SIEM
You are a SecOps engineer who uses [Cloud SIEM](/docs/cse/). You are worried about a signal in Cloud SIEM regarding malicious network activity. Rather than wait for 14 days for an Insight to trigger, you want to investigate network records and be proactive. You are under pressure to complete your investigation quickly. While familiar with Sumo Logic, you do not write log queries every day and could use a little help. Fortunately, all your Cloud SIEM records are in Sumo Logic.
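Review bot: in the `@@ -50,112 +46,138 @@` hunk, under **Edit query code**, removing the two steps `-1. Click **Show Log Query** to show the current investigation as a log query.` and `-1. Click in the code editor field and edit your search...` leaves the list starting at `+1. When you're done, press Enter or click the search button.` with no preceding step, and the tip that follows refers to a **Hide Log Query** icon whose counterpart is never introduced; restore a first step that tells the reader to open the log query before editing it, and keep the [Search Query Language](/docs/search/search-query-language) link for readers who do not know the syntax. In the chart-type rules, the PIE rule (one string field, one numeric field, fewer than 6 records) and the LINE rule (one string field, fewer than 3 numeric fields, fewer than 20 records) overlap, so state that the rules are evaluated in the listed order and the first match wins, if that is how the deduction works; "less than 3 numeric field" should read "fewer than 3 numeric fields", and the `_timeslice` rule should say which chart is chosen when both numeric and string fields are present. Under **Example queries**, the `### Observability` subsection describes a video about a potential leak of AWS CloudTrail access keys, which is a security investigation; check that the heading and the embedded video match. Finally, `+Broad questions may not yield accurate results...` and `+Break your questions into smaller, specific prompts...` make the same point two lines apart and can be merged into one sentence.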
@@ -192,6 +214,10 @@ To summarize, you conclude there is malicious activity originating from certain
## Feedback
-We want your feedback! Let us know what you think by clicking the thumbs up or thumbs down icon. Optionally, you can also enter more context and information.
+We want your feedback! Let us know what you think by clicking the thumbs up or thumbs down icon and entering the context of your query.
+
+
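Review bot: in the `@@ -1,7 +1,6 @@` hunk the `description:` front matter still carries the old wording ("designed to simplify log analysis by allowing you to ask questions in plain English and providing search suggestions without the need to write log queries") while the body intro is rewritten to "accelerates investigations and troubleshooting in logs"; update the description so the page summary and the page agree. Also, removing `-sidebar_label: Copilot 🤖` without a replacement makes the sidebar fall back to the full `title`, "Sumo Logic Copilot - Feature Preview"; if a short label is wanted, add `sidebar_label: Copilot`.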
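Review bot: in the `@@ -21,28 +20,25 @@` hunk the new lead sentence `+Copilot reduces manual effort by combining prebuilt insights with natural language query analysis.` still promises prebuilt insights, but the `-* **Pre-built insights**.` bullet is removed in the same hunk and none of the remaining four bullets names them; either keep a bullet for the prebuilt **Suggestions** prompts (which the body later relies on) or drop the claim from the lead sentence. Minor: "expert level insights" should be hyphenated as "expert-level insights".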
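Review bot: in the `@@ -192,6 +214,10 @@` hunk the rewritten line `+We want your feedback! Let us know what you think by clicking the thumbs up or thumbs down icon and entering the context of your query.` drops the "Optionally" from the removed sentence, so it now reads as if a written comment is required to submit a rating; if the text field is still optional, keep that qualifier, for example "and, optionally, entering more context about your query".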
diff --git a/static/img/search/copilot/chart-types.png b/static/img/search/copilot/chart-types.png
index 9f74f42aea..253065f884 100644
Binary files a/static/img/search/copilot/chart-types.png and b/static/img/search/copilot/chart-types.png differ
diff --git a/static/img/search/copilot/code-editor.png b/static/img/search/copilot/code-editor.png
index 59a5dd08c8..285935f134 100644
Binary files a/static/img/search/copilot/code-editor.png and b/static/img/search/copilot/code-editor.png differ
diff --git a/static/img/search/copilot/copilot-geo-chart.png b/static/img/search/copilot/copilot-geo-chart.png
new file mode 100644
index 0000000000..20bb9e0b0d
Binary files /dev/null and b/static/img/search/copilot/copilot-geo-chart.png differ
diff --git a/static/img/search/copilot/copilot-tab-new.png b/static/img/search/copilot/copilot-tab-new.png
new file mode 100644
index 0000000000..f7b6a4dd23
Binary files /dev/null and b/static/img/search/copilot/copilot-tab-new.png differ
diff --git a/static/img/search/copilot/explore.png b/static/img/search/copilot/explore.png
deleted file mode 100644
index 7b618afaee..0000000000
Binary files a/static/img/search/copilot/explore.png and /dev/null differ
diff --git a/static/img/search/copilot/feedback-error.png b/static/img/search/copilot/feedback-error.png
new file mode 100644
index 0000000000..2d7c46c8ed
Binary files /dev/null and b/static/img/search/copilot/feedback-error.png differ
diff --git a/static/img/search/copilot/feedback-thumbs.png b/static/img/search/copilot/feedback-thumbs.png
index 3579949815..79c3229a95 100644
Binary files a/static/img/search/copilot/feedback-thumbs.png and b/static/img/search/copilot/feedback-thumbs.png differ
diff --git a/static/img/search/copilot/history.png b/static/img/search/copilot/history.png
new file mode 100644
index 0000000000..33f641f18c
Binary files /dev/null and b/static/img/search/copilot/history.png differ
diff --git a/static/img/search/copilot/manual-entry.png b/static/img/search/copilot/manual-entry.png
new file mode 100644
index 0000000000..f230f8143d
Binary files /dev/null and b/static/img/search/copilot/manual-entry.png differ
diff --git a/static/img/search/copilot/new-conversation.png b/static/img/search/copilot/new-conversation.png
index a788a45253..51564f0d92 100644
Binary files a/static/img/search/copilot/new-conversation.png and b/static/img/search/copilot/new-conversation.png differ
diff --git a/static/img/search/copilot/open-in-log-search.png b/static/img/search/copilot/open-in-log-search.png
index 54c95b3f04..0142db9654 100644
Binary files a/static/img/search/copilot/open-in-log-search.png and b/static/img/search/copilot/open-in-log-search.png differ
diff --git a/static/img/search/copilot/refine.png b/static/img/search/copilot/refine.png
deleted file mode 100644
index a068a2bef8..0000000000
Binary files a/static/img/search/copilot/refine.png and /dev/null differ
diff --git a/static/img/search/copilot/resume-convo-history1.png b/static/img/search/copilot/resume-convo-history1.png
new file mode 100644
index 0000000000..913c70770c
Binary files /dev/null and b/static/img/search/copilot/resume-convo-history1.png differ
diff --git a/static/img/search/copilot/resume-convo-history2.png b/static/img/search/copilot/resume-convo-history2.png
new file mode 100644
index 0000000000..a637ce9817
Binary files /dev/null and b/static/img/search/copilot/resume-convo-history2.png differ
diff --git a/static/img/search/copilot/search-button.png b/static/img/search/copilot/search-button.png
index 2601d2a68c..2430d0edb3 100644
Binary files a/static/img/search/copilot/search-button.png and b/static/img/search/copilot/search-button.png differ
diff --git a/static/img/search/copilot/show-hide-query.gif b/static/img/search/copilot/show-hide-query.gif
deleted file mode 100644
index 71006fdd96..0000000000
Binary files a/static/img/search/copilot/show-hide-query.gif and /dev/null differ
diff --git a/static/img/search/copilot/show-hide-query.png b/static/img/search/copilot/show-hide-query.png
new file mode 100644
index 0000000000..a9ed89420a
Binary files /dev/null and b/static/img/search/copilot/show-hide-query.png differ
diff --git a/static/img/search/copilot/source-category.png b/static/img/search/copilot/source-category.png
index aefd1cfafb..c3191a6441 100644
Binary files a/static/img/search/copilot/source-category.png and b/static/img/search/copilot/source-category.png differ
diff --git a/static/img/search/copilot/suggestions.png b/static/img/search/copilot/suggestions.png
new file mode 100644
index 0000000000..45efb09325
Binary files /dev/null and b/static/img/search/copilot/suggestions.png differ
diff --git a/static/img/search/copilot/time-period.png b/static/img/search/copilot/time-period.png
index bc534e0b7b..18ec6c7de7 100644
Binary files a/static/img/search/copilot/time-period.png and b/static/img/search/copilot/time-period.png differ