Merged
33 changes: 17 additions & 16 deletions docs/search/behavior-insights/logcompare.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ title: LogCompare
description: LogCompare allows you to easily compare log data from different time periods to detect major changes or anomalies.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

LogCompare allows you to easily compare log data from different time periods to detect major changes or anomalies. LogCompare runs a delta analysis that helps you troubleshoot and discover root causes.

For example, you could determine what was different right before a failure compared to the previous day or previous week. Or, you could easily check if a new release introduced a new issue by reviewing the difference in log streams across time.
Expand Down Expand Up @@ -40,7 +42,7 @@ LogCompare is an operator available in log searches. You can manually add it to

First, run a non-aggregate search, then the **LogCompare** button in the **Messages** tab can be quickly pressed to run the baseline (historical) query 24 hours in the past. However, you can easily change the baseline query time range by clicking the dropdown arrow to the right of the button.

![LogCompare button](/img/search/logcompare/logcompare-button.png)
<img src={useBaseUrl('img/search/logcompare/logcompare-button.png')} alt="LogCompare button" style={{border: '1px solid gray'}} width="800" />

Once clicked, a new search is opened with the `logcompare` operator and the specified `timeshift` added to your query, for example:

Expand All @@ -50,17 +52,17 @@ Once clicked, a new search is opened with the `logcompare` operator and the spec

A new tab labeled **Signatures** is provided with the compared results.

![Signatures tab](/img/search/logcompare/signatures-tab.png)
<img src={useBaseUrl('img/search/logcompare/signatures-tab.png')} alt="Signatures tab" style={{border: '1px solid gray'}} width="400" />

#### Custom option

Click the dropdown arrow next to the **LogCompare** button and select **Custom**.

![custom LogCompare](/img/search/logcompare/custom-logcompare.png)
<img src={useBaseUrl('img/search/logcompare/custom-logcompare.png')} alt="<custom LogCompare" style={{border: '1px solid gray'}} width="150" />

In the **Custom LogCompare** dialog, you can specify the target and baseline query independently, including their time ranges.

![LogCompare custom](/img/search/logcompare/logcompare-custom.png)
<img src={useBaseUrl('img/search/logcompare/logcompare-custom.png')} alt="LogCompare custom" style={{border: '1px solid gray'}} width="600" />

* **Baseline Query** is your historical query.
* **Time Shift** is the Time Shift of the Baseline Query, and it controls when the Baseline Query runs. If the Time Shift is -2d, that means that it will run for the exact Time Range duration (1 minute, in this query), but two days in the past.
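Review bot: the alt text on the custom-logcompare image in this hunk has a stray `<` (`alt="<custom LogCompare"`); it should read `alt="custom LogCompare"` so assistive technology does not announce the bracket and the attribute matches the other images added in this hunk.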
Expand Down Expand Up @@ -166,14 +168,13 @@ error | logcompare timeshift -1d

After running a query with LogCompare your results are displayed in the **Signatures** tab of the Search page. You will have a table with **Count**, **Score**, **Actions**, and **Signature** columns.

![Signatures tab columns](/img/search/logcompare/signatures-tab-columns.png)

<img src={useBaseUrl('img/search/logcompare/signatures-tab-columns.png')} alt="Signatures tab columns" style={{border: '1px solid gray'}} width="500" />

### Count

**Count** is the number of raw logs that were clustered into the signature from the target query.

![signature count](/img/search/logcompare/signature-count.png)
<img src={useBaseUrl('img/search/logcompare/signature-count.png')} alt="Signature count" style={{border: '1px solid gray'}} width="800" />

The **count** column shows the following:

Expand All @@ -185,11 +186,11 @@ You will see that some clusters are **new** and some are **gone** especially i

New signatures have their column highlighted:

![new-signature](/img/search/logcompare/new-signature.png)
<img src={useBaseUrl('img/search/logcompare/new-signature.png')} alt="New signature" style={{border: '1px solid gray'}} width="500" />

Gone signatures look like the following:

![gone-signature](/img/search/logcompare/gone-signature.png)
<img src={useBaseUrl('img/search/logcompare/gone-signature.png')} alt="Gone signature" style={{border: '1px solid gray'}} width="500" />

The following table illustrates the way **Count** results are calculated. For example, if the baseline query returns signatures A, B, C, and D while the target includes A, B, D, and E signatures, your results would look like the following:

Expand All @@ -209,7 +210,7 @@ Using the **details** option launches a new query adding a unique signature ID

After running a LogCompare search, from the **Signatures** tab, you can view logs grouped together in a signature. To see the raw log data from signatures click the blue underlined number in the **Count** column. A new log search is opened with the details option set against the selected signature.

![details option](/img/search/logcompare/details-option.png)
<img src={useBaseUrl('img/search/logcompare/details-option.png')} alt="Details option" style={{border: '1px solid gray'}} width="800" />

Details option syntax:

Expand All @@ -222,7 +223,7 @@ The **Score** column is calculated based on the significance of the change in

The value is calculated using a symmetric version of [Kullback-Leibler divergence score](https://en.wikipedia.org/wiki/Kullback%E2%80%93Leibler_divergence).

![signature score](/img/search/logcompare/signature-score.png)
<img src={useBaseUrl('img/search/logcompare/signature-score.png')} alt="Signature score" style={{border: '1px solid gray'}} width="800" />


### Actions
Expand All @@ -233,10 +234,10 @@ The following table explains the icons in the **Actions** column.

| Icon | Action |
|:---|:---|
| ![promote](/img/search/logcompare/promote.png) | Promote a signature if the data included in the signature is relevant. Once promoted the thumbs-up icon turns blue. |
| ![demote](/img/search/logcompare/demote.png) | Demote a signature if it's not relevant. Once demoted the thumbs-down icon turns blue. |
| ![split](/img/search/logcompare/split.png) | Split a signature into multiple signatures to see more granular results. You'll notice that fewer wildcard asterisks will appear. Instead, specific values are included in the signatures. After splitting, the newly split signatures are highlighted. |
| ![edit](/img/search/logcompare/edit.png) | Edit the signature. After editing, the signature is highlighted. |
| <img src={useBaseUrl('img/search/logcompare/promote.png')} alt="promote" style={{border: '1px solid gray'}} width="50" /> | Promote a signature if the data included in the signature is relevant. Once promoted the thumbs-up icon turns blue. |
| <img src={useBaseUrl('img/search/logcompare/demote.png')} alt="demote" style={{border: '1px solid gray'}} width="50" />| Demote a signature if it's not relevant. Once demoted the thumbs-down icon turns blue. |
| <img src={useBaseUrl('img/search/logcompare/split.png')} alt="split" style={{border: '1px solid gray'}} width="50" />| Split a signature into multiple signatures to see more granular results. You'll notice that fewer wildcard asterisks will appear. Instead, specific values are included in the signatures. After splitting, the newly split signatures are highlighted. |
| <img src={useBaseUrl('img/search/logcompare/edit.png')} alt="edit" style={{border: '1px solid gray'}} width="50" />| Edit the signature. After editing, the signature is highlighted. |

### Signature 

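Review bot: the demote, split and edit rows in this table drop the space between the closing `/>` and the cell delimiter (`width="50" />|`), while the promote row keeps it (`width="50" /> |`). Add the space on the three rows so all cells are formatted the same way and the MDX table source stays readable.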
Expand Down Expand Up @@ -276,4 +277,4 @@ When selecting the time range of your search, keep in mind:

By default, LogCompare email notifications provide details on the **Score**, **Count**, and **Signature**, as shown in the following email example. This is not configurable.

![Email alert](/img/search/logcompare/logcompare-email-alert.png)
<img src={useBaseUrl('img/search/logcompare/logcompare-email-alert.png')} alt="Email alert" style={{border: '1px solid gray'}} width="700" />
4 changes: 3 additions & 1 deletion docs/search/behavior-insights/logexplain.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ title: LogExplain
description: Group by the keys of JSON or keyvalue logs.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

The **LogExplain** operator allows you to compare sets of structured logs based on events you are interested in. Structured logs can be in JSON, CSV, key-value, or any structured format. Often logs relevant to troubleshooting and security insights are scattered among other logs that show the expected behavior and performance. These logs normally consist of different content, where it is helpful to see which values occur more often in events of interest versus normal operation logs. For example, events of interest often contain information relevant to persistent errors, excess load, and high latency.

You will need to specify an event of interest as a conditional statement, this is called the Event Condition. You can specify a condition to compare against the event-of-interest condition, this is called the Against Condition. If no Against Condition is provided, LogExplain will generate the comparison data set based on the fields in your Event Condition.
Expand Down Expand Up @@ -125,7 +127,7 @@ _sourceCategory=*cloudtrail*

Results show the relevance of each explanation:

![CloudTrail example with LogExplain.png](/img/search/behavior-insights/cloudtrail-example-logexplain.png)
<img src={useBaseUrl('img/search/behavior-insights/cloudtrail-example-logexplain.png')} alt="CloudTrail example with LogExplain" style={{border: '1px solid gray'}} width="800" />

### Windows Credentials

Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ title: Detect Patterns with LogReduce
description: LogReduce groups messages with similar structures and common repeated text strings into signatures, providing a quick investigative view, or snapshot, for the keywords or time range provided.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

The LogReduce&reg; algorithm uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into **signatures**, providing a quick investigative view, or snapshot, for the keywords or time range provided.

The **Signatures** tab displays LogReduce results as signatures. A signature is basically a reflection of the logs grouped by LogReduce—not all logs grouped in a signature will exactly match it. Within a signature, fields that vary are displayed with wildcard placeholders (`**********`) while other fields, such as timestamp (and some URLs) are ignored and replaced with placeholder variables such as `$DATE` and `$URL`.
Expand All @@ -30,7 +32,7 @@ The logreduce operator cannot be used with group-by functions such as "count b
* Rate the relevance of signatures by promoting or demoting them under the available **Actions**.
* Change signatures by clicking the pencil icon.
* Split signatures that should not be grouped by clicking on the split arrows.
* To export the results, click the **Export** icon. Then click **Download** to save the file to your computer.<br/> ![LogreduceIcons.png](/img/search/logreduce/logreduceicons.png)
* To export the results, click the **Export** icon. Then click **Download** to save the file to your computer.<br/><img src={useBaseUrl('img/search/logreduce/logreduceicons.png')} alt="Logreduce Icons" style={{border: '1px solid gray'}} width="800" />
1. Promote, Demote, Split, and Edit icons. 
1. Undo and Redo icons. 
1. Click to view messages for the selected signature.
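Review bot: the alt text added on the export-icons image uses `Logreduce Icons`, but the product name used in this file is `LogReduce` (see the `LogReduce&reg;` line above); change it to `alt="LogReduce icons"` so the alt text matches the documented name.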
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ title: Influence the LogReduce Outcome
description: You can influence the algorithm by editing a signature to make the results more general, or see more granular results by splitting a signature.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

The algorithm used for the LogReduce&reg; operator uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into **Signatures**, providing a quick investigative view, or snapshot, for the keywords or time range provided. LogReduce data is based on the data available to the algorithm during the time range of your search.

Expand All @@ -13,26 +14,20 @@ The following icons allow you to change the results of a LogReduce report:

| Icon | Action |
| :-- | :-- |
| ![Promote .png](/img/search/logreduce/Promote.png) | Promote a signature to the top position of the **Signatures** tab. |
| ![Demote.png](/img/search/logreduce/Demote.png) | Demote a signature to move it to the bottom of the last page of the **Signatures** tab. |
| ![Split.png](/img/search/logreduce/Split.png) | Split a signature into multiple signature. |
| ![Edit.png](/img/search/logreduce/Edit.png) | Edit the signature. |
| ![Undo.png](/img/search/logreduce/Undo.png) | Undo the last action or step back through the history of changes. |
| ![Redo.png](/img/search/logreduce/Redo.png) | Redo the last action. Repeat to redo the history of undos. |
| <img src={useBaseUrl('img/search/logreduce/Promote.png')} alt="Promote" width="50" />| Promote a signature to the top position of the **Signatures** tab. |
| <img src={useBaseUrl('img/search/logreduce/Demote.png')} alt="Demote" width="50" />| Demote a signature to move it to the bottom of the last page of the **Signatures** tab. |
| <img src={useBaseUrl('img/search/logreduce/Split.png')} alt="Split" width="50" />| Split a signature into multiple signature. |
| <img src={useBaseUrl('img/search/logreduce/Edit.png')} alt="Edit" width="50" />| Edit the signature. |
| <img src={useBaseUrl('img/search/logreduce/Undo.png')} alt="Undo" width="50" />| Undo the last action or step back through the history of changes. |
| <img src={useBaseUrl('img/search/logreduce/Redo.png')} alt="Redo" width="50" />| Redo the last action. Repeat to redo the history of undos. |

## Promoting or Demoting a LogReduce Signature

Relevance is one factor in LogReduce, but it is a global factor. Members of your org can promote and demote signatures related to your Search. 

To influence the relevance of signatures, select the **Signatures** tab and:

* **Promote** a signature by clicking the Thumbs-Up icon for a signature to indicate to Sumo Logic that the data included in the signature is relevant to you. This feedback is taken into consideration when you run LogReduce the next time. 

![LogReducePromote.png](/img/search/logreduce/LogReducePromote.png)

* **Demote** a signature by clicking the Thumbs-Down icon for a signature to indicate that this signature is not relevant to you.

![LogReduceDemote.png](/img/search/logreduce/LogReduceDemote.png)
* **Promote** a signature by clicking the Thumbs-Up icon for a signature to indicate to Sumo Logic that the data included in the signature is relevant to you. This feedback is taken into consideration when you run LogReduce the next time.<br/><img src={useBaseUrl('img/search/logreduce/LogReducePromote.png')} alt="LogReduce Promote" style={{border: '1px solid gray'}} width="800" />
* **Demote** a signature by clicking the Thumbs-Down icon for a signature to indicate that this signature is not relevant to you.<br/><img src={useBaseUrl('img/search/logreduce/LogReduceDemote.png')} alt="LogReduce Demote" style={{border: '1px solid gray'}} width="800" />

If no one in your account has ever promoted or demoted a signature the default [relevance score](understand-the-logreduce-relevance-column.md) calculated by Sumo Logic is displayed. If you have never promoted or demoted a signature but someone else in your account has, then you will see the global setting for this signature. If you have promoted or demoted a signature, then you will see your personally calculated relevance score.
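Review bot: the six icon rows added to the table in this hunk omit the `style={{border: '1px solid gray'}}` attribute that every other `<img>` in this PR carries, including the matching icon table in logcompare.md, and they also lack the space between `/>` and `|`. Either add the border here or drop it everywhere so the icons render consistently; while touching the split row, `multiple signature` should read `multiple signatures`.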

Expand All @@ -50,10 +45,10 @@ After you split a signature, the position of the signatures may move (one may ev

For example, in your Windows logs you've selected a signature to split. The Category shouldn't be generic; by splitting the signature you should get more specific results.

![LogReduceSplit.png](/img/search/logreduce/LogReduceSplit.png)
<img src={useBaseUrl('img/search/logreduce/LogReduceSplit.png')} alt="LogReduce Split" style={{border: '1px solid gray'}} width="800" />

After splitting, you will see that each signature has specific data:

![SplitResult.png](/img/search/logreduce/SplitResult.png)
<img src={useBaseUrl('img/search/logreduce/SplitResult.png')} alt="Split Result" style={{border: '1px solid gray'}} width="800" />


3 changes: 2 additions & 1 deletion docs/search/behavior-insights/logreduce/logreduce-keys.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ title: LogReduce Keys
description: Group by the keys of JSON or keyvalue logs.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

The **LogReduce Keys** operator allows you to quickly explore JSON or key-value formatted logs by schemas. If you have a large volume of JSON or key-value logs with different formats and aren't sure which ones you need to focus on, this operator can process them into their object schemas so you can review which ones are relevant to your needs.

Expand Down Expand Up @@ -102,6 +103,6 @@ _sourceCategory=*cloudtrail* *AccessDenied* 

The schemas returned in your results are sorted based on the alphabetical ordering of keys to allow easy identification of changes in patterns.

![CloudTrail example LogReduce Keys.png](/img/search/behavior-insights/CloudTrail-example-LogReduce-Keys.png)
<img src={useBaseUrl('img/search/behavior-insights/CloudTrail-example-LogReduce-Keys.png')} alt="CloudTrail example LogReduce Keys" style={{border: '1px solid gray'}} width="700" />

Next, use [LogReduce Values](/docs/search/behavior-insights/logreduce/logreduce-values) to explore the schema based on specific keys.
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ title: LogReduce Operator
description: The LogReduce Operator allows you to quickly assess activity patterns for things like a range of devices or traffic on a website.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

:::important
The summarize operator has been renamed the LogReduce operator, to match the **LogReduce** button on the **Messages** tab. Both operators will continue to work in search queries as synonyms for a limited time. We recommend that you rewrite saved queries replacing summarize with logreduce.
:::
Expand All @@ -22,10 +24,7 @@ For information on how to interpret and influence the outcome of LogReduce resul
When you've already run a search query with non-aggregate results, you can use the **LogReduce** button in the **Messages** tab to automatically apply the LogReduce operator to the current results.

1. Run a search query with non-aggregate results.
1. In the **Messages** tab, the **LogReduce** button displays. Click it to automatically apply the LogReduce operator to your results.

![button](/img/search/logreduce/logreduce-button.png)

1. In the **Messages** tab, the **LogReduce** button displays. Click it to automatically apply the LogReduce operator to your results.<br/><img src={useBaseUrl('img/search/logreduce/logreduce-button.png')} alt="Button" style={{border: '1px solid gray'}} width="400" />
1. The **Signatures** tab is displayed with your results. 

### Rules
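Review bot: `alt="Button"` on the logreduce-button image in this hunk is not descriptive; the other images in this PR name what they show (for example `alt="LogCompare button"`), so use `alt="LogReduce button"` here.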
Expand All @@ -52,7 +51,7 @@ After running a LogReduce operation, from the **Signatures** tab, you can view
* Click the number in the **Count** column for a signature.
* Check the checkboxes in the **Select** column for any number of signatures and click the **View Details** button on the top right of the table.

![logreduce details option.png](/img/search/logreduce/logreduce-details-option.png)
<img src={useBaseUrl('img/search/logreduce/logreduce-details-option.png')} alt="LogReduce details option" style={{border: '1px solid gray'}} width="800" />

Details option syntax:
