DOCS-752 - Copilot unstructured logs #5196

Draft: wants to merge 3 commits into base: main
81 changes: 81 additions & 0 deletions docs/search/copilot-unstructured-logs.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
---
id: copilot-unstructured-logs
title: Sumo Logic Copilot - Unstructured Logs Support (Beta)
description: Streamline your log analysis with Sumo Logic Copilot, our AI-based assistant that simplifies log analysis by letting you ask questions in plain English, even for logs without a well-defined structure.
keywords:
- copilot
- artificial intelligence
- ai
- machine learning
- ml
---

import Iframe from 'react-iframe';
import useBaseUrl from '@docusaurus/useBaseUrl';

<head>
<meta name="robots" content="noindex" />
</head>

<p><a href="/docs/beta"><span className="beta">Beta</span></a></p>

This feature is in Beta. To participate, contact your Sumo Logic account executive or [enroll here](https://forms.gle/LozrrAppM9FM94tS9).

Unstructured Logs Support for [Sumo Logic Copilot](/docs/search/copilot), our AI assistant, enables it to understand and provide insights from raw, text-based logs—even if they don't follow a structured format like JSON. This means you can ask questions in plain English and get meaningful results from nearly any log data, without requiring Field Extraction Rules (FERs).

## What's new

Previously, Copilot worked best on structured (JSON) logs. Now, it automatically applies parsing logic to unstructured logs, even if no FERs are configured. This allows Copilot to interpret logs from many popular data sources out-of-the-box.

Copilot learns from usage patterns—if a log source is already used in dashboards or commonly queried, it’s more likely to produce strong results.

* **Broader coverage**. Copilot now parses and generates insights from unstructured log formats, even without FERs, making it useful for environments that include custom or inconsistent log types.
* **Improved usability**. Ask questions in natural language. Copilot interprets your intent and suggests relevant searches—even for raw, non-JSON logs.
* **Performance and reliability**. Response times and suggestion accuracy are consistent with Copilot’s structured log experience.
* **Security and compliance**. The same strict data handling and privacy standards apply. Unstructured Logs Support builds on Copilot’s secure foundation.
* **Common use cases**.
* **Keyword-based search**. Search for IP addresses, error codes, or other patterns without needing a predefined schema.
* **Error triage**. Quickly identify the most common error messages in raw logs to speed up troubleshooting.
* **Threat hunting**. Detect suspicious activity, failed logins, or unusual patterns in plain-text logs.
* **Smarter prioritization**. Frequently used data sources (such as those in dashboards or frequent queries) are prioritized for deeper insights.

## Tips and best practices

* Start with common natural language queries, like:
- “Show failed login attempts for the past 24 hours”
- “Find logs with IP 192.0.2.0”
- “What are the top 5 errors from nginx logs today?”
* Use dashboards to monitor your log sources. Copilot performs better when logs are part of existing queries and visualizations.
* Logs with clear timestamps, separators (like commas or tabs), and consistent patterns tend to yield better results.

## Related updates

These recent Copilot enhancements make it even easier to work with unstructured logs:

* **Dynamic conversation titles**. Your queries are automatically named for easy organization and retrieval.
* **"Open in Copilot" for alerts**. Investigate alerts directly in Copilot without losing context.
* **Suggestion pinning**. Pin suggestions inside a conversation to revisit them during your investigation.

## FAQ

**Does this replace Field Extraction Rules (FERs)?**<br/>
No. Copilot works with or without FERs. While FERs are useful for structured analysis, they're no longer required for Copilot to interpret unstructured logs.

**Will Copilot interpret all my logs?**<br/>
Copilot prioritizes data sources that are already used in dashboards or frequent queries. This improves the relevance of insights and helps focus on high-value logs.

**How is this different from structured log support?**<br/>
Structured logs have predefined fields, allowing Copilot to map queries directly. For unstructured logs, Copilot uses AI and parsing techniques to infer structure on the fly.


## Feedback and support

We’re actively looking for customers to participate in the beta and provide feedback. Ideal participants:

* Use dashboards for monitoring across most of their data sources
* Have some hands-on experience with Copilot
* Are willing to provide detailed feedback during the beta

👉 [Click here to enroll](https://forms.gle/LozrrAppM9FM94tS9)

To report issues or share feedback, reach out through your Sumo Logic account team.
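Review bot: The two `import` lines at the top of the new file (`Iframe` from 'react-iframe' and `useBaseUrl` from '@docusaurus/useBaseUrl') are never used anywhere in the page body, so they should be dropped to avoid dead MDX imports and a lint warning. In the "What's new" list, the four items under "**Common use cases**." are written at the same indentation as their parent bullet, so they will render as flat siblings rather than a nested list; indent them (two spaces under the parent) to match the nesting used in "Tips and best practices". The "**Security and compliance**" bullet asserts that "the same strict data handling and privacy standards apply" but gives the reader nowhere to verify that; link it to the existing Copilot data-handling documentation (the `/docs/search/copilot` page already linked in the intro, or wherever those standards are described) so the claim is checkable rather than bare. Minor: the double blank line before "## Feedback and support" should be collapsed to one.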