diff --git a/blog-service/2021/12-31.md b/blog-service/2021/12-31.md index 42ff53b436..3b0f583401 100644 --- a/blog-service/2021/12-31.md +++ b/blog-service/2021/12-31.md @@ -566,7 +566,7 @@ Update - The [alert variable](/docs/alerts/monitors/alert-variables) `Results --- ## April 7, 2021 (Search) -Update - The LogReduce operator now provides an [optimize option](/docs/search/logreduce) that provides up to 10x speedup over classic LogReduce on datasets with hundreds of thousands of logs. +Update - The LogReduce operator now provides an [optimize option](/docs/search/behavior-insights/logreduce) that provides up to 10x speedup over classic LogReduce on datasets with hundreds of thousands of logs. --- ## April 6, 2021 (Dashboard) diff --git a/cid-redirects.json b/cid-redirects.json index bce94b0c8e..8af9425d8f 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -370,8 +370,8 @@ "/05Search/Anomaly-Detection/Anomalies-Page/Drill-Down-into-Events": "/docs/dashboards/drill-down-to-discover-root-causes", "/05Search/Behavior_Insights": "/docs/search/behavior-insights", "/05Search/Behavior_Insights/LogExplain": "/docs/search/behavior-insights/logexplain", - "/05Search/Behavior_Insights/LogReduce_Keys": "/docs/search/behavior-insights/logreduce-keys", - "/05Search/Behavior_Insights/LogReduce_Values": "/docs/search/behavior-insights/logreduce-values", + "/05Search/Behavior_Insights/LogReduce_Keys": "/docs/search/behavior-insights/logreduce/logreduce-keys", + "/05Search/Behavior_Insights/LogReduce_Values": "/docs/search/behavior-insights/logreduce/logreduce-values", "/05Search/Get-Started-with-Search": "/docs/search/get-started-with-search", "/05Search/Get-Started-with-Search/How-to-Build-a-Search": "/docs/search/get-started-with-search/build-search", "/05Search/Get-Started-with-Search/How-to-Build-a-Search/Best-Practices%3A-Search-Rules-to-Live-By": "/docs/search/get-started-with-search/build-search/best-practices-search", 
@@ -435,17 +435,17 @@
 "/05Search/Live-Tail/Live-Tail-Show-in-Search": "/docs/search/live-tail/live-tail-show-in-search",
 "/05Search/Live-Tail/Multiple-Live-Tails": "/docs/search/live-tail/multiple-live-tails",
 "/05Search/Live-Tail/Troubleshooting-Live-Tail": "/docs/search/live-tail/troubleshooting-live-tail",
- "/05Search/LogCompare": "/docs/search/logcompare",
- "/05Search/LogCompare/About-LogCompare": "/docs/search/logcompare",
- "/05Search/LogCompare/Create-a-LogCompare-Email-Alert": "/docs/search/logcompare",
- "/05Search/LogCompare/LogCompare-Syntax": "/docs/search/logcompare",
- "/05Search/LogCompare/Run-LogCompare": "/docs/search/logcompare",
- "/05Search/LogCompare/Understand-LogCompare-Results": "/docs/search/logcompare",
- "/05Search/LogReduce": "/docs/search/logreduce/logreduce-operator",
- "/05Search/LogReduce/01-LogReduce-Operator": "/docs/search/logreduce/logreduce-operator",
- "/05Search/LogReduce/Detect-Patterns-with-LogReduce": "/docs/search/logreduce/detect-patterns-with-logreduce",
- "/05Search/LogReduce/Influence-the-LogReduce-Outcome": "/docs/search/logreduce/influence-the-logreduce-outcome",
- "/05Search/LogReduce/Understand-the-LogReduce-Relevance-Column": "/docs/search/logreduce/understand-the-logreduce-relevance-column",
+ "/05Search/LogCompare": "/docs/search/behavior-insights/logcompare",
+ "/05Search/LogCompare/About-LogCompare": "/docs/search/behavior-insights/logcompare",
+ "/05Search/LogCompare/Create-a-LogCompare-Email-Alert": "/docs/search/behavior-insights/logcompare",
+ "/05Search/LogCompare/LogCompare-Syntax": "/docs/search/behavior-insights/logcompare",
+ "/05Search/LogCompare/Run-LogCompare": "/docs/search/behavior-insights/logcompare",
+ "/05Search/LogCompare/Understand-LogCompare-Results": "/docs/search/behavior-insights/logcompare",
+ "/05Search/LogReduce": "/docs/search/behavior-insights/logreduce/logreduce-operator",
+ "/05Search/LogReduce/01-LogReduce-Operator": "/docs/search/behavior-insights/logreduce/logreduce-operator",
+ "/05Search/LogReduce/Detect-Patterns-with-LogReduce": "/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce",
+ "/05Search/LogReduce/Influence-the-LogReduce-Outcome": "/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome",
+ "/05Search/LogReduce/Understand-the-LogReduce-Relevance-Column": "/docs/search/behavior-insights/logreduce/understand-the-logreduce-relevance-column",
 "/05Search/Lookup_Tables": "/docs/search/lookup-tables",
 "/05Search/Lookup_Tables/01_Create_a_Lookup_Table0": "/docs/search/lookup-tables/create-lookup-table",
 "/05Search/Lookup_Tables/01_Create_a_Lookup_Table": "/docs/search/lookup-tables/create-lookup-table",
@@ -1703,7 +1703,7 @@
 "/cid/10450": "/docs/alerts/webhook-connections/microsoft-teams",
 "/cid/1046": "/docs/alerts/webhook-connections/pagerduty",
 "/cid/1047": "/docs/alerts/webhook-connections/datadog",
- "/cid/1048": "/docs/search/logcompare",
+ "/cid/1048": "/docs/search/behavior-insights/logcompare",
 "/cid/1049": "/docs/get-started",
 "/cid/1050": "/docs/integrations/amazon-aws/s3-audit",
 "/cid/1051": "/docs/integrations/amazon-aws/vpc-flow-logs",
@@ -1720,8 +1720,8 @@
 "/cid/1061": "/release-notes-collector",
 "/cid/1062": "/docs/alerts/webhook-connections",
 "/cid/1063": "/docs/alerts/webhook-connections/aws-lambda",
- "/cid/1064": "/docs/search/logreduce/logreduce-operator",
- "/cid/1065": "/docs/search/logreduce/logreduce-operator",
+ "/cid/1064": "/docs/search/behavior-insights/logreduce/logreduce-operator",
+ "/cid/1065": "/docs/search/behavior-insights/logreduce/logreduce-operator",
 "/cid/1066": "/docs/send-data/hosted-collectors/cloud-syslog-source",
 "/cid/1067": "/docs/search/live-tail/live-tail-cli",
 "/cid/1068": "/docs/search/live-tail/about-live-tail", 
@@ -1877,7 +1877,7 @@
 "/cid/2005": "/docs/search/get-started-with-search",
 "/cid/2006": "/docs/search/search-query-language/search-operators/manually-cast-data-string-number",
 "/cid/2008": "/docs/send-data/installed-collectors/linux",
- "/cid/2009": "/docs/search/logcompare",
+ "/cid/2009": "/docs/search/behavior-insights/logcompare",
 "/cid/2010": "/docs/search/search-query-language/search-operators/if",
 "/cid/2011": "/docs/get-started/help",
 "/cid/2012": "/docs/manage/security/enable-support-account",
@@ -1888,7 +1888,7 @@
 "/cid/2017": "/docs/manage/users-roles/users/delete-user",
 "/cid/2018": "/docs/send-data/installed-collectors/windows",
 "/cid/2019": "/docs/integrations/pci-compliance/linux",
- "/cid/2021": "/docs/search/logreduce/detect-patterns-with-logreduce",
+ "/cid/2021": "/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce",
 "/cid/2022": "/docs/send-data/installed-collectors",
 "/cid/2023": "/docs/send-data/collection/edit-collector",
 "/cid/2024": "/docs/search/get-started-with-search/search-basics/export-search-results",
@@ -1896,7 +1896,7 @@
 "/cid/2027": "/docs/search/get-started-with-search/build-search/keyword-search-expressions",
 "/cid/2028": "/docs/search/get-started-with-search",
 "/cid/2030": "/docs/search/search-query-language/group-aggregate-operators",
- "/cid/2032": "/docs/search/logreduce/influence-the-logreduce-outcome",
+ "/cid/2032": "/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome",
 "/cid/2033": "/docs/get-started",
 "/cid/2036": "/docs/integrations/hosts-operating-systems/linux",
 "/cid/2038": "/docs/search/search-query-language/math-expressions", 
@@ -1911,10 +1911,10 @@
 "/cid/2047": "/docs/search/get-started-with-search/search-basics/pause-cancel-search",
 "/cid/2049": "/docs/send-data/installed-collectors/sources/remote-file-source/prerequisites-windows-remote-file-collection",
 "/cid/2050": "/docs/get-started",
- "/cid/2057": "/docs/search/logcompare",
+ "/cid/2057": "/docs/search/behavior-insights/logcompare",
 "/cid/2058": "/docs/alerts/scheduled-searches/create-email-alert",
 "/cid/2059": "/docs/search/get-started-with-search/search-basics/save-search",
- "/cid/2060": "/docs/search/logcompare",
+ "/cid/2060": "/docs/search/behavior-insights/logcompare",
 "/cid/2064": "/docs/search/search-cheat-sheets/general-search-examples",
 "/cid/2066": "/docs/search/get-started-with-search/search-basics/search-surrounding-messages",
 "/cid/2068": "/docs/integrations/saas-cloud/fastly",
@@ -1922,9 +1922,9 @@
 "/cid/2070": "/docs/search/search-query-language/search-operators/sort",
 "/cid/2071": "/docs/send-data/collection/start-stop-collector-using-scripts",
 "/cid/2072": "/docs/search/get-started-with-search/suggested-searches",
- "/cid/2073": "/docs/search/logcompare",
- "/cid/2074": "/docs/search/logreduce/logreduce-operator",
- "/cid/2075": "/docs/search/logreduce/logreduce-operator",
+ "/cid/2073": "/docs/search/behavior-insights/logcompare",
+ "/cid/2074": "/docs/search/behavior-insights/logreduce/logreduce-operator",
+ "/cid/2075": "/docs/search/behavior-insights/logreduce/logreduce-operator",
 "/cid/2076": "/docs/get-started",
 "/cid/2077": "/docs/get-started",
 "/cid/2078": "/docs/search/search-query-language/search-operators/if", 
@@ -2089,7 +2089,7 @@
 "/cid/4412": "/docs/integrations/saas-cloud/crowdstrike-fdr-host-inventory",
 "/cid/44122": "/docs/integrations/saas-cloud/crowdstrike-spotlight",
 "/cid/44123": "/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage",
- "/cid/4020": "/docs/search/logreduce",
+ "/cid/4020": "/docs/search/behavior-insights/logreduce",
 "/cid/4021": "/docs/search/search-query-language/search-operators/accum",
 "/cid/40001": "/docs/search/search-query-language/search-operators/as",
 "/cid/40002": "/docs/search/search-query-language/search-operators/asn-lookup",
@@ -2285,7 +2285,7 @@
 "/cid/5134": "/docs/dashboards/panels",
 "/cid/5135": "/docs/dashboards/drill-down-to-discover-root-causes",
 "/cid/5136": "/docs/get-started/library",
- "/cid/5138": "/docs/search/logreduce/influence-the-logreduce-outcome",
+ "/cid/5138": "/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome",
 "/cid/5139": "/docs/send-data/collection/edit-source",
 "/cid/5140": "/docs/get-started/library",
 "/cid/5143": "/docs/manage/users-roles/roles/create-manage-roles",
@@ -2423,7 +2423,7 @@
 "/cid/5334": "/docs/search/get-started-with-search/suggested-searches/microsoft-iis-parser",
 "/cid/5335": "/docs/search",
 "/cid/5336": "/docs/send-data/collection/search-for-a-collector-or-source",
- "/cid/5339": "/docs/search/logreduce",
+ "/cid/5339": "/docs/search/behavior-insights/logreduce",
 "/cid/5340": "/docs/integrations/sumo-apps/security-analytics",
 "/cid/5341": "/docs/integrations/sumo-apps/security-analytics",
 "/cid/5342": "/docs/alerts/webhook-connections/servicenow", 
@@ -2439,7 +2439,7 @@
 "/cid/5356": "/docs/dashboards/panels/modify-chart",
 "/cid/5368": "/docs/dashboards/panels/single-value-charts",
 "/cid/5375": "/",
- "/cid/5377": "/docs/search/logreduce/understand-the-logreduce-relevance-column",
+ "/cid/5377": "/docs/search/behavior-insights/logreduce/understand-the-logreduce-relevance-column",
 "/cid/5378": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail",
 "/cid/5379": "/docs/integrations/amazon-aws/elastic-load-balancing",
 "/cid/5380": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail",
@@ -2478,7 +2478,7 @@
 "/cid/5444": "/docs/integrations/web-servers/varnish",
 "/cid/5445": "/docs/integrations/web-servers/varnish",
 "/cid/5446": "/docs/integrations/containers-orchestration/vmware-legacy",
- "/cid/5448": "/docs/search/logreduce/detect-patterns-with-logreduce",
+ "/cid/5448": "/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce",
 "/cid/5449": "/docs/integrations/containers-orchestration/vmware-legacy",
 "/cid/5450": "/",
 "/cid/5454": "/docs/manage/security/create-allowlist-ip-cidr-addresses",
@@ -2687,8 +2687,8 @@
 "/cid/23411": "/docs/integrations/saas-cloud/sophos",
 "/cid/9078": "/docs/manage/users-roles/roles/construct-search-filter-for-role",
 "/cid/915200739": "/docs/observability/sdo/about-sdo",
- "/cid/9201": "/docs/search/behavior-insights/logreduce-keys",
- "/cid/9202": "/docs/search/behavior-insights/logreduce-values",
+ "/cid/9201": "/docs/search/behavior-insights/logreduce/logreduce-keys",
+ "/cid/9202": "/docs/search/behavior-insights/logreduce/logreduce-values",
 "/cid/9205": "/docs/search/behavior-insights/logexplain",
 "/cid/96734": "/docs/send-data/hosted-collectors/http-source/troubleshooting",
 "/cid/97652": "/docs/integrations/saas-cloud/qualys-vmdr", 
@@ -3799,9 +3799,9 @@
 "/Search/Get_Started_with_Search/Search_Basics/Search_Metadata": "/docs/search/get-started-with-search/search-basics",
 "/Search/Library/Apps-in-Sumo-Logic/01-Sumo-Logic-Apps/Data-Volume-App": "/docs/integrations/sumo-apps/data-volume",
 "/Search/Library/Apps-in-Sumo-Logic/01-Sumo-Logic-Apps/Data-Volume-App/Data-Volume-App-Dashboards": "/docs/integrations/sumo-apps/data-volume",
- "/Search/LogCompare": "/docs/search/logcompare",
- "/Search/LogCompare/About_LogCompare": "/docs/search/logcompare",
- "/Search/LogReduce": "/docs/search/logreduce",
+ "/Search/LogCompare": "/docs/search/behavior-insights/logcompare",
+ "/Search/LogCompare/About_LogCompare": "/docs/search/behavior-insights/logcompare",
+ "/Search/LogReduce": "/docs/search/behavior-insights/logreduce",
 "/Query_Language": "/docs/search/search-query-language",
 "/Search/Search_Query_Language": "/docs/search/search-query-language",
 "/Search/Search_Query_Language/Parse_Operators/CSV_Operator": "/docs/search/search-query-language/parse-operators/parse-csv-formatted-logs", 
@@ -4186,5 +4186,13 @@
 "/docs/integrations/amazon-aws/aurora-mysql-ulm": "/docs/integrations/amazon-aws/rds",
 "/docs/integrations/amazon-aws/aurora-postgresql-ulm": "/docs/integrations/amazon-aws/rds",
 "/docs/integrations/amazon-aws/elastic-load-balancer-app": "/docs/integrations/amazon-aws/application-load-balancer",
- "/docs/integrations/amazon-aws/elastic-load-balancing-classic": "/docs/integrations/amazon-aws/classic-load-balancer"
+ "/docs/integrations/amazon-aws/elastic-load-balancing-classic": "/docs/integrations/amazon-aws/classic-load-balancer",
+ "/docs/search/logcompare": "/docs/search/behavior-insights/logcompare",
+ "/docs/search/behavior-insights/logreduce-keys": "/docs/search/behavior-insights/logreduce/logreduce-keys",
+ "/docs/search/logreduce": "/docs/search/behavior-insights/logreduce",
+ "/docs/search/logreduce/logreduce-operator": "/docs/search/behavior-insights/logreduce/logreduce-operator",
+ "/docs/search/logreduce/detect-patterns-with-logreduce": "/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce",
+ "/docs/search/logreduce/influence-the-logreduce-outcome": "/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome",
+ "/docs/search/logreduce/understand-the-logreduce-relevance-column": "/docs/search/behavior-insights/logreduce/understand-the-logreduce-relevance-column",
+ "/docs/search/behavior-insights/logreduce-values": "/docs/search/behavior-insights/logreduce/logreduce-values"
 }
diff --git a/docs/alerts/monitors/alert-response-faq.md b/docs/alerts/monitors/alert-response-faq.md
index efa681a76b..1b2ff343fa 100644
--- a/docs/alerts/monitors/alert-response-faq.md
+++ b/docs/alerts/monitors/alert-response-faq.md
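Review bot: The eight keys appended at the tail of the object in the @@ -4186 hunk are added with no guard against a duplicate key; if `/docs/search/logreduce` or any of the other new paths already appears earlier in this 4000+-entry map, a JSON parser keeps the last occurrence and the earlier redirect changes silently. A duplicate-key check in the build (parsing the file with a reviver that rejects repeated keys, or a JSON lint rule to the same effect) would make the redirect map fail loudly instead. The rename of `docs/search/logcompare.md` is visible later in the diff, but the LogReduce page moves these new targets depend on are not in view here, so a link check against the built site would confirm that every new target resolves.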
@@ -67,7 +67,7 @@ Sumo Logic detects and maintains a signature library. It does that by analyzing There could be cases where the process has still not cataloged a new log message to a signature. As a result, it would get bundled into the "Others" category. This problem should be fixed automatically after some time (when the background process runs). -You can also force run the signature cataloging process manually, by calling the [LogCompare](../../search/logcompare.md) or [LogReduce](/docs/search/logreduce) operators from the Log Search page.  +You can also force run the signature cataloging process manually, by calling the [LogCompare](/docs/search/behavior-insights/logcompare) or [LogReduce](/docs/search/behavior-insights/logreduce) operators from the Log Search page.  ## I don’t see the Dimensional Explanation card for logs-based alert diff --git a/docs/alerts/monitors/alert-response.md b/docs/alerts/monitors/alert-response.md index 0901b69bd8..6eb834608c 100644 --- a/docs/alerts/monitors/alert-response.md +++ b/docs/alerts/monitors/alert-response.md 
@@ -160,7 +160,7 @@ See [Using tags in alerts](/docs/alerts/monitors/settings/#using-tags-in-alerts) ### Log fluctuations -This card detects different signatures in your log messages using [LogReduce](/docs/search/logreduce) such as errors, exceptions, timeouts, and successes. It compares log signatures trends with a normal baseline period and surfaces noteworthy changes in signatures. +This card detects different signatures in your log messages using [LogReduce](/docs/search/behavior-insights/logreduce) such as errors, exceptions, timeouts, and successes. It compares log signatures trends with a normal baseline period and surfaces noteworthy changes in signatures. * **New**. Log signatures that were only seen after the Alert was triggered but not one hour prior to the Alert start time. * **Gone**. Log signatures that are not present after the Alert was created but were present one hour prior to the Alert start time, such as **Transaction Succeeded** or **Success**. diff --git a/docs/alerts/monitors/overview.md b/docs/alerts/monitors/overview.md index da70a7930e..e302726a28 100644 --- a/docs/alerts/monitors/overview.md +++ b/docs/alerts/monitors/overview.md 
@@ -130,7 +130,7 @@ Custom variables used inside the Action Payload. ### General * [Receipt Time](../../search/get-started-with-search/build-search/use-receipt-time.md) is not supported. -* [LogReduce](/docs/search/logreduce/logreduce-operator) / [LogCompare](../../search/logcompare.md) operators are not supported in monitors. If your query contains these operators, you will not be able to create the monitor. +* [LogReduce](/docs/search/behavior-insights/logreduce/logreduce-operator) / [LogCompare](/docs/search/behavior-insights/logcompare) operators are not supported in monitors. If your query contains these operators, you will not be able to create the monitor. * Monitors only support the [Continuous data tier](/docs/manage/partitions/data-tiers). * An aggregate Metric Monitor can evaluate up to 15,000 time series. A non-aggregate Metric Monitor can evaluate up to 3,000 time series. * [Save to Index](../scheduled-searches/save-to-index.md) and [Save to Lookup](../scheduled-searches/save-to-lookup.md) are not supported. diff --git a/docs/contributing/glossary.md b/docs/contributing/glossary.md index cdb7edbb04..6bacf834d4 100644 --- a/docs/contributing/glossary.md +++ b/docs/contributing/glossary.md 
@@ -174,9 +174,9 @@ We also maintain a [DevOps and Security Glossary](https://www.sumologic.com/glos **[Local Configuration File Management](/docs/send-data/use-json-configure-sources/local-configuration-file-management)**. Local Configuration File Management allows you to set up and manage Sources on an Installed Collector using one or more JSON files. -**[LogCompare](/docs/search/logcompare)**. LogCompare allows you to compare a section of your log messages from one point in time with the same section at another point in time, and display the changes in patterns. +**[LogCompare](/docs/search/behavior-insights/logcompare)**. LogCompare allows you to compare a section of your log messages from one point in time with the same section at another point in time, and display the changes in patterns. -**[LogReduce](/docs/search/logreduce)**. LogReduce uses fuzzy logic to cluster messages together based on string and pattern similarity. Use the LogReduce button and operator to quickly assess activity patterns for things like a range of devices or traffic on a website. +**[LogReduce](/docs/search/behavior-insights/logreduce)**. LogReduce uses fuzzy logic to cluster messages together based on string and pattern similarity. Use the LogReduce button and operator to quickly assess activity patterns for things like a range of devices or traffic on a website. **[Logs-to-Metrics](/docs/metrics/logs-to-metrics)**. A Sumo Logic feature you can use to extract or create metrics from log data. You can extract metrics that are embedded in logs, or count logs as a metric. diff --git a/docs/dashboards/restricted-operators-dashboards.md b/docs/dashboards/restricted-operators-dashboards.md index 7d60d9b200..68404271ab 100644 --- a/docs/dashboards/restricted-operators-dashboards.md +++ b/docs/dashboards/restricted-operators-dashboards.md 
@@ -12,8 +12,8 @@ This page has information about restrictions and rules about using [Sumo Logic l The following operators cannot be used with dashboards: * `Details` -* [`LogReduce`](/docs/search/logreduce/logreduce-operator) -* [`LogCompare`](/docs/search/logcompare) +* [`LogReduce`](/docs/search/behavior-insights/logreduce/logreduce-operator) +* [`LogCompare`](/docs/search/behavior-insights/logcompare) * [`Parse multi`](/docs/search/search-query-language/parse-operators/parse-variable-patterns-using-regex/#parse-multi) * `Sample` (internal-use operator) * [`Save`](/docs/search/search-query-language/search-operators/save) @@ -26,8 +26,8 @@ The following operators cannot be used in Auto refresh: * `Details` * [`First`, `Last`](/docs/search/search-query-language/group-aggregate-operators/first-last/) - instead use the **withtime** option, see [`most_recent` and `least_recent`](/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent). * [`Join`](/docs/search/search-query-language/search-operators/join/) -* [`LogReduce`](/docs/search/logreduce/logreduce-operator/) -* [`LogCompare`](/docs/search/logcompare/) +* [`LogReduce`](/docs/search/behavior-insights/logreduce/logreduce-operator/) +* [`LogCompare`](/docs/search/behavior-insights/logcompare/) * [`Now`](/docs/search/search-query-language/search-operators/now) * [`Outlier`](/docs/search/search-query-language/search-operators/outlier/) will omit the first N (window size) data points in results because those data points are used in the training phase. * `Parse Using` diff --git a/docs/get-started/ai-machine-learning.md b/docs/get-started/ai-machine-learning.md index e3726cef39..add8a35553 100644 --- a/docs/get-started/ai-machine-learning.md +++ b/docs/get-started/ai-machine-learning.md 
@@ -49,11 +49,11 @@ With Copilot, you can effortlessly investigate complex issues without writing in ### LogReduce -LogReduce® utilizes AI-driven algorithms to cluster log messages based on string similarity and distill thousands of log lines into easy-to-understand patterns. Separate the signal from the noise and detect anomalous behavior with Outlier Detection. LogReduce employs fuzzy logic to group similar messages into signatures, enabling quick assessment of activity patterns. You can refine results based on your preferences, teaching LogReduce for more specific outcomes. [Learn more](/docs/search/logreduce). +LogReduce® utilizes AI-driven algorithms to cluster log messages based on string similarity and distill thousands of log lines into easy-to-understand patterns. Separate the signal from the noise and detect anomalous behavior with Outlier Detection. LogReduce employs fuzzy logic to group similar messages into signatures, enabling quick assessment of activity patterns. You can refine results based on your preferences, teaching LogReduce for more specific outcomes. [Learn more](/docs/search/behavior-insights/logreduce). ### LogCompare -LogCompare simplifies log analysis by enabling easy comparison of log data from different time periods to detect changes or anomalies, facilitating troubleshooting and root cause discovery. By automatically running delta analysis, LogCompare streamlines the process, allowing users to identify significant alterations in log patterns efficiently. Utilizing baseline and target queries, LogCompare clusters logs into patterns and compares them based on the significance of change, providing insights into deviations over time. With intuitive actions like promoting, demoting, and splitting signatures, users can refine their analysis and focus on relevant patterns, ultimately enhancing decision-making and threat detection capabilities. 
Additionally, LogCompare supports alerts and scheduled searches to notify users of new signatures or significant changes, ensuring proactive monitoring and response to evolving log data [Learn more](/docs/search/logcompare). +LogCompare simplifies log analysis by enabling easy comparison of log data from different time periods to detect changes or anomalies, facilitating troubleshooting and root cause discovery. By automatically running delta analysis, LogCompare streamlines the process, allowing users to identify significant alterations in log patterns efficiently. Utilizing baseline and target queries, LogCompare clusters logs into patterns and compares them based on the significance of change, providing insights into deviations over time. With intuitive actions like promoting, demoting, and splitting signatures, users can refine their analysis and focus on relevant patterns, ultimately enhancing decision-making and threat detection capabilities. Additionally, LogCompare supports alerts and scheduled searches to notify users of new signatures or significant changes, ensuring proactive monitoring and response to evolving log data. [Learn more](/docs/search/behavior-insights/logcompare). ### AI-driven Alerts diff --git a/docs/integrations/microsoft-azure/windows-legacy.md b/docs/integrations/microsoft-azure/windows-legacy.md index 8e62f10a3c..bb5874e09d 100644 --- a/docs/integrations/microsoft-azure/windows-legacy.md +++ b/docs/integrations/microsoft-azure/windows-legacy.md 
@@ -155,7 +155,7 @@ See information about Window event messages that contain a keyword that indicate **Error Keyword - Outlier**. See timeslices where the count of problem keywords exceeds the moving average by a statistically significant amount, three standard deviations over the last 24 hours. -**Error Keyword - LogReduce**. See a LogReduce analysis of event messages that contain problem keywords. (Sumo's LogReduce algorithm uses fuzzy logic to cluster messages together based on string and pattern similarity. For more information, see, [Detect Patterns with LogReduce](/docs/search/logreduce/detect-patterns-with-logreduce)). +**Error Keyword - LogReduce**. See a LogReduce analysis of event messages that contain problem keywords. (Sumo's LogReduce algorithm uses fuzzy logic to cluster messages together based on string and pattern similarity. For more information, see, [Detect Patterns with LogReduce](/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce)). ## Upgrade/Downgrade the Windows Legacy app (Optional) diff --git a/docs/manage/manage-subscription/cloud-flex-legacy-accounts.md b/docs/manage/manage-subscription/cloud-flex-legacy-accounts.md index 3849a4ca8b..7a87427ebd 100644 --- a/docs/manage/manage-subscription/cloud-flex-legacy-accounts.md +++ b/docs/manage/manage-subscription/cloud-flex-legacy-accounts.md 
@@ -41,7 +41,7 @@ The following table provides a summary list of key features by package accounts. | Log Data retention (Classic Accounts) | 7 days | 30 days | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | | Log Data storage (Cloud Flex Accounts) | 4GB | 30GB | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | | Log Data volume | 500MB per day | 1GB per day* | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | -| [LogReduce](/docs/search/logreduce) | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | +| [LogReduce](/docs/search/behavior-insights/logreduce) | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | | [Lookup Tables](/docs/search/lookup-tables) | none | Varies by the account type being trialed | 10 tables per org | 100 tables per org | | Metrics | | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | | Metrics data retention | | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | ![check](/img/reuse/check.png) | diff --git a/docs/observability/root-cause-explorer.md b/docs/observability/root-cause-explorer.md index cc252f1a48..3ea4a76745 100644 --- a/docs/observability/root-cause-explorer.md +++ b/docs/observability/root-cause-explorer.md 
@@ -469,7 +469,7 @@ _view=sumologic_signals_anomalies #### Return entities with the most problems -This query uses the [logreduce](/docs/search/logreduce) operator to look for groups of anomalies to assess if some combination of metrics, clusters and so on, account for a large share of overall EOI volume. +This query uses the [logreduce](/docs/search/behavior-insights/logreduce) operator to look for groups of anomalies to assess if some combination of metrics, clusters and so on, account for a large share of overall EOI volume. ```sql _view=sumologic_signals_anomalies diff --git a/docs/search/behavior-insights/index.md b/docs/search/behavior-insights/index.md index 6b3429b9e0..6b8d3e4fd2 100644 --- a/docs/search/behavior-insights/index.md +++ b/docs/search/behavior-insights/index.md @@ -4,6 +4,8 @@ title: Behavior Insights description: Gain behavioral insight of your environment using LogReduce operators. --- +import useBaseUrl from '@docusaurus/useBaseUrl'; + Behavior Insights encompasses three log search operators to accelerate insights, troubleshooting, and action plans using structured logs. About 23% of the daily log ingest volume pertains to JSON data and accounts for a growing share of total log volume. This growth is driven by modern applications and underlying cloud (AWS, GCP, Azure) and orchestrator logs. Behavior Insights helps answer the following questions for SecOps, DevOps, and business users: * What activity patterns are evident from structured logs? What patterns are trending? @@ -12,28 +14,25 @@ Behavior Insights encompasses three log search operators to accelerate insights, Modeled after our LogReduce log summarization feature, the LogReduce Values and LogReduce Keys operators cluster logs based on their structure or pattern and activity content respectively. - -## Guide contents - In this section, we'll introduce the following concepts:
-

LogExplain

-

This operator finds the root cause of outliers in logs based on conditions you specify.

+ icon

LogCompare

+

Compare log data from different time periods to detect major changes or anomalies.

-

LogReduce Keys

-

Clusters JSON logs based on keys providing an at-a-glance summary of patterns in logs based on their schema while ignoring specific values.

+ icon

LogReduce

+

Assess activity patterns for things like a range of devices or traffic on a website.

-

LogReduce Values

-

Clusters JSON logs using the values of keys.

+ icon

LogExplain

+

Find the root cause of outliers in logs based on conditions you specify.

diff --git a/docs/search/logcompare.md b/docs/search/behavior-insights/logcompare.md similarity index 100% rename from docs/search/logcompare.md rename to docs/search/behavior-insights/logcompare.md diff --git a/docs/search/behavior-insights/logexplain.md b/docs/search/behavior-insights/logexplain.md index c46545c3ab..6a8fd49cee 100644 --- a/docs/search/behavior-insights/logexplain.md +++ b/docs/search/behavior-insights/logexplain.md @@ -54,7 +54,7 @@ With the provided results you can: * Field values must be categorical. * [Built-in metadata fields](/docs/search/get-started-with-search/search-basics/built-in-metadata) are not supported. * Not supported with [Real Time alerts](../../alerts/scheduled-searches/create-real-time-alert.md). -* [Time Compare](../time-compare.md) and the [compare operator](/docs/search/search-query-language/search-operators/compare) are not supported against LogExplain results. +* [Time Compare](/docs/search/time-compare) and the [`compare` operator](/docs/search/search-query-language/search-operators/compare) are not supported against LogExplain results. * Response fields `_explanation`, `_relevance`, `_test_coverage`,  and `_control_coverage` are not supported with [Dashboard filters](/docs/dashboards/filter-template-variables). * If you reach the memory limit you can try to shorten the time range or the number of specified fields. When the memory limit is reached you will get partial results on a subset of your data. 
@@ -92,7 +92,7 @@ _sourceCategory= *cloudtrail* errorCode ### Kubernetes -After using [LogReduce Values to explore your event logs based on specific keys](logreduce-values.md), you can use LogExplain to analyze the frequency of events. +After using [LogReduce Values to explore your event logs based on specific keys](/docs/search/behavior-insights/logreduce/logreduce-values), you can use LogExplain to analyze the frequency of events. If a cluster of logs has `reason="FailedScheduling"` indicating the Kubernetes scheduler is unable to find nodes that can satisfy requirements for the requested pods, you can use `logexplain` to understand which pods and the reason they are unable to find a node to run in. @@ -105,7 +105,7 @@ _sourceCategory="nite-primary-eks/events" ### AWS CloudTrail -After using [LogReduce Values to explore your event logs based on specific keys](logreduce-values.md) you can use LogExplain to analyze which users, IP addresses, AWS regions, and S3 event names most explain the S3 Access Denied error based on their prevalence in AWS CloudTrail logs that contain S3 Access Denied errors versus logs that do not contain these errors. +After using [LogReduce Values to explore your event logs based on specific keys](/docs/search/behavior-insights/logreduce/logreduce-values) you can use LogExplain to analyze which users, IP addresses, AWS regions, and S3 event names most explain the S3 Access Denied error based on their prevalence in AWS CloudTrail logs that contain S3 Access Denied errors versus logs that do not contain these errors. ```sql _sourceCategory=*cloudtrail* 
@@ -132,11 +132,11 @@ Results show the relevance of each explanation: As a SecOps user, I want to detect compromised user credentials for Windows machines.  -SecOps Insight: A hacked credential will display a remote login pattern (eventdata_logontype = 10) where a given user logs into more machines than they usually do, based on eventid = 4624 (login successful). I want to baseline 14 days of remote access activity and detect outliers in the most recent 24 hours. +SecOps Insight: A hacked credential will display a remote login pattern (`eventdata_logontype=10`) where a given user logs into more machines than they usually do, based on `eventid=4624` (login successful). I want to baseline 14 days of remote access activity and detect outliers in the most recent 24 hours. #### Approach 1: Time Compare -The time compare query attempts to enumerate all machine-to-user combinations over the past 24 hours and compares the average daily logins for each pair of machine and user. As `compare` only supports up to 8 sequential slices, the data has to be sliced into 2 day intervals with 7 epochs, to create 14 days of data. +The time compare query attempts to enumerate all machine-to-user combinations over the past 24 hours and compares the average daily logins for each pair of machine and user. As `compare` only supports up to 8 sequential slices, the data has to be sliced into 2-day intervals with 7 epochs, to create 14 days of data. ```sql _sourceCategory=OS*Windows* eventid=4624 eventdata_logontype=10 
@@ -162,4 +162,4 @@ _sourceCategory=OS*Windows* eventid=4624 eventdata_logontype=10 In an example dataset, this requires you to examine just 4 results, versus 773 in the worst case for time compare. The machines were not reported as significant in the `logexplain` algorithm, as they appeared at relatively the same frequency in both the baseline and comparison logs. Subjectively, the 4 users identified by `logexplain` were among the 150 results in the `time compare` query, sorted by percent increase in activity, so we believe our accuracy was at least as good as `time compare` with fewer results for the user to examine. -One important difference for `logexplain` is that it is able to detectusers who were very active 14 days ago but are no longer or less active recently. This is important as hackers may have left the network by the time Sec Ops chooses to run any of these queries. Time compare on the other hand, if sorted based on percent increase of activity, will force the user to examine all 773 user-machine combinations to get the full picture. +One important difference for `logexplain` is that it is able to detect users who were very active 14 days ago but are no longer or less active recently. This is important as hackers may have left the network by the time SecOps chooses to run any of these queries. Time compare on the other hand, if sorted based on percent increase of activity, will force the user to examine all 773 user-machine combinations to get the full picture. diff --git a/docs/search/logreduce/detect-patterns-with-logreduce.md b/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce.md similarity index 100% rename from docs/search/logreduce/detect-patterns-with-logreduce.md rename to docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce.md 
diff --git a/docs/search/logreduce/index.md b/docs/search/behavior-insights/logreduce/index.md similarity index 58% rename from docs/search/logreduce/index.md rename to docs/search/behavior-insights/logreduce/index.md index ea0f8318dd..c1f6ea1352 100644 --- a/docs/search/logreduce/index.md +++ b/docs/search/behavior-insights/logreduce/index.md @@ -1,5 +1,5 @@ --- -slug: /search/logreduce +slug: /search/behavior-insights/logreduce title: LogReduce description: The LogReduce algorithm uses fuzzy logic to cluster messages together based on string and pattern similarity. Use the LogReduce button and operator to quickly assess activity patterns for things like a range of devices or traffic on a website. --- @@ -32,26 +32,38 @@ In this section, we'll introduce the following concepts:
- icon

LogReduce Operator

+ icon

LogReduce Operator

Allows you to quickly assess activity patterns for things like a range of devices or traffic on a website.

- icon

Detect Patterns with LogReduce

+ icon

Detect Patterns with LogReduce

Group messages with similar structures and patterns, providing insight into specific keywords or time range.

- icon

Influence the LogReduce Outcome

-

Influence the algorithm by editing a signature to increase or decrease your results granularity.

+ icon

LogReduce Keys

+

Clusters JSON logs based on keys providing an at-a-glance summary of patterns in logs based on their schema while ignoring specific values.

+
+
+
+
+ icon

LogReduce Values

+

Clusters JSON logs using the values of keys.

- icon

LogReduce Relevance Column

+ icon

LogReduce Relevance Column

Displays a numerical score for a signature, predicting which signatures could be most meaningful.

+
+
+ icon

Influence the LogReduce Outcome

+

Influence the algorithm by editing a signature to increase or decrease your results granularity.

+
+
diff --git a/docs/search/logreduce/influence-the-logreduce-outcome.md b/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome.md similarity index 100% rename from docs/search/logreduce/influence-the-logreduce-outcome.md rename to docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome.md diff --git a/docs/search/behavior-insights/logreduce-keys.md b/docs/search/behavior-insights/logreduce/logreduce-keys.md similarity index 92% rename from docs/search/behavior-insights/logreduce-keys.md rename to docs/search/behavior-insights/logreduce/logreduce-keys.md index 093ea67b56..a0cdfba5b0 100644 --- a/docs/search/behavior-insights/logreduce-keys.md +++ b/docs/search/behavior-insights/logreduce/logreduce-keys.md @@ -18,7 +18,7 @@ The following table shows the fields that are returned in results. With the provided results, you can: * Explore logs from each schema by clicking the links provided in the `_count` response field. -* Compare results against a previous time range with [LogCompare](/docs/search/logcompare). +* Compare results against a previous time range with [LogCompare](/docs/search/behavior-insights/logcompare). * Run subsequent searches. ## Syntax 
@@ -44,7 +44,7 @@ Results can be returned in two ways: * When not specifying a field with the `field=` option, do not parse any fields. If you parse any fields, they'll be excluded from the schema in your results.  * A maximum of 100 keys are automatically parsed. * Keys in arrays are not supported. -* The [Time Compare](../time-compare.md) button will not work on LogReduce Keys results, you need to manually input the [`compare` operator](/docs/search/search-query-language/search-operators/compare) instead. +* The [Time Compare](/docs/search/time-compare) button will not work on LogReduce Keys results, you need to manually input the [`compare` operator](/docs/search/search-query-language/search-operators/compare) instead. * Response fields `_signature_id`, `_schema`, and `_count` are not supported with [Dashboard filters](/docs/dashboards/filter-template-variables). ## _count link @@ -77,7 +77,7 @@ Returned schema: object.apiversion, object.count, object.firsttimestamp, object.involvedobject.kind, object.involvedobject.name, object.involvedobject.namespace, object.kind, object.lasttimestamp, object.message, object.metadata.creationtimestamp, object.metadata.name, object.metadata.namespace, object.metadata.resourceversion, object.metadata.selflink, object.metadata.uid, object.reason, object.reportingcomponent, object.reportinginstance, object.source.component, object.type, timestamp, type, object.involvedobject.apiversion, object.involvedobject.resourceversion, object.involvedobject.uid, object.source.host, object.involvedobject.fieldpath ``` -Next, use [LogReduce Values to explore the schema based on specific keys](logreduce-values.md). +Next, use [LogReduce Values to explore the schema based on specific keys](/docs/search/behavior-insights/logreduce/logreduce-values). ### AWS CloudTrail 
@@ -104,4 +104,4 @@ The schemas returned in your results are sorted based on the alphabetical order ![CloudTrail example LogReduce Keys.png](/img/search/behavior-insights/CloudTrail-example-LogReduce-Keys.png) -Next, use [LogReduce Values](logreduce-values.md) to explore the schema based on specific keys. +Next, use [LogReduce Values](/docs/search/behavior-insights/logreduce/logreduce-values) to explore the schema based on specific keys. diff --git a/docs/search/logreduce/logreduce-operator.md b/docs/search/behavior-insights/logreduce/logreduce-operator.md similarity index 100% rename from docs/search/logreduce/logreduce-operator.md rename to docs/search/behavior-insights/logreduce/logreduce-operator.md diff --git a/docs/search/behavior-insights/logreduce-values.md b/docs/search/behavior-insights/logreduce/logreduce-values.md similarity index 91% rename from docs/search/behavior-insights/logreduce-values.md rename to docs/search/behavior-insights/logreduce/logreduce-values.md index 79c2c078eb..2fdd241dde 100644 --- a/docs/search/behavior-insights/logreduce-values.md +++ b/docs/search/behavior-insights/logreduce/logreduce-values.md 
@@ -6,7 +6,7 @@ description: Group by the values of specific keys in JSON logs. -The **LogReduce Values** operator allows you to quickly explore structured logs by known keys. Structured logs can be in JSON, CSV, key-value, or any structured format. Unlike the LogReduce Keys operator, you need to specify the keys you want to explore. The values of each specified key are parsed and aggregated for you to explore. +The **LogReduce Values** operator allows you to quickly explore structured logs by known keys. Structured logs can be in JSON, CSV, key-value, or any structured format. Unlike the [LogReduce Keys operator](/docs/search/behavior-insights/logreduce/logreduce-keys), you need to specify the keys you want to explore. The values of each specified key are parsed and aggregated for you to explore. This operator does not automatically [parse](/docs/search/search-query-language/parse-operators) your logs. You need to parse the keys you want to explore prior to specifying them in the LogReduce Values operation.  @@ -21,7 +21,7 @@ The field is a clickable link that opens a new window with a query that drills d With the provided results you can: * Click the provided links to drill down and further explore logs from each schema. -* Compare results against a previous time range with [LogCompare](/docs/search/logcompare). +* Compare results against a previous time range with [LogCompare](/docs/search/behavior-insights/logcompare). * Run subsequent searches. ## Syntax 
@@ -80,7 +80,7 @@ To see all the logs by cluster identifiers for further processing, you'd use ## Limitations -* [Time Compare](../time-compare.md) and the [`compare` operator](/docs/search/search-query-language/search-operators/compare) are not supported against LogReduce Values results. +* [Time Compare](/docs/search/time-compare) and the [`compare` operator](/docs/search/search-query-language/search-operators/compare) are not supported against LogReduce Values results. * If you reach the memory limit you can try to shorten the time range or the number of specified fields. When the memory limit is reached you will get partial results on a subset of your data. * Response fields `_cluster_id`, `_signature`, and `_count` are not supported with [Dashboard filters](/docs/dashboards/filter-template-variables). @@ -116,7 +116,7 @@ _sourceCategory="primary-eks/events" | logreduce values on reason, objectName, message, kind, component, namespace ``` -Next, use [LogExplain to determine how frequently your `reason` is](logexplain.md) `FailedScheduling`.   +Next, use [LogExplain to determine how frequently your `reason` is](../logexplain.md) `FailedScheduling`.   ### AWS CloudTrail @@ -144,7 +144,7 @@ Results show each unique signature: ![CloudTrail example LogReduce Values.png](/img/search/behavior-insights/CloudTrail-example-LogReduce-Values.png) -Next, use [LogExplain](logexplain.md) to analyze which users, IP addresses, AWS regions, and S3 event names most explain the S3 Access Denied error based on their prevalence in AWS CloudTrail logs that contain S3 Access Denied errors versus logs that do not contain these errors. +Next, use [LogExplain](../logexplain.md) to analyze which users, IP addresses, AWS regions, and S3 event names most explain the S3 Access Denied error based on their prevalence in AWS CloudTrail logs that contain S3 Access Denied errors versus logs that do not contain these errors. **Drill down** 
diff --git a/docs/search/logreduce/understand-the-logreduce-relevance-column.md b/docs/search/behavior-insights/logreduce/understand-the-logreduce-relevance-column.md similarity index 100% rename from docs/search/logreduce/understand-the-logreduce-relevance-column.md rename to docs/search/behavior-insights/logreduce/understand-the-logreduce-relevance-column.md diff --git a/docs/search/get-started-with-search/search-page/navigate-through-search-results.md b/docs/search/get-started-with-search/search-page/navigate-through-search-results.md index 626958f633..a26f204b32 100644 --- a/docs/search/get-started-with-search/search-page/navigate-through-search-results.md +++ b/docs/search/get-started-with-search/search-page/navigate-through-search-results.md @@ -8,7 +8,7 @@ When you run a search, the results are displayed in the **Messages** tab. If the ![Messages and Aggregates tab.png](/img/search/get-started-search/search-page/messages-aggregates-tab.png) -The **Signatures** tab is shown when using [LogReduce](/docs/search/logreduce). +The **Signatures** tab is shown when using [LogReduce](/docs/search/behavior-insights/logreduce). ![Signatures tab.png](/img/search/get-started-search/search-page/signatures-tab.png) diff --git a/docs/search/index.md b/docs/search/index.md index 16010e1f5b..bc3b0e028c 100644 --- a/docs/search/index.md +++ b/docs/search/index.md @@ -23,6 +23,12 @@ In this section, we'll introduce the following concepts:

Start here to begin exploring your data in Sumo Logic.

+
+
+ icon

Copilot

+

Accelerate log investigations and troubleshooting with Sumo Logic Copilot, our AI-powered assistant that enables you to ask natural language questions and get contextual suggestions, helping first responders get to answers faster.

+
+
icon

Search Query Language

@@ -37,14 +43,20 @@ In this section, we'll introduce the following concepts:
- icon

LogReduce

-

Quickly assess activity patterns for things like a range of devices or traffic on a website.

+ icon

Behavior Insights

+

Gain behavioral insight of your environment using LogReduce operators.

+
+
+
+
+ icon

Live Tail

+

Real-time live feed of log events associated with a Source or Collector.

- icon

LogCompare

-

Easily compare log data from different time periods to detect major changes or anomalies.

+ icon

Time Compare

+

Run a compare operation automatically from your search results.

@@ -55,14 +67,14 @@ In this section, we'll introduce the following concepts:
- icon

Live Tail

-

Real-time live feed of log events associated with a Source or Collector.

+ icon

Optimize Search Performance

+

Learn how to accelerate the search process to get query results in less time and improve productivity for forensic analysis and log management.

- icon

Behavior Insights

-

Gain behavioral insight of your environment using LogReduce operators.

+ icon

Optimize Your Search with Partitions

+

Optimize your search with partitions, which store your data in an index separate from the rest of your account's data.

@@ -71,6 +83,12 @@ In this section, we'll introduce the following concepts:

Filter and evaluate conditions for a query when you may not be sure of the exact filter.

+
+
+ icon

FAQ

+

Get answers to frequently asked questions about Log Search.

+
+

diff --git a/docs/search/search-cheat-sheets/general-search-examples.md b/docs/search/search-cheat-sheets/general-search-examples.md index 67af77f3f7..14c850a964 100644 --- a/docs/search/search-cheat-sheets/general-search-examples.md +++ b/docs/search/search-cheat-sheets/general-search-examples.md @@ -272,7 +272,7 @@ exception* or fail* or error* or fatal* ``` :::sumo More Info -For more information, see [LogReduce](/docs/search/logreduce). +For more information, see [LogReduce](/docs/search/behavior-insights/logreduce). ::: ## Add metadata fields diff --git a/docs/search/search-cheat-sheets/log-operators.md b/docs/search/search-cheat-sheets/log-operators.md index d4cef0a85d..42396d809e 100644 --- a/docs/search/search-cheat-sheets/log-operators.md +++ b/docs/search/search-cheat-sheets/log-operators.md @@ -382,7 +382,7 @@ This section provides detailed syntax, rules, and examples for Sumo Logic Opera | count by _sourceCategory
| sort by _count
| limit 5
- logcompare + logcompare The logcompare operator allows you to compare two sets of logs: baseline (historical) and target (current). To run a LogCompare operation, you can use the LogCompare button on the Messages tab to generate a properly formatted query. _count
_deltaPercentage
_anomalyScore
_isNew Not supported in Dashboards. @@ -396,21 +396,21 @@ This section provides detailed syntax, rules, and examples for Sumo Logic Opera _sourceCategory=stream
| if(_raw matches "error", 1, 0) as hasError
| logexplain hasError == 1 on _sourceHost
- logreduce + logreduce The LogReduce algorithm uses fuzzy logic to cluster messages together based on string and pattern similarity. Use the LogReduce button and operator to quickly assess activity patterns for things like a range of devices or traffic on a website. (Formerly Summarize.) Not supported in Dashboards. | logreduce - logreduce keys - The logreduce keys operator allows you to quickly explore JSON or key-value formatted logs by schemas. + logreduce keys + The logreduce keys operator allows you to quickly explore JSON or key-value formatted logs by schemas. _signature_id
_schema
_count _sourcecategory="Labs/AWS/GuardDuty_V8"
| json keys "region", "partition", "resource"
| logreduce keys field=resource
- logreduce values + logreduce values The logreduce values operator allows you to quickly explore structured logs by known keys. Structured logs can be in JSON, CSV, key-value, or any structured format. _cluster_id
_signature
_count Not supported with Real Time alerts. diff --git a/docs/search/search-query-language/group-aggregate-operators/overview.md b/docs/search/search-query-language/group-aggregate-operators/overview.md index 14a8a5c337..559099b248 100644 --- a/docs/search/search-query-language/group-aggregate-operators/overview.md +++ b/docs/search/search-query-language/group-aggregate-operators/overview.md @@ -33,7 +33,7 @@ You can use **by** instead of **group by** so `count group by user` is equ ## Rules -* Cannot be used with the [LogReduce](/docs/search/logreduce) operator. +* Cannot be used with the [LogReduce](/docs/search/behavior-insights/logreduce) operator. * When [parsing and naming (aliasing) fields](/docs/search/search-query-language/parse-operators/parse-field-option.md), avoid using the names of grouping functions or other operators as field names. * When using **count**, or any grouping function, remember to include the underscore before the field name (sort by `_count`). * Multiple **aggregation** functions can be on the same line, but you cannot include another function, such as a math function, on the same line of a query. diff --git a/docs/search/time-compare.md b/docs/search/time-compare.md index 9b37a2c92b..9e35237575 100644 --- a/docs/search/time-compare.md +++ b/docs/search/time-compare.md 
@@ -83,7 +83,7 @@ For more compare operator examples, see [Examples](./time-compare.md). ## Compare vs. LogCompare -The [`compare`](/docs/search/search-query-language/search-operators/compare) and [`logcompare`](/docs/search/logcompare) operators are very similar in syntax and functionality, but they handle different types of data: +The [`compare`](/docs/search/search-query-language/search-operators/compare) and [`logcompare`](/docs/search/behavior-insights/logcompare) operators are very similar in syntax and functionality, but they handle different types of data: * `compare` is used for aggregated numeric data (such as: for analyzing results from a [group by](/docs/search/search-query-language/group-aggregate-operators) query or a query with aggregation operators such as count, sum, and avg). * `logcompare` is used for log signature counts (used right after the first pipe). diff --git a/i18n/ja/alerts/alerts/monitors/alert-response-faq.md b/i18n/ja/alerts/alerts/monitors/alert-response-faq.md index 32322f40cc..18c0f9ea4c 100644 --- a/i18n/ja/alerts/alerts/monitors/alert-response-faq.md +++ b/i18n/ja/alerts/alerts/monitors/alert-response-faq.md 
@@ -58,7 +58,7 @@ Sometimes because of internal system errors Log Fluctuation cards might not appe Sumo Logic detects and maintains a signature library. It does that by analyzing logs sent to Sumo Logic and catalogs them into various signatures in the signature library. This process happens in the background and runs periodically, to keep the signatures up to date. There could be cases, that the process has still not cataloged a new log message to a signature, as a result, it gets bundled into the "Others" category. This problem should be fixed automatically after some time (when the background process runs). -You can also force run the signature cataloging process manually, by calling the [LogCompare](../../search/logcompare.md) or [LogReduce](/docs/search/logreduce) operators from the Log Search page.  +You can also force run the signature cataloging process manually, by calling the [LogCompare](/docs/search/behavior-insights/logcompare) or [LogReduce](/docs/search/behavior-insights/logreduce) operators from the Log Search page.  ## I don’t see the Dimensional Explanation Card for logs-based Alert? diff --git a/i18n/ja/alerts/alerts/monitors/alert-response.md b/i18n/ja/alerts/alerts/monitors/alert-response.md index 9e5747c183..e2e75702d4 100644 --- a/i18n/ja/alerts/alerts/monitors/alert-response.md +++ b/i18n/ja/alerts/alerts/monitors/alert-response.md 
@@ -131,7 +131,7 @@ Depending on the type of data the alert was based on, metrics or logs, and the d ### Log Fluctuations -This card detects different signatures in your log messages using [LogReduce](/docs/search/logreduce) such as errors, exceptions, timeouts, and successes. It compares log signatures trends with a normal baseline period and surfaces noteworthy changes in signatures. +This card detects different signatures in your log messages using [LogReduce](/docs/search/behavior-insights/logreduce) such as errors, exceptions, timeouts, and successes. It compares log signatures trends with a normal baseline period and surfaces noteworthy changes in signatures. * **New**: Log signatures that were only seen after the Alert was triggered but not one hour prior to the Alert start time. * **Gone**: Log signatures that are not present after the Alert was created but were present one hour prior to the Alert start time, such as, Transaction Succeeded or Success.
diff --git a/sidebars.ts b/sidebars.ts
index f501fc83fc..8c08d2797d 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -1536,9 +1536,23 @@ module.exports = {
 collapsed: true,
 link: {type: 'doc', id: 'search/behavior-insights/index'},
 items: [
+ 'search/behavior-insights/logcompare',
+ {
+ type: 'category',
+ label: 'LogReduce',
+ collapsible: true,
+ collapsed: true,
+ link: {type: 'doc', id: 'search/behavior-insights/logreduce/index'},
+ items: [
+ 'search/behavior-insights/logreduce/logreduce-operator',
+ 'search/behavior-insights/logreduce/detect-patterns-with-logreduce',
+ 'search/behavior-insights/logreduce/logreduce-keys',
+ 'search/behavior-insights/logreduce/logreduce-values',
+ 'search/behavior-insights/logreduce/understand-the-logreduce-relevance-column',
+ 'search/behavior-insights/logreduce/influence-the-logreduce-outcome',
+ ],
+ },
 'search/behavior-insights/logexplain',
- 'search/behavior-insights/logreduce-keys',
- 'search/behavior-insights/logreduce-values',
 ],
 },
 {
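Review bot: Nothing visible in this commit maps the retired public slugs `/docs/search/logreduce` and `/docs/search/logcompare` to their new homes, while the sidebar entries for `search/logcompare` and the `search/logreduce/*` category are removed here and re-created under `search/behavior-insights`. If the site relies on an explicit redirect table for removed slugs, external links and bookmarks to the old URLs will break once this lands; worth confirming a redirect exists or adding one mapping `/docs/search/logreduce` to `/docs/search/behavior-insights/logreduce` and `/docs/search/logcompare` to `/docs/search/behavior-insights/logcompare`. The item order of the new LogReduce category (relevance column before influence-the-outcome) matches the card order in the moved index page, so that part reads as consistent. The enclosing `module.exports` object starts and ends outside this hunk.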
@@ -1558,20 +1572,6 @@ module.exports = {
 'search/live-tail/troubleshooting-live-tail',
 ],
 },
- 'search/logcompare',
- {
- type: 'category',
- label: 'LogReduce',
- collapsible: true,
- collapsed: true,
- link: {type: 'doc', id: 'search/logreduce/index'},
- items: [
- 'search/logreduce/logreduce-operator',
- 'search/logreduce/detect-patterns-with-logreduce',
- 'search/logreduce/influence-the-logreduce-outcome',
- 'search/logreduce/understand-the-logreduce-relevance-column',
- ],
- },
 'search/time-compare',
 {
 type: 'category',