diff --git a/cid-redirects.json b/cid-redirects.json index c4cb04fc142..0ebb1ef7342 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -4708,6 +4708,7 @@ "/docs/search/copilot-unstructured-logs-beta": "/docs/search/mobot", "/docs/search/mobot-unstructured-logs-beta": "/docs/search/mobot", "/docs/search/mobot-unstructured-logs": "/docs/search/mobot", + "/docs/search/mobot-preview": "/docs/search/mobot", "/docs/manage/data-forwarding/amazon-s3-bucket": "/docs/manage/data-forwarding/forward-data-from-sumologic", "/docs/cse/signals": "/docs/cse/records-signals-entities-insights", "/docs/query/query-operators/aggregation-functions": "/docs/search/search-query-language/group-aggregate-operators", diff --git a/docs/search/index.md b/docs/search/index.md index de5923a3d53..22f55cb1d41 100644 --- a/docs/search/index.md +++ b/docs/search/index.md @@ -51,8 +51,8 @@ In this section, we'll introduce the following concepts:
Accelerate log investigations and troubleshooting with Sumo Logic Mobot, our AI-powered assistant that enables you to ask natural language questions and get contextual suggestions, helping first responders get to answers faster.
+Ask Mobot a question in plain language and get a guided, multi-step investigation across your logs, no query writing required.
-
-Try asking a log analysis question (errors, trends, anomalies, or security events) or a platform how-to question (configuration, setup, or best practices). Mobot automatically routes your question to the appropriate capability.
-
-Here are some example Mobot queries:
-
-
-
-
-
-
-
-Here's another example showing Mobot displaying inline results and summarizing key observations below it:
-
-
-
-### Clarification prompts
-
-Mobot interprets natural language questions even when they are incomplete or ambiguous. If your question is unclear, Mobot asks a targeted follow-up question to narrow intent before running a search.
-
-For example, asking `Show me logs from the last 15 minutes` or `Show me all logs from the last 24 hours` without specifying a source prompts Mobot to ask which application, service, or log source you are interested in, with inline examples such as `kubernetes`, `nginx`, or `auth_logs`.
-
-
-
-
-
-Respond with a source name, source category expression, or any keyword related to what you are looking for. If your question falls outside available data or system capabilities, Mobot clarifies or redirects rather than returning an error.
-
-### Unstructured logs support
-
-Previously, Mobot worked best on structured (JSON) logs. With this preview release, Mobot can apply parsing logic to unstructured logs, even if no FERs are configured.
-
-Now it has built-in support for unstructured logs (raw, text-based log data that does not follow a structured format like JSON). You can ask questions in plain English and get meaningful results from nearly any log data, without requiring Field Extraction Rules (FERs).
-
-At this stage, Mobot prioritizes unstructured logs that are already used in dashboards, allowing it to surface insights from high-value log sources out-of-the-box. This means it will not interpret all raw logs yet, but support is actively being expanded beyond dashboards.
-
-* **Broader coverage**. Mobot parses and generates insights from unstructured log formats, even without FERs, making it useful for environments that include custom or inconsistent log types.
-* **Performance and reliability**. Response times and suggestion accuracy are consistent with Mobot's structured log experience.
-* **Security and compliance**. The same strict data handling and privacy standards apply. Unstructured logs support builds on Mobot's secure foundation.
-
-#### Common use cases
-
-* **General log exploration**. Ask questions about unstructured logs already used in your dashboards, even if they lack predefined fields.
-* **Error triage**. Investigate frequently visualized log data to surface patterns and recurring issues in unstructured formats.
-* **Security insights**. Detect anomalies or signs of failed logins by querying raw logs already powering security dashboards.
-* **Smarter prioritization**. Mobot focuses on unstructured logs that are visualized in dashboards, helping you get meaningful insights from high-value data sources.
-
-## Example prompts
-
-Mobot works best when you start with a business question, not a query. Ask questions the way you naturally think about a problem, then refine through conversation. Here are some tips:
-- Start broad, then refine with follow-up questions.
-- Do not worry about structure. Mobot will guide you.
-- If Mobot needs more context, provide a hint such as a data source, lookup table, or field name.
-
-### Developer and SRE
-
-* `What does the error trend look like for my service over the past 24 hours?`
- * Follow up: `Which instances are most impacted?`
-
-* `Which services have the worst P99 latency trend lately — anything persistent?`
- * Follow up: `When did this start?`
-
-* `Show me pod crash behavior over the last 7 days.`
- * Follow up: `Are there any patterns worth paying attention to?`
-
-* `Any pipelines failing on first run, but passing on retry this week?`
- * Follow up: `What's the flakiness pattern?`
-
-* `Checkout-service depends on inventory-service — give me a health snapshot of both.`
-
-### Security analyst
-
-* `Have there been any recent phishing attempts?`
- * Follow up: `Which users are involved?`
-
-* `Are there any unusual authentication patterns in our environment?`
- * Follow up: `Is this activity increasing over time?`
-
-* `Any unusual login patterns or access spikes from threat intel IPs in the last 24 hours?`
-
-### Product and research
-
-* `What integrations does Sumo Logic support for cloud security?`
-
-## Limitations
-
-Mobot is in Extended Preview and has the following known limitations.
-
-**Use cases**
-* Log analysis only. Metrics, traces, and other telemetry types are not supported.
-* Domain intelligence and planning are still evolving.
-
-**Access and actions**
-* Read-only. Mobot can query and analyze data but cannot modify, delete, ingest data, manage dashboards or monitors, or access external systems.
-
-**Data and query constraints**
-* Only works with data that has been ingested and is still within your retention period.
-* Large time ranges (30 or more days) or deeply nested queries may be slow, time out, or hit platform limits.
-
-**Rate limits**
-* Each user is limited to 10 prompts per day. If you have a critical need that exceeds this limit, contact your account team.
-
-**Experience**
-* Performance and latency may vary depending on query complexity.
-* Responses may not always be fully accurate or complete.
-* No memory across sessions. Each conversation starts fresh.
-
-## FAQ
-
-### What's new in this preview release?
-
-This release replaces the manual Query Agent and Knowledge Agent selection with a unified interface and automated routing. It adds higher-order reasoning, multi-step analysis, and support for unstructured logs.
-
-### Do I need to select an agent? What happened to Query Agent and Knowledge Agent?
-
-No. The underlying capabilities are still there, but you no longer select them manually. Mobot automatically routes data questions to log analysis and how-to questions to platform guidance based on what you ask.
-
-### Can Mobot detect what sources or integrations I do not have set up?
-
-Mobot can detect missing sources or partitions reactively. When you ask a question that requires a specific data source, Mobot attempts the query and detects if the partition or data does not exist, then provides setup guidance. Mobot cannot proactively scan your environment and generate a list of all unconfigured integrations.
-
-### When should I start a new conversation instead of continuing the same one?
-
-Start a new conversation when you are switching to a completely different topic, the current thread has gone in the wrong direction, or you want to reset context. Continue the same conversation when you are refining or digging deeper into the same question, or exploring a problem through multiple follow-up questions. If you find yourself re-explaining the problem or correcting earlier assumptions, it is usually better to start a new conversation.
-
-### Will Mobot interpret all my unstructured logs?
-
-Mobot prioritizes unstructured logs that are already used in dashboards. This improves the relevance of insights and helps focus on high-value data sources.
-
-### How is unstructured log support different from structured log support?
-
-Structured logs have predefined fields, allowing Mobot to map queries directly. For unstructured logs, Mobot uses AI and parsing techniques to infer structure on the fly.
-
-### Will Mobot support additional capabilities over time?
-
-Yes. Mobot is designed to be extensible. Over time, more capabilities can be added as teams across the platform contribute new features. The current preview focuses on log analysis and platform how-to guidance, with additional capabilities planned for future releases.
-
-### Are there any usage restrictions for Mobot?
-
-Preview participants are limited to 10 prompts per user per day. This limit is subject to change when we reach GA based on preview learnings.
-
-## Feedback
-
-Your input directly shapes Mobot before general availability. For ways to rate responses or report issues, see [Feedback](/docs/search/mobot#feedback).
diff --git a/docs/search/mobot.md b/docs/search/mobot.md
index 45944d10922..520e2213b77 100644
--- a/docs/search/mobot.md
+++ b/docs/search/mobot.md
@@ -2,270 +2,222 @@
id: mobot
title: Sumo Logic Mobot
sidebar_label: Mobot ✨
-description: Accelerate investigations and simplify security workflows with Mobot, Sumo Logic's AI assistant that turns plain-language questions into log queries and returns answers from Sumo Docs.
+description: Troubleshoot logs without writing search queries, learn the platform, and take action, all using plain-language questions with Mobot, Sumo Logic's AI assistant.
keywords:
- mobot
- - ai
- - ml
- - agents
- dojo ai
+ - ai assistant
+ - log analysis
+ - log troubleshooting
+ - unstructured logs
---
-import Iframe from 'react-iframe';
import useBaseUrl from '@docusaurus/useBaseUrl';
+import SumoAcademy from '../reuse/sumo-logic-academy.md';
-Mobot is Sumo Logic's AI assistant that turns plain-language questions into log queries. Ask what you want to investigate and get query results, visualizations, and guided refinements in one conversational experience—without writing queries from scratch. Mobot tracks your intent, maintains conversation context, and surfaces step-by-step suggestions to move you from question to insight faster.
-
-Mobot connects you to two specialized agents:
+Mobot is Sumo Logic's AI-powered conversational assistant for security analysts, on-call engineers, administrators, and other Sumo Logic users. Ask questions in plain English to investigate log data or learn how to use the platform without selecting an agent or writing queries from scratch.
-* **Query Agent** translates your natural-language questions into log search queries and helps you refine them step by step.
-* **Knowledge Agent** answers how-to questions about Sumo Logic, from setup to troubleshooting, best practices, and more.
+In a single conversation, Mobot determines whether you have a log data question or a how-to question and responds accordingly. For log data questions, it identifies relevant sources, correlates information across logs, and returns inline results with anomaly callouts and suggested next steps. For how-to questions, it provides structured answers and reference links from Sumo Logic documentation. Conversation context lets you refine, pivot, and dig deeper without starting over.
-Together, these agents help you troubleshoot faster, explore your data more intuitively, and learn the platform without friction.
+:::info Participation requirement
+Access requires a signed AI addendum, since Mobot uses AI to make inferences on your log data. Contact your account team if you have not yet signed the addendum.
+:::
## At a glance
-- **What it is**: Sumo Logic's AI-powered assistant for log investigation and platform guidance.
-- **Two agents**: Query Agent (log search queries) and Knowledge Agent (how-to answers from official docs).
-- **How it works**: Ask questions in plain English; Mobot translates them into Sumo Logic queries or returns documentation-sourced answers.
-- **Response time**: Typically under 2 seconds for most queries.
-- **Compatible log types**: JSON, partial JSON, and unstructured logs with Field Extraction Rules.
-- **AI provider**: Amazon Bedrock (no customer data used for training).
+- **Response time**. Typically under 2 seconds for most queries. See [response time FAQ](#what-is-the-typical-mobot-response-time) for details.
+- **Compatible log types**. Structured, semi-structured, and unstructured logs. Unstructured logs already used in dashboards do not require Field Extraction Rules. See [Compatible log formats](#compatible-log-formats) for details.
+- **AI provider**. Amazon Bedrock (no customer data used for training). See [Security and compliance](#security-and-compliance) for details.
:::training Sumo Logic Academy
-import SumoAcademy from '../reuse/sumo-logic-academy.md';
-
-- **Home page**. Go to **Home**, select the **Home** tab, then click the **Mobot** tile.
+1. **Open Mobot**. Open Mobot from one of the following places:
+ - **Left nav**. Click **Mobot** in the left navigation menu.
+ - **Home page**. Go to **Home**, select the **Home** tab, then click the **Mobot** tile.
+ - **Cloud SIEM insight** (requires Cloud SIEM). From an insight's **Details** page, click **Ask Mobot** to continue an AI-driven investigation in Mobot with that insight's context already loaded. See [SOC Analyst Agent](/docs/cse/get-started-with-cloud-siem/soc-analyst-agent/#investigate-the-insight-in-mobot).
+1. **Ask a question**. Type your question in the **Ask Something** field and press Enter or click the send button.
-Not sure where to start? Choose an agent based on what you need:
+You can ask something about your log data (for example, `Show me logs from last 15 minutes`) or a how-to question (for example, `How do I set up an OTel Collector?`). See [How Mobot responds](#how-mobot-responds) for what happens next, or jump to [Example workflows](#example-workflows) to see it in action.
-| | Query Agent | Knowledge Agent |
-|:-----|:------------|:----------------|
-| **Purpose** | Create and refine log queries | Learn platform features |
-| **Input** | Data questions and analysis requests | How-to and configuration questions |
-| **Output** | Executable queries with live results | Answers with guidance links |
-| **Best for** | Troubleshooting, investigating, analyzing trends | Onboarding, setup guidance, learning concepts |
-| **Example** | "Show me 500 errors from the API service" | "How do I set up a CloudTrail collector?" |
+## How Mobot responds
-## Query Agent
+### Clarification prompts
-Select **Query Agent** to get help with Sumo Logic log search queries. In this section, you'll learn how to use Query Agent effectively, along with best practices to maximize its benefits.
+If your question is ambiguous or does not match a specific source, Mobot asks a targeted follow-up question before running the analysis. The clarification message explains what additional information is needed and provides inline examples you can reference or type directly.
-
+For example, asking `Show me logs from last 15 minutes` without specifying a source prompts Mobot to ask which application, service, or log source you are interested in, with inline examples such as `kubernetes`, `nginx`, or `auth_logs`.
-:::training Micro Lesson
+
-This short video introduces Query Agent and how it can help you with log search and analysis—perfect for getting a quick overview before diving in.
+
-
+In this scenario, you'd respond with a source name, source category expression, or any keyword related to what you are looking for.
-:::
+### Execution steps and inline results
-Intent cards summarize your current goal, and suggested follow-up queries offer refinements you can apply with a click. The conversation pane shows your prompts and refinements, with queries rendered directly in the editor alongside live results.
+After you respond, Mobot displays a **Thinking...** or **Planning...** indicator while it identifies relevant data sources and analyzes the problem. Results render as a structured table directly in the conversation, along with an option to open the query in Log Search.
-:::training Micro Lesson
+
-In this video, you'll learn how to turn natural language requests into queries, simplifying data exploration.
+### Notable findings
-
-
-:::
+After returning results, Mobot summarizes anything that stands out at the bottom of the response, labeled **Notable**. For example, if two `WARN` entries share an unusual pattern, Mobot flags them, explains what they may indicate, and asks whether you want to investigate further.
+
-### Example workflow: Observability investigation
+### Follow-up guidance
-This example shows a typical investigation workflow that takes just a few minutes. You can apply the same patterns to different logs, events, or dimensions.
+Mobot suggests follow-up questions to guide you through the next steps of your investigation. These suggestions appear in the interface and help you explore the data without needing to formulate queries from scratch. You can click a suggestion or type your own question to continue the conversation.
-#### Ask your initial question
+## Example workflows
-Use natural language to ask what you're looking for. For better results, include the name of the data source you're querying and any related fields or values.
+The following workflows show how you can investigate a problem through multiple conversational turns. For quick starting points grouped by task, see [Example prompts](#example-prompts).
-If you do not select a source, Query Agent chooses one automatically based on your question. You can override it by typing the source name directly in your prompt or by choosing it from the **Auto Source Selection** dropdown.
+### Log analysis
-For example, if you enter a broad question like "Show me AWS CloudTrail errors", your query will translate to Sumo Logic query language (something like `(_source="AWS CloudTrail") "error"`) and an intent card appears in the conversation pane summarizing your goal. Query Agent then surfaces suggested follow-up queries with related refinements you can click. You'll also see an option to open your query in Log Search.
+**Prompt**: `I'm getting reports that users can't log in. Is auth-service having issues?`
-#### Narrow the scope
+**Prompt**: `What does the error trend look like for my service over the past 24 hours?`
-After you click a follow-up suggestion or type a refinement, Query Agent refreshes the results and updates the intent card and query to reflect the new focus. With each refinement, Query Agent adjusts the query, applies the changes, and renders a visual chart.
+### Security investigation
-For example, clicking a suggestion like "Show me trend of errors each minute" applies a timeslice to group the results over time.
+You're a SecOps engineer using [Cloud SIEM](/docs/cse/) and receive an alert about suspicious network activity. Here's how to investigate using natural language.
-#### Drill into causes
+#### Review network activity
-As you go, Query Agent presents new suggestions to help you pivot into related questions, such as analyzing trends of event reasons or identifying top namespaces. The intent card expands each time to include the new scope, and results show additional details.
+**Prompt**: `Show me Cloud SIEM network records grouped by action`
-For example, you could refine further by clicking a suggestion like "Show the count of error logs per minute, grouped by error code".
+Mobot returns network activity categorized by action type (Allowed, Blocked, Malicious, etc.). Notice `Malicious` appears in the results.
-#### Next steps
+
-In just a few conversational turns, you went from a broad question to a detailed analysis showing error trends grouped by error code over time.
+#### Focus on malicious events
-From here, you can continue refining or explore different angles like [switching the chart type](#chart-type), [opening the query in Log Search](#open-in-log-search), [adjusting the time range](#time-range), [editing the query logic](#edit-query-code), or [starting over with a new chat](#new-conversation).
+**Prompt**: `Show me only the malicious activity`
-### Example workflow: Security investigation
+Mobot filters to show just the malicious network events.
-The steps below outline a typical conversational interaction pattern for investigating a security incident. You can apply the same approach to different security scenarios.
+
-#### Ask your initial question
+:::tip
+If your search doesn't return results, try using a wildcard (`Malicious*`). Searches are case-sensitive.
+:::
-Use natural language to ask what you're looking for. For better results, include the name of the data source you're querying and any related fields or values. If you do not select a source, Query Agent chooses one automatically based on your question.
+#### Identify affected resources
-For example, if you enter "Show me recent user-service logs", Query Agent selects the correct source category and returns recent events. An intent card appears in the conversation pane summarizing your goal. Query Agent then surfaces suggested follow-up queries with related refinements you can click.
+**Prompt**: `Which URLs and users are involved?`
-#### Identify patterns
+Mobot breaks down the malicious activity by target URLs and affected user accounts, helping you identify attack patterns and compromised credentials.
-After you click a follow-up suggestion or type a refinement, Query Agent refreshes the results and updates the intent card and query to reflect the new focus. With each refinement, Query Agent adjusts the query, applies the changes, and renders a visual chart.
+
-For example, asking "What's the request volume by service?" would aggregate traffic by service. Query Agent might surface that user-service has 3× higher requests than baseline, while other services remain healthy—suggesting a traffic surge on one service.
+#### Next steps
-#### Analyze geographic distribution
+In three conversational turns, you went from a general alert to:
-As you go, Query Agent presents new suggestions to help you pivot into related questions. The intent card expands each time to include the new scope, and results show additional details.
+* Reviewing all network activity types
+* Isolating malicious events
+* Identifying specific URLs targeted and users affected
-For example, asking "Where are these requests coming from?" aggregates by geography. Query Agent might reveal that 80% of requests originate from France, with elevated activity from China, Netherlands, and India—a geographic clustering pattern consistent with coordinated attacks.
+Even if the activity was blocked, investigate the affected users in Cloud SIEM's endpoint records to check for lateral movement or other indicators of compromise.
-#### Examine error patterns and sources
+### How-to workflow
-Query Agent maintains context from previous questions, so you can continue refining without repeating filters. For example, asking "What status codes are returned by the register API?" shows that over 85% of requests are failing with 503 errors. Following up with "Which IPs are behind these 503 errors?" reveals that two IPs account for over 97% of the failed traffic.
+For how-to questions, Mobot returns a structured answer sourced from our official Sumo Logic documentation.
-#### Validate with threat intelligence
+For example, asking `How do I set up an OTel Collector?` returns:
-You can enrich findings by asking Query Agent to cross-reference with external data. For example, "Check these IPs against threat intel" would reveal if the source IPs are flagged as known malicious actors, confirming whether the incident is an attack or organic load.
+* A brief explanation of what the OTel Collector is and what it collects.
+* Numbered installation steps with navigation paths for both the new UI and Classic UI.
+* A table of supported platforms and installation methods.
+* A key features summary.
+* Reference links to the relevant documentation pages.
-#### Next steps
+For more questions you can try, see [Sumo Logic how-to questions](#sumo-logic-how-to-questions).
-In just a few conversational turns, we went from an initial alert to confirming a DDoS attack with:
+## Working with log results
-* Identified affected services and APIs
-* Traced attack origin to specific geographic regions and IPs
-* Validated malicious actors using threat intelligence
-* Quantified impact on latency and error rates
+### Time range
-From here, you can continue refining or take action like blocking malicious IPs, [opening the query in Log Search](#open-in-log-search), [adjusting the time range](#time-range), [editing the query logic](#edit-query-code), or [starting over with a new chat](#new-conversation).
+By default, searches run with a 15-minute time range. If a search does not return results, expand the time range.
-### Working with Query Agent
+Click the clock icon and select your desired time range from the drop-down, then click the blue search button.
-#### Time range
+
-By default, Query Agent searches run with a 15-minute time range. If your search does not return any results, consider expanding the time range.
+Mobot understands relative time expressions. Use `last X` or `past X` with time units for rolling time windows:
-Click the clock icon (see below), select your desired time range from the dropdown, then click the blue search button.
+* `within the last 60 minutes`
+* `in the last 6 months`
+* `over the last 7 days`
+* `in the last 24 hours`
+* `last 48 hours`, `last 90 days`, `last 12 months`
+* `last week`, `last month`, `last night` (as rolling ranges)
-
+### Chart type
-#### Chart type
+Mobot automatically visualizes data results, or you can change it to a different [chart type](/docs/dashboards/panels), such as **Table**, **Bar**, **Column**, **Line**, **Area**, **Pie**, **Scatter**, **Map**, or **Bubble**. In this example, we convert the table data to a map visualization.
-Query Agent automatically visualizes your data. For example, a query like "Top ip by geo" triggers a geo lookup and displays results on a map.
+
-
+Mobot uses the following rules to deduce chart type automatically:
+* If both latitude and longitude fields exist, it returns a **Map** chart.
+* If there is only one field and one record, it returns a single value panel.
+* If a `sort` operator is present and there are string fields, it returns a **Table**.
+* If there is a `_timeslice` field, it returns a **Line** chart if there are numeric fields, or a **Table** if there are string fields.
+* If there is one string field, one numeric field, and the record count is less than 6, it returns a **Pie** chart.
+* If there is one string field, less than 3 numeric fields, and the record count is less than 20, it returns a **Line** chart.
+* If none of the above conditions are met, it defaults to a **Table**.
-Select your preferred chart type, such as **Table**, **Bar**, **Column**, or **Line** view to visualize your results. You can also click **Add to Dashboard** to export an AI-generated dashboard for root cause analysis.
+Click **Add to Dashboard** to export an AI-generated dashboard for root cause analysis.
-
+
-The following rules are used to deduce chart type:
-* If both latitude and longitude fields exist, it returns a MAP chart type.
-* If there is only one field and one record, it returns an SVP chart type. Example query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | count`
-* If a `sort` operator is present and there are string fields, it returns a TABLE. Given that there is a `sort` operator, probably the user is interested in `count`. Query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | sort by _count`
-* If there is a `_timeslice` field, it returns a LINE chart type if there are numeric fields or a TABLE chart type if there are string fields.
-* If there is one string field, one numeric field, and record count is less than 6, it returns a PIE chart type. Query: `(_sourceCategory=ic/linux/gcp) | count by %"_sourcename"`.
-* If there is one string field, less than 3 numeric fields, and record count is less than 20, it returns a LINE chart.
-* If none of the above conditions are met, it defaults to returning a TABLE chart type.
+### Edit query code
-#### Edit query code
+You can manually change the log search query generated by Mobot by clicking in the code editor field, editing your query, then clicking the blue search button (magnifying glass).
-Optionally, you can manually edit your log search query code.
+})
-1. Click the search button.
-
-#### Open in Log Search
-
-Open your query in [Log Search](/docs/search) to access Sumo Logic's full search functionality. This allows you to continue investigating, refining your query, take action, or save the search for later.
-
-There are two ways to do this:
-
-* From your conversation, click **View results**.
-* From the query section, click the **Open in Log Search** icon.
-
-#### My Conversations
+### Open in Log Search
-To resume a conversation, go to the **My Conversations** list and click on the one you're looking for.
+Open your query in [Log Search](/docs/search) to access full search functionality, take action, or save the search for later. There are two ways to do this:
-This conversation history feature saves all previous queries and suggestions, allowing you to backtrack and refine your investigation. For example, if a status code analysis yields inconclusive results, you can revisit earlier queries to explore other possibilities. This functionality can also be useful when you're working on multiple incidents at the same time.
+From your conversation, click on a results bubble.
-#### Edit conversation title
+Or, from the query section, click **Open in Log Search**.
-Query Agent automatically updates conversation titles based on your query. You can also set a custom title by hovering over your conversation in the **My Conversations** pane, then clicking the "Rename" pencil icon. This helps keep investigations organized and easier to revisit.
+### Audit Mobot queries
-#### New Conversation
-
-To start a fresh exploration, click **New Conversation**. This clears your current session and allows you to begin with a clean slate.
-
-
-
-#### View Query Agent queries
-
-Account administrators can view queries generated by Query Agent for users in their organization using the search audit index.
+:::info Prerequisites
+* You need to be an account administrator.
+* The [search audit index](/docs/manage/security/audit-indexes/search-audit-index) needs to be enabled for your organization.
+:::
-Prerequisites:
-* You must be an account administrator.
-* The [search audit index](/docs/manage/security/audit-indexes/search-audit-index) must be enabled for your organization.
+Administrators can audit queries generated by Mobot using the search audit index.
-To view Query Agent queries:
+To view Mobot queries:
1. Open **Log Search**.
1. Use the following query:
```sumo
@@ -273,266 +225,301 @@ To view Query Agent queries:
| where query_type in ("Query Agent")
| count user_name, query
```
-1. Set your time range to cover the period when Query Agent queries were run (for example, last 24 hours).
+1. Set your [time range](#time-range) to cover the period when queries were run (for example, last 24 hours).
-This allows you to audit and review natural language queries submitted to Query Agent along with the generated log search queries.
+## Managing conversations
-### Tips for better answers
+### My conversations
-Get the most out of Query Agent by following these tips:
+To resume a conversation, go to the **My Conversations** panel and click the one you want.
-* **Talk to it like a conversation**. Layer refinements instead of rewriting the whole question. For example, start with "Show me API errors" and then follow up with "group by status code" and "show the last 6 hours".
-* **Be specific**. Combine filters, units, and percentiles in clear language. Instead of "Show me errors", try "Show me 500 errors from the API service, grouped by status code" Query Agent performs better with explicit filters, time ranges, and field names.
-* **Start with a broad query**. Begin with a query like "Show me the most recent logs" to understand the structure and available fields in your logs, then refine from there.
-* **Ask about data tied to dashboards**. Query Agent works best when you reference data sources that already have dashboards built on them. Try asking questions using dashboard panel names or descriptions, even if built on unstructured logs.
-* **Disambiguate field names**. If fields have similar names and cause confusion, explicitly specify the field (for example, `
-### Sample queries
+### Share conversation
-Below are examples of how you can phrase queries:
+You can share a specific conversation with other users, which can be useful for reporting issues or sharing examples with your team.
-#### Basic patterns
+1. Click the **Share** icon.
+1. In the **Share Conversation** dialog:
+ * **Share with specific users and roles**. Enter names, roles, or your entire organization in **Add people or roles...** to grant them access to the conversation.
+ * **See who has access**. Expand to view a list of everyone who currently has access to the conversation.
+ * **Get sharable URL**. Copy a URL that opens the conversation for anyone with access.
+1. Click **Done**.
-* `Count logs by` [field(s)] and `Group logs by` [field(s)] produce the same result
-* `Sort by` [field(s)] [in descending order]
-* `Percentage by` [field] `values`
-* `Find` [stat] `for` [field] (max, min, standard deviation, etc.)
-* `Filter by` [field] `contains` [keyword]
- :::note
- Keyword searches are case-sensitive.
- :::
-* `Apply logreduce to logs`
+## Tips for better results
-#### Common use cases
+### Start with a clear question
-* Detecting malicious activity:
- ```
- Count logs by action. Sort the results.
- Filter results by action contains Malicious.
- ```
-* Advanced analysis with users and URLs:
- ```
- Count logs by action, url, user.
- Sort the results. Filter results by action contains Malicious.
- ```
-* Root cause analysis for latency:
- ```
- Calculate 95th percentile latency by service and API.
- ```
+* **Describe the outcome**. Start with a business question instead of query syntax. For example, ask `Are API errors increasing?` instead of starting with operators and fields.
+* **Include relevant context**. Specify a service, source, time range, unit, or field name when you know it. `Show me 500 errors from the API service, grouped by status code` provides more context than `Show me errors`.
+* **Start broad when exploring unfamiliar data**. Ask `Show me the most recent logs` to learn which fields are available, then refine the result.
+* **Ask complete how-to questions**. Instead of typing `Collectors`, ask `How do I install a Collector on Windows?`
-* Network activity analysis:
- * `Analyze risk and severity of network activity`
- * `Identify top application categories accessed`
+### Refine the conversation
+* **Layer refinements**. Start with `Show me API errors`, then follow up with `Group by status code` and `Show the last 6 hours` instead of rewriting the entire question.
+* **Correct unexpected results**. Tell Mobot what to change. For example, ask `Do not filter by namespace. Group by error type instead` or `Use P90 instead of P50`.
+* **Clarify field names**. If similar names cause confusion, specify the field explicitly, such as `
-1. As soon as you do that, you can look at the suggested follow-up queries, which are curated based on their relevance to this Cloud SIEM source. In this example, we'll pick a suggested query to compare results to the last hour: `Count logs by action. Sort the results. versus the previous 1h`
-1. Switching to table view, you notice "Malicious" in the search results. So, you add in `Filter results by action contains Malicious` to the query: `Count logs by action. Sort the results. Filter results by action contains Malicious.`
- :::note
- If `Malicious` does not work, try `Malicious*`. Sumo Logic is case sensitive.
- :::
-1. Next, you look for URLs that pertain to the malicious action: `Count logs by action, url, user. Sort the results. Filter results by action contains Malicious.`
-
-1. Even though the activity was blocked, you can investigate the affected users in the endpoint records next.
+### Improve how-to answers
-To summarize, you conclude there is malicious activity originating from certain users who need to be investigated further.
+* **Provide troubleshooting details**. For example, ask `I'm getting a 403 error when setting up an AWS integration. What could be wrong?`
+* **Reference specific features**. Use product names when you know them. `How do I use Field Extraction Rules?` provides more context than `How do I extract fields?`
+* **Follow up naturally**. If the initial answer is close, refine it with a question such as `What about Azure instead of AWS?`
-### Requirements and limitations
+## Example prompts
-#### Compatible log formats
+Use these prompts as starting points. After Mobot responds, refine the result through follow-up questions. For examples of complete multi-turn investigations, see [Example workflows](#example-workflows).
-Query Agent querying is compatible with JSON logs, partial JSON logs, and unstructured logs with Field Extraction Rules. It cannot be used to query metrics or trace telemetry.
-
-To retrieve a list of `_sourceCategories` with JSON data, use the following query:
-
-```sumo
-_sourceCategory=* "{" "}"
-| limit 10000 | logreduce keys noaggregate
-| count by _sourceCategory, _schema
-| where _schema != "unknown"
-| sum(_count) by _sourceCategory
-```
-
-If your log query contains a mix of JSON and non-JSON formatting (for example, if a log file is partially JSON), you can isolate the JSON portion by adding a left curly brace (`{`) to the source expression to trigger **Suggestions**.
-
-#### Role Based Access Control
-
-Role Based Access Control (RBAC) is not supported for contextual suggestions and autocompletions. It is possible for a user who is blocked by [log search RBAC](/docs/manage/users-roles/roles/construct-search-filter-for-role/) to view suggestions or completions for unpermitted source expressions. However, they will not be executed by the search.
+:::note
+Keyword searches are case-sensitive.
+:::
-#### Search behavior and data tier access
+### Security investigations
+
+* `Look into any unusual login attempts from yesterday`.
+* `Are there any signs of data exfiltration in our environment today?`
+* `Have any IP addresses or domains in my logs been flagged by threat intelligence?`
+* `Count logs by action and sort the results`.
+ * Follow up with `Filter results where action contains Malicious`.
+* `Count logs by action, URL, and user`.
+ * Follow up with `Sort the results and filter where action contains Malicious`.
+* `Analyze the risk and severity of network activity`.
+ * Follow up with `Identify the top application categories accessed`.
+
+
+
+### Observability investigations
+
+* `Are there any error spikes in the last 15 minutes? Investigate the cause`.
+* `Analyze latency anomalies or slow requests in the last hour`.
+* `Are there any timeouts or connection failures in the last hour?`
+* `Calculate 95th percentile latency by service and API`.
+
+
+
+### Platform administration investigations
+
+* `What data sources are available?`
+* `Have any Collectors gone silent in the last few hours?`
+* `Show me the users who scanned the most data last week`.
+
+### Sumo Logic how-to questions
+
+* `What is Mobot?`
+* `How do I configure OpenTelemetry for my service?`
+* `How do I add a Collector for AWS CloudTrail?`
+* `What's the difference between a scheduled search and a real-time alert?`
+* `Why isn't my Collector sending data?`
+* `What are the API endpoints for Sumo Logic?`
+
+### Query syntax
+
+If you'd rather work with explicit query syntax, Mobot recognizes these patterns too:
+
+* `Count logs by [fields]` and `Group logs by [fields]` produce the same result.
+* `Sort by [fields] [in descending order]`.
+* `Percentage by [field] values`.
+* `Find [statistic] for [field] (max, min, standard deviation, and so on)`.
+* `Apply logreduce to logs`.
+* `Filter by [field] contains [keyword]`.
+
+## Additional considerations
+
+### Compatible log formats
+
+Mobot works with JSON logs, partial JSON logs, and unstructured logs. It cannot query metrics or trace telemetry.
+
+Mobot applies parsing logic to unstructured logs (raw, text-based log data that doesn't follow a structured format like JSON) without requiring Field Extraction Rules (FERs). It prioritizes unstructured logs that are already used in dashboards, so it may not interpret every raw log source right away—support continues to expand beyond dashboards over time.
+
+* **Broader coverage**. Mobot parses and generates insights from unstructured log formats, even without FERs, making it useful for environments with custom or inconsistent log types.
+* **Performance and reliability**. Response times and suggestion accuracy are consistent with Mobot's structured log experience.
+* **Security and compliance**. The same strict data handling and privacy standards apply.
-Query Agent follows the same search behavior as standard log search and respects your account’s data configuration, whether you're on Flex pricing or tiered pricing.
+:::tip
+If a log file contains a mix of JSON and non-JSON formatting, isolate the JSON portion by adding a left curly brace (`{`) to the source expression: `(_sourceCategory=monitor-manager "{") | count by %"customerid"`
+:::
-##### Flex pricing
+### Role-based access control
-If you're on [Flex pricing](/docs/manage/partitions/flex), all data is stored in a single intelligent layer and pricing is based on the volume of data scanned.
+Role-based access control (RBAC) is not supported for contextual suggestions and autocompletions. A user blocked by [log search RBAC](/docs/manage/users-roles/roles/construct-search-filter-for-role/) may see suggestions for unpermitted source expressions, but those searches will not execute.
-##### Tiered pricing
+### Search behavior and data tier access
-If you're on a [tiered pricing](/docs/manage/partitions/data-tiers/searching-data-tiers/) plan such as Continuous Tier, Frequent Tier, or Infrequent Tier:
+Mobot follows the same search behavior as standard log search and respects your account's data configuration.
-* Query Agent searches across *continuous data tiers only*, unless otherwise specified.
-* To query a specific tier, include the `_dataTier` field in your prompt. For example, to search the Infrequent tier:
+* **Flex pricing**. If you are on [Flex pricing](/docs/manage/partitions/flex), all data is stored in a single intelligent layer and pricing is based on the volume of data scanned.
+* **Tiered pricing**. If you are on a [tiered pricing](/docs/manage/partitions/data-tiers/searching-data-tiers/) plan, Mobot searches across continuous data tiers only, unless you specify otherwise. To query a specific tier, include the `_dataTier` field in your prompt. For example:
```sumo
_dataTier=Infrequent
```
+### Known limitations
-## Knowledge Agent
+Mobot continues to evolve. Current limitations include:
-Knowledge Agent is Sumo Logic's in-platform assistant for learning how to use the product. Ask how-to questions and get answers sourced directly from official Sumo Logic documentation.
+**Use cases**
+* Log analysis only. Metrics, traces, and other telemetry types are not supported.
+* Capabilities are constrained by available skills. Domain intelligence and planning capabilities are still evolving.
-
+**Access and actions**
+* Read-only. Mobot can query and analyze data but cannot modify, delete, or ingest data.
+* Cannot create or manage dashboards, monitors, or scheduled searches.
+
+* No access to external systems (for example, CRM, databases, APIs, PagerDuty, Jira, or Splunk).
-