Abstract: Methods, systems, and computer programs are presented for providing contextual suggestions and automated responses to users managing incidents within production or security environments. The system utilizes a combination of user-provided data and contextual analysis to proactively offer solutions and insights without requiring explicit queries from the user. The system integrates out-of-the-box insights, natural language interactions, and remediation flows into a cohesive user experience, incorporating playbooks enhanced by automation while leveraging user data and interaction history to tailor suggestions. The system includes a predictive analysis mechanism that runs analyses on relevant data sources, identifying unusual results and generating potential queries. A large language model (LLM) is integrated for generating questions and analyses, with a ranking system prioritizing insights based on machine learning models.

Abstract: Methods, systems, and computer programs are presented for automatic evaluation of security incidents. One method includes receiving a resolution status, for a set of insights, indicating if each insight was a true or a false positive. A global training set, comprising the resolution status for the insights, is generated, and a local training set with a subset of the insights associated with a first user. A machine-learning (ML) program is trained, using the global training set, to obtain a global model, and using the local training set to obtain a local model for the first user. When a new insight for the first user is detected, a global score is obtained using the global model, and a local score is obtained using the local model. A confidence score, calculated based on the global and local scores, is presented as an indication of an estimated severity of the new insight.

Abstract: Techniques are presented for recommending queries to search log information. The system provides useful insights and recommendations based on user needs and queries by utilizing the user context, with information about the user activities (e.g., recent alerts) and the user configuration in the system (e.g., applications configured by the user), to provide recommendations. There may not be enough context for a new user to provide good recommendations, so the system determines the context based on the activities of other users, such as more experienced users or users investigating the same type of problem. Based on the context, the user recommends natural language queries (NLQ) or system queries to accelerate the search process and assist the user during an investigation. Further, NLQs may be converted to complex search queries that use the search query language, and the NLQs may also be used as part of the context for the subsequent recommendations.

Abstract: Methods, systems, and computer programs are presented to generate response information for an alert. One method includes an operation for detecting an alert based on incoming log data or metric data and for calculating information for panels to be presented on a response-alert page. Calculating the information includes calculating first performance values for a period associated with the alert, calculating second performance values for a background period where the alert condition was not present, and calculating a difference between the first performance values and the second performance values. Further, the method includes an operation for selecting, based on the difference, relevant performance values for presentation in one of the panels. The response-alert page is presented with at least one of the panels based on the selected relevant performance values.

Abstract: Methods, systems, and computer programs are presented for generating recommendations to update the severity of a rule for incident-detection. One method includes accessing a resolution status for insights generated based on an evaluation of rules, each rule associated with a weight. The method determines, based on the resolution status, if each insight corresponds to a true positive (TP) or a false positive (FP), and optimizing values for the weights of the one or more rules to lower the number of FPs. The optimizing comprises identifying an objective function based on predicted values for the insights and the insights resolution status, identifying one or more constraints, and using a solver to obtain the optimized values for the weights. A recommendation to change the weight associated with at least one rule is presented on a user interface based on the optimized values for the at least one rule.

Abstract: Methods, systems, and computer programs are presented to generate response information for an alert. One method includes an operation for detecting an alert based on incoming log data or metric data and for calculating information for panels to be presented on a response-alert page. Calculating the information includes calculating first performance values for a period associated with the alert, calculating second performance values for a background period where the alert condition was not present, and calculating a difference between the first performance values and the second performance values. Further, the method includes an operation for selecting, based on the difference, relevant performance values for presentation in one of the panels. The response-alert page is presented with at least one of the panels based on the selected relevant performance values.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster log messages according to values for keys associated with the request. At least a portion of each log message comprises structured machine data including a set of key-value pairs. The method further includes receiving a log message and determining whether to include the log message in a cluster based at least in part on an evaluation of values in the structured machine data of the log message for the keys associated with the request. The cluster is included in a set of clusters. Each cluster in the set is associated with a different combination of values for the keys associated with the request. The method further includes providing, via the user interface, information associated with the cluster.

Abstract: Methods, systems, and computer programs are presented for problem detection based on deviations from the forecasted behavior of a metric. One method includes an operation for selecting a machine learning (ML) model for predicting future values of a time series for a metric. Further, the method includes forecasting, using the ML model, values of the metric for a forecast period. Afterwards, actual values of the metric are collected during the forecast period, and the actual values are compared to the forecasted values. The method further includes operations for determining an anomaly in a behavior of the metric based on the comparison, and causing presentation in a computer user interface (UI) of the anomaly.

Abstract: Data enrichment and augmentation is disclosed. Machine data comprising at least one of a log message and a metrics data point is received. The received machine data comprises an identifier of an instance of a virtual machine. Based at least in part on the identifier of the instance of the virtual machine, a query for tags associated with the instance of the virtual machine is performed. At least one key-value pair is generated based at least in part on tags received in response to the query performed based at least in part on the identifier of the instance of the virtual machine. The received machine data is augmented with the at least one key-value pair generated based at least in part on the tags received in response to the query based at least in part on the identifier of the instance of the virtual machine.

Abstract: Methods, systems, and computer programs are presented for automatic evaluation of security incidents. One method includes receiving a resolution status, for a set of insights, indicating if each insight was a true or a false positive. A global training set, comprising the resolution status for the insights, is generated, and a local training set with a subset of the insights associated with a first user. A machine-learning (ML) program is trained, using the global training set, to obtain a global model, and using the local training set to obtain a local model for the first user. When a new insight for the first user is detected, a global score is obtained using the global model, and a local score is obtained using the local model. A confidence score, calculated based on the global and local scores, is presented as an indication of an estimated severity of the new insight.

Abstract: Methods, systems, and computer programs are presented to generate response information for an alert. One method includes an operation for detecting an alert based on incoming log data or metric data and for calculating information for panels to be presented on a response-alert page. Calculating the information includes calculating first performance values for a period associated with the alert, calculating second performance values for a background period where the alert condition was not present, and calculating a difference between the first performance values and the second performance values. Further, the method includes an operation for selecting, based on the difference, relevant performance values for presentation in one of the panels. The response-alert page is presented with at least one of the panels based on the selected relevant performance values.

Abstract: Querying of time-aware metrics time series includes receiving a query, the query comprising a set of query metadata and a query time range. It further includes, based at least in part on the set of query metadata and the query time range, selecting a time series from a plurality of metrics time series. Each metrics time series in the plurality of metrics time series is associated with a set of metadata and an active interval of time. A set of metadata associated with the selected time series matches the set of query metadata, and an active interval of time associated with the selected metrics time series intersects with the query time range. The selected metrics time series is returned.

Abstract: Key name synthesis is disclosed. A metrics data point is received. Based at least in part on a translation statement, at least a portion of the received metrics data point is associated with a key specified by the translation statement such that the specified key and the associated at least portion of the received metrics data point form a key-value pair. The key-value pair is associated with the received metrics data point.

Abstract: Analyzing log data, such as security log data and machine data, is disclosed. A baseline is built for a set of machine data. The baseline is built at least in part by determining a plurality of signature profiles for a plurality of respective time slices. An occurrence of an anomaly associated with the source of the machine data is determined. The occurrence is determined at least in part by determining that received machine data does not conform to the baseline within a threshold.

Abstract: Clustering structured log data by key schema includes receiving a raw log message. At least a portion of the raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a map of keys to values. It further includes using the received map of keys to values to determine a key schema of the structured machine data. The key schema is associated with a corresponding cluster. It further includes associating the raw log message with the cluster corresponding to the determined key schema.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster log messages according to values for keys associated with the request. At least a portion of each log message comprises structured machine data including a set of key-value pairs. The method further includes receiving a log message and determining whether to include the log message in a cluster based at least in part on an evaluation of values in the structured machine data of the log message for the keys associated with the request. The cluster is included in a set of clusters. Each cluster in the set is associated with a different combination of values for the keys associated with the request. The method further includes providing, via the user interface, information associated with the cluster.

Abstract: Clustering structured log data by key-values includes receiving, via a user interface, a request to apply an operator to cluster a set of raw log messages according to values for a set of keys associated with the request. At least a portion of each raw log message comprises structured machine data including a set of key-value pairs. It further includes receiving a raw log message in the set of raw log messages. It further includes determining whether to include the raw log message in a cluster based at least in part on an evaluation of values in the structured machine data of the raw log message for the set of keys associated with the request. The cluster is included in a plurality of clusters. Each cluster in the plurality is associated with a different combination of values for the set of keys associated with the request. It further includes providing, via the user interface, information associated with the cluster.

Abstract: Logs to metrics synthesis includes receiving a log message. It further includes translating the log message into a metrics data point comprising a timestamp, a metric name, a metric value, and a set of metadata key-value pairs. It further includes determining a time series in which to insert the metrics data point into which the log message was translated. It further includes inserting the metrics data point into the determined time series. It further includes updating a metadata catalog based at least in part on the metrics data point.

Abstract: Key name synthesis is disclosed. A metrics data point is received. Based at least in part on a translation statement, at least a portion of the received metrics data point is associated with a key specified by the translation statement such that the specified key and the associated at least portion of the received metrics data point form a key-value pair. The key-value pair is associated with the received metrics data point.

Abstract: Key name synthesis is disclosed. A metrics data point is received. Based at least in part on a translation statement, at least a portion of the received metrics data point is associated with a key specified by the translation statement such that the specified key and the associated at least portion of the received metrics data point form a key-value pair. The key-value pair is associated with the received metrics data point.