Behavior Insights
Behavior Insights is a set of three new log search operators that accelerate insights, troubleshooting, and action plans for structured logs. About 23% of the daily log ingest volume is JSON data, and that share of total log volume keeps growing, driven by modern applications and by the logs of the underlying cloud platforms (AWS, GCP, Azure) and orchestrators. Behavior Insights helps answer the following questions for SecOps, DevOps, and business users:
- What activity patterns are evident from structured logs? What patterns are trending?
- Which groups of users, apps, services, or resources are responsible for activity in logs?
- Which groups of users, apps, services, or resources are responsible for unusual activity in logs?
Modeled after our LogReduce log summarization feature, the two Behavior Insights operators below cluster logs in two different ways: by their structure (schema) and by the content of their activity (values).
- LogReduce Keys clusters JSON logs by their keys, giving an at-a-glance summary of the schemas present in the logs while ignoring the specific values.
- LogReduce Values clusters JSON logs by the values of keys you specify.
The third Behavior Insights operator, LogExplain, helps find the root cause of outliers in logs, based on conditions you specify.
Guide contents
In this section, we will introduce the following concepts:
LogExplain
The LogExplain operator allows you to compare sets of structured logs based on events you are interested in. Structured logs can be in JSON, CSV, key-value, or any structured format. Logs relevant to troubleshooting and security insights are often scattered among other logs that show expected behavior and performance. These two groups of logs typically differ in content, so it is helpful to see which values occur more often in events of interest than in normal-operation logs. For example, events of interest often contain information relevant to persistent errors, excess load, and high latency.
LogReduce Keys
The LogReduce Keys operator allows you to quickly explore JSON or key-value formatted logs by schema. If you have a large volume of JSON or key-value logs in different formats and aren't sure which ones you need to focus on, this operator reduces them to their object schemas so you can review which ones are relevant to your needs.
LogReduce Values
The LogReduce Values operator allows you to quickly explore structured logs by known keys. Structured logs can be in JSON, CSV, key-value, or any structured format. Unlike the LogReduce Keys operator, LogReduce Values requires you to specify the keys you want to explore. The values of each specified key are parsed and aggregated for you to explore.