splunk

Ingesting, indexing, and analyzing machine and application logs with Splunk by writing SPL searches, building dashboards and alerts, configuring forwarders and data models, managing indexes and retention, and tuning queries and role-based access for operational monitoring and incident investigation.

splunk

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

This work addresses the challenges of efficiently analyzing large-scale, dynamically evolving semi-structured logs under conditions of label scarcity and distribution shift, which hinder system reliability and AIOps advancement. It presents the first unified task taxonomy for log analysis driven by large language models (LLMs), offering a systematic survey of their application across the full log analysis pipeline—including log generation, parsing, anomaly detection, and root cause analysis. Through structured analysis of 145 studies, the paper identifies five core design paradigms: prompt engineering, retrieval augmentation, fine-tuning, agent collaboration, and result verification. It further synthesizes the state of research, datasets, and evaluation practices across seven key tasks, while highlighting critical challenges in robustness, trustworthiness, and reproducibility, thereby providing a comprehensive roadmap for reliable LLM-based log intelligence.

AIOpsdata driftlarge language models

Must-Read Papers

Most classic and influential ideas
View more

This work proposes an automated, dynamic threat-hunting framework that integrates AI agents with the Splunk SIEM platform to address the evolving challenges posed by advanced persistent threats (APTs) and the inefficiencies in processing massive volumes of heterogeneous logs within security operations centers (SOCs). The framework uniquely combines a reconstruction-based autoencoder, a two-layer deep reinforcement learning architecture, and a large language model to establish a policy-guided, context-aware autonomous hunting mechanism. This enables an end-to-end closed-loop pipeline—from traffic ingestion and anomaly detection to risk prioritization. Experimental results demonstrate that the approach adaptively aligns with diverse SOC objectives and effectively identifies suspicious and malicious network traffic on both public and simulated datasets, significantly enhancing analysts’ decision-making efficiency.

Advanced Persistent ThreatsCybersecurityLog Analysis

To address the infeasibility of manual analysis for large-scale IT system logs, this paper proposes a lightweight log analysis framework leveraging large language models (LLMs). The method introduces a CPU-efficient inference mechanism that significantly improves LLM throughput on resource-constrained hardware without compromising semantic understanding fidelity. It integrates log parsing, contextual modeling, and fault-oriented semantic reasoning to enable end-to-end automated diagnosis. Deployed in production, the system supports 70 software products and has processed over 2,000 incident tickets. Empirical evaluation demonstrates an average monthly reduction of more than 300 human labor hours compared to conventional approaches—equivalent to approximately USD 15,444 in cost savings. The framework thus advances practical, scalable, and cost-effective LLM-based log analytics for real-world operational environments.

Automating log analysis for massive IT system logsProcessing large log volumes efficiently using LLMs on CPUsReducing manual effort in IT issue diagnosis and support

Applying Process Mining on Scientific Workflows: a Case Study

Jul 06, 2023
ZS
Zahra Sadeghibogar
🏛️ RWTH Aachen University

SLURM logs in HPC scientific workflows lack explicit case identifiers, hindering direct application of process mining. Method: This paper proposes an automatic job-correlation method based on implicit job dependency modeling—parsing SLURM logs and jointly leveraging spatiotemporal job feature matching and graph-structured modeling to achieve end-to-end clustering of unannotated jobs. Contribution/Results: We introduce the first systematic preprocessing framework for process mining on HPC logs, integrating algorithms such as Heuristics Miner to support process discovery and bottleneck diagnosis. Evaluated on real-world HPC cluster logs, our approach significantly improves workflow traceability, accurately identifies I/O- and scheduler-related performance bottlenecks, and enables high-fidelity reconstruction of end-to-end process models.

Correlate jobs with explicit or implicit dependencies.Document workflows and identify performance bottlenecks.Extract case IDs from SLURM-based HPC logs.

Security logs exhibit diverse and semi-structured formats, making traditional parsing approaches heavily reliant on extensive engineering effort, while direct querying struggles to capture complex temporal patterns and cross-event semantics. This work proposes a natural language–to–log query code generation method that eliminates the need for custom parsers by leveraging lightweight, automatically extracted log format context to guide large language models in translating natural language security questions into executable query code. The approach requires only a single model invocation followed by deterministic execution. Evaluated across five log types and 133 security queries, the method reduces error rates by more than threefold compared to handcrafted scripts, demonstrating particularly significant improvements in critical tasks involving multi-line event correlations.

log parsinglog queryingsecurity logs

LogLM: From Task-based to Instruction-based Automated Log Analysis

Oct 12, 2024
YL
Yilun Liu
🏛️ Huawei | Nankai University

Existing log analysis models are task-specific, rely heavily on domain-specific annotated data, exhibit poor generalization, and struggle with complex or unseen instructions. Method: We propose LogLM, an instruction-driven large language model for log analysis, which unifies diverse log tasks—including anomaly detection, parsing, and summarization—into a standardized instruction-response format. LogLM is adapted to the log domain via multi-task instruction tuning and log-specific instruction engineering. It accepts natural-language instructions and supports zero-shot cross-task transfer. Contribution/Results: Experiments demonstrate that LogLM outperforms all state-of-the-art methods across five core log analysis tasks. It exhibits strong generalization to complex instructions and previously unseen tasks. As a single unified model, LogLM replaces multiple specialized models, significantly improving deployment efficiency and task-agnostic capability.

Log AnalysisModel AdaptabilityTask Generalization

Latest Papers

What's happening recently
View more

This work proposes an automated log aggregation and analysis framework based on large language models to address the growing challenge of log analysis in increasingly complex systems, where engineers traditionally rely on domain expertise to manually craft intricate LogQL queries. The framework enables end-to-end generation of LogQL queries from natural language instructions by integrating a hierarchical log knowledge base, natural language understanding, knowledge retrieval, and tool invocation mechanisms. Evaluated on four real-world log datasets, the approach achieves an average accuracy of 76.8%, significantly outperforming existing baselines and demonstrating its effectiveness and practicality for log analysis tasks.

DSL queryfault diagnosislog aggregation

This work addresses the challenges of root cause diagnosis in large-scale microservice systems, where existing approaches are hindered by massive log volumes, limited LLM context windows, and insufficient semantic reasoning and interpretability. The authors propose a neuro-symbolic hybrid method that emulates Site Reliability Engineers’ manual troubleshooting process through a six-stage pipeline for log sampling, template clustering, and anomaly ranking, producing a concise evidence package for LLM-based root cause inference. This approach compresses raw logs by 1,000–7,000× while preserving critical failure signals and provides auditable log templates and statistical evidence, substantially enhancing interpretability and practicality. Evaluated on 11 real-world incidents, the method achieves an MRR of 0.790 and ranks the correct root cause within the top three candidates in over 90% of cases within one minute, earning strong endorsement from operations teams.

incident diagnosislarge-scale systemslog analysis

This work addresses the inefficiencies in security alert investigation caused by overwhelming alert volumes, lack of contextual information, and the manual correlation of multi-source logs. To tackle these challenges, the authors propose an intelligent agent workflow grounded in large language models (LLMs), which emulates real-world analyst reasoning. The approach leverages constrained tool invocations—specifically structured SQL queries over Suricata logs and grep-based text searches—to autonomously conduct initial alert triage, encompassing data summarization, query formulation, evidence extraction, and verdict determination. Innovatively, the LLM is embedded within a controlled collaborative framework that prevents direct exposure to high-noise, unstructured data. Experimental results demonstrate that this workflow significantly improves alert classification accuracy compared to baseline LLM approaches without workflow support, thereby substantially reducing manual investigative burden.

alert investigationcontext deficiencylog correlation

This study addresses the challenge in Security Operations Centers (SOCs) where system logs, often structured in rigid templated formats, hinder both automated analysis and human interpretability, thereby limiting anomaly detection efficiency. To bridge this gap, the authors propose an auditable, deterministic log rewriting mechanism that transforms parsed log templates into natural-language-style WHO-WHAT-SEVERITY sentences. This approach integrates lightweight dense encoding with coverage validation to yield an interpretable and pre-deployment-verifiable log representation layer. Building upon this foundation, the method employs TF-IDF weighting, tree-based ensemble classification, and TreeSHAP for post-hoc explainability, achieving low-latency, low false-positive anomaly detection. Experimental results demonstrate superior performance over existing baselines on the HDFS, BGL, and AIT datasets, highlighting its suitability for SOC triage scenarios.

false-positive ratelog anomaly detectionlog interpretability

Existing REST API testing approaches often fail to effectively cover business-sensitive functionality due to the absence of business-level constraints. This work proposes LoBREST, the first method to incorporate business context derived from historical request logs into REST API testing. By slicing operation sequences, identifying missing operations, and completing resource dependencies, LoBREST constructs business-aware enhanced inputs and integrates them with a business-logic-guided fuzzing strategy, thereby overcoming the limitations of specification-driven testing. Evaluation on 17 real-world services demonstrates that LoBREST substantially outperforms eight state-of-the-art tools, achieving 2.1× higher operation coverage and 1.2× greater line coverage on average, while uncovering 108 distinct 5XX errors—38 of which were uniquely identified by LoBREST.

business constraintsmicroservicesREST API testing

Hot Scholars

DT

Daniel Tamayo

Harvey Mudd College
Orbital DynamicsPlanetary ScienceChaos
HR

Hanno Rein

University of Toronto
astrophysicsdynamicsplanetary systemsexoplanets
GG

Golden G. Richard III

Professor of Computer Science, Louisiana State University
digital forensicsmemory forensicsreverse engineeringmalware analysis
PD

Patrick Diehl

Los Alamos National Laboratory
Crack and fracture mechanicsPeridynamicsHPCHPX
HK

Harrison Katz

Forecasting Data Science, Airbnb
StatisticsForecastingBayesian Data AnalysisCompositional Time Series