Score
Ingesting, indexing, and analyzing machine and application logs with Splunk by writing SPL searches, building dashboards and alerts, configuring forwarders and data models, managing indexes and retention, and tuning queries and role-based access for operational monitoring and incident investigation.
Traditional security log analysis methods suffer from low efficiency, high false-positive rates, and poor interpretability. Method: This paper presents the first systematic meta-analysis of large language model (LLM)-driven log analysis, synthesizing insights from 127 state-of-the-art studies through bibliometric analysis, methodological comparison, and cross-modal representation evaluation. Contribution/Results: We propose the first holistic taxonomy framework for LLM-based log analysis; identify critical gaps—including insufficient log format robustness and lack of causal reasoning—and derive design principles for scalable, standardized evaluation benchmarks. We categorize six mainstream technical paradigms (e.g., fine-tuning, retrieval-augmented generation, in-context learning), distill four persistent bottlenecks, and outline seven concrete future research directions. Our work delivers a theoretical roadmap and practical guidelines for automated threat detection and interpretable log auditing.
This work addresses the challenges of efficiently analyzing large-scale, dynamically evolving semi-structured logs under conditions of label scarcity and distribution shift, which hinder system reliability and AIOps advancement. It presents the first unified task taxonomy for log analysis driven by large language models (LLMs), offering a systematic survey of their application across the full log analysis pipeline—including log generation, parsing, anomaly detection, and root cause analysis. Through structured analysis of 145 studies, the paper identifies five core design paradigms: prompt engineering, retrieval augmentation, fine-tuning, agent collaboration, and result verification. It further synthesizes the state of research, datasets, and evaluation practices across seven key tasks, while highlighting critical challenges in robustness, trustworthiness, and reproducibility, thereby providing a comprehensive roadmap for reliable LLM-based log intelligence.
This work proposes an automated, dynamic threat-hunting framework that integrates AI agents with the Splunk SIEM platform to address the evolving challenges posed by advanced persistent threats (APTs) and the inefficiencies in processing massive volumes of heterogeneous logs within security operations centers (SOCs). The framework uniquely combines a reconstruction-based autoencoder, a two-layer deep reinforcement learning architecture, and a large language model to establish a policy-guided, context-aware autonomous hunting mechanism. This enables an end-to-end closed-loop pipeline—from traffic ingestion and anomaly detection to risk prioritization. Experimental results demonstrate that the approach adaptively aligns with diverse SOC objectives and effectively identifies suspicious and malicious network traffic on both public and simulated datasets, significantly enhancing analysts’ decision-making efficiency.
To address the infeasibility of manual analysis for large-scale IT system logs, this paper proposes a lightweight log analysis framework leveraging large language models (LLMs). The method introduces a CPU-efficient inference mechanism that significantly improves LLM throughput on resource-constrained hardware without compromising semantic understanding fidelity. It integrates log parsing, contextual modeling, and fault-oriented semantic reasoning to enable end-to-end automated diagnosis. Deployed in production, the system supports 70 software products and has processed over 2,000 incident tickets. Empirical evaluation demonstrates an average monthly reduction of more than 300 human labor hours compared to conventional approaches—equivalent to approximately USD 15,444 in cost savings. The framework thus advances practical, scalable, and cost-effective LLM-based log analytics for real-world operational environments.
SLURM logs in HPC scientific workflows lack explicit case identifiers, hindering direct application of process mining. Method: This paper proposes an automatic job-correlation method based on implicit job dependency modeling—parsing SLURM logs and jointly leveraging spatiotemporal job feature matching and graph-structured modeling to achieve end-to-end clustering of unannotated jobs. Contribution/Results: We introduce the first systematic preprocessing framework for process mining on HPC logs, integrating algorithms such as Heuristics Miner to support process discovery and bottleneck diagnosis. Evaluated on real-world HPC cluster logs, our approach significantly improves workflow traceability, accurately identifies I/O- and scheduler-related performance bottlenecks, and enables high-fidelity reconstruction of end-to-end process models.
Security logs exhibit diverse and semi-structured formats, making traditional parsing approaches heavily reliant on extensive engineering effort, while direct querying struggles to capture complex temporal patterns and cross-event semantics. This work proposes a natural language–to–log query code generation method that eliminates the need for custom parsers by leveraging lightweight, automatically extracted log format context to guide large language models in translating natural language security questions into executable query code. The approach requires only a single model invocation followed by deterministic execution. Evaluated across five log types and 133 security queries, the method reduces error rates by more than threefold compared to handcrafted scripts, demonstrating particularly significant improvements in critical tasks involving multi-line event correlations.
Existing log analysis models are task-specific, rely heavily on domain-specific annotated data, exhibit poor generalization, and struggle with complex or unseen instructions. Method: We propose LogLM, an instruction-driven large language model for log analysis, which unifies diverse log tasks—including anomaly detection, parsing, and summarization—into a standardized instruction-response format. LogLM is adapted to the log domain via multi-task instruction tuning and log-specific instruction engineering. It accepts natural-language instructions and supports zero-shot cross-task transfer. Contribution/Results: Experiments demonstrate that LogLM outperforms all state-of-the-art methods across five core log analysis tasks. It exhibits strong generalization to complex instructions and previously unseen tasks. As a single unified model, LogLM replaces multiple specialized models, significantly improving deployment efficiency and task-agnostic capability.
This work proposes an automated log aggregation and analysis framework based on large language models to address the growing challenge of log analysis in increasingly complex systems, where engineers traditionally rely on domain expertise to manually craft intricate LogQL queries. The framework enables end-to-end generation of LogQL queries from natural language instructions by integrating a hierarchical log knowledge base, natural language understanding, knowledge retrieval, and tool invocation mechanisms. Evaluated on four real-world log datasets, the approach achieves an average accuracy of 76.8%, significantly outperforming existing baselines and demonstrating its effectiveness and practicality for log analysis tasks.
This work addresses the challenges of root cause diagnosis in large-scale microservice systems, where existing approaches are hindered by massive log volumes, limited LLM context windows, and insufficient semantic reasoning and interpretability. The authors propose a neuro-symbolic hybrid method that emulates Site Reliability Engineers’ manual troubleshooting process through a six-stage pipeline for log sampling, template clustering, and anomaly ranking, producing a concise evidence package for LLM-based root cause inference. This approach compresses raw logs by 1,000–7,000× while preserving critical failure signals and provides auditable log templates and statistical evidence, substantially enhancing interpretability and practicality. Evaluated on 11 real-world incidents, the method achieves an MRR of 0.790 and ranks the correct root cause within the top three candidates in over 90% of cases within one minute, earning strong endorsement from operations teams.
This work addresses the inefficiencies in security alert investigation caused by overwhelming alert volumes, lack of contextual information, and the manual correlation of multi-source logs. To tackle these challenges, the authors propose an intelligent agent workflow grounded in large language models (LLMs), which emulates real-world analyst reasoning. The approach leverages constrained tool invocations—specifically structured SQL queries over Suricata logs and grep-based text searches—to autonomously conduct initial alert triage, encompassing data summarization, query formulation, evidence extraction, and verdict determination. Innovatively, the LLM is embedded within a controlled collaborative framework that prevents direct exposure to high-noise, unstructured data. Experimental results demonstrate that this workflow significantly improves alert classification accuracy compared to baseline LLM approaches without workflow support, thereby substantially reducing manual investigative burden.
This study addresses the challenge in Security Operations Centers (SOCs) where system logs, often structured in rigid templated formats, hinder both automated analysis and human interpretability, thereby limiting anomaly detection efficiency. To bridge this gap, the authors propose an auditable, deterministic log rewriting mechanism that transforms parsed log templates into natural-language-style WHO-WHAT-SEVERITY sentences. This approach integrates lightweight dense encoding with coverage validation to yield an interpretable and pre-deployment-verifiable log representation layer. Building upon this foundation, the method employs TF-IDF weighting, tree-based ensemble classification, and TreeSHAP for post-hoc explainability, achieving low-latency, low false-positive anomaly detection. Experimental results demonstrate superior performance over existing baselines on the HDFS, BGL, and AIT datasets, highlighting its suitability for SOC triage scenarios.
Existing REST API testing approaches often fail to effectively cover business-sensitive functionality due to the absence of business-level constraints. This work proposes LoBREST, the first method to incorporate business context derived from historical request logs into REST API testing. By slicing operation sequences, identifying missing operations, and completing resource dependencies, LoBREST constructs business-aware enhanced inputs and integrates them with a business-logic-guided fuzzing strategy, thereby overcoming the limitations of specification-driven testing. Evaluation on 17 real-world services demonstrates that LoBREST substantially outperforms eight state-of-the-art tools, achieving 2.1× higher operation coverage and 1.2× greater line coverage on average, while uncovering 108 distinct 5XX errors—38 of which were uniquely identified by LoBREST.