11 changes: 11 additions & 0 deletions blog-service/2026-06-24-search.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
title: AI Parse Assist (Search)
image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
keywords:
- search
- parse
- ai-parse
hide_table_of_contents: true
---

We're excited to introduce **AI Parse Assist** in the parse anchor UI tool that automatically generates a parse statement and field names from any text you highlight in a log message. This eliminates the need to manually identify and label fields, helping you build parse queries faster, especially when working with complex or unfamiliar log formats. [Learn more](/docs/search/search-query-language/parse-operators/parse-predictable-patterns-using-an-anchor/#ai-parse-assist).
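Review bot: The announcement sentence says the feature "automatically generates a parse statement and field names" but leaves out that the output is a suggestion the user accepts or cancels, which is how the linked doc section describes it ("Review the suggested field. Click **Accept** to add the parse statement to your query"). Suggest adding a clause to that effect so readers do not expect the query to change without review. The opening also reads ambiguously: "**AI Parse Assist** in the parse anchor UI tool that automatically generates" could be reworded to "**AI Parse Assist**, a feature of the parse anchor UI tool that automatically generates".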
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@ description: Use the parse anchor operator to parse strings using specified star

import useBaseUrl from '@docusaurus/useBaseUrl';

The parse operator (also called the parse anchor) parses strings according to specified start and stop anchors, and then labels them as fields for use in subsequent aggregation functions in the query such as sorting, grouping, or other functions.
The parse operator (also called the parse anchor) parses strings according to specified start and stop anchors, and then labels them as fields for use in subsequent aggregation functions in the query such as sorting, grouping, or other functions.

This topic describes how to use the parse anchor UI tool to add parsing to a query and provides details on the structure of the parse anchor operator.
This topic describes how to use the parse anchor UI tool to add parsing to a query and provides details on the structure of the parse anchor operator.

## Syntax

Expand All @@ -18,34 +18,47 @@ This topic describes how to use the parse anchor UI tool to add parsing to a que

## Options

* The `nodrop` option forces results to also include messages that do not match any segment of the parse term. For details, see [Parse nodrop](parse-nodrop-option.md). 
* The `field=fieldname` option allows you to specify a field to parse other than the default message. For details, see [Parse field](parse-field-option.md). 
* The `nodrop` option forces results to also include messages that do not match any segment of the parse term. For details, see [Parse nodrop](parse-nodrop-option.md).
* The `field=fieldname` option allows you to specify a field to parse other than the default message. For details, see [Parse field](parse-field-option.md).

## Rules

* User-created fields, such as extracted or parsed fields, can be named using alphanumeric characters and underscores (`_`). Fields must start with an alphanumeric character. 
* If no field is specified, the entire text of incoming messages is used.
* A wildcard is used as a placeholder for the extracted field. Wildcards must be separated by a space or other character. `**` is not valid. Use a different parse operator, like [parse regex](parse-variable-patterns-using-regex.md) instead.
* User-created fields, such as extracted or parsed fields, can be named using alphanumeric characters and underscores (`_`). Fields must start with an alphanumeric character.
* If no field is specified, the entire text of incoming messages is used.
* A wildcard is used as a placeholder for the extracted field. Wildcards must be separated by a space or other character. `**` is not valid. Use a different parse operator, like [parse regex](parse-variable-patterns-using-regex.md) instead.
* The number of wildcards in the pattern string must match the number of variables.
* Multiple extractions are allowed for a single parse operator.
* Characters quoted with double quotes (not single quotes) are string literals. Use a backslash to escape double quotes in the string. For example: `| parse "\"tier\" : *," as tier`

## parse anchor UI tool
## Parse anchor UI tool

You can use the parse anchor UI tool to highlight the message text to parse, identify parsing fields, and perform the parsing action.
You can use the parse anchor UI tool to highlight message text and add a parse operation to your query. Two parsing methods are available:

**To parse using the parse anchor tool:**
- [**Manual parse**](#manual-parse). Highlight text in a log message, select the values to extract, and label them as fields using the **Parse Text** dialog.
- [**AI Parse Assist**](#ai-parse-assist). Highlight text in a log message and let AI automatically generate the parse statement and field names for you.

### Manual parse

1. Run a search.
1. In the search results, find a message with the text you want to parse.
1. Highlight the text, right-click, and select **Parse the selected text**.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/parse-selected-text-UI-option.png')} alt="Screenshot of a log entry in Sumo Logic, showing a request with the details 'HttpRequest(HttpMethod(GET), http://10.4.87.223:8080/...' followed by a context menu with options including 'Copy Selected Text,' 'Parse Selected Text' (highlighted), and additional filtering options." style={{border: '1px solid gray'}} width="800" />
1. Highlight the text, right-click, and select **Parse Selected Text**.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/parse-selected-text-UI-option.png')} alt="Screenshot of a log entry in Sumo Logic, showing a request with the details 'HttpRequest(HttpMethod(GET), http://10.4.87.223:8080/...' followed by a context menu with options including 'Copy Selected Text,' 'Parse Selected Text' (highlighted), and additional filtering options." style={{border: '1px solid gray'}} width="800" />

The **Parse Text** dialog box opens and displays the text you highlighted.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/parse-text-window.png')} alt="Screenshot of the Parse Text dialog box in Sumo Logic." style={{border: '1px solid gray'}} width="600" />
1. Select the text for the first parsing field, and click **Click to extract this value**. The text you highlighted is replaced by an asterisk (\*).<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/highlighted-term-in-parse-text-window.png')} alt="Screenshot of the Parse Text dialog box in Sumo Logic with a term highlighted." style={{border: '1px solid gray'}} width="600" />
1. Enter a name (no spaces) for the parsing field in the **Fields** area.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/parsing-field.png')} alt="Screenshot of the Parse Text dialog box in Sumo Logic showing a parsing field name entered." style={{border: '1px solid gray'}} width="600" />
1. If you want to parse additional fields, add a comma after the field name, and repeat the parsing action. The following screenshot shows three parsed fields: **method**, **ip**, and **port** (in that order). Notice that the three fields correspond to the three asterisks in the parse text.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/three-parsing-fields.png')} alt="In the Fields input box, the text 'method, ip, port' is entered." style={{border: '1px solid gray'}} width="600" />
1. Click **Submit**. The query is updated with the parse operation you constructed.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/query-from-parse-UI-tool.png')} alt="Screenshot of a query parsing the log entry with the commands method, ip, port." style={{border: '1px solid gray'}} width="600" />
1. Click **Start** to display the search results, which now show the parsed message.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/parsed-results.png')} alt="Search results which now show the parsed message." style={{border: '1px solid gray'}} width="800" />

### AI Parse Assist

The **Parse Text** dialog box opens and displays the text you highlighted.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/parse-text-window.png')} alt="Screenshot of the 'Parse Text' dialog box in Sumo Logic" style={{border: '1px solid gray'}} width="600" />  
1. Select the text for the first parsing field, and click **Click to extract this value**. The text you highlighted is replaced by an asterisk (\*). <br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/highlighted-term-in-parse-text-window.png')} alt="Screenshot of the 'Parse Text' dialog box in Sumo Logic" style={{border: '1px solid gray'}} width="600" />  
1. Enter a name (no spaces) for the parsing field in the **Fields** area. <br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/parsing-field.png')} alt="Screenshot of the 'Parse Text' dialog box in Sumo Logic" style={{border: '1px solid gray'}} width="600" /> 
1. If you want to parse additional fields, add a comma after the field name, and repeat the parsing action. The following screenshot shows three parsed fields: **method**, **ip**, and **port** (in that order). Notice that the three fields correspond to the three asterisks in the parse text.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/three-parsing-fields.png')} alt="n the 'Fields' input box, the text 'method, ip, port' is entered. " style={{border: '1px solid gray'}} width="600" />  
1. Click **Submit**. The query is updated with the parse operation you constructed.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/query-from-parse-UI-tool.png')} alt="Screenshot of a query parsing the log entry with the commandas method,ip,port." style={{border: '1px solid gray'}} width="600" />  
1. Click **Start** to display the search results, which now show the parsed message.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/parsed-results.png')} alt="Search results which now show the parsed message" style={{border: '1px solid gray'}} width="800" />
AI Parse Assist automatically generates a parse statement from the text you select, without requiring you to manually identify and label fields.

1. Run a search.
1. In the search results, find a message with the text you want to parse.
1. Highlight the text, right-click, and select **AI Parse Assist**.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/ai-parse-text.png')} alt="Right-click context menu on a log entry showing the AI Parse Assist option with the description 'Generate parse statement automatically'." style={{border: '1px solid gray'}} width="600" />
1. The **AI Parse Assistant** pop-up appears, showing the AI-generated parse statement and the suggested field name and value extracted from your selected text.<br/><img src={useBaseUrl('img/search/searchquerylanguage/parse-operators/anchor/ai-parse-text-pop-up.png')} alt="AI Parse Assistant pop-up showing a suggested parse field with Cancel and Accept buttons." style={{border: '1px solid gray'}} width="800" />
1. Review the suggested field. Click **Accept** to add the parse statement to your query, or **Cancel** to dismiss.

## Examples

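Review bot: In the Manual parse steps, the line "The **Parse Text** dialog box opens and displays the text you highlighted." follows a blank line and has no indentation, so it ends the numbered list after step 3 and the `1.` items below it start numbering again from 1. Indent it under step 3 or append it to that step. Separately, the last AI Parse Assist step says only "Review the suggested field"; since the Options section notes that messages not matching the parse term are only included with `nodrop`, it would help to tell readers to check the generated anchors against other messages of the same source before clicking **Accept**. The menu item is named "AI Parse Assist" and the pop-up "AI Parse Assistant"; confirm both match the UI.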
Expand All @@ -55,21 +68,21 @@ Sample log message:
Aug 2 04:06:08: host=10.1.1.124: local/ssl2 notice mcpd[3772]: User=jsmith@demo.com: severity=warning: 01070638:5: Pool member 172.31.51.22:0 monitor status down.
```

In the following examples, the start_anchor is **"user="** and the stop_anchor is **":"**, which ends the email address. The asterisk (`*`) is the glob representing the parsed term. The examples create a new field for each message named **"user"** and that field will contain the value of the email address, in this case `jsmith@demo.com`.
In the following examples, the start_anchor is **"user="** and the stop_anchor is **":"**, which ends the email address. The asterisk (`*`) is the glob representing the parsed term. The examples create a new field for each message named **"user"** and that field will contain the value of the email address, in this case `jsmith@demo.com`.

```sumo
... | parse "user=*:" as user 
... | parse "user=*:" as user
```

The parse operator also allows you to extract multiple fields in one command:

```sumo
... | parse "user=*: severity=*:" as user, severity | ... 
... | parse "user=*: severity=*:" as user, severity | ...
```

This example creates two fields from the sample log message: `user=jsmith@demo.com` and `severity``=warning`.
This example creates two fields from the sample log message: `user=jsmith@demo.com` and `severity``=warning`.

### Name Fields with Special Characters
### Name Fields with Special Characters

You can create field names that contain special characters, for example, spaces, dashes, and backslashes or forward slashes, using the following syntax:

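Review bot: The re-added sentence "This example creates two fields from the sample log message" still carries the malformed inline code for the second field (doubled backticks between "severity" and "=warning"); since the line is being touched anyway, write it as a single code span, `severity=warning`. In the paragraph above it, the start anchor is given as "user=" while the sample log message contains "User=" with a capital U; either match the case of the sample or state how the operator treats case, so readers can tell whether the example query matches the sample as written.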
Expand All @@ -85,14 +98,14 @@ For example, this query will allow you to parse the phrase "Class ID", including

Special characters in field names are not permitted with Regex parsing. You must rename the field after parsing.

Example: `extract "\[Classification:(?<class_id>.*)\]" | class_id as %"Class ID"`
Example: `extract "\[Classification:(?<class_id>.*)\]" | class_id as %"Class ID"`

### Use Line Breaks as an Anchor

If your logs are delivered in a multi-line format, you may want to parse up until a line break in the message. In order to do so, use the following regular expressions as a stop anchor on the line break: 
If your logs are delivered in a multi-line format, you may want to parse up until a line break in the message. In order to do so, use the following regular expressions as a stop anchor on the line break:

  Linux logs:    `\n `
  Windows logs:    `\r`
Linux logs: `\n `
Windows logs: `\r`

For example, if we have the following message in our logs:

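Review bot: The new "Linux logs:" and "Windows logs:" lines drop the leading indentation but are now two consecutive plain lines, which Markdown joins into one paragraph. Make them list items (for example `* Linux logs: ...` and `* Windows logs: ...`) or separate them with a blank line. The Linux code span also still has a trailing space inside the backticks after `\n`; remove it unless the space is meant to be part of the anchor.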
Expand All @@ -110,4 +123,4 @@ or

`... | parse "To: *\r" as toAddress`

which returns example@sumologic.com in the `toAddress` column.
which returns example@sumologic.com in the `toAddress` column.