
Log Search

How the assistant searches, filters, and analyzes logs from your data sources and backends.

The log search tool is one of the assistant's primary capabilities. It can search logs from both Sazabi's managed storage and external backends like Datadog and AWS CloudWatch.

Backend-specific queries

Each backend has its own query tool optimized for that platform's query language and capabilities:

  • query_sazabi_logs for logs stored in Sazabi
  • query_datadog_logs for Datadog backends
  • query_cloudwatch_logs for AWS CloudWatch

The assistant automatically selects the appropriate tool based on which backends are connected to your project. You do not need to specify which backend to query.

If you have multiple backends connected, the assistant may query several of them to get a complete picture. It will indicate which backend each result came from.

How log queries work

When you ask a question that requires log data, the assistant:

Determines time range and filters

Based on your question, the assistant figures out the appropriate time window and any filters needed (service, log level, error type, etc.).

Constructs backend-appropriate query

The assistant builds a query using the syntax for your specific backend. For Sazabi logs this uses our query language; for Datadog it uses their log query syntax.

Executes and retrieves results

The query runs against your log data and results are returned. Large result sets are sampled to stay within response limits.

Summarizes findings

The assistant analyzes the results and presents a summary, highlighting patterns, anomalies, and relevant entries.

Time ranges

The assistant supports flexible time range specifications:

Relative time ranges:

  • "last hour", "past 24 hours", "last 7 days"
  • "since yesterday", "this week"

Absolute time ranges:

  • "between January 1 and January 5"
  • "from 2:00 PM to 3:30 PM today"
  • "on March 15th"

Default behavior: If you do not specify a time range, the assistant defaults to the last hour. For questions about trends or patterns, it may automatically extend this range.

Filtering

The assistant can filter logs by multiple criteria:

By service or component

"Show me errors from the payment service"
"Logs from the API gateway in the last hour"

By log level

"Show only error and critical logs"
"Filter to warnings and above"

By field values

"Logs where user_id is 12345"
"Requests with status code 500"
"Find logs mentioning 'connection timeout'"
"Search for 'database connection refused'"

Aggregations

Beyond searching for individual log entries, the assistant can aggregate data to show patterns:

Count by field

"How many errors by service?"
"Count of 500 errors by endpoint"

Time-series grouping

"Error rate over the last 24 hours, grouped by hour"
"Request volume by minute for the past hour"

Top N values

"Top 10 error messages"
"Most frequent endpoints with errors"

Aggregation results are often displayed as artifacts (charts or tables) for easier visualization.

Schema context

The assistant understands your log schema:

  • Field names: Automatically detected from your log data
  • Service names: Extracted from your logs and infrastructure
  • Common patterns: Recognizes standard fields like level, message, timestamp, service, and custom fields specific to your setup

This context helps the assistant construct accurate queries even when you use informal language like "payment errors" instead of the exact field and value syntax.

The assistant can also search across your thread history to find relevant context from previous investigations.

What gets searched

  • Thread titles: The names of your investigation threads
  • Message content: All messages within threads, including both user messages and assistant responses

How it works

The search uses PostgreSQL full-text search with English language stemming. This means:

  • Searching for "error" also matches "errors" and "erroring"
  • Searching for "database connection" finds threads about database connections even if the exact phrase is not present
  • Common words like "the" and "is" are ignored

Search scope

Thread search respects your access permissions:

  • Organization threads: Visible to all members of your organization
  • Private threads: Only visible to you (the thread creator)

You cannot search threads from other projects within your organization unless those threads have organization-level visibility.

Archived threads are excluded from search results by default. Only active threads appear in search results.
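
The stemming behavior and the visibility rules described above can be seen together in a small PostgreSQL session. This is an added example, not Sazabi's code: the `threads` and `messages` tables, their columns, the sample rows, and the exact predicate are assumptions made for illustration. It applies the permission and archive filters in the same statement as the text match, so a row the caller may not see is never a candidate result.

```sql
-- Hypothetical schema and constructed rows; the page does not describe Sazabi's tables.
CREATE TEMP TABLE threads (
    id int PRIMARY KEY, org_id int, project_id int, creator_id int,
    visibility text CHECK (visibility IN ('organization', 'private')),
    archived boolean DEFAULT false, title text
);
CREATE TEMP TABLE messages (thread_id int REFERENCES threads(id), body text);

INSERT INTO threads VALUES
    (1, 1, 10, 100, 'organization', false, 'Checkout errors after deploy'),
    (2, 1, 10, 200, 'private',      false, 'Worker keeps erroring'),  -- someone else's private thread
    (3, 1, 10, 100, 'private',      true,  'Old connection triage'),  -- archived
    (4, 1, 20, 200, 'organization', false, 'Pool exhaustion'),        -- other project, org-visible
    (5, 1, 20, 100, 'private',      false, 'Scratch notes');          -- own private, other project
INSERT INTO messages VALUES
    (1, 'The database is dropping connections under load'),
    (2, 'Connections to the database are refused'),
    (3, 'database connection reset'),
    (4, 'Connections to the primary database time out'),
    (5, 'database connection pool sizing');

-- Stemming and stop words: compare the lexemes produced for a document and for a query.
SELECT to_tsvector('english', 'errors erroring')  AS document_lexemes,
       plainto_tsquery('english', 'the error is') AS query_lexemes;

-- Search as user 100 in organization 1, project 10.
-- plainto_tsquery ANDs the stemmed terms, so the words need not be adjacent.
SELECT t.id, t.title
FROM threads t
WHERE t.org_id = 1
  AND NOT t.archived
  AND (t.visibility = 'organization'
       OR (t.visibility = 'private' AND t.creator_id = 100 AND t.project_id = 10))
  AND to_tsvector('english', t.title || ' ' || coalesce(
          (SELECT string_agg(m.body, ' ') FROM messages m WHERE m.thread_id = t.id), ''))
      @@ plainto_tsquery('english', 'database connection')
ORDER BY t.id;
```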

The assistant can search your project's alert history to find relevant incidents and their resolutions.

Available filters

When searching alerts, the assistant can filter by:

Filter     Options                        Description
Name       Any text                       Case-insensitive partial match on alert names
Status     open, resolved                 Current alert state
Severity   low, medium, high, critical    Alert severity level

Example queries

"Find all critical alerts from the past week"
"Show me resolved alerts related to the payment service"
"Are there any open high-severity alerts?"

The assistant uses the search_alerts tool when it needs to narrow results by specific criteria. For broader lookups, it uses list_alerts first, then refines with search if needed.

For questions that require current information beyond your logs and threads, the assistant can search the web using the Exa neural search engine.

When web search is used

The assistant searches the web when you ask about:

  • Documentation for external services or libraries
  • Best practices and troubleshooting guides
  • Current status of third-party services
  • Technical concepts or error messages

Search capabilities

Web search supports several options:

  • Search type: Neural (semantic), keyword, or automatic selection
  • Domain filtering: Include or exclude specific domains
  • Date filtering: Limit to content published within a date range
  • Result count: Up to 100 results per search

Example queries

"What does this AWS error code mean?"
"How do I configure Datadog log forwarding?"
"Is there a known issue with Stripe webhooks today?"

Web search results include the source URL, author, and publication date when available, so you can verify the information and check its recency.

Tips for effective searching

Be specific with thread searches

Instead of searching for generic terms like "error", include context:

"Find threads about payment gateway timeouts"
"Show me investigations into the checkout service"

Use alert filters for targeted results

When looking for specific alerts, provide filter criteria:

"Show me critical alerts from the API service"
"Find resolved alerts about database connections"

Combine search with log queries

The assistant can search threads to find relevant past investigations, then query current logs to compare patterns:

"Did we see this error before? Check past threads and compare with current logs."