# Using AI Features

Master Gonzo's AI-powered capabilities to transform log analysis from manual investigation to intelligent, automated insights. This comprehensive guide covers all AI features, workflows, and advanced techniques for getting the most out of AI-assisted log analysis.

{% hint style="success" %}
**Prerequisites:** Ensure you have AI configured - see Setup & Configuration if you haven't completed AI setup yet.
{% endhint %}

### AI Features Overview

Gonzo integrates AI throughout the interface, providing intelligent assistance at every level:

| Feature                 | Trigger                  | What It Does                        | Best For                      |
| ----------------------- | ------------------------ | ----------------------------------- | ----------------------------- |
| **Log Analysis**        | Press `i` on log entry   | Analyzes individual log entries     | Understanding specific errors |
| **AI Chat**             | Press `c` in log details | Interactive conversation about logs | Complex investigation         |
| **Model Switching**     | Press `m` anywhere       | Switch between available AI models  | Optimizing cost vs quality    |
| **Pattern Insights**    | AI + Counts panel        | Explains detected patterns          | Understanding system behavior |
| **Contextual Analysis** | AI across multiple logs  | Correlates events and trends        | Root cause analysis           |

### Basic AI Workflows

#### Single Log Analysis

**Use Case:** Understanding what a specific log entry means

```bash
# 1. Start Gonzo with AI enabled
gonzo -f application.log --ai-model="gpt-4"

# 2. Navigate to an interesting log entry
# Use ↑/↓ or mouse to select a log

# 3. Press 'i' for instant AI analysis
# Example log:
{"timestamp":"2024-01-15T10:30:05Z","level":"error","service":"payment","message":"Transaction failed: insufficient funds","user_id":"12345","amount":250.00,"account_balance":75.50}

# 4. AI provides analysis like:
```

**Example AI Response:**

```
This payment transaction failure is a business logic error, not a technical issue. 

Key details:
- User 12345 attempted a $250 transaction
- Account balance is only $75.50  
- System correctly prevented overdraft

This is normal application behavior - the user simply has insufficient funds. However, you should verify:

1. Balance calculation is accurate
2. User was notified of insufficient funds
3. No retry loops are occurring
4. Consider if this pattern indicates UI/UX issues (users not seeing balance before purchase)

Not a system error requiring technical intervention.
```

#### Interactive AI Conversation

**Use Case:** Deep investigation of complex issues

```bash
# 1. Select a log entry and press 'Enter' for details
# 2. Press 'c' to start AI chat
# 3. Have a natural conversation about the logs

# Example conversation:
```

**Example AI Chat Session:**

```
You: Why are we seeing so many payment failures?

AI: I see 47 payment failures in the last hour. The pattern breaks down as:
- 23 insufficient funds (normal user behavior)  
- 18 card declined (bank/card issues)
- 6 system timeouts (technical issue requiring attention)

The system timeouts are concerning and started 20 minutes ago.

You: What's causing the system timeouts?

AI: The timeout pattern correlates with database slow query warnings that started at the same time. I see:
- Payment queries taking 8-12 seconds (normally <1 second)
- Database connection pool showing high utilization
- No infrastructure alerts, suggesting query performance issue

Recommended investigation: Check for long-running queries, missing indexes, or table locks in the payment database.

You: Show me what to look for in the database

AI: Here's your investigation checklist:

1. Current active queries:
   SELECT * FROM pg_stat_activity WHERE state = 'active';

2. Slow queries in logs:
   Look for payment-related queries >5 seconds

3. Lock analysis:
   SELECT * FROM pg_locks WHERE NOT granted;

4. Recent schema changes:
   Check if indexes were dropped or tables altered

The timing suggests a recent change triggered this performance degradation.
```

#### Model Optimization Workflow

**Use Case:** Balancing cost, speed, and quality

```bash
# 1. Start with a fast, cost-effective model
gonzo -f logs.log --ai-model="gpt-3.5-turbo"

# 2. For basic questions, this model is sufficient
# Press 'i' on routine logs, get quick insights

# 3. When you encounter complex issues, switch models
# Press 'm' → Select "gpt-4" → Continue analysis

# 4. Use the better model for deeper investigation
# Press 'c' for complex conversations with gpt-4

# 5. Switch back to cheaper model for routine monitoring
# Press 'm' → Select "gpt-3.5-turbo" → Continue
```

### Advanced AI Techniques

#### Multi-Log Correlation Analysis

**Technique:** Use AI to understand relationships across multiple log entries

```bash
# 1. Filter logs for a specific timeframe or issue
/2024-01-15.*14:[2-3][0-9]  # 2:20-2:39 PM timeframe

# 2. Use AI analysis on multiple entries
# Navigate through filtered logs, press 'i' on several entries

# 3. Start AI chat to correlate findings
# Press 'c' and ask: "What patterns do you see across these logs?"

# 4. AI will identify cross-log relationships:
```

**Example Correlation Analysis:**

```
You: What patterns do you see across these filtered logs?

AI: Analyzing the 2:20-2:39 PM timeframe, I see a clear cascade failure pattern:

Timeline of events:
2:22 PM - Database connection pool exhaustion begins
2:23 PM - API gateway starts returning 503 errors  
2:24 PM - Authentication service becomes unresponsive
2:25 PM - Load balancer fails health checks
2:26 PM - Auto-scaling triggers but fails to help

Root cause: Database connection pool exhaustion triggered a system-wide cascade failure. The auto-scaling didn't help because the bottleneck was database connections, not compute capacity.

Recovery actions taken:
- 2:35 PM - Database connections manually reset
- 2:37 PM - Services began recovering
- 2:39 PM - Full system recovery

Prevention: Implement circuit breakers and better connection pool monitoring.
```

#### AI-Enhanced Pattern Recognition

**Technique:** Combine Gonzo's pattern detection with AI interpretation

```bash
# 1. Open the Counts panel analysis modal
# Press Enter on Counts panel (bottom-right)

# 2. Review the pattern analysis
# Note the top patterns detected by the drain3 algorithm

# 3. Use AI to interpret patterns
# Press 'i' on logs matching interesting patterns
# Ask AI: "Why is this pattern significant?"

# 4. Get intelligent pattern interpretation:
```

**Example Pattern Interpretation:**

```
Detected Pattern: "User <ID> authentication failed from IP <IP>"
Occurrences: 234 in last hour

AI Analysis: This pattern indicates a distributed brute force attack:

Attack characteristics:
- 234 failed attempts across 67 different IPs
- Targeting multiple user accounts (87 unique user IDs)
- Geographic distribution suggests botnet usage
- Rate: ~4 attempts per minute (automated, not human)

Immediate actions:
1. Implement rate limiting on authentication endpoint
2. Consider geographic IP blocking
3. Enable account lockout after N failed attempts
4. Alert security team about coordinated attack

This is not a system error - it's a security incident requiring immediate attention.
```

#### Predictive Analysis Workflow

**Technique:** Use AI to identify trends and predict future issues

```bash
# 1. Analyze trends over time
# Use time-series data from Counts panel
# Look for growing patterns in heatmap

# 2. Ask AI about trend implications
# Press 'c' and describe what you see:
# "I see increasing error rates over the last 2 hours"

# 3. Get predictive insights:
```

**Example Predictive Analysis:**

```
You: I see error rates increasing steadily over the last 2 hours. What should I expect?

AI: Based on the escalating pattern, you're heading toward a system overload scenario:

Current trend analysis:
- Error rate: 5/min → 15/min → 25/min (exponential growth)
- Memory warnings appearing more frequently
- Database query times increasing linearly
- Cache hit rate declining steadily

Projected timeline if no intervention:
- Next 30 minutes: Error rate will likely reach 40-50/min
- Within 1 hour: Expect system timeouts and user impact
- Critical threshold: ~60 errors/min (based on historical data)

Recommended immediate actions:
1. Scale database connections NOW (don't wait for critical threshold)
2. Implement circuit breakers to prevent cascade failures
3. Consider temporary rate limiting to reduce load
4. Alert on-call team - intervention needed within 30 minutes

The pattern suggests underlying capacity issues that will require architectural changes long-term.
```

### AI Feature Deep Dive

#### Intelligent Log Analysis (`i` key)

**What AI Analyzes:**

* **Error significance** - Is this a critical error or expected behavior?
* **Context understanding** - What was happening when this occurred?
* **Impact assessment** - How does this affect users/system?
* **Investigation guidance** - What should you check next?
* **Pattern recognition** - Is this part of a larger issue?

**Optimizing AI Analysis:**

```bash
# Provide context for better analysis
# Instead of analyzing isolated logs, filter for relevant timeframe:
/2024-01-15.*15:[1-2][0-9]  # Focus on incident timeframe

# Then use AI analysis on logs within that context
# AI will provide more relevant insights with proper context
```

**AI Analysis Types:**

{% tabs %}
{% tab title="Error Analysis" %}
**For error-level logs, AI focuses on:**

```
Technical Details:
- What specific error occurred
- Likely root causes
- System components involved
- Data/state that might be corrupted

Business Impact:
- User experience effects
- Revenue/functionality impact
- Urgency level assessment
- Customer communication needs

Investigation Steps:
- What to check first
- Related systems to examine
- Logs/metrics to correlate
- Tools/commands to run

Prevention:
- How to prevent recurrence
- Monitoring improvements
- Code/config changes needed
- Process improvements
```

{% endtab %}

{% tab title="Performance Analysis" %}
**For performance-related logs, AI examines:**

```
Performance Metrics:
- Response time analysis
- Resource utilization patterns
- Throughput characteristics
- Bottleneck identification

Capacity Planning:
- Current vs optimal performance
- Scaling recommendations
- Resource allocation guidance
- Infrastructure optimization

Optimization Opportunities:
- Code efficiency improvements
- Database query optimization
- Caching strategies
- Architecture improvements

Monitoring Enhancements:
- Additional metrics to track
- Alert threshold recommendations
- Dashboard improvements
- SLA/SLO considerations
```

{% endtab %}

{% tab title="Security Analysis" %}
**For security-related logs, AI identifies:**

```
Security Events:
- Attack pattern recognition
- Threat level assessment
- Compromise indicators
- Data exposure risks

Response Actions:
- Immediate containment steps
- Investigation procedures
- Evidence preservation
- Communication requirements

Prevention Strategies:
- Security control improvements
- Policy/process enhancements
- Technology recommendations
- Training needs

Compliance Considerations:
- Regulatory requirements
- Audit trail preservation
- Notification obligations
- Documentation needs
```

{% endtab %}
{% endtabs %}

#### Interactive AI Chat (`c` key)

**Chat Best Practices:**

```bash
# 1. Start with specific questions
"What caused this database timeout?"

# 2. Build on AI responses
"You mentioned connection pooling - how do I check pool status?"

# 3. Ask for actionable guidance
"What specific commands should I run to investigate this?"

# 4. Request prioritization
"Which of these issues should I fix first?"

# 5. Get prevention advice
"How can I prevent this type of issue in the future?"
```

**Advanced Chat Techniques:**

```bash
# Multi-turn investigation
You: "Analyze this error pattern"
AI: [Provides analysis]
You: "What's the business impact?"
AI: [Explains user/revenue impact]
You: "Give me a 5-minute action plan"
AI: [Provides prioritized steps]
You: "Draft an incident summary for stakeholders"
AI: [Creates stakeholder communication]
```

#### Model Switching (`m` key)

**Strategic Model Usage:**

| Scenario              | Recommended Model | Reasoning                                 |
| --------------------- | ----------------- | ----------------------------------------- |
| **Quick checks**      | gpt-3.5-turbo     | Fast, cost-effective for simple questions |
| **Complex debugging** | gpt-4             | Better reasoning for root cause analysis  |
| **Large context**     | gpt-4-turbo       | Handles extensive log context             |
| **Privacy-sensitive** | Local model       | Keeps data on your infrastructure         |
| **High volume**       | Local model       | No API costs for extensive analysis       |

**Model Switching Workflow:**

```bash
# 1. Start monitoring with fast model
gonzo -f logs.log --follow --ai-model="gpt-3.5-turbo"

# 2. When issues arise, upgrade model quality
# Press 'm' → Select "gpt-4"

# 3. Conduct deep analysis with better model
# Use AI chat for complex investigation

# 4. Return to monitoring mode
# Press 'm' → Select "gpt-3.5-turbo"

# 5. Save expensive model for critical issues only
```

### Real-World AI Workflows

#### Production Incident Response

**Scenario:** Critical production issue requiring rapid resolution

```bash
# Phase 1: Rapid Assessment (2-3 minutes)
gonzo -f /var/log/prod/*.log --follow --ai-model="gpt-4"

# 1. Identify scope and timing
# Filter to incident timeframe: /2024-01-15.*14:[1-3][0-9]

# 2. Get AI overview of situation
# Press 'i' on error logs: "What's the severity and scope?"

# 3. Quick impact assessment
# Press 'c': "How many users are affected and what's broken?"

# Phase 2: Root Cause Analysis (5-10 minutes)
# 4. Deep dive with AI
# "Walk me through what happened step by step"

# 5. Get investigation plan
# "What should I check first to resolve this?"

# Phase 3: Resolution Guidance (ongoing)
# 6. Implementation assistance
# "How do I safely implement this fix?"

# 7. Validation guidance
# "How will I know if the fix worked?"
```

#### Development Debugging Session

**Scenario:** Complex bug investigation during development

```bash
# Setup: Development environment with detailed logging
gonzo -f logs/debug.log --follow --ai-model="gpt-3.5-turbo"

# 1. Reproduce issue while monitoring
# AI continuously analyzes logs as they appear

# 2. Focus on anomalies
# Press 'i' on unusual log entries during reproduction

# 3. Build understanding through conversation
# Press 'c': "What's different about this execution vs normal?"

# 4. Get debugging strategy
# "What's the most efficient way to isolate this bug?"

# 5. Validate hypotheses
# "Does this log pattern support the theory that...?"

# 6. Solution guidance
# "What's the safest way to implement this fix?"
```

#### Security Monitoring Workflow

**Scenario:** Continuous security monitoring with AI assistance

```bash
# Setup: Security-focused monitoring
gonzo -f /var/log/auth.log -f /var/log/nginx/access.log --follow --ai-model="gpt-4"

# 1. Filter for security events
/(fail|denied|blocked|suspicious|attack|breach)/i

# 2. AI assessment of security events
# Press 'i' on security-related logs for threat analysis

# 3. Pattern recognition
# Press 'c': "Are these isolated incidents or part of a campaign?"

# 4. Response prioritization
# "Which of these events requires immediate attention?"

# 5. Investigation guidance
# "What additional data should I collect for this incident?"

# 6. Prevention recommendations
# "How can I prevent this type of attack?"
```

### AI Performance Optimization

#### Context Management

**Optimize AI responses with better context:**

```bash
# Instead of: Analyzing random individual logs
# Do this: Filter first, then analyze
/error.*database.*timeout  # Focus AI on specific issue type

# Instead of: Asking vague questions
# Do this: Provide specific context
"This database timeout started after the 2 PM deployment - what should I check?"

# Instead of: Single log analysis
# Do this: Multi-log correlation
"Compare these three error patterns and tell me if they're related"
```

#### Cost Optimization Strategies

**Balance AI quality with cost:**

```bash
# Development: Use cheaper models
export GONZO_DEV_MODEL="gpt-3.5-turbo"
alias gonzo-dev='gonzo --ai-model="$GONZO_DEV_MODEL"'

# Production monitoring: Balanced approach
export GONZO_MONITOR_MODEL="gpt-3.5-turbo"
alias gonzo-monitor='gonzo --ai-model="$GONZO_MONITOR_MODEL"'

# Incident response: Use premium models
export GONZO_INCIDENT_MODEL="gpt-4"
alias gonzo-incident='gonzo --ai-model="$GONZO_INCIDENT_MODEL"'

# High-volume analysis: Local models
export GONZO_LOCAL_MODEL="llama3"
alias gonzo-local='OPENAI_API_BASE="http://localhost:11434" gonzo --ai-model="$GONZO_LOCAL_MODEL"'
```

#### Quality Optimization

**Get better AI insights:**

```bash
# 1. Use specific, targeted questions
# Instead of: "What's wrong?"
# Ask: "Why did the authentication service start timing out at 2 PM?"

# 2. Provide business context
# "This is our payment system - what's the user impact of these errors?"

# 3. Ask for actionable guidance
# "Give me the top 3 investigation steps in priority order"

# 4. Request specific formats
# "Create a timeline of events from these logs"
# "Draft an incident report for stakeholders"
# "List the exact commands I should run"
```

### Advanced AI Integration Patterns

#### AI + Pattern Detection

**Combine Gonzo's algorithms with AI interpretation:**

```bash
# 1. Use Counts panel for pattern detection
# Press Enter on Counts panel → Review drain3 patterns

# 2. Apply AI to interpret patterns
# Filter by pattern: /pattern.*from.*analysis
# Press 'i': "Why is this pattern significant?"

# 3. Get pattern evolution insights
# Press 'c': "Is this pattern getting worse over time?"

# 4. Predictive pattern analysis
# "Based on this pattern trend, what should I expect?"
```

#### AI + Time-Series Analysis

**Enhance heatmap analysis with AI insights:**

```bash
# 1. Review time-series heatmap in Counts modal
# Identify interesting time periods and intensity patterns

# 2. Filter logs to specific time periods
# /2024-01-15.*1[4-5]:[0-9]{2}  # Focus on 2:00-3:59 PM (hours 14 and 15)

# 3. Ask AI about timing correlations
# Press 'c': "What caused the error spike at 3 PM?"

# 4. Get predictive timeline analysis
# "Based on this trend, when will we hit critical thresholds?"
```

#### AI + Multi-Source Correlation

**Use AI to understand relationships across log sources:**

```bash
# 1. Monitor multiple related sources
gonzo -f api.log -f db.log -f cache.log --follow --ai-model="gpt-4"

# 2. Filter for specific incident timeframe
/2024-01-15.*15:[2-4][0-9]/

# 3. Ask AI to correlate across sources
# Press 'c': "How do these three services relate in this incident?"

# 4. Get cascade failure analysis
# "Which service failed first and how did it cascade?"

# 5. Architecture improvement recommendations
# "How can we prevent this type of cascade failure?"
```

### Troubleshooting AI Features

#### Common AI Issues

**AI Analysis Not Working:**

```bash
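# Check AI configuration (confirm the key is set without printing the secret)
[ -n "$OPENAI_API_KEY" ] && echo "OPENAI_API_KEY is set" || echo "OPENAI_API_KEY is not set"
echo "$OPENAI_API_BASE"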

# Test AI connectivity
gonzo -f test.log --ai-model="gpt-3.5-turbo" --test-mode

# Verify model availability
# Press 'm' to see available models
```

**Poor AI Response Quality:**

```bash
# 1. Provide more context
# Filter logs first: /specific.*error.*pattern
# Then ask specific questions

# 2. Use better models for complex analysis
# Press 'm' → Switch to "gpt-4"

# 3. Ask follow-up questions
# "Can you be more specific about the root cause?"
# "What exact commands should I run?"
```

**AI Responses Too Slow:**

```bash
# 1. Use faster models
# Press 'm' → Switch to "gpt-3.5-turbo"

# 2. Reduce context size
# Filter logs to smaller timeframes
# Ask more focused questions

# 3. Check network connectivity (cloud models)
ping api.openai.com

# 4. Monitor local resources (local models)
htop  # Check CPU/memory usage
```

#### Optimizing AI Workflows

**Best Practices:**

```bash
# 1. Filter before analyzing
# Reduce noise with targeted filters: /error.*payment/

# 2. Start broad, then narrow
# "What types of errors do you see?" → "Focus on payment errors"

# 3. Ask for actionable outputs
# "Give me a runbook for this issue"
# "Create a timeline I can share with stakeholders"

# 4. Validate AI insights
# Cross-check AI conclusions with data
# Ask AI to explain its reasoning
```
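
The "Validate AI insights" step above, applied to the pattern-interpretation example earlier on this page: this is an added example, not part of Gonzo or its documentation, that recomputes the failure count, distinct source IPs and distinct user IDs from the raw lines so the figures in an AI summary can be compared against the data. The log line layout, the function names and the sample lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: recompute, from the raw logs, the figures an AI summary gives
# for the pattern "User <ID> authentication failed from IP <IP>".
# Assumed line layout (not from the Gonzo docs): ISO 8601 timestamp first,
# then free text containing the pattern.

# Constructed sample lines; addresses come from documentation ranges.
sample_auth_log() {
  cat <<'EOF'
2024-01-15T14:20:03Z warn User 1001 authentication failed from IP 203.0.113.10
2024-01-15T14:20:09Z warn User 1002 authentication failed from IP 203.0.113.11
2024-01-15T14:20:15Z info User 1001 authentication succeeded from IP 198.51.100.4
2024-01-15T14:20:31Z warn User 1003 authentication failed from IP 203.0.113.10
2024-01-15T14:20:48Z warn User 1004 authentication failed from IP 198.51.100.23
2024-01-15T14:21:02Z warn User 1002 authentication failed from IP 192.0.2.77
2024-01-15T14:21:20Z error Payment query timed out after 8s
2024-01-15T14:21:44Z warn User 1005 authentication failed from IP 203.0.113.10
2024-01-15T14:22:10Z warn User 1006 authentication failed from IP 192.0.2.78
EOF
}

# Reads log lines on stdin and prints one line of counts: total failures,
# distinct source IPs, distinct user IDs, busiest minute, busiest single IP.
auth_failure_stats() {
  awk '
    match($0, /User [^ ]+ authentication failed from IP [^ ]+/) {
      split(substr($0, RSTART, RLENGTH), f, " ")
      user = f[2]; ip = f[7]
      minute = substr($1, 1, 16)            # for example 2024-01-15T14:20
      total++
      if (!(ip in by_ip))     nips++
      if (!(user in by_user)) nusers++
      by_user[user]++
      if (++by_ip[ip] > max_ip)    max_ip = by_ip[ip]
      if (++by_min[minute] > peak) peak = by_min[minute]
    }
    END {
      printf "total=%d ips=%d users=%d peak_per_min=%d max_per_ip=%d\n",
             total, nips, nusers, peak, max_ip
    }'
}

# check_claim TOTAL IPS USERS: compares claimed figures with the logs on stdin.
# Prints each mismatch and returns 1 if any figure differs.
check_claim() {
  local kv want rc=0
  for kv in $(auth_failure_stats); do
    case $kv in
      total=*) want=$1 ;;
      ips=*)   want=$2 ;;
      users=*) want=$3 ;;
      *)       continue ;;
    esac
    if [ "${kv#*=}" -ne "$want" ]; then
      echo "${kv%%=*}: claimed $want, logs show ${kv#*=}"
      rc=1
    fi
  done
  return "$rc"
}

# Recomputed figures for the constructed sample.
sample_auth_log | auth_failure_stats
# Figures quoted in the example AI response; the sample is far smaller,
# so every figure is reported as a mismatch.
sample_auth_log | check_claim 234 67 87 || echo "claimed figures differ from this sample"
```

On real data, feed `check_claim` the same time window the AI was shown; a high `max_per_ip` relative to `total` points to a single noisy source rather than a distributed one.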

### What's Next?

You've now mastered AI-powered log analysis! Continue exploring:

* **Log Analysis** - Combine AI with algorithmic pattern detection
* **Format Detection** - Optimize log parsing for better AI analysis
* **Configuration** - Set up AI-specific configurations
* **Integration Examples** - Apply AI features to real-world scenarios

Or start using AI features immediately in your daily workflows:

```bash
# Start your AI-enhanced log analysis session
gonzo -f your-production-logs.log --follow --ai-model="gpt-4"

# Remember the key AI shortcuts:
# 'i' - Analyze any log entry
# 'c' - Start AI conversation
# 'm' - Switch AI models
```

***

**You're now equipped with AI superpowers for log analysis!** 🤖 From rapid incident response to deep debugging sessions, AI transforms complex log investigation into intelligent, guided analysis that helps you solve problems faster and more effectively.


