Logs record the runtime behavior of software and are widely used in tasks such as debugging, testing, and fault diagnosis. As systems grow in size and complexity, log analysis has become a challenging task. Current industrial systems typically use log aggregation systems such as Grafana Loki and ELK to simplify log collection and analysis. Engineers can complete a variety of log analysis tasks by writing queries in the DSL query language these systems provide. However, writing these queries is often time-consuming and labor-intensive, as it requires engineers to have a thorough understanding of the DSL syntax and of the detailed information contained in the logs. To address these challenges, this paper proposes LogCopilot, an automated log aggregation analysis framework based on large language models (LLMs). LogCopilot accepts natural language log analysis instructions and accomplishes automated log analysis through knowledge retrieval and tool calling. LogCopilot constructs a hierarchical knowledge base to represent and provide key knowledge in logs, and it achieves automated log aggregation analysis by generating and executing LogQL queries. The evaluation, based on four log datasets, confirms the effectiveness of LogCopilot, which achieves an average accuracy of 76.8% and outperforms baseline approaches. Moreover, experimental results show that LogCopilot is effective in LogQL query generation.