From f0e95ed05cfc570077bd660e5ae7dda823eee9fd Mon Sep 17 00:00:00 2001 From: Esther Kim Date: Wed, 29 Oct 2025 17:06:37 -0400 Subject: [PATCH 1/2] Add grok syntax suggestion and clean up images --- content/en/logs/log_configuration/parsing.md | 39 ++++++++++-------- .../en/logs/log_configuration/processors.md | 22 +++++----- .../grok_advanced_settings_extract.png | Bin 0 -> 9861 bytes 3 files changed, 33 insertions(+), 28 deletions(-) create mode 100644 static/images/logs/processing/parsing/grok_advanced_settings_extract.png diff --git a/content/en/logs/log_configuration/parsing.md b/content/en/logs/log_configuration/parsing.md index 672a99e05107c..3c53aab8648f4 100644 --- a/content/en/logs/log_configuration/parsing.md +++ b/content/en/logs/log_configuration/parsing.md @@ -57,7 +57,12 @@ MyParsingRule %{word:user} connected on %{date("MM/dd/yyyy"):date} After processing, the following structured log is generated: -{{< img src="logs/processing/processors/_parser.png" alt="Parsing example 1" style="width:80%;">}} +```json +{ + "users": "john", + "date": 1575590400000 +} +``` **Note**: @@ -80,7 +85,7 @@ Here is a list of all the matchers and filters natively implemented by Datadog: {{< tabs >}} {{% tab "Matchers" %}} -`date("pattern"[, "timezoneId"[, "localeId"]])` +`date("pattern"[, "timezoneId"[, "localeId"]])` : Matches a date with the specified pattern and parses to produce a Unix timestamp. [See the date Matcher examples](#parsing-dates). `regex("pattern")` 
@@ -216,21 +221,19 @@ Here is a list of all the matchers and filters natively implemented by Datadog: ## Advanced settings -At the bottom of your Grok processor tiles, there is an **Advanced Settings** section: - -{{< img src="logs/processing/parsing/advanced_settings.png" alt="Advanced Settings" style="width:80%;">}} +Use the **Advanced Settings** section at the bottom of your Grok processor to parse a specific attribute instead of the default `message` attribute, or to define helper rules that reuse common patterns across multiple parsing rules. ### Parsing a specific text attribute Use the **Extract from** field to apply your Grok processor on a given text attribute instead of the default `message` attribute. -For example, consider a log containing a `command.line` attribute that should be parsed as a key-value. You could parse this log as follows: +For example, consider a log containing a `command.line` attribute that should be parsed as a key-value. Extract from `command.line` to parse its contents and create structured attributes from the command data. -{{< img src="logs/processing/parsing/parsing_attribute.png" alt="Parsing Command Line" style="width:80%;">}} +{{< img src="/logs/processing/parsing/grok_advanced_settings_extract.png" alt="Advanced Settings with Extract from command.line attribute example" style="width:80%;">}} -### Using helper rules to factorize multiple parsing rules +### Using helper rules to reuse common patterns -Use the **Helper Rules** field to define tokens for your parsing rules. Helper rules help you to factorize Grok patterns across your parsing rules. This is useful when you have several rules in the same Grok parser that use the same tokens. +Use the **Helper Rules** field to define tokens for your parsing rules. Helper rules help you to reuse common Grok patterns across your parsing rules. This is useful when you have several rules in the same Grok parser that use the same tokens. Example for a classic unstructured log: 
@@ -252,8 +255,6 @@ connection connected on %{date("MM/dd/yyyy"):connect_date} server on server %{notSpace:server.name} in %{notSpace:server.env} ``` -{{< img src="logs/processing/parsing/helper_rules.png" alt="helper rules" style="width:80%;">}} - ## Examples Some examples demonstrating how to use parsers: @@ -292,12 +293,18 @@ user=john connect_date=11/08/2017 id=123 action=click rule %{data::keyvalue} ``` -{{< img src="logs/processing/parsing/parsing_example_2.png" alt="Parsing example 2" style="width:80%;">}} - You don't need to specify the name of your parameters as they are already contained in the log. If you add an **extract** attribute `my_attribute` in your rule pattern you will see: -{{< img src="logs/processing/parsing/parsing_example_2_bis.png" alt="Parsing example 2 bis" style="width:80%;">}} +```json +{ + "my_attribute": { + "user": "john", + "id": 123, + "action": "click" + } +} +``` If `=` is not the default separator between your key and values, add a parameter in your parsing rule with a separator. @@ -313,8 +320,6 @@ user: john connect_date: 11/08/2017 id: 123 action: click rule %{data::keyvalue(": ")} ``` -{{< img src="logs/processing/parsing/key_value_parser.png" alt="Key value parser" style="width:80%;" >}} - If logs contain special characters in an attribute value, such as `/` in a url for instance, add it to the allowlist in the parsing rule: **Log:** @@ -329,8 +334,6 @@ url=https://app.datadoghq.com/event/stream user=john rule %{data::keyvalue("=","/:")} ``` -{{< img src="logs/processing/parsing/key_value_allowlist.png" alt="Key value allowlist" style="width:80%;" >}} - Other examples: | **Raw string** | **Parsing rule** | **Result** | diff --git a/content/en/logs/log_configuration/processors.md b/content/en/logs/log_configuration/processors.md index 134d672d83ca2..019f769aeccf4 100644 --- a/content/en/logs/log_configuration/processors.md +++ b/content/en/logs/log_configuration/processors.md 
@@ -35,20 +35,21 @@ In [log configuration settings][1], you can configure processors such as the [Gr ## Grok parser -Create custom grok rules to parse the full message or a specific attribute of your raw event. For more information, see the [parsing section][2]. As a best practice, it is recommended to use at most 10 parsing rules within a grok processor. - -{{< tabs >}} -{{% tab "UI" %}} - -Define the Grok processor on the [**Pipelines** page][1]: +Create custom grok rules to parse the full message or a specific attribute of your raw event. As a best practice, limit your grok parser to 10 parsing rules. For more information on Grok syntax and parsing rules, see [Parsing][10]. {{< img src="logs/log_configuration/processor/grok_parser.png" alt="Grok Parser" style="width:80%;" >}} -Click **Parse my logs** to kickstart a set of three parsing rules for the logs flowing through the underlying pipeline. Refine attribute naming from there, and add new rules for other type of logs if needed. This feature requires that the corresponding logs are being indexed, and actually flowing in—you can temporarily deactivate or sample down exclusion filters to make this work for you. +{{< tabs >}} +{{% tab "UI" %}} -Select a sample by clicking on it to trigger its evaluation against the parsing rule and display the result at the bottom of the screen. +Define the Grok processor on the [**Pipelines** page][1]. To configure Grok parsing rules: -Up to five samples can be saved with the processor, and each sample can be up to 5000 characters in length. All samples show a status (`match` or `no match`), which highlights if one of the parsing rules of the grok parser matches the sample. +1. Click **Parse my logs** to automatically generate a set of three parsing rules based on the logs flowing through the pipeline. This feature requires that the corresponding logs are being indexed and actively flowing in. 
You can temporarily deactivate or sample down exclusion filters to make this work for you. +1. **Log Samples**: Add up to five sample logs (up to 5000 characters each) to test your parsing rules. +1. **Define parsing rules**: Write your parsing rules in the rule editor. As you define rules, the Grok parser provides syntax assistance: + - **Matcher suggestions**: As you type `%{`, a dropdown appears with available matchers (such as `word`, `integer`, `ip`, `date`). Select a matcher from the list to insert it into your rule. + - **Filter suggestions**: When adding a filter with `:`, a dropdown shows compatible filters for the selected matcher. +1. **Test your rules**: Select a sample by clicking on it to trigger its evaluation against the parsing rule and display the result at the bottom of the screen. All samples show a status (`match` or `no match`), which highlights if one of the parsing rules of the grok parser matches the sample. [1]: https://app.datadoghq.com/logs/pipelines {{% /tab %}} @@ -1047,7 +1048,7 @@ The Decoder processor translates binary-to-text encoded string fields (such as B 2. Select the source encoding: Choose the binary-to-text encoding of the source: `base64` or `base16/hex`. 2. For `Base16/Hex`: Choose the output format: `string (UTF-8)` or `integer`. 3. Set the target attribute: Enter the attribute path to store the decoded result. - + {{< img src="logs/log_configuration/processor/decoder-processor.png" alt="Decoder processor - Append" style="width:80%;" >}} {{% /tab %}} @@ -1075,3 +1076,4 @@ For more information, see [Threat Intelligence][9]. [7]: /integrations/guide/reference-tables/ [8]: /tracing/other_telemetry/connect_logs_and_traces/ [9]: /security/threat_intelligence/ +[10]: /logs/log_configuration/parsing/?tab=matchers 
diff --git a/static/images/logs/processing/parsing/grok_advanced_settings_extract.png b/static/images/logs/processing/parsing/grok_advanced_settings_extract.png new file mode 100644 index 0000000000000000000000000000000000000000..ce07ef832bcc6d3e9c88a30b282f5fd468bb840f GIT binary patch literal 9861 zcmeHtg;!MF_cx%3fFh+xcT0-DI3q$wN%~0<= z-|qwZuJyj__YeHmnmg;{1H#`Xr!RLO{&~8--(4i3aT(~Q4Xsw zaSLntGdRiyQl$G6X-(H(J|%0xvJrq3&g3PuSn(3_I)y#v{Tc~*yev%i<8!%p6@#Uj z);w7ZjkHmumM}Vh2CdKcyln!D6F%-&y`L1Zn)>jVE7S#x<$DYW5F|sd*ZEuY8k{K_ zN%CB2ejb-TenCz7GvP<97mH-}&vgRD(>AypRUU==p~*~|k(hf( z;v-efZ>b||rKpI)f-FBoK@GJ*xsNQNA}r1%5yy%tk?H5<|sO z2}Hxesu9%58e{(N-G3^w(Vx?uNB{Kzml^dzw@igI<3An#?fXFX`pKU=EJ?XQ0Joa` zOxSHbvMC_;=H6c;f$&XYA_z%6a_+_^G>KWh`E!>omUsU-9c_C@#=o-t(-|p>=>H&! zhcu?RxY7J(Q&m^ zHP5o>B(H&6SoptA1C<3ieua}VUiQq02mNHi-P;miH>$8^Ipmj+;+U8&5PTThoVr0s&#*Boi0>PWc}p3-pma=Yq(RW*x_8rmU4Aq+J9 zDcOk4H{j#Rhn@$%JUG7CUG3j5`*)_p3e8`rn9XUXGRXTI0Y*`gftLX;TV;Wq5jN5O`z2@5~AS<|(kV^0Hv#d9{TNqqnqzZF8Pn(PXEHRf7mDYpqwZSY}emc4i zKiv-W&LcSA&imclSN*aN@}QB)yjVj^EYXR~&i+IhLy?1Kky!uXn@d09`Fa18>(zwQ z>@P?bpXouLfKIh7n^LC0MaS;(Xo~A|&aKyVeRF5sUShXWS6R`h4xo_qhQ}5UL1kUFm<-)=7!l;q^#MgCU zW+Pd4Bxd{l3x0PKB7dWb=h7$J%?L2|LY#;pzt3cuQMEUl`}VX`rOV*;`{cT}Vf~QL zmhwwma~KN=FADp;{crU~b@Gt^Qh$0l(yISs)|m1uhURame#4DEPBS$?>|L;ejnOKY zRh#SRg7VvG^KMuCFp;tE?9fcL*|v9IdL1sdwUX4LWLV!Z4B;P17e-+Eu4z`MZlCCd z&UZ5Ffeh`nu;|}eS`wjJ{dkN~D{IvHz|AP-VvS#o@0*s^*rsCyHCe7|WpfdG5k$(A zBXc*H{?BP{(}tKfVfVY_DvBv<#;JQ*io1L{_NEd#{nlyV z`rW^-q+$jz$mc7ZQMq==*vT-ZHhB_nP9O+Z&?A{C461+pn*=S?uN86EKcn zZWHO}HQPrkpN5zE4*k+OoaTtvPgEg6KPc2=$ekHGN3&Kr~bQ^wm z#l2><$XYh)es?(T;5+-B?YmWX1U1VKx#!ygCb;-?pQ3wKdW$gZnywN3q!oHG^Ss`z z7QV@BthUA3R`-o^dnUU_IDz9rKWv6IFm_~ltl)6{s<%;%1&`CJsg8XLhpJbIHWv<^ zK`(6Z<5>;S^s9Fzn=)ZXrug&Cnjt zNAllNf(qCBr>2*=!PCj0x#qUEdyh9qf8~H#hw{DDVfa7ICn&mp#ibB*=0wnE;ad?+4&A)7JWhIX0gBz@W+9MgDHZK1Y5nDTA zsY*m#a5e!l_dXB7(#N26zYi)NbY#`HgXIHY3@4o#=fI26tN?fmwe{b$5!IwYZdg2UhOjKxbkv)?(q8x@YvU#p*1;>NHCeOzgiPfUzT>0eiNB0 ztW!MQf(>$eSq+yk*Ek<0meCvT 
zJm~58bdlo{#HY_8mTdafTL}NC!fwuvYSJR`_ISU35&X>0dKS*wnRw{<`v)fZYoIs* zZ;RCDhzYm6=dd|wPD+!Qe?xIoQ`3&iV7x#a5**bzuJ)w>4WC5U*pgZC)}5Nax!c@( z4F3!V?ya%tj@7wrYKMT!CK=n`UHt~;$!94=Q}$&;3ZAGxZ@IY@;`k?Po0^u@f^- z1$eB|Ert8lG|gcP^7Lh_NV_d{toV324{9j~XGhFEA%_w~Mx?+%031Pb5G&Z#eyD_+Q!%sVLtE8M}dEc#Qhpm9C6zAFYd`7>;o?&osb8yKT+FgjPH9 z>$d>a8+xxcbv(F8;Spu7=k`Yr>S`gxX{Po`ez2LDA+Q}0nHp+|R%GgP5&Ps+vQha7 zpeliL#G-9gQ^f${3J$n;ESbL0_Az%XsdR5kH;@FbJ5@qcIRvgVurd$T7SC$y-(ERy z`@L4|e|03VI+zyvaT8BQk(96H<1uM#Q4jDhr+~(8n|Khu7xh9vcr+xoAc)#?@8v^c zAE(Zhij}rvidF9vQ{UYkLps&U+|tfBa+WDn2SR(b{x}xNubaRL;(L1w5_Gb$baK}5 z%}nO}ZMJyzKzO2U#gP`^;7@`M3Wd0enw9(~-Q8eN_)*h}Ta%p~F@-9{J`B!tvnlRe{%V{XmWwmct+lhMrDB7?HUWGn**}!79VD=Oq8%ihAkkEr#?=INULpjxnhld!6m#z8w?)h zq0YK*IOX}Y@V47bW;|``+vc3X|dH-o#5R19xTKl)rweuk^-n${4_{F z`so>5?GJWMMgmF(^grGg1)U5JiAp8Ifqwy61*DX5!GA)0AX?PJOHtR$b&>3H3)X+W PTataFBv~eI68wJv!DUC4 literal 0 HcmV?d00001 From 8be96a7070c6f5eb28a51db834ed716bc6c6c77e Mon Sep 17 00:00:00 2001 From: Esther Kim Date: Thu, 30 Oct 2025 13:14:50 -0400 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> --- content/en/logs/log_configuration/parsing.md | 2 +- content/en/logs/log_configuration/processors.md | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/content/en/logs/log_configuration/parsing.md b/content/en/logs/log_configuration/parsing.md index 3c53aab8648f4..a4ac6c8d9072c 100644 --- a/content/en/logs/log_configuration/parsing.md +++ b/content/en/logs/log_configuration/parsing.md 
@@ -233,7 +233,7 @@ For example, consider a log containing a `command.line` attribute that should be ### Using helper rules to reuse common patterns -Use the **Helper Rules** field to define tokens for your parsing rules. Helper rules help you to reuse common Grok patterns across your parsing rules. This is useful when you have several rules in the same Grok parser that use the same tokens. +Use the **Helper Rules** field to define tokens for your parsing rules. Helper rules let you reuse common Grok patterns across your parsing rules. This is useful when you have several rules in the same Grok parser that use the same tokens. Example for a classic unstructured log: diff --git a/content/en/logs/log_configuration/processors.md b/content/en/logs/log_configuration/processors.md index 019f769aeccf4..7a1f3ac99d854 100644 --- a/content/en/logs/log_configuration/processors.md +++ b/content/en/logs/log_configuration/processors.md 
@@ -44,7 +44,8 @@ Create custom grok rules to parse the full message or a specific attribute of yo Define the Grok processor on the [**Pipelines** page][1]. To configure Grok parsing rules: -1. Click **Parse my logs** to automatically generate a set of three parsing rules based on the logs flowing through the pipeline. This feature requires that the corresponding logs are being indexed and actively flowing in. You can temporarily deactivate or sample down exclusion filters to make this work for you. +1. Click **Parse my logs** to automatically generate a set of three parsing rules based on the logs flowing through the pipeline. + **Note**: This feature requires that the corresponding logs are indexed and actively flowing in. You can temporarily deactivate or sample down exclusion filters to allow the feature to detect logs. 1. **Log Samples**: Add up to five sample logs (up to 5000 characters each) to test your parsing rules. 1. **Define parsing rules**: Write your parsing rules in the rule editor. As you define rules, the Grok parser provides syntax assistance: - **Matcher suggestions**: As you type `%{`, a dropdown appears with available matchers (such as `word`, `integer`, `ip`, `date`). Select a matcher from the list to insert it into your rule.
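Review bot: the JSON block added in parsing.md at `@@ -57,7 +57,12` names the attribute `users`, but the rule in that hunk's context is `MyParsingRule %{word:user} connected on %{date("MM/dd/yyyy"):date}`, so the generated key is `user`; change `"users": "john"` to `"user": "john"`. Also confirm that `1575590400000` is the epoch-millisecond value of the date in the sample log above the rule, since the screenshot this replaces was the only thing that tied the sample and the output together, and a mismatched timestamp will be copied by readers as ground truth.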
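Review bot: the new image path in parsing.md at `@@ -216,21 +221,19` is `/logs/processing/parsing/grok_advanced_settings_extract.png` with a leading slash, while every other `{{< img src=... >}}` in the file (including `logs/processing/parsing/advanced_settings.png`, removed in the same hunk) has none; drop the slash so the shortcode resolves the file the same way as the rest of the page. The rewritten intro sentence for Advanced Settings reads better than the removed one.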
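Review bot: deleting `helper_rules.png` in parsing.md at `@@ -252,8 +255,6` leaves the helper-rules section with two rules and no result, unlike the first hunk in this file, which replaced its screenshot with a JSON block. Add the structured output the two rules produce (the `connect_date`, `server.name` and `server.env` attributes visible in the context lines) so the section still shows what the helper rules extract.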
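Review bot: the JSON added under `my_attribute` in parsing.md at `@@ -292,12 +293,18` omits `connect_date`, but the sample in the hunk header is `user=john connect_date=11/08/2017 id=123 action=click`, so `%{data::keyvalue}` yields four keys; add `"connect_date": "11/08/2017"`. The un-nested result (`parsing_example_2.png`) is removed without a replacement, so show that output as JSON as well, and confirm that `id` really comes out as the number `123` rather than the string `"123"`, because the block now documents a type the screenshot never committed to.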
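Review bot: parsing.md at `@@ -313,8 +320,6` deletes `key_value_parser.png` and nothing now shows the effect of the `": "` separator argument; add the JSON result for `%{data::keyvalue(": ")}` on `user: john connect_date: 11/08/2017 id: 123 action: click` so readers can see the separator is consumed and not included in the values.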
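Review bot: parsing.md at `@@ -329,8 +334,6` deletes `key_value_allowlist.png` without a replacement, and this is the one example where the output matters most: add the JSON result for `%{data::keyvalue("=","/:")}` on `url=https://app.datadoghq.com/event/stream user=john` so the reader sees `url` keep `https://app.datadoghq.com/event/stream` intact, which is the whole point of the allowlist argument the surrounding sentence introduces.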
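Review bot: step 2 of the new list in processors.md at `@@ -35,20 +35,21` drops a fact that the removed line stated, namely that the up-to-five samples are saved with the processor; keep it, for example `Add up to five sample logs (up to 5000 characters each); they are saved with the processor and used to test your parsing rules.` A reader deciding what to paste should know the samples persist in the pipeline configuration and so should not contain credentials or personal data lifted from production logs. Also, `[parsing section][2]` is replaced by `[Parsing][10]`; check whether `[2]` is still referenced anywhere in processors.md and delete its definition if it is not.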
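Review bot: processors.md at `@@ -1047,7 +1048,7` is a whitespace-only change, but the Decoder steps in its context read `2.`, `2.`, `3.`; the second `2.` (choosing the Base16/Hex output format) should be renumbered or indented as a sub-item of the encoding step while these lines are being touched.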
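Review bot: the new reference `[10]: /logs/log_configuration/parsing/?tab=matchers` in processors.md at `@@ -1075,3 +1076,4` ties the link to a tab query parameter, whereas the neighbouring entries `[7]`, `[8]` and `[9]` point at plain paths; the `?tab=` target breaks silently if the tab titles on the parsing page change. Link to `/logs/log_configuration/parsing/` unless the matchers tab is specifically what the sentence needs, in which case say so in the link text.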
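Review bot: in the second commit, processors.md at `@@ -44,7 +44,8` places `**Note**:` on an indented line directly under step 1 with no blank line between them, so CommonMark treats it as a lazy continuation of the same paragraph and renders `... through the pipeline. **Note**: This feature requires ...` on one line. Insert a blank line before the indented `**Note**:` line (keeping the three-space indent so it stays inside the list item) to get the separate paragraph the split was meant to produce.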