Nikhil OG

The Cribl Copilot Difference – Explainable and Steerable AI Built for Humans

Last edited: June 5, 2025

When you run critical IT or Security systems, you are still on the hook if an alert is missed or a pipeline drops data. That is why Cribl Copilot never tries to replace you. Instead, it works as a partner you can question, guide, and overrule.

The Problem With Black-Box Automation

Many AIOps and SecOps tools promise “self-healing” or “zero-touch.” Sounds great, until the system fixes the wrong thing or hides the reason it chose one schema over another. Teams then burn hours undoing “automatic” changes that no one can fully trace.

The lesson is clear: speed without clarity raises risk. We believe a better path is to let AI handle the heavy lifting while people make every final decision.

Cribl AI Keeps Humans in the Loop

Our Human-in-the-loop (HITL) philosophy is based on two fundamental guiding principles:

  1. Explainable AI – the system must show its work.

  2. Steerable AI – you must be able to change its course at any time.


Below, I share how we bake these ideas into Copilot and how we track whether the approach is working.

Let’s dive deeper!

Explainable AI

Copilot narrates in plain language every step it takes, so you can see what it's doing and why. At any point in the flow, you can inspect:

  • Why it classified a log sample a certain way: for example, “These events include the 'TRAFFIC' keyword, detailed session fields (source/destination IPs, ports, protocol, action, session end reason), and match the structure of Palo Alto Firewall Traffic Logs.”

  • Why a specific transformation was applied: Copilot explains decisions like field renaming, type coercion, or flattening nested objects.

  • What assumptions were made: for example, “severity_id is set to 1 (Informational) because no severity field was found in the input.”

  • What rules were used: Regex patterns, field mappings, and sample outputs are all visible and auditable.

Why This Matters

  • You can audit decisions before they go live.

  • You understand assumptions and override them if needed.

  • You build trust as nothing is hidden or hardcoded.

  • You gain control over your data and its transformations.

Steerable AI

Explainability means nothing if you cannot push back. Copilot gives you “knobs and levers” at every stage:

  • Prompt refinement – chat back: “Treat src_ip as text, not number.” Copilot rewrites the plan and uses your input when creating a pipeline.

  • Schema override – pick ECS instead of OCSF with one dropdown.

  • Preview and rollback – run the transform on sample data, inspect the result, and undo with one click if it is wrong.

  • Complete manual override – manually edit the pipeline to guide Copilot when needed, similar to deactivating cruise control in heavy traffic. Take over, make adjustments, and allow Copilot to continue from your refined state.

Why This Matters

  • You stay in the decision loop: Copilot assists, not dictates.

  • You can course-correct instantly without waiting for retraining or redeployment.

  • You preserve data integrity by validating changes before they impact production.

  • You maintain agency in environments where stakes are high and errors are costly.
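
The audit trail and the override described in the two sections above, sketched as an added example (not Cribl Copilot's code or API): a transform that records every rename, coercion and assumption, and accepts a user override such as treating src_ip as text. The plan, field names and sample event are constructed for illustration.

```javascript
// Added illustration, not Cribl Copilot code. The plan, field names and
// sample event are constructed for this example.
const PLAN = {
  rename: { src: 'src_ip', dst: 'dst_ip', 'session.sport': 'src_port' },
  types: { src_ip: 'number', src_port: 'number' }, // src_ip: deliberately poor guess
};

// Flatten nested objects into dotted keys: {a:{b:1}} -> {'a.b': 1}.
function flatten(obj, prefix = '', out = {}) {
  for (const [k, v] of Object.entries(obj)) {
    const key = prefix ? `${prefix}.${k}` : k;
    if (v && typeof v === 'object' && !Array.isArray(v)) flatten(v, key, out);
    else out[key] = v;
  }
  return out;
}

// Pure function: returns a new event plus an audit entry for every decision,
// so a reviewer can preview the result without touching the input.
function transform(raw, overrides = {}) {
  const rename = { ...PLAN.rename, ...overrides.rename };
  const types = { ...PLAN.types, ...overrides.types };
  const event = {};
  const audit = [];
  for (const [key, value] of Object.entries(flatten(raw))) {
    const name = rename[key] || key;
    if (name !== key) audit.push({ step: 'rename', from: key, to: name });
    event[name] = value;
  }
  for (const [field, type] of Object.entries(types)) {
    if (!(field in event)) continue;
    const source = overrides.types && field in overrides.types ? 'override' : 'plan';
    const coerced = type === 'number' ? Number(event[field]) : String(event[field]);
    if (Number.isNaN(coerced)) {
      audit.push({ step: 'coerce', field, type, source, ok: false, reason: 'value is not numeric; left unchanged' });
      continue;
    }
    event[field] = coerced;
    audit.push({ step: 'coerce', field, type, source, ok: true });
  }
  if (!('severity_id' in event)) {
    event.severity_id = 1; // 1 = Informational, the assumption quoted above
    audit.push({ step: 'assume', field: 'severity_id', value: 1, reason: 'no severity field was found in the input' });
  }
  return { event, audit };
}

// Constructed sample resembling a firewall traffic record.
const SAMPLE = { type: 'TRAFFIC', src: '10.0.0.5', dst: '192.0.2.10', session: { sport: '51514' } };
```

Calling `transform(SAMPLE)` surfaces the failed numeric coercion of src_ip in the audit trail; `transform(SAMPLE, { types: { src_ip: 'string' } })` applies the correction and marks the entry with `source: 'override'`.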

How We Measure Copilot’s Success

We don’t train models on customer data, period. Your logs stay your own. Instead, we rely on clear, privacy-respecting metrics to guide Copilot’s evolution:

  • Time to First Event: Median time it takes to go from a blank slate to a working pipeline. The faster this number drops, the sooner Cribl delivers value.

  • Override Rate: The percentage of Copilot suggestions accepted without edits. A lower override rate means Copilot is helping instead of getting in the way.

  • Adoption Share: How often new pipelines are started with Copilot vs. the manual UI. More usage signals better usability and relevance.

We publish these numbers internally and use them to drive every release decision. We focus on real-world outcomes, not abstract AI benchmarks.

Closing Thoughts

AI can already save admins from the grind of manual parsing, schema mapping, and endless regex tweaks. The trick is to keep the human firmly in the driver’s seat. By pairing crystal-clear explanations with fine-grained steering, Copilot lets you move faster and stay accountable.

That is why we love to say “Copilot, not autopilot.” We do not drop or route data without you. We show our math. We give you the wheel whenever you want it. And together, we build data pipelines you can trust when the stakes are highest.

If you want to see the loop in action, reach out. I would love to walk you through a live demo and hear how you would steer Copilot in your own environment.

Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.

We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.
