These three log processing tasks play an important role in enterprise security. The most difficult part is the investigation, which involves archived or non-centrally managed log data. We are never fully prepared: some log data is missing, or the format is too complex. Maybe the logs were even poisoned? How do we succeed without copying or exporting everything for “advanced” grep/awk/python/hive magic?