[Rules, Log Explorer] Add Log Explorer and Trace usage guidance (#28802)

* Add Log Explorer and Trace usage guidance (SPM-2171)

---------

Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>

Author: zeinjaber

src/content/docs/log-explorer/log-search.mdx

@@ -9,6 +9,14 @@ import { TabItem, Tabs, Render, DashButton } from "~/components";
 
 Log Explorer enables you to store and explore your Cloudflare logs directly within the Cloudflare dashboard or API, giving you visibility into your logs without the need to forward them to third-party services. Logs are stored on Cloudflare's global network using the R2 object storage platform and can be queried via the dashboard or SQL API.
 
+## When to use Log Explorer
+
+<Render file="log-explorer-use-cases" product="rules" />
+
+<Render file="trace-use-cases" product="rules" params={{ addLink: true }} />
+
+The key difference is that Log Explorer shows actual traffic, while Trace shows simulated "what-if" scenarios.
+
 ## Use Log Explorer
 
 You can filter and view your logs via the Cloudflare dashboard or the API.
@@ -27,33 +35,32 @@ You can filter and view your logs via the Cloudflare dashboard or the API.
 For example, to find an HTTP request with a specific [Ray ID](/fundamentals/reference/cloudflare-ray-id/), go to **Custom SQL**, and enter the following SQL query:
 
 ```sql
-SELECT 
-	clientRequestScheme, 
-	clientRequestHost, 
-	clientRequestMethod, 
-	edgeResponseStatus, 
-	clientRequestUserAgent 
-FROM http_requests 
-WHERE RayID = '806c30a3cec56817' 
+SELECT
+	clientRequestScheme,
+	clientRequestHost,
+	clientRequestMethod,
+	edgeResponseStatus,
+	clientRequestUserAgent
+FROM http_requests
+WHERE RayID = '806c30a3cec56817'
 LIMIT 1
 ```
 
-
 As another example, to find Cloudflare Access requests with selected columns from a specific timeframe you could perform the following SQL query:
 
 ```sql
-SELECT 
-	CreatedAt, 
-	AppDomain, 
-	AppUUID, 
-	Action, 
-	Allowed, 
-	Country, 
-	RayID, 
-	Email, 
-	IPAddress, 
-	UserUID 
-FROM access_requests 
+SELECT
+	CreatedAt,
+	AppDomain,
+	AppUUID,
+	Action,
+	Allowed,
+	Country,
+	RayID,
+	Email,
+	IPAddress,
+	UserUID
+FROM access_requests
 WHERE Date >= '2025-02-06' AND Date <= '2025-02-06' AND CreatedAt >= '2025-02-06T12:28:39Z' AND CreatedAt <= '2025-02-06T12:58:39Z'
 ```
 
@@ -92,26 +99,26 @@ All the tables supported by Log Explorer contain a special column called `date`,
 
 ```sql
 SELECT
-	clientip, 
-	clientrequesthost, 
-	clientrequestmethod, 
-	clientrequesturi, 
-	edgeendtimestamp, 
-	edgeresponsestatus, 
-	originresponsestatus, 
-	edgestarttimestamp, 
-	rayid, 
-	clientcountry, 
-	clientrequestpath, 
+	clientip,
+	clientrequesthost,
+	clientrequestmethod,
+	clientrequesturi,
+	edgeendtimestamp,
+	edgeresponsestatus,
+	originresponsestatus,
+	edgestarttimestamp,
+	rayid,
+	clientcountry,
+	clientrequestpath,
 	date
-FROM 
+FROM
 	http_requests
-WHERE 
+WHERE
 	date = '2023-10-12' LIMIT 500
 ```
 
 ### Additional query optimization tips
 
 - Narrow your query time frame. Focus on a smaller time window to reduce the volume of data processed. This helps avoid querying excessive amounts of data and speeds up response times.
 - Omit `ORDER BY` and `LIMIT` clauses. These clauses can slow down queries, especially when dealing with large datasets. For queries that return a large number of records, reduce the time frame instead of limiting to the newest `N` records from a broader time frame.
-- Select only necessary columns. For example, replace `SELECT *` with the list of specific columns you need. You can also use `SELECT RayId` as a first iteration and follow up with a query that filters by the Ray IDs to retrieve additional columns. Additionally, you can use `SELECT COUNT(*)` to probe for time frames with matching records without retrieving the full dataset.
+- Select only necessary columns. For example, replace `SELECT *` with the list of specific columns you need. You can also use `SELECT RayId` as a first iteration and follow up with a query that filters by the Ray IDs to retrieve additional columns. Additionally, you can use `SELECT COUNT(*)` to probe for time frames with matching records without retrieving the full dataset.

src/content/docs/rules/trace-request/index.mdx

@@ -8,7 +8,12 @@ head:
     content: Trace a request with Cloudflare Trace
 ---
 
-import { DirectoryListing, Plan, ProductAvailabilityText } from "~/components";
+import {
+	DirectoryListing,
+	Plan,
+	ProductAvailabilityText,
+	Render,
+} from "~/components";
 
 <Plan type="all" />
 
@@ -18,6 +23,18 @@ You can define specific request properties to simulate different conditions for
 
 Cloudflare Trace is available to users with an Administrator or Super Administrator role.
 
+## When to use Trace
+
+<Render file="trace-use-cases" product="rules" />
+
+<Render
+	file="log-explorer-use-cases"
+	product="rules"
+	params={{ addLink: true }}
+/>
+
+The key difference is that Trace simulates "what-if" scenarios, while Log Explorer shows actual historical traffic.
+
 ## Resources
 
 <DirectoryListing />

src/content/partials/rules/log-explorer-use-cases.mdx

@@ -0,0 +1,12 @@
+---
+params:
+  - addLink?
+---
+
+Use { props.addLink ? <a href="/log-explorer/">Log Explorer</a> : "Log Explorer" } when you need to investigate what actually happened with real production traffic:
+
+- Analyzing historical data and trends
+- Investigating security incidents after they occur
+- Searching for patterns across thousands of requests
+- Monitoring application performance over time
+- Providing forensic evidence to support teams

src/content/partials/rules/trace-use-cases.mdx

@@ -0,0 +1,11 @@
+---
+params:
+  - addLink?
+---
+
+Use { props.addLink ? <a href="/rules/trace-request/">Trace</a> : "Trace" } when you need to test what would happen with a simulated request:
+
+- Understanding why a rule did not trigger as expected
+- Testing how your rules handle different request scenarios
+- Seeing the evaluation order of your rules
+- Simulating requests from different geolocations or conditions