Splunk® AI Assistant for SPL

Install and use Splunk AI Assistant for SPL

This documentation does not apply to the most recent version of Splunk® AI Assistant for SPL. For documentation on the most recent version, go to the latest release.

Using the Splunk AI Assistant

The Splunk AI Assistant uses Natural Language Processing (NLP) to help users gain familiarity and confidence when using the Splunk Search Processing Language (SPL). You can enter a search you want to make in plain English and have that translated into a usable SPL search, or paste an SPL search and have that translated into plain English.

Version compatibility

The Splunk AI Assistant relies on the Python for Scientific Computing (PSC) add-on. See the following table for the compatible combinations of the Splunk AI Assistant, the PSC add-on, and the Splunk platform:

Splunk AI Assistant version PSC version Splunk platform version
0.2.5 4.0.0 or higher Splunk Enterprise 9.0.0 or higher or

Splunk Cloud Platform

0.2.4 4.0.0 or higher Splunk Enterprise 9.0.0 or higher or

Splunk Cloud Platform

0.2.3 4.0.0 or higher Splunk Enterprise 9.0.0 or higher or

Splunk Cloud Platform

0.2.2 4.0.0 or higher Splunk Enterprise 9.0.0 or higher or

Splunk Cloud Platform

Accessing and installing the app

The Splunk AI Assistant is offered as a preview. This version is accessible only to registered users through the Splunk Voice of the Customer (VOC) program page. See, Splunk AI Assistant (Preview). to find more information and access the download.

Install the app on the search head only. You can install the app using your browser. You aren't required to download the app using the command line interface (CLI).

Installing the PSC add-on

The Splunk AI Assistant relies on the Python for Scientific Computing (PSC) add-on, version 4.0.0 or higher.

The Python for Scientific Computing (PSC) add-on is a free app from Splunkbase. Choose the appropriate operating system version of the PSC add-on for your environment:

On some Windows installations, installing PSC through the Splunk Manage Apps user interface results in an error. This error is usually benign and you can ignore it. In some cases, you might need to manually unpack the package in the apps directory to get past the error.

PSC version 4.0.0 upload limit

The installer for version 4.0.0 in particular of the PSC add-on is bigger than the default upload limit for Splunk Web. Higher versions of PSC do not have this issue. To use PSC version 4.0.0, increase the Splunk Web upload limit to at least 1 GB. Perform the following steps:

  1. Create a configuration file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza: 
    [settings]
max_upload_size = 1024
  2. Restart the Splunk platform from the toolbar. Select Settings > Server controls and click Restart Splunk.

App navigation

The app includes the following pages:

Page name Description
Chat Write SPL tab: Use the field to input plain English to translate into SPL.
Explain SPL tab: Use the field to paste an SPL search to translate into plain English.
Usage guidelines Review high-level guidelines for using the Splunk AI Assistant.
Settings Choose to opt-in and share your anonymized data to help improve app development. You are opted-out by default. To learn more, see Share data in the Splunk AI Assistant.

Usage guidelines for creating SPL searches from plain English

On the Write SPL tab, you can input a search in plain English for translation into an SPL search. As a best practice, follow these guidelines when composing your plain English search:

Guideline Good example Bad example
Ensure that you input the correct names of your indexes, sources, source types, and fields. Say that you have a field named ip_address and you want to find the most common IP address. Show me the most common ip_address Show me the most common IP Address
Be as descriptive as possible with your plain English query. search source tutorialdata* and create a time series chart of event count create a timechart of IP Addresses
Compose your plain English search as programmatically as possible. This is especially necessary for longer tasks involving multiple components. search source tutorialdata* and sort the first 100 results in descending order of the "host" field and then by the clientip value in ascending order sort tutorialdata and give me the first 100 results sorted by descending host and ascending client IP
You do not need to enter your plain English search as a question. Show me the most common value of ip_address What is the most common value of ip_address?

Usage guidelines for translating existing SPL searches into plain English

On the Explain SPL tab you can copy and paste an SPL search for translation into plain English. As a best practice when pasting in SPL, exclude superfluous text or characters, and only include the SPL search itself.

Example 1

The following is a good example of SPL you can paste into the field. 

| rest splunk_server=local /services/cluster/master/peers | stats sum(bucket_count) by label | rename label as peer

This search produces the following results:

This image shows the Explain SPL tab of the AI Assistant. Example SPL and results produced by the app are displayed.

Example 2

The following is a good example of SPL you can paste into the field. 

index=_audit action=search info=granted search=* NOT "search_id=scheduler" NOT "search=|history" NOT "user=splunk-system-user" NOT "search=typeahead" NOT "search=| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user

This search produces the following results:

This image shows the Explain SPL tab of the AI Assistant. Example SPL and results produced by the app are displayed.

Example 3

The following is a bad example of content for the AI Assistant. This example does not generate good results in the app because it includes words and quotation marks that aren't part of an SPL search. 

What is est splunk_server=local /services/cluster/master/peers in SPL?

This search produces the following results:

This image shows the Explain SPL tab of the AI Assistant. Example SPL and results produced by the app are displayed. Because this example includes words and quotation marks that aren't part of an SPL search, the app has produced no results.

Example 4

The following is a bad example of content for the AI Assistant. This example does not generate good results in the app because it includes words and quotation marks that aren't part of an SPL search. 

Please explain "stats sum(bucket_count) by label"

This search produces the following results:

This image shows the Explain SPL tab of the AI Assistant. Example SPL and results produced by the app are displayed. Because this example includes words and quotation marks that aren't part of an SPL search, the app has produced no results.

Last modified on 06 November, 2023
About the Splunk AI Assistant   Share data in the Splunk AI Assistant

This documentation applies to the following versions of Splunk® AI Assistant for SPL: 0.2.4

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters