Using the Splunk AI Assistant
The Splunk AI Assistant uses Natural Language Processing (NLP) to help users gain familiarity and confidence when using the Splunk Search Processing Language (SPL). You can enter a search you want to make in plain English and have that translated into a usable SPL search, or paste an SPL search and have that translated into plain English. You can also use the "Tell me about" tab to learn more about any Splunk platform term or product.
The following image shows the Splunk AI Assistant view when you select +New Chat:
The Splunk AI Assistant includes the following components:
Component name | Description |
---|---|
New Chat | Write SPL option: Choose this option to have the app translate plain English into usable SPL. Explain SPL option: Choose this option to have the app translate SPL into plain English. Tell me about... option: Choose this option to learn more about a Splunk platform term or product. |
Usage guidelines | Review high-level guidelines for using the Splunk AI Assistant. |
Settings | Choose to opt in and share your anonymized data to help improve app development. You are opted out by default. To learn more, see Share data in the Splunk AI Assistant. |
Usage guidelines for creating SPL searches from plain English
On the Write SPL tab, you can input a search in plain English for translation into an SPL search. As a best practice, follow these guidelines when composing your plain English search:
Guideline | Good example | Bad example |
---|---|---|
Ensure that you input the correct names of your indexes, sources, source types, and fields. Say that you have a field named ip_address and you want to find the most common IP address. | Show me the most common ip_address | Show me the most common IP Address |
Be as descriptive as possible with your plain English query. | search source tutorialdata* and create a time series chart of event count | create a timechart of IP Addresses |
Compose your plain English search as programmatically as possible. This is especially necessary for longer tasks involving multiple components. | search source tutorialdata* and sort the first 100 results in descending order of the "host" field and then by the clientip value in ascending order | sort tutorialdata and give me the first 100 results sorted by descending host and ascending client IP |
You do not need to enter your plain English search as a question. | Show me the most common value of ip_address | What is the most common value of ip_address? |
Usage guidelines for translating existing SPL searches into plain English
On the Explain SPL tab, you can copy and paste an SPL search for translation into plain English. As a best practice when pasting in SPL, exclude superfluous text or characters, and include only the SPL search itself.
Example 1
The following is a good example of SPL you can paste into the field.
| rest splunk_server=local /services/cluster/master/peers | stats sum(bucket_count) by label | rename label as peer
This search produces the following results:
Example 2
The following is a good example of SPL you can paste into the field.
index=_audit action=search info=granted search=* NOT "search_id=scheduler" NOT "search=|history" NOT "user=splunk-system-user" NOT "search=typeahead" NOT "search=| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user
This search produces the following results:
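To make it clear what the Example 2 audit search actually computes (which users ran which ad-hoc searches, and when), the following added Python script emulates its pipeline over a handful of constructed _audit events. This is illustrative code written for this page, not code from the Splunk AI Assistant or from Splunk; the sample events, their field values and the field-level approximation of the SPL's quoted NOT phrases are all assumptions made here.

```python
"""Emulation of the Example 2 audit search over constructed sample events."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample _audit events (not real data). The field names mirror the
# Splunk _audit index (user, action, info, search_id, search, _time); the values
# are made up. The list is deliberately out of time order to show the sort step.
SAMPLE_AUDIT_EVENTS = [
    {"_time": 1700000420, "user": "alice", "action": "search", "info": "granted",
     "search_id": "1700000420.7", "search": "index=_audit action=search"},
    {"_time": 1700000000, "user": "alice", "action": "search", "info": "granted",
     "search_id": "1700000000.1", "search": "index=web status=500"},
    {"_time": 1700000060, "user": "splunk-system-user", "action": "search",
     "info": "granted", "search_id": "1700000060.2", "search": "index=_internal"},
    {"_time": 1700000120, "user": "bob", "action": "search", "info": "granted",
     "search_id": "scheduler__bob__search__RMD5abc_at_1700000120",
     "search": "index=main error"},
    {"_time": 1700000180, "user": "alice", "action": "search", "info": "granted",
     "search_id": "1700000180.3",
     "search": "| metadata type=sourcetypes | search totalCount>0"},
    {"_time": 1700000240, "user": "bob", "action": "search", "info": "denied",
     "search_id": "1700000240.4", "search": "index=_audit"},
    {"_time": 1700000300, "user": "bob", "action": "search", "info": "granted",
     "search_id": "1700000300.5",
     "search": "index=web sourcetype=access_combined | stats count by clientip"},
    # Same user, search and _time as the second event: collapsed to one row by stats.
    {"_time": 1700000000, "user": "alice", "action": "search", "info": "granted",
     "search_id": "1700000000.6", "search": "index=web status=500"},
    {"_time": 1700000360, "user": "carol", "action": "login_attempt",
     "info": "succeeded", "search_id": "", "search": ""},
]


def passes_filters(event):
    """Apply the filters of the SPL: action=search info=granted search=* plus the
    NOT exclusions. The SPL writes the exclusions as quoted raw-text phrases; this
    emulation approximates each phrase as a test on the extracted field (assumption)."""
    if event.get("action") != "search" or event.get("info") != "granted":
        return False
    search = event.get("search", "")
    if not search:  # search=* requires the field to be present and non-empty
        return False
    if event.get("user") == "splunk-system-user":  # NOT "user=splunk-system-user"
        return False
    if event.get("search_id", "").startswith("scheduler"):  # NOT "search_id=scheduler"
        return False
    if search.startswith("|history") or search == "typeahead":  # NOT "search=|history", NOT "search=typeahead"
        return False
    if search.startswith("| metadata type=") and "| search totalCount>0" in search:
        return False  # NOT "search=| metadata type=* | search totalCount>0"
    return True


def ctime(epoch):
    """Mimic convert ctime(_time) with its default %m/%d/%Y %H:%M:%S format (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def searches_by_user(events):
    """Run the rest of the pipeline:
    stats count by user search _time | sort _time | convert ctime(_time)
    | stats list(_time) as time list(search) as search by user"""
    # stats count by user search _time: one row per distinct (user, search, _time)
    counts = Counter((e["user"], e["search"], e["_time"]) for e in events if passes_filters(e))
    # sort _time ascending; this fixes the order inside each list() below
    rows = sorted(counts, key=lambda row: row[2])
    result = defaultdict(lambda: {"time": [], "search": []})
    for user, search, t in rows:
        result[user]["time"].append(ctime(t))
        result[user]["search"].append(search)
    return dict(result)


if __name__ == "__main__":
    for user, cols in searches_by_user(SAMPLE_AUDIT_EVENTS).items():
        print(user)
        for t, s in zip(cols["time"], cols["search"]):
            print(f"  {t}  {s}")
```

Running the script prints one block per user with the timestamps and searches in time order, which is the shape of the table Splunk returns for this search. Two differences from Splunk are worth knowing: the real `list()` function stops at 100 values per group, so busy users are truncated, and `convert ctime` renders times in the searching user's time zone rather than UTC.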
Example 3
The following is a bad example of content for the Splunk AI Assistant. This example does not generate good results in the app because it includes words and quotation marks that aren't part of an SPL search.
What is rest splunk_server=local /services/cluster/master/peers in SPL?
This search produces the following results:
This documentation applies to the following versions of Splunk® AI Assistant for SPL: 0.3.4, 0.3.5