Splunk® AI Assistant for SPL

Install and use Splunk AI Assistant for SPL

This documentation does not apply to the most recent version of Splunk® AI Assistant for SPL. For documentation on the most recent version, go to the latest release.

Using the Splunk AI Assistant

The Splunk AI Assistant uses Natural Language Processing (NLP) to help users gain familiarity and confidence with the Splunk Search Processing Language (SPL). You can describe the search you want in plain English and have it translated into a usable SPL search, or paste an existing SPL search and have it translated into plain English. You can also use the "Tell me about" tab to learn more about any Splunk platform term or product.

The following image shows the Splunk AI Assistant view when you select +New Chat:

This image shows the main page for the Splunk AI Assistant. From this view you can start a New Chat. A new chat performs one of three tasks: Write SPL, Explain SPL, or Tell me about. All chats are saved and can be renamed or deleted from the left side of the page.

App navigation

The Splunk AI Assistant includes the following components:

New Chat
    Write SPL option: Choose this option to have the app translate plain English into usable SPL.
    Explain SPL option: Choose this option to have the app translate SPL into plain English.
    Tell me about... option: Choose this option to learn more about a Splunk platform term or product.

Usage guidelines
    Review high-level guidelines for using the Splunk AI Assistant.

Settings
    Choose to opt in and share your anonymized data to help improve app development. You are opted out by default. To learn more, see Share data in the Splunk AI Assistant.

Usage guidelines for creating SPL searches from plain English

On the Write SPL tab, you can input a search in plain English for translation into an SPL search. As a best practice, follow these guidelines when composing your plain English search:

Guideline: Ensure that you input the correct names of your indexes, sources, source types, and fields. For example, if you have a field named ip_address and you want to find the most common IP address:
    Good example: Show me the most common ip_address
    Bad example: Show me the most common IP Address

Guideline: Be as descriptive as possible with your plain English query.
    Good example: search source tutorialdata* and create a time series chart of event count
    Bad example: create a timechart of IP Addresses

Guideline: Compose your plain English search as programmatically as possible. This is especially necessary for longer tasks involving multiple components.
    Good example: search source tutorialdata* and sort the first 100 results in descending order of the "host" field and then by the clientip value in ascending order
    Bad example: sort tutorialdata and give me the first 100 results sorted by descending host and ascending client IP

Guideline: You do not need to enter your plain English search as a question.
    Good example: Show me the most common value of ip_address
    Bad example: What is the most common value of ip_address?

Usage guidelines for translating existing SPL searches into plain English

On the Explain SPL tab, you can paste an SPL search for translation into plain English. As a best practice, paste only the SPL search itself and leave out any surrounding text, prompts, or quotation marks that are not part of the search.

Example 1

The following is a good example of SPL you can paste into the field.

| rest splunk_server=local /services/cluster/master/peers | stats sum(bucket_count) by label | rename label as peer

This search produces the following results:

This image shows the Explain SPL tab of the Splunk AI Assistant. Example SPL and results produced by the app are displayed.

Example 2

The following is a good example of SPL you can paste into the field.

index=_audit action=search info=granted search=* NOT "search_id=scheduler" NOT "search=|history" NOT "user=splunk-system-user" NOT "search=typeahead" NOT "search=| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user

This search produces the following results:

This image shows the Explain SPL tab of the Splunk AI Assistant. Example SPL and results produced by the app are displayed.
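The Example 2 search is the kind of audit query a security team runs to see who executed which ad hoc searches and when. As an added example that is not part of this page or of the Splunk AI Assistant, the following Python reproduces what that SPL computes over a handful of constructed _audit-style events: it applies the same action, info, user, search_id and search exclusions, deduplicates identical (user, search, _time) rows as stats count by does, sorts by time, renders the time the way convert ctime() does, and lists each user's searches. The sample events, the key=value parser and the regex approximation of the quoted NOT phrase matches are assumptions made for illustration, not Splunk's own extraction or matching rules.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the key=value shape of index=_audit search
# records (not real Splunk output). Timestamps are local-time strings.
SAMPLE_AUDIT = [
    "timestamp=05-28-2024 09:00:01.000, user=alice, action=search, info=granted, search_id='1716886801.10', search='search index=main error | head 5'",
    "timestamp=05-28-2024 09:00:01.000, user=alice, action=search, info=granted, search_id='1716886801.11', search='search index=main error | head 5'",
    "timestamp=05-28-2024 09:05:00.000, user=bob, action=search, info=granted, search_id='scheduler__bob__search__RMD5abc', search='search index=web status=500'",
    "timestamp=05-28-2024 09:06:00.000, user=splunk-system-user, action=search, info=granted, search_id='1716887160.12', search='| rest /services/server/info'",
    "timestamp=05-28-2024 09:07:00.000, user=bob, action=search, info=granted, search_id='1716887220.13', search='typeahead prefix=\"index=\" count=10'",
    "timestamp=05-28-2024 09:08:00.000, user=carol, action=search, info=denied, search_id='1716887280.14', search='search index=_audit'",
    "timestamp=05-28-2024 09:09:00.000, user=carol, action=search, info=granted, search_id='1716887340.15', search='| history'",
    "timestamp=05-28-2024 09:10:00.000, user=carol, action=search, info=granted, search_id='1716887400.16', search='| metadata type=sourcetypes | search totalCount>0'",
    "timestamp=05-28-2024 09:11:00.000, user=carol, action=search, info=granted, search_id='1716887460.17', search='search index=main | stats count by host'",
    "timestamp=05-28-2024 08:59:00.000, user=carol, action=search, info=granted, search_id='1716886740.18', search='search index=_internal sourcetype=splunkd ERROR'",
]

# key=value pairs; values are either single-quoted (may contain commas) or run to the next comma.
KV_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,]*)")

# The SPL's quoted NOT clauses are phrase matches against the raw event. Here they are
# approximated (assumption) as patterns on the extracted search field.
EXCLUDED_SEARCHES = [
    re.compile(r"^\|\s*history\b"),                                 # NOT "search=|history"
    re.compile(r"^typeahead\b"),                                    # NOT "search=typeahead"
    re.compile(r"^\|\s*metadata type=\S+ \| search totalCount>0"),  # NOT "search=| metadata type=* | search totalCount>0"
]


def parse_audit_event(line):
    """Extract key=value fields from one _audit-style event, stripping value quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        fields[key] = value
    return fields


def is_interactive_granted_search(f):
    """The filter half of the SPL: action=search info=granted search=* NOT ... clauses."""
    if f.get("action") != "search" or f.get("info") != "granted":
        return False
    if not f.get("search"):                             # search=* requires a non-empty value
        return False
    if f.get("user") == "splunk-system-user":           # NOT "user=splunk-system-user"
        return False
    if f.get("search_id", "").startswith("scheduler"):  # NOT "search_id=scheduler"
        return False
    return not any(p.search(f["search"]) for p in EXCLUDED_SEARCHES)


def audit_search_activity(lines):
    """The reporting half of the SPL:
    stats count by user search _time | sort _time | convert ctime(_time)
    | stats list(_time) as time list(search) as search by user
    Returns {user: [(ctime_string, search), ...]} in time order."""
    rows = set()
    for line in lines:
        f = parse_audit_event(line)
        if not is_interactive_granted_search(f):
            continue
        when = datetime.strptime(f["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
        rows.add((f["user"], f["search"], when))  # stats count by ... collapses identical keys
    by_user = defaultdict(list)
    for user, search, when in sorted(rows, key=lambda r: r[2]):  # sort _time
        # convert ctime(_time) renders in Splunk's default %m/%d/%Y %H:%M:%S form
        by_user[user].append((when.strftime("%m/%d/%Y %H:%M:%S"), search))
    return dict(by_user)


if __name__ == "__main__":
    for user, activity in audit_search_activity(SAMPLE_AUDIT).items():
        print(user)
        for when, search in activity:
            print(f"  {when}  {search}")
```

Running it on the constructed events leaves only alice's ad hoc search (her two identical events collapse into one row) and carol's two granted interactive searches in time order; the scheduled search, the splunk-system-user search, the typeahead, the denied search, the history search and the metadata probe are all dropped, exactly the noise the NOT clauses in Example 2 are there to remove. One caveat the SPL inherits from Splunk: list() keeps at most 100 values per user, so a busy analyst's oldest searches fall off the end of the list; this Python has no such cap.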

Example 3

The following is a bad example of content for the Splunk AI Assistant. This example does not generate good results in the app because it includes words and quotation marks that aren't part of an SPL search.

What is est splunk_server=local /services/cluster/master/peers in SPL?

This search produces the following results:

This image shows the Explain SPL tab of the Splunk AI Assistant. Example SPL and results produced by the app are displayed. Because this example includes words and quotation marks that aren't part of an SPL search, the app has produced no results.

Last modified on 28 May, 2024

This documentation applies to the following versions of Splunk® AI Assistant for SPL: 0.3.4, 0.3.5

