About Splunk AI Assistant for SPL
Splunk platform users interact with Splunk products using the domain-specific Search Processing Language (SPL). It can take time and effort to learn how to write SPL and how to interpret SPL searches. Splunk AI Assistant for SPL offers bi-directional translation between natural language (NL) and Splunk Search Processing Language (SPL).
Splunk AI Assistant for SPL is a generative AI-powered assistive app. Generative AI is a subset of AI that uses algorithms and other techniques to generate new data. Splunk AI Assistant for SPL leverages generative AI to improve your productivity and outcomes by making SPL more accessible.
New Splunk platform users can use Splunk AI Assistant for SPL to help create searches, understand searches, and learn SPL. More advanced users can use the assistant to make more efficient SPL searches and learn more about what their current SPL searches are doing with detailed breakdowns. All levels of users can use the assistant to learn more about Splunk platform products and features.
Splunk AI Assistant for SPL is an option for customers looking for SPL assistance without sharing private company data with publicly available AI and chatbot offerings. Data collected by Splunk for research and development goes into a separate Splunk-controlled environment, as outlined in the Splunk AI Assistant for SPL terms. Data is not sent to third-party LLM service providers, and customers can opt out of data collection for research and development through the assistant's user settings. See Splunk Protects for full details on data privacy at Splunk.
Version 1.0.5 is free to use for a limited time. When you use the free version of the assistant, Splunk can throttle usage in our sole discretion.
Requirements for Splunk AI Assistant for SPL
Customers must sign a specialized End-User License Agreement (EULA) covering data use. Once the EULA is signed, the Splunk AI Assistant for SPL application is unrestricted on Splunkbase for download for the account associated with the signed EULA.
You must be a customer with an active Splunk Cloud Platform subscription on an AWS commercial stack who has accepted the Splunk AI Assistant for SPL EULA to access this version.
You can use version 1.0.5 of the app for as long as you have an active Splunk Cloud Platform subscription. Splunk AI Assistant for SPL is not compatible with Splunk Trial stacks. The app can be self-installed by either Classic or Victoria Experience customers.
Splunk AI Assistant for SPL runs as a completely separate service in each AWS region.
Splunk AI Assistant for SPL is only available to Splunk Cloud Platform customers in the following regions:
Region | Service availability date |
---|---|
AWS - AP Singapore | June 28, 2024 |
AWS - AP Sydney | June 28, 2024 |
AWS - AP Tokyo | June 28, 2024 |
AWS - Canada Central | June 15, 2024 |
AWS - EU Dublin | June 28, 2024 |
AWS - EU Frankfurt | June 28, 2024 |
AWS - EU London | June 28, 2024 |
AWS - EU Paris | June 28, 2024 |
AWS - US East Virginia | June 11, 2024 |
AWS - US West Oregon | June 15, 2024 |
For more details, see Install Splunk AI Assistant for SPL.
Splunk AI Assistant for SPL features
You can complete the following tasks with Splunk AI Assistant for SPL:
- Write a task in plain, natural language and have the app convert this task into a usable SPL search.
- Copy and paste an SPL search and have the app convert this search into a detailed breakdown in plain language.
- Input a plain, natural language question, or a Splunk platform term or product name and have the app provide information on Splunk product concepts and product functionality, sourced from Splunk documentation, Community forums, other Splunk training materials and resources.
- Iterate on task responses with a conversational user experience.
- Accelerate these tasks all within a familiar Splunk interface.
Feature preview: Personalization
Version 1.0.5 of the assistant offers a preview of a personalization feature. Participation in this preview feature is optional and the preview is turned off by default. The personalization feature uses your data to provide better results from Splunk AI Assistant for SPL.
If you are a user with administrator privileges, when you install version 1.0.5 or upgrade to version 1.0.5 you see a modal window describing the personalization preview feature and the option to opt in.
If you are a user without administrator privileges, when you install version 1.0.5 or upgrade to version 1.0.5 you see a modal window describing the personalization preview feature and the prompt to select Acknowledge.
Only users with administrator privileges can opt in or opt out of this preview. You can opt in or out at any time and the change takes effect immediately. If you want to opt in or out of this preview feature, navigate to the Settings tab of the assistant. Select or de-select the Share search history with Splunk option.
Users without administrator privileges see the Personalization information and the setting chosen, but cannot change this setting.
If you opt in to this preview feature, it can take some time before you observe improved app results. The LLMs will gain more context from your shared data over time and app usage.
The personalization feature runs the following search to gather the sourcetype metadata used for personalization:
```
| tstats count where `saias_field_summary_indexes` by sourcetype index
| dedup sourcetype, index
| rename index as indexname, sourcetype as sourcetypename
| map maxsearches=1000 search="| search index=\"$indexname$\" sourcetype=\"$sourcetypename$\" | `saias_field_summary_limit` | fieldsummary | eval index=\"$indexname$\", sourcetype=\"$sourcetypename$\""
| submitfielddata
```
The search consists of two parts:
- A tstats command to determine all of the unique index and sourcetype combinations present.
- A map subsearch which runs a fieldsummary command over each unique index and sourcetype combination. This determines what fields exist within that index/sourcetype combination.
The following 2 macros within the search are configurable. These macros can only be configured by your stack administrator.
Configurable macro | Details |
---|---|
saias_field_summary_indexes | Defaults to (index=* OR index=_*). |
saias_field_summary_limit | Limits the total number of events scanned for each unique index and sourcetype combination found by the fieldsummary subsearch. |
Changing these values can lead to app performance problems. For example, if you find searches are taking too long, your adjusted macro values might need review from your stack administrator.
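To review what this search would gather before opting in, an administrator can run a variant that stops before the final submitfielddata step. The following is an added example, not Splunk's own search: it reuses the two macros from the search above and lists the field names found for each index and sourcetype combination. It assumes the macros resolve in the app context where it is run; the maxsearches value of 25 and the output names fields and field_count are illustrative.

```spl
| tstats count where `saias_field_summary_indexes` by sourcetype index
| dedup sourcetype, index
| rename index as indexname, sourcetype as sourcetypename
| map maxsearches=25 search="| search index=\"$indexname$\" sourcetype=\"$sourcetypename$\" | `saias_field_summary_limit` | fieldsummary | eval index=\"$indexname$\", sourcetype=\"$sourcetypename$\""
| stats values(field) as fields, dc(field) as field_count by index, sourcetype
| sort - field_count
```

Because it still runs fieldsummary over each combination, this search consumes SVC resources like any other search run in the Search app.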
Where Splunk AI Assistant for SPL runs
Splunk AI Assistant for SPL runs as a separate component of Splunk Cloud Platform (SCP), which is not metered the way searches against data indexed by Splunk are.
For version 1.0.0 and higher, the SPL generated by the assistant requires a separate step to Open in Search. Searches executed in the Search app work like any other Splunk search, and consume SVC resources accordingly.
Splunk AI Assistant for SPL runs on AI Service, a multi-tenant cloud service hosted in Splunk Cloud Platform. This AI Service makes GPUs available for generating responses to customer prompts. All the AI compute is offloaded to AI Service and no AI compute is running on the customer's search head.
This documentation applies to the following versions of Splunk® AI Assistant for SPL: 1.0.5