Splunk® AI Assistant for SPL

Install and use Splunk AI Assistant for SPL

Feature preview: Optimization

Version 1.3.0 of Splunk AI Assistant for SPL offers a preview of a new feature: optimization. Optimization can improve existing SPL searches or generate better searches when used with the Write SPL feature.

Participation in this preview feature is optional and can be turned on or off at any time.

Use optimization to run faster searches and reduce costs with similar results. Through the Write SPL tab you can optimize existing searches, including saved searches, or compose new SPL searches that are then optimized.

Requirements

The optimization feature uses metadata from your Splunk deployment to provide better results from Splunk AI Assistant for SPL. Opting in to personalization is a requirement for using optimization. See Configure Personalization settings.

To participate in the preview, you must also share your AI Service Data so that we can gather the necessary feedback to improve this feature before general availability. See Configure share data settings.

Participating in the preview

If you are a user with administrator privileges, when you install version 1.3.0 or upgrade to version 1.3.0, you will see the following modal window and the option to opt in:

This image shows the modal window that will display when you open version 1.3.0 of the assistant. Administrator users can choose to turn on the SPL Optimization preview on this window, or opt in or out later through the Settings page.

Only users with administrator privileges can opt in or opt out of this preview. You can opt in or out at any time, and the change takes effect immediately.

The optimization preview setting, whether on or off, applies at the app level across all users, not per user.

When you opt in to optimization, the Write SPL tab is renamed Write & optimize SPL.

To opt in or out of this preview feature after installation or upgrade, go to the Settings tab of the assistant and select or deselect the Optimize SPL option, as shown in the following image:

This image shows the information available on the Settings tab of the assistant. The toggle for SPL Optimization is highlighted.

Users without administrator privileges see the optimization information and the setting chosen, but cannot change this setting.

Optimization strategies

The following optimization strategies are leveraged in this feature preview:

  • Choosing the right index
  • Using tstats
  • Eliminating unnecessary wildcards

More strategies will be added during the preview stage.

Example searches

To optimize an existing search, paste that search in the Write & optimize SPL tab. Alternatively, ask the assistant to perform optimization using the format Optimize this search <original_search_query>.

The following are examples of SPL searches before and after SPL optimization:

Overview: Optimize SPL using tstats
Original search:
search index=pdr-aws sourcetype=aws:cloudwatchlogs "Duration"
| rex field=_raw "Billed\sDuration:\s(?<billedDuration>\d+)\sms"
| stats max(billedDuration)
Optimized search:
| tstats max(billedDuration) WHERE index=pdr-aws AND sourcetype=aws:cloudwatchlogs

Overview: Specify index if missing
Original search:
search sourcetype=access_combined status=404 | stats count by clientip
Optimized search:
search index=web sourcetype=access_combined status=404 | stats count by clientip

Overview: Specify index if missing
Original search:
search index=* error | stats count by host
Optimized search:
search index=main error | stats count by host

Overview: Specify index if missing
Original search:
sourcetype=audittrail | stats count by user
Optimized search:
index=_audit sourcetype=audittrail
| stats count by user

Overview: Specify index if missing
Original search:
sourcetype IN (splunkd, audittrail) | stats count by sourcetype
Optimized search:
search index IN (_introspection, _audit) sourcetype IN (splunkd, audittrail)
| stats count by sourcetype

Overview: Optimize SPL using tstats
Original search:
search index=main sourcetype=ssh_logs action=failed | stats dc(user) AS failed_users by host
Optimized search:
| tstats dc(user) AS failed_users WHERE index=main AND sourcetype=ssh_logs AND action=failed BY host

Overview: Optimize SPL using tstats
Original search:
search index=app sourcetype=transactions | timechart span=1h count by transaction_type
Optimized search:
| tstats count WHERE index=app AND sourcetype=transactions BY _time span=1h, transaction_type

Overview: Optimize SPL using tstats
Original search:
index=_internal sourcetype=*
Optimized search:
| tstats count WHERE index=_internal BY sourcetype

Overview: Optimize SPL using tstats
Original search:
index=_internal sourcetype=* | stats count by host, sourcetype
Optimized search:
| tstats count WHERE index=_internal BY host, sourcetype

Overview: Optimize SPL using tstats
Original search:
index=_* sourcetype=audit_ingest-2
| stats count by _time | bin _time span=1d
Optimized search:
| tstats count WHERE index=_* AND sourcetype=audit_ingest-2 BY _time
| bin _time span=1d
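The optimization strategies listed above and the before/after pairs in this table both rest on the rewrite returning similar results, which is worth verifying before a tuned detection search replaces the original. The following Python helper is an added example, not code from Splunk or from this documentation: it checks a proposed | tstats rewrite against the original search for two things tstats cannot do, namely read a field that the original created at search time with rex or eval, and avoid scanning every index when a wildcard such as index=* is kept. The field-extraction regexes are simple heuristics rather than an SPL parser, and the two sample pairs are copied from the table; the helper reports which fields to confirm as index-time extractions and never runs either search.

```python
"""Review a `search ... | stats` to `| tstats` rewrite before trusting its results.

Added example; not part of Splunk AI Assistant for SPL or its documentation.
It encodes two facts about tstats: it reads only indexed fields (index-time
extractions plus the _time, host, source, sourcetype and index metadata), and
an index wildcard such as index=* still scans every index.  A field the
original search built with rex or eval is therefore invisible to tstats unless
it also exists as an indexed field, so the rewrite may be faster but empty.
The regexes below are deliberately simple heuristics, not an SPL parser.
"""
from __future__ import annotations

import re

# Metadata present on every indexed event; tstats can always filter or group on these.
INDEXED_METADATA = {"_time", "host", "source", "sourcetype", "index", "splunk_server"}

FIELD = r"[A-Za-z_][A-Za-z0-9_]*"


def search_time_fields(spl: str) -> set[str]:
    """Names of fields the search creates at search time with rex or eval."""
    fields = set(re.findall(r"\(\?P?<(" + FIELD + r")>", spl))  # rex named captures
    for stage in spl.split("|"):
        stage = stage.strip()
        if stage.lower().startswith("eval "):
            # first assignment target of each comma-separated eval expression
            fields.update(re.findall(r"(?:^|,)\s*(" + FIELD + r")\s*=(?!=)", stage[5:]))
    return fields


def tstats_fields(spl: str) -> set[str]:
    """Field names the first `| tstats` stage uses in its functions, WHERE and BY clauses."""
    stage = re.search(r"\|\s*tstats\s+(.*?)(?=\||$)", spl, re.IGNORECASE | re.DOTALL)
    if not stage:
        return set()
    body = stage.group(1)
    fields = set(re.findall(
        r"\b(?:count|dc|max|min|sum|avg|values|earliest|latest)\((" + FIELD + r")\)",
        body, re.IGNORECASE))
    where = re.search(r"\bWHERE\b(.*?)(?:\bBY\b|$)", body, re.IGNORECASE | re.DOTALL)
    if where:
        fields.update(re.findall(r"(" + FIELD + r")\s*(?:=|!=|<|>|\bIN\b)",
                                 where.group(1), re.IGNORECASE))
    by = re.search(r"\bBY\b(.*)$", body, re.IGNORECASE | re.DOTALL)
    if by:
        # "BY _time span=1h, transaction_type": the first token of each item is the field
        fields.update(tok.split()[0] for tok in by.group(1).split(",") if tok.split())
    return fields


def review_rewrite(original: str, optimized: str) -> dict:
    """Compare a search with its proposed tstats rewrite and return what to verify."""
    derived = search_time_fields(original)
    used = tstats_fields(optimized)
    return {
        # tstats cannot read a field the original computed with rex or eval
        "search_time_fields_in_tstats": sorted(used & derived),
        # neither metadata nor rex/eval output: confirm these are index-time fields
        "unverified_fields": sorted(used - derived - INDEXED_METADATA),
        # an index wildcard still scans every index the user can read
        "wildcard_index": bool(re.search(r"\bindex\s*=\s*_?\*", optimized, re.IGNORECASE)),
        # the "specify index if missing" strategy: the rewrite should name an index
        "index_specified": bool(re.search(r"\bindex\s*(?:=|\bIN\b)", optimized, re.IGNORECASE)),
    }


# Two before/after pairs copied from the documentation table above (sample input).
CLOUDWATCH_ORIGINAL = (
    'search index=pdr-aws sourcetype=aws:cloudwatchlogs "Duration" '
    r'| rex field=_raw "Billed\sDuration:\s(?<billedDuration>\d+)\sms" '
    "| stats max(billedDuration)"
)
CLOUDWATCH_OPTIMIZED = "| tstats max(billedDuration) WHERE index=pdr-aws AND sourcetype=aws:cloudwatchlogs"

SSH_ORIGINAL = "search index=main sourcetype=ssh_logs action=failed | stats dc(user) AS failed_users by host"
SSH_OPTIMIZED = "| tstats dc(user) AS failed_users WHERE index=main AND sourcetype=ssh_logs AND action=failed BY host"

if __name__ == "__main__":
    for name, pair in {"cloudwatch": (CLOUDWATCH_ORIGINAL, CLOUDWATCH_OPTIMIZED),
                       "ssh": (SSH_ORIGINAL, SSH_OPTIMIZED)}.items():
        print(name, review_rewrite(*pair))
```

For the CloudWatch pair the helper reports billedDuration as a search-time field, because the original extracted it with rex; the rewrite only returns a value if that field is also an index-time extraction. For the SSH pair it lists action and user as fields to confirm, since they are neither metadata nor produced by rex or eval in the original.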
Last modified on 30 July, 2025

This documentation applies to the following versions of Splunk® AI Assistant for SPL: 1.3.0


