Splunk Lantern

Enabling the Splunk Enterprise AI Assistant for SPL

 

The Splunk Enterprise AI Assistant for SPL (SAIA) hosts its AI services securely in Splunk Cloud Platform and transmits only the minimal data needed. This lets you use generative AI without managing your own GPU, because Splunk handles all compute behind the scenes. In addition, every model refresh and performance adjustment that reaches Splunk Cloud Platform rolls out to you automatically.

Key uses for the Splunk AI Assistant for SPL include:

  • Write SPL using natural language: Simplify complex SPL queries by generating them using natural language input.
  • Explain SPL using natural language: Decode the intricacies of SPL queries for enhanced understanding and learning.
  • Answer questions from Splunk Docs: Provide quick, accurate answers to technical questions sourced directly from public Splunk documentation.

This article explains how to enable cloud connectivity and how to get started fast.

Solution

What data leaves my environment

The type of data sent depends on your configuration choices. Below are the key options:

  • Basic SAIA setup (minimal data transfer): At a minimum, SAIA sends only what is required to power core functionality. For more information, see About Splunk AI Assistant for SPL.
  • Personalization (optional): You can choose to opt in or out. Opting in enables the assistant to tailor responses to your data, significantly improving quality. Enabling this feature is highly recommended. For more information, see Personalization in Splunk AI Assistant for SPL.
  • Data sharing for research and development (optional): You can also opt in or out of sharing anonymized usage data to help improve the product. For more information, see Share data in Splunk AI Assistant for SPL.

How to handle firewalls or proxies

Splunk Enterprise customers can integrate in two common ways:

  • Next‑gen proxy: Both the onboarding flow and the SAIA settings page include a proxy URL setting that you can configure.
  • Allowlist firewall: The connection is established over HTTPS (port 443) to ensure secure communication between your environment and Splunk Cloud Platform. If your Splunk Enterprise deployment is behind a firewall, you’ll need to allow outbound access to the following domain:
    • Host name: *.scs.splunk.com
    • Instances requiring access: Search head or search head cluster instances with the SAIA for SPL app
    • Port: 443
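
The following added example (not part of the original article or of Splunk's code) checks egress records against the allowlist rule above and shows why `*.scs.splunk.com` must be matched as an anchored subdomain suffix rather than a substring. The search head inventory, the log format, and every hostname in the sample are constructed placeholders, and it assumes the wildcard covers one or more labels but not the bare domain.

```python
# Added example: audit constructed egress records against the SAIA allowlist rule.
ALLOWED_SUFFIX = ".scs.splunk.com"  # from the article: *.scs.splunk.com
ALLOWED_PORT = 443                  # from the article

# Hypothetical inventory of search heads running the SAIA for SPL app.
SEARCH_HEADS = {"sh1.corp.example", "sh2.corp.example"}

# Constructed sample records: "source_host dest_host dest_port".
# placeholder-tenant.scs.splunk.com is a made-up name, not a real endpoint.
SAMPLE_LOG = """\
sh1.corp.example placeholder-tenant.scs.splunk.com 443
sh2.corp.example PLACEHOLDER-TENANT.SCS.SPLUNK.COM. 443
sh1.corp.example placeholder-tenant.scs.splunk.com 8089
idx1.corp.example placeholder-tenant.scs.splunk.com 443
sh1.corp.example scs.splunk.com.mirror.example 443
sh1.corp.example notscs.splunk.com 443
"""

def host_matches(dest: str) -> bool:
    """True only if dest is a strict subdomain of scs.splunk.com."""
    # Normalize case and the optional trailing root dot before comparing.
    host = dest.strip().lower().rstrip(".")
    # Suffix includes the leading dot, so "notscs.splunk.com" cannot match,
    # and the length check rejects an empty label in front of the suffix.
    return host.endswith(ALLOWED_SUFFIX) and len(host) > len(ALLOWED_SUFFIX)

def classify(src: str, dest: str, port: int) -> str:
    """Return a verdict for one egress record."""
    if not host_matches(dest):
        return "deny: destination outside *.scs.splunk.com"
    if port != ALLOWED_PORT:
        return "deny: port is not 443"
    if src not in SEARCH_HEADS:
        return "review: source is not a SAIA search head"
    return "allow"

def audit(log_text: str):
    """Classify every record in a whitespace-separated egress log."""
    results = []
    for line in log_text.splitlines():
        src, dest, port = line.split()
        results.append((src, dest, int(port), classify(src, dest, int(port))))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row, sep="  ")
```
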

How to get started quickly

For Splunk Enterprise customers, Splunk admins should follow the steps below to get started. There is a pre-download process and an in-app onboarding flow.

Pre-download process

  1. Visit Splunkbase: Download the app from the app browser or directly from Splunkbase.
  2. Sign the special legal terms that cover data use. After you sign them, the Splunkbase application will be unlocked by the AI team and you will be sent an email to download the app. This process can take up to 72 hours to complete.
  3. Install the Splunk AI Assistant for SPL application from Splunkbase or in the Splunk platform.

In-app onboarding process

  1. After you install the SAIA application, the app launches an in-app onboarding flow:
    1. The first screen shows FAQs on use cases, data requirements, and proxy settings.
    2. Add company and tenant details. The system generates a unique tenant code.
    3. Email the tenant code to splunkai@splunk.com. Provisioning typically takes 2–3 business days. You will then receive an activation code sent to the email address provided. At this point, the AI team will have created a tenant for you.
  2. Add the activation code into the SAIA app.
  3. (Optional) Configure a proxy server. If you are not using a proxy server, you will need to make firewall changes to reach your new cloud tenant.
  4. Connect to the cloud-connected service.

For more information on the cloud-connected AI Assistant for SPL, see Learn more about Splunk AI Assistant for SPL.

Next steps

Now that you have enabled the Splunk Enterprise AI Assistant, try it out with some of the following queries:

  • Data discovery: Quickly answer questions like “What data is being collected for host <hostname>?”
  • Security investigations: Simplify searches. For example, you can ask, “Search for allowed network traffic from the United States by src_ip IP address.”
  • Observability investigations: Identify application issues fast with queries like “Search for exceptions and stack traces in application logs.”
  • Administrative insights: Generate SPL to manage operations such as “Show the runtime schedule of saved searches.”
  • Master SPL commands: Learn advanced techniques with prompts like “How do I enrich data with fields from a lookup <lookupfile.csv>?”

In addition, you might find the following resources useful for implementing the guidance in this article:

Written by Nick Ma, Principal Product Manager - Artificial Intelligence at Splunk