Skip to main content
Lantern Home

 

Splunk Lantern

Implementing key use cases for the Splunk AI Assistant for SPL

  1. Last updated
  2. Save as PDF

 

The Splunk AI Assistant for SPL leverages generative AI to help users adopt Splunk software more quickly and effectively. The app makes it easier to read, write, and understand Search Processing Language (SPL) queries, lowering the barrier of getting value from the Splunk platform.

After installing the Assistant, you might ask yourself:

  • What can the assistant do for me?
  • What are some common and useful prompts relevant to my needs?
  • What is the best way to prompt the assistant to obtain meaningful results?

This article answers these questions and sets you on the path of great success with the AI Assistant for SPL and Splunk!

Use case 1: Discover the data in the Splunk platform

When using a Splunk platform instance for the first time, users often wonder how to discover what data is being collected for analysis. You can use the AI assistant to help author SPL queries you can use to discover all sorts of insights about the data being collected into your Splunk platform instance. We’ve curated a list of several great data discovery prompts you’ll find incredibly useful.

► Click to keep reading

Example: What data is being collected for host <hostname>?

The Splunk AI Assistant for SPL returns the following:

image6.png

After the query is returned, you have the option to Open In Search. Make any necessary changes to the query, in this case updating the indexes searched, and run the assistant’s query. Results are returned as shown in the image below. In this table, users can understand which indexes and source types contain data for a given set of hosts.

image5.png

Other useful data discovery prompts

  • What data is being collected in the environment?
  • Provide a sample event for all data in the environment.
  • What metrics are being collected in the environment?
  • What data contains the field <<fieldname>>?
  • Which hosts are sending <<sourcetype>> data?
  • What AWS, Azure, and GCP data is in the environment?

Use case 2: Learn how to parse and enrich data

Deriving new fields from existing data on demand is part of the power of SPL and can lead to incredible new insights. There are many techniques to parse and enrich data, so knowing the right command or the right command parameters can often be a challenge. We’ve curated a list of several great data parsing prompts you’ll find useful below.

► Click to keep reading

Example: How do I parse a timestamp string in the following format "01-Jan-2024 12:34:00 PM"?

The Splunk AI Assistant for SPL returns the following:

timestamp query.png

That’s going to save you a lot of time, because before the AI Assistant for SPL, you’d be searching for and pouring over Splunk Docs pages trying to find the right strptime format to use. In many cases, you’ll find the need to convert string based timestamps into epoch times to facilitate sorting, filtering, and visualizing results.

Other useful data parsing prompts

  • How can I parse an XML string into fields?
  • How can I parse a JSON string into fields?
  • How do I parse the host field o365.prod.buttercup.com into the three new fields app.env.domain?
  • How do I convert a comma separated string field into individual events?
  • Replace all instances of : and _ in the sourcetype field with / and call the new field path.

Use case 3: Perform cyber security investigations and analysis

Having the ability to conduct ad hoc investigations using SPL is the heart of what makes the Splunk platform so powerful to security analysts who often need to dig into data quickly to identify unusual patterns or potential threats. With the AI Assistant, you can create SPL queries to investigate suspicious activity, analyze indicators of compromise, and find answers faster. Below you’ll find a list of prompts that will make your security investigations smoother and more effective.

► Click to keep reading

Example: Search for allowed network traffic from United States by src_ip IP address

The Splunk AI Assistant for SPL returns the following:

location query.png

Building on the AI Assistant’s SPL using the geostats command, the results can be quickly plotted on a map allowing security analysts to quickly see where in the world allowed network traffic is coming from. This could help you identify allowed network traffic from a region where your organization does not conduct business.

map.png

Other useful security prompts

  • Write SPL to detect the creation of a new local user in Windows.
  • Use the Common Information Model to detect password spraying.
  • Use the Common Information Model to search for successful logins.
  • Use the Common Information Model to search for failed logins.
  • Write SPL to find recent configuration modifications in AWS.

Use case 4: Perform observability and ITOps investigations and analyses

Maintaining reliable and high-performing systems is essential for IT Operations analysts, SREs, and systems administrators who need to monitor infrastructure and quickly resolve issues. With the AI Assistant, you can create SPL queries to investigate operational data, identify performance and health issues, and gain insights into application usage. We’ve compiled a list of prompts that will enhance your operational investigations and analysis.

► Click to keep reading

Example: Search for exceptions and stack traces in application logs

The Splunk AI Assistant for SPL returns the following query:

index=<<index>> sourcetype=<<sourcetype>> linecount>3 (unhandled OR exception OR traceback OR stacktrace)

When you click Open In Search to run the assistant’s query, results are returned as shown in the image below. Exceptions and stack traces provide critical context when applications fail, showing the precise error messages and the code paths that led to the problem. By identifying these issues quickly, teams can pinpoint the root cause of failures, understand the impact on system performance, and even predict similar failures in the future. For SREs and ITOps professionals, this means reducing downtime and maintaining reliability.

image7.png

Other useful observability prompts

  • Search for indications of errors and other problems in application logs.
  • Show the trend of log volumes over time from hosts <<host list>>.
  • Show the trend of response codes over time for web traffic.
  • Show the top 10 most frequently viewed web pages.

Use case 5: Gain administrative insights

For Splunk admins, having clear insights into their environment is key to managing resources and ensuring everything runs smoothly. While many administrators already know how best to manage the Splunk platform, new, interim, and part-time Splunk admins may need a little help figuring out how to best understand what’s happening in their instances. The AI Assistant helps you generate SPL queries that provide visibility into user activities, system performance, and resource utilization. We’ve gathered a selection of prompts that will help you gain deeper administrative insights and streamline your management tasks.

► Click to keep reading

Example: Write SPL to show the runtime schedule of saved searches

The Splunk AI Assistant for SPL returns the following query:

| rest /services/saved/searches
| search is_scheduled=1
| table title, eai:acl.app, cron_schedule, next_scheduled_time, is_scheduled, run_every, dispatch.earliest_time, dispatch.latest_time

When you click Open In Search to run the assistant’s query, results are returned as shown in the image below. By viewing the schedule of saved searches, admins can identify peak times when searches are running, detect potential overlaps that could lead to strained resources or skipped searches, and ensure critical searches run as expected. This insight helps balance workloads, prevent search delays, and optimize performance, ensuring the environment remains responsive and efficient, even during heavy usage periods.

image1.png

Other useful administrative prompts

  • Which hosts are sending data to the Splunk platform?
  • Which Univeral Forwarders are sending data to the Splunk platform?
  • Write SPL to visualize the historical performance of saved searches.
  • Write SPL to show poorly performing or high cost searches.
  • Write SPL to show skipped searches.
  • Write SPL to show recent changes made in the Splunk environment and who made them.

Use case 6: Learn and master Splunk commands

Understanding SPL commands is fundamental to unlocking the full potential of the Splunk platform. Whether you're just starting out or looking to refine your skills, learning how to effectively use various commands can significantly improve your data analysis capabilities. With the AI Assistant, you can explore SPL commands, see examples, and get explanations that make learning more accessible. We’ve put together a list of prompts that will support your learning journey and help you become proficient in SPL.

► Click to keep reading

Example: How do I enrich data with fields from a lookup <<lookupfile.csv>>?

The Splunk AI Assistant for SPL returns the following query:

index=<index> sourcetype=<sourcetype>
| lookup <<lookupfile.csv>> <<lookup_field>> AS <<data_field>>

Enriching data with the lookup command is a powerful yet often confounding task, especially for users who aren’t fully familiar with the command's specific parameters. The lookup command requires users to align fields in their main dataset with those in the lookup file, specifying input and output fields in the correct order. By helping users navigate this command, the AI Assistant makes it easier to enrich existing data with additional context—such as location, device details, or user information—from external sources, all without the hassle of manually managing the correct syntax.

Other useful command education prompts

  • How do I plot IP addresses from the src_ip field on a map?
  • How do I plot data in the metrics index on a line over time?
  • How do I plot data in the metrics index on a line over time by a metric dimension?
  • How do I plot data in an index over time using tstats?
  • How do I plot data in an index on a pie chart using tstats?

Next steps

Using these “must-have” prompts as examples, you can see that the Splunk AI Assistant for SPL opens up new possibilities for users of all skill levels to quickly discover, parse, investigate, and optimize their data. With its ability to simplify SPL query writing and offer tailored guidance, the AI Assistant empowers everyone to unlock deeper insights and tackle complex questions in a fraction of the time.

The following additional resources might be of interest to you:

  • To install the Splunk AI Assistant in your environment, head over to the app page on Splunkbase and follow the installation tab instructions.
  • To learn more about the AI Assistant for SPL, visit the product page on splunk.com.
  • Explore our FAQ page to find answers to common questions, including data collection and data privacy, product architecture, and more.

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.