Using generative AI to write and explain SPL searches
You have been asked to build a report that will check for free space on hosts in WinHostMon. Often, this would take an exploratory search, while iteratively building the search parameters. This approach can be time-consuming, especially for users who might not be familiar with Splunk Search Processing Language (SPL) syntax or best practices in Splunk Cloud Platform.
Solution
Splunk AI Assistant for SPL is the first generative AI offering created by Splunk that can create SPL searches from a natural language prompt. Splunk AI Assistant for SPL can also increase a user's knowledge by explaining the SPL with both a brief summary and a detailed breakdown of the search.
Splunk AI Assistant for SPL contains three different sections:
- Write SPL. Writes SPL needed for the solution using a natural language prompt.
- Explain SPL. Provides explanations for SPL that a user might have found in a separate dashboard, a saved search, or shared by another user.
- Tell me about. Provides additional search command, product, or process information.
While this example focuses specifically on measuring disk space as a use case, Splunk AI Assistant for SPL can generate SPL for nearly any imaginable use case by Splunk users of all skill levels and roles.
Prerequisites
- Splunk Cloud Platform
- Splunk AI Assistant for SPL
- Splunk Add-on for Microsoft Windows
- Microsoft: Windows host monitoring data
Procedure
Write SPL
In Splunk AI Assistant for SPL, click the Write SPL section and enter the following prompt: “What disk has the least amount of free space in WinHostMon?”
A template SPL query is automatically generated, with a line-by-line explanation of the search. In this case, the SPL also includes conversions from kilobytes to gigabytes for added clarity. The SPL summarizes the information in a table, and only displays the top result. The Open in Search button launches this query in a new tab, and related content for the search commands is linked.
Splunk AI Assistant for SPL processing is powered by a separate Splunk Cloud Services (SCS) backend, instead of running locally on the search head. The SPL results might represent more generalized building blocks and not reflect each unique environment. As a result, you might need to refine your prompts to obtain results directly aligned with your specific environment, or in this case, populate the index and source type placeholders.
Explain SPL
While the previous Write SPL section effectively explains the commands included in the generated search, imagine that you found a pre-existing search and are trying to better understand what it is doing. The Explain SPL section allows you to paste in SPL and get a similar explanation of the data sources and content.
We can paste the search generated from the Write SPL section above to see a detailed explanation of the SPL components.
Tell me about
The Tell me about section makes it easy to gain additional information on search commands, products, or technical information. For example, if you're interested in learning more about the WinHostMon data referenced above, you can ask: Tell me about... “the WinHostMon sourcetype”.
In this example, the results provide information on how to install and configure the Splunk Add-on for Windows, including examples of input.conf stanzas and related information in Splunk Docs.
Next steps
These resources might help you understand and implement this guidance:
- Blog: Supercharge insights with generative AI: Splunk AI Assistant for SPL is now GA
- Blog: Unlocking efficiency: How the Splunk AI Assistant for SPL transforms the IT analyst role
- Blog: Accelerate digital resilience with Splunk AI Assistant for SPL
- Splunk Docs: Splunk AI Assistant for SPL
- YouTube: Meet the Splunk AI Assistant for SPL
- Splunkbase: Splunk AI Assistant for SPL