Use Splunk AI Assistant for SPL in the Search app

Splunk AI Assistant for SPL is an optional generative AI feature in Splunk Web that helps users write, interpret, and optimize SPL searches. The assistant is displayed on the right side of the search bar.

Splunk AI Assistant for SPL is optional generative AI-powered assistance that provides bi-directional translation between natural language (NL) and Splunk Search Processing Language (SPL) to help users learn how to write, understand, interpret, and optimize SPL searches. More advanced users can use Splunk AI Assistant for SPL to make their searches more efficient and get detailed explanations of what their SPL searches are doing. To learn more about Splunk AI Assistant for SPL, see About Splunk AI Assistant for SPL.

Note: Splunk AI Assistant for SPL gives users SPL assistance without compromising customer confidentiality and security. If you choose a third-party hosted LLM (such as Microsoft Azure OpenAI) to power the AI Assistant, your selected third party will process some of the data to provide the services, but your data will not be used to train, fine tune, or improve the third-party model. Third-party models will only be used if your administrator chooses such a model, as discussed in Feature preview: Third-party LLM Usage. Users can opt out of having their data used by Splunk for research and development by configuring the assistant's user settings at any time. See Splunk Protects for full details on data privacy at Splunk.

Find Splunk AI Assistant for SPL in the Search app

In order to use the AI Assistant in searches, the Splunk AI Assistant for SPL app must be set up and activated. When users who don't have administrator privileges click on the Splunk AI Assistant for SPL icon in the search bar, the following screen is displayed on the right side of the Search app indicating that the AI Assistant has not been activated yet:

When administrators click on the Splunk AI Assistant for SPL icon, a link in the right side of the Search app takes them to activation information:

Activate Splunk AI Assistant for SPL in the Search app

Splunk AI Assistant for SPL is an optional generative AI feature in Splunk Web that helps users write and interpret SPL searches. The assistant is displayed on the right side of the search bar.

Before you can use Splunk AI Assistant for SPL in your searches in Splunk Web, your Splunk administrator must activate the application by following these steps.

  1. Review and sign the End-User License Agreement (EULA) for Splunk AI Assistant for SPL. See Install or upgrade Splunk AI Assistant for SPL.
  2. Install the latest version of the Splunk AI Assistant for SPL app. The Splunk AI Assistant for SPL app version 1.3.2 or higher must be installed before you can use the AI Assistant in searches in Splunk Web. See Install or upgrade Splunk AI Assistant for SPL.
    Note: The Splunk platform instance must be restarted after installing the Splunk AI Assistant for SPL app, in order for changes to take effect.
  3. Set data sharing preferences for users in the Splunk AI Assistant for SPL app. See Configure Splunk AI Assistant for SPL.
  4. Ensure that all users who need access to Splunk AI Assistant for SPL on the search page are granted at least read permission for the Splunk AI Assistant for SPL app. See Manage knowledge object permissions.
    Note: If AI assistant skills are not visible on the search page after the Splunk AI Assistant for SPL app has been activated, contact your administrator to confirm you have the necessary permissions to use the app.
Now that Splunk AI Assistant for SPL has been activated, you can start using it to help you run your searches. To open Splunk AI Assistant for SPL, click on the icon that is located to the right of the search bar. Screenshot of the search page with the Splunk AI Assistant for SPL icon. A window is displayed next to the icon that indicates that the app is now active and can be used to write, explain, or optimize SPL, or answer questions about Splunk Platform documentation.

Turn off the sparkle icon for Splunk AI Assistant for SPL

Splunk platform deployments that aren't ready to use the Splunk AI Assistant for SPL yet can turn off the AI sparkle icon from the Search bar in the Search app.

  • Have the permissions to edit configuration files. Only users with file system access, such as system administrators, can edit configuration files.
  • Know how to edit configuration files. Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
  • Decide which directory to store configuration file changes in. There can be configuration files with the same name in your default, local, and app directories. See Where you can place (or find) your modified configuration files in the Splunk Enterprise Admin Manual.
Splunk Enterprise deployments that aren't ready to use the Splunk AI Assistant for SPL yet can turn off the AI sparkle icon that appears in the Search bar in the Search app. Turning off the icon removes the icon and its tooltip from the Search app.
  1. Open the local web-features.conf file at $SPLUNK_HOME/etc/system/local.
  2. In the [feature:search_ai_assistant] stanza, set enable_search_ai_assistant = false.
    1. If you're using Splunk Enterprise in a distributed search deployment, you must set enable_search_ai_assistant=false in the web-features.conf file on all search heads.
  3. Restart Splunk Enterprise, so the change to the configuration file takes effect.
    1. To make the AI sparkle icon and its corresponding tooltip reappear in the Search bar, remove enable_search_ai_assistant = false from the web-features.conf file to return the setting to its default.

The Splunk AI Assistant for SPL sparkle icon and its corresponding tooltip no longer appear in the Search app.

To make the AI sparkle icon and its corresponding tooltip reappear in the Search bar, remove enable_search_ai_assistant = false from the web-features.conf file to return the setting to its default.