Feature preview: AI Toolkit Agent Builder

The AI Toolkit Agent Builder preview is in a version that is not released on Splunkbase, probably 5.6.5. It is planned to go GA in July 2026. The PM asked for docs in the 5.6.4 docs, and these will carry to the 5.7.0 docs set for GA Feb 18.

Users of AI Toolkit can sign up for access to an Alpha version which includes the AI Toolkit Agent Builder.

The AI Toolkit Agent Builder lets you create, test, and deploy an AI agent. AI Agents use large language models (LLMs) and external tools to perform complex, multi-step tasks such as data analysis.

Note: Participation in this feature preview is completely optional.
Agents you create can analyze data across your technology stack without the need to write any code. You can leverage agents to convert manual, repetitive tasks into consistent and automated tasks that are unique to your organization and workflows.

Requirements

You must be a Splunk Cloud Platform customer to use this version and try the preview of the AI Toolkit Agent Builder feature.

You must also upgrade the Python for Scientific Computing (PSC) add-on to version 4.2.5 from Splunkbase.

Note: The expectation is that this feature will be generally available later this calendar year.

Permissions

  • You must have the edit_agent_connections capability to add Knowledge Base and MCP connections.

  • You must have the run_agents capability to create and run an AI Agent.

Note: Users with the mltk_admin role have both these capabilities by default.
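
To see which roles on a stack currently hold these two capabilities, directly or through inheritance, a search such as the following can be used. This is an added example, not part of the Splunk documentation; it assumes your account is allowed to run the rest search command against the authorization/roles endpoint.

```spl
| rest /services/authorization/roles splunk_server=local
| fields title capabilities imported_capabilities
| eval all_caps=mvappend(capabilities, imported_capabilities)
| eval can_edit_connections=if(isnotnull(mvfind(all_caps, "^edit_agent_connections$")), "yes", "no")
| eval can_run_agents=if(isnotnull(mvfind(all_caps, "^run_agents$")), "yes", "no")
| where can_edit_connections="yes" OR can_run_agents="yes"
| rename title AS role
| table role can_edit_connections can_run_agents
| sort role
```

In the endpoint's output, capabilities holds what is granted on the role itself and imported_capabilities holds what the role inherits, so the search reports a role in either case.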

Participating in the preview

This version of the toolkit is not available on Splunkbase and requires the signing of an end-user license agreement (EULA) through the Splunk Voice of the Customer (VOC) portal.

Complete the following steps:

  1. From Splunkbase download and install version 4.2.5 of the Python for Scientific Computing (PSC) add-on.

  2. Splunk Cloud Platform users with admin privileges can go to the VOC page and select the AI Agent Builder from the list of preview features available.

  3. Review and sign the EULA.

  4. Email your stack ID (stack name) and which AWS region it is present in to splunkai@cisco.com.

  5. Members of the Splunk team review your stack ID and AWS region and complete your onboarding to the preview version.

  6. You will be notified by email with access to the preview version of the AI Toolkit which includes the Agent Builder feature.

Configure Connections

Before you can create an agent you must first configure a connection to at least 1 knowledge base and 1 MCP server.

Configure Knowledge Base connection

Complete the following steps:

  1. Open the AI Toolkit app.

  2. From the Agentic AI tab select Configuration.

  3. From the top right select +Connection and choose Knowledge Base.

    This image shows the AI Toolkit and the preview for Agent Builder. The screen shows the modal window and fields to complete when adding a knowledge base connection.

  4. Complete the fields on the Add Knowledge Base page. Fields marked with an asterisk are required:

    | Field | Description |
    | --- | --- |
    | Connection Name | Type in or paste in an alphanumeric Connection Name. |
    | Knowledge Base Type | Select a Knowledge Base Type from the drop-down menu. |
    | Region | Enter the region where your knowledge base is located. For example, Asia, Canada, Europe. |
    | Knowledge Base ID | Enter the unique KB ID. |
    | Knowledge Base ID description | Add a description to help identify this knowledge base. |
    | AWS Access Key | Enter the unique AWS information. |
    | AWS Secret Key | Enter the unique AWS information. |
    | Role ARN | Enter the unique Amazon Resource Name (ARN) information. |

  5. (Optional) Test the connection and edit field information as needed.

  6. Select Save Connection when ready.

Configure MCP connection

Complete the following steps:

  1. Open the AI Toolkit app.

  2. From the Agentic AI tab select Configuration.

  3. From the top right select +Connection and choose MCP server.

    This image shows the AI Toolkit and the preview for Agent Builder. The screen shows the modal window and fields to complete when adding an MCP server connection.

  4. Complete the fields on the Add MCP Connection page. Fields marked with an asterisk are required:

    | Field | Description |
    | --- | --- |
    | Connection Name | Type in or paste in an alphanumeric Connection Name. |
    | MCP Provider | Select an MCP Provider from the drop-down menu. Both Splunk and Atlassian are supported. |
    | MCP URL | Enter the unique URL for the MCP server. |
    | Calls to endpoint confirmation | Select to confirm calls will be made by the agent to this endpoint. |
    | Authorization Token | Enter the unique key or credential. |
    | Auto refresh token | Applicable to Atlassian only. Select to confirm that the Authorization Token will automatically refresh. |

  5. (Optional) Test the connection and edit field information as needed.

  6. Select Save Connection when ready.

Create an Agentic AI Agent

After configuring connections to a Knowledge Base and MCP server you can create an AI Agent. That agent can then be manually triggered using ML-SPL commands.

Create a new agent

Complete the following steps. Fields marked with an asterisk are required.

Note: Agents are set as Private by default.

  1. Open the AI Toolkit app.

  2. From the Agentic AI tab in the AI Toolkit, select Agents.

  3. From the top right corner select Add Agent.

  4. Provide an Agent title. Title must be alphanumeric and less than or equal to 24 characters.

  5. (Optional) Add a description of this new agent.

  6. Prompt: Create a prompt. Describe what you want the agent to accomplish. Prompts defined in the prompt input instruct the agent unless a separate prompt is provided during agent invocation using ML-SPL commands.

  7. MCP servers: From the drop-down menu, select which MCP server connections your agent can access.

  8. Knowledge bases: From the drop-down menu, select which knowledge base connections your agent can access.

  9. LLM: Select the large language model (LLM) the agent uses. Supported platforms include OpenAI, Bedrock, AzureOpenAI, and Anthropic.

  10. Additional settings: Choose from the following optional settings for your agent:

    | Additional setting option | Description |
    | --- | --- |
    | Maximum Invocations per row | Maximum value is 25. ML-SPL can be used to invoke an agent multiple times based on search results. |
    | System Prompt | Define the identity of the agent, and provide high-level guardrails. |
    | Agent Timeout Duration | The maximum amount of time in seconds that the agent runs before timing out. |

View and manage agents

Agents you create are listed on the Agentic AI tab under Agents. Filter the list by Agent name or Owner. You can drill in to view details of any listed Agent, as well as make edits or delete from this list view.

Agent run history

You can view the agent run history from the Agentic AI tab under Agent run history. You can filter the listed results by time range, Agent name, and owner.

CAUTION: You must first create an index for this run history page to function and populate.
Complete these steps to create an index:
  1. From the Splunk Cloud platform top navigation bar choose Settings and select Indexes from the drop-down menu.

    This image shows an example instance of Splunk Cloud Platform. From the top navigation bar Settings has been selected. This generates a modal window of many options. The option for Indexes is highlighted.

  2. From the resulting Indexes page, select New Index.

  3. On the Add New Index modal window, enter ai_agent_run_history_index as the index name.

  4. For Index data type choose Events.

  5. Add Max raw data size and Searchable retention (days):

    1. For Max raw data size enter 100MB.

    2. For Searchable retention (days) choose 30 days.

  6. Select Save.

Call the AI Agent with ML-SPL commands

The Agent Builder feature ships with the new ML-SPL command aiagent. Use this command in combination with the Agent name in your Splunk platform search to run the agent on your chosen data.

The aiagent command can take in 2 parameters:

| Parameter | Description |
| --- | --- |
| agent_name | Name of the agent. Determined when the agent is created. |
| prompt | Task for the agent to run on. Described in natural language. Note: This parameter is optional if you defined the task prompt during the create agent step. |

The following is an example search using the aiagent command:

index=alerts   
| aiagent   
prompt="An alert has been received: {alert_description}. Fetch all relevant resources from Confluence, Jira, and related knowledge sources for this alert. Then format a summary of those resources and provide it"   
agent_name="ExampleAgentName"