Use Splunk AI Assistant in the Search app

Splunk AI Assistant is an optional generative AI feature in Splunk Web that helps users write, interpret, and optimize SPL searches. The assistant is displayed on the right side of the search bar.

Splunk AI Assistant is optional generative AI-powered assistance that provides bi-directional translation between natural language (NL) and Splunk Search Processing Language (SPL) to help users learn how to write, understand, interpret, and optimize SPL searches. More advanced users can use Splunk AI Assistant to make their searches more efficient and get detailed explanations of what their SPL searches are doing. To learn more about Splunk AI Assistant, see About Splunk AI Assistant.

Note: Splunk AI Assistant gives users SPL assistance without compromising customer confidentiality and security. If you choose a third-party hosted LLM (such as Microsoft Azure OpenAI) to power the AI Assistant, your selected third party will process some of the data to provide the services, but your data will not be used to train, fine tune, or improve the third-party model. Third-party models will only be used if your administrator chooses such a model, as discussed in Feature preview: Third-party LLM Usage. Users can opt out of having their data used by Splunk for research and development by configuring the assistant's user settings at any time. See Splunk Protects for full details on data privacy at Splunk.

Find Splunk AI Assistant in the Search app

In order to use the AI Assistant in searches, the Splunk AI Assistant app must be set up and activated. When users who don't have administrator privileges click on the Splunk AI Assistant icon in the search bar, the following screen is displayed on the right side of the Search app indicating that the AI Assistant has not been activated yet:

This image shows the Splunk AI Assistant icon on the right side of the Search bar with text in the panel on the far right of the Search window instructing users to contact their administrator to activate the Splunk AI Assistant.

When administrators click on the Splunk AI Assistant icon, a link in the right side of the Search app takes them to activation information:

This image shows the Splunk AI Assistant icon on the right side of the Search bar with a button in the panel in the lower right corner of the Search window linking administrators to activation documentation, so they can activate the Splunk AI Assistant.

Activate Splunk AI Assistant in the Search app

Splunk AI Assistant is an optional generative AI feature in Splunk Web that helps users write and interpret SPL searches. The assistant is displayed on the right side of the search bar.

Before you can use Splunk AI Assistant in your searches in Splunk Web, your Splunk administrator must activate the application by following these steps.

  1. Review and sign the End-User License Agreement (EULA) for Splunk AI Assistant. See Install or upgrade Splunk AI Assistant.
  2. Install the latest version of the Splunk AI Assistant app. The Splunk AI Assistant app version 1.3.2 or higher must be installed before you can use the AI Assistant in searches in Splunk Web. See Install or upgrade Splunk AI Assistant.
    Note: The Splunk platform instance must be restarted after installing the Splunk AI Assistant app, in order for changes to take effect.
  3. Set data sharing preferences for users in the Splunk AI Assistant app. See Configure Splunk AI Assistant.
  4. Ensure that all users who need access to Splunk AI Assistant on the search page are granted at least read permission for the Splunk AI Assistant app. See Manage knowledge object permissions.
    Note: If AI assistant skills are not visible on the search page after the Splunk AI Assistant app has been activated, contact your administrator to confirm you have the necessary permissions to use the app.
Now that Splunk AI Assistant has been activated, you can start using it to help you run your searches. To open Splunk AI Assistant, click on the icon that is located to the right of the search bar:
Screenshot of the search page with the Splunk AI Assistant icon. A window is displayed next to the icon that indicates that the app is now active and can be used to write, explain, or optimize SPL, or answer questions about Splunk Platform documentation.

Turn off the sparkle icon for Splunk AI Assistant

Splunk platform deployments that aren't ready to use the Splunk AI Assistant yet can turn off the AI sparkle icon, so it doesn't appear in the Search bar in the Search app.

Splunk platform deployments that aren't ready to use the Splunk AI Assistant yet can turn off the AI sparkle icon that appears in the Search bar in the Search app in Splunk Web. Turning off the icon removes the icon and its tooltip from the Search app for all users of the deployment.

By default, to turn on or off the AI sparkle icon for the Splunk AI Assistant, you must be a member of the admin or sc_admin role.

  1. In Splunk Web, select Settings and then Server settings and then Search preferences.
  2. Turn off the toggle for the Splunk Search AI Assistant.
    1. If you're using Splunk Enterprise in a distributed search deployment, you must turn off the toggle on all search heads.
    2. To make the AI sparkle icon and its corresponding tooltip reappear in the Search bar, return the toggle for the Splunk Search AI Assistant to its default.

The Splunk AI Assistant sparkle icon and its corresponding tooltip no longer appear in the Search app.