Install Splunk AI Assistant for SPL for Splunk Enterprise customers with Cloud Connected

Splunk AI Assistant for SPL version 1.3.0 and higher offers Splunk Enterprise on-premises customers the option to use the app through a cloud connected solution.

The cloud connected solution uses Splunk-managed AI services in the cloud, to which your on-premises environment connects. It offers a secure connection between your environment and the Splunk-managed cloud, with no GPU requirements.

For installation instructions for Splunk Cloud Platform users, see Install Splunk AI Assistant for SPL for Splunk Cloud customers.

Version compatibility

See the following table for the compatible combinations of Splunk AI Assistant for SPL through cloud connected and Splunk Enterprise:

| Splunk AI Assistant for SPL version | Splunk Enterprise version |
| --- | --- |
| 1.5.0 | 9.2.x, 9.3.x, 9.4.x, 10.x, 10.1.x, or 10.2.x |
| 1.4.0 | 9.2.x, 9.3.x, 9.4.x, 10.x, or 10.1.x |
| 1.3.2 | 9.2.x, 9.3.x, 9.4.x, 10.x, or 10.1.x |
| 1.3.1 | 9.2.x, 9.3.x, 9.4.x, or 10.x |
| 1.3.0 | 9.2.x, 9.3.x, 9.4.x, or 10.x |

How is the connection made?

The cloud connection is established over HTTPS port 443 to ensure secure communication between your environment and Splunk Cloud Platform.

If your Splunk Enterprise deployment is behind a firewall, you must allow outbound access to the following domain:

| Host name | Instances requiring access | Port |
| --- | --- | --- |
| *.scs.splunk.com | Search head or search head cluster with Splunk AI Assistant for SPL | 443 |

The following domains must be allow listed for communication to the Splunk Cloud Platform Splunk AI Assistant for SPL service:

| Tenant ID | Domain |
| --- | --- |
| scs_tenant | https://<scs_tenant>.api.scs.splunk.com/<scs_tenant>/saia-api/v1alpha1/api/search |
| scs_tenant | https://<scs_tenant>.api.scs.splunk.com/<scs_tenant>/saia-api/v1alpha1/api/metadata |
| scs_tenant | https://<scs_tenant>.api.scs.splunk.com/<scs_tenant>/saia-api/v1alpha1/data/upload |
| scs_tenant | https://<scs_tenant>.api.scs.splunk.com/<scs_tenant>/saia-api/v1alpha1/data/status |
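
The following added example (not Splunk code) expands the two tables above into concrete egress rules for one tenant and checks candidate URLs against them, for instance when reviewing a proxy ACL. The tenant name `example-tenant` and the sample URLs are constructed, and treating `*.scs.splunk.com` as matching hosts at any depth is an assumption made because the tenant host sits two labels below `scs.splunk.com`.

```python
from urllib.parse import urlsplit

WILDCARD_SUFFIX = ".scs.splunk.com"  # firewall rule *.scs.splunk.com from the table
API_PATHS = ("api/search", "api/metadata", "data/upload", "data/status")


def tenant_endpoints(tenant):
    """Return the four documented service URLs for one SCS tenant."""
    base = f"https://{tenant}.api.scs.splunk.com/{tenant}/saia-api/v1alpha1"
    return [f"{base}/{path}" for path in API_PATHS]


def host_matches_wildcard(host):
    """Suffix match anchored on a label boundary and at the end of the name.

    The leading dot rejects 'evilscs.splunk.com'; matching at the end rejects
    'scs.splunk.com.example.net'. Assumption: the wildcard covers any depth.
    """
    host = host.lower().rstrip(".")
    return host.endswith(WILDCARD_SUFFIX) and len(host) > len(WILDCARD_SUFFIX)


def url_allowed(url, tenant):
    """True only for HTTPS on port 443 to one of the tenant's four endpoints."""
    parts = urlsplit(url)
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:  # non-numeric or out-of-range port
        return False
    if parts.scheme != "https" or port != 443 or parts.username is not None:
        return False
    host = (parts.hostname or "").rstrip(".")
    if not host_matches_wildcard(host):
        return False
    allowed_paths = {urlsplit(u).path for u in tenant_endpoints(tenant)}
    return host == f"{tenant}.api.scs.splunk.com" and parts.path in allowed_paths


def denied(urls, tenant):
    """Return the URLs that fall outside the tenant's allow list."""
    return [u for u in urls if not url_allowed(u, tenant)]


# Constructed sample: the first URL is a documented endpoint, the rest are not.
SAMPLE = tenant_endpoints("example-tenant")[:1] + [
    "http://example-tenant.api.scs.splunk.com/example-tenant/saia-api/v1alpha1/api/search",
    "https://example-tenant.api.scs.splunk.com:8443/example-tenant/saia-api/v1alpha1/api/search",
    "https://example-tenant.api.scs.splunk.com.example.net/example-tenant/saia-api/v1alpha1/api/search",
]
```
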

Installation process

Complete the following steps to access, install, and activate Splunk AI Assistant for SPL for Splunk Enterprise customers with the cloud connected solution:

  1. Download Splunk AI Assistant for SPL from Splunkbase.

  2. Install Splunk AI Assistant for SPL with the in-product app browser. The command line interface (CLI) is not required. In the in-product app browser, search for "AI Assistant" to find the listing for Splunk AI Assistant for SPL.

Activation steps

Complete the in-app onboarding process. This process includes the steps of Getting started, Create tenant code, Email tenant code, and Connect to cloud:

  1. Launch the app to get to the App configuration page. Select Continue to app setup page.
  2. On the resulting Getting started page, select Begin setup.
  3. On the Create tenant code page, add your deployment information. Add the company name, select a Splunk Cloud region, and provide your work email address.

  4. Under Tenant configuration, select the box to agree to the Splunk General Terms and then select Next.

  5. On the Submit tenant code page, copy and paste the generated tenant code into the tenant code submission form: www.splunk.com/en_us/form/tenantcodesubmit.html

    1. The tenant code you submit is reviewed and an activation code is then provisioned and sent to the email address you provided.

      Note: Provisioning typically takes 2 business days.
  6. On the Connect to cloud page, enter the activation token you received by email. Select Connect to cloud when ready.
    Note: If you haven't received your activation token after 2 business days, contact splunkai@cisco.com for assistance.
  7. (Optional) If your environment uses a proxy, you can configure a proxy server. This routes traffic through your proxy and helps ensure a successful connection.
    Note: You can also configure this later through the Settings page of the app.

After set-up is complete, you can use the assistant to create SPL searches, better understand SPL searches, and learn SPL. See Use Splunk AI Assistant for SPL.

Install or upgrade on the search head cluster

Splunk AI Assistant for SPL version 1.4.0 and higher supports installing the cloud connected solution on a search head cluster (SHC). Install the app on the Deployer and push it to the search head members. No per-member cloud registration is required.

If you have several search heads and search head clusters in your environment, follow these guidelines:

  • For each search head that does not belong to a search head cluster setup, you must request a separate Activation token.

  • For search head cluster setups that include several search head nodes, you must request only 1 Activation token per search head cluster setup.

SHC installation steps

Complete the following steps:
Note: If replication issues occur, perform an uninstall followed by a fresh install using these steps.
  1. Confirm you are using Splunk AI Assistant for SPL version 1.4.0 or higher.

  2. On the Deployer, copy the Splunk_AI_Assistant_Cloud app from etc/apps to etc/shcluster/apps.

  3. Push the SHC bundle from the Deployer to the Search Head members, replacing placeholders

  4. On any search head member, open the Splunk AI Assistant for SPL app page, submit the Tenant Code Activation form, and then submit the Activation Token received from Splunk.

Note: The Splunk platform instance must be restarted after installing or upgrading the Splunk AI Assistant for SPL app, in order for changes to take effect.

Upgrade to version 1.5.0 on the SHC

Complete the following steps:
Note: Only use these steps after onboarding (Activation Token submission) is complete. If onboarding is not complete, update the app on the Deployer and push as in the install section.
  1. Update the Splunk AI Assistant for SPL app on the Deployer to the latest version (1.5.0 or higher).

  2. Copy the updated app from etc/apps to etc/shcluster/apps.

  3. Push the bundle from the Deployer to the SHC member captain.

Note: The Splunk platform instance must be restarted after installing or upgrading the Splunk AI Assistant for SPL app, in order for changes to take effect.

Uninstall the app on the SHC

Complete the following steps:

  1. On the Deployer, remove the app from the SHC bundle directory.

  2. Push the updated bundle, without the app, to search head (SH) members.

  3. Verify removal on each SH member.

  4. Remove the app from the Deployer apps folder.

  5. Restart Splunk on the Deployer.

Add a new search head member to an existing SHC

Complete the following steps:

  1. Ensure the conf files under etc/apps/Splunk_AI_Assistant_Cloud/local replicate to the new member.

  2. If replication did not occur, copy the files manually from an existing search head member to the same path on the new member.

  3. Restart Splunk on the new member. The Splunk AI Assistant for SPL app inference search should function properly.

What data leaves your environment

Splunk AI Assistant for SPL through the cloud connected solution sends data from the customer-managed platform environment to Splunk Cloud Platform. The type of data shared depends on your configuration choices.

You can choose from the following options:

| Data sharing option | Description |
| --- | --- |
| Basic app setup with minimal data transfer | At a minimum, when you do not opt in to share AI service data or personalization data, the app sends only what is required to power core functionality. |
| Data sharing for research and development | You can opt in or out of sharing anonymized service data to help improve the product. Data sharing for research and development is required to provide feedback on individual interactions. To learn more, see What data is collected - share data. |
| Personalization data | Personalization lets the assistant tailor responses to your data, which can improve the quality of app responses. You can opt in or out of this feature. To learn more, see What data is collected - personalization data. |

Configurations can be changed by an administrator at any time on the Settings page. See Configure Splunk AI Assistant for SPL.

Splunk AI Assistant for SPL uses the Splunk platform proprietary model. The assistant uses an open source LLM and performs inference in Splunk Cloud services. It does not leverage or send your data to third party services or APIs. Data remains within the Splunk platform cloud environment.

Splunk does not share customer data between customers. Customer metadata is not mixed or used for model training.

The assistant fully honors Splunk platform role-based access controls (RBAC). It does not execute SPL on behalf of a user, but routes users to search and reporting where RBAC and workload management are fully honored.