Optimization in Splunk AI Assistant for SPL

Version 1.4.0 and higher of Splunk AI Assistant for SPL offers a search optimization feature. This feature was previously offered as a preview.

Optimization can improve existing SPL searches or generate better searches when used with the Write SPL feature.

Use optimization to run faster searches and reduce costs with similar results. Through the Write SPL tab you can optimize existing searches, including saved searches, or compose new SPL searches that are then optimized.

Requirements

The optimization feature uses metadata from your Splunk deployment to provide better results from Splunk AI Assistant for SPL. Opting into personalization is a requirement to using optimization. See Configure Personalization settings for more information.

Optimization strategies

The optimization feature leverages the following optimization strategies:

Choosing the right index
Using tstat
Eliminating unnecessary wildcards

Optimization examples

To optimize an existing search, you can paste that existing search in the Write & optimize SPL tab or you can ask the assistant to perform optimization using the format of Optimize this search <original_search_query>.

See the following examples of SPL searches before and after SPL optimization:


Use case	Input	GPT Output	Llama Output
Select correct index	`sourcetype=access_combined status=404 \| stats count by clientip`	`index=web_logs sourcetype=access_combined status=404 \| stats count by clientip`	`index=web sourcetype=access_combined status=404 \| stats count by clientip`
	`search index=* error \| stats count by host`	`index IN (_audit, _introspection, _cmc_summary, _telemetry, summary) message="error" \| stats count by host`	`search index=main sourcetype=error \| stats count by host`
	`index=* \| fields _time userIdentity.arn eventName`	`index="aws" sourcetype="aws:cloudtrail" \| fields _time userIdentity.arn eventName`	`search index=_internal sourcetype=stash earliest=-1h@h latest=-0h@h \| fields _time userIdentity.arn eventName`
Optimize stats > tstats	`index=_internal sourcetype=* \| stats count by host, sourcetype`	`\| tstats count FROM index=_internal WHERE sourcetype IN ("splunkd", "splunk_web_access") BY host, sourcetype`	`\| tstats count WHERE index=_internal BY host, sourcetype`
Optimize stats > tstats	`index=_internal sourcetype=* \| stats latest(_time) as last_seen by sourcetype`	`\| tstats latest(_time) as last_seen FROM index=_internal WHERE isnotnull(sourcetype) BY sourcetype<pre>`	`\| tstats latest(_time) AS last_seen WHERE index=_internal BY sourcetype`
Wildcard replacement	`index=* sourcetype=audittrail user=*admin \| stats count by action`	`index=_audit sourcetype=audittrail user=*admin \| stats count by action`	`\| tstats count WHERE index=audittrail AND sourcetype=audittrail AND user=*admin BY action`

Use case	Input	GPT Output	Llama Output
Select correct index	`sourcetype=access_combined status=404 \| stats count by clientip`	`index=web_logs sourcetype=access_combined status=404 \| stats count by clientip`	`index=web sourcetype=access_combined status=404 \| stats count by clientip`
	`search index=* error \| stats count by host`	`index IN (_audit, _introspection, _cmc_summary, _telemetry, summary) message="error" \| stats count by host`	`search index=main sourcetype=error \| stats count by host`
	`index=* \| fields _time userIdentity.arn eventName`	`index="aws" sourcetype="aws:cloudtrail" \| fields _time userIdentity.arn eventName`	`search index=_internal sourcetype=stash earliest=-1h@h latest=-0h@h \| fields _time userIdentity.arn eventName`
Optimize stats > tstats	`index=_internal sourcetype=* \| stats count by host, sourcetype`	`\| tstats count FROM index=_internal WHERE sourcetype IN ("splunkd", "splunk_web_access") BY host, sourcetype`	`\| tstats count WHERE index=_internal BY host, sourcetype`
Optimize stats > tstats	`index=_internal sourcetype=* \| stats latest(_time) as last_seen by sourcetype`	`\| tstats latest(_time) as last_seen FROM index=_internal WHERE isnotnull(sourcetype) BY sourcetype<pre>`	`\| tstats latest(_time) AS last_seen WHERE index=_internal BY sourcetype`
Wildcard replacement	`index=* sourcetype=audittrail user=*admin \| stats count by action`	`index=_audit sourcetype=audittrail user=*admin \| stats count by action`	`\| tstats count WHERE index=audittrail AND sourcetype=audittrail AND user=*admin BY action`