BUILT FOR SPLUNK · POWERED BY AI

Query Splunk in plain English.

AI Query Assistant turns natural language into production-ready SPL. Multi-provider AI, template management, query history, and security validation — all native to your Splunk workspace.

SUPPORTS LEADING AI PROVIDERS
OpenAI, Anthropic Claude, Azure OpenAI, Gemini, DeepSeek, Ollama
EVERYTHING YOU NEED

An AI copilot that speaks SPL fluently.

From natural-language prompts to battle-tested SPL — with the security, templates, and history your team expects from production tooling.

Natural language queries

Ask in plain English, get valid SPL. No cheat sheets, no syntax wrangling.

Multi-provider AI

Switch between OpenAI, Anthropic, Azure, Gemini, DeepSeek, and local Ollama with a single dropdown.

Template management

Save proven query patterns as reusable templates. Share them across your team or keep them private.

Query history

Every query is logged, searchable, and rerunnable. Rebuild past investigations without rewriting a single pipeline.

Security validation

Built-in SPL safety checks flag destructive commands, unsafe rex, and injection risks before they run.

Enterprise licensing

Per-seat license keys, usage metering, and custom quota enforcement for regulated environments.

HOW IT WORKS

Three steps from question to insight.

The assistant lives inside Splunk. Ask a question, review the generated SPL, and run it against your indexes — with every result cached and ready to share.

01. Describe what you need

Type a question in natural language. The assistant understands your indexes, sourcetypes, and field names from context.

02. Review & refine the SPL

The model returns SPL with inline explanations. Edit directly, ask for alternatives, or pass it through the security validator.

03. Run, save, and share

Execute in a single click. Save as a template for next time, or hand the query off to a dashboard or alert.

Splunk Enterprise / AI Query Assistant
YOUR QUESTION claude-sonnet-4.6

Which source IPs had more than 10 failed SSH logins in the last 24h? Include country info.

Safe
Generated in 1.8s · 6 pipelines · 98% confidence
WHO IT'S FOR

Built for the teams that live in Splunk.

Security operations

Investigate incidents in seconds. Hunt across indexes, correlate across sourcetypes, and walk away with hardened SPL you can pin to an alert.

SRE & observability

Answer the on-call question faster. Surface p95 latencies, error budgets, and noisy tenants without memorizing a single stat command.

Analytics & BI

Let PMs and analysts explore Splunk data directly. Ship dashboards from questions, not tickets — with the guardrails IT needs.

10×
Faster time-to-query vs. writing SPL by hand
50+
Pre-built templates across SOC, SRE, and analytics workloads
100%
Self-hosted inside your Splunk instance — nothing leaves your network
AVAILABLE ON SPLUNKBASE

Ship Splunk queries at the speed of a conversation.

Install the AI Query Assistant in minutes. Bring your own API key. Keep your data inside your Splunk instance.