At .conf23, we announced the preview release of Splunk AI Assistant - Splunk's first offering powered by generative AI. This app offers an intuitive and easy-to-use chat experience to help you translate a natural language prompt into an SPL query that you can execute or build on, all within a familiar Splunk interface. Splunk AI Assistant also explains what a given SPL query is doing in plain English, with a summary as well as a detailed breakdown of the query. This is the crucial first step towards enabling more powerful and efficient data discovery and investigation via natural language. The Splunk AI Assistant uses an open-source Transformer-based large language model (LLM) which was fine-tuned by Splunk to assist SPL users, lowering the barriers to realizing value.
SPL is a very powerful but complex domain-specific language designed by Splunk for use with Splunk software. New users face a steep learning curve in getting started with SPL if they are unfamiliar with its syntax, which is based on the Unix pipeline and SQL. Even experienced users run into issues trying to unlock the true power of SPL. For example, they may not recall a specific command or know what a command really does, or their queries may not be optimized. As a result, users have to dig through documentation or search for examples to craft their perfect SPL query, which wastes valuable time that could be dedicated to finding and remediating security threats or IT operations issues.
Splunk AI Assistant provides an assistive and intelligent chatbot experience to empower SPL users to easily craft their queries by simply writing plain English prompts. Splunk AI Assistant uses an open-source LLM which was fine-tuned by Splunk for conversational discussions around the following modalities:
Additionally, when you provide a natural language prompt and the assistant generates an SPL query, you can click a button to get an explanation of the generated SPL. The assistant will also provide links to relevant documentation for the important SPL commands used in the query.
When you use the app to describe a given SPL query in plain English, the assistant generates a concise one-sentence summary of what the query is trying to achieve, along with a deep dive into each SPL command in the query. This can be an effective way for new and experienced SPL users to understand and break down complex SPL queries.
As a first step, the model was fine-tuned using a combination of manually created and synthetically generated data extracted from Splunk docs, forums, training materials, and a wealth of other Splunk resources. It goes without saying that Splunk is uniquely positioned to train an LLM for writing and explaining SPL. The telemetry dashboards at Splunk are powered by, you guessed it, Splunk! When internal users (who have consented to share Splunk telemetry) search in their telemetry stacks, we record their SPL searches to get a better understanding of user needs. This is just one example of how we were able to fine-tune the model.
To further aid the fine-tuning, we leveraged another very important resource here at Splunk, our Splunkers. There was huge excitement around the Splunk AI Assistant and we cashed in on this momentum by creating an internal portal. Splunkers were encouraged to interact with the Splunk AI Assistant, ask it to write and explain SPL queries and provide feedback on the responses. This feedback was incorporated into the model to continue refining it.
We do not use, have not used, and do not plan to use customers’ SPL searches or data to train the Assistant. Customers’ data and searches are their own and are governed by the Splunk General Terms, which are industry-leading in data privacy and security.
Furthermore, the Splunk AI Assistant model has been trained and is owned by Splunk. This means that when you use the Assistant, you can feel at ease in knowing that your data is safe with Splunk and is not being sent or used elsewhere.
The Splunk AI Assistant is Splunk’s first offering in the space of LLMs and generative AI. This app is currently a standalone offering in this preview release. However, we plan to integrate it into Splunk’s products wherever there is a use case to create or edit SPL queries, so that the user experience is seamless.
Within the product roadmap, the assistant will be trained for other tasks as well. The first among these is answering users’ questions about Splunk, its products and features as well as how to use them, thus improving the discoverability and usability of Splunk. The assistant will be able to perform contextual summarization so that it can answer your question intelligently and succinctly. Another task that the assistant is being trained on is generating a prompt book related to the user’s question which will help the user generate more SPL queries related to their original prompt or allow the user to dive deeper into Splunk’s products and features.
The Splunk AI Assistant 0.2.1 is available today as a preview on Splunkbase for use with Splunk Cloud Platform as well as with Splunk Enterprise. For more information on how to use this app, refer to the documentation (you need a Splunk login to view it). To get started with this app today, visit https://pre-release.splunk.com/preview/aiassist.