Overview, Availability, and Onboarding
Splunk AI Assistants are designed to help customers get more out of Splunk. Splunk AI Assistant for SPL (SAIA) is our new generative AI-powered chat experience that is designed to help new users learn and use SPL quickly. SAIA is powered by GPU-based cloud AI service and it uses natural language to write and explain SPL, in addition to answering product questions.
SAIA is available for Splunk Cloud Platform customers on AWS commercial stack in all regions. Details on latest stack availability are available in documentation.
The Splunk AI Assistant will work in compliance environments. However, it can not be used on FedRamp stacks or Splunk Free Trial stacks.
SAIA is available for all Splunk Enterprise Platform customers through a cloud connected solution.
Customers need to follow the following steps to install and use the app. Here is the documentation to install the application.
- Review & Sign EULA - Customers will need to sign legal terms covering the app and its use. The link for the EULA is https://www.splunk.com/en_us/download/ai-assistant.html. Once signed, the splunkbase application will be unlocked by Splunk on Splunkbase.com and the customer will be sent an email to confirm. This process may take 72 hours to complete.
- Install SAIA - Customer will then install the Splunk AI Assistant for SPL application from Splunkbase or in product.
For Splunk Enterprise customers onboarding to SAIA through the cloud connected solution:
- Install SAIA from Splunkbase and sign the license agreement: Download the app from the app browser or directly from Splunkbase. Customers will then install the Splunk AI Assistant for SPL application from Splunkbase or in product.
- Sign EULA & install: Follow the same EULA acceptance and installation steps used for Splunk Cloud onboarding.
- In-app onboarding: After installation, SAIA opens an onboarding flow. Complete the intake form; the system generates a tenant code. Send tenant code to Splunk AI. Provisioning usually takes 2–3 business days. Splunk emails an activation code to the address you provided. If your environment needs a proxy, you can set it up in the onboarding journey or later in SAIA’s setting. Cloud connection is established; SAIA is now up and running.
At this time, the SAIA application is only available to Splunk Cloud Platform customers. We are evaluating approaches that will enable us to bring SAIA to Splunk Enterprise customers in the future and will provide updates as soon as we have solidified plans.
The cloud connected solution runs Splunk-managed AI services in Splunk Cloud Platform while allowing on-premises environments to access them over a secure connection. Your data stays on-prem; only the AI requests and results travel to the cloud service.
The connection is established over HTTPS (port 443) to ensure secure communication between your environment and Splunk Cloud.
If your Splunk Enterprise deployment is behind a firewall, you’ll need to allow outbound access to the following domain:
| Host Name | Instances Requiring Access | Port |
|---|---|---|
*.scs.splunk.com
|
Search head or search head cluster instances with the SAIA for SPL app |
443 |
The assistant supports English, Spanish, French, and Japanese.
Data collection and data privacy
SAIA collects different data depending on whether or not the customer has opted into usage data sharing and the personalization feature in the app settings . The usage data allows Splunk to improve the AI Assistant for SPL to provide better results in the future.
Opting in to the personalization feature allows SAIA to generate responses that are specific to the customer’s environment.
Customers can find details on how to share information and what is collected in Share data in Splunk AI Assistant for SPL.
No. SAIA architecture is fully managed within Splunk’s infrastructure. We do not leverage external third party LLM services.
SAIA through a cloud connected solution’s data-collection practices follow the exact same policy as SAIA Cloud.
The type of data sent depends on your configuration choices. Below are the key options:
- Basic SAIA Setup (Minimal Data Transfer)
At minimum, SAIA sends only what is required to power core functionality: your input and your response.
Learn more: SAIA Overview
- Personalization (Optional)
You can choose to opt in or out. Opting in enables the assistant to tailor responses to your data, significantly improving quality. Enabling this feature is highly recommended.
Details: Personalization
- Data Sharing for R&D (Optional)
You may also opt in or out of sharing anonymized usage data to help improve the product.
Info: Data Sharing
There are safeguards in place to protect customer data including administrative, physical and technical measures.
Beyond the information stated above, SAIA does NOT collect any data ingested into the customer’s Splunk instance. Ingested customer data continues to be treated in accordance with the Splunk General Terms.
Q: Can the assistant see my ingested data?
A: No, it can not see a customer’s ingested data.
Q: Can the assistant see any of my logs?
A: The application does not view any event information. It does not see logs.
Customers can help improve the quality of responses generated by SAIA by sharing certain data, as noted, with us. They can also provide feedback in the form of thumbs-up/thumbs-down along with additional feedback on assistant responses.
Customers can’t provide feedback unless they opt into sharing data.
Opting-in to the personalization feature allows SAIA to fetch additional metadata to understand the customer environment, and instead of generating generic SPL queries, generate queries in the unique context of their metadata, such as index, sourcetypes and field names. This improves the quality of the responses leading to improved productivity.
Q: If the customer has previously opted out of data sharing and wants to opt in, what should they do?
A: The option to share usage data is in the Settings tab. Data collection starts once the option is selected.
Q: If the customer has previously opted-in to data sharing and wants to opt out, what should they do?
A: The option to share usage data can be turned off in the app settings. Once a customer opts out, data collection stops, but the previously collected data remains.
Q: If the customer has previously opted out of personalization and wants to opt in, what should they do?
A: The option to opt-in to personalization is in the Settings tab. Data collection starts when the option is selected.
Q: If the customer has previously opted-in to personalization and wants to opt out, what should they do?
A: The option to opt-in to personalization can be turned off in the app settings. Any metadata collected to personalize will be deleted within one week.
Data is stored in accordance with the Responsible AI for SAIA guidelines.
We use a layered, industry-best-practice security framework to safeguard connections between your on‑premises environment and Splunk‑managed AI services in the cloud.
- HTTPS secure connection: Every connection is established over HTTPS and port 443, ensuring end‑to‑end encryption so that no data ever crosses the public internet in plaintext.
- Customer‑owned key pair: During onboarding you create an ECDSA public/private key pair locally and share only the public key with Splunk. Your private key never leaves your environment.
- Signed, short‑lived JWTs: When your system initiates a session, it signs a JSON Web Token (ES256) with its private key. Our Identity & Access Control service verifies the signature with your public key and, on success, returns a time‑limited bearer token for API calls.
- Least‑privilege token access: Each token scoped only to the tenant it’s assigned to and the endpoints it needs, reducing blast radius and simplifying key rotation or revocation.
- Cryptographic integrity and authenticity: ES256 signatures guarantee that each request is both unaltered and genuinely issued by your tenant.
- Continuous logging and monitoring: All authentication events and API requests are logged, with monitoring to detect and alert on anomalies.
There are no mechanisms to review data provided by customers.
SAIA Product Architecture
SAIA for SPL is using open source pretrained LLMs that are fine tuned with our own domain specific data and further augmented with RAG. The models are ours and not from a third party. We use multiple models, choosing the best ones to deliver the best outcomes for the specific tasks.
The model is trained on open source and hand crafted data.
The model goes through rigorous internal evaluation for quality and is constantly being improved based on feedback. See more details on guardrails in the product docs here.
SAIA Pricing
Splunk provides active Splunk Cloud Platform and Splunk Enterprise customers with access to Splunk AI Assistant for SPL at no additional fee (aside from your standard subscription fees) for the current skills:
- Write SPL
- explain SPL
- tell me about
Customers on workload pricing will see little to no impact on SVC consumption while using the assistant. User prompts and generative AI results run within services hosted on Splunk Cloud Platform (SCP), not within the customers Cloud stack. However, a primary use of the Assistant is to generate SPL which can then be executed as a search. For the 1.0 release and higher, SPL generated by the Assistant will require a separate step to “open in search”. Searches executed in the Search app will work like any other Splunk search, and will consume SVC resources accordingly.
For the 1.1 release and higher, if the customer opts-in to the personalization feature, some scheduled searches will be executed on the customer’s stack to collect the metadata needed to personalize the results. These will consume SVC like any other scheduled searches.
SAIA Product Development and Roadmap
When a customer enters a prompt into the assistant and a response is generated, the application also provides the customer an opportunity to provide feedback. This is only available to customers who have opted into data sharing.
If the customer selects the “thumb down” they will further be given a chance to provide more details. This data will be sent and stored by Splunk only if the customer has opted into data collection.
Enhancements and feature request for the Splunk AI Assistant for SPL should be added to ideas.splunk.com
Please reach out to your account manager for this discussion.
Chat Service Alternatives
SAIA is a secure option for customers looking for SPL assistance without sharing private company data with third party LLM services. Instead, their data is kept within their secure Splunk environment. Additionally, if the customer opts in to the personalization feature, SAIA can generate responses that are unique to the customer environment that can be more accurate than generic responses from third party LLM services.
See how we use your data above and explore Splunk Protects for full details on data privacy in Splunk.
