SPLUNK AI ASSISTANT FAQ

Get answers to your most pressing product questions.

Overview, Availability, and Onboarding

Splunk AI Assistant is our agentic AI-powered user experience that is designed to enhance productivity, effectiveness, and overall digital resilience with the full power of the Splunk Platform. Think of Splunk AI Assistant as your digital teammate, designed to help you work through complex requests all while providing the relevant context, reasoning, and recommendations to help you reduce your mean time to resolution.

Splunk AI Assistant is available to both Splunk Cloud Platform and Splunk Enterprise customers.

 

For Splunk Cloud Platform (SCP) customers, Splunk AI Assistant is available in many AWS and Azure regions. The list expands regularly, and updated information is available in our list of Supported regions. See Install Splunk AI Assistant for SPL for Splunk Cloud customers.

 

Splunk Enterprise customers can leverage our cloud connected option to connect to existing regions. Information is available in Install Splunk AI Assistant for SPL for Splunk Enterprise customers with Cloud Connected.

Please refer to the latest version of the Splunk AI Assistant product documentation for instructions on installation for various deployment methods.

Yes, as of version 1.3, Splunk Enterprise (on premises) customers can use the Splunk AI Assistant, but it requires a specific setup known as the Cloud Connected solution.

 

The Cloud Connected solution splits the workload to maintain data privacy while leveraging cloud-scale compute:

 

  • Local Data (On-Prem): Your raw logs, events, and sensitive data remain entirely within your on-premises environment.
  • Cloud Compute (Splunk Cloud): The "heavy lifting" of the AI—processing natural language and generating SPL—happens in a secure, multi-tenant AI service hosted by Splunk in the cloud.
  • The Bridge: Your on-premises Search Head sends a request (the user's prompt and relevant metadata) over a secure HTTPS connection (Port 443) to the Splunk AI service. The service returns the generated SPL or explanation back to your local instance.

 

The cloud connected solution runs Splunk-managed AI services in Splunk Cloud Platform while allowing on-premises environments to access them over a secure connection. Your data stays on-prem; only the AI requests and results travel to the cloud service. Any searches are still executed within the on-prem environment.

The connection is established over HTTPS (port 443) to ensure secure communication between your environment and Splunk Cloud.

 

If your Splunk Enterprise deployment is behind a firewall, you will need to allow outbound access to the following domain:

 

  • Host name: *.scs.splunk.com
  • Instances requiring access: Search head or search head cluster instances with the Splunk AI Assistant app
  • Port: 443

The full list of supported languages can be found here.

Data collection and data privacy

Splunk AI Assistant collects different data depending on whether the customer has opted into usage data sharing and the personalization feature in the app settings. The usage data allows Splunk to improve the Splunk AI Assistant to provide better results.

 

Opting in to the context feature (formerly called Personalization) allows Splunk AI Assistant to generate responses that are specific to the customer’s environment.

 

Customers can find details on how to share information and what is collected in Share data in Splunk AI Assistant.

In addition to the large language models (LLMs) hosted in Splunk Cloud Platform, version 1.4.0 and higher of Splunk AI Assistant provides the option to use models hosted in Azure OpenAI.

 

Splunk AI Assistant determines when to use a Splunk platform-hosted LLM, and when to use a model hosted outside Splunk with the default model runtime setting. This can provide better response quality through the assistant, depending on factors such as use cases. When you install or upgrade to version 2.0, you are opted in to this functionality by default. You can disable this functionality at any time. However, if you limit to Splunk-hosted models, then the new Agent Mode will not be available to you.

The data collection practices of Splunk AI Assistant through the cloud connected solution follow the exact same policy as Splunk AI Assistant for cloud.

 

The type of data sent depends on your configuration choices. Below are the key options:

 

  1. Basic Splunk AI Assistant Setup (Minimal Data Transfer)
    At minimum, Splunk AI Assistant sends only what is required to power core functionality: your input and your response.
    Learn more: Splunk AI Assistant Overview

  2. Context (Optional)
    You can choose to opt in or out. Opting in enables the assistant to tailor responses to your data, significantly improving quality. Enabling this feature is highly recommended.
    Details: Personalization


  3. Data Sharing for model training and fine-tuning (Optional)
    You may also opt in or out of sharing AI Service data for the purposes of model training and fine-tuning.
    Info: Data Sharing


There are safeguards in place to protect customer data including administrative, physical, and technical measures. Splunk AI Assistant also meets the following compliance certifications:

 

  • SOC2
  • PCI
  • HIPAA

Beyond the information stated above, Splunk AI Assistant does NOT collect any data ingested into the customer’s Splunk instance. Ingested customer data continues to be treated in accordance with the Splunk General Terms.

 

Q: Can the assistant see my ingested data?
A: No, it cannot see a customer’s ingested data. If Agent Mode is turned off, then AI Assistant cannot see any ingested data, except for the aggregated context. In Agent Mode, when the user approves executing certain tools, relevant data from the environment is processed through the AI Assistant to generate a summary and to answer the user’s questions.

Customers can help improve the quality of responses generated by Splunk AI Assistant by sharing certain data, as noted, with us. This anonymized data can be used to improve the quality of the models used in the product. This is turned off by default and can only be turned on explicitly by the customer administrator.

Opting in to the context feature allows Splunk AI Assistant to fetch additional metadata to understand the customer environment. Instead of generating generic SPL queries, it generates queries in the unique context of that metadata, such as index, sourcetypes and field names, past search logs, and existing content like dashboards and saved searches. This improves the quality of the responses, leading to improved productivity.

Q: If the customer has previously opted out of data sharing and wants to opt in, what should they do?
A: The option to share usage data is in the Settings tab. Data collection starts once the option is selected.

 


Q: If the customer has previously opted in to data sharing and wants to opt out, what should they do?
A: The option to opt in to context is in the Settings tab. Data collection starts when the option is selected. There are more granular controls available in the Context Settings starting with v2.0.

 

 

Q: If the customer has previously opted in to context and wants to opt out, what should they do?
A: The option to opt in to personalization can be turned off in the app settings. Any metadata collected to personalize will be deleted within one week.

Data is stored in accordance with the Responsible AI for Splunk AI Assistant guidelines.

 

We use a layered, industry-best-practice security framework to safeguard connections between your on‑premises environment and Splunk‑managed AI services in the cloud.

 

  • HTTPS secure connection: Every connection is established over HTTPS and port 443, ensuring end‑to‑end encryption so that no data ever crosses the public internet in plaintext.
  • Customer‑owned key pair: During onboarding you create an ECDSA public/private key pair locally and share only the public key with Splunk. Your private key never leaves your environment.
  • Signed, short‑lived JWTs: When your system initiates a session, it signs a JSON Web Token (ES256) with its private key. Our Identity & Access Control service verifies the signature with your public key and, on success, returns a time‑limited bearer token for API calls.
  • Least‑privilege token access: Each token is scoped only to the tenant it is assigned to and the endpoints it needs, reducing blast radius and simplifying key rotation or revocation.
  • Cryptographic integrity and authenticity: ES256 signatures guarantee that each request is both unaltered and genuinely issued by your tenant.
  • Continuous logging and monitoring: All authentication events and API requests are logged, with monitoring to detect and alert on anomalies.
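
The signing and verification steps in the list above, as an added Node.js example (not Splunk's code or API). The claim names iss/iat/exp, the tenant id and the 300-second lifetime cap are assumptions made for illustration; the key pair is generated inline.

```javascript
// Added illustration, not Splunk's implementation. The claim names, tenant id
// and 5-minute lifetime cap are assumptions made for this example.
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const MAX_LIFETIME_S = 300; // assumed bound for a "short-lived" token

// Client side: sign a JWT with the locally held ECDSA P-256 private key.
function signJwt(privateKey, claims) {
  const input = `${b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  // JWS uses the raw r||s signature form (IEEE P1363), not DER.
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Verifier side: check a token against the public key registered for the tenant.
function verifyJwt(token, publicKey, expectedIss, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm; the token header must not be allowed to choose it.
  if (!header || header.alg !== 'ES256') return { ok: false, reason: 'bad-alg' };
  const sig = Buffer.from(parts[2], 'base64url');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const valid = sig.length === 64 &&
    crypto.verify('sha256', signed, { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
  if (!valid) return { ok: false, reason: 'bad-signature' };
  if (!claims || claims.iss !== expectedIss) return { ok: false, reason: 'wrong-tenant' };
  if (!Number.isInteger(claims.iat) || !Number.isInteger(claims.exp)) return { ok: false, reason: 'bad-times' };
  if (claims.exp - claims.iat > MAX_LIFETIME_S) return { ok: false, reason: 'lifetime-too-long' };
  if (now >= claims.exp) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed demo: the key pair is generated locally; only publicKey is shared.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const now = 1700000000; // fixed clock so the results are reproducible
  const claims = { iss: 'tenant-example', iat: now, exp: now + 120 };
  const token = signJwt(privateKey, claims);
  const [h, p, s] = token.split('.');
  const altered = `${h}.${b64u(JSON.stringify({ ...claims, exp: now + 86400 }))}.${s}`;
  const check = (t, at) => verifyJwt(t, publicKey, 'tenant-example', at);
  return { fresh: check(token, now + 10).ok, expired: check(token, now + 121).reason,
    altered: check(altered, now + 10).reason, noAlg: check(`${b64u('{"alg":"none"}')}.${p}.`, now + 10).reason };
}
```

Calling demo() returns the verifier's decision for a fresh token, the same token after expiry, a token whose expiry claim was edited after signing, and a token whose header declares no algorithm.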

There are no mechanisms to review data provided by customers.

Splunk AI Assistant Product Architecture

Splunk AI Assistant uses a combination of open source pretrained LLMs that are fine-tuned with our own domain specific data and frontier models from Azure OpenAI. These models are further augmented with RAG – both from our proprietary knowledge base, as well as from the environment-specific context data if the context feature is turned on. We use multiple models, choosing the best ones to deliver the best outcomes for the specific tasks.

The model is trained on open source and hand-crafted data.

The model goes through rigorous internal evaluation for quality and is constantly being improved based on feedback. See more details on guardrails in the product docs here.

With the release of Splunk AI Assistant 2.0, we have added a new feature known as Agent Mode. When enabled, Splunk AI Assistant can perform actions like executing a search on the user’s behalf with their permission or help them search for existing content like dashboards and alerts.

 

Agent Mode requires the Model Runtime to be set to “Let Splunk determine the best model to deliver the outcome based on your prompt (this may include models hosted outside Splunk Cloud Platform).” Administrators can also enable or disable Agent Mode in the Settings at any time.

Splunk AI Assistant Pricing

Splunk provides active Splunk Cloud Platform and Splunk Enterprise customers with access to Splunk AI Assistant at no additional fee (aside from your standard subscription fees).

Customers on workload pricing will see little to no impact on SVC consumption while using the assistant. User prompts and generative AI results run within services hosted on Splunk Cloud Platform (SCP), not within the customer's Cloud stack. However, a primary use of the Assistant is to generate SPL which can then be executed as a search. For the 1.0 release and higher, SPL generated by the Assistant will require a separate step to “open in search.” Searches executed in the Search app will work like any other Splunk search and will consume SVC resources accordingly.

 

From the version 1.1 release and onward, if the customer opts in to the personalization feature, some scheduled searches will be executed on the customer’s stack to collect the metadata needed to personalize the results. These will consume SVC like any other scheduled searches.

 

From version 2.0 onward, in Agent Mode, the automatic searches the assistant runs to validate searches will have minimal SVC impact. Any other searches will require explicit user permission and will consume the same SVCs as if the user had run those searches manually.

Splunk AI Assistant Product Development and Roadmap

When a customer enters a prompt into the assistant and a response is generated, the application also provides the customer with an opportunity to provide feedback. This is extremely useful for us to improve the product through our manual evaluation and improvement processes. This data is not used for training or fine-tuning a model, unless explicitly granted permission to do so.

If the customer selects the “thumb down” they will further be given a chance to provide more details. This data will be sent and stored by Splunk only if the customer has opted into data collection.

Enhancement and feature requests for the Splunk AI Assistant should be added to ideas.splunk.com.

Please reach out to your account manager for this discussion.

Chat Service Alternatives

SAIA is a secure option for customers looking for SPL assistance without sharing private company data with third party LLM services. Instead, their data is kept within their secure Splunk environment. Additionally, if the customer opts in to the personalization feature, SAIA can generate responses that are unique to the customer environment that can be more accurate than generic responses from third party LLM services.

 

See how we use your data above and explore Splunk Protects for full details on data privacy in Splunk.

Get started

Try Splunk AI Assistant for SPL for free for a limited time in Splunk Cloud.