v3.0.5, Data Analytics

AI Query Assistant for Splunk

Natural-language to SPL with templates and history.

5,420 downloads, 4.8 rating (342 reviews)
Tags: AI, Query, Productivity

What it does

Operators describe an intent in plain English; AI Query Assistant translates it into an optimized SPL query. Multi-provider AI (OpenAI, Anthropic, custom presets), KV-backed query history per user, savable templates, and a security guardrail that catches dangerous time-range and SSRF patterns before they hit Splunk. Ships with full Chinese + English localization (198 i18n keys across 7 views) and works across Splunk Enterprise 10.0+, Splunk Cloud, and Search Head Cluster deployments.

Features

Natural-language to SPL
Operators ask in plain English; the assistant emits an optimized SPL query with caveats and field hints. The translation accepts intent ("failed logins from China today"), not just literal field names.
Multi-provider AI
Compatible with OpenAI, Anthropic / Claude, and custom presets. Provider configurations live in a KV-backed `mcp_provider_presets` collection — admins can add, rename, or remove vendors without re-installing the app.
Per-user query history
History is filtered server-side by user (`{user: self.userName}` is enforced in the REST handler, so a caller cannot request another user's records). It survives Splunk Web restarts because history records live in the KV store, not in in-process Python dicts.
Saved templates
Save and reuse common query patterns. Trial = 5 templates, Professional = 30, Enterprise unlimited. Tier-aware caps surface in the UI before you hit them.
Security guardrail
SPL validation rejects dangerous time-range patterns (the `-30mon` bug from 2.x is fixed: the pattern for every relative-time unit, s/m/h/d/w/mon/y, is now anchored, so the whole modifier must match rather than just a prefix of it). The SSRF guard rejects integration-platform URLs whose host resolves to private, loopback or link-local address ranges (the cloud metadata address 169.254.169.254 falls in the link-local range).
Locked-down KV ACLs
KV collections (`mcp_ai_providers`, `mcp_license_status`, etc.) cannot be mutated outside the validating REST handlers. The legacy `debug_keys` endpoint that exposed the licence signing key was removed in 3.0.1.
RSA-PSS signed licenses
Licences carry a 2048-bit RSA-PSS signature verified locally on the customer's install. Optional AES decryption is retained for legacy issuers; new deployments verify with `public_key_pem` only — no SaaS round-trip.
Splunk Cloud + SHC
`metadata/default.meta` grants `sc_admin` alongside `admin` so KV collections work on Splunk Cloud. `default/server.conf` adds `[shclustering] conf_replication_include.mcp = true` so Setup-page edits propagate across SHC members.
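As an added illustration of the two guardrail checks listed under "Security guardrail" above (this is example code, not the app's own), the Python below shows a relative-time validator whose pattern is anchored at both ends, next to the kind of unanchored match that accepts `-30mon` as `-30m`, and an SSRF guard that checks every address a hostname resolves to, unwrapping IPv4-mapped IPv6 so `::ffff:127.0.0.1` is caught. The function names, the 90-day lookback policy and the offline DNS table are assumptions made for the example.

```python
"""Two guardrail checks of the kind the feature list describes: a fully
anchored relative-time validator and a DNS-aware SSRF guard for integration
URLs. Added illustration, not the app's own code; the 90-day lookback policy,
the function names and the DNS table below are assumptions."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

_UNITS = r"(?:mon|s|m|h|d|w|y)"          # multi-character unit listed first
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400,
            "w": 7 * 86400, "mon": 30 * 86400, "y": 365 * 86400}
MAX_LOOKBACK_SECONDS = 90 * 86400       # assumed policy, not from the page

# ^...$ plus fullmatch: the whole token must parse, so "-30mon" can no longer
# be accepted as "-30m" with a silently ignored trailing "on".
_REL_TIME = re.compile(
    rf"^(?:now|(?P<sign>[+-])?(?P<n>\d+)?(?P<unit>{_UNITS}))?(?:@(?P<snap>{_UNITS}))?$"
)


def buggy_parse_seconds(token):
    """Unanchored 2.x-style parse: "-30mon" matches "-30m" and yields 30 minutes."""
    m = re.match(r"-(\d+)([smhdwy])", token)
    return int(m.group(1)) * _SECONDS[m.group(2)] if m else None


def validate_earliest(token, max_lookback=MAX_LOOKBACK_SECONDS):
    """Return (ok, reason) for an earliest= modifier such as "-7d@d" or "now"."""
    token = token.strip()
    if token in ("", "0"):                # earliest=0 is an all-time search
        return False, "all-time search rejected"
    m = _REL_TIME.fullmatch(token)
    if not m:
        return False, f"unparseable time modifier {token!r}"
    if m.group("unit"):
        seconds = int(m.group("n") or 1) * _SECONDS[m.group("unit")]
        if m.group("sign") != "+" and seconds > max_lookback:
            return False, f"lookback of {seconds} s exceeds policy"
    return True, "ok"


def _is_disallowed(ip):
    """True for loopback, link-local (incl. 169.254.169.254), RFC 1918 and any
    other non-global space. IPv4-mapped IPv6 is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global or ip.is_loopback or ip.is_link_local or ip.is_multicast


def system_resolver(host):
    """All A/AAAA answers, not just the first: a name that also resolves to a
    private address (split horizon, rebinding setups) must fail the check."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)}


def check_integration_url(url, resolve=system_resolver):
    """Return (ok, reason) for an outbound integration-platform URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addresses = {ipaddress.ip_address(host)}   # IP literal: no DNS needed
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError as exc:                   # socket.gaierror is an OSError
            return False, f"cannot resolve {host}: {exc}"
    for ip in addresses:
        if _is_disallowed(ip):
            return False, f"{host} resolves to disallowed address {ip}"
    return True, "ok"


# Constructed DNS table so the example runs offline; addresses are illustrative.
_CONSTRUCTED_DNS = {
    "hooks.example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},
    "rebind.example.com": {"93.184.216.34", "10.0.0.5"},   # one public, one private
}


def constructed_resolver(host):
    if host not in _CONSTRUCTED_DNS:
        raise socket.gaierror(f"no constructed entry for {host}")
    return {ipaddress.ip_address(a) for a in _CONSTRUCTED_DNS[host]}


if __name__ == "__main__":
    for tok in ("-7d@d", "-30mon", "-30mo", "0", "now"):
        print(f"{tok:>8}: {validate_earliest(tok)}  (unanchored parse: {buggy_parse_seconds(tok)})")
    for url in ("https://hooks.example.com/splunk", "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:127.0.0.1]:8089/", "https://rebind.example.com/"):
        print(f"{url}: {check_integration_url(url, resolve=constructed_resolver)}")
```

The resolver is injected so the check can run offline here. In production the lookup made for the check can differ from the one the HTTP client makes a moment later (DNS rebinding), so the safer pattern is to connect to the address that was vetted and to re-run the check on every redirect target rather than trusting a single pre-flight lookup.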

Choose Your License

Trial License
Free

Start Free Trial

Recommended
Standard License
$19/yr

Auto-renews each year. Cancel anytime.

Enterprise License
$39/yr

Auto-renews each year. Cancel anytime.

30-day money-back guarantee
Free updates and support
Cancel anytime

Try AI Query Assistant for Splunk for free.

14-day trial on every app. RSA-PSS signed, hardware-bound, with a self-serve dashboard from day one.
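To show what the local, hardware-bound RSA-PSS verification described under "RSA-PSS signed licenses" and in the trial note above amounts to in practice, here is an added Python example (not the app's licence code). It assumes the `cryptography` package, a JSON payload with `tier`, `machine_id` and `expires` fields, a machine id derived from hostname and hardware serial, and in-process key generation so it runs stand-alone; a real issuer signs offline with a long-lived key and ships only `public_key_pem` to the customer.

```python
"""Local RSA-PSS licence verification of the kind the page describes: a signed
payload is checked against a pinned public key with no network round-trip.
Added illustration, not the app's licence code. The payload layout, the
machine-binding derivation and the in-process key generation are assumptions."""
import base64
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Same PSS parameters on both sides; a mismatch fails verification.
_PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def _canonical(payload):
    """Stable byte encoding: the bytes signed must equal the bytes verified."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def machine_id(hostname, hardware_serial):
    """Host binding the verifier can recompute locally (inputs are an assumption)."""
    return hashlib.sha256(f"{hostname}|{hardware_serial}".encode()).hexdigest()


def issue_licence(private_key, payload):
    """Issuer side: sign the canonical payload and ship payload + base64 signature."""
    sig = private_key.sign(_canonical(payload), _PSS, hashes.SHA256())
    return {"payload": payload, "signature": base64.b64encode(sig).decode()}


def verify_licence(licence, public_key_pem, local_machine_id, now):
    """Customer side. The signature is checked first; only a payload that
    verifies is consulted for tier, expiry and host binding."""
    public_key = serialization.load_pem_public_key(public_key_pem)
    try:
        public_key.verify(base64.b64decode(licence["signature"]),
                          _canonical(licence["payload"]), _PSS, hashes.SHA256())
    except InvalidSignature:
        return False, "signature does not verify against public_key_pem"
    payload = licence["payload"]
    if payload.get("machine_id") != local_machine_id:
        return False, "licence is bound to a different host"
    if now > payload.get("expires", 0):
        return False, "licence expired"
    return True, payload["tier"]


def run_demo():
    """Issue one licence and exercise the four outcomes; returns them by name."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_key_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    host = machine_id("sh1.example.internal", "SN-CONSTRUCTED-0001")   # constructed
    lic = issue_licence(private_key, {"tier": "standard", "machine_id": host,
                                      "expires": 1_800_000_000})      # constructed epoch
    tampered = json.loads(json.dumps(lic))
    tampered["payload"]["tier"] = "enterprise"       # edited without re-signing
    return {
        "valid": verify_licence(lic, public_key_pem, host, now=1_700_000_000),
        "tampered": verify_licence(tampered, public_key_pem, host, now=1_700_000_000),
        "other_host": verify_licence(lic, public_key_pem, "deadbeef", now=1_700_000_000),
        "expired": verify_licence(lic, public_key_pem, host, now=1_900_000_000),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:>10}: {result}")
```

The order inside `verify_licence` is the point: tier, expiry and host binding are read only from a payload whose signature has already verified, so editing the JSON to upgrade a tier fails at the signature step rather than being honoured. Pinning `public_key_pem` in the app (not fetching it) is what makes the check safe to run fully offline.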