Optimization in Splunk AI Assistant for SPL

Version 1.4.0 and higher of Splunk AI Assistant for SPL offers search optimization.

Optimization can improve existing SPL searches or generate better searches when using the app to create new SPL searches. Optimization uses metadata from your Splunk deployment to provide better results from Splunk AI Assistant for SPL.

Optimization leverages the following optimization strategies:

Choosing the right index
Using tstat
Eliminating unnecessary wildcards

Optimization examples

To optimize an existing search, you can ask the assistant to perform optimization using the format of Optimize this search <original_search_query>.

See the following examples of SPL searches before and after SPL optimization:


Use case	Input	GPT Output	Llama Output
Select correct index	CODE sourcetype=access_combined status=404 \| stats count by clientip `sourcetype=access_combined status=404 \| stats count by clientip`	CODE index=web_logs sourcetype=access_combined status=404 \| stats count by clientip `index=web_logs sourcetype=access_combined status=404 \| stats count by clientip`	CODE index=web sourcetype=access_combined status=404 \| stats count by clientip `index=web sourcetype=access_combined status=404 \| stats count by clientip`
	CODE search index=* error \| stats count by host `search index=* error \| stats count by host`	CODE index IN (_audit, _introspection, _cmc_summary, _telemetry, summary) message="error" \| stats count by host `index IN (_audit, _introspection, _cmc_summary, _telemetry, summary) message="error" \| stats count by host`	CODE search index=main sourcetype=error \| stats count by host `search index=main sourcetype=error \| stats count by host`
	CODE index=* \| fields _time userIdentity.arn eventName `index=* \| fields _time userIdentity.arn eventName`	CODE index="aws" sourcetype="aws:cloudtrail" \| fields _time userIdentity.arn eventName `index="aws" sourcetype="aws:cloudtrail" \| fields _time userIdentity.arn eventName`	CODE search index=_internal sourcetype=stash earliest=-1h@h latest=-0h@h \| fields _time userIdentity.arn eventName `search index=_internal sourcetype=stash earliest=-1h@h latest=-0h@h \| fields _time userIdentity.arn eventName`
Optimize stats > tstats	CODE index=_internal sourcetype=* \| stats count by host, sourcetype `index=_internal sourcetype=* \| stats count by host, sourcetype`	CODE \| tstats count FROM index=_internal WHERE sourcetype IN ("splunkd", "splunk_web_access") BY host, sourcetype `\| tstats count FROM index=_internal WHERE sourcetype IN ("splunkd", "splunk_web_access") BY host, sourcetype`	CODE \| tstats count WHERE index=_internal BY host, sourcetype `\| tstats count WHERE index=_internal BY host, sourcetype`
Optimize stats > tstats	CODE index=_internal sourcetype=* \| stats latest(_time) as last_seen by sourcetype `index=_internal sourcetype=* \| stats latest(_time) as last_seen by sourcetype`	CODE \| tstats latest(_time) as last_seen FROM index=_internal WHERE isnotnull(sourcetype) BY sourcetype<pre> `\| tstats latest(_time) as last_seen FROM index=_internal WHERE isnotnull(sourcetype) BY sourcetype<pre>`	CODE \| tstats latest(_time) AS last_seen WHERE index=_internal BY sourcetype `\| tstats latest(_time) AS last_seen WHERE index=_internal BY sourcetype`
Wildcard replacement	CODE index=* sourcetype=audittrail user=admin \| stats count by action `index= sourcetype=audittrail user=*admin \| stats count by action`	CODE index=_audit sourcetype=audittrail user=admin \| stats count by action `index=_audit sourcetype=audittrail user=admin \| stats count by action`	CODE \| tstats count WHERE index=audittrail AND sourcetype=audittrail AND user=admin BY action `\| tstats count WHERE index=audittrail AND sourcetype=audittrail AND user=admin BY action`

Use case	Input	GPT Output	Llama Output
Select correct index	CODE sourcetype=access_combined status=404 \| stats count by clientip `sourcetype=access_combined status=404 \| stats count by clientip`	CODE index=web_logs sourcetype=access_combined status=404 \| stats count by clientip `index=web_logs sourcetype=access_combined status=404 \| stats count by clientip`	CODE index=web sourcetype=access_combined status=404 \| stats count by clientip `index=web sourcetype=access_combined status=404 \| stats count by clientip`
	CODE search index=* error \| stats count by host `search index=* error \| stats count by host`	CODE index IN (_audit, _introspection, _cmc_summary, _telemetry, summary) message="error" \| stats count by host `index IN (_audit, _introspection, _cmc_summary, _telemetry, summary) message="error" \| stats count by host`	CODE search index=main sourcetype=error \| stats count by host `search index=main sourcetype=error \| stats count by host`
	CODE index=* \| fields _time userIdentity.arn eventName `index=* \| fields _time userIdentity.arn eventName`	CODE index="aws" sourcetype="aws:cloudtrail" \| fields _time userIdentity.arn eventName `index="aws" sourcetype="aws:cloudtrail" \| fields _time userIdentity.arn eventName`	CODE search index=_internal sourcetype=stash earliest=-1h@h latest=-0h@h \| fields _time userIdentity.arn eventName `search index=_internal sourcetype=stash earliest=-1h@h latest=-0h@h \| fields _time userIdentity.arn eventName`
Optimize stats > tstats	CODE index=_internal sourcetype=* \| stats count by host, sourcetype `index=_internal sourcetype=* \| stats count by host, sourcetype`	CODE \| tstats count FROM index=_internal WHERE sourcetype IN ("splunkd", "splunk_web_access") BY host, sourcetype `\| tstats count FROM index=_internal WHERE sourcetype IN ("splunkd", "splunk_web_access") BY host, sourcetype`	CODE \| tstats count WHERE index=_internal BY host, sourcetype `\| tstats count WHERE index=_internal BY host, sourcetype`
Optimize stats > tstats	CODE index=_internal sourcetype=* \| stats latest(_time) as last_seen by sourcetype `index=_internal sourcetype=* \| stats latest(_time) as last_seen by sourcetype`	CODE \| tstats latest(_time) as last_seen FROM index=_internal WHERE isnotnull(sourcetype) BY sourcetype<pre> `\| tstats latest(_time) as last_seen FROM index=_internal WHERE isnotnull(sourcetype) BY sourcetype<pre>`	CODE \| tstats latest(_time) AS last_seen WHERE index=_internal BY sourcetype `\| tstats latest(_time) AS last_seen WHERE index=_internal BY sourcetype`
Wildcard replacement	CODE index=* sourcetype=audittrail user=admin \| stats count by action `index= sourcetype=audittrail user=*admin \| stats count by action`	CODE index=_audit sourcetype=audittrail user=admin \| stats count by action `index=_audit sourcetype=audittrail user=admin \| stats count by action`	CODE \| tstats count WHERE index=audittrail AND sourcetype=audittrail AND user=admin BY action `\| tstats count WHERE index=audittrail AND sourcetype=audittrail AND user=admin BY action`

Splunk Cloud Platform

Optimization in Splunk AI Assistant for SPL

Optimization examples

ON THIS PAGE

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

Enterprise Security

SOAR

IT Service Intelligence

Content Packs

Splunk Observability Cloud

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

Developer Documentation

Splunkbase

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

DATA MANAGEMENT

SEARCH AND ANALYTICS

ADMINISTRATION

Enterprise Security

SOAR

ENTERPRISE SECURITY

SOAR

RELATED APPS

IT Service Intelligence

Content Packs

ITSI

IT Ops

ADMINISTRATION

EXTENSIONS

Splunk Observability Cloud

MONITORING

DATA MANAGEMENT

ADMINISTRATION

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

ESSENTIALS

MONITORING

ADMINISTRATION

Developer Documentation

Splunkbase

PLATFORM

OBSERVABILITY

REFERENCE

Resources

REFERENCE

Learn More

Support

Optimization in Splunk AI Assistant for SPL

Optimization examples