AWS Partner Network (APN) Blog

Unlocking the power of Splunk with Amazon Bedrock – Build AI assistant using agents


By Ranjit Kalidasan, Principal Solutions Architect – AWS
By Edwin Gifty, Senior Solutions Architect – AWS

The world of data analytics and security operations is rapidly evolving, and organizations are increasingly turning to innovative technologies to unlock new levels of insight and efficiency. In this data-driven world, efficiently querying and analyzing logs is crucial for maintaining system health and security. Splunk’s Search Processing Language (SPL) is one such powerful query language. Writing optimal SPL queries requires expertise and time. To address this challenge, we developed a generative AI assistant that not only transforms natural language requests into efficient SPL queries, but also executes the query, analyzes the logs and generates findings. This AI assistant is built to interact with Splunk to query different AWS security and operational logs such as AWS VPC Flow Logs, AWS CloudTrail, AWS CloudWatch Logs and more.

This solution leverages Amazon Bedrock Agents, combined with action groups and a knowledge base backed by a vector database, to create a powerful and intelligent Splunk query assistant. The system’s ability to understand both the user’s intent and the Splunk environment enables it to generate and execute efficient queries while providing meaningful results. Amazon Bedrock Agents offer you the ability to build and configure autonomous agents for your generative AI application. Agents orchestrate interactions between foundation models (FMs), data sources, software applications, and user conversations. In addition, agents automatically call APIs to take actions and invoke knowledge bases to supplement information for these actions. An agent built to interact with Splunk lets the LLM invoke actions that explore your Splunk environment, such as discovering source types, schemas and lookups, and use that information to build an efficient SPL query.

You can test and deploy this solution from the aws-samples repository linked here.

Architecture

Figure 1: Architecture for Splunk AI assistant using Bedrock agents

The solution combines multiple AWS services in a seamless workflow that enhances Splunk query generation and execution.

  • User Interaction Layer
    • Users submit natural language queries describing their log analysis needs
    • The system returns comprehensive responses based on Splunk query results
    • Maintains an interactive dialogue for query refinement and clarification
  • Amazon Bedrock
    • Utilizes the Bedrock Claude foundation model (Claude 3.5 Sonnet)
    • Processes the natural language input and infers user intent and context
  • Bedrock Agent
    • Orchestrates the request-processing workflow that executes Splunk operations
    • Coordinates with action groups for query execution
    • Maintains conversation context and state

The Bedrock Agent action group is at the core of our solution, containing several specialized actions that work together to understand, query, and analyze Splunk data. The solution leverages an embeddings datastore in Amazon OpenSearch Serverless (AOSS) that contains the Splunk source type mappings for all the AWS data sources. The Splunk action group invokes a Lambda function that serves as the execution engine for agent actions: it communicates securely with the Splunk endpoints and returns the results from Splunk and the AOSS database to the Bedrock Agent. AWS Secrets Manager stores the API tokens and credentials for Splunk access. The various actions in the action group are described below:

  • Source Type Discovery (search_aws_sourcetypes): The LLM uses this action to identify the right Splunk source type for a given natural language query. This is a query to the AOSS vector database. Identifying the right source types narrows the scope of the SPL query.
  • Fields Discovery (get_splunk_fields): This action retrieves the available fields for a given source type. This information helps the LLM understand the schema of a source type and generate queries with valid fields.
  • Lookups Discovery (get_splunk_lookups, get_splunk_lookup_values): These actions help the LLM determine whether any lookups are used for a given source type and retrieve the values of those lookups. This is useful when an SPL query returns no results, and it enables the LLM to build more contextual queries.
  • Query Execution and Results (get_splunk_results): This action executes the generated SPL query, then processes and formats the query results. The action returns the formatted results to the LLM for analysis so it can produce the right inferences for the user.
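To make the action group concrete, here is an added example of the Lambda dispatcher that the four actions above would sit behind. It is not the aws-samples project's code: the Bedrock Agents function-details event and response shapes are written as the author understands them (assumed, not taken from the page), and Splunk, AOSS and Secrets Manager are replaced by constructed in-memory data so the module runs offline. The one thing it adds beyond the text is a read-only guard in `get_splunk_results`: every pipe stage of the LLM-generated SPL is checked against a deny list of commands that mutate data, exfiltrate it or run code, and the time range is always bounded, so a badly formed or manipulated query cannot turn the assistant into a write path into Splunk.

```python
"""Added example: Lambda-style handler for a Splunk action group behind a Bedrock Agent.
Event/response shape follows the Bedrock Agents *function details* contract as assumed
by the author; Splunk and AOSS are stood in for by constructed data."""
import json
import re

# Constructed stand-in for the AOSS source-type index (sourcetype -> description text).
SOURCETYPE_INDEX = {
    "aws:cloudtrail": "aws cloudtrail management and data events api calls accounts",
    "aws:cloudwatchlogs:vpcflow": "vpc flow logs network traffic src dst port action accept reject",
    "aws:cloudwatchlogs": "cloudwatch logs application log streams",
}
# Constructed Splunk metadata: fields and lookups per sourcetype.
SPLUNK_FIELDS = {
    "aws:cloudtrail": ["eventName", "eventSource", "errorCode", "recipientAccountId", "sourceIPAddress"],
    "aws:cloudwatchlogs:vpcflow": ["src_ip", "dest_ip", "dest_port", "action", "bytes"],
}
SPLUNK_LOOKUPS = {"aws:cloudwatchlogs:vpcflow": {"vpcflow_action": ["ACCEPT", "REJECT"]}}
# Constructed rows standing in for what a Splunk search job would return.
SAMPLE_RESULTS = [{"src_ip": "198.51.100.7", "count": "42"}, {"src_ip": "203.0.113.9", "count": "17"}]

# Commands that mutate, export or execute; an LLM-generated query must never reach them.
DENIED_COMMANDS = {"delete", "outputlookup", "outputcsv", "collect", "mcollect", "sendemail", "script", "run"}


def search_aws_sourcetypes(query):
    """Keyword-overlap ranking standing in for the AOSS vector similarity search."""
    words = set(re.findall(r"[a-z]+", query.lower()))
    scored = [(len(words & set(desc.split())), st) for st, desc in SOURCETYPE_INDEX.items()]
    return [st for score, st in sorted(scored, reverse=True) if score > 0]


def get_splunk_fields(sourcetype):
    return SPLUNK_FIELDS.get(sourcetype, [])


def get_splunk_lookups(sourcetype):
    return list(SPLUNK_LOOKUPS.get(sourcetype, {}))


def get_splunk_lookup_values(sourcetype, lookup):
    return SPLUNK_LOOKUPS.get(sourcetype, {}).get(lookup, [])


def validate_spl(spl):
    """Read-only guard: the leading command of every pipe stage is checked against the deny list."""
    stages = [s.strip() for s in spl.split("|") if s.strip()]
    if not stages:
        raise ValueError("empty query")
    for stage in stages:
        cmd = stage.split()[0].lower()
        if cmd in DENIED_COMMANDS:
            raise ValueError(f"command not allowed: {cmd}")
    return spl


def get_splunk_results(spl, earliest="-24h", search_fn=lambda q, e: SAMPLE_RESULTS):
    """Validate, bound the time range, then run via an injected search function.
    In a real deployment search_fn would call Splunk's REST search endpoint with a
    token read from Secrets Manager; here the default returns constructed rows."""
    validate_spl(spl)
    query = spl if spl.lower().startswith(("search ", "|")) else "search " + spl
    rows = search_fn(query, earliest)
    return {"query": query, "earliest": earliest, "row_count": len(rows), "rows": rows}


ACTIONS = {
    "search_aws_sourcetypes": lambda p: search_aws_sourcetypes(p["query"]),
    "get_splunk_fields": lambda p: get_splunk_fields(p["sourcetype"]),
    "get_splunk_lookups": lambda p: get_splunk_lookups(p["sourcetype"]),
    "get_splunk_lookup_values": lambda p: get_splunk_lookup_values(p["sourcetype"], p["lookup"]),
    "get_splunk_results": lambda p: get_splunk_results(p["spl"], p.get("earliest", "-24h")),
}


def lambda_handler(event, context=None):
    """Dispatch one Bedrock Agents function invocation (event shape assumed)."""
    params = {p["name"]: p["value"] for p in event.get("parameters", [])}
    fn = event.get("function", "")
    try:
        body = {"result": ACTIONS[fn](params)}
    except (KeyError, ValueError) as exc:  # return the reason so the agent can rephrase the query
        body = {"error": str(exc)}
    return {
        "messageVersion": "1.0",
        "response": {
            "actionGroup": event.get("actionGroup", "splunk"),
            "function": fn,
            "functionResponse": {"responseBody": {"TEXT": {"body": json.dumps(body)}}},
        },
    }


def response_body(resp):
    """Decode the JSON body the agent would receive (convenience for callers and tests)."""
    return json.loads(resp["response"]["functionResponse"]["responseBody"]["TEXT"]["body"])
```

The deny list is deliberately applied per pipe stage rather than by substring, so a query such as `search errorCode=AccessDenied` is not rejected for containing "delete"-like text, while `... | delete` is. Keeping `search_fn` injectable also makes the guard testable without a Splunk endpoint.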

Refer to the code repository in aws-samples for how to deploy this solution using a Jupyter notebook or automate it with the AWS CDK. You can also deploy and run the Streamlit app to test the AI assistant with sample queries. Here are some of the sample queries you can test on AWS logs:

  • Can you write an SPL query against the AWS CloudTrail data to get the list of the top 10 AWS events, and summarize the result.
  • Can you write an SPL query against the VPC Flow Logs data to get a list of the top 10 external IPs with failed access to the SSH port.
  • Can you write and execute SPL to query the AWS CloudTrail data. I need to see which AWS account produces the highest count of non-success error codes, and by which AWS service and event. Give me a table of the final results and provide your summary.

Figure 2: Streamlit app interface

Conclusion

The integration of Amazon Bedrock LLMs and Agents with Splunk demonstrates how AI can transform complex data operations into intuitive interactions. Try deploying, building and using the AI assistant using the instructions in the aws-samples repository, and contribute to the repository with any improvements or changes. This solution not only simplifies Splunk queries and monitoring but also serves as a springboard for developing more advanced applications, from automated saved searches to sophisticated data model analysis.

As organizations continue to evolve their data operations, this framework provides a solid foundation for building more intelligent, efficient, and customized monitoring solutions. The possibilities are limitless, and the journey toward AI-enhanced data management starts here.


Splunk – AWS Partner Spotlight

Splunk is an AWS Specialization Partner with Competencies in Cloud Operations, Data and Analytics, DevOps, and more. Leading organizations use Splunk’s unified security and observability platform to keep their digital systems secure and reliable.
