AI and Splunk: From Natural-Language Queries to the Autonomous SOC

Splunk built its reputation on one deceptively simple idea: collect all your machine data in one place and make it searchable. Two decades later, that data has become something more valuable than anyone expected - the fuel for artificial intelligence. Since Cisco completed its acquisition of Splunk, the pace of AI integration has accelerated sharply, and the platform now spans everything from plain-English query writing to security operations that investigate themselves.

For teams that already run Splunk, this is not a future to wait for. Most of these capabilities exist today. Here is a practitioner's tour of where AI and Splunk actually meet, and what is worth adopting.

Writing SPL in plain English

The most immediately useful AI feature for most Splunk users is the AI Assistant for SPL. Search Processing Language is powerful but unforgiving, and its learning curve has always been a barrier. The assistant translates in both directions: describe what you want in plain English and it drafts the SPL, or paste an unfamiliar query and it explains, line by line, what the search does and why.

It can also edit an existing query conversationally - add a field or change a time range rather than rewriting from scratch - and answer how-to questions straight from Splunk's documentation. For organizations running Splunk Enterprise on-premises, a cloud-connected version delivers the same help without forcing you to buy and manage GPUs; Splunk hosts the model and moves only what each prompt requires.

Two practical notes. First, the model can be confidently wrong - generated SPL may be inefficient or simply incorrect, so treat it as a strong first draft and verify before running it in production. Second, Splunk has been clear that it does not train the assistant on customer searches or data, which matters in any regulated environment.

Machine learning inside the search pipeline

Long before generative AI, Splunk shipped machine learning through the Machine Learning Toolkit, now rebranded as the Splunk AI Toolkit. It exposes more than thirty algorithms as native SPL commands - fit to train a model, apply to score new data, and score to validate it - covering both supervised and unsupervised learning. The classic security and operations use case is anomaly detection: baselining normal behavior, then flagging the account that suddenly reaches systems it never touches, or the error rate that spikes outside its seasonal pattern.

For heavier work, the Splunk App for Data Science and Deep Learning extends the toolkit with prebuilt containers for TensorFlow and PyTorch, Jupyter notebooks, and GPU support, so data scientists can build and operationalize custom models against Splunk data. More recently, the AI Toolkit gained generative AI support, letting teams call large language models and time-series foundation models directly inside a search pipeline - sending Splunk data through an external model and getting the response back as part of the results.

The agentic SOC

Security operations is where Splunk's AI investment is most aggressive. The reasoning is blunt: adversaries already use AI, so defenders cannot afford to do everything by hand. Enterprise Security 8.2 unifies SIEM and SOAR into a single workspace and embeds AI agents across detection, investigation, and response.

The headline pieces include an AI triage agent that investigates incoming alerts automatically, a malware reversal agent that analyzes suspicious scripts, AI-assisted authoring of SOAR response playbooks, and a detection library that can generate logic tuned to your environment. The goal security leaders keep repeating is collapsing investigation time from hours to minutes and cutting the alert noise that buries analysts. Used well, this does not remove humans from the loop - it removes the tedious first pass so analysts spend their time on judgment calls rather than triage.

AIOps and observability

The same pattern shows up on the operations side. Splunk's IT Service Intelligence and observability tools now use AI to summarize grouped alerts into a readable episode, correlate noisy events, and propose root-cause analysis when something breaks - explaining what is happening, why, and how to fix it, rather than just flagging that a metric moved. For teams running complex hybrid environments, that context is often the difference between a fast recovery and an hour of dashboard-hopping.

Connecting AI agents to Splunk: the MCP server

The most forward-looking development is the Splunk MCP Server, now generally available. Model Context Protocol is an open standard, originally created by Anthropic, that lets AI assistants connect to external tools and data through a common interface. Splunk's implementation lets an AI agent - Claude, ChatGPT, or a custom one - query Splunk data in natural language, run and explain searches, and pull knowledge objects such as saved searches and lookups, without anyone writing custom integration code.

Crucially, it respects Splunk's existing access controls. The server enforces role-based access, supports OAuth 2.1, and uses encrypted tokens, so an agent can only reach the data the underlying user is permitted to see. This is what turns Splunk from a place you query into a tool an autonomous workflow can operate - the foundation for the agentic operations Cisco and Splunk are building toward, alongside the Cisco Data Fabric and an open-source time-series foundation model for machine data.

The other side: using Splunk to secure AI

There is a mirror image worth naming. As organizations deploy AI agents and MCP servers of their own, those become a new attack surface - prompt injection, data leakage, and command injection that now originate at the AI layer rather than the network edge. Splunk has leaned into this too. Its threat research team published an add-on for monitoring the traffic between AI agents and MCP servers, and new AI agent monitoring, paired with Cisco AI Defense, gives teams visibility into prompt injection and data-leakage risks across the models and agents they run. The platform that helps you adopt AI can also help you watch it.

Where to start

If you run Splunk and want to put this to work, sequence it by leverage. Turn on the AI Assistant for SPL first; it pays off immediately and lowers the barrier for newer analysts. Pull the AI Toolkit into one or two high-value anomaly-detection use cases rather than trying to model everything at once. Pilot the MCP server in a read-only, tightly scoped role before letting any agent take action. And keep a human in charge of consequential decisions throughout - the value of AI here is speed and reach, not unattended autonomy.

Splunk has quietly become one of the most AI-infused platforms in the enterprise. The organizations that benefit will be the ones who treat these tools as force multipliers for skilled people, not as replacements for the expertise that makes the data meaningful in the first place.

If your team is weighing how to bring AI into a Splunk environment safely, that intersection of deep Splunk engineering and practical AI is exactly where we work.