SPL Assistance
Context-aware SPL generation with Search Ninja — connected to your live Splunk via MCP
Deslicer agents connect to your live Splunk via MCP and see your actual indexes, sourcetypes, and fields. You get SPL that works in your environment, not generic guesses.
The Scenario
You need to write complex SPL for a report or investigation. You have multiple indexes, custom sourcetypes, and field extractions. Generic AI tools don't know your environment — they guess field names and produce SPL that fails or returns empty results.
Which Agent to Use
Search Ninja is the dedicated SPL agent. It generates, optimizes, and explains SPL queries. It runs queries against your live Splunk, generates and tests regex for field extractions, and references CIM data models.
Search Ninja uses:
- Splunk MCP — runs SPL, inspects fields, reads CIM models and docs
- Regex for Splunk MCP — generates, tests, and optimizes regex for field extraction
Walkthrough
- Connect Splunk — configure your Splunk MCP integration. The agent needs live access, and it runs searches with whatever permissions that connection carries, so scope the Splunk account it uses to the indexes and roles the task needs.
- Open Search Ninja — from the agent list or create a new conversation.
- Describe your goal — "Find failed logins in the last 24 hours from index=main, sourcetype=linux_secure."
- Review reasoning — the agent inspects your environment, checks field names, and explains its approach before generating SPL.
- Run and iterate — the agent can execute the query directly via MCP. Share results or errors for refinement.
What Search Ninja Does That ChatGPT Cannot
| Generic AI | Search Ninja |
|---|---|
| Guesses field names and sourcetypes | Inspects your actual indexes, sourcetypes, and fields via MCP |
| No visibility into your configs | Reads your props.conf and transforms.conf |
| Produces plausible but often broken SPL | Generates SPL validated against your environment |
| Cannot run queries | Executes SPL against your live Splunk and shows results |
| No regex testing | Generates regex and tests it against sample events |
| No CIM awareness | References CIM data models and suggests field mappings |
| No audit trail | Full conversation history for compliance |
Regex for Field Extractions
Search Ninja integrates with the Regex for Splunk MCP to:
- Generate regex patterns from sample events
- Test regex against your data
- Explain regex syntax
- Optimize for Splunk performance patterns
This lets you build field extractions interactively — describe the fields you need, and the agent builds and tests the regex.
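The following is an added example, not Deslicer's or Splunk's code, that runs offline and mirrors two steps the page describes: the walkthrough's failed-login request ("index=main, sourcetype=linux_secure") and the regex-testing loop in this section. The sample events are constructed sshd lines in the shape of linux_secure; the field names `user`, `src` and `src_port`, the inline `rex` query and the `referenced_fields` parse are assumptions made for illustration, not the agent's actual output. It exercises the regex against the samples, builds the search, and checks that every field the SPL groups by is one the extraction actually produces, which is the "guessed field name" failure the page warns about.

```python
import re
from collections import Counter

# Constructed sample events shaped like sourcetype=linux_secure (sshd auth log).
# They are made up for this example and are not real data from any environment.
SAMPLE_EVENTS = [
    "Mar  3 10:14:02 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar  3 10:14:05 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "Mar  3 10:14:09 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:abc",
    "Mar  3 10:15:31 web01 sshd[2251]: Failed password for alice from 192.0.2.25 port 60210 ssh2",
]

# Assumed extraction. Python's re uses (?P<name>...); Splunk's rex command uses
# PCRE-style (?<name>...), so the pattern is rewritten before it goes into SPL.
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<src_port>\d+)"
)


def to_splunk_rex(pattern):
    """Rewrite Python named groups into the form Splunk's rex command accepts."""
    return pattern.pattern.replace("(?P<", "(?<")


def run_regex(pattern, events):
    """Apply the regex to sample events, as the regex-testing step does.
    Returns the set of field names extracted and one dict per matching event."""
    rows = [m.groupdict() for e in events if (m := pattern.search(e))]
    fields = {name for row in rows for name in row}
    return fields, rows


def referenced_fields(spl):
    """Field names the query filters on (name=value) or groups by (crude parse,
    enough for this example). Metadata fields every event carries are excluded."""
    fields = set(re.findall(r"\b([A-Za-z_]\w*)=", spl))
    for clause in re.findall(r"\bby\s+([\w, ]+)", spl):
        fields.update(f.strip() for f in clause.split(",") if f.strip())
    return fields - {"index", "sourcetype", "source", "host", "earliest", "latest"}


def generate_spl(index, sourcetype, pattern, by=("user", "src")):
    """Build the failed-login search with the extraction inlined as a rex command."""
    return (
        f'index={index} sourcetype={sourcetype} "Failed password" earliest=-24h '
        f'| rex "{to_splunk_rex(pattern)}" '
        f'| stats count by {", ".join(by)}'
    )


def missing_fields(spl, pattern, events):
    """Fields the SPL references that the extraction never yields on the samples:
    the plausible-but-broken query that returns empty results."""
    extracted, _ = run_regex(pattern, events)
    return referenced_fields(spl) - extracted


def failed_logins(pattern, events):
    """Local equivalent of the stats clause: count of failures per (user, src)."""
    _, rows = run_regex(pattern, events)
    return Counter((r["user"], r["src"]) for r in rows)


if __name__ == "__main__":
    validated = generate_spl("main", "linux_secure", FAILED_LOGIN_RE)
    guessed = generate_spl("main", "linux_secure", FAILED_LOGIN_RE, by=("user", "src_ip"))
    print(validated)
    print("missing fields (validated):", missing_fields(validated, FAILED_LOGIN_RE, SAMPLE_EVENTS))
    print("missing fields (guessed):  ", missing_fields(guessed, FAILED_LOGIN_RE, SAMPLE_EVENTS))
    for (user, src), n in failed_logins(FAILED_LOGIN_RE, SAMPLE_EVENTS).items():
        print(f"{user:<8} {src:<16} {n}")
```

The "guessed" query groups by `src_ip`, a name that the extraction does not produce, and the check flags it before anything is sent to Splunk; the validated query references only fields that the regex yielded on the sample events. In the real workflow the field list comes from the live environment through MCP rather than from a local regex run, but the check is the same.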