Running CoPilot from Splunk

What is Query CoPilot

Query CoPilot is an optional AI-driven capability available in various contexts to provide relevant answers, follow-ups, and/or perform specific tasks and investigations on your behalf.

The Query App for Splunk uses Query CoPilot to:

  • Run natural language searches
  • Answer follow-up questions from the search results' data

How to run a natural language search from Splunk

You can express your search intent in natural language, specifying the query criteria, time range, connectors to search from, etc. A simple example:

| queryai search="Show me all authentication failures from last hour"

You can run the above from the Splunk search console or expose it via a custom dashboard. See the Query FSQL CoPilot view in the app for an example.

The CoPilot translates the search into FSQL and runs that transparently.

How to ask follow-up questions on search results

Search results can be piped into the queryagent command to ask a follow-up question about those results. For example:

| queryai search="Show me alerts from last hour from CrowdStrike" | queryagent ask="Summarize and suggest followup action."

You can apply the queryagent command to any results coming through the pipeline. Here is how you can use it with FSQL:

| fsql <your query> | queryagent ask="<your question>"
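The custom-dashboard route mentioned above, combined with a queryagent follow-up, as an added example that is not part of the Query app's own documentation: a Splunk Simple XML form that takes a natural-language question and an optional follow-up from text inputs and passes them to queryai and queryagent. The form label, token names and default questions are assumptions; the |s token filter wraps the typed value in double quotes and escapes embedded quotes and backslashes so that whatever an analyst types stays inside the search= and ask= strings.

```xml
<form>
  <label>Query CoPilot natural language search</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- Free-text question typed by the analyst (token name is assumed) -->
    <input type="text" token="question" searchWhenChanged="false">
      <label>Ask CoPilot</label>
      <default>Show me all authentication failures from last hour</default>
    </input>
    <!-- Optional follow-up question applied to the results (token name is assumed) -->
    <input type="text" token="followup" searchWhenChanged="false">
      <label>Follow-up question</label>
      <default>Summarize and suggest followup action.</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>CoPilot search results</title>
      <table>
        <search>
          <!-- $question|s$ quotes and escapes the value, so the user's text
               arrives as one search= string rather than as extra SPL -->
          <query>| queryai search=$question|s$</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>CoPilot follow-up answer</title>
      <table>
        <search>
          <!-- Same search, then the follow-up is asked of its results -->
          <query>| queryai search=$question|s$ | queryagent ask=$followup|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The second panel re-runs the natural-language search before asking the follow-up, so each submit issues two CoPilot searches; the time range is left to the natural-language text, as the page describes, rather than set in the dashboard.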