AI Workbench is a generative workspace for Splunk. Not a chatbot bolted onto search but a real workbench, where you investigate, analyse and build using tools that understand Splunk natively.
The Workbench is built as a host shell. It has no use-cases of its own — it derives everything from the Splunk app a user opens it from and the Splunk roles they hold. Install it once on the Search Head, then embed it into the apps your users already live in: Search, ITSI, Enterprise Security, your SOC apps, your MSP customer apps. The same engine renders a different experience per calling app, with different templates, different LLMs, different tools, and writes its outputs into that calling app's namespace. End users never leave the app they came from.
Ask in plain English. Get back validated SPL searches, Simple XML dashboards, alerts, lookups, reports and Splunk AI Toolkit (MLTK) pipelines. Every artefact is run for real before it is saved, and every artefact is a normal Splunk knowledge object — owned by the calling user, in the calling app, findable in Splunk's own UI.
The depth is the difference. Where a generic MCP-only assistant talks to Splunk through one broad door, AI Workbench ships with fine-grained, Splunk-aware tools across Core, Enterprise Security, ITSI, TrackMe and the AI Toolkit — roughly fifty of them, each scoped to one job a Splunk admin actually does. The LLM picks the right tool for the question, runs it under your existing Splunk ACLs, and shows its work. Extend it further by adding HTTP tools or registering any MCP server in the Tools tab.
Two audiences benefit immediately. Splunk users who know what they want but find SPL foreign get production-quality searches and dashboards generated and validated panel-by-panel. Splunk users who bounce off MLTK get an outlier detector, forecaster, classifier or clusterer built end-to-end, with a companion dashboard that proves the model is doing something sensible.
Bring your own LLM: Anthropic, OpenAI, Azure OpenAI, Groq, Google Gemini, AWS Bedrock, Ollama (local, fully offline) or OpenRouter. Browser-direct for speed, or Splunk-server-side proxy mode so API keys never leave the search head. Bring your own corporate IAM — WebEAM.Next, Ping, Okta, AzureAD, internal SAML — via a customer-supplied Python hook that mints fresh auth headers per request.
Multi-tenant by design. Organisations and Business Units are resolved automatically from the calling app and the user's roles — end users don't pick a tenant. Templates, LLM configurations and tool availability all scope per Org or BU. Run one Splunk environment for many teams or many customers without them seeing each other.
Tokens and Costs breaks spend down by App, User, Model, Provider, Organisation, BU or LLM configuration — over time, with real per-model pricing. Free, Professional, Enterprise and MSP licence tiers, activated self-serve, air-gap-friendly.
Categories
Artificial Intelligence, DevOps