AI-Powered Splunk SPL Query Generator
Natural Language → Production-Grade SPL — Instantly.
SPL Query Generator is a desktop application that converts natural language queries (English, Hindi, Urdu, Hinglish) into production-ready Splunk SPL queries — powered by AI with built-in validation, auto-correction, and syntax highlighting.
No more memorizing SPL syntax. Just describe what you need, and Forge delivers.
Splunk Forge understands queries in multiple languages natively:
English → "show failed login attempts in last 24 hours"
Hindi → "pichle 24 ghante ke failed login dikhao"
Urdu → "brute force attacks detect karo"
Hinglish → "index botsv3 mein se count by src_ip dikhao"
All produce valid, optimized SPL — no translation step needed.
Built-in threat detection intelligence for SOC analysts:
| Threat Category | Example Prompt |
|---|---|
| 🔑 Brute Force | "failed login attempts detect karo" |
| 🌐 Port Scan | "port scan detect karo network mein" |
| 🔄 Lateral Movement | "lateral movement detect karo" |
| 📤 Data Exfiltration | "large outbound transfers dikhao" |
| 🦠 Malware | "suspicious process creation events" |
| 🔍 DNS Tunneling | "suspicious DNS queries dikhao" |
| ⬆️ Privilege Escalation | "admin access changes track karo" |
| 🕸️ Web Attacks | "SQL injection attempts detect karo" |
| 📧 Phishing | "suspicious email patterns dikhao" |
| 👤 Account Creation | "new user accounts pichle 30 din" |
No Python needed — just download and run:
- Download the latest `SPLQueryGenerator.exe` from Releases
- Run the `.exe` — if Windows SmartScreen appears, click "More info" → "Run anyway"
- Get a free API token from OpenRouter
- Paste your token on the setup screen and hit ACTIVATE
- Start generating SPL queries in any language!
On first launch, you'll see the One-Time Setup screen — paste your OpenRouter API token and hit ACTIVATE. Done. You won't be asked again.
| You Type | SPL Query Generator Output |
|---|---|
| top 10 source IPs with most traffic | `index=* \| stats sum(bytes) as total_bytes by src_ip \| sort -total_bytes \| head 10` |
| pichle 1 ghante ke error logs | `index=main earliest=-1h (error OR ERROR) \| table _time, host, source, _raw` |
| brute force detect karo | `index=* sourcetype="WinEventLog:Security" EventCode=4625 \| stats count as failed_attempts by src_ip, user \| where failed_attempts > 5 \| sort -failed_attempts` |
| DNS queries jo suspicious hain | `index=* sourcetype="stream:dns" \| stats count by query \| where count > 100 \| sort -count \| table query, count` |
| har host pe events timechart | `index=* \| timechart span=1h count by host` |
| data exfiltration detect karo | `index=* action=allowed \| stats sum(bytes_out) as total_out by src_ip \| where total_out > 104857600 \| eval total_out_MB=round(total_out/1048576,2) \| sort -total_out_MB` |
```mermaid
graph LR
    A[🗣️ User Prompt] --> B[🧠 Intent Extraction]
    B --> C[📡 AI Streaming API]
    C --> D[✅ SPL Validator]
    D --> E[🔧 Auto-Corrector]
    E --> F[📊 Quality Check]
    F -->|Issues Found| G[🔄 Self-Heal Retry]
    G --> D
    F -->|Clean| H[⚡ Output with Syntax Highlighting]
```
5-Stage Pipeline:
- Intent Extraction — Parses index, time range, security patterns, limits from natural language
- AI Generation — Streams SPL via OpenRouter API with optimized system prompt
- Validation — Checks every pipe command against 150+ whitelisted SPL commands
- Auto-Correction — Fixes missing stats functions, unbalanced quotes/parens, spacing issues
- Quality Check — Warns about broad searches, missing indexes, conflicting commands. Self-heals critical issues with a targeted retry.
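The Validation and Quality Check stages, as a small added illustration (not the project's own code): the command allowlist here is a constructed subset of the 150+ commands the tool checks, and the broad-search rule (`index=*` with no `sourcetype`/`source`/`host` filter) is an assumed interpretation of the "broad searches" warning.

```python
# Added example: minimal SPL validator / quality checker. Not the project's code;
# ALLOWED_COMMANDS is a constructed subset, not the tool's real 150+ allowlist.
import re

ALLOWED_COMMANDS = {"stats", "sort", "head", "table", "where", "eval",
                    "timechart", "rename", "dedup", "top", "rex", "fields"}

def split_pipes(spl: str) -> list[str]:
    """Split an SPL string on pipes that sit outside quotes and parentheses."""
    stages, buf, depth, in_quote = [], [], 0, False
    for ch in spl:
        if ch == '"':
            in_quote = not in_quote          # a '|' inside "..." is data, not a pipe
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "|" and depth == 0:   # top-level pipe: close this stage
                stages.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    stages.append("".join(buf).strip())
    return stages

def check_spl(spl: str) -> list[str]:
    """Return syntax errors and quality warnings for one generated query."""
    findings = []
    if spl.count('"') % 2:
        findings.append("error: unbalanced double quotes")
    if spl.count("(") != spl.count(")"):
        findings.append("error: unbalanced parentheses")
    stages = split_pipes(spl)
    search = stages[0]
    # Quality check on the base search: missing index, or index=* with no narrowing filter
    if not re.search(r"\bindex\s*=", search):
        findings.append("warning: no index specified in base search")
    elif re.search(r"\bindex\s*=\s*\*", search) and not re.search(
            r"\b(sourcetype|source|host)\s*=", search):
        findings.append("warning: index=* without sourcetype/source/host filter")
    # Validation: the first token of every piped stage must be an allowed command
    for stage in stages[1:]:
        cmd = stage.split(None, 1)[0].lower() if stage else ""
        if cmd not in ALLOWED_COMMANDS:
            findings.append(f"error: unknown command '{cmd}'")
    return findings
```

Run against the sample outputs above, the bare `index=* | stats ...` query draws the broad-search warning while the brute-force query (which narrows by `sourcetype`) passes clean.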
Developed with ⚡ by
This project is licensed under the MIT License — see the LICENSE file for details.
SPL QUERY GENERATOR — Stop writing SPL. Start generating it. ⚡