More AI. More Analytics. Powered by the Security Data Mesh.

Security teams are under pressure to move faster without first moving ever more data into one place.

Today, we’re excited to announce Query Splunk App 3.0, a major step forward in how security teams investigate, analyze, and operationalize data across a federated security data mesh.

This release doubles down on what matters most:

  • AI-native investigation process
  • More powerful analytics, without more SPL
  • Cleaner, faster, more intentional search experiences

Query Splunk App 3.0 isn’t just an upgrade, it’s a shift toward AI-assisted, analytics-driven security operations, delivered where analysts already work – inside Splunk. Let’s start with a quick primer on the core app itself:


What is the Query Splunk App

The Query Splunk App enables you to add access to any connected data source into Splunk without increasing ingestion or compute expenses. The Query Security Data Mesh expands Splunk’s reach to all the data you need, including from data lakes, warehouses, object storage, or any other connected source with security-relevant and observability data to support your Security Data Operations use cases, and more. The Splunk app deploys Query capabilities into Splunk, so you can search data sources not ingested into Splunk, see the results as part of your Splunk console search results, and trigger detections without centralizing data. Learn more about the Query Splunk App here.


What’s New in Version 3.0:

A New Copilot Experience Built for Security Investigations

We’ve introduced an all-new Copilot view, modeled after the Query UI experience and purpose-built for security investigations.

This new interface gives analysts:

  • A dedicated AI workspace for investigations
  • Searches and follow-up questions asked in plain English
  • Optional FSQL-based advanced searches for power users

The result? Less cognitive overhead. Faster answers and insights.


Search Using Natural Language (No SPL Required)

With Query Splunk App 3.0, analysts can now search using natural language.

Ask your data and follow-up analysis questions like:

  • “Show me detection findings from the last hour”
  • “Show results for email <email-address>”
  • “Investigate file hash <file-hash>”

No SPL gymnastics. No data duplication. Just answers.

Behind the scenes, Query translates intent into optimized FSQL queries executed directly against the underlying data sources. To learn more about FSQL, visit here.


Follow-Up Questions on Results

Security investigations are iterative, with analysts wanting to dig in deeper. Their tools should be like that too.

Query Splunk App 3.0 supports follow-up questioning directly on results. Some examples:

  • “Is this malicious?”
  • “Highlight corresponding MITRE ATT&CK TTPs”
  • “Recommend next steps”

Expanded Support for FSQL Analytics Operations

For power users, we’ve expanded support for FSQL analytics operations in the Splunk app, all executed federated, across distributed data stores. For more details on FSQL and its analytics capabilities, please refer to:

This unlocks richer analytics from querying remote data sources, without forcing teams to centralize everything into Splunk.

Here is an example of how you can run the FSQL SUMMARIZE function from the Splunk search input:

| fsql SUMMARIZE COUNT authentication with %email contains 'query.ai' group by %email SINCE 1mo


Cleaner results, less noise

Security data is big and noisy. Query Splunk App 3.0 helps cut through the clutter by presenting OCSF-normalized results and hiding empty fields. Because results from every data source share the same normalized layout, they are easier to read and investigate.


Auto-cancel queries once you have enough results

Not every query needs to run to completion. After retrieving your desired initial number of results, the app stops processing further results and auto-cancels remaining queries.

For example, here is how you can constrain a search to return at most 1000 results:

| queryai search="network_activity.action_id=DENIED" limit=1000

This more optimized query management is not only more user-friendly, it lowers compute consumption and improves cost control.


3.0 Release Summary: More AI. More Analytics. Easier to use. Powered by the Security Data Mesh.

Query Splunk App is built with a modern security architecture:

  • Data lives at its most natural locations
  • Query security mesh gives centralized access to decentralized security data
  • Splunk and data processing costs are controlled
  • Analysts get speedy answers directly from the sources of truth

By combining AI-assisted investigation with federated analytics over the data mesh, the 3.0 release makes it possible to:

  • Run faster investigations
  • Run advanced analytics with ease
  • Use AI to review/validate outcomes
  • Surface more signal with less noise

Get Started with Query Splunk App: Query Splunk App 3.0 is available now. You can access the app on Splunkbase here. View the product documentation here and contact us for help setting it up.