AWS Partner Network (APN) Blog
Transform Splunk Data Analysis with Amazon Bedrock’s Generative AI Integration
By: Alan Peaty, Senior Partner Solutions Architect – AWS
By: Greg Ainslie-Malik, Field CTO – Splunk
By: Varun Rajan, Senior Solutions Architect – AWS
According to the World Economic Forum (WEF), global data volumes are expected to reach 181 zettabytes by 2025, nearly three times the amount created in 2020. This growth is particularly evident in machine-generated data, which includes everything from security logs to system metrics. Every day, security and operations teams must navigate these vast information streams to identify potential business resilience risks and drive action.
Splunk, an Amazon Web Services (AWS) Partner, provides a data platform for searching, monitoring, and analyzing machine data at scale. However, deriving actionable insights can require resources for contextual analysis, expertise in multi-source correlation, and additional effort to translate technical findings into action. According to the WEF, the global cybersecurity talent shortage exceeds 4 million professionals, with 67% of organizations reporting a moderate-to-critical skills gap in cybersecurity. In a separate WEF report, nearly 70% of security leaders say they face additional risks because of cybersecurity skills shortages, and more than half struggle to recruit and retain new talent.
Large Language Models (LLMs) are particularly useful for contextualizing large datasets, transforming raw, unstructured data into meaningful insights and actionable intelligence. Amazon Bedrock is a fully managed service in AWS that provides access to high-performing foundation models (FMs) through a unified API, making it easier for organizations to build and scale generative AI applications. The service integrates various models from leading AI companies like Anthropic, AI21 Labs, and Amazon’s own Nova models, allowing developers to experiment with different FMs and choose the best one for their specific use case.
Integrate Splunk Machine Learning Toolkit with Amazon Bedrock
The integration between Splunk Machine Learning Toolkit (MLTK) and Amazon Bedrock can address these challenges. By bringing FMs into Splunk workflows via Amazon Bedrock, security analysts can now supplement traditional Splunk Search Processing Language (SPL) searches with natural language processing capabilities. This combination enables automatic extraction of contextual insights from raw events, correlation of information across various sources, and translation of complex technical findings into clear next steps, all without requiring specialized AI expertise. This can help organizations find security threats faster and focus security teams on high-priority work while maintaining their security posture.
With the release of Splunk MLTK 5.6.0, Splunk users can integrate FMs directly from Amazon Bedrock into their search workflows.
With this new integration, Splunk users can:
- Transform raw machine data into natural language insights
- Accelerate security investigations by automatically contextualizing alerts and logs
- Generate narrative explanations of complex technical events for non-technical stakeholders
- Enhance SPL queries with natural language processing capabilities for deeper analysis
Solution Overview
The integration enables the exchange of prompts and responses between Splunk MLTK, a Splunk application that allows users to apply machine learning (ML) models to their data, and Amazon Bedrock through a predefined authentication and data flow process. This ensures both secure access to foundation models and simple incorporation of the model output back into your Splunk workflow.

Figure 1: Authentication and data flow architecture between Splunk MLTK and Amazon Bedrock
Figure 1 illustrates how Splunk MLTK securely communicates with Amazon Bedrock. Let’s examine the four key steps in this process:
- Splunk MLTK assumes an AWS Identity and Access Management (IAM) role using IAM user credentials: Splunk MLTK initially uses IAM user credentials to make an `sts:AssumeRole` API call to AWS Security Token Service (STS), with permissions restricted to only this action.
- AWS STS returns temporary credentials for the assumed IAM role: AWS STS validates the request against the IAM role’s trust policy and generates temporary security credentials. Splunk MLTK assumes an IAM role that only has permissions to list available models (`bedrock:ListFoundationModels`) and invoke only the chosen foundation model (`bedrock:InvokeModel`).
- Splunk MLTK invokes the foundation model with the prompt using temporary credentials: Splunk MLTK uses these temporary credentials to send user prompts to the selected foundation model in Amazon Bedrock.
- Amazon Bedrock returns the foundation model-generated response: The foundation model processes the prompt and returns the generated response, which Splunk integrates into the search results with the new `| ai prompt="prompt"` command.
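The four steps above, as an added example that is not code from the blog post or from the Splunk/AWS GitHub repository. It writes the flow in Python with the AWS clients injected so the logic runs offline and can be tested with fakes; when run directly it builds real boto3 clients. The Region, account id, role ARN, model id and the exact policy shapes are assumptions made for this illustration (the repository the post links to holds the real IAM roles, policies and trusts). The `granted_actions` helper is a small least-privilege check a reviewer can run over the role policy before deployment.

```python
"""Added example, not code from the blog or the Splunk/AWS GitHub repository.
It walks the four-step flow above with the AWS clients injected so it can run
offline; the Region, role ARN, account id, policy shapes and model id are assumptions."""
import json

REGION = "us-east-1"                                   # assumed Region
MODEL_ID = "amazon.nova-lite-v1:0"                     # Amazon Nova Lite model id
MODEL_ARN = f"arn:aws:bedrock:{REGION}::foundation-model/{MODEL_ID}"
ROLE_ARN = "arn:aws:iam::123456789012:role/SplunkMltkBedrockRole"  # placeholder


def user_policy(role_arn):
    """Step 1: the IAM user behind Splunk MLTK may do one thing, assume this role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def role_policy(model_arn):
    """Step 2: the role may list models and invoke only the chosen one.
    ListFoundationModels has no resource-level scoping, so its Resource is '*'."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "bedrock:ListFoundationModels", "Resource": "*"},
        {"Effect": "Allow", "Action": "bedrock:InvokeModel", "Resource": model_arn}]}


def granted_actions(policy):
    """Flatten Allow statements to (action, resource) pairs for a least-privilege review."""
    pairs = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        pairs.update((a, r) for a in actions for r in resources)
    return pairs


def assume_role_credentials(sts, role_arn, session_name="splunk-mltk"):
    """Steps 1-2: trade the long-lived user keys for short-lived role credentials."""
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


def nova_request(prompt, max_tokens):
    """InvokeModel body for Nova; maxTokens caps the reply (the post's Max Tokens setting)."""
    return {"messages": [{"role": "user", "content": [{"text": prompt}]}],
            "inferenceConfig": {"maxTokens": max_tokens}}


def invoke_model(runtime, model_id, prompt, max_tokens=512):
    """Steps 3-4: send the prompt with the temporary credentials, return the model's text."""
    resp = runtime.invoke_model(modelId=model_id, contentType="application/json",
                                accept="application/json",
                                body=json.dumps(nova_request(prompt, max_tokens)))
    payload = json.loads(resp["body"].read())
    return "".join(p.get("text", "") for p in payload["output"]["message"]["content"])


def run_flow(sts, runtime_factory, role_arn, model_id, prompt):
    """Whole exchange: assume the role, build a bedrock-runtime client from the
    temporary credentials, invoke the model. runtime_factory takes the creds as kwargs."""
    creds = assume_role_credentials(sts, role_arn)
    return invoke_model(runtime_factory(**creds), model_id, prompt)


if __name__ == "__main__":
    import boto3  # real AWS clients only when run directly; never on import
    sts_client = boto3.client("sts", region_name=REGION)
    factory = lambda **c: boto3.client("bedrock-runtime", region_name=REGION, **c)
    print(run_flow(sts_client, factory, ROLE_ARN, MODEL_ID, "Summarize these HTTP 400 events."))
```

The `bedrock-runtime` client is built only from the STS session credentials, never from the IAM user keys, which is what keeps the long-lived keys limited to `sts:AssumeRole`; `granted_actions(role_policy(MODEL_ARN))` should contain exactly the two Bedrock actions, with `InvokeModel` scoped to one model ARN.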
Real-World Example
Splunk MLTK and Amazon Bedrock integration enables powerful new capabilities that transform how security analysts interact with machine data.
The example below is demonstrated using Amazon Nova Lite, a low-cost multimodal model from AWS that is optimized for processing image, video, and text inputs at speed.
Investigating HTTP 400 Errors
When investigating potential security incidents, analysts need to quickly identify patterns in error logs that could indicate malicious activity. Amazon Bedrock enhances this process by bringing advanced generative AI capabilities directly into Splunk workflows.
For instance, after filtering HTTP 400 error logs in Splunk, analysts can extend their query with the new `ai` command. By simply adding a prompt asking the model to “analyze the log entries as a SOC analyst performing threat modeling”, they can request the top five notable findings with recommended actions. The prompt can direct the model to focus on prevalent issues and those with the highest risk, substantiated with metrics like occurrence counts or important identifiers such as web servers, IP addresses, and URL paths.
This approach helps security teams quickly identify potential threats that would normally require manual review and deep security expertise to detect. The foundation model automatically formats the output with clear findings and actionable recommendations, as shown in Figure 2.

Figure 2: Threat analysis of HTTP 400 error logs with findings and recommended actions identified by Amazon Bedrock
For more information about Splunk MLTK’s supported prompt patterns, visit the user guide.
Getting Started
Our GitHub repository provides guidance for implementing the Splunk MLTK and Amazon Bedrock integration, featuring an AWS CloudFormation template for automated deployment. It also contains step-by-step instructions with screenshots, example use cases, cost management and security recommendations, as well as troubleshooting assistance.
After deployment of the CloudFormation template, configuration continues within Splunk MLTK’s Connection Management tab as shown in Figure 3. The Connection Management tab in Splunk MLTK allows you to configure and manage Amazon Bedrock connectivity and external machine learning runtimes or environments, enabling Splunk to securely connect with external frameworks for model training and inference. Here, administrators can select Bedrock as the service, enter their AWS Region and IAM credentials, and choose their preferred foundation model along with any custom settings. AWS Secrets Manager stores IAM credentials required for the integration.

Figure 3: Splunk MLTK Connection Management interface configured for Amazon Bedrock integration
Once configured, analysts can immediately leverage the new `ai` command in their SPL queries, unlocking the natural language processing capabilities of Amazon Bedrock models directly within Splunk workflows.
Cost Management Considerations
Each row in your SPL search results will trigger a separate call to Amazon Bedrock, which incurs usage costs.
Best practices include:
- Testing your SPL query first to understand how many API calls will be generated
- Using commands like `stats`, `dedup`, or `head` to aggregate and reduce your result set before the `ai` command
- Scheduling your query to run automatically for predictable and controlled generative AI use
- Using the Maximum Result Rows and Max Tokens settings of your model in Splunk MLTK’s Connection Management tab to restrict the amount of data sent to Amazon Bedrock
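The HTTP 400 investigation from the Real-World Example section and the cost practices above, as one added example that is not code from the blog post or from Splunk MLTK. It replays in plain Python what a search of the shape `index=web status=400 | stats count by clientip, uri_path | head 20 | ai prompt="..."` does: filter, aggregate, cap the rows, then apply a per-row `ai` step whose model call is an injected callable, so it runs offline. The log lines are constructed, and the index and field names (`clientip`, `uri_path`, `status`) are assumptions; the point it shows is how many Bedrock calls a search would trigger before and after aggregation.

```python
"""Added example, not code from the blog or Splunk MLTK. It replays the HTTP 400
investigation in plain Python: filter, aggregate with stats/head-style steps, then
apply a per-row `ai` step whose model call is an injected callable. Log lines are
constructed; field names (clientip, uri_path, status) are assumptions."""
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOGS = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /login HTTP/1.1" 400 512
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /login HTTP/1.1" 400 512
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.5 - - [01/Jan/2025:10:00:04 +0000] "GET /login HTTP/1.1" 400 512
10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "GET /login HTTP/1.1" 400 512
10.0.0.5 - - [01/Jan/2025:10:00:06 +0000] "GET /login HTTP/1.1" 400 512
10.0.0.7 - - [01/Jan/2025:10:00:07 +0000] "POST /admin HTTP/1.1" 400 88
10.0.0.9 - - [01/Jan/2025:10:00:08 +0000] "GET /missing HTTP/1.1" 404 0
10.0.0.7 - - [01/Jan/2025:10:00:09 +0000] "GET /login HTTP/1.1" 400 512
""".splitlines()

LOG_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<uri_path>\S+) [^"]+" (?P<status>\d{3}) \d+$')

# The analyst framing from the post, sent once per result row by the ai step.
ANALYST_PROMPT = ("Analyze the log entries as a SOC analyst performing threat modeling. "
                  "Give the top five notable findings with recommended actions, focusing on "
                  "the most prevalent and highest-risk issues and citing occurrence counts, "
                  "client IPs and URL paths.")


def parse(line):
    """Parse one common-log-format line into a field dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def filter_status(lines, status="400"):
    """The initial SPL filter: keep only events with the given HTTP status."""
    return [e for e in map(parse, lines) if e and e["status"] == status]


def aggregate(events, head=20):
    """Like `| stats count by clientip, uri_path | sort -count | head N`."""
    counts = Counter((e["clientip"], e["uri_path"]) for e in events)
    return [{"count": n, "clientip": ip, "uri_path": path}
            for (ip, path), n in counts.most_common(head)]


def estimate_calls(rows, max_rows=None):
    """Bedrock invocations a search with these result rows would trigger (one per row),
    capped by the Maximum Result Rows setting when one is given."""
    return len(rows) if max_rows is None else min(len(rows), max_rows)


def ai_command(rows, prompt, invoke, max_rows=None):
    """Per-row behaviour the post describes: each row becomes one prompt and one call,
    and the reply is attached to the row as a new field."""
    out = []
    for row in rows[:estimate_calls(rows, max_rows)]:
        text = prompt + "\n\n" + "\n".join(f"{k}={v}" for k, v in row.items())
        out.append({**row, "ai_response": invoke(text)})
    return out
```

On the constructed sample, `filter_status` yields seven HTTP 400 events, so an `ai` step placed directly after the filter would make seven calls; `aggregate` collapses them to three rows, and a `max_rows` of 2 (the Maximum Result Rows setting) caps the calls at two, which is the check to run before scheduling such a search.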
While Secrets Manager is used to securely store IAM credentials during initial configuration, you can safely delete the secret after Amazon Bedrock integration is configured to reduce ongoing storage charges.
Security Considerations
Amazon Bedrock
The integration implements multiple security best practices as outlined below. For a detailed breakdown of IAM roles, policies and trusts that enable this secure configuration, refer to the Security Considerations section in our GitHub repository:
- IAM least-privilege permissions for Amazon Bedrock access
- AWS STS temporary credentials through IAM role assumption
- TLS 1.2+ encryption for communications between Splunk MLTK and Amazon Bedrock
While these security measures provide a solid foundation, it’s important to understand that Splunk MLTK sends data processed by foundation models outside of your Splunk environment. Before implementing this solution:
- Confirm that the integration meets your specific security and compliance requirements
- Validate what data will be included in your AI prompts and ensure its use complies with your organization’s data governance policies
To learn more about security and compliance features in Amazon Bedrock, visit the Security in Amazon Bedrock page.
Secrets Manager
Remember to follow Secrets Manager best practices by safeguarding the IAM credentials retrieved from Secrets Manager during configuration, using them only for the initial setup process, and deleting or rotating the secret once Splunk MLTK has been successfully configured.
Conclusion
By combining Splunk’s data processing system with Amazon Bedrock’s foundation models, organizations can now unlock deeper insights from their machine data without requiring extensive data science expertise.
Security teams can accelerate investigations, operations teams can streamline root cause analysis, and business teams can generate next steps from technical data, all using natural language within existing Splunk workflows.
As generative AI continues to evolve, this integration provides Splunk users with a secure, scalable pattern to incorporate these capabilities into their existing data analysis practices, ultimately driving faster time-to-insight and improved operational outcomes.
Ready to get started? Visit our GitHub repository for step-by-step deployment instructions and example usage.
Splunk – AWS Partner Spotlight
Splunk is an AWS Specialization Partner with Competencies in Cloud Operations, Data and Analytics, DevOps, and more. Leading organizations use Splunk’s unified security and observability platform to keep their digital systems secure and reliable.