Aviz Network Copilot integrates with Splunk for natural-language queries

Aviz Network Copilot is presented as an AI layer that connects to Splunk to convert natural-language network questions into structured searches and summarized results. For enterprise IT and security teams, the update centers on faster troubleshooting, real-time anomaly visibility, and scalable analytics across multi-vendor environments.

Research Overview

The white paper describes an integration in which Splunk is positioned as the system of record for operational telemetry and Network Copilot functions as the reasoning and interaction layer. Network Copilot translates operator questions into structured Splunk queries, retrieves relevant results, and returns summarized outputs, including charts and recommendations.

The paper frames the goal as reducing time spent moving across tools and manually building queries for common questions about change, location, and next steps. It also connects the approach to both operational and security workflows using indexed telemetry from network and security sources.

Key Findings

The integration is described as supporting centralized data visibility across logs, metrics, flows, and security events, while also using Splunk’s real-time analytics and alerting to surface anomalies. The paper includes example questions around packet drops, CRC errors, top talkers, and interface-level issues on network devices.

For forecasting and machine learning, the paper states that Network Copilot applies machine learning to Splunk data to identify early warning signals such as capacity constraints on core routers and potential security breaches flagged by SIEM logs. It also describes enriched answers delivered via a chat interface that returns tables and charts for faster analysis.

Technical Breakdown

The reference flow includes Splunk data ingestion for logs, metrics, and NetFlow/sFlow/firewall logs, with forwarding and indexing followed by SPL searches. Network Copilot is then described as querying Splunk APIs to pull contextual results and applying LLM-driven reasoning and machine-learning pipelines to produce summaries and recommended actions.

After enrichment, the paper states that events are streamed into Kafka for scalable persistence and downstream actions. The described pipeline is designed to reduce unnecessary LLM iterations while maintaining accuracy, based on the paper’s description of how work is coordinated across the orchestrator, Splunk agent, MCP layer, Splunk query execution, and response generation.

Operational Impact and Performance Notes

The paper lists use cases spanning network monitoring and insights such as top talkers, security operations workflows tied to firewall activity, and security/compliance items like failed login attempts and DoS or policy-violation detection using Splunk SIEM data. It also includes flow analytics examples such as identifying top applications consuming WAN bandwidth and plotting bandwidth utilization by hardware SKU.

For scalability testing, the paper reports representative testing of the integration using real network flow data at four scales: 50 flows (baseline), 1 million, 5 million, and 10 million flows. It states that direct SPL lookups and time-filtered searches remain under half a second at 5M flows, with stats aggregations at 2–4 seconds, and notes that the most expensive query pattern involves field extraction and aggregation, reaching 8–15 seconds at 5M while dropping under 300ms with tstats and data model acceleration.

On end-to-end response time, the paper states that at 1 million flows the total response time ranges from 5 to 10 seconds, with Splunk query execution taking 1–5 seconds, MCP overhead at 0.2–0.5 seconds, and the remaining time attributed to LLM inference tasks such as routing, schema discovery, SPL construction, interpretation, and response generation. It also outlines when optimization is recommended, including enforcing time ranges between 100K and 1M flows and using data model acceleration, tstats, summary indexing, report acceleration, and dedicated search heads beyond 5M flows.
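The query-shaping rules above (bound the time range once flow counts reach the 100K–1M band, move to tstats over an accelerated data model beyond 5M flows) are the kind of guardrail a Copilot-style layer has to apply before it hands generated SPL to Splunk. The following is an added illustration, not Aviz or Splunk code; the index name `netflow`, the CIM-style `Network_Traffic` data model and its `All_Traffic.*` fields, and the "top talkers" question shape are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Flow-count thresholds taken from the paper's performance notes.
ENFORCE_TIME_RANGE_FROM = 100_000   # 100K-1M flows: always bound the time range
PREFER_TSTATS_FROM = 5_000_000      # >5M flows: accelerated data model + tstats


@dataclass
class TopTalkersQuestion:
    """Structured form of the operator question 'who are the top talkers?'."""
    limit: int = 10
    earliest: Optional[str] = None      # Splunk relative time, e.g. "-15m"
    latest: str = "now"
    index: str = "netflow"              # assumed index holding flow records
    datamodel: str = "Network_Traffic"  # assumed CIM-style accelerated data model


def needs_time_range(flow_count: int) -> bool:
    return flow_count >= ENFORCE_TIME_RANGE_FROM


def use_tstats(flow_count: int) -> bool:
    return flow_count >= PREFER_TSTATS_FROM


def build_top_talkers_job(q: TopTalkersQuestion, flow_count: int) -> Dict[str, str]:
    """Return the search job parameters a Copilot layer would submit to Splunk.

    The time range is passed as job parameters (earliest_time/latest_time)
    rather than embedded in the SPL text, so the bound cannot be dropped by
    whatever query string the LLM stage produced.
    """
    if needs_time_range(flow_count) and q.earliest is None:
        raise ValueError(
            f"{flow_count} flows: refusing an unbounded search at or above "
            f"{ENFORCE_TIME_RANGE_FROM} flows")
    if use_tstats(flow_count):
        # Accelerated path: reads summaries, no per-event field extraction.
        spl = (f"| tstats summariesonly=true sum(All_Traffic.bytes) as bytes "
               f"from datamodel={q.datamodel} by All_Traffic.src_ip "
               f"| sort - bytes | head {q.limit}")
    else:
        # Raw-event path: field extraction plus stats, acceptable at small scale.
        spl = (f"search index={q.index} | stats sum(bytes) as bytes by src_ip "
               f"| sort - bytes | head {q.limit}")
    return {"search": spl,
            "earliest_time": q.earliest or "0",   # "0" = all time, small scale only
            "latest_time": q.latest}
```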

The paper closes by describing the integration as a combined approach for network visibility, analytics, and operational automation using Splunk operational data and Network Copilot AI reasoning. This “Blog Signals brief” is a fact-based summary of the vendor blog.