Inferensys

Integration

AI Integration for Splunk IT Service Intelligence

Apply AI to Splunk ITSI to predict service degradation, auto-generate incident tickets, and suggest root causes by analyzing KPI correlations and metric anomalies.
Get in touchLearn more
Enterprise integration architect reviewing API connections on laptop, diagram showing systems connecting, modern office setup.
ARCHITECTURE AND ROLLOUT

Where AI Fits into Splunk ITSI Operations

A practical guide to integrating AI with Splunk IT Service Intelligence for predictive service health and automated incident management.

AI integration for Splunk ITSI focuses on three primary surfaces: the Service Analyzer for KPI monitoring, the Glass Tables for visualization, and the Event Analytics engine for correlation. The goal is to inject intelligence into the service health lifecycle—before, during, and after degradation. This means connecting AI models to the underlying metric time series data, episodic events, and service dependency maps that ITSI uses to calculate health scores. By analyzing patterns across these data streams, AI can predict service degradation, suggest root causes by correlating anomalous KPIs, and automatically trigger enriched incident creation in ITSI's notable events or downstream ticketing systems like ServiceNow.

A production implementation typically involves deploying lightweight inference services that subscribe to the ITSI Summary Index or consume data via the ITSI REST API. For predictive alerts, models analyze rolling windows of KPI data to forecast breaches of dynamic thresholds, moving beyond static baselines. For root cause analysis, AI can process the service topology and recent metric correlations to rank likely culprits, presenting them as evidence in the incident. Governance is critical: all AI-generated insights should be logged to a dedicated index for audit, and any automated action—like creating a notable event—should be gated by confidence scores and, for critical services, optional human-in-the-loop approval via a webhook or Slack alert.

Rollout should start with a single, non-critical ITSI service or KPIs known for noisy, manual triage. Use this pilot to validate model accuracy, refine prompts for root cause narratives, and establish the operational handoff between AI suggestions and the on-call team. The long-term value isn't just faster MTTR; it's enabling IT Ops to shift from reactive firefighting to proactive service management, using AI to highlight subtle, cross-domain issues that traditional monitoring misses.

SPLUNK IT SERVICE INTELLIGENCE

Key ITSI Surfaces for AI Integration

Service Health Scores and KPI Thresholds

AI integration targets the core service health scores and KPI thresholds that drive ITSI's glass tables and service analyzers. Instead of relying on static thresholds, AI models can analyze historical KPI data, seasonality, and correlated metric behavior to predict impending service degradation before a breach occurs.

Key surfaces include the service_health_score calculation and the kpi_base_search definitions. An AI agent can be triggered by a KPI's status change to analyze the underlying raw metric data, adjacent service dependencies, and recent change tickets to suggest a dynamic, context-aware threshold adjustment or generate a predictive incident. This moves operations from reactive "red/green" monitoring to proactive risk forecasting, allowing teams to address issues during maintenance windows.

PREDICTIVE SERVICE HEALTH

High-Value AI Use Cases for Splunk ITSI

Integrate AI with Splunk IT Service Intelligence (ITSI) to move from reactive monitoring to predictive operations. These use cases focus on applying machine learning and generative AI to KPIs, service health scores, and metric correlations to prevent outages and accelerate resolution.

01

Predictive Service Degradation

Apply time-series forecasting models to KPI data within ITSI service health scores. AI predicts metric breaches hours before they occur, allowing teams to intervene proactively. Models are trained on historical patterns, seasonality, and correlated infrastructure events.

Reactive -> Proactive
Monitoring shift
02

Automated Incident Ticket Generation

Trigger the creation of detailed incident tickets in connected ITSM platforms (e.g., ServiceNow) when AI predicts or confirms a service degradation. Tickets are auto-populated with affected services, root cause hypotheses, and relevant KPI graphs, reducing manual triage.

Minutes -> Seconds
Ticket creation
03

Correlation-Based Root Cause Suggestion

Analyze real-time and historical metric correlations across the service topology. When a KPI breaches, AI suggests the most likely underlying infrastructure component (e.g., a specific database cluster or network segment) by identifying anomalies in correlated metrics, cutting MTTR.

1 sprint
Typical implementation
04

Intelligent Threshold Tuning

Continuously analyze KPI behavior to recommend dynamic, adaptive thresholds instead of static values. AI identifies baseline shifts (e.g., due to application updates or seasonal traffic) and adjusts alerting thresholds in ITSI to reduce noise and maintain sensitivity.

05

Anomaly Detection for Business Services

Deploy unsupervised ML models on the metric streams feeding ITSI's glass tables. Detect subtle, multi-metric anomalies that don't breach individual KPI thresholds but indicate emerging issues, such as gradual latency creep or sporadic error rates across a transaction flow.

Batch -> Real-time
Detection mode
06

Generative AI for Incident Summaries

When an ITSI episode is created, use a generative AI model to synthesize the timeline, impacted KPIs, and correlated events into a plain-language narrative summary. This accelerates handoffs between L1/L2 teams and provides clear context for war rooms.

PRACTICAL AUTOMATIONS

Example AI-Augmented ITSI Workflows

These workflows illustrate how generative AI and machine learning can be embedded into Splunk ITSI's service monitoring and incident management lifecycle to move from reactive alerts to predictive, automated operations.

Trigger: Splunk ITSI's predictive analytics or anomaly detection module flags a deviation in a KPI baseline for a critical business service (e.g., API latency for a payment service).

Context Pulled: The AI agent retrieves:

  • The specific KPI values and deviation magnitude.
  • Related infrastructure metrics (CPU, memory, error rates) from the same service entity.
  • Recent change tickets from a connected ServiceNow instance.
  • Dependency map of upstream/downstream services from ITSI's service topology.

Agent Action: A fine-tuned model analyzes the correlation between metrics and recent changes. It generates a natural language summary: "API latency spike on payment-service correlates with 90% CPU utilization on app-server-05, following a deployment 2 hours ago. Downstream order-service is now showing increased error rates."

System Update: The agent creates a high-priority incident in the connected ITSM platform (e.g., ServiceNow) with the summary, tags it as predicted-degradation, and assigns it to the appropriate platform engineering team. It also updates the ITSI glass table with the AI-generated hypothesis.

Human Review Point: The incident is created for human review, but the AI summary provides immediate, actionable context, reducing triage time from 30+ minutes to seconds.

FROM KPI MONITORING TO PREDICTIVE SERVICE INSIGHTS

Typical Implementation Architecture

A production-ready AI integration for Splunk ITSI connects predictive analytics to service health workflows, creating a closed-loop system for proactive IT operations.

The architecture typically layers AI on top of Splunk ITSI's existing data pipeline. Service health scores, KPI values, and entity metrics from your IT environment are ingested and indexed as normal. An AI service—hosted in your cloud or on-premises—subscribes to this telemetry stream via the Splunk HTTP Event Collector (HEC) or queries the Splunk REST API. This service runs machine learning models to establish behavioral baselines for each KPI, detect subtle anomalies that may indicate impending service degradation, and analyze correlations across metrics to suggest probable root causes. For high-confidence predictions, the system can automatically create ServiceNow incidents or Jira issues via webhook, populating the ticket with the predicted service impact, affected entities, and correlated KPIs.

Implementation focuses on three key integration points: 1) The data feed from ITSI's glass tables and KPI searches, enriched with contextual metadata like business service ownership and dependency maps. 2) The inference engine, which can be a containerized microservice using frameworks like TensorFlow Serving or MLflow, scoring data in near-real-time. 3) The action layer, where predictions trigger workflows in ITSI (e.g., adjusting adaptive thresholding) or external systems via webhooks, email alerts, or Slack messages. A common pattern is to deploy a lightweight vector database alongside the AI service to store and retrieve similar historical incidents, providing analysts with "this looks like last month's database latency issue" context.

Rollout is phased, starting with a non-disruptive "observer mode" where AI predictions are logged to a dedicated Splunk index for validation against actual incidents. Governance is critical: a human-in-the-loop approval step is maintained for automated ticket creation, often managed through a simple dashboard where operations leads can review and approve AI-suggested incidents. Over time, as confidence in the model's precision grows, approved workflows can be automated, with an audit trail of all AI-generated actions and model performance metrics (precision, recall) tracked back in Splunk for continuous tuning. For teams exploring this, we recommend starting with a single, high-impact business service and its 5-10 most critical KPIs.

AI INTEGRATION FOR SPLUNK ITSI

Code and Payload Examples

Detecting Service Health Degradation

Use AI to analyze Splunk ITSI's time-series KPI data for predictive alerting. The workflow involves querying recent KPI values, scoring them with an anomaly detection model, and creating a proactive service ticket if a threshold is breached.

Example Python Payload to an AI Service:

python
import requests

# Payload structure for KPI anomaly scoring
kpi_payload = {
    "service_id": "app-payment-processor",
    "kpi_name": "transaction_error_rate",
    "values": [0.02, 0.015, 0.018, 0.045, 0.12],  # Last 5-minute readings
    "baseline_mean": 0.02,
    "baseline_std": 0.005
}

# Send to an AI inference endpoint
response = requests.post(
    "https://api.your-ai-service.com/anomaly/score",
    json=kpi_payload,
    headers={"Authorization": "Bearer YOUR_API_KEY"}
)

# If anomaly score > 0.9, trigger an ITSI event
if response.json().get('anomaly_score', 0) > 0.9:
    create_itsi_event(
        title="Predicted Service Degradation",
        severity=2,
        details=response.json().get('reasoning')
    )

This pattern moves teams from static thresholds to adaptive, ML-driven alerts.

SPLUNK ITSI AI INTEGRATION

Realistic Time Savings and Operational Impact

How AI integration for Splunk IT Service Intelligence changes key operational workflows, reducing manual effort and accelerating service restoration.

MetricBefore AIAfter AINotes

Service Degradation Detection

Threshold-based alerts after breach

Predictive anomaly detection 15-45 min prior

AI analyzes KPI trends and metric correlations to forecast issues

Incident Ticket Creation

Manual creation by L1/L2 after alert

Automated ticket draft with root cause hypothesis

AI pulls from ITSI glass tables, KPIs, and entity data; human review required

Initial Triage & Correlation

30-60 minutes manual search and pivot

5-10 minutes with AI-generated incident narrative

AI summarizes related metric anomalies, topology changes, and recent deployments

Root Cause Analysis (RCA) Suggestion

Hours of manual log diving and metric comparison

Ranked list of probable causes in minutes

AI correlates service health scores with underlying infrastructure and application metrics

Mean Time to Resolution (MTTR)

Hours to next business day for complex issues

Reduction of 25-50% for correlated incidents

Faster, data-driven initial investigation reduces diagnostic loops

Post-Incident Report Drafting

Manual compilation of timelines and impacts

Automated first draft with key events and metrics

AI synthesizes ITSI episode data, action logs, and KPI recovery graphs

Service Health Score Anomaly Review

Daily manual review of score fluctuations

Automated weekly summary with highlighted deviations

AI identifies and explains significant score changes against baselines and business cycles

OPERATIONALIZING AI FOR SPLUNK ITSI

Governance, Security, and Phased Rollout

A practical approach to deploying AI for service health that maintains control, security, and measurable impact.

Integrating AI with Splunk IT Service Intelligence (ITSI) requires a governance model that respects the criticality of service health data and KPI calculations. Start by defining a read-only AI service account with scoped access to specific ITSI modules—primarily the Service Analyzer, Glass Tables, and the ITSI REST API for KPIs and entity data. AI inferences should be executed asynchronously, with results written to a dedicated ai_insights summary index or a custom ITSI notable event group. This creates a clear audit trail, separating AI-generated hypotheses from core ITSI telemetry and allowing for easy rollback or model retraining without affecting production service monitoring.

A phased rollout is essential for building trust and demonstrating value. Phase 1 focuses on read-only analysis and alerting: deploy AI models to analyze KPI threshold breaches and metric correlations, generating enriched notable events with suggested root causes and confidence scores. These appear alongside traditional alerts for analyst review. Phase 2 introduces controlled automation: after validating Phase 1 accuracy, implement workflows where high-confidence AI insights can automatically create tickets in integrated ITSM tools like ServiceNow via webhook, populating predefined fields with the AI-generated summary and context. Phase 3 enables predictive actions, where the system can suggest proactive measures, like scaling a cloud resource group via an orchestration platform, based on predicted service degradation—but always requiring human approval for execution.

Security is paramount. All AI model calls (e.g., to OpenAI, Azure OpenAI, or private models) must be proxied through a secure gateway that enforces data privacy policies, strips PII from ITSI entity names or metric labels before processing, and logs all prompts and completions for compliance. Implement a human-in-the-loop review queue in a separate dashboard for any AI-recommended action that could impact service availability. Finally, establish a continuous feedback loop by tagging AI-generated insights in ITSI as validated or incorrect. This curated data becomes invaluable for fine-tuning models and proving ROI, moving from "AI suggestions" to "AI-assisted operations" with clear operational guardrails.

Enabling Efficiency, Speed & Accuracy

Intelligent Analysis, Decision & Execution

We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.

Talk to Us

Search across company data

Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.

Useful when people spend too long searching or get different answers from different systems.

Enterprise searchRAGPermissions
Read more

Automate internal workflows

Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.

Useful when repetitive work moves across multiple tools and teams.

AI agentsWorkflow automationGovernance
Read more

Add AI to products and internal tools

Build assistants, guided actions, or decision support into the software your team or customers already use.

Useful when AI needs to be part of the product, not a separate tool.

AI integrationDecision supportModel routing
Read more
AI INTEGRATION FOR SPLUNK ITSI

Frequently Asked Questions

Practical questions about integrating AI with Splunk IT Service Intelligence (ITSI) to predict service degradation, automate incident creation, and accelerate root cause analysis.

AI integration connects at the service, KPI, and entity levels within Splunk ITSI's data model.

Primary Integration Points:

  • KPI Base Searches: AI models consume the time-series data from KPI base searches to detect anomalies and forecast trends. This is typically done via the ITSI REST API or by writing enriched results back to a summary index.
  • Service Health Scores: The composite health score of an IT service is analyzed to predict impending degradation before thresholds are breached.
  • Glass Tables & Deep Dives: AI-generated insights (e.g., "CPU spike on App-Server-05 is correlated with a 40% increase in database latency") can be surfaced as contextual annotations on Glass Tables or within deep dive investigations.

Implementation Pattern:

  1. Data Extraction: Use ITSI's itsi_* REST API endpoints or direct Splunk searches against itsi_summary indexes to pull KPI and entity data.
  2. AI Processing: Stream this data to an external inference service or use the Splunk Machine Learning Toolkit (MLTK) for on-platform model execution.
  3. Result Ingestion: Write predictions, correlations, and suggested root causes back to a custom index or use the ITSI API to create predictive KPIs or annotate services.

Governance: Access requires permissions to the ITSI app and relevant summary indexes. All AI-generated actions (like creating an incident) should be logged to an audit index.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.

LinkedIn
Limited slotsGet a Free AI Consultation

Partnered with leading AI, data, and software stack.

OpenAI
OpenAI
ChatGPT
ChatGPT
Claude
Claude
Anthropic
Anthropic
Google Gemini
Microsoft Azure
Microsoft Azure
Microsoft Copilot
Microsoft Copilot
Meta Llama
Meta Llama
Mistral AI
Mistral AI
LangChain
LangChain
LangGraph
LangGraph
AWS
OpenAI
OpenAI
ChatGPT
ChatGPT
Claude
Claude
Anthropic
Anthropic
Google Gemini
Microsoft Azure
Microsoft Azure
Microsoft Copilot
Microsoft Copilot
Meta Llama
Meta Llama
Mistral AI
Mistral AI
LangChain
LangChain
LangGraph
LangGraph
AWS
OpenAI
OpenAI
ChatGPT
ChatGPT
Claude
Claude
Anthropic
Anthropic
Google Gemini
Microsoft Azure
Microsoft Azure
Microsoft Copilot
Microsoft Copilot
Meta Llama
Meta Llama
Mistral AI
Mistral AI
LangChain
LangChain
LangGraph
LangGraph
AWS
Google Cloud
Google Cloud
Salesforce
ServiceNow
Snowflake
Snowflake
Databricks
Databricks
Postgres
Postgres
Pinecone
Pinecone
Elastic
Elastic
HubSpot
HubSpot
Slack
Slack
Jira
Jira
Stripe
Google Cloud
Google Cloud
Salesforce
ServiceNow
Snowflake
Snowflake
Databricks
Databricks
Postgres
Postgres
Pinecone
Pinecone
Elastic
Elastic
HubSpot
HubSpot
Slack
Slack
Jira
Jira
Stripe
Google Cloud
Google Cloud
Salesforce
ServiceNow
Snowflake
Snowflake
Databricks
Databricks
Postgres
Postgres
Pinecone
Pinecone
Elastic
Elastic
HubSpot
HubSpot
Slack
Slack
Jira
Jira
Stripe

How We Work

Custom AI workflows for your Business

One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.

01

Review the use case

We understand the task, the users, and where AI can actually help.

Read more

02

Pick the right approach

We define what needs search, automation, or product integration.

Read more

03

Build the first useful version

We implement the part that proves the value first.

Read more

04

Improve from there

We add the checks and visibility needed to keep it useful.

Read more

The first call is a practical review of your use case and the right next step.

Talk to Us