
Using Splunk® ChatGPT Integration to Analyze Traffic Patterns

This is the second blog post in a series detailing how to use Dataflect to implement AI-driven workflows without leaving Splunk®.


Using ChatGPT in Splunk® to Analyze Traffic Patterns

This quick example shows how to build a Splunk® ChatGPT Integration using Dataflect to send summarized network activity to ChatGPT and return a plain-English assessment right inside Splunk®. The screenshot above is a single-panel search that asks an LLM to describe “what’s normal vs. unusual” for a host over the last 24 hours—and it answers with a concise analyst-style readout. (If you’re new to calling ChatGPT from Splunk with Dataflect, see our earlier intro: https://www.dataflect.com/post/how-to-use-chatgpt-in-splunk)



What you’ll build - a Splunk® ChatGPT Integration to Analyze Traffic Patterns


  • A search that rolls up traffic (sizes, ports, cadence) for a host or subnet

  • A compact JSON payload with the important context (not raw packet data)

  • A call to ChatGPT using dfenrich that returns a readable summary + highlights



1) Gather the traffic you want the model to review


Use your preferred dataset (e.g., the Network_Traffic data model) and keep it small and structured. Here’s a representative pattern:


| tstats summariesonly=t count, sum(All_Traffic.bytes) as bytes from datamodel=Network_Traffic where All_Traffic.src_ip=10.0.0.0/8 earliest=-24h latest=now() by _time span=1m All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.protocol
| rename All_Traffic.* as *

That gives the model a time series plus basic shape (who, where, how much).



2) Build a clear dataset the model can follow


Next, we'll package up the information into a format that we can send to ChatGPT for insight:


| tstats summariesonly=t count, sum(All_Traffic.bytes) as bytes from datamodel=Network_Traffic where All_Traffic.src_ip=10.0.0.0/8 earliest=-24h latest=now() by _time span=1m All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.protocol
| rename All_Traffic.* as *
| rename _time as time
| tojson
| stats values(_raw) as payload
| mvcombine payload


3) Ask ChatGPT—right from Splunk® with Dataflect


Finally, we'll send the request out to ChatGPT using the dfenrich command to gain AI-driven insight into what's going on with this traffic. We'll authenticate with a securely stored credential and return just the assistant's message:

| tstats summariesonly=t count, sum(All_Traffic.bytes) as bytes from datamodel=Network_Traffic where All_Traffic.src_ip=10.0.0.0/8 earliest=-24h latest=now() by _time span=1m All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.protocol
| rename All_Traffic.* as *
| rename _time as time
| tojson
| stats values(_raw) as payload
| mvcombine payload
| dfenrich url="https://api.openai.com/v1/chat/completions" method=post credential=openai headers="{'Content-Type': 'application/json'}" data="{'model': 'gpt-5-mini', 'messages': [{'role': 'user', 'content': 'Analyze this traffic and describe it to me, do you find anything unusual? What are usual traffic patterns and what stick out? $payload$'}]}" data_format=json containing_field=choices
| spath input=choices
| table message.content


That’s it. You’ll get a concise narrative: “regular 15–30s keep-alive to X, occasional web downloads to Y, rare spikes to Z worth checking,” etc.—exactly like in the screenshot.



Why this is useful


  • Speed to insight: translate noisy telemetry into analyst-ready notes in seconds.

  • Right-sized context: you choose what to send (and redact) before the API call.

  • Stay in Splunk®: analysts don’t need to copy/paste into external tools. 




Practical tips


  • Scope: start with one host or service; widen as needed.

  • Cost control: bucket to 1–5 min granularity and cap rows; keep prompts short.

  • Safety: avoid sending PII/content; stick to metadata and summaries.

    • You can mask sensitive data directly in your SPL prior to sending to ChatGPT

  • Repeatability: save as a dashboard panel with a host dropdown and a time picker.
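To make the scoping, cost-control and masking tips concrete (and checkable outside Splunk), here is the same shape-and-send step as a small Python script. It is an added example, not Dataflect's or Splunk's code: it buckets rows of the form the tstats search returns to 5 minutes, caps the row count, replaces the internal source address with a keyed pseudonym, and builds the request body the dfenrich call posts. The sample rows, the salt and the size budget are constructed placeholders; the prompt, model and field names are the ones used above.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed sample rows in the shape the tstats search emits after `rename All_Traffic.* as *`
# and `rename _time as time` (epoch seconds; one internal host talking to two external hosts).
ROWS = [
    {"time": 1700000000, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.7", "dest_port": 443, "protocol": "tcp", "count": 4, "bytes": 1200},
    {"time": 1700000060, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.7", "dest_port": 443, "protocol": "tcp", "count": 3, "bytes": 900},
    {"time": 1700000120, "src_ip": "10.1.2.3", "dest_ip": "198.51.100.9", "dest_port": 80, "protocol": "tcp", "count": 1, "bytes": 5000000},
    {"time": 1700000400, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.7", "dest_port": 443, "protocol": "tcp", "count": 5, "bytes": 1500},
]
SALT = b"placeholder-salt"  # placeholder: keep the real salt in a credential store, not in the search

def pseudonymize(ip: str) -> str:
    """Stable keyed pseudonym for an internal address: the analyst can map it back, the API cannot."""
    return "host-" + hmac.new(SALT, ip.encode(), hashlib.sha256).hexdigest()[:8]

def shape_rows(rows, span=300, max_rows=200):
    """Bucket to `span` seconds, aggregate, pseudonymize src_ip, keep the top `max_rows` by bytes."""
    agg = defaultdict(lambda: {"count": 0, "bytes": 0})
    for r in rows:
        key = (r["time"] - r["time"] % span, pseudonymize(r["src_ip"]),
               r["dest_ip"], r["dest_port"], r["protocol"])
        agg[key]["count"] += r["count"]
        agg[key]["bytes"] += r["bytes"]
    out = [dict(zip(("time", "src", "dest_ip", "dest_port", "protocol"), k), **v) for k, v in agg.items()]
    out.sort(key=lambda r: r["bytes"], reverse=True)        # cost control: keep the heaviest flows
    return sorted(out[:max_rows], key=lambda r: r["time"])   # then restore time order for the model

def build_request(rows, max_payload_chars=60000):
    """Build the JSON body the dfenrich call posts; refuse to send an oversized payload."""
    payload = json.dumps(shape_rows(rows), separators=(",", ":"))
    if len(payload) > max_payload_chars:
        raise ValueError(f"payload is {len(payload)} chars; tighten the scope or widen the span")
    prompt = ("Analyze this traffic and describe it to me, do you find anything unusual? "
              "What are usual traffic patterns and what stick out? " + payload)
    return {"model": "gpt-5-mini", "messages": [{"role": "user", "content": prompt}]}

if __name__ == "__main__":
    print(json.dumps(build_request(ROWS), indent=2))
```

In Splunk the same masking can be done with `eval` (for example a truncated `sha256()` of the source address) before the `tojson` stage, so the raw address never reaches the `dfenrich` call.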



If you’d like help implementing this or expanding it (e.g., automatic “unusual pattern” tickets, side-by-side pcap links, or enrichment from IPInfo/AbuseIPDB®), reach out at sales@dataflect.com.




Dataflect LLC

Denver, CO

USA

Dataflect LLC is in no way associated with Splunk, Inc. or any of its affiliates.

Splunk, Splunk>, and Turn Data Into Doing are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2025 Splunk Inc. All rights reserved.

© 2025 Dataflect LLC
