March 16, 2026 · Product · Splunk · AI · Security Analytics

Introducing Druv Prism — Natural Language Analytics for Splunk

Druv Prism Team · Product · 8 min read

If you've ever worked with Splunk, you know the feeling. You have a question — a perfectly clear, simple question like "How many failed login attempts did we get from outside the US in the last 24 hours?" — and somewhere between that question and an answer sits SPL.

SPL, Splunk's Search Processing Language, is powerful. It is also a skill that takes months to learn and years to master, and not everyone on a security or IT operations team has the time or background to develop it. The result is a bottleneck that shows up in almost every SOC and IT ops team we've talked to: a handful of people who can write SPL, and everyone else who has to ask them.

We built Druv Prism to remove that bottleneck.

What Druv Prism does

Druv Prism is a multi-tenant AI analytics platform that sits on top of your Splunk environment and lets your team ask questions in plain English. Type a question, get a verified answer, a chart, and the SPL query that produced it — all in seconds.

There is no syntax to learn. No query language to master. No waiting for the one person on the team who knows SPL to become available.

But natural language querying is only half the story. The part we're most proud of is what happens before the question is even asked.

The problem with every other NL-to-query tool

Most AI analytics tools work the same way: you ask a question, an LLM generates a query, and you hope it's right. The problem is that LLMs don't know what's actually in your Splunk environment. They don't know your index names, your sourcetypes, your custom field names, or the quirks of how your data is structured. So they guess — and guessing produces wrong field names, syntax errors, and queries that run but return nothing.

This is why SPL generation has historically been so unreliable. It's not a model quality problem. It's a context problem.

Druv Prism solves this with what we call the Schema Intelligence Layer.

Schema Intelligence: knowing your data before you ask

When you connect Druv Prism to your Splunk environment, it doesn't immediately start generating queries. First, it learns.

A background crawler automatically discovers every index, sourcetype, and field in your Splunk environment — no manual configuration required. It profiles each field: data type, sample values, null rate, cardinality. It uses an LLM to semantically annotate the results, giving each field a human-readable description and a semantic category. It identifies likely PII fields and flags them automatically.

The result is a continuously updated knowledge base of your specific Splunk data landscape, stored in a searchable vector index. When you ask a question, the system retrieves the most relevant fields from your environment and injects them directly into the query generation prompt.

The LLM isn't guessing anymore. It knows your field names because it looked them up.

This is why Druv Prism generates accurate SPL where generic LLM tools fail — and why accuracy improves the longer you use it, as the schema knowledge deepens and the system learns from your team's query patterns.
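The profiling and retrieval steps described above, as an added example that is not Druv Prism's own code: a field profiler (type, null rate, cardinality, sample values, PII flag), a stand-in for the LLM's annotation pass, and a ranker that picks the fields most relevant to a question and injects them into the generation prompt. The events, the annotations, the field names and the PII heuristic are all constructed for this example. One design choice of this example worth noting: sample values of fields flagged as PII are withheld from the prompt, since the model needs the field name and type to write SPL, not real user identifiers.

```python
"""Schema profiling and field retrieval for NL-to-SPL. Added example, not
Druv Prism code: events, annotations, field names and the PII heuristic
below are all constructed assumptions standing in for crawler/LLM output."""
import re
from collections import Counter

# Constructed sample events standing in for index=auth sourcetype=linux_secure.
EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.7", "action": "failure", "country": "DE", "email": "alice@example.com"},
    {"user": "bob", "src_ip": "198.51.100.2", "action": "success", "country": "US", "email": None},
    {"user": "carol", "src_ip": "203.0.113.9", "action": "failure", "country": "BR", "email": "carol@example.com"},
    {"user": "alice", "src_ip": "203.0.113.7", "action": "failure", "country": "DE", "email": None},
    {"user": "dave", "src_ip": None, "action": "failure", "country": "US", "email": "dave@example.com"},
]

# Stand-in for the LLM annotation pass: field -> (description, semantic category).
ANNOTATIONS = {
    "action": ("whether the login failed or succeeded", "auth_result"),
    "country": ("source country of the login as an ISO code such as US", "geo"),
    "src_ip": ("client IP address of the login", "network"),
    "user": ("account name that attempted to log in", "identity"),
    "email": ("email address of the account", "identity"),
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
STOP = {"how", "many", "did", "we", "get", "from", "the", "in", "of", "a", "an",
        "or", "as", "such", "that", "to"}


def infer_type(values):
    if values and all(isinstance(v, (int, float)) for v in values):
        return "number"
    if values and all(IPV4.match(str(v)) for v in values):
        return "ip"
    return "string" if values else "unknown"


def profile_fields(events):
    """Profile every field: type, null rate, cardinality, top samples, PII flag."""
    profiles = {}
    for name in sorted({k for e in events for k in e}):
        values = [e.get(name) for e in events]
        present = [v for v in values if v is not None]
        counts = Counter(present)
        ftype = infer_type(present)
        # Heuristic PII flag (the page says an LLM also annotates): an IP,
        # an email-shaped value or an account-name field counts as PII here.
        pii = ftype == "ip" or any(EMAIL.match(str(v)) for v in present) or name in {"user", "username"}
        profiles[name] = {
            "type": ftype,
            "null_rate": round(1 - len(present) / len(values), 2),
            "cardinality": len(counts),
            "samples": [v for v, _ in counts.most_common(3)],
            "pii": pii,
        }
    return profiles


def tokens(text):
    """Lower-case word tokens with a crude suffix strip so 'failed' meets 'fail'."""
    out = set()
    for w in re.findall(r"[a-z0-9]+", text.lower()):
        if w in STOP:
            continue
        if len(w) > 4 and w.endswith("ed"):
            w = w[:-2]
        elif len(w) > 3 and w.endswith("s"):
            w = w[:-1]
        out.add(w)
    return out


def rank_fields(question, profiles, annotations, top_k=3):
    """Top-k (field, overlap score) pairs for a question; zero-score fields are dropped."""
    q = tokens(question)
    scored = []
    for name, prof in profiles.items():
        desc, cat = annotations.get(name, (name, ""))
        # Field name, description, category and sample values all count as evidence.
        doc = tokens(f"{name} {desc} {cat} " + " ".join(str(s) for s in prof["samples"]))
        if len(q & doc):
            scored.append((name, len(q & doc)))
    scored.sort(key=lambda p: (-p[1], p[0]))
    return scored[:top_k]


def build_prompt(question, index, sourcetype, profiles, annotations, top_k=3):
    """Assemble the schema block that precedes the question in the generation
    prompt. Sample values of PII-flagged fields are withheld on purpose."""
    lines = [f"index={index} sourcetype={sourcetype}", "Relevant fields:"]
    for name, _ in rank_fields(question, profiles, annotations, top_k):
        p = profiles[name]
        desc, cat = annotations.get(name, (name, ""))
        samples = "withheld (PII)" if p["pii"] else ", ".join(map(str, p["samples"]))
        lines.append(f"- {name} ({p['type']}, {cat}, cardinality={p['cardinality']}, "
                     f"null_rate={p['null_rate']}): {desc}. Samples: {samples}")
    lines.append(f"Question: {question}")
    return "\n".join(lines)


if __name__ == "__main__":
    prof = profile_fields(EVENTS)
    print(build_prompt("How many failed login attempts did we get from outside the US in the last 24 hours?",
                       "auth", "linux_secure", prof, ANNOTATIONS))
```

For the question from the top of the post, the ranker selects `action`, `country` and `src_ip` (in that order) and the prompt shows `failure, success` and `DE, US, BR` as samples but withholds the IP addresses. A production system would replace the word-overlap scorer with the vector index the post describes; the profiling, the PII gate and the prompt layout stay the same.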

Queries that fix themselves

Even with perfect schema context, queries sometimes fail. A field name slightly off, a time range that returns no results, an aggregation that doesn't match the data structure. In most tools, that's a dead end — you get an error and start over.

Druv Prism uses an agentic execution loop with a built-in critic. When a query fails, the system doesn't stop. It reads the error, understands what went wrong, rewrites the query, and tries again — up to three times, automatically, before surfacing anything to you. If it runs but returns zero results, the agent investigates: it probes the data with simplified queries to check whether the data exists at all, then adjusts the original query to match reality.

Only when all automated recovery fails does Druv Prism pause and ask for your input — and when it does, it tells you exactly what it found and what assumption it needs you to confirm.

The experience from the user's side: you ask a question, and you get an answer. What happened in between — the retries, the self-correction, the schema lookups — is visible in a streaming thought process panel, but it doesn't block you.
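The execute, critique, retry and probe loop described in this section, as an added example that is not Druv Prism's own code. An in-memory executor stands in for Splunk, a rule-based `fix_error` stands in for the LLM critic, and every event, field, query and error message is constructed for the example; the trace list is what a thought-process panel would stream. The interesting case is the second one in the tests: a value that matches nothing and has no plausible replacement, where the loop stops and tells the user what it found instead of retrying blindly.

```python
"""Agentic execute / critique / retry loop for generated SPL. Added example,
not Druv Prism code: the in-memory executor stands in for Splunk, the
rule-based critic stands in for the LLM, and every event, field, query and
error message is constructed for this example."""
import os
import re

MAX_ATTEMPTS = 3
KNOWN_COMMANDS = ["search", "stats"]

# Constructed events in index=auth. The outcome field is 'action' and its
# failure value is 'failure' (not 'failed'); a naive generator gets this wrong.
EVENTS = [
    {"action": "failure", "country": "DE"},
    {"action": "failure", "country": "BR"},
    {"action": "success", "country": "US"},
    {"action": "failure", "country": "US"},
]


class SPLError(Exception):
    """Simulated Splunk error carrying a command-name style message."""


def parse(query):
    """Toy parser for `search index=auth f=v g!=w | stats count`.
    Returns (filters, command); raises SPLError on an unknown command."""
    head, _, tail = query.partition("|")
    m = re.match(r"\s*search\s+(.*)", head)
    if not m:
        raise SPLError(f"Unknown search command '{head.split()[0]}'")
    filters = []
    for tok in m.group(1).split():
        op = "!=" if "!=" in tok else "="
        k, v = tok.split(op, 1)
        if k != "index":
            filters.append((k, op, v))
    cmd = tail.strip()
    if cmd != "stats count":
        raise SPLError(f"Unknown search command '{cmd.split()[0] if cmd else ''}'")
    return filters, cmd


def fake_splunk(query):
    """Row count the toy query produces. As in real Splunk, an unknown field
    or value does not raise an error; it simply matches nothing."""
    filters, _ = parse(query)

    def keep(e):
        return all(e.get(k) == v if op == "=" else e.get(k) != v for k, op, v in filters)

    return sum(1 for e in EVENTS if keep(e))


def fix_error(query, message):
    """Stand-in for the LLM critic reading an error. Knows one repair: a
    mistyped command is replaced by the known command it abbreviates."""
    m = re.search(r"Unknown search command '(\w+)'", message)
    if not m:
        return None
    bad = m.group(1)
    for good in KNOWN_COMMANDS:
        if good != bad and good.startswith(bad):
            return re.sub(rf"\b{re.escape(bad)}\b", good, query)
    return None


def probe_zero_results(query):
    """Drop one filter at a time and re-run the simplified query. The filter whose
    removal makes rows appear is the culprit; if a known value of that field shares
    a prefix with the bad value, propose it. Returns (culprit, replacement or None)."""
    filters, cmd = parse(query)
    for k, op, v in filters:
        rest = [f for f in filters if f != (k, op, v)]
        simplified = "search index=auth " + " ".join(f"{a}{o}{b}" for a, o, b in rest) + " | " + cmd
        if fake_splunk(simplified) > 0:
            culprit = f"{k}{op}{v}"
            for cand in sorted({str(e[k]) for e in EVENTS if k in e}):
                if cand != v and len(os.path.commonprefix([cand.lower(), v.lower()])) >= 3:
                    return culprit, f"{k}{op}{cand}"
            return culprit, None
    return None, None


def run_agent(question, query):
    """Execute, read the error, rewrite, retry (at most MAX_ATTEMPTS); on zero rows
    probe before retrying. Returns a dict the UI can render: 'trace' is what a
    thought-process panel would stream, 'ask' is the question put to the user."""
    trace = []
    for attempt in range(1, MAX_ATTEMPTS + 1):
        try:
            count = fake_splunk(query)
        except SPLError as e:
            trace.append(f"attempt {attempt}: error: {e}")
            fixed = fix_error(query, str(e))
            if fixed is None:
                return {"status": "needs_user", "query": query, "trace": trace,
                        "ask": f"The query fails with \"{e}\" and I could not repair it. Please correct it."}
            query = fixed
            continue
        if count > 0:
            trace.append(f"attempt {attempt}: {count} rows")
            return {"status": "ok", "query": query, "count": count, "trace": trace}
        trace.append(f"attempt {attempt}: zero rows, probing filters")
        culprit, replacement = probe_zero_results(query)
        if replacement is None:
            why = (f"the filter {culprit} matches nothing in index=auth and no similar value exists"
                   if culprit else "no single filter explains the empty result")
            return {"status": "needs_user", "query": query, "trace": trace,
                    "ask": f"No events match: {why}. Confirm what you meant."}
        trace.append(f"{culprit} matches nothing; trying {replacement}")
        query = query.replace(culprit, replacement)
    return {"status": "needs_user", "query": query, "trace": trace,
            "ask": f"Gave up after {MAX_ATTEMPTS} attempts; last query: {query}"}


if __name__ == "__main__":
    print(run_agent("failed logins from outside the US",
                    "search index=auth action=failed country!=US | stat count"))
```

The first run uses all three attempts: the typo `stat` is repaired from the error message, the zero-row result is traced to `action=failed` by dropping filters one at a time, and `action=failure` is substituted from the values actually present. Note that the whole trace is returned, not just the answer, so the user can see which assumption was made on their behalf.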

Built for teams who can't send data to the cloud

A significant portion of the organizations that need this the most — government agencies, defense contractors, healthcare systems, financial institutions — operate under data sovereignty requirements that make cloud-based AI tools a non-starter. They can't send their log data to an external LLM API. Full stop.

Druv Prism is the only natural language Splunk analytics platform with first-class support for fully local, air-gapped LLM deployment.

Using Ollama, the entire AI stack — query generation, schema annotation, answer synthesis — runs inside your environment. No data leaves. No external API calls. The same continuous learning capabilities, the same schema intelligence, the same agentic query loop — all running on hardware you control.

For teams in regulated industries, this isn't a nice-to-have. It's the only path to using AI at all.

Gets better over time

Druv Prism is designed to compound. Every query your team runs produces signal. Every correction, every thumbs-down, every time someone edits the generated SPL before running it — all of that is captured, reviewed, and fed back into the system.

A curated library of your team's validated (question → correct SPL) pairs grows over time, retrieved dynamically and injected into future queries as examples. Prompt versions are A/B tested against real traffic before promotion. The schema registry deepens as your team reviews and verifies field annotations.

The platform that serves your team in month twelve is measurably more accurate than the one they started with. That's not a marketing claim — it's an architectural property.
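The feedback loop described above, as an added example that is not Druv Prism's own code: raw signals (an edited query, a thumbs-down) go to a review queue, only reviewed pairs enter the example library, and retrieval for a new question is restricted to the asking tenant. The review gate, the storage layout, the tenant names and every question and SPL string are constructed for this example. The tenant restriction is the check a practitioner should insist on in a multi-tenant store: a few-shot example is the other tenant's question and query verbatim, so cross-tenant retrieval would leak one customer's index names and investigations into another's prompt.

```python
"""Feedback capture and tenant-scoped few-shot retrieval of validated
(question -> SPL) pairs. Added example, not Druv Prism code: the review
gate, storage layout and every question and SPL string are constructed."""
import re
from dataclasses import dataclass

STOP = {"how", "many", "the", "from", "in", "by", "for", "a", "of"}


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOP


@dataclass
class Feedback:
    """One signal from a user: the SPL the platform generated, the SPL actually
    run (edited or not), an optional thumbs rating ("up"/"down"/""), and whether
    a reviewer has confirmed that final_spl answers question."""
    tenant: str
    question: str
    generated_spl: str
    final_spl: str
    rating: str = ""
    reviewed: bool = False


class ExampleLibrary:
    def __init__(self):
        self._pairs = []  # (tenant, question, spl); a real store would be indexed

    def record(self, fb):
        """Admit a pair only after human review; an unreviewed edit or thumbs-up is
        a lead for the review queue, not ground truth. Returns True if admitted."""
        if fb.reviewed and fb.rating != "down":
            self._pairs.append((fb.tenant, fb.question, fb.final_spl))
            return True
        return False

    @staticmethod
    def needs_review(fb):
        """Signals worth a reviewer's time: the user edited the SPL or rated it down."""
        return not fb.reviewed and (fb.final_spl != fb.generated_spl or fb.rating == "down")

    def retrieve(self, tenant, question, k=2):
        """Top-k examples for a question, restricted to the caller's tenant: another
        tenant's pairs must never surface in this tenant's prompt."""
        q = tokens(question)
        scored = [(len(q & tokens(qq)), qq, spl) for t, qq, spl in self._pairs if t == tenant]
        scored = sorted((s for s in scored if s[0] > 0), key=lambda s: (-s[0], s[1]))
        return [(qq, spl) for _, qq, spl in scored[:k]]

    def few_shot_block(self, tenant, question, k=2):
        """Render retrieved pairs as the examples section of a generation prompt."""
        lines = []
        for qq, spl in self.retrieve(tenant, question, k):
            lines += [f"Q: {qq}", f"SPL: {spl}"]
        return "\n".join(lines)


def demo_library():
    """Build a library from constructed feedback. The globex pair is the closest
    textual match for the acme question in the tests and must still be excluded
    for acme. Returns (library, admitted flags, review queue)."""
    lib = ExampleLibrary()
    signals = [
        Feedback("acme", "failed logins by user in the last 24 hours",
                 "search index=auth action=failed | stats count by user",
                 "search index=auth action=failure earliest=-24h | stats count by user",
                 rating="up", reviewed=True),
        Feedback("acme", "top source countries for failed logins",
                 "search index=auth action=failure | stats count by country",
                 "search index=auth action=failure | stats count by country | sort -count",
                 rating="up", reviewed=True),
        Feedback("acme", "failed logins from outside the US",
                 "search index=auth action=failure country!=US | stats count",
                 "search index=auth action=failure country!=US | stats count",
                 rating="down"),  # rated down and not yet reviewed: queued, not admitted
        Feedback("globex", "failed logins from outside the US",
                 "search index=globex_auth action=failure | stats count",
                 "search index=globex_auth action=failure country!=US | stats count",
                 reviewed=True),
    ]
    admitted = [lib.record(fb) for fb in signals]
    return lib, admitted, [fb for fb in signals if ExampleLibrary.needs_review(fb)]


if __name__ == "__main__":
    lib, _, _ = demo_library()
    print(lib.few_shot_block("acme", "how many failed logins came from outside the US"))
```

Prompt version A/B testing, which the post also mentions, is deliberately left out here; it lives in the serving layer rather than in the library.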

Who Druv Prism is for

We built this for the Splunk users who are not SPL experts. If your team uses Splunk and has ever said "I wish I could just ask it a question," Druv Prism was built for you.


What's next

If you're curious about what Druv Prism could do for your team, we'd love to show you. See the Schema Intelligence Layer in action and walk through a live query in a quick 30-minute demo.


The bottleneck between your team and your data shouldn't be a query language. We're here to remove it.


Druv Prism is a multi-tenant AI analytics platform for security and IT operations teams. Natural language querying, automated schema discovery, agentic self-healing, and continuous learning — built for teams who run Splunk.