The Agentic Intelligence layer for Splunk.
Connect agents to live Splunk context. Generate SPL, onboard data, audit CIM coverage, and govern changes through MCP.
€5 monthly credits · No credit card · First agent in 30 minutes
Splunk is the most powerful observability tool you can't use.
Generic AI is already loose in your SOC. Splunk's own 2024 survey of 1,650 security executives found 91% of security teams using public generative AI in cybersecurity operations[1]. That adoption is moving faster than governance, which makes context-blind AI risky for production Splunk work.
In the same survey, 65% of security professionals admit they don't fully understand the implications of the GenAI tools their teams are running[2]. And 34% of organizations have no GenAI policy at all[3] — leaving many teams without a clear review trail for AI-assisted operational work.
Generic AI doesn't see your indexes, your sourcetypes, your extractions, or your apps. It hallucinates SPL that looks right, cites fields that don't exist, and produces queries that quietly return zero rows. That's not a productivity tool. That's a new category of incident.
Numbers from the Splunk State of Security 2024 survey (1,650 respondents, 9 countries, 16 industries). Full verbatim quotes and methodology on the sources page.
Diagnose. Explain. Generate.
One loop. Live MCP access to your Splunk environment. Every step inspectable, every recommendation justified, every change reviewable.
How it works
- Fig 3.1: Diagnose
The agent connects to your live Splunk via MCP, inspects real indexes, sourcetypes, and field extractions, and forms a hypothesis from your data, not from a generic SPL textbook.
- Fig 3.2: Explain
Every step is shown: the search that ran, the rows it returned, the field it correlated against. Reviewers see why a recommendation exists before they decide whether to ship it.
- Fig 3.3: Generate
Once the agent and reviewer agree on the diagnosis, it produces SPL, config packages, reports, or change plans, annotated and gated by your review process.
Production-grade SPL, every time.
Generated from live indexes, sourcetypes, fields, and CIM context. Every line is annotated so a reviewer can approve it, edit it, or push back with specifics.
```spl
# Indexer queue saturation around 14:30 UTC, scoped to AWS CloudTrail.
index=_internal source="*metrics.log" group=queue name=indexqueue
| where current_size_kb > 0
| timechart span=1m max(current_size_kb) as queue_kb by host
| eval saturation = if(queue_kb > 500000, "saturated", "ok")
```

Line-by-line annotations as the reviewer sees them:
- Comment line: names the diagnosis up front. Reviewers know what they're verifying before reading a pipe.
- `index=_internal ... name=indexqueue`: targets Splunk's own `_internal` index; the metrics.log queue stats are the canonical source for indexer-side backpressure.
- `| where current_size_kb > 0`: drops zero-fill rows so timecharts don't average to noise during quiet windows.
- `| timechart span=1m ... by host`: per-host queue depth at 1-minute resolution, fine enough to catch the spike and coarse enough to render in a dashboard panel.
- `| eval saturation = ...`: the threshold can come from your existing alert policy instead of a generic default. The reviewer sees the assumption before saving anything.
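The failure mode described earlier, SPL that cites fields that don't exist and quietly returns zero rows, is something a reviewer can check mechanically before approving. The following is an added example, not code from this product or from Splunk: a small Python linter that walks a query stage by stage and flags any field read that is neither in the sourcetype's field inventory nor defined by an earlier `eval` or `as` alias. The inventory (`KNOWN_FIELDS`) and the hallucinated counter-example are constructed; in practice the inventory would come from a `fieldsummary` run against the live sourcetype.

```python
import re

# Constructed field inventory (assumed names), standing in for a live fieldsummary result.
KNOWN_FIELDS = {"_time", "index", "source", "sourcetype", "host", "group", "name",
                "current_size_kb", "max_size_kb", "largest_size", "smallest_size"}
FUNCS = {"if", "max", "min", "avg", "sum", "count", "dc", "coalesce", "isnull", "round"}
NOT_FIELDS = {"as", "by", "earliest", "latest"}      # keywords and time modifiers
IDENT = re.compile(r"(?<![\w.])[A-Za-z_]\w*")

def split_top(s, sep):
    """Split on sep at parenthesis depth 0 (eval arguments contain commas)."""
    out, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        cur, out = ("", out + [cur]) if ch == sep and depth == 0 else (cur + ch, out)
    return out + [cur]

def check_spl(spl, known=KNOWN_FIELDS):
    """Return [(stage_no, field)] for each field a stage reads that neither the inventory
    nor an earlier eval / 'as' alias defines; [] means the query references only real fields."""
    defined, unknown = set(known), []
    body = "\n".join(l for l in spl.splitlines() if not l.lstrip().startswith("#"))
    body = re.sub(r'"[^"]*"', '""', body)            # string literals are not field names
    for n, stage in enumerate(s.strip() for s in split_top(body, "|") if s.strip()):
        cmd, _, args = stage.partition(" ")
        refs, new = [], []
        if n == 0 or cmd == "search":                # base search: field=value terms
            refs = re.findall(r"(\w+)\s*=", stage)
        elif cmd == "eval":                          # lhs defines a field, rhs reads fields
            for lhs, _, rhs in (a.partition("=") for a in split_top(args, ",")):
                refs += IDENT.findall(rhs); new.append(lhs.strip())
        elif cmd in ("timechart", "stats", "chart"):
            args = re.sub(r"\b\w+=\S+", "", args)    # drop options such as span=1m
            for _fn, inner, alias in re.findall(r"(\w+)\(([^)]*)\)(?:\s+as\s+(\w+))?", args):
                refs += IDENT.findall(inner); new += [alias] if alias else []
            m = re.search(r"\bby\s+(.+)$", args)
            refs += IDENT.findall(m.group(1)) if m else []
        else:                                        # where, table, fields, sort, ...
            refs = IDENT.findall(args)
        unknown += [(n, f) for f in refs if f not in defined | FUNCS | NOT_FIELDS]
        defined.update(new)                          # aliases are visible to later stages only
    return unknown

PAGE_SPL = """# Indexer queue saturation around 14:30 UTC, scoped to AWS CloudTrail.
index=_internal source="*metrics.log" group=queue name=indexqueue
| where current_size_kb > 0
| timechart span=1m max(current_size_kb) as queue_kb by host
| eval saturation = if(queue_kb > 500000, "saturated", "ok")"""
# Constructed counter-example: reads a field this sourcetype does not expose.
HALLUCINATED_SPL = 'index=_internal source="*metrics.log" group=queue\n| where queue_size_kb > 0\n| stats max(queue_size_kb) as peak by host'
print(check_spl(PAGE_SPL), check_spl(HALLUCINATED_SPL))
```

The page's query passes clean, while the counter-example is flagged at both the `where` and `stats` stages, which is exactly the kind of zero-row query a reviewer would otherwise only notice after deployment.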
Built for Splunk teams that need proof.
High-signal places where an agentic intelligence layer changes the operating model for Splunk teams.
Standard onboarding work gets compressed
GDI agents generate configs, propose CIM mappings, and prepare reviewer-ready packages so engineers spend less time hand-writing standard onboarding artifacts.
Observed impact
A standard log source can move from about 2 days of manual engineering to about 1 hour of automated generation and CIM mapping before ITSM review.
CIM gap work scales beyond spreadsheets
CIM Compliance Agent and DAP help teams audit sourcetypes, draft remediation, and push approved change plans instead of tracking gaps one search at a time.
Observed impact
A 500-sourcetype CIM audit that can take 3-6 months manually can be automated in hours, with one-off custom SPL searches reduced by 60-80% for gap work.
Fleet operations become proactive
Insights Nodes, DAP, and workflow agents turn health checks, certificate monitoring, and rollout tracking into governed operating rhythms.
Observed impact
Certificate issues can shift from reactive discovery to proactive 90-day alerts; weekly admin overhead of 8-15 hours per engineer can be largely freed.
Incidents start with a structured brief
Data Explorer, Search Ninja, and DAP context gather the evidence first, then summarize what changed and what to check next.
Observed impact
Manual context gathering that often takes 20-40 minutes can become a structured brief in under 5 minutes, supporting up to 8x faster response.
Estimates based on Deslicer customer observations and Splunk practitioner experience for environments running full manual pipelines without automation tooling. Actual results vary by log format complexity, team size, and existing tooling. Time and percentage claims apply to standard log formats; complex or proprietary sources take longer.
The Splunk rituals that disappear.
Manual handoffs a Splunk team can shrink once agents, workflows, and governed change plans handle the repeatable parts.
Writing 200-line SPL by hand and then debugging it for an hour
Agents inspect live indexes, sourcetypes, fields, and CIM context before generating SPL you can run, review, and revise.
Onboarding new analysts on SPL syntax with stale runbooks
New analysts ask the agent in plain English. The agent answers and shows the SPL it ran, so they learn the syntax on real production work.
Manually correlating events across three indexes with copy-pasted timestamps
Cross-index correlation is one tool call. The agent inspects every relevant sourcetype and returns the joined view with the SPL that produced it.
Maintaining a private Notion of 'tribal SPL recipes' so the team isn't blocked when one engineer is on PTO
Every diagnostic the agent runs is logged with the question, the SPL, and the diagnosis — searchable, attributable, and never trapped in someone's DMs.
Scrambling to assemble compliance evidence the week before an audit
CIM audits, DAP change plans, workflow runs, and approvals stay attached to the work. Audit evidence becomes the byproduct, not the scramble.
Filing a ticket and waiting two weeks for a Splunk admin to onboard a new data source
The GDI agent analyzes sample logs, generates the multi-app Splunk package, validates Magic 8 coverage, and sends the config archive into review.
Connect the systems your teams already use.
Start with Splunk MCP, Regex for Splunk, GitHub, Slack, and the Observer API. Add marketplace or custom MCP servers when agents need access to another system.
Splunk, reimagined.
Available today.
Connect Splunk, choose a purpose-built agent, and turn the first source, audit, or runbook into governed work. SaaS is managed; on-premise runs inside your network when data residency requires it.
€5 monthly credits · No credit card · Cloud SaaS or on-premise