Deslicer
All use cases
Use case

Onboard data and keep CIM coverage compliant with one agent loop

Standard log onboarding work compresses from days to under an hour while CIM coverage stays above your target. The GDI Onboarding Agent generates Splunk app packages, the CIM Compliance Agent scores and remediates the schema, and the Deslicer Automation Platform (DAP) governs every config edit through a reviewer-approved change plan.

Last updated .

Outcomes you can expect

  • Standard log onboarding shifts from about 2 days of manual engineering to about 1 hour of governed automation before ITSM review.
  • CIM coverage scoring becomes a continuous metric, not an annual audit.
  • Every config change ships through DAP with reviewer approval, dry-run, and audit trail.
  • GDI artifacts (props.conf, transforms.conf, serverclass.conf) land Magic 8-compliant on first generation.

Estimates based on Deslicer customer observations and Splunk practitioner experience for environments running full manual pipelines. Actual results vary by environment complexity, team size, and existing tooling.

How the workflow runs

  1. 1

    Provide the data sample

    Paste or upload a sample of the new data source, then name the application, expected volume, and retention target. The GDI Onboarding Agent uses this metadata to bias its later proposals — for example, electing a sourcetype name that aligns with your existing TA conventions instead of inventing a new one.

  2. 2

    Generate the multi-app config package

    The agent produces a four-app layout per sourcetype — `_inputs`, `_indexer`, `_search`, `_deployment` — and writes inputs.conf, props.conf, transforms.conf, tags.conf, and serverclass.conf with Magic 8 best practices applied. Every config is annotated so reviewers can read intent, not just stanzas.

  3. 3

    Score CIM coverage and remediate

    The CIM Compliance Agent inspects the existing sourcetype against the relevant CIM data model, scores compliance from 0 to 100, and drafts field-extraction and tagging fixes. Configs scoring below 90 are iterated automatically before the package is finalized for review.

  4. 4

    Run a Splunk readiness check

    With the Splunk MCP integration connected, the agent verifies that the target index exists, no sourcetype collision is pending, and the forwarder hosts are reachable. Pass / warn / fail results appear inline with recommended actions, blocking finalization on critical fails.

  5. 5

    Draft a DAP change plan

    The agent attaches the generated config edits to a DAP change plan with a name, description, and target host group. A confirmation card appears in chat that lists every change item grouped by host, app, file, and stanza. Reviewers approve or reject the card before any change is staged.

  6. 6

    Execute under governance

    Once approved, the plan transitions through executing → completed with per-host status, dry-run replay, and a queryable execution log. If a node fails, the plan surfaces the failing host so the reviewer can re-run only the impacted segment instead of restarting the entire rollout.

  7. 7

    Schedule recurring compliance runs

    Promote the CIM Compliance Agent into a scheduled workflow so the score is recomputed daily or weekly across your fleet. Drift triggers a fresh DAP change plan automatically, keeping coverage compliant between major releases without manual audit cycles.

References

Run this use case in your environment

Start free, connect a Splunk environment, and run the workflow with a reviewer-approved DAP change plan from the first execution.

Start a managed onboarding run