splunk-assistant
Central hub and router for Splunk Assistant Skills. Routes requests to 17 CLI command groups using 3-level progressive disclosure.
Purpose
Routes natural language requests to specialized Splunk skills based on intent. Provides connection verification, authentication validation, and execution strategy recommendations.
Risk Levels
| Operation | Risk | Notes |
|---|---|---|
| Get server info | - | Read-only |
| Verify connection | - | Read-only |
| Route to skill | - | Navigation only |
Triggers
- Any Splunk-related request
- "splunk", "search", "query", "SPL"
- Connection/authentication issues
- General Splunk questions
Progressive Disclosure
Level 1: Essential Connection & Identification
- Verify Search Head connection on management port 8089 via HTTPS
- Validate JWT Bearer token or Basic Auth credentials
- Detect deployment type (Cloud vs on-prem)
- Route to appropriate specialized skill
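The Level 1 checks, as an added Python example that is not part of the splunk-assistant skill or the `splunk-as` CLI. It talks to the REST endpoint `/services/server/info` on port 8089 over HTTPS with TLS verification left on, reads the unverified `exp` claim of the bearer JWT as a client-side pre-flight expiry check (the server stays the authority on token validity), and classifies the deployment by hostname. The `.splunkcloud.com` suffix rule, the `_make_unsigned_jwt` helper and the `SAMPLE_INFO` response body are constructed assumptions for this example.

```python
"""Pre-flight checks for a Splunk search head, following the Level 1 steps.

Added example; not code from the splunk-assistant skill or the splunk-as CLI.
Assumptions: management port 8089 over HTTPS (as the page states), a bearer
token that is a standard JWT carrying an ``exp`` claim, and a hostname ending
in ``.splunkcloud.com`` treated as Splunk Cloud (a heuristic for this example).
"""
import base64
import json
import ssl
import time
import urllib.request
from typing import Dict, Optional, Tuple

INFO_PATH = "/services/server/info?output_mode=json"


def jwt_expiry(token: str) -> Optional[int]:
    """Return the ``exp`` claim of a compact JWT, or None if it has none.

    Only the payload is decoded; the signature is NOT verified. An expired
    token would be rejected with HTTP 401 anyway, so this is a cheap hint
    before the network call, never an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    exp = claims.get("exp")
    return int(exp) if exp is not None else None


def token_is_expired(token: str, now: Optional[float] = None) -> bool:
    exp = jwt_expiry(token)
    if exp is None:
        return False  # no expiry claim: let the server decide
    return exp <= (time.time() if now is None else now)


def classify_deployment(host: str) -> str:
    """Hostname heuristic (assumption): Splunk Cloud stacks live under splunkcloud.com."""
    return "cloud" if host.lower().rstrip(".").endswith(".splunkcloud.com") else "on-prem"


def build_info_request(host: str, token: str, port: int = 8089) -> Tuple[str, Dict[str, str]]:
    url = f"https://{host}:{port}{INFO_PATH}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return url, headers


def parse_server_info(body: bytes) -> Dict[str, Optional[str]]:
    """Pull the fields the Level 1 report prints out of a server/info response."""
    content = json.loads(body)["entry"][0]["content"]
    return {
        "server_name": content.get("serverName"),
        "version": content.get("version"),
        "build": content.get("build"),
    }


def verify_connection(host: str, token: str, ca_bundle: Optional[str] = None,
                      timeout: float = 10.0) -> Dict[str, Optional[str]]:
    """Network call: contact the search head and return its identity.

    TLS verification stays on; for a private CA pass ``ca_bundle`` instead of
    disabling verification, otherwise the bearer token could be replayed by
    anyone able to interpose on the management port.
    """
    if token_is_expired(token):
        raise PermissionError("bearer token has already expired; issue a new one")
    url, headers = build_info_request(host, token)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        info = parse_server_info(resp.read())
    info["deployment"] = classify_deployment(host)
    return info


def _make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for demonstration only (empty signature segment)."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed server/info body in the shape the REST API returns (trimmed).
SAMPLE_INFO = json.dumps({"entry": [{"content": {
    "serverName": "sh1", "version": "9.1.0", "build": "constructed"}}]}).encode()


if __name__ == "__main__":
    tok = _make_unsigned_jwt({"sub": "admin", "exp": int(time.time()) + 3600})
    print("expired:", token_is_expired(tok))
    print(parse_server_info(SAMPLE_INFO), classify_deployment("acme.splunkcloud.com"))
```

Run `verify_connection("splunk.example.com", token)` against a real search head; the offline helpers are what the `__main__` section exercises.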
Level 2: Execution Mode Strategy
| Mode | Use Case | Characteristics |
|---|---|---|
| Oneshot | Ad-hoc queries | Results inline in the response, no SID, minimal disk I/O |
| Normal | Long searches | Returns SID immediately, poll for results, progress tracking |
| Blocking | Simple queries | Synchronous: the call returns the SID only once the search has completed |
| Export | Large extracts | Streaming, checkpoint support, ETL |
Level 3: Advanced Optimization & Resource Governance
- Time Modifiers: Always enforce `earliest_time` and `latest_time`
- Field Reduction: Insert a `fields` command to limit data transfer
- Resource Cleanup: Issue `/control/cancel` after results are consumed
- Error Handling: Use `strict=true` for clear errors instead of incomplete data
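The mode table and the Level 3 rules together, as one added Python example that is not the skill's or the CLI's own code. It builds the form parameters for `POST /services/search/jobs` (`exec_mode` oneshot, blocking or normal) or `/services/search/jobs/export` for streaming, refuses a search that lacks either time bound, appends a `| fields` command, and builds the `action=cancel` control request for a SID. The `needs_cancel` helper, the SID character pattern and the sample searches are assumptions of this example; the page's `strict=true` option is left to the CLI and not modelled here.

```python
"""Search-job request builder following the mode table and the Level 3 rules.

Added example; not code from the splunk-assistant skill or the splunk-as CLI.
Targets the Splunk REST API: POST /services/search/jobs with exec_mode
oneshot|blocking|normal, POST /services/search/jobs/export for streaming,
and POST /services/search/jobs/<sid>/control with action=cancel.
"""
import re
from typing import Dict, Iterable, Optional
from urllib.parse import urlencode

JOBS = "/services/search/jobs"
EXEC_MODES = ("oneshot", "blocking", "normal")
# Conservative SID pattern (assumption): the SID is interpolated into a URL
# path, so anything outside this set is rejected rather than risk path games.
SID_RE = re.compile(r"[A-Za-z0-9._-]+")


def normalize_spl(spl: str) -> str:
    """The jobs endpoint needs the string to start with 'search' or a pipe."""
    s = spl.strip()
    if not s:
        raise ValueError("empty SPL")
    if s.startswith("|") or s.lower().startswith("search "):
        return s
    return "search " + s


def with_fields(spl: str, fields: Iterable[str]) -> str:
    """Append '| fields a, b' so only the needed columns leave the search head."""
    names = [f.strip() for f in fields if f and f.strip()]
    for name in names:
        if "|" in name or any(ch.isspace() for ch in name):
            raise ValueError(f"invalid field name: {name!r}")
    return f"{spl} | fields {', '.join(names)}" if names else spl


def build_job_request(spl: str, mode: str, earliest: str, latest: str,
                      fields: Optional[Iterable[str]] = None) -> Dict[str, object]:
    """Return method, path and form parameters for one search in the given mode.

    Both time bounds are mandatory: an unbounded search is a full index scan.
    """
    if not earliest or not latest:
        raise ValueError("earliest_time and latest_time must both be set")
    search = normalize_spl(spl)
    if fields:
        search = with_fields(search, fields)
    params: Dict[str, str] = {
        "search": search,
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": "json",
    }
    if mode == "export":
        # Streaming endpoint: results arrive in the response body, no polling.
        return {"method": "POST", "path": JOBS + "/export", "params": params}
    if mode not in EXEC_MODES:
        raise ValueError(f"unknown mode {mode!r}")
    params["exec_mode"] = mode
    return {"method": "POST", "path": JOBS, "params": params}


def needs_cancel(mode: str) -> bool:
    """Only normal and blocking hand back a SID to clean up; oneshot and export
    deliver results directly in the response (assumption for the cleanup rule)."""
    return mode in ("normal", "blocking")


def cancel_request(sid: str) -> Dict[str, object]:
    """Control request that releases the job's dispatch artifacts on the server."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"refusing SID with unexpected characters: {sid!r}")
    return {"method": "POST", "path": f"{JOBS}/{sid}/control",
            "params": {"action": "cancel"}}


def encode_body(params: Dict[str, str]) -> bytes:
    """Form-encode the parameters for the HTTP request body."""
    return urlencode(params).encode()


if __name__ == "__main__":
    # Constructed sample searches.
    req = build_job_request("index=main error", "normal", "-24h", "now",
                            fields=["_time", "host"])
    print(req["path"], encode_body(req["params"]).decode())
    exp = build_job_request("| tstats count where index=main by sourcetype",
                            "export", "-1h", "now")
    print(exp["path"], exp["params"]["search"])
    print(cancel_request("1703779200.12345"))
```

Send the returned `params` with `encode_body` as the POST body and the `Authorization` header from the connection step; for normal and blocking mode keep the SID from the response and issue `cancel_request(sid)` once the results have been read.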
CLI Command Groups
| CLI Command | Skill | Description |
|---|---|---|
| search | splunk-search | Execute SPL query |
| job | splunk-job | Job lifecycle management |
| export | splunk-export | Large data export |
| metadata | splunk-metadata | Index/source discovery |
| lookup | splunk-lookup | Lookup management |
| tag | splunk-tag | Tag operations |
| savedsearch | splunk-savedsearch | Saved searches/reports |
| alert | splunk-alert | Alert management |
| admin | splunk-rest-admin | REST/Server administration |
| security | splunk-security | Token/RBAC/ACL |
| metrics | splunk-metrics | Metrics (mstats) |
| app | splunk-app | App management |
| kvstore | splunk-kvstore | KV Store |
| dashboard | - | Dashboard management |
| input | - | Data input management |
| user | - | User management |
| config | - | Configuration management |
| completion | - | Shell completion (utility) |
Connection Verification
```bash
# Get server information (verify connection)
splunk-as admin info

# Get server status
splunk-as admin status

# Get server health status
splunk-as admin health
```
Examples
Verify Connection
```bash
splunk-as admin info
# Output:
# ✓ Connected to splunk.example.com:8089
# ✓ Authentication: Bearer token valid
# ✓ Deployment: Splunk Enterprise 9.1.0
# ✓ User: admin (capabilities: search, admin_all_objects)
```
Get Server Info
```bash
splunk-as admin info --output json
# Output: Server version, build, OS, cluster status, etc.
```
Common CLI Commands
```bash
# Search commands
splunk-as search oneshot "index=main | head 10"
splunk-as search normal "index=main | stats count" --wait

# Job management
splunk-as job list
splunk-as job status 1703779200.12345

# Metadata discovery
splunk-as metadata indexes
splunk-as metadata sourcetypes --index main

# Security
splunk-as security whoami
```
Best Practices
- Always include time bounds - Prevent full index scans
- Reduce fields - Add a `fields` command to limit data transfer
- Choose the appropriate mode - Oneshot for ad-hoc, Export for ETL
- Clean up resources - Cancel jobs when done
- Handle errors gracefully - Use the error hierarchy
Related Skills
- splunk-job - Job lifecycle
- splunk-search - Query execution
- splunk-security - Authentication