# Splunk Analyzer
Automate Splunk searches via browser and analyze exported results.
## Configuration

```
SPLUNK_URL: https://your-splunk-instance.com
```
## Workflow

### 1. Navigate to Splunk

```
Navigate to: {SPLUNK_URL}/en-US/app/search/search
If login page appears, inform user: "Please authenticate in the browser. Let me know when you're logged in."
```
### 2. Build SPL Query

Convert natural language to SPL. See references/spl-patterns.md for patterns.

Query structure:

```spl
index=<index> sourcetype=<sourcetype> <filters> | <transformations>
```
If user provides raw SPL, use it directly.
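A hypothetical helper, added here as an example and not part of this skill or its references, that assembles the query structure above from the pieces extracted from the request. Index and sourcetype names, field names and time modifiers are checked against assumed patterns, and every user-supplied value is double-quoted with `"` and `\` escaped, so a value containing a pipe stays a literal and cannot append a pipeline stage. `build_spl`, `quote_value` and the regexes are assumptions of this example; the transformation stages are expected to come from the agent's own templates, not from free text.

```python
"""Hypothetical SPL assembly helper (added example, not the skill's own code).

It fills the structure from step 2 -- index, sourcetype, filters, then
pipeline stages -- and quotes every user-supplied value so that a value
containing '"' or '|' stays a literal instead of becoming a new stage."""
import re

# Assumed character sets: plain field names, and index/sourcetype names that
# may carry a wildcard (as in index=* from the Quick Reference).
_FIELD_RE = re.compile(r"^[A-Za-z_][\w.]*$")
_NAME_RE = re.compile(r"^[\w.:*-]+$")
# Assumed subset of Splunk relative-time syntax, e.g. -1h, -24h@h, now.
_TIME_RE = re.compile(r"^(now|-?\d+(s|m|h|d|w|mon)(@(s|m|h|d|w|mon))?)$")


def quote_value(value: str) -> str:
    """Double-quote a value, escaping backslashes and embedded quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def _checked(value: str, pattern: re.Pattern, what: str) -> str:
    """Reject anything outside the assumed pattern rather than trying to repair it."""
    if not pattern.match(value):
        raise ValueError(f"unsafe {what}: {value!r}")
    return value


def build_spl(index, sourcetype=None, earliest=None, latest=None,
              terms=(), fields=None, transformations=()):
    """Return 'index=<index> sourcetype=<sourcetype> <filters> | <transformations>'.

    terms are free-text keywords, fields is a {name: value} dict, and
    transformations are pipeline stages supplied by the caller's own
    templates (not by the user), so they are joined in unchanged."""
    parts = [f"index={_checked(index, _NAME_RE, 'index')}"]
    if sourcetype:
        parts.append(f"sourcetype={_checked(sourcetype, _NAME_RE, 'sourcetype')}")
    if earliest:
        parts.append(f"earliest={_checked(earliest, _TIME_RE, 'earliest')}")
    if latest:
        parts.append(f"latest={_checked(latest, _TIME_RE, 'latest')}")
    # Free-text keywords and field filters are always quoted.
    parts.extend(quote_value(term) for term in terms)
    for name, value in (fields or {}).items():
        parts.append(f"{_checked(name, _FIELD_RE, 'field name')}={quote_value(str(value))}")
    query = " ".join(parts)
    for stage in transformations:
        query += " | " + stage
    return query


if __name__ == "__main__":
    # Equivalent of the first Quick Reference row for a service named "payments".
    print(build_spl("*", terms=["error"], fields={"source": "*payments*"},
                    transformations=["stats count by message"]))
```

If the user hands over raw SPL, none of this applies: the skill says to use it directly, and the helper is only for queries the agent composes itself.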
### 3. Execute Search

See references/splunk-ui.md for UI selectors.

- Find search bar (textarea with `data-test="search-bar"` or class `ace_text-input`)
- Clear existing text, enter SPL query
- Click search button (button with `data-test="search-button"` or "Search" text)
- Wait for results (watch for "X events" or results table)
### 4. Export Results

- Click "Export" button above results
- Select "Raw" format
- Set filename, click "Export"
- Wait for download to complete
### 5. Analyze Results

Run analysis script on exported file:

```bash
python3 scripts/analyze_splunk.py <exported_file> [--charts]
```

Analysis includes:

- Event count and time range
- Top error patterns / log levels
- Field value distributions
- Anomaly detection (spikes, unusual values)
- Trend visualization (with `--charts`)
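The analysis steps above, as an added example that is not the skill's own `scripts/analyze_splunk.py`: it assumes a Raw export with one event per line, an ISO-8601 UTC timestamp first and `key=value` pairs after it (the sample lines are constructed for this example, not real Splunk output), and covers event count and time range, level and error-message counts, field value distribution, and a per-minute spike check. The median-based threshold in `detect_spikes` is this example's choice; chart output is left out.

```python
"""Hypothetical analysis pass over a Raw export (added example; not the
skill's scripts/analyze_splunk.py). One event per line is assumed:
an ISO-8601 UTC timestamp, then key=value pairs (values may be quoted)."""
import re
import sys
from collections import Counter
from datetime import datetime, timezone
from statistics import median

# Constructed sample export: a quiet service with a burst of errors at 10:02.
SAMPLE_EXPORT = """\
2024-05-01T10:00:01Z level=INFO svc=payments msg="request ok" duration=120
2024-05-01T10:00:30Z level=INFO svc=payments msg="request ok" duration=95
2024-05-01T10:01:10Z level=WARN svc=payments msg="slow upstream" duration=1800
2024-05-01T10:01:45Z level=INFO svc=payments msg="request ok" duration=110
2024-05-01T10:02:05Z level=ERROR svc=payments msg="db timeout" duration=5000
2024-05-01T10:02:06Z level=ERROR svc=payments msg="db timeout" duration=5000
2024-05-01T10:02:07Z level=ERROR svc=payments msg="db timeout" duration=5002
2024-05-01T10:02:08Z level=ERROR svc=payments msg="connection refused" duration=3
2024-05-01T10:02:09Z level=ERROR svc=payments msg="db timeout" duration=5001
2024-05-01T10:02:10Z level=ERROR svc=payments msg="db timeout" duration=4990
2024-05-01T10:02:11Z level=INFO svc=payments msg="request ok" duration=130
2024-05-01T10:02:12Z level=INFO svc=payments msg="request ok" duration=125
2024-05-01T10:03:20Z level=INFO svc=payments msg="request ok" duration=101
2024-05-01T10:03:50Z level=INFO svc=payments msg="request ok" duration=99
"""

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Return one dict per event with a 'ts' datetime plus the key=value
    fields; lines that do not start with a parseable timestamp are skipped."""
    events = []
    for line in text.splitlines():
        head, _, rest = line.partition(" ")
        try:
            ts = datetime.strptime(head, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # not an event line in the assumed format
        fields = {k: (quoted or bare) for k, quoted, bare in _KV_RE.findall(rest)}
        events.append({"ts": ts, **fields})
    return events


def summarize(events):
    """Event count, time range, log-level counts and the most common ERROR messages."""
    levels = Counter(e.get("level", "UNKNOWN") for e in events)
    errors = Counter(e.get("msg", "") for e in events if e.get("level") == "ERROR")
    return {
        "count": len(events),
        "first": min(e["ts"] for e in events) if events else None,
        "last": max(e["ts"] for e in events) if events else None,
        "levels": dict(levels),
        "top_errors": errors.most_common(5),
    }


def field_distribution(events, field):
    """Value counts for one field, ignoring events that lack it."""
    return Counter(e[field] for e in events if field in e)


def detect_spikes(events, bucket_seconds=60, factor=3.0):
    """Count events per bucket and flag buckets holding more than `factor`
    times the median bucket count. The median is used as the baseline
    because a single spike would drag the mean up and hide itself."""
    counts = Counter(int(e["ts"].timestamp()) // bucket_seconds for e in events)
    if not counts:
        return []
    baseline = median(counts.values())
    return [(datetime.fromtimestamp(b * bucket_seconds, tz=timezone.utc), n)
            for b, n in sorted(counts.items()) if n > factor * baseline]


def main(argv):
    # With a path argument the export file is analysed; otherwise the sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_EXPORT
    events = parse_events(text)
    report = summarize(events)
    print(f"{report['count']} events from {report['first']} to {report['last']}")
    print("levels:", report["levels"])
    print("top errors:", report["top_errors"])
    print("svc distribution:", dict(field_distribution(events, "svc")))
    for start, n in detect_spikes(events):
        print(f"spike: {n} events in the minute starting {start.isoformat()}")


if __name__ == "__main__":
    main(sys.argv)
```

Exports from a real search will rarely share one line format, so the parser skips anything it cannot date rather than guessing; a skipped-line count is the first thing worth adding when adapting this to a given sourcetype.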
## Quick Reference
| User Request | Action |
|---|---|
| "Check errors in service X" | `index=* "error" source="*X*" \| stats count by message` |
| "Show me logs from last hour" | `index=* earliest=-1h` |
| "Find slow requests" | `index=* duration>1000 \| stats avg(duration) by endpoint` |
| "Summarize today's exceptions" | Run query + full analysis with charts |