An intelligent AI agent that generates production-ready Splunk SPL queries from natural language. It eliminates hallucination by using RAG (Retrieval-Augmented Generation) to ground every response in real documentation:
- 4,400+ RAG-indexed documents — SPL docs, detection rules, CIM fields, and attack data
- Live Splunk validation — Connects to your Splunk instance to verify queries actually work
- Iterative refinement — Automatically fixes syntax errors and field mismatches
Perfect for: Security analysts, SOC engineers, detection engineers, and threat hunters.
Note: This project is under active development. Contributions and feedback are welcome!
| Feature | Description |
|---|---|
| Natural Language Input | Describe what you want to detect in plain English |
| RAG-Powered Grounding | 4 vector databases: SPL docs, detection rules, CIM fields, attack data |
| Live Splunk Validation | Connects to your Splunk instance to test queries return real results |
| Chain of Thought | See exactly how the agent reasons and builds your query |
| Multi-LLM Support | Groq (free), Mistral, OpenRouter, Claude, OpenAI |
| Web Interface | Modern dark-themed dashboard for interactive use |
- Python 3.11+
- Access to a Splunk Enterprise instance
- LLM API key (Groq recommended - free tier)
# Clone and setup
git clone https://github.com/michaelelizarov/splunk-detection-engineer-agent.git
cd splunk-detection-engineer-agent
python -m venv venv
source venv/bin/activate # Windows: venv\Scripts\activate
# Install dependencies
pip install torch --index-url https://download.pytorch.org/whl/cpu
pip install -r requirements.txt
playwright install chromium
# Configure
cp config/config.yaml.example config/config.yaml
# Edit config/config.yaml with your API keys and Splunk credentials
# Initialize knowledge bases
python -m src.rag_spl_docs ingest
python -m src.rag_detections ingest
python -m src.rag_cim_docs ingest
python -m src.rag_attack_data ingest
# Verify setup
python -m src.agent status# Generate a detection query
python -m src.agent run "Detect brute force login attempts"
# With reasoning trace
python -m src.agent run --reason "Detect credential dumping from LSASS"
# Interactive mode
python -m src.agent interactive
# Web interface
python -m src.api.server
# Open http://localhost:8000| Document | Description |
|---|---|
| Command Reference | Complete list of all CLI commands |
| Usage Guide | Detailed usage examples and query types |
| Configuration | LLM and Splunk configuration options |
| Web Interface | Web dashboard features and API |
| Knowledge Bases | Updating and managing data sources |
| Troubleshooting | Common issues and solutions |
| Architecture | System design and diagrams |
| API Reference | Python library usage |
| Project Structure | Codebase organization |
See CONTRIBUTING.md for development setup and guidelines.
See SECURITY.md for vulnerability disclosure.
Important: Always review AI-generated queries before running in production.
MIT License - see LICENSE
- Splunk for SPL documentation
- Splunk Security Content for detection rules
- Splunk Attack Data for attack datasets
- Groq for free LLM API
- ChromaDB for vector storage


