@dxvapor/pi-splunk-cloud-logs
v1.0.0
Pi coding agent extension for querying Splunk Cloud logs via REST API. Supports OAuth2 client credentials and bearer token auth.
pi-splunk-cloud-logs
A pi coding agent extension that gives the LLM direct access to Splunk Cloud logs via the Splunk REST API.
Features
- 🔍 splunk_search — Async SPL search with live progress polling
- ⚡ splunk_oneshot — Fast synchronous search for quick/narrow queries
- 📋 splunk_list_indexes — Discover available indexes before writing queries
- 🗂️ splunk_list_jobs — Inspect recent search jobs
- 🔐 OAuth 2 client credentials (preferred) or static bearer token
- 🖥️ /splunk-config — Interactive TUI setup
- 🩺 /splunk-test — One-command connectivity check
Installation
pi install npm:@dxvapor/pi-splunk-cloud-logs
Or try it without installing:
pi -e npm:@dxvapor/pi-splunk-cloud-logs
Authentication
Option 1 — OAuth 2 client credentials (recommended)
Create an OAuth 2.1 client in your Splunk Cloud instance (Settings → Identity Provider → Manage OAuth 2.0 Clients), then:
export SPLUNK_HOST=myorg.splunkcloud.com
export SPLUNK_CLIENT_ID=your-client-id
export SPLUNK_CLIENT_SECRET=your-client-secret
The extension automatically obtains and refreshes access tokens.
Option 2 — Bearer token
Generate a token in Splunk Web (Settings → Tokens), then:
export SPLUNK_HOST=myorg.splunkcloud.com
export SPLUNK_TOKEN=eyJ...
Optional
export SPLUNK_PORT=8089 # Default: 8089
Interactive setup
Alternatively, configure inside pi at runtime:
/splunk-config
Credentials entered via /splunk-config are stored in memory only and are never written to disk or the session file.
Usage
After starting pi with the extension loaded, just describe what you need:
Search Splunk for HTTP 5xx errors in the last hour across all hosts.
List all Splunk indexes and show me which ones have data from today.
Show me the top 10 hosts by error count in the past 24 hours.
The LLM uses the registered tools to run SPL queries automatically.
Manual tool calls (for testing)
Run: splunk_list_indexes
Run: splunk_oneshot { "query": "index=main error | head 5", "earliestTime": "-15m" }
Commands
| Command | Description |
|---------|-------------|
| /splunk-config | Interactive connection setup |
| /splunk-test | Test connectivity and show server info |
How it works
User prompt
    │
    ▼
LLM decides to call splunk_search
    │
    ├── POST /services/search/jobs (create job)
    ├── GET /services/search/jobs/{sid} (poll status) ← repeats
    └── GET /services/search/jobs/{sid}/results (fetch)
    │
    ▼
Formatted results returned to LLM → answer
For splunk_oneshot, the export endpoint is used instead for a single round-trip response.
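The create, poll and fetch sequence above, sketched as an added example; this is not the extension's own source. The names runSearch, makeStubFetch and demo are hypothetical, and the job ID, token and result row are constructed so the block runs offline against a stub instead of a real management port.

```javascript
// Added example (not the extension's code): create -> poll -> fetch against
// Splunk's search job endpoints. fetchImpl is injected so the constructed
// stub below can stand in for a real Splunk Cloud instance.
async function runSearch(fetchImpl, { host, port = 8089, token }, query, opts = {}) {
  const realSleep = (ms) => new Promise((r) => setTimeout(r, ms));
  const { earliestTime = "-15m", maxPolls = 30, sleep = realSleep } = opts;
  const base = `https://${host}:${port}/services/search/jobs`;
  const call = async (url, init = {}) => {
    const headers = { Authorization: `Bearer ${token}` };
    const res = await fetchImpl(url, { ...init, headers });
    // Report only the status code; the token must never reach logs or the LLM.
    if (!res.ok) throw new Error(`Splunk returned HTTP ${res.status}`);
    return res.json();
  };
  // REST searches must begin with a command, so bare "index=..." gets "search".
  const spl = /^\s*(search\b|\|)/.test(query) ? query : `search ${query}`;
  const body = new URLSearchParams({ search: spl, earliest_time: earliestTime, output_mode: "json" });
  const { sid } = await call(base, { method: "POST", body });
  const job = `${base}/${encodeURIComponent(sid)}`;
  for (let i = 0; i < maxPolls; i++) {
    const { content } = (await call(`${job}?output_mode=json`)).entry[0];
    if (content.isFailed) throw new Error(`search job ${sid} failed`);
    if (content.isDone) return (await call(`${job}/results?output_mode=json`)).results;
    await sleep(1000);
  }
  // Bound the loop so a stuck job cannot hold the agent (and the token) forever.
  throw new Error(`search job ${sid} did not finish after ${maxPolls} polls`);
}

// Constructed stub: records every request and reports the job done on poll 2.
function makeStubFetch() {
  const seen = [];
  let polls = 0;
  const reply = (data, status = 200) => ({ ok: status < 400, status, json: async () => data });
  const stub = async (url, init = {}) => {
    const method = init.method || "GET";
    seen.push({ method, url, auth: init.headers.Authorization, body: String(init.body || "") });
    if (method === "POST") return reply({ sid: "1700000000.42" });
    if (url.includes("/results")) return reply({ results: [{ host: "web-01", count: "7" }] });
    return reply({ entry: [{ content: { isDone: ++polls >= 2, isFailed: false } }] });
  };
  return { stub, seen };
}

async function demo() {
  const { stub, seen } = makeStubFetch();
  const cfg = { host: "myorg.splunkcloud.com", token: "constructed-token" };
  const results = await runSearch(stub, cfg, "index=main error | head 5", { sleep: async () => {} });
  return { results, seen };
}
demo().then(({ results }) => console.log(results));
```

Passing the global fetch as fetchImpl on Node.js 18 or later sends the same requests to a real instance.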
Environment Variables
| Variable | Required | Description |
|----------|----------|-------------|
| SPLUNK_HOST | ✅ | Splunk Cloud hostname (e.g. myorg.splunkcloud.com) |
| SPLUNK_PORT | ❌ | Management port. Default: 8089 |
| SPLUNK_CLIENT_ID | ✅ (OAuth) | OAuth 2 client ID |
| SPLUNK_CLIENT_SECRET | ✅ (OAuth) | OAuth 2 client secret |
| SPLUNK_TOKEN | ✅ (token) | Static bearer token |
Requirements
- Node.js ≥ 18 (for native fetch)
- pi coding agent installed globally
- Splunk Cloud Platform instance with REST API access on port 8089
Security notes
- Credentials entered via /splunk-config are in-memory only.
- OAuth tokens are cached in-process and refreshed automatically before expiry.
- TLS is always used (Splunk Cloud enforces it).
- Store long-lived secrets in environment variables, not in code or config files.
Contributing
Issues and PRs welcome at github.com/dxvapor/pi-splunk-cloud-logs.
License
MIT — see LICENSE.
