- MCP harvests logs, AI maps CIM fields, validators secure output, SDK packages deployment artifacts.
- From raw logs to CIM-compliant Splunk Technology Add-ons in under 30 seconds.
- Autonomous Splunk onboarding with AI agents generating, validating, and packaging CIM mappings.
- One-click generation of a deployable Splunk TA and executive audit report from raw logs.
Inspiration
Every Splunk environment faces the same problem: raw data arrives faster than engineers can onboard it. A single firewall, proxy, or endpoint sourcetype can require hours of manual CIM mapping, regex creation, validation, testing, packaging, and documentation. The process is repetitive, error-prone, and dependent on tribal knowledge held by a handful of experts.
We asked a simple question: What if onboarding a new data source required one click instead of one engineer? That question became CIMForge.
What it does
CIMForge is an autonomous AI-powered onboarding system built natively inside Splunk. A user provides a sourcetype and target CIM data model, and CIMForge automatically generates, validates, secures, packages, and documents a deployable Splunk Technology Add-on.
Workflow
```text
     Raw Logs
        │
        ▼
   [MCP Agent]
        │
        ▼
   [SAIA Agent]
        │
        ▼
 [Security Agent]
        │
        ▼
    [SDK Agent]
        │
  ┌─────┴─────────┐
  ▼               ▼
TA Package   Executive PDF
```
Result: From raw logs to a validated, deployable, CIM-compliant Splunk Technology Add-on in under 30 seconds.
How we built it
| Layer | Technology |
|---|---|
| Frontend | React 18 · Splunk React UI v5 · styled-components · Webpack 5 |
| Backend | Python 3.9 · Splunk UCC Framework · PersistentServerConnectionApplication |
| AI / LLM | OpenRouter — GPT-4 · Claude 3.5 Sonnet · Mistral · Ollama (local) |
| PII Detection | scrubadub · Presidio · custom IP detector |
| PDF Generation | reportlab 3.6 (bundled in Splunk Python 3.9) |
| Security | ReDoS static analysis · Cisco Foundation Security Model |
| Deployment | Splunk Enterprise 9.0+ · Splunk Cloud compatible |
Autonomous Agent Pipeline
| Agent | Purpose | Output |
|---|---|---|
| MCP Agent | Retrieves raw events directly from Splunk indexes and analyzes source structure | Event samples and field candidates |
| SAIA Agent | Uses Splunk AI Assistant to generate CIM mappings, EXTRACT regexes, FIELDALIAS rules and configurations | Deployable CIM mapping configuration |
| Security Agent | Validates generated regex patterns using Splunk Foundation Security Model and checks for ReDoS vulnerabilities | Security validation report |
| SDK Agent | Packages validated configurations into a Splunk Technology Add-on and generates an Executive PDF Report | Deployable TA package and audit report |
Security
CIMForge is designed to operate in production Splunk environments where security is non-negotiable.
| Control | Implementation |
|---|---|
| API key storage | Splunk encrypted credential store — never written to config files, logs, or disk |
| PII in logs | Text length and hash only — raw event content never appears in log output |
| CSRF protection | X-Splunk-Form-Key required on every POST request |
| ReDoS prevention | Every generated EXTRACT- pattern is scanned before the TA is packaged |
| Authentication | All REST handlers require a valid Splunk session token |
| Credential isolation | API keys scoped to the CIMForge app namespace in the Splunk credential store |
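As an added illustration of two of the controls above, the ReDoS gate on generated EXTRACT- patterns and the length-plus-hash logging rule, here is example code that is not CIMForge's own. The props.conf stanza, the `NESTED_QUANTIFIER` heuristic and the function names are constructed for the example; the heuristic flags the nested-quantifier shape that causes catastrophic backtracking and is a static check only.

```python
import hashlib
import re

# Constructed props.conf fragment standing in for a SAIA-generated stanza
# (sample input, not CIMForge output). EXTRACT-user carries a nested quantifier.
SAMPLE_PROPS = r"""
[firewall:sample]
EXTRACT-src = src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})
EXTRACT-user = user=(?P<user>(\w+\s*)+)$
FIELDALIAS-dest = dst AS dest
"""

# Heuristic: an unbounded quantifier (+ or *) inside a group that is itself
# repeated by + or *, e.g. (\w+\s*)+, is the classic catastrophic-backtracking
# shape. Escaped literals such as \+ inside a group give false positives,
# which is the safe direction for a pre-packaging gate.
NESTED_QUANTIFIER = re.compile(r"\([^()]*[+*][^()]*\)[+*]")

def extract_patterns(props_text):
    """Return {setting: regex} for every EXTRACT-* line in a props.conf stanza."""
    found = {}
    for line in props_text.splitlines():
        m = re.match(r"\s*(EXTRACT-[\w-]+)\s*=\s*(.+)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def is_redos_suspect(pattern):
    """Static check for the nested-quantifier shape."""
    return NESTED_QUANTIFIER.search(pattern) is not None

def scan_props(props_text):
    """Classify each EXTRACT-* pattern as ok, invalid or redos-suspect."""
    report = {}
    for name, pattern in extract_patterns(props_text).items():
        try:
            re.compile(pattern)
        except re.error:
            report[name] = "invalid"
            continue
        report[name] = "redos-suspect" if is_redos_suspect(pattern) else "ok"
    return report

def safe_log_line(raw_event):
    """Log-safe summary: length and a truncated SHA-256, never the event text."""
    digest = hashlib.sha256(raw_event.encode("utf-8")).hexdigest()[:16]
    return f"event len={len(raw_event)} sha256={digest}"

if __name__ == "__main__":
    print(scan_props(SAMPLE_PROPS))
    print(safe_log_line("user=alice src=10.0.0.1"))
```

A pattern reported as `redos-suspect` would block packaging of the TA; the log line shows only the event length and hash, so raw content never reaches log output.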
Business Impact
| Metric | Result | Context |
|---|---|---|
| ⏱ Onboarding time saved | 2.5 hours per sourcetype | Measured against manual process baseline |
| ✗ Manual tasks eliminated | 14 tasks automated | Extraction, mapping, validation, packaging, reporting |
| ⚡ Automation score | 96% | Percentage of pipeline stages with zero human intervention |
| 🗺 CIM field coverage | 94% | 18 of 20 Network Traffic fields mapped on first pass |
| 🔒 Security validation | PASSED | Cisco Foundation Security Model — zero ReDoS detected |
| 🛡 Risk score | LOW | No catastrophic backtracking in any generated extraction |
For a Splunk environment with 20 sourcetypes, CIMForge reclaims 50 engineer-hours that would otherwise produce no detection, no dashboard, and no business value. Those hours return to threat hunting, detection engineering, and observability work.
Why CIMForge Is Different
Most CIM onboarding tools stop at suggestions. They present recommendations that an engineer must still review, refine, and manually deploy. The human is still in the critical path.
CIMForge produces deployable artifacts.
| Capability | Most tools | CIMForge |
|---|---|---|
| Generate field mapping suggestions | ✓ | ✓ |
| Produce deployment-ready props.conf | — | ✓ |
| Validate mappings against live data | — | ✓ |
| Perform ReDoS security scanning | — | ✓ |
| Package an installable Splunk TA | — | ✓ |
| Generate an executive PDF report | — | ✓ |
| Stream agent execution in real time | — | ✓ |
| Operate without human intervention | — | ✓ |
Challenges we ran into
The biggest challenge was turning AI-generated CIM mappings into production-ready Splunk configurations. We had to validate generated regex patterns against real events, prevent extraction failures, and ensure protection against ReDoS vulnerabilities before deployment.
Another challenge was moving beyond recommendations and generating deployable outputs. CIMForge automatically packages validated configurations into installable Splunk Technology Add-ons and produces executive reports, making the entire onboarding process autonomous.
Accomplishments that we're proud of
- Built a fully autonomous four-agent onboarding pipeline running natively inside Splunk Enterprise.
- Reduced CIM onboarding effort from hours to seconds.
- Generated deployable Splunk Technology Add-ons automatically.
- Added AI-powered regex security validation before deployment.
- Produced stakeholder-ready executive reports without human intervention.
- Demonstrated end-to-end onboarding from raw logs to deployable artifacts in a live Splunk environment.
Most importantly, CIMForge does not stop at recommendations. It produces deployable outcomes.
What we learned
Building agentic systems taught us that autonomy is not enough. Reliable autonomous systems require validation, feedback loops, security controls, and clear recovery paths when AI makes mistakes. We learned that the most valuable AI systems are not the ones that generate ideas—they are the ones that generate trusted outcomes. CIMForge became successful only when every agent could validate, correct, and explain its own work.
What's next for CIMForge: From Raw Logs to Deployable Splunk TA
- Support all Splunk CIM data models.
- Batch onboarding for hundreds of sourcetypes simultaneously.
- Native Splunk Cloud onboarding workflows.
- Continuous CIM compliance monitoring.
- Autonomous onboarding recommendations based on coverage gaps.
- Community-powered registry of validated onboarding packages.
Our long-term vision is simple: Every new data source should become Splunk-ready automatically.
Built With
- mistral
- node.js
- python-3.9
- react-18
- reportlab
- splunk-ai-assistant-(saia)
- splunk-enterprise
- splunk-foundation-ai-security-model
- splunk-mcp-server
- splunk-python-sdk
- splunk-react-ui
- splunk-search-api
- splunk-ucc-framework