PharmaOps Monitor

AI agents on Splunk catch pharma batch failures in 30 seconds and auto-generate FDA reports — replacing 6-hour manual GMP investigations.

Comment

Inspiration

Indian pharma exports $25 billion a year, but one failed batch can cost ₹50 lakh to ₹1.5 crore. When a coating thermostat drifts 2°C, QA teams still spend 4–6 hours pulling temperature logs, batch QC records, moisture data, and downtime reports — often while the batch remains at risk.

The FDA issues 500+ warning letters annually for weak process monitoring. Existing MES and SCADA systems alert operators; they do not investigate. Someone still has to find root cause, score GMP impact, and write the deviation report by hand.

We built PharmaOps Monitor because observability in pharma is not about server uptime — it is batch insurance. Plant managers deserve an AI investigator on Splunk that never sleeps, never misses a deviation, and never takes six hours to answer one question: Is this batch safe?

What it does

PharmaOps Monitor is an autonomous GMP compliance command center on Splunk.

Live data in Splunk — 2,472 manufacturing events across temperature, moisture, batch QC, and equipment downtime. Dashboard shows BATCH-1027 with 24 temperature deviations from coating thermostat drift on COAT-01.

3-agent autonomous pipeline (one click in Streamlit):

Detection Agent — finds the top GMP anomaly from live Splunk data Investigation Agent — gathers multi-source evidence via Splunk MCP + reasons with Gemini QA Review Agent — validates FDA 21 CFR and ICH Q7/Q8/Q9/Q10; approves or rejects with CAPA Regulatory intelligence — GMP compliance score, QMS risk score, pharmacovigilance assessment, and ICH Q9 RPN in one report.

Ask AI — plant managers type "What batches failed and why?" in plain English. Gemini generates SPL; Splunk returns live data; AI answers with batch IDs, products, and root causes.

Output — FDA-style HTML deviation reports, financial impact (₹5.2L per incident), and a Streamlit UI judges can run in under 3 minutes.

How we built it

HOW WE BUILT IT — copy from here:

Manufacturing data flows into a Splunk index called pharma_manufacturing. Splunk AI Toolkit uses Median Absolute Deviation to detect temperature anomalies on the live dashboard. Python agents query Splunk through MCP Server using the run_query tool with encrypted token authentication. Google Gemini 2.5-flash handles root cause analysis, CAPA generation, and natural language to SPL translation. Everything surfaces in a Streamlit command center and as FDA-style HTML deviation reports.

We used Splunk Enterprise 10.4 as the data backbone. Splunk AI Toolkit 5.7.4 powers MAD-based anomaly detection on temperature panels. Splunk MCP Server 1.2 gives agents secure search access. Google Gemini provides the reasoning layer. Python 3.12 runs the agent orchestration. Streamlit is the plant manager UI.

We built a 3-layer data fallback so demos never break: MCP first, then Splunk REST API, then local CSV. We created FDA-aligned synthetic manufacturing data with 2,472 events, a 5-panel Splunk Studio dashboard, saved search alerts, and full regulatory mapping to ICH Q7, Q8, Q9, Q10 and FDA 21 CFR Part 211.

Key components: multi_agent.py runs the Detection, Investigation, and QA Review pipeline. splunk_mcp.py handles MCP, REST, and CSV with SPL templates. mcp_chat_demo.py powers the Ask AI natural language interface. streamlit_app.py is the one-click judge demo. pharmaops_monitor.xml is the Splunk dashboard with all 5 panels.

Judges clone the repo, set a Gemini API key, run ./run_streamlit.sh, and get the full demo at localhost:8501 in under 3 minutes. Judges run one command: ./run_streamlit.sh → full demo at http://localhost:8501.

Challenges we ran into

  1. Splunk CSV ingest as raw text Indexed CSV did not expose fields like status=DEVIATION. Dashboards returned empty until we rewrote queries with rex field extraction and fixed props.conf — BATCH-1027 then showed 24 deviations correctly.

  2. Splunk MCP integration MCP uses the run_query tool (not search), requires an initialize handshake, Bearer token auth, and built-in tool enablement. We built a 3-URL, dual-auth client and enable_mcp_tools.py for one-command setup.

  3. Production-grade fallback MCP endpoints vary by Splunk version. We implemented MCP → REST → CSV so agents always return real answers — judges see live Splunk data, not a brittle demo.

  4. True agentic behavior Hardcoded batch IDs would fail judge scrutiny. Detection Agent dynamically queries Splunk for the top anomaly batch every run.

  5. Demo UX Terminal scripts confused the story. We moved the full judge demo into Streamlit — one app, one click, report embedded in the UI.

Accomplishments that we're proud of

Built the first autonomous GMP compliance agent on Splunk MCP with full ICH + FDA regulatory mapping — as a solo developer 3-agent pipeline runs end-to-end with zero human input: detect → investigate → QA review → FDA report 99% faster than manual process: 6-hour investigation → 2.5 minutes automated ₹5.2 lakh saved per deviation; ₹21L+ batch loss preventable with early AI detection 2,472 Splunk events verified live; dashboard, agents, and reports all agree on BATCH-1027 / 24 deviations Streamlit command center — judges reproduce the full demo in under 3 minutes from README Regulatory intelligence beyond a typical hackathon: GMP score, QMS risk, PV assessment, industry baseline comparison We did not build a chatbot on logs. We built batch insurance for pharma plants.

What we learned

Splunk MCP is the right agent bridge. Giving LLM agents secure, structured access to Splunk through MCP is more production-ready than pasting SPL into a prompt. The run_query tool with token auth is how enterprise agentic ops will actually run.

Domain beats generic. Pharma GMP observability — batch failures, FDA reports, crore-scale impact — tells a stronger story than monitoring CPU usage. Judges remember "₹1 crore batch saved" more than "another anomaly dashboard."

Detection + reasoning belong together. Splunk AI Toolkit catches the anomaly; Gemini explains why and what to do. Neither alone wins — the combination does.

The last 10% is the pitch. A working MCP pipeline is not enough. Streamlit as command center, a 30-second money hook, and a demo that never opens five browser tabs — that is what makes judges care.

Resilience wins hackathons. Judges test broken setups. MCP → REST → CSV fallback meant our demo worked every time, even when MCP showed yellow and REST carried the load.

What's next for PharmaOps Monitor

Short term, we will connect Splunk saved search alerts directly to the autonomous agent through a webhook trigger, so investigation starts the moment a deviation is detected with no human click required. The watchdog mode in our codebase is the first step toward fully unattended batch monitoring.

We plan to deploy on Splunk Cloud for multi-site Indian pharma plants, so one command center monitors coating, granulation, and packaging lines across multiple factories simultaneously.

We will integrate live production data from LIMS and MES systems through Splunk HTTP Event Collector, replacing synthetic demo data with real manufacturing telemetry from shop floor sensors.

Long term, we want to connect CAPA outputs directly to SAP QM and TrackWise so corrective actions flow from AI investigation into the plant quality management system without manual re-entry.

We will add predictive drift detection using Splunk Machine Learning Toolkit to catch coating thermostat failure before the first DEVIATION event, moving from reactive investigation to proactive batch protection.

We also plan a mobile alert layer for plant QA managers, pushing batch risk scores and investigation summaries when a critical GMP excursion is detected overnight on a running batch.

The vision is simple: every pharma plant in India gets an AI quality investigator on Splunk that works 24 hours a day, costs a fraction of one failed batch, and never lets a crore-scale loss happen because someone was not watching the thermostat.

Built With

  • fda-21-cfr
  • google-gemini-2.5-flash
  • html
  • ich-q10
  • ich-q7
  • ich-q8
  • ich-q9
  • json-rpc
  • localhost
  • macos
  • matplotlib
  • pandas
  • python
  • rest-api
  • spl
  • splunk-ai-toolkit
  • splunk-enterprise
  • splunk-mcp-server
  • streamlit
Share this project:

Updates