Not another alert view: an AI incident commander that proves every claim in Splunk and asks before it acts.
Splunk-grounded incident decisions: cited root cause, blast radius, and human-approved remediation from one command flow.
- Open reports/latest_control_tower.html. You should see the checkout incident summary, ranked root cause, blast radius, and MCP Remediation Ledger.
- Run the local proof path:
python prototype\agentops_control_tower.py run-demo
python scripts\run_local_spl_query_pack.py
python scripts\build_judge_quickstart.py
You should see synthetic agentops_events regenerated, SPL-equivalent proof rebuilt, and a fresh judge quickstart at reports/latest_judge_quickstart.html.
- Inspect the official MCP evidence:
submission/post_action_evidence/2026-06-09_optional_live_splunk_mcp_proof_readback.md
The official Splunk MCP Server was verified against local Splunk Enterprise Docker using synthetic agentops_events; splunk_run_query returned incident event IDs, evidence refs, risk scores, and approval states. This does not claim production Splunk Cloud deployment.
Boundary phrase for all public materials: Local Splunk Enterprise Docker proof with synthetic data; production Splunk Cloud deployment is not claimed.
Every major claim links to a query or ledger entry a judge can inspect:
| Claim | Evidence path | What to look for |
|---|---|---|
| Root cause is evidence-backed | reports/latest_local_spl_query_results.html | Timeline and root-cause evidence rows for checkout-api. |
| Blast radius is visible before action | reports/latest_control_tower.html | Affected services grouped before remediation. |
| Risky remediation remains human-approved | reports/latest_control_tower.html | MCP Remediation Ledger approval states. |
| Official MCP readback was verified locally | submission/post_action_evidence/2026-06-09_optional_live_splunk_mcp_proof_readback.md | splunk_run_query rows with event IDs and evidence refs. |
Agentic Incident Command Center is a Splunk Agentic Ops Hackathon project candidate. It turns cross-domain incident signals into an evidence-backed AI command flow: timeline, blast radius, root-cause ranking, and human-approved remediation.
The project is built around a practical problem: during a live outage, the clues are scattered across deployment logs, application errors, APM traces, database pressure, identity/security events, edge networking, and AI/MCP tool calls. Splunk is the natural evidence layer. The AI should not invent a fix; it should ask Splunk, rank likely causes, cite evidence, and keep risky actions behind human approval.
The core innovation is the MCP Remediation Ledger: every AI-proposed rollback, WAF watch, ticket, stakeholder update, or credential-boundary block is tied to Splunk evidence and an explicit approval state.
The product impact is decision compression: scattered deploy, APM, database, security, edge, and MCP/tool-call signals become one reviewable flow from evidence to ranked cause to approval-ready action, without granting the agent unchecked remediation power.
This is an independent hackathon project and is not an official Splunk product. Splunk and related marks belong to their respective owners.
- Ingests synthetic incident events across deploy, application, APM, database, security, network, remediation, communications, and MCP runtime domains.
- Ranks likely root causes for a checkout outage using Splunk-ready evidence fields.
- Produces an MCP Remediation Ledger with evidence-backed proposed actions and approval states.
- Surfaces human action packets: approve rollback, approve a temporary WAF watch rule, review stakeholder update, preserve blocked credential-boundary evidence, or investigate further.
- Exports Splunk-ready CSV and SPL examples for indexing and MCP-based investigation.
- Includes a Splunk app candidate with index, sourcetype, dashboard, and saved-search configuration.
- Renders a local dashboard that demonstrates the complete flow without using private data.
Splunk is the natural operational data layer for this problem:
- Agentic systems create logs, events, traces, approvals, and tool-call records.
- Splunk can unify these signals across developer experience, security, and operations.
- Splunk MCP Server can expose this operational context to AI assistants while keeping the underlying data auditable.
- Human reviewers can ask questions in natural language, but every recommendation should still be grounded in concrete events.
The local demo uses synthetic checkout-incident events:
- A checkout API release completes shortly before a 5xx and latency spike.
- Database pool pressure, identity anomalies, WAF probes, and edge packet loss appear as competing signals.
- The AI incident commander asks for Splunk context and ranks checkout-api release regression as the primary cause.
- Rollback, WAF watch, stakeholder update, and ticket creation are prepared as evidence-backed actions.
- High-impact remediation stays human-approved, while a credential-boundary tool attempt is blocked and preserved as redacted audit evidence.
No real secrets, accounts, tokens, posts, payments, or external systems are used in the local demo.
python prototype\agentops_control_tower.py run-demo
python scripts\run_local_spl_query_pack.py
python scripts\build_demo_tour.py
python scripts\build_video_readiness_report.py
python scripts\build_video_cue_sheet.py
python scripts\build_video_upload_metadata.py
python scripts\build_video_command_plan.py
python scripts\build_claim_evidence_matrix.py
python scripts\build_external_approval_packet.py
python scripts\build_publication_command_plan.py
python scripts\build_public_repo_metadata.py
python scripts\build_public_repo_publish_brief.py
python scripts\verify_public_repo_publication_gate.py
python scripts\build_public_launch_snapshot.py
python scripts\verify_public_artifact_urls.py
python scripts\build_devpost_submission_packet.py
python scripts\export_devpost_final_copy.py
python scripts\build_final_go_no_go_report.py
python scripts\build_devpost_submit_command_plan.py
python scripts\build_devpost_manual_fill_brief.py
python scripts\build_post_action_evidence_brief.py
python scripts\build_official_source_freshness.py
python scripts\build_release_integrity_manifest.py
python scripts\prepare_submission_urls.py
python scripts\validate_claim_boundaries.py
python scripts\validate_submission_urls.py
python scripts\validate_splunk_app.py
python scripts\package_splunk_app.py
python scripts\build_splunk_mcp_command_plan.py
python scripts\build_splunk_mcp_proof_brief.py
python scripts\build_splunk_mcp_prompt_pack.py
python scripts\build_splunk_mcp_proof_capture_manifest.py
python scripts\build_submission_gate_ledger.py
python scripts\build_submission_deadline_burndown.py
python scripts\build_submission_review_index.py
python scripts\build_judge_quickstart.py
python scripts\build_judge_scorecard.py
python scripts\build_launch_decision_brief.py
python scripts\build_content_rights_audit.py
python scripts\build_video_dry_run.py
python scripts\build_video_recording_preview.py
python scripts\verify_public_video_upload_gate.py
python scripts\build_eligibility_compliance_audit.py
python scripts\build_next_approval_packet.py
python scripts\build_approval_consistency_audit.py
python scripts\build_status_conflict_audit.py
python scripts\build_public_repo_dry_run.py
python scripts\verify_public_repo_publication_gate.py
python scripts\publish_public_repo_after_approval.py
python scripts\build_url_writeback_dry_run.py
python scripts\package_public_candidate_zip.py
python scripts\smoke_test_release_zip.py
Open:
reports/latest_control_tower.html
reports/latest_claim_boundary_validation.html
reports/latest_devpost_final_copy.html
reports/latest_devpost_final_copy.md
reports/latest_submission_url_validation.html
reports/latest_release_zip_smoke_test.html
reports/latest_submission_review_index.html
reports/latest_demo_tour.html
reports/latest_video_readiness.html
submission/VIDEO_SCREEN_SAFETY_CHECKLIST.md
reports/latest_video_command_plan.html
reports/latest_video_cue_sheet.html
reports/latest_video_dry_run.html
reports/latest_video_recording_preview.html
reports/latest_video_upload_metadata.html
reports/latest_public_video_upload_preflight.html
reports/latest_claim_evidence_matrix.html
reports/latest_external_approval_packet.html
reports/latest_publication_command_plan.html
reports/latest_public_repo_metadata.html
reports/latest_public_repo_publish_brief.html
reports/latest_public_repo_dry_run.html
reports/latest_public_artifact_url_readback.html
reports/latest_url_writeback_dry_run.html
reports/latest_public_launch_snapshot.html
reports/latest_splunk_mcp_command_plan.html
reports/latest_splunk_mcp_proof_brief.html
reports/latest_splunk_mcp_prompt_pack.html
reports/latest_splunk_mcp_proof_capture_manifest.html
reports/latest_splunk_app_package_manifest.html
reports/latest_submission_gate_ledger.html
reports/latest_submission_deadline_burndown.html
reports/latest_judge_quickstart.html
reports/latest_judge_scorecard.html
reports/latest_launch_decision_brief.html
reports/latest_next_approval_packet.html
reports/latest_approval_consistency_audit.html
reports/latest_content_rights_audit.html
reports/latest_eligibility_compliance_audit.html
submission/HUMAN_CONFIRMATION_CHECKLIST.md
reports/latest_devpost_submit_command_plan.html
reports/latest_devpost_manual_fill_brief.html
submission/DEVPOST_FINAL_REVIEW_CHECKLIST.md
reports/latest_post_action_evidence_brief.html
reports/latest_official_source_freshness.html
reports/latest_release_integrity_manifest.html
reports/latest_status_conflict_audit.html
submission/POST_ACTION_EVIDENCE_LOG_TEMPLATE.md
reports/latest_devpost_submission_packet.html
reports/latest_final_go_no_go.html
reports/latest_local_spl_query_results.html
reports/latest_public_candidate_zip_manifest.html
reports/latest_submission_url_apply_plan.html
python -m unittest discover -s tests
python scripts\validate_submission_packet.py
This regenerates local outputs, runs the local SPL-equivalent query pack, validates claim boundaries, tests the package, checks screenshot/HTML essentials, and scans the public candidate for internal paths or secret-like strings.
It also checks the demo video script timing, screen safety checklist, video screen safety checklist, safe Splunk MCP claim wording, claim evidence matrix, explicit video command plan, video cue sheet, video dry run, video recording preview, video upload metadata, public video upload preflight, external approval packet, public repository publication command plan, public repo metadata, public repo publish brief, public repo publication preflight, public repo dry run, guarded public repo publication helper, URL writeback dry run, public launch snapshot, live Splunk/MCP proof command plan, live Splunk/MCP proof brief, live Splunk/MCP prompt pack, live Splunk/MCP proof capture manifest, submission gate ledger, submission deadline burndown, judge quickstart, judge scorecard, launch decision brief, next approval packet, approval consistency audit, status conflict audit, content rights and asset safety, eligibility and compliance, human confirmation checklist, Devpost final submission command plan, Devpost manual fill/readback brief, Devpost final review checklist, post-action evidence brief, post-action evidence log template, official source freshness, and release integrity manifest before any recording, upload, publication, URL writeback, or Devpost submission.
It also validates the local Splunk app candidate, including default/indexes.conf, default/props.conf, saved searches, dashboard XML, and the generated .spl package.
After importing data/splunk_agentops_events.csv into an agentops_events index, start with:
index=agentops_events risk_score>=70 | table _time component run_id event_type risk_score policy_decision evidence_ref message
See submission/SPL_QUERIES.md for the full demo query pack.
See submission/SPLUNK_MCP_PROMPT_PACK.md for the optional live MCP proof prompts, expected citations, success readbacks, and stop conditions.
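One way to express the ledger rule described earlier (every proposed action cites Splunk evidence and carries an approval state) against rows shaped like the `risk_score>=70` search above. This is an added example, not code from this repository: the column names come from the query, while the row values, action kinds, approval-state words and the `HIGH_IMPACT` set are assumptions.

```python
"""Added example: evidence-and-approval gate for a remediation ledger.

Column names follow the SPL query on this page. All row values, the
approval-state words and the HIGH_IMPACT set are assumptions for illustration.
"""
import csv
import io

# Constructed sample rows (not the project's data), shaped like the CSV export.
SAMPLE_CSV = """_time,component,run_id,event_type,risk_score,policy_decision,evidence_ref,message
2026-01-01T10:00:00Z,checkout-api,run-1,deploy_completed,82,allow,ev-001,release finished
2026-01-01T10:03:00Z,checkout-api,run-1,http_5xx_spike,91,allow,ev-002,5xx rate above baseline
2026-01-01T10:04:00Z,edge,run-1,packet_loss,40,allow,ev-003,minor packet loss
2026-01-01T10:05:00Z,mcp-runtime,run-1,tool_call,97,block,ev-004,token=EXAMPLE read attempt
"""

# Constructed ledger of AI-proposed actions; ids, kinds and states are hypothetical.
SAMPLE_LEDGER = [
    {"id": "a1", "kind": "rollback", "evidence_refs": ["ev-001", "ev-002"], "approval_state": "pending"},
    {"id": "a2", "kind": "ticket", "evidence_refs": ["ev-002"], "approval_state": "pending"},
    {"id": "a3", "kind": "waf_watch", "evidence_refs": ["ev-003"], "approval_state": "approved"},
    {"id": "a4", "kind": "credential_read", "evidence_refs": ["ev-004"], "approval_state": "approved"},
    {"id": "a5", "kind": "rollback", "evidence_refs": [], "approval_state": "approved"},
]

HIGH_IMPACT = {"rollback", "waf_watch"}  # assumed: kinds that need a human


def high_risk_events(csv_text, threshold=70):
    """Local equivalent of the page's `risk_score>=70` search, keyed by evidence_ref."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["evidence_ref"]: r for r in rows if int(r["risk_score"]) >= threshold}


def redact(message):
    """Keep the audit message but mask any key=value token in it."""
    return " ".join("[REDACTED]" if "=" in word else word for word in message.split())


def gate(action, evidence):
    """Return (decision, reason) for one proposed ledger entry."""
    refs = action.get("evidence_refs", [])
    missing = [r for r in refs if r not in evidence]
    if not refs or missing:
        return "reject", f"uncited or unresolved evidence: {missing or 'none given'}"
    if any(evidence[r]["policy_decision"] == "block" for r in refs):
        # Blocked tool attempts never run; the redacted message is kept for audit.
        return "blocked", "; ".join(redact(evidence[r]["message"]) for r in refs)
    if action["kind"] in HIGH_IMPACT and action.get("approval_state") != "approved":
        return "hold", "high-impact action awaiting human approval"
    return "execute", "evidence resolved and approval satisfied"


def review_ledger(ledger, csv_text=SAMPLE_CSV):
    """Gate every entry against the rows the high-risk search returns."""
    evidence = high_risk_events(csv_text)
    return {a["id"]: gate(a, evidence) for a in ledger}


if __name__ == "__main__":
    for action_id, (decision, reason) in review_ledger(SAMPLE_LEDGER).items():
        print(action_id, decision, reason)
```

Entry `a4` carries an "approved" state yet is still blocked, because the policy decision on the cited event is checked before the approval state; `a3` is rejected because its only citation falls below the search threshold.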
The repository also includes a local Splunk app candidate:
splunk_app/agentops_control_tower
It contains a Simple XML dashboard and saved searches for incident timeline, root-cause evidence, human-approved remediation ledger, MCP investigation context, and blast radius. Validate it locally with:
python scripts\validate_splunk_app.py
Package it locally into a reviewable .spl artifact without installing, uploading, publishing, or connecting it:
python scripts\package_splunk_app.py
This writes dist/agentops-control-tower-splunk-app.spl and reports/latest_splunk_app_package_manifest.html.
Before live Splunk access is approved, the same query intent can be checked locally with:
python scripts\run_local_spl_query_pack.py
This writes reports/latest_local_spl_query_results.html and .json as proof that the incident timeline, root-cause evidence, human-approved remediation ledger, Splunk MCP investigation context, and blast-radius queries all return concrete rows over the generated CSV.
Primary track:
- Observability
Secondary relevance:
- Platform & Developer Experience
- Security
Bonus target:
- Best Use of Splunk MCP Server
MCP Remediation Ledger provides auditability and guardrails for AI-proposed incident response actions.
The current repository state is local-only. The following actions require explicit user approval:
- Splunk account, Splunk Cloud, Splunk Enterprise, or Developer License setup.
- Splunk MCP Server configuration involving credentials.
- Public GitHub repository publication.
- Public demo video upload.
- Approved public URL writeback into local submission artifacts.
- Devpost registration, draft save, or final submission.
The preflight gate scripts\verify_public_repo_publication_gate.py records the exact public GitHub approval phrase, source-folder review, isolated staging confirmation, scan confirmation, public visibility confirmation, and explicit public git identity before publication. The guarded helper scripts\publish_public_repo_after_approval.py runs as a local rehearsal by default. Its execute mode is gated by the exact public GitHub approval phrase plus explicit public git identity arguments, and it should only be used after the clean public candidate, isolated TEMP staging, scans, publication preflight, and publication readback plan are reviewed.
Apache-2.0 candidate for public submission.
