debaditya-mohankudo

Splunk Intelligence MCP Server

Server Configuration

Environment variables read by the server. None is mandatory for startup, but SPLUNK_URL must be set before any live SPL query can run, and the SPLUNK_USE_LLM / SPLUNK_LLM_MODEL / SPLUNK_AGENT_MAX_ITER settings only matter for the optional standalone Ollama agent.

Name                     Required  Default               Description
LOG_LEVEL                No        DEBUG                 Log verbosity
SPLUNK_URL               No        (none)                Splunk base URL; required for live queries
SPLUNK_USE_LLM           No        false                 Set 'true' to enable the standalone Ollama agent (requires uv sync --extra llm)
SPLUNK_AUTH_PATH         No        ~/.splunk/auth.json   Path where the Splunk session cookie is persisted
SPLUNK_LLM_MODEL         No        qwen2.5:14b           Ollama model; only used when SPLUNK_USE_LLM=true
SPLUNK_COOKIE_NAME       No        splunkd_8089          Splunk session cookie name
SPLUNK_SPIKE_WINDOW      No        60                    Spike detection window (seconds)
SPLUNK_AGENT_MAX_ITER    No        10                    ReAct loop cap; only used when SPLUNK_USE_LLM=true
SPLUNK_SPIKE_THRESHOLD   No        10                    Events per window that trigger a spike

The file at SPLUNK_AUTH_PATH holds a live Splunk session cookie, so protect it like any other credential (restrictive file permissions, not checked into a repo or shared volume).
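The two SPLUNK_SPIKE_* variables are the only detector tuning the page documents, so it is worth seeing what they control. The following is an added example, not code from this project: it reads the two settings with the documented defaults (rejecting non-positive or non-integer values instead of silently falling back), then buckets Splunk JSON-export events into fixed windows and flags any window whose count reaches the threshold. The event shape (`_time`, `host`, `_raw`), the per-host grouping and the `>=` comparison are assumptions; the page does not say whether the server compares with `>=` or `>`, and the sample events are constructed.

```python
import os
from collections import Counter
from datetime import datetime, timezone


def load_spike_config(env=None):
    """Read SPLUNK_SPIKE_WINDOW and SPLUNK_SPIKE_THRESHOLD (defaults 60 and 10,
    as in the configuration table). Non-integer or non-positive values raise
    instead of falling back, so a typo cannot quietly disable the detector."""
    env = os.environ if env is None else env

    def positive_int(name, default):
        raw = env.get(name, str(default))
        try:
            value = int(raw)
        except ValueError:
            raise ValueError(f"{name} must be an integer, got {raw!r}") from None
        if value <= 0:
            raise ValueError(f"{name} must be positive, got {value}")
        return value

    return {
        "window": positive_int("SPLUNK_SPIKE_WINDOW", 60),
        "threshold": positive_int("SPLUNK_SPIKE_THRESHOLD", 10),
    }


def event_epoch(event):
    """Splunk JSON exports carry _time either as an ISO-8601 string or as an
    epoch number; normalise both to seconds since the epoch (assumed shape)."""
    t = event["_time"]
    if isinstance(t, (int, float)):
        return float(t)
    return datetime.fromisoformat(t).timestamp()


def detect_spikes(events, window, threshold, key=None):
    """Count events per fixed window of `window` seconds, optionally per value
    of `key` (e.g. "host"), and return the windows whose count reaches
    `threshold`. Assumption: a spike is count >= threshold."""
    counts = Counter()
    for ev in events:
        bucket = int(event_epoch(ev) // window) * window
        counts[(ev.get(key) if key else None, bucket)] += 1

    spikes = []
    ordered = sorted(counts.items(), key=lambda kv: (kv[0][1], str(kv[0][0])))
    for (group, bucket), n in ordered:
        if n >= threshold:
            spike = {
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "count": n,
            }
            if key:
                spike[key] = group
            spikes.append(spike)
    return spikes


# Constructed sample, not real Splunk data: 12 TLS errors on web-01 between
# 14:30:00 and 14:30:55 UTC, three more in the next minute, one stray event before.
SAMPLE_EVENTS = [
    {"_time": f"2024-05-01T14:30:{s:02d}+00:00", "host": "web-01",
     "_raw": "tls: certificate verify failed: unable to get local issuer certificate"}
    for s in range(0, 60, 5)
] + [
    {"_time": f"2024-05-01T14:31:{s:02d}+00:00", "host": "web-01",
     "_raw": "tls: handshake timeout"}
    for s in (10, 20, 30)
] + [
    {"_time": "2024-05-01T14:29:59+00:00", "host": "web-02", "_raw": "tls: handshake timeout"},
]


if __name__ == "__main__":
    cfg = load_spike_config()
    for spike in detect_spikes(SAMPLE_EVENTS, cfg["window"], cfg["threshold"], key="host"):
        print(spike)
```

With the defaults (60-second window, threshold 10) only the 14:30 minute on web-01 is reported; widening the window to 120 seconds merges the following minute into the same bucket, which is why the window size should be chosen against the expected baseline rate of the source rather than left at the default without thought.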

Capabilities

Features and capabilities supported by this server

Capability     Details
tools          { "listChanged": false }
prompts        { "listChanged": false }
resources      { "subscribe": false, "listChanged": false }
experimental   {}

Tools

Functions exposed to the LLM to take actions

splunk__investigate_start

Start a Splunk investigation. Loads events, runs detectors, returns structured findings for Claude to reason over.

Args:
  source: Path to a Splunk export file (JSON or CSV). Use this OR spl.
  spl: SPL query string for a live Splunk query. Requires SPLUNK_URL to be configured.
  earliest: Earliest time for the live query (default: -24h).
  latest: Latest time for the live query (default: now).
  repo_path: Optional path to the microservice source repo. When provided, the agent can call splunk__lsp_call_chain to trace error log sites back through the call graph. Leave empty to skip code cross-referencing.

Returns JSON with run_id and findings dict.

splunk__submit_report

Submit your investigation report and follow-up SPL queries to the server. The server stores the report, executes the queries, builds new findings, and returns either next findings (status=continue) or completion (status=done).

Args:
  run_id: The run_id returned by splunk__investigate_start.
  report: Your markdown investigation report, including a line "Confidence: High/Medium/Low".
  queries: List of follow-up SPL query strings. Each starts with a '-- area' comment line.

Returns JSON with either status=continue and the next findings, or status=done and a ui_url.

splunk__get_findings

Get current findings from the active investigation session. Use this to inspect the latest detector output mid-loop.

splunk__pause

Pause the investigation after the current iteration completes.

splunk__query_examples

Return example SPL queries from past investigations stored in splunk.db. Use this to ground follow-up queries in field names and patterns that have actually worked against this Splunk environment.

Args:
  area: Filter by area label (e.g. "tls", "cert", "auth"). Empty = all areas.
  limit: Maximum number of examples to return (default 20).

Returns JSON list of {area, spl, result_rows, run_id, iteration} sorted by most recent first. result_rows is the event count the query returned, or null if it was never executed.

splunk__lsp_call_chain

Trace a function or symbol through the microservice call graph using LSP. Use this during the Reason step to find which code path produced a log error.

Args:
  run_id: Active investigation run_id.
  symbol: Function or class name to look up (e.g. "validate_cert", "TLSHandler").
  file_path: Optional absolute path to the file containing the symbol. Speeds up lookup.
  line: Optional 1-based line number of the symbol definition.
  direction: "callers" (who calls this?) or "callees" (what does this call?). Default: callers.
  depth: How many levels up/down to trace. Default: 3.

Returns JSON with the call chain and file locations, or an error if repo_path was not provided at investigate_start or if the symbol cannot be resolved.

splunk__hint

Inject an analyst hint into the investigation for the next iteration. The hint is included in the findings passed to the next reasoning step. Example: "focus on web-01 cert chain errors after 14:30 UTC"
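The splunk__submit_report and splunk__query_examples descriptions above share one convention: every follow-up query opens with a '-- area' comment, and that area label is what query_examples later filters on, while the report must carry a "Confidence: High/Medium/Low" line. The following is an added example, not part of this project, of a client-side pre-check that enforces both before a submit_report call is made. The regular expressions, the lower-casing of the label, the `arguments` wrapper and the sample report and SPL strings are all assumptions; the server's own validation, if any, is not described on the page.

```python
import re

# The report must state its confidence on one line with one of the three
# documented values.
CONFIDENCE_RE = re.compile(r"^Confidence:\s*(High|Medium|Low)\s*$", re.MULTILINE)
# Each follow-up query must start with a '-- area' comment line; the label is
# what splunk__query_examples filters on (e.g. "tls", "cert", "auth").
AREA_RE = re.compile(r"^--\s*([A-Za-z0-9_.-]+)\s*$")


def extract_area(spl):
    """Return the lower-cased area label from a query's leading '-- area'
    comment, or None if the first non-blank line is not such a comment."""
    first = next((line for line in spl.splitlines() if line.strip()), "")
    match = AREA_RE.match(first.strip())
    return match.group(1).lower() if match else None


def validate_submission(report, queries):
    """Client-side pre-check of a submit_report payload. Returns a list of
    problems; an empty list means the documented contract is satisfied."""
    problems = []
    if not CONFIDENCE_RE.search(report):
        problems.append("report has no 'Confidence: High/Medium/Low' line")
    for i, spl in enumerate(queries):
        if extract_area(spl) is None:
            problems.append(f"queries[{i}] does not start with a '-- area' comment line")
    return problems


def build_submission(run_id, report, queries):
    """Assemble the three submit_report arguments after validation, plus a
    summary of the confidence stated and the areas the queries cover.
    Raises ValueError describing every problem found when the payload is bad."""
    problems = validate_submission(report, queries)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "arguments": {"run_id": run_id, "report": report, "queries": list(queries)},
        "confidence": CONFIDENCE_RE.search(report).group(1),
        "areas": [extract_area(q) for q in queries],
    }


# Constructed sample report and SPL; the field names are illustrative and not
# taken from the project's splunk.db.
SAMPLE_REPORT = (
    "# Iteration 1\n\n"
    "web-01 shows a burst of certificate chain errors starting 14:30 UTC.\n"
    "No matching change on the other hosts yet.\n\n"
    "Confidence: Medium\n"
)
SAMPLE_QUERIES = [
    '-- tls\nindex=main host=web-01 "certificate verify failed" | stats count by host',
    "-- auth\nindex=main sourcetype=auth action=failure | stats count by user",
]


if __name__ == "__main__":
    print(build_submission("run-0001", SAMPLE_REPORT, SAMPLE_QUERIES))
```

Running the check before calling the tool keeps a malformed query from being stored in splunk.db with a missing or misspelled area, which would otherwise make it invisible to later query_examples filters.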

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources
