@dxvapor/pi-splunk-cloud-logs
Pi coding agent extension for querying Splunk Cloud logs via REST API. Supports OAuth2 client credentials and bearer token auth.
Package details
Install @dxvapor/pi-splunk-cloud-logs from npm and Pi will load the resources declared by the package manifest.
$ pi install npm:@dxvapor/pi-splunk-cloud-logs- Package
@dxvapor/pi-splunk-cloud-logs- Version
1.0.0- Published
- Apr 22, 2026
- Downloads
- 51/mo ยท 51/wk
- Author
- dxvapor
- License
- MIT
- Types
- extension
- Size
- 36.4 KB
- Dependencies
- 0 dependencies ยท 2 peers
Pi manifest JSON
{
"extensions": [
"./extensions"
]
}Security note
Pi packages can execute code and influence agent behavior. Review the source before installing third-party packages.
README
pi-splunk-cloud-logs
A pi coding agent extension that gives the LLM direct access to Splunk Cloud logs via the Splunk REST API.
Features
- ๐
splunk_searchโ Async SPL search with live progress polling - โก
splunk_oneshotโ Fast synchronous search for quick/narrow queries - ๐
splunk_list_indexesโ Discover available indexes before writing queries - ๐๏ธ
splunk_list_jobsโ Inspect recent search jobs - ๐ OAuth 2 client credentials (preferred) or static bearer token
- ๐ฅ๏ธ
/splunk-configโ Interactive TUI setup - ๐ฉบ
/splunk-testโ One-command connectivity check
Installation
pi install npm:@dxvapor/pi-splunk-cloud-logs
Or try it without installing:
pi -e npm:@dxvapor/pi-splunk-cloud-logs
Authentication
Option 1 โ OAuth 2 client credentials (recommended)
Create an OAuth 2.1 client in your Splunk Cloud instance (Settings โ Identity Provider โ Manage OAuth 2.0 Clients), then:
export SPLUNK_HOST=myorg.splunkcloud.com
export SPLUNK_CLIENT_ID=your-client-id
export SPLUNK_CLIENT_SECRET=your-client-secret
The extension automatically obtains and refreshes access tokens.
Option 2 โ Bearer token
Generate a token in Splunk Web (Settings โ Tokens), then:
export SPLUNK_HOST=myorg.splunkcloud.com
export SPLUNK_TOKEN=eyJ...
Optional
export SPLUNK_PORT=8089 # Default: 8089
Interactive setup
Alternatively, configure inside pi at runtime:
/splunk-config
Credentials entered via /splunk-config are stored in memory only and are
never written to disk or the session file.
Usage
After starting pi with the extension loaded, just describe what you need:
Search Splunk for HTTP 5xx errors in the last hour across all hosts.
List all Splunk indexes and show me which ones have data from today.
Show me the top 10 hosts by error count in the past 24 hours.
The LLM uses the registered tools to run SPL queries automatically.
Manual tool calls (for testing)
Run: splunk_list_indexes
Run: splunk_oneshot { "query": "index=main error | head 5", "earliestTime": "-15m" }
Commands
| Command | Description |
|---|---|
/splunk-config |
Interactive connection setup |
/splunk-test |
Test connectivity and show server info |
How it works
User prompt
โ
โผ
LLM decides to call splunk_search
โ
โโโ POST /services/search/jobs (create job)
โโโ GET /services/search/jobs/{sid} (poll status) โ repeats
โโโ GET /services/search/jobs/{sid}/results (fetch)
โ
โผ
Formatted results returned to LLM โ answer
For splunk_oneshot, the export endpoint is used instead for a single
round-trip response.
Environment Variables
| Variable | Required | Description |
|---|---|---|
SPLUNK_HOST |
โ | Splunk Cloud hostname (e.g. myorg.splunkcloud.com) |
SPLUNK_PORT |
โ | Management port. Default: 8089 |
SPLUNK_CLIENT_ID |
โ (OAuth) | OAuth 2 client ID |
SPLUNK_CLIENT_SECRET |
โ (OAuth) | OAuth 2 client secret |
SPLUNK_TOKEN |
โ (token) | Static bearer token |
Requirements
- Node.js โฅ 18 (for native
fetch) - pi coding agent installed globally
- Splunk Cloud Platform instance with REST API access on port 8089
Security notes
- Credentials entered via
/splunk-configare in-memory only. - OAuth tokens are cached in-process and refreshed automatically before expiry.
- TLS is always used (Splunk Cloud enforces it).
- Store long-lived secrets in environment variables, not in code or config files.
Contributing
Issues and PRs welcome at github.com/dxvapor/pi-splunk-cloud-logs.
License
MIT โ see LICENSE.