AI-driven narrative investigation for Splunk. Ask questions in natural language, and OpsBlaze queries your Splunk instance, analyzes the results, and presents findings as a rich narrative with interactive charts.
Powered by Claude (via the Claude Agent SDK). Connects to Splunk via its REST API.
| Platform | Status |
|---|---|
| macOS (Apple Silicon & Intel) | Fully supported |
| Linux (x64, arm64) | Fully supported |

| Requirement | How to get it |
|---|---|
| Node.js 20+ | nodejs.org |
| Claude auth | Claude CLI (`npm install -g @anthropic-ai/claude-code` then run `claude auth login`) or an Anthropic API key |
| Splunk access | Management port (default 8089) |
The Claude CLI uses OAuth with a Claude Pro/Max subscription. Alternatively, set ANTHROPIC_API_KEY in .env for pay-per-use API billing.
```bash
# 1. Install and configure
node bin/setup.cjs
# 2. Start the server
node bin/opsblaze.cjs start
# 3. Open in your browser
open http://localhost:3000
```

The setup wizard walks you through connecting to Splunk, setting the server port, and optionally securing the API endpoint.
All commands are run from the project root:
| Command | Description |
|---|---|
| `node bin/opsblaze.cjs start` | Start the server in production mode (daemonized) |
| `node bin/opsblaze.cjs stop` | Stop the server |
| `node bin/opsblaze.cjs restart` | Restart the server |
| `node bin/opsblaze.cjs status` | Show PID, uptime, memory, restart count |
| `node bin/opsblaze.cjs logs` | Tail server logs |
| `node bin/opsblaze.cjs check` | Validate environment and prerequisites |
| `node bin/opsblaze.cjs dev` | Start in development mode with hot reload |
| `node bin/opsblaze.cjs install-splunk-viz` | Install optional Splunk visualization packages |
| `node bin/setup.cjs` | Re-run the setup wizard |

OpsBlaze uses Chart.js by default for rendering charts (line, area, bar, column, pie, single value, and table). No additional setup is required.
If you have access to the @splunk/visualizations npm packages, you can install them for a premium chart experience:
```bash
node bin/opsblaze.cjs install-splunk-viz
```

This installs the @splunk/visualizations packages and rebuilds the app. The change is automatic -- the app detects which renderer is available at build time and uses it. To switch back to Chart.js, uninstall the Splunk packages and rebuild.
The setup wizard also offers this as an optional step during initial configuration.
Note: The `@splunk/*` visualization packages are proprietary software published by Splunk Inc. and are subject to Splunk's own license terms. They are not included in or distributed with OpsBlaze. You are responsible for ensuring you have appropriate licensing before installing them.
All configuration lives in .env (created by the setup wizard). Key variables:
| Variable | Default | Description |
|---|---|---|
| `SPLUNK_HOST` | — | Splunk management host (required) |
| `SPLUNK_PORT` | `8089` | Splunk management port |
| `SPLUNK_SCHEME` | `https` | `https` or `http` |
| `SPLUNK_TOKEN` | — | Bearer auth token (use this or username/password) |
| `SPLUNK_USERNAME` | — | Splunk username (alternative to token) |
| `SPLUNK_PASSWORD` | — | Splunk password (alternative to token) |
| `SPLUNK_VERIFY_SSL` | `true` | Verify Splunk's SSL certificate |
| `ANTHROPIC_API_KEY` | — | Anthropic API key (optional alternative to Claude CLI) |
| `PORT` | `3000` | Server port |
| `HOST` | `127.0.0.1` | Bind address (use `0.0.0.0` for LAN access) |
| `OPSBLAZE_RATE_LIMIT` | `10` | Max chat requests per minute per IP |
| `OPSBLAZE_STREAM_TIMEOUT_MS` | `900000` | Max streaming duration (15 minutes) |
| `CLAUDE_MODEL` | `claude-opus-4-8` | Claude model to use |
| `CLAUDE_EFFORT` | `high` | Thinking effort: `low`, `medium`, `high`, `xhigh`, or `max` |
| `LOG_LEVEL` | `info` | Log verbosity: `fatal`, `error`, `warn`, `info`, `debug`, or `trace` |

See .env.example for the complete list of all available options with inline descriptions.
To configure manually instead of using the wizard, copy .env.example to .env and fill in the required values.
Run node bin/opsblaze.cjs check first -- it validates your entire setup in one shot.
Another process is using the port. Either stop it, or change PORT in .env:
```bash
# Find what's using it
lsof -i :3000
```

Or edit .env and change the PORT value to a different port (e.g. `PORT=3001`).
If you see "Claude CLI not found or not authenticated" at startup:
```bash
# Install the CLI
npm install -g @anthropic-ai/claude-code
# Authenticate (opens browser for OAuth)
claude
```

Alternatively, set ANTHROPIC_API_KEY in .env to use API key authentication instead of the CLI.
Verify your Splunk settings in .env:
- Is the host reachable? `curl -k https://your-splunk-host:8089/services/server/info`
- Is the port correct? Default management port is 8089, not 8000.
- Are credentials valid? Try logging into Splunk's web UI with the same credentials.
If the server can't find the frontend:
```bash
npm run build
node bin/opsblaze.cjs restart
```

- Clear your browser cache and hard-refresh (Cmd+Shift+R / Ctrl+Shift+R)
- Verify the build completed: check that `dist/client/index.html` exists
For active development with hot reload:
```bash
node bin/opsblaze.cjs dev
```

This starts both the Vite dev server (http://localhost:5173) and the Express backend (http://localhost:3000). Work from port 5173 -- Vite proxies API calls to the backend automatically.
Running dev will automatically stop a running production server, and vice versa.
OpsBlaze includes several layers of security hardening:
- Rate limiting -- Per-IP rate limits on chat, API, and skill extraction endpoints.
- Content Security Policy -- Strict CSP with `frame-ancestors 'none'`, no `unsafe-eval`.
- SPL safety validation -- Allowlist-based SPL command validation prevents dangerous Splunk queries.
- MCP server sandboxing -- Blocklists reject dangerous arguments (`--require`, `--eval`) and environment variables (`NODE_OPTIONS`, `LD_PRELOAD`) in user-configured MCP servers.
- Error sanitization -- API error responses only surface known validation messages, preventing internal detail leakage.
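
The MCP server blocklist described above can be pictured as a check run on each user-supplied server entry before it is launched. This is an added example, not OpsBlaze's own code: the function name `validateMcpServer`, the `{ command, args, env }` config shape, and the extra handling of Node's short flags `-r`/`-e` are assumptions.

```javascript
// Added example, not OpsBlaze source. validateMcpServer and the
// { command, args, env } config shape are assumptions for illustration.
const BLOCKED_ARGS = new Set(["--require", "--eval"]);       // named in the README
const BLOCKED_SHORT_ARGS = new Set(["-r", "-e"]);            // Node short aliases (added assumption)
const BLOCKED_ENV = new Set(["NODE_OPTIONS", "LD_PRELOAD"]); // named in the README

function validateMcpServer(cfg) {
  const problems = [];
  if (typeof cfg?.command !== "string" || cfg.command.trim() === "") {
    problems.push("command must be a non-empty string");
  }

  const args = cfg?.args ?? [];
  if (!Array.isArray(args) || args.some((a) => typeof a !== "string")) {
    problems.push("args must be an array of strings");
  } else {
    for (const arg of args) {
      // Compare the flag name only, so "--require=./x.js" is caught as well.
      const flag = arg.split("=", 1)[0];
      if (BLOCKED_ARGS.has(flag) || BLOCKED_SHORT_ARGS.has(flag)) {
        problems.push(`blocked argument: ${flag}`);
      }
    }
  }

  const env = cfg?.env ?? {};
  if (typeof env !== "object" || Array.isArray(env)) {
    problems.push("env must be an object of name/value pairs");
  } else {
    for (const name of Object.keys(env)) {
      // Normalise case and whitespace before the lookup (deliberately strict).
      if (BLOCKED_ENV.has(name.trim().toUpperCase())) {
        problems.push(`blocked environment variable: ${name}`);
      }
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample configs: one acceptable, one rejected twice over.
const samples = [
  { command: "node", args: ["server.js", "--port=4000"], env: { LOG_LEVEL: "info" } },
  { command: "node", args: ["--require=./hook.js", "server.js"], env: { NODE_OPTIONS: "--inspect" } },
];
for (const s of samples) console.log(validateMcpServer(s));
```

Returning every problem found, rather than stopping at the first, lets the caller log the full reason a server entry was refused.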
See SECURITY.md for the vulnerability reporting policy.
Contributions are welcome. Please read CONTRIBUTING.md for guidelines. Open an issue first to discuss what you'd like to change, then submit a pull request.
Splunk is a registered trademark of Splunk Inc. in the United States and other countries. Splunk Inc. is a wholly owned subsidiary of Cisco Systems, Inc. This project is not affiliated with, endorsed by, or sponsored by Splunk Inc. or Cisco Systems, Inc.
All other trademarks are the property of their respective owners.
Jesse Galliers -- @jagalliers
Licensed under the Apache License 2.0.