Purpose-Built Agents

Pre-configured agents for Splunk tasks — Search Ninja, Splunk Sensei, BOTS Hunter, Data Explorer, Docs Copilot, GDI Onboarding, App Deployment

Deslicer ships with purpose-built agents, each tuned for a specific Splunk domain. They come pre-configured with system prompts, tools, and integrations.


Search Ninja

SPL query expert. Generates, optimizes, and explains SPL. Runs queries against your live Splunk via MCP, generates and tests regex for field extractions, references CIM data models, and follows best practices.

Requires: Splunk MCP, Regex for Splunk MCP

Use when: You need to write, refine, or debug SPL queries. Ideal for analysts and developers working with Splunk search.

Splunk Sensei

Splunk learning assistant. Runs interactive quizzes, SPL challenges, and certification prep (SPLK-1001 through SPLK-4001). Tracks your progress with points and badges. Builds personalized study plans.

Requires: Exa Web Search, Splunk MCP (optional for live practice)

Use when: You're studying for Splunk certifications, onboarding new team members, or want interactive SPL practice.

BOTS Hunter

SOC analyst for Splunk Boss of the SOC (BOTS) style investigations. Discovers indexes and sourcetypes on first interaction. Runs investigation workflows with IOC enrichment, evidence chains, and MITRE ATT&CK mapping.

Requires: Splunk MCP, VirusTotal MCP, Censys MCP, Exa Web Search

Use when: You're doing security analysis, threat hunting, or investigating anomalous behavior. Built for security analysts and SOC teams.

Splunk Data Explorer

Data exploration agent. Discovers indexes, sourcetypes, and fields. Infers data types and use cases. Suggests KPIs, CIM mappings, saved searches, and dashboards based on your data.

Requires: Splunk MCP

Use when: You're exploring unfamiliar data, assessing what's available in an index, or mapping data to CIM models.

Splunk Docs Copilot

Documentation-only assistant. Searches and cites official Splunk documentation including admin guides, SPL references, troubleshooting guides, CIM references, and Dashboard Studio topics. Does not modify your environment.

Requires: Splunk MCP (docs tools only)

Use when: You need to find specific Splunk documentation, look up SPL commands, or reference admin/troubleshooting guides without searching docs.splunk.com manually.

GDI Onboarding Agent

Splunk data onboarding specialist. Analyzes sample logs, matches CIM data models, and generates a complete deployment-ready config package. See Data Onboarding for the full workflow.

Requires: Splunk MCP, Regex for Splunk, GitHub (optional), Deslicer Observer (optional)

Generates:

  • inputs.conf — monitor stanzas for forwarders
  • props.conf — index-time and search-time parsing with Magic 8 compliance
  • transforms.conf — field extractions and lookups
  • tags.conf — CIM tagging
  • serverclass.conf — deployment server classes with host whitelists

Multi-app layout: Creates 4 Splunk apps per sourcetype — TA-{sourcetype}_inputs, TA-{sourcetype}_indexer, TA-{sourcetype}_search, TA-{sourcetype}_deployment.

Use when: You're onboarding new data sources, building deployment-ready Splunk app packages, or need CIM-compliant configs.

Splunk App Deployment Agent

Enterprise assistant for Splunk app onboarding and configuration management via the Deslicer Observer API. Inspects hosts, manages change plans with human-in-the-loop approvals, and generates reconciliation reports.

Requires: Deslicer Observer API

Use when: You're managing Splunk app deployments across multiple hosts and need change management with approval workflows.

Choosing the Right Agent

Task                         Agent
Write or debug SPL           Search Ninja
Learn Splunk / cert prep     Splunk Sensei
Security investigation       BOTS Hunter
Explore unfamiliar data      Data Explorer
Look up Splunk docs          Docs Copilot
Onboard new data sources     GDI Onboarding Agent
Manage app deployments       App Deployment Agent

You can also create custom agents or start from templates.
