Workflow Templates
Pre-built workflow templates — Daily Health Check, Data Ingestion Monitor, ITSI Episode Analysis, Data Quality Check
Pre-built workflow templates automate common Splunk checks. Each template is a DAG (directed acyclic graph) of nodes, combining tool calls, evaluators, routers, and parallel branches, that ends in a structured report.
- Related: Understanding Workflows | Running Workflows | Visual Workflow Builder
Available Templates
Daily Health Check
Duration: 2–5 minutes | Complexity: Intermediate | Schedule: Recommended daily (0 9 * * * UTC)
Runs parallel checks across your Splunk deployment:
| Check | What It Does |
|---|---|
| Infrastructure Discovery | Maps search heads, indexers, and forwarders via REST |
| Indexer Health | Cluster health and searchability status |
| Search Head Resources | CPU and memory on search heads |
| License Usage | Consumption vs. quota |
| Data Ingestion | Ingestion rates and data freshness |
| Forwarder Connectivity | Connection status and throughput |
| Search Performance | Identifies slow searches |
All checks run in parallel, then merge at a join node. An evaluator assesses overall severity and a router branches to critical alert, warning report, or healthy summary.
Requires: Splunk MCP
Data Ingestion Monitor
Duration: 1–3 minutes | Complexity: Beginner
Identifies indexes and sourcetypes with no data in the last 60 minutes:
- Queries all indexes/sourcetypes and their latest event times.
- Evaluator flags a source as STALE if it has had no events for more than 60 minutes.
- Router branches to stale-source analysis or healthy report.
Output: List of stale indexes/sourcetypes, suggested SPL for investigation, and troubleshooting hints.
Requires: Splunk MCP
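The evaluator and router steps of this template, written out as an added example in Python. This is not the template's own code: the sample rows are constructed to look like the result of a `tstats latest(_time) BY index, sourcetype` search (epoch times already converted to ISO-8601 UTC strings), the "now" timestamp is pinned so the output is deterministic, and the `stale_source_analysis` / `healthy_report` branch names are assumptions. Note that field values returned by a search are escaped before being embedded in the suggested SPL; an evaluator that builds SPL from data it did not author should never splice raw values into a query string.

```python
"""Staleness evaluator for the Data Ingestion Monitor pattern.
Added example; not the template's own code."""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(minutes=60)   # the template's threshold
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # pinned so the example is deterministic

# Constructed rows shaped like the result of
#   | tstats latest(_time) AS latest_time BY index, sourcetype
# with latest_time converted to ISO-8601 UTC. latest_time is None for a source
# that is expected (e.g. listed in a lookup) but has produced no events at all.
SAMPLE_ROWS = [
    {"index": "main", "sourcetype": "syslog", "latest_time": "2024-05-01T08:58:00Z"},
    {"index": "wineventlog", "sourcetype": "WinEventLog:Security", "latest_time": "2024-05-01T07:15:00Z"},
    {"index": "firewall", "sourcetype": "pan:traffic", "latest_time": "2024-05-01T08:00:00Z"},  # exactly 60 min old
    {"index": "proxy", "sourcetype": "bluecoat:proxysg", "latest_time": None},
]


def parse_time(value):
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def spl_quote(value):
    # Values come back from search results, so escape backslashes and quotes
    # before embedding them in a new SPL string.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def suggest_spl(index, sourcetype):
    """SPL for the stale-source branch: hourly event counts for this source over the last day,
    so a gap can be told apart from a source that has been quiet all along."""
    return (f"| tstats count WHERE index={spl_quote(index)} sourcetype={spl_quote(sourcetype)} "
            f"earliest=-24h BY _time span=1h")


def evaluate_staleness(rows, now=NOW, threshold=STALE_AFTER):
    """Flag a source STALE when its newest event is strictly older than the threshold,
    or when it has no events at all. A source exactly at the threshold is not stale."""
    stale = []
    for row in rows:
        latest = parse_time(row["latest_time"])
        age = None if latest is None else now - latest
        if age is None or age > threshold:
            stale.append({
                "index": row["index"],
                "sourcetype": row["sourcetype"],
                "status": "STALE",
                "age_minutes": None if age is None else int(age.total_seconds() // 60),
                "suggested_spl": suggest_spl(row["index"], row["sourcetype"]),
            })
    return stale


def route(stale):
    """Router decision: stale-source analysis if anything is stale, otherwise the healthy report."""
    return "stale_source_analysis" if stale else "healthy_report"


if __name__ == "__main__":
    for s in evaluate_staleness(SAMPLE_ROWS):
        print(s["index"], s["sourcetype"], s["age_minutes"], s["suggested_spl"])
    print("route ->", route(evaluate_staleness(SAMPLE_ROWS)))
```

Run as-is, the `wineventlog` and `proxy` sources are flagged (105 minutes old and never seen, respectively) and the router takes the stale-source branch; `firewall`, sitting exactly on the 60-minute boundary, is not flagged.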
ITSI Episode Analysis
Duration: 2–5 minutes | Complexity: Intermediate
Analyzes IT Service Intelligence (ITSI) episodes for degraded services:
- Fetches episodes from itsi_summaryindex.
- Fetches KPI health per service (runs in parallel with step 1).
- Joins episode and KPI data.
- Agent analyzes: prioritizes by severity, infers root causes, outputs structured JSON.
- Agent generates a human-readable action plan with runbook steps.
Configuration: lookback_hours (default 24), min_severity (default 3)
Requires: Splunk MCP (with ITSI)
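The join and prioritisation steps with the two configuration parameters applied, as an added example in Python. This is not the template's code and does not use ITSI's real schema: the episode and KPI records, their field names (`episode_id`, `service_id`, `severity`, `last_time`, `kpi`, `health`) and the pinned "now" are all constructed for illustration. What it shows is the order of operations the template describes: drop episodes outside `lookback_hours`, drop those below `min_severity`, attach each service's KPI health, and sort by severity (highest first) before the agent step sees the JSON.

```python
"""Episode/KPI join and prioritisation for the ITSI Episode Analysis pattern.
Added example; field names are constructed, not ITSI's schema."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # pinned for deterministic output

# Constructed sample episodes (what step 1 would fetch).
EPISODES = [
    {"episode_id": "e1", "service_id": "svc-web", "severity": 5,
     "title": "Web latency", "last_time": "2024-05-01T08:30:00Z"},
    {"episode_id": "e2", "service_id": "svc-db", "severity": 3,
     "title": "DB slow queries", "last_time": "2024-05-01T06:00:00Z"},
    {"episode_id": "e3", "service_id": "svc-auth", "severity": 2,
     "title": "Auth warnings", "last_time": "2024-05-01T08:45:00Z"},   # below default min_severity
    {"episode_id": "e4", "service_id": "svc-db", "severity": 4,
     "title": "DB replication lag", "last_time": "2024-04-29T10:00:00Z"},  # outside default lookback
]

# Constructed per-service KPI health (what step 2 would fetch in parallel).
KPI_HEALTH = [
    {"service_id": "svc-web", "kpi": "response_time", "health": "critical"},
    {"service_id": "svc-web", "kpi": "error_rate", "health": "high"},
    {"service_id": "svc-db", "kpi": "query_latency", "health": "medium"},
]


def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze_episodes(episodes, kpi_health, lookback_hours=24, min_severity=3, now=NOW):
    """Join episodes with KPI health and return them ordered by severity (highest first),
    most recent first within the same severity. Defaults match the template's configuration."""
    cutoff = now - timedelta(hours=lookback_hours)

    kpis_by_service = {}
    for k in kpi_health:
        kpis_by_service.setdefault(k["service_id"], []).append({"kpi": k["kpi"], "health": k["health"]})

    selected = [e for e in episodes
                if e["severity"] >= min_severity and parse_time(e["last_time"]) >= cutoff]
    selected.sort(key=lambda e: (-e["severity"], -parse_time(e["last_time"]).timestamp()))

    return [
        {
            "episode_id": e["episode_id"],
            "service_id": e["service_id"],
            "severity": e["severity"],
            "title": e["title"],
            # Services with no KPI data still get reported; the list is just empty.
            "degraded_kpis": kpis_by_service.get(e["service_id"], []),
        }
        for e in selected
    ]


def to_json(report):
    """Structured output handed to the agent step."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(analyze_episodes(EPISODES, KPI_HEALTH)))
```

With the defaults, `e3` is dropped by `min_severity` and `e4` by `lookback_hours`, leaving `e1` (severity 5, two degraded KPIs) ahead of `e2`; widening the lookback to 72 hours brings `e4` back in between them.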
Data Quality Check
Duration: 5–7 minutes | Complexity: Intermediate | Schedule: Recommended hourly (0 * * * * UTC)
Runs 7 parallel data quality checks:
| Check | What It Detects |
|---|---|
| Ingestion Latency | Lag between event time and index time |
| Timestamp Parsing | Parsing errors and timezone mismatches |
| Line Breaking | Malformed or truncated multi-line events |
| Duplicates | Duplicate event detection |
| Time Issues | Future-dated events, clock skew |
| Field Coverage | Missing or inconsistent fields |
| Queue Pressure | Parsing and indexing queue backlogs |
Results merge at a join node. Evaluator assesses severity. Router branches to critical alert, warning report, or healthy summary.
Requires: Splunk MCP
How Workflow Nodes Work
Templates use these node types:
| Node Type | Purpose |
|---|---|
| start | Entry point |
| end | Exit point |
| tool | Executes an MCP tool call (e.g., run SPL query) |
| agent | AI agent reasoning step — analyzes data, generates reports |
| evaluator | Assesses conditions and sets severity/status |
| router | Conditional branching based on evaluator output |
| parallel_split | Forks execution into parallel branches |
| parallel_join | Waits for all parallel branches to complete, then merges results |
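To make the node types concrete, here is an added example of a small executor that walks a DAG built from exactly these node kinds, using the Data Quality Check shape (seven tool nodes fanned out by a `parallel_split`, merged at a `parallel_join`, then `evaluator` and `router` into one of three `agent` branches). It is illustration code, not the project's engine: the tool results are canned findings instead of SPL run through the Splunk MCP, the agent nodes are replaced by a deterministic formatter, and the node dictionary keys (`next`, `branches`, `join`, `on`, `routes`, `default`) are this example's own. One design point worth copying: the router falls back to the critical branch when the evaluator emits a severity it does not recognise, so an unexpected tool result fails closed instead of silently producing a healthy summary.

```python
"""Toy executor for the workflow node types: start, tool, agent, evaluator, router,
parallel_split, parallel_join, end. Added example; not the project's engine."""
from concurrent.futures import ThreadPoolExecutor

SEVERITY_RANK = {"healthy": 0, "warning": 1, "critical": 2}
ROUTES = {"critical": "critical_alert", "warning": "warning_report", "healthy": "healthy_summary"}

# Constructed findings standing in for the seven Data Quality Check tool calls.
# A real tool node would run SPL through the Splunk MCP; here each returns a canned result.
SAMPLE_RESULTS = {
    "Ingestion Latency": ("warning", "p95 index lag 420s on index=firewall"),
    "Timestamp Parsing": ("healthy", "no DateParserVerbose warnings"),
    "Line Breaking": ("healthy", "no truncated events"),
    "Duplicates": ("healthy", "0 duplicate groups"),
    "Time Issues": ("warning", "37 events with _time in the future"),
    "Field Coverage": ("healthy", "all expected fields present"),
    "Queue Pressure": ("healthy", "queues under 10% full"),
}


def make_tool(name, severity, detail):
    return lambda ctx: {"check": name, "severity": severity, "detail": detail}


def evaluator(ctx):
    """Overall severity is the worst finding. An unrecognised label becomes 'unknown'
    so the router can fail closed instead of crashing or defaulting to healthy."""
    findings = ctx["join"]
    labels = {f["severity"] for f in findings}
    severity = max(labels, key=SEVERITY_RANK.__getitem__) if labels <= set(SEVERITY_RANK) else "unknown"
    return {"severity": severity, "failing": [f["check"] for f in findings if f["severity"] != "healthy"]}


def summarize(label):
    # Stand-in for the agent node's report; in the real workflow this is an LLM step.
    return lambda ctx: f"{label}: " + (", ".join(ctx["evaluate"]["failing"]) or "all checks passed")


def build_workflow(results):
    """Assemble the DAG: start -> split -> [tools] -> join -> evaluate -> route -> agent -> end."""
    tool_ids = [name.lower().replace(" ", "_") for name in results]
    wf = {
        "start": {"type": "start", "next": "split"},
        "split": {"type": "parallel_split", "branches": tool_ids, "join": "join"},
        "join": {"type": "parallel_join", "next": "evaluate"},
        "evaluate": {"type": "evaluator", "fn": evaluator, "next": "route"},
        "route": {"type": "router", "on": "evaluate", "routes": ROUTES, "default": "critical_alert"},
        "critical_alert": {"type": "agent", "fn": summarize("CRITICAL"), "next": "end"},
        "warning_report": {"type": "agent", "fn": summarize("WARNING"), "next": "end"},
        "healthy_summary": {"type": "agent", "fn": summarize("HEALTHY"), "next": "end"},
        "end": {"type": "end"},
    }
    for tool_id, (name, (sev, detail)) in zip(tool_ids, results.items()):
        wf[tool_id] = {"type": "tool", "fn": make_tool(name, sev, detail)}  # executed by the split
    return wf


def run_workflow(wf):
    """Walk the DAG from start to end. Returns the accumulated context and the node path taken."""
    ctx, path, node_id = {}, [], "start"
    while True:
        node = wf[node_id]
        path.append(node_id)
        kind = node["type"]
        if kind == "end":
            return ctx, path
        if kind in ("start", "parallel_join"):
            node_id = node["next"]
        elif kind == "parallel_split":
            with ThreadPoolExecutor() as pool:  # branches genuinely run concurrently
                ctx[node["join"]] = list(pool.map(lambda b: wf[b]["fn"](ctx), node["branches"]))
            node_id = node["join"]
        elif kind in ("tool", "evaluator", "agent"):
            ctx[node_id] = node["fn"](ctx)
            node_id = node["next"]
        elif kind == "router":
            node_id = node["routes"].get(ctx[node["on"]]["severity"], node["default"])
        else:
            raise ValueError(f"unknown node type: {kind}")


if __name__ == "__main__":
    context, taken = run_workflow(build_workflow(SAMPLE_RESULTS))
    print(" -> ".join(taken))
    print(context[taken[-2]])
```

With the sample findings the path is `start -> split -> join -> evaluate -> route -> warning_report -> end` and the report reads `WARNING: Ingestion Latency, Time Issues`; flip one finding to `critical` and the router takes the critical branch, set them all to `healthy` and it produces the healthy summary.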
Roadmap Workflows
Additional workflows planned:
- Security Investigation — correlate security events, identify anomalies
- Performance Troubleshooting — trace slow searches to root cause
- Capacity Planning — usage trends and growth projections
- Data Onboarding Validation — validate new data sources before go-live
- License Optimization — usage analysis and recommendations
Choosing a Template
| Need | Template |
|---|---|
| Routine morning check | Daily Health Check |
| Missing data alerts | Data Ingestion Monitor |
| ITSI service degradation | ITSI Episode Analysis |
| Data quality audit | Data Quality Check |