Skip to content

JacobPEvans/VisiCore_TA_AI_Observability

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
default
default
 
 
lookups
lookups
 
 
metadata
metadata
 
 
scripts
scripts
 
 
.gitignore
.gitignore
 
 
CLAUDE.md
CLAUDE.md
 
 
README.md
README.md
 
 
app.manifest
app.manifest
 
 
renovate.json
renovate.json
 
 

Repository files navigation

VisiCore TA for AI Observability

Splunk Technology Add-on providing field extractions, OTel semantic convention aliases, macros, and lookups for AI coding tool observability. Companion to VisiCore_App_for_AI_Observability.

Architecture

Filesystem -> Cribl Edge -> Cribl Stream -> Splunk HEC -> Splunk Enterprise
   (JSON)      (packs)      (routing)       (port 8088)    (index=claude)

Knowledge Objects

  • props.conf - Field extractions for 20 sourcetypes (Claude, Gemini, Antigravity)
  • transforms.conf - Lookup definitions
  • macros.conf - 9 reusable search macros (index filters, token extraction, cost calc, tools, dedup, cache)
  • eventtypes.conf - 5 event types for Claude and Gemini events
  • tags.conf - ai/llm/genai tags for CIM compliance
  • lookups/ - Model pricing CSV for cost estimation

Token Model

Aligned with ccusage. Four token types:

Token Type Field Description
Input input_tokens Tokens sent to the model
Output output_tokens Tokens generated by the model
Cache Read cache_read_input_tokens Tokens read from prompt cache
Cache Creation cache_creation_input_tokens Tokens written to prompt cache

Deduplication via messageId:requestId composite key.

OTel Field Mapping

Native Field OTel Convention
message.model gen_ai.response.model
sessionId gen_ai.conversation.id
message.usage.input_tokens gen_ai.usage.input_tokens
message.usage.output_tokens gen_ai.usage.output_tokens
message.stop_reason gen_ai.response.finish_reasons
"anthropic" gen_ai.provider.name

CIM Data Model Mapping

Native Field CIM Field Data Model
type action Web, Change
message.model dest Web
sessionId session_id Web
"anthropic" vendor All
"claude_code" product All
tool name object, command Change
input.file_path object_path Change

Installation

Install this TA before the companion App:

splunk install app VisiCore_TA_AI_Observability-*.tar.gz
splunk restart

Ensure indexes exist: claude, gemini.

Usage

The TA provides macros for use in searches and dashboards:

  • `claude_assistant_events` - Base filter for Claude assistant messages
  • `extract_tokens` - Extract the 4 token types into convenience fields
  • `calculate_cost` - Model-aware cost calculation
  • `extract_tools` - Tool use extraction with CIM Change fields
  • `dedup_messages` - Deduplicate by messageId:requestId
  • `calculate_cache_pct` - Cache hit percentage calculation

Packaging

./scripts/package.sh

Produces a versioned tarball in build/.

References

About

The knowledge objects whisperer for your AI telemetry — field extractions, OTel aliases, macros, and lookups that make the magic happen

Topics

splunk gemini infrastructure-as-code claude cim opentelemetry nix-flakes ai-observability llm splunk-ta otel-genai field-extractions

Resources

Readme

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Mar 7, 2026

Packages

 
 
 

Contributors

Languages