Overview
DefenseClaw ships Splunk-oriented assets under the repository's observability/deploy tree and emits Splunk-ready data through two code paths:
- the `splunk-hec` audit sink, configured through `defenseclaw setup observability add splunk-hec`;
- `gateway.jsonl`, tailed by the Splunk Universal Forwarder with sourcetype `defenseclaw:gateway`.
HEC sink setup
```shell
defenseclaw setup observability add splunk-hec \
  --non-interactive \
  --host splunk.example.com \
  --port 8088 \
  --index defenseclaw \
  --source defenseclaw \
  --sourcetype _json \
  --token "$DEFENSECLAW_SPLUNK_HEC_TOKEN"
```
The writer stores the token in `~/.defenseclaw/.env` and writes an `audit_sinks[]` entry with kind `splunk_hec`.
Universal Forwarder setup
```ini
[monitor:///home/defenseclaw/.defenseclaw/gateway.jsonl]
sourcetype = defenseclaw:gateway
index = defenseclaw

[monitor:///home/defenseclaw/.defenseclaw/gateway.jsonl.*.gz]
sourcetype = defenseclaw:gateway
index = defenseclaw
```
`gatewaylog.Writer` emits line-delimited JSON, so Splunk field extraction can rely on standard JSON parsing.
What to search
| Question | Search starting point |
|---|---|
| Recent blocked guardrail decisions | index=defenseclaw (severity=HIGH OR severity=CRITICAL) |
| Sink delivery failures | index=defenseclaw event_type=error subsystem=sinks |
| Webhook cooldown suppression | index=defenseclaw code=WEBHOOK_COOLDOWN |
| Audit export validation | defenseclaw-gateway audit export --include-activity --limit 100 |
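Before relying on those searches, it helps to confirm offline that the log lines parse and that the fields the searches key on are present. The script below is an added example, not DefenseClaw's own code: it applies the same three predicates to `gateway.jsonl` and its rotated `.gz` siblings (the files the two monitor stanzas cover). The field names come from the table above; the record layout, field values and sample lines are constructed assumptions.

```python
import glob
import gzip
import json

# Predicates mirror the rows of the "What to search" table.
QUERIES = {
    "blocked_guardrail": lambda e: e.get("severity") in ("HIGH", "CRITICAL"),
    "sink_failures": lambda e: e.get("event_type") == "error"
    and e.get("subsystem") == "sinks",
    "webhook_cooldown": lambda e: e.get("code") == "WEBHOOK_COOLDOWN",
}

def triage(lines):
    """Return ({query: [matching events]}, count of unparsable lines)."""
    hits = {name: [] for name in QUERIES}
    bad = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            bad += 1  # torn line (e.g. mid-rotation) or non-object: count it, keep going
            continue
        for name, pred in QUERIES.items():
            if pred(event):
                hits[name].append(event)
    return hits, bad

def gateway_lines(path):
    """Yield lines from gateway.jsonl plus its gateway.jsonl.*.gz rotations,
    the same set of files the two Universal Forwarder monitor stanzas cover."""
    for p in [path] + sorted(glob.glob(path + ".*.gz")):
        opener = gzip.open if p.endswith(".gz") else open
        with opener(p, "rt", encoding="utf-8") as fh:
            yield from fh

# Constructed sample lines in the assumed record shape (not real DefenseClaw output).
SAMPLE_LINES = [
    '{"ts":"2024-01-01T00:00:00Z","event_type":"decision","severity":"HIGH","action":"block"}',
    '{"ts":"2024-01-01T00:00:01Z","event_type":"error","subsystem":"sinks","sink":"splunk_hec"}',
    '{"ts":"2024-01-01T00:00:02Z","event_type":"notify","code":"WEBHOOK_COOLDOWN","severity":"LOW"}',
    '{"ts":"2024-01-01T00:00:03Z","event_type":"decision","severity":"LOW"}',
    '{"ts":"2024-01-01T00:00:04Z","event_type":"dec',  # torn line
]
if __name__ == "__main__":
    print({k: len(v) for k, v in triage(SAMPLE_LINES)[0].items()})
```

On a real host, replace `SAMPLE_LINES` with `gateway_lines("/home/defenseclaw/.defenseclaw/gateway.jsonl")`; a non-zero unparsable count points at partial writes or a rotation race worth checking before trusting the Splunk counts.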