Settings
The instrument, tuned. Connection, the arithmetic you own, the agent + models, and hand-back scheduling. The transport and exposure mode in force are always shown — never hidden.
● SAMPLE | Connecting…
Splunk connection
Splunk Cloud over the 443 web-REST proxy. Session login.
Host: —
Session: …
Version: Splunk Cloud 10.4
Round-trip: —
Transport mode: REST proxy
MCP Server not installed in this trial — identical searches run over the 443 REST proxy. Same senses, different transport.
What counts as blind
The arithmetic you own. now − last(dependency) > window ⇒ BLIND.
Aging threshold: 50% of window
Default window fallback: 24h
Dependency-unknown policy: visible gap (never green)
Quiet-by-design allowlist: none set
Health is arithmetic on real timestamps, never a model verdict. A sourcetype meant to be quiet can be allowlisted so idle ≠ blind; we flag aging before blind and you confirm intent.
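The health arithmetic described above, written out as an added example (not the product's own code): it applies the 24h fallback window, the 50% aging threshold, the never-green policy for unknown dependencies, and a quiet-by-design allowlist to constructed last-event timestamps; the dependency names, the allowlist entry and the QUIET label are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Defaults mirroring the settings shown on this page (constructed constants).
DEFAULT_WINDOW = timedelta(hours=24)   # "Default window fallback: 24h"
AGING_FRACTION = 0.5                   # "Aging threshold: 50% of window"
# Hypothetical quiet-by-design entry; the page itself has "none set".
ALLOWLIST: Set[str] = {"index=sec sourcetype=audit:quarterly"}


def grade(now: datetime, last_seen: Optional[datetime],
          window: Optional[timedelta] = None, name: str = "",
          allowlist: Set[str] = ALLOWLIST) -> str:
    """Pure timestamp arithmetic, no model verdict.
    Returns one of UNKNOWN, QUIET, GREEN, AGING, BLIND."""
    if last_seen is None:
        return "UNKNOWN"              # dependency-unknown policy: visible gap, never green
    w = window if window is not None else DEFAULT_WINDOW
    age = now - last_seen
    if age > w:
        status = "BLIND"              # now - last(dependency) > window
    elif age > w * AGING_FRACTION:
        status = "AGING"              # flagged before blind so intent can be confirmed
    else:
        status = "GREEN"
    if name in allowlist and status != "GREEN":
        return "QUIET"                # allowlisted: idle is not blind
    return status


def grade_map(now: datetime,
              deps: Dict[str, Tuple[Optional[datetime], Optional[timedelta]]],
              allowlist: Set[str] = ALLOWLIST) -> Dict[str, str]:
    """Grade every dependency of a gap map; None window means the fallback applies."""
    return {name: grade(now, last, win, name, allowlist)
            for name, (last, win) in deps.items()}


# Constructed sample: last event per dependency plus an optional per-dependency window.
NOW = datetime(2025, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEPS = {
    "index=main sourcetype=wineventlog":      (NOW - timedelta(hours=1), None),
    "index=net sourcetype=pan:traffic":       (NOW - timedelta(hours=13), None),
    "index=edr sourcetype=crowdstrike":       (NOW - timedelta(hours=30), None),
    "index=web sourcetype=access_combined":   (NOW - timedelta(hours=2), timedelta(hours=1)),
    "index=sec sourcetype=audit:quarterly":   (NOW - timedelta(days=40), None),
    "index=missing sourcetype=unknown":       (None, None),
}

if __name__ == "__main__":
    for dep, status in grade_map(NOW, SAMPLE_DEPS).items():
        print(f"{status:8} {dep}")
```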
Agent + models
Gemini accelerates the parse; Foundation-sec grades exposure.
Gemini (Vertex) project: —
Model: —
Regex-only mode
Foundation-sec Hosted Model: heuristic fallback
Gemini parses your SPL into dependencies — strip it out (regex-only) and a regex-extracted index=/sourcetype= still drives a correct map.
Hand-back + scheduling
Where the gap-map lands and how the meta-detection runs.
Lookup name: backstop_coverage.csv
Write mode: overwrite
Backstop schedule: */15 * * * *
Alert action: email
SAMPLE demo path
SAMPLE grades only the seeded Backstop Demo — detections over the sandbox index. Turn it off to grade your real saved searches live.