Settings

The instrument, tuned. Connection, the arithmetic you own, the agent + models, and hand-back scheduling. The transport and exposure mode in force are always shown — never hidden.

Splunk connection

Splunk Cloud over the 443 web-REST proxy. Session login.
Host
Session
Version: Splunk Cloud 10.4
Round-trip
Transport mode: REST proxy
MCP Server not installed in this trial — identical searches run over the 443 REST proxy. Same senses, different transport.

What counts as blind

The arithmetic you own. now − last(dependency) > window ⇒ BLIND.
Aging threshold: 50% of window
Default window: fallback-24h
Dependency-unknown policy: visible gap (never green)
Quiet-by-design allowlist: none set
Health is arithmetic on real timestamps, never a model verdict. A sourcetype meant to be quiet can be allowlisted so idle ≠ blind; we flag aging before blind and you confirm intent.
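
The arithmetic above, carried through as an added Python example (not the product's own code). The state names other than BLIND, the severity ordering, the reading of "fallback-24h" as a 24-hour default, and grading an allowlisted source as QUIET once it passes the aging threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

AGING_FRACTION = 0.5                  # page: aging threshold is 50% of window
DEFAULT_WINDOW = timedelta(hours=24)  # assumed reading of "fallback-24h"
# Assumed names and ordering, least to most severe; only BLIND is the page's term.
SEVERITY = ["OK", "QUIET", "AGING", "GAP", "BLIND"]

def grade_dependency(now, last_seen, window=None, allowlisted=False):
    """Grade one index/sourcetype dependency from timestamps alone."""
    if window is None:
        window = DEFAULT_WINDOW
    if last_seen is None:
        grade = "BLIND"  # assumption: a source never seen has no last() to age from
    else:
        age = now - last_seen
        if age > window:                      # now - last(dependency) > window
            grade = "BLIND"
        elif age > window * AGING_FRACTION:   # flagged before it goes blind
            grade = "AGING"
        else:
            grade = "OK"
    # Quiet-by-design allowlist: idle is not blind for sources confirmed quiet.
    if allowlisted and grade in ("AGING", "BLIND"):
        return "QUIET"
    return grade

def grade_detection(now, deps, last_seen, windows=None, allowlist=frozenset()):
    """Grade a saved search as the worst grade among its dependencies."""
    if not deps:
        return "GAP"  # dependency-unknown policy: visible gap, never green
    windows = windows or {}
    grades = [grade_dependency(now, last_seen.get(d), windows.get(d), d in allowlist)
              for d in deps]
    return max(grades, key=SEVERITY.index)

# Constructed sample data: (index, sourcetype) pairs and last-event times.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {
    ("auth", "linux_secure"): NOW - timedelta(hours=2),
    ("net", "firewall"): NOW - timedelta(hours=14),
    ("edr", "agent"): NOW - timedelta(hours=30),
    ("hr", "badge"): NOW - timedelta(hours=30),
}
ALLOWLIST = frozenset({("hr", "badge")})

if __name__ == "__main__":
    for dep in LAST_SEEN:
        print(dep, grade_detection(NOW, [dep], LAST_SEEN, allowlist=ALLOWLIST))
```

The comparison is strict, so a source last seen exactly one window ago still grades AGING rather than BLIND.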

Agent + models

Gemini accelerates the parse; Foundation-sec grades exposure.
Gemini (Vertex) project
Model
Regex-only mode
Foundation-sec Hosted Model: heuristic fallback
Gemini parses your SPL into dependencies — strip it out (regex-only) and a regex-extracted index=/sourcetype= still drives a correct map.

Hand-back + scheduling

Where the gap-map lands and how the meta-detection runs.
Lookup name: backstop_coverage.csv
Write mode: overwrite
Backstop schedule: */15 * * * *
Alert action: email
SAMPLE demo path
SAMPLE grades only the seeded Backstop Demo — detections over the sandbox index. Turn it off to grade your real saved searches live.