splunk-observability-aws-integration
- Repo stars 0
- Author updated Live
- Author repo skills-registry
- Domain
- Other
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @tomevault-io · no license declared
- Token usage
- Lean
- Setup complexity
- Manual integration
- External API key
- Required · AWS
- Operating systems
- Unspecified (assume cross-platform)
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Shell exec
- Network behavior
- External requests
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: splunk-observability-aws-integration
description: >- Use when this capability is needed. Render-first skill that owns the entire AWSCloudWatch int…
category: other
runtime: no special runtime
---
# splunk-observability-aws-integration output preview
## PART A: Task fit
- Use case: >- Use when this capability is needed. Render-first skill that owns the entire AWSCloudWatch integration object in Splunk Observability Cloud. The skill is standalone reusable and does not requires AWS API key. Works with Claude Code, Cursor, Cline and 23 more..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Coverage Model / Safety Rules / Five-mode UX” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “>- Use when this capability is needed. Render-first skill that owns the entire AWSCloudWatch integration object in Splunk Observability Cloud. The skill is standalone reusable and does not requires AWS API key. Works with Claude Code, Cursor, Cline and 23 more.”.
- **02** When the source has headings, the agent prioritizes “Coverage Model / Safety Rules / Five-mode UX” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files, run shell commands; may access external network resources; requires AWS API keys.
## Running Rules
- read files, write/modify files, run shell commands; may access external network resources; requires AWS API keys.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source mentions slash commands such as `/v2`, `/tmp`; use them first when your agent supports command triggers.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files, run shell commands.
Start with a small task and check whether the result follows “Coverage Model / Safety Rules / Five-mode UX”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: splunk-observability-aws-integration
description: >- Use when this capability is needed. Render-first skill that owns the entire AWSCloudWatch int…
category: other
source: tomevault-io/skills-registry
---
# splunk-observability-aws-integration
## When to use
- >- Use when this capability is needed. Render-first skill that owns the entire AWSCloudWatch integration object in Spl…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Coverage Model / Safety Rules / Five-mode UX” and keep inference separate from source facts.
- read files, write/modify files, run shell commands; may access external network resources; requires AWS API keys.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "splunk-observability-aws-integration" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Coverage Model / Safety Rules / Five-mode UX
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files, run shell commands | may access external network resources
guardrails -> requires AWS API keys + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Splunk Observability Cloud <-> AWS Integration
Render-first skill that owns the entire AWSCloudWatch integration object in
Splunk Observability Cloud. The skill is standalone reusable and does not
require any other Splunk Observability skill to run, but it hands off to other
skills for adjacent surfaces (logs, Lambda APM, dashboards, detectors, OTel
collectors).
The workflow is render-first by default. Live API changes only happen when the
user explicitly asks for --apply.
Coverage Model
Every rendered section gets an explicit coverage status in
coverage-report.json:
api_apply— a documented public REST API supports create / update / delete / validate (e.g.POST /v2/integration).api_validate— a documented public REST API supports read or validation only (e.g. preflightingec2:DescribeRegionspermission via the live integration's reported region list).deeplink— the skill renders a deterministic Splunk Observability Cloud UI link and validates referenced data where an API allows (e.g. the AWS guided-setup deeplink for AWS-managed Metric Streams).handoff— the skill renders deterministic operator steps for cross-skill workflows (e.g. logs path ->splunk-app-installforSplunk_TA_AWS).not_applicable— the section does not apply to the chosen target (e.g. Splunk-managed Metric Streams permissions whenconnection.modeispolling, or any AWS integration onrealm: us2-gcpbecause that realm is GCP-hosted and has no AWS STS region mapping).
Safety Rules
- Never ask for Splunk Observability tokens, AWS access keys, or AWS secret access keys in conversation.
- Never pass any secret on the command line or as an environment-variable prefix.
- Use
--token-filefor the Splunk Observability Cloud admin user API access token. Token files must bechmod 600. Override only with--allow-loose-token-perms(emits a WARN — use only for short-lived scratch tokens). - For
authentication.mode: security_token(GovCloud / China), use--aws-access-key-id-fileand--aws-secret-access-key-file. Both files must bechmod 600. - Reject direct secret flags:
--token,--access-token,--api-token,--o11y-token,--admin-token,--sf-token,--external-id,--aws-access-key-id,--aws-secret-access-key,--aws-secret-key,--password. - Prefer
SPLUNK_O11Y_REALMandSPLUNK_O11Y_TOKEN_FILEfrom the repocredentialsfile when present; these store only realms and token-file paths, never token values. - Strip every secret from
00-09-*.md,apply-plan.json,payloads/,current-state.json,state/apply-state.json, and any other rendered artifact on disk. The Splunk Observability admin token is referenced as${SPLUNK_O11Y_TOKEN_FILE}everywhere, never inlined. - The renderer FAILs render when the operator passes the deprecated
enableLogsSyncfield with a clear pointer to theSplunk_TA_AWShandoff. - The renderer FAILs render when
regions: [](the canonical schema rejects an empty list and Splunk highly discourages it because new AWS regions auto-onboard and inflate cost). bash skills/shared/scripts/write_secret_file.sh /tmp/splunk_o11y_tokenhelps the user create a token file without exposing the secret in shell history.
Five-mode UX
| Mode | Flag | Purpose |
|---|---|---|
| quickstart | --quickstart |
Single-shot: render + apply for the most common External-ID + Splunk-managed Metric Streams scenario. Always runs --discover first; pivots to --quickstart-from-live if an integration already exists. |
| render | --render (default) |
Produces the numbered plan tree under --output-dir. Never touches live state. |
| discover | --discover |
Read-only sweep that polls GET /v2/integration?type=AWSCloudWatch, writes current-state.json, and emits a drift-report.md against the rendered plan. |
| doctor | --doctor |
Runs the troubleshooting catalog and emits doctor-report.md with prioritized fixes and the exact setup.sh --apply command for each fix. |
| apply | --apply [SECTIONS] |
Applies the rendered plan; without arguments runs every section in dependency order; with --apply integration,iam,streams runs only the named sections. |
Plus quality-of-life flags:
--quickstart-from-live— turn the live integration into atemplate.observed.yamlthe operator can edit; never overwrites theirtemplate.example.--explain— print the apply plan in plain English, no API calls; for change-management approvals.--rollback <section>— render (do not auto-run) the reverse-engineered commands for steps that have a public reversible API.--list-namespaces— print the supported AWS service / namespace catalog (mirrorsreferences/namespaces-catalog.md).--list-recommended-stats— print the per-namespace per-metric stat catalog used bycollect_only_recommended_stats: true.--privatelink-domain {legacy,new}— picksignalfx.com(default; matches current Splunk-published PrivateLink doc) vsobservability.splunkcloud.comPrivateLink hostnames.--cfn-template-url URL— override the defaulthttps://o11y-public.s3.amazonaws.com/aws-cloudformation-templates/release/template_metric_streams_regional.yaml(or the StackSets equivalent whenmetric_streams.use_stack_sets: true).--accept-drift FIELD[,FIELD...]— needed for--applywhen discover shows the live integration differs from the rendered spec on a field with side effects (e.g. flippinguseMetricStreamsSync).
Primary Workflow
Collect non-secret values: realm, integration name, AWS account ID(s), IAM role name, regions, services list (or
all_built_in), connection mode (polling vs Splunk-managed Metric Streams vs AWS-managed Metric Streams), custom namespaces, multi-account toggle.Create or update a JSON / YAML spec from
template.example.Render and validate:
bash skills/splunk-observability-aws-integration/scripts/setup.sh \ --render \ --spec skills/splunk-observability-aws-integration/template.example \ --output-dir splunk-observability-aws-integration-renderedReview
splunk-observability-aws-integration-rendered/:README.md— TL;DR and ordered next-step commands.architecture.mmd— Mermaid topology of the rendered integration.00-prerequisites.mdthrough09-handoff.md— numbered per-section plans.coverage-report.json— per-section coverage status.apply-plan.json— apply ordering with idempotency keys (no secrets).payloads/— per-step request bodies for REST calls and CFN parameters.aws/— CloudFormation template stubs (regional or StackSets) and Terraform.tffiles for the AWS-side resources and the Splunk-side integration object.iam/— per-use-case IAM JSON (foundation, polling, streams, tag-sync, Cassandra-special-case, GovCloud security-token).scripts/— per-step apply scripts and cross-skill handoff drivers.support-tickets/— pre-filled tickets when Splunk Support is required.
Apply only when explicitly requested:
bash skills/splunk-observability-aws-integration/scripts/setup.sh \ --apply \ --spec skills/splunk-observability-aws-integration/template.example \ --realm us1 \ --token-file /tmp/splunk_o11y_admin_tokenTo run only a subset of sections:
bash skills/splunk-observability-aws-integration/scripts/setup.sh \ --apply integration,iam \ --spec my-aws-integration.yaml
Supported Sections
Specs use api_version: splunk-observability-aws-integration/v1 and can
include the following top-level blocks (full reference in
reference.md):
prerequisites— region/realm preflight, FedRAMP/GovCloud/GCP carve-out, IAM permission check stubs, CFN template URL HTTP HEAD probe.authentication—external_idorsecurity_tokenmode, AWS account ID, IAM role name, returned external ID.connection— polling vs Splunk-managed vs AWS-managed vs Terraform-only mode;pollRate,metadataPollRate,inactiveMetricsPollRate.regions— explicit AWS region list (cannot be empty).services—all_built_in/explicit/namespace_filtered/custom_only;collect_only_recommended_stats;metric_stats_to_syncs;namespace_sync_rules(for built-inAWS/*namespaces).custom_namespaces—simple_list(serializes tocustomCloudwatchNamespaces) ORsync_rules(serializes tocustomNamespaceSyncRules); they conflict.sync_custom_namespaces_onlytoggle.guards—enable_check_large_volume,ignore_all_status_metrics,sync_load_balancer_target_group_tags,enable_aws_usage.metric_streams—use_metric_streams_sync,managed_externally,named_token,cloudformation,cloudformation_template_url,use_stack_sets,terraform.private_link—enable,endpoint_types,service_name_overrides.terraform_provider—source(splunk-terraform/signalfx),version(~> 9.0default).multi_account—enabled,control_account_id,member_accounts,cfn_stacksets.handoffs—lambda_apm,logs_via_splunk_ta_aws,dashboards,detectors,otel_collector_for_ec2_eks.
Hand-offs to Other Skills
- AWS log ingestion ->
bash skills/splunk-app-install/scripts/install_app.sh --source splunkbase --app-id 1876(Splunk Add-on for AWS, Splunkbase 1876, min v8.1.1). Renderer preflights forSplunk_TA_amazon_security_lakeand emits an uninstall step before the v7+ upgrade. - Log Observer Connect to surface those logs in O11y ->
splunk-observability-cloud-integration-setup. - Native O11y dashboards for AWS namespaces ->
splunk-observability-dashboard-builder. - Detectors / AutoDetect alerting ->
splunk-observability-native-ops. - OTel collector on EC2 / EKS for richer host telemetry than
CWAgent->splunk-observability-otel-collector-setup. - Lambda APM via the Splunk OpenTelemetry Lambda layer (publisher
254067382080) ->splunk-observability-aws-lambda-apm-setup. Renderer emits a hand-off stub in09-handoff.md.
Out of Scope
- AWS log collection via the Splunk AWS log collector Lambda (handed off to
Splunk_TA_AWS; theenableLogsSyncAPI field is deprecated and rejected by the renderer). - Lambda APM instrumentation via the OpenTelemetry Lambda layer (handed off to
splunk-observability-aws-lambda-apm-setup). - Native O11y AWS dashboard / detector CRUD (handed off to
splunk-observability-dashboard-builderandsplunk-observability-native-ops). - AppDynamics for AWS workloads (separate AppDynamics SaaS workflow).
- Splunk Cloud Platform Data Manager AWS log onboarding (different product; Splunk Cloud Platform side, not Splunk Observability Cloud).
Validation
bash skills/splunk-observability-aws-integration/scripts/validate.sh \
--output-dir splunk-observability-aws-integration-rendered
Static checks: required-files, IAM JSON shape, secrets-leak scan across every
rendered file, CFN template URL HTTP HEAD probe (--live).
With --live: GET /v2/integration?type=AWSCloudWatch round-trip, drift
report against template.example.
See reference.md and the focused references under references/ for full
detail. The plan and corrections that produced this skill are recorded in
.cursor/plans/splunk_o11y_aws_integration_skill_*.plan.md.
Source: chambear2809/splunk-cisco-skills — distributed by TomeVault.
Decide Fit First
Design Intent
How To Use It
Boundaries And Review