| name | splunk-inspector-expert |
| description | Interpret splunk-inspector findings and translate Splunk retention, RBAC, audit, search ACL, and auth posture into compliance evidence and remediation. |
| license | MIT |
Splunk Inspector Expert
Use this skill when reviewing splunk-inspector output or planning Splunk logging and access-control remediation.
Output Shape
Findings are written to:
~/.cache/claude-grc/findings/splunk-inspector/<run_id>.json
Resource types:
splunk_deployment
splunk_index
splunk_role
Control Focus
LOG-05: log retention
LOG-08: audit event coverage
IAC-07: role and saved-search access control
IAC-04: SSO / authentication method visibility
Review Guidance
- Treat missing API permissions as coverage gaps, not passes.
- Confirm retention expectations with the user's regulatory and incident-response needs before accepting short retention.
- Broad capabilities such as
admin_all_objects, edit_roles, and indexes_edit require owner review.
- Local authentication may be valid for break-glass accounts, but should be documented and monitored.
Remediation Patterns
- Increase retention on regulated or security-relevant indexes.
- Preserve
_audit data and export it where long-term retention is required.
- Restrict broad role capabilities and review inherited roles.
- Limit saved-search sharing and write access.
- Prefer SAML/LDAP/SSO-backed authentication for normal users.