DropWatch
Splunk Agentic Ops · Observability

Provable correctness.
Clean signals.

DropWatch ships every flash-drop event to Splunk over HEC, then an LLM agent reads it back, scores drop health, flags oversell-bot subnets, and monitors its own reasoning.

0 oversold, by construction
75 drop-health, scored live
/24 oversell-bot subnet, caught
01 — How it works

An agent, not a dashboard

The same closed loop runs over any Splunk index. The flash drop is just the showcase payload.

01 Instrument: Every hot path emits a structured event: claim, hold, expiry, oversell-reject, waitlist, checkout.
02 Ship to Splunk: Events stream to Splunk over the HTTP Event Collector (HEC). Splunk is the system of record.
03 Reason: The agent pulls telemetry back via MCP, summarizes it, and an LLM scores drop health 0 to 100.
04 Act: It recommends one concrete fix, applies it in one click, and auto-pages on-call, writing the action back to Splunk.
pull → summarize → reason → score → recommend → apply → page
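The first two steps of the loop, as an added example (not DropWatch's own code): an oversell-proof claim ledger that emits the structured events listed above and packs them into newline-delimited Splunk HEC envelopes. The event fields, the sourcetype dropwatch:drop and the hold timeout are assumptions; the page only names the dropwatch:agent sourcetype.

```typescript
// Added example, not DropWatch's code. Event shape, sourcetype "dropwatch:drop"
// and the 300 s hold timeout are assumptions.

type EventKind = "claim" | "hold" | "expiry" | "oversell-reject" | "waitlist" | "checkout";

interface DropEvent {
  kind: EventKind;
  dropId: string;
  userId: string;
  ip: string;
  ts: number;        // epoch seconds
  remaining: number; // stock left once this event was applied
}

// One HEC envelope per event. The body POSTed to /services/collector/event is
// these objects serialized and newline-joined, with "Authorization: Splunk <token>".
interface HecEnvelope {
  time: number;
  host: string;
  source: string;
  sourcetype: string;
  event: DropEvent;
}

class DropLedger {
  private remaining: number;
  private holds: Record<string, number> = {}; // userId -> hold expiry (epoch s)
  readonly events: DropEvent[] = [];

  constructor(readonly dropId: string, stock: number, private readonly holdSeconds = 300) {
    this.remaining = stock;
  }

  // A claim is decided in one synchronous step against a single counter, so
  // `remaining` never drops below zero: oversell is rejected up front, not
  // reconciled later. That is what "0 oversold, by construction" means.
  claim(userId: string, ip: string, ts: number): EventKind {
    this.expireHolds(ts);
    this.emit("claim", userId, ip, ts);
    if (this.remaining === 0) {
      this.emit("oversell-reject", userId, ip, ts);
      this.emit("waitlist", userId, ip, ts);
      return "oversell-reject";
    }
    this.remaining -= 1;
    this.holds[userId] = ts + this.holdSeconds;
    this.emit("hold", userId, ip, ts);
    return "hold";
  }

  // Checkout converts a live hold into a sale; a missing or expired hold fails closed.
  checkout(userId: string, ip: string, ts: number): boolean {
    this.expireHolds(ts);
    if (!(userId in this.holds)) return false;
    delete this.holds[userId];
    this.emit("checkout", userId, ip, ts);
    return true;
  }

  stockRemaining(): number {
    return this.remaining;
  }

  // Return expired holds to the pool before any decision is made.
  private expireHolds(now: number): void {
    for (const userId of Object.keys(this.holds)) {
      if (this.holds[userId] <= now) {
        delete this.holds[userId];
        this.remaining += 1;
        this.emit("expiry", userId, "-", now);
      }
    }
  }

  private emit(kind: EventKind, userId: string, ip: string, ts: number): void {
    this.events.push({ kind, dropId: this.dropId, userId, ip, ts, remaining: this.remaining });
  }
}

// Build the HEC body. Returning the string instead of POSTing keeps the example
// offline; a real shipper batches, retries on 503 and never logs the token.
function hecBatch(events: DropEvent[], host = "drop-api-1"): string {
  return events
    .map((e): HecEnvelope => ({ time: e.ts, host, source: "dropwatch", sourcetype: "dropwatch:drop", event: e }))
    .map((env) => JSON.stringify(env))
    .join("\n");
}

function demoLedger(): { outcomes: EventKind[]; ledger: DropLedger; body: string } {
  // Constructed traffic: stock of 2, four claimants, one checkout, one hold expiry.
  const ledger = new DropLedger("drop-42", 2);
  const outcomes = [
    ledger.claim("u1", "10.0.0.1", 100),
    ledger.claim("u2", "10.0.0.2", 101),
    ledger.claim("u3", "10.0.0.3", 102), // stock is 0: oversell-reject + waitlist
  ];
  ledger.checkout("u1", "10.0.0.1", 110);
  outcomes.push(ledger.claim("u4", "10.0.0.4", 500)); // u2's hold expired at 401, so this one holds
  return { outcomes, ledger, body: hecBatch(ledger.events) };
}
```

Every oversell-reject in the body is a genuine failed attempt, which is why the page can treat the reject stream as a clean signal for the bot-subnet detector downstream.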
02 — Beyond flash drops

One pattern, any telemetry

Works on any Splunk index

Under the drop-specific detectors sits a generic z-score anomaly detector that knows nothing about the flash-drop taxonomy. Point the same agent at any stream and it scores health, ranks anomalies, and pages on-call the same way.

App / services: error-rate spikes, latency
ITOps: queue depth, saturation
NetOps: packet drops, anomalies
Security: abuse + bot clusters
03 — What's new

Built for Splunk's latest AI capabilities

Recently shipped, all open source and exercised by the test suite.

Security: OWASP OAT-005 scalping detection
The oversell-bot cluster is raised as a security finding (OWASP Automated Threats OAT-005, Scalping) with a confidence score and a block action, reasoned by Splunk's Foundation-Sec model. Because oversell is rejected by construction, an oversell-reject event is never a false positive; the confidence score covers the attribution of those rejects to a bot subnet.
AI monitoring: Agent self-observability
DropWatch monitors its own agent: LLM tier, latency, token usage, estimated cost, confidence and drift, shipped to Splunk as dropwatch:agent. Parity with Splunk's AI Agent Monitoring.
MCP: Runnable MCP path + | dropwatch command
The agent pulls telemetry over the Splunk MCP run_splunk_search contract end to end, and | dropwatch runs the same detection natively in the Splunk search bar.
Detect: Anomaly detection + early warning
A baseline z-score detector flags off-pattern behavior on any index, and claim-rate velocity warns of a building stampede before it crosses the threshold.
Respond: Alert webhooks + packaged Splunk app
High-severity findings auto-page Slack or PagerDuty with the agent's reasoning, and an installable Splunk app runs the detectors natively on a schedule.
04 — Access

Join the waitlist

DropWatch is built in the open. Get early access and product updates.

Splunk HEC · MCP Server · Foundation-Sec · Next.js · DynamoDB · TypeScript
Built by Jerom Tom

Building DropWatch in the open: agentic observability for oversell-proof flash drops.