chron-mcp 0.1.14 → 0.1.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,138 @@
1
+ # Chron → Splunk
2
+
3
+ Stream AI session telemetry from developer machines into Splunk via HTTP Event Collector (HEC). Works with Splunk Enterprise, Splunk Cloud, and a local Docker instance for testing.
4
+
5
+ ## Quickest way to see it working — Splunk Docker
6
+
7
+ The fastest path to visually verify the integration with no accounts or licenses:
8
+
9
+ ```bash
10
+ docker run -d \
11
+ --name splunk-chron \
12
+ --platform linux/amd64 \
13
+ -p 8000:8000 \
14
+ -p 8088:8088 \
15
+ -e SPLUNK_START_ARGS=--accept-license \
16
+ -e SPLUNK_PASSWORD=Admin1234! \
17
+ -e SPLUNK_HEC_TOKEN=chron-test-token \
18
+ splunk/splunk:latest
19
+ ```
20
+
21
+ > **Apple Silicon (M1/M2/M3):** The `--platform linux/amd64` flag is required — the Splunk image has no ARM64 manifest. Docker Desktop uses Rosetta 2 to emulate it automatically.
22
+
23
+ Wait ~2 minutes for Splunk to start, then:
24
+
25
+ ```bash
26
+ chron connect splunk
27
+ # URL: https://localhost:8088 ← HTTPS (Splunk 9.x uses SSL by default)
28
+ # Token: chron-test-token
29
+ ```
30
+
31
+ > Certificate verification is automatically skipped for localhost URLs — no extra flags needed.
32
+
33
+ Add to your MCP config and use your AI tool. Open [http://localhost:8000](http://localhost:8000) (admin / Admin1234!) and search:
34
+
35
+ ```
36
+ sourcetype="chron:event"
37
+ ```
38
+
39
+ Events appear in real time as you have AI conversations.
40
+
41
+ > Note: The default Docker image auto-creates a HEC token with the value you set in `SPLUNK_HEC_TOKEN`. If events aren't arriving, verify HEC is enabled under **Settings → Data Inputs → HTTP Event Collector**.
42
+
43
+ ---
44
+
45
+ ## Production setup — Splunk Enterprise or Cloud
46
+
47
+ ### Step 1 — Enable HTTP Event Collector
48
+
49
+ **Splunk Enterprise:** Settings → Data Inputs → HTTP Event Collector → Global Settings → Enable
50
+
51
+ **Splunk Cloud:** Settings → Data Inputs → HTTP Event Collector → New Token
52
+
53
+ ### Step 2 — Create a HEC token
54
+
55
+ 1. Settings → Data Inputs → HTTP Event Collector → New Token
56
+ 2. Name: `chron-ingest`
57
+ 3. Source type: `chron:event` (create new if prompted)
58
+ 4. Index: `main` (or a dedicated `chron` index)
59
+ 5. Copy the token value
60
+
61
+ ### Step 3 — Connect from the developer machine
62
+
63
+ ```bash
64
+ chron connect splunk
65
+ ```
66
+
67
+ Enter the HEC base URL and token when prompted. The command sends a test event and confirms before saving.
68
+
69
+ ### Step 4 — Add env vars to your MCP client
70
+
71
+ The `connect` command prints the exact block to paste. For Claude Code, add to the `chron` entry in `~/.claude.json`:
72
+
73
+ ```json
74
+ {
75
+ "mcpServers": {
76
+ "chron": {
77
+ "type": "stdio",
78
+ "command": "node",
79
+ "args": ["/path/to/dist/index.js"],
80
+ "env": {
81
+ "CHRON_SPLUNK_URL": "https://your-splunk-host:8088",
82
+ "CHRON_SPLUNK_TOKEN": "<your-hec-token>"
83
+ }
84
+ }
85
+ }
86
+ }
87
+ ```
88
+
89
+ ### Step 5 — Run SPL queries
90
+
91
+ In Splunk → Search & Reporting, run queries from this directory:
92
+
93
+ | File | Use |
94
+ |---|---|
95
+ | `events-by-type.spl` | Time-series — event volume by type |
96
+ | `sessions-by-developer.spl` | Table — sessions per host and AI tool |
97
+ | `secrets-detected.spl` | Table — credential exposures for SOC review |
98
+ | `ai-tool-usage.spl` | Summary — tool adoption breakdown |
99
+ | `daily-active-developers.spl` | Time-series — distinct active machines per day |
100
+ | `secrets-alert.spl` | Alert search — credential exposures (last 1h) |
101
+
102
+ ### Step 6 — Set up the credential alert (recommended)
103
+
104
+ 1. Search & Reporting → paste `secrets-alert.spl` → Save As → Alert
105
+ 2. Schedule: Run every hour
106
+ 3. Trigger: Number of results is greater than 0
107
+ 4. Action: Send email or create a notable event
108
+
109
+ ---
110
+
111
+ ## Event schema
112
+
113
+ All events arrive with `sourcetype=chron:event` and these fields:
114
+
115
+ | Field | Present on |
116
+ |---|---|
117
+ | `host` | All events: developer's machine hostname |
118
+ | `source` | All events: `chron-mcp` |
119
+ | `event_type` | All: `session_started`, `message_logged`, `secret_detected` |
120
+ | `session_id_prefix` | All events |
121
+ | `ai_tool` | All events: `claude`, `cursor`, `windsurf`, etc. |
122
+ | `os` | All events: `darwin`, `linux`, `win32` |
123
+ | `chron_version` | All events |
124
+ | `role` | `message_logged` only: `user` or `assistant` |
125
+ | `detection_type` | `secret_detected` only: `api_key`, `aws_key`, `jwt`, etc. |
126
+ | `masked_value` | `secret_detected` only: e.g. `AKIA****F3K2` |
127
+
128
+ **What is never transmitted:** message content, actual secret values, file paths, or any user-typed text.
129
+
130
+ ## Env vars
131
+
132
+ | Env var | Description |
133
+ |---|---|
134
+ | `CHRON_SPLUNK_URL` | Splunk HEC base URL, e.g. `https://localhost:8088` or `https://your-host:8088` |
135
+ | `CHRON_SPLUNK_TOKEN` | HEC ingest token |
136
+ | `CHRON_SPLUNK_INSECURE` | Set to `1` to skip TLS certificate verification (local Docker with self-signed cert) |
137
+
138
+ `CHRON_SPLUNK_URL` and `CHRON_SPLUNK_TOKEN` must both be set for events to flow. If unset, the integration is silently disabled.
@@ -0,0 +1,3 @@
1
+ sourcetype="chron:event" event_type="session_started" earliest=-30d
2
+ | stats count AS Sessions BY ai_tool
3
+ | sort -Sessions
@@ -0,0 +1,2 @@
1
+ sourcetype="chron:event" event_type="session_started" earliest=-30d
2
+ | timechart span=1d dc(host) AS ActiveDevelopers
@@ -0,0 +1,2 @@
1
+ | tstats count WHERE index=* sourcetype="chron:event" BY event_type _time span=1d
2
+ | timechart span=1d count BY event_type
@@ -0,0 +1,3 @@
1
+ sourcetype="chron:event" event_type="secret_detected" earliest=-1h
2
+ | where detection_type IN ("api_key","aws_key","gcp_key","azure_key","private_key","jwt")
3
+ | table _time, host, ai_tool, detection_type, masked_value, session_id_prefix
@@ -0,0 +1,4 @@
1
+ sourcetype="chron:event" event_type="secret_detected" earliest=-30d
2
+ | where detection_type IN ("api_key","aws_key","gcp_key","azure_key","private_key","jwt")
3
+ | table _time, host, ai_tool, detection_type, masked_value, session_id_prefix
4
+ | sort -_time
@@ -0,0 +1,3 @@
1
+ sourcetype="chron:event" event_type="session_started" earliest=-30d
2
+ | stats count AS Sessions BY host, ai_tool
3
+ | sort -Sessions