splunk
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 1 deletion b/‎.gitignore‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎Dockerfile‎
Lines changed: 24 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 2 deletions b/‎Makefile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docker-compose.yml‎
Lines changed: 10 additions & 1 deletion b/‎docker-compose.yml‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎splunklib/ai/agent.py‎
Lines changed: 6 additions & 2 deletions b/‎splunklib/ai/agent.py‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎splunklib/ai/tools.py‎
Lines changed: 15 additions & 1 deletion b/‎splunklib/ai/tools.py‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎tests/__init__.py‎
Lines changed: 13 additions & 0 deletions b/‎tests/__init__.py‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎tests/cretestlib.py‎
Lines changed: 124 additions & 0 deletions b/‎tests/cretestlib.py‎
Lines changed: 124 additions & 0 deletions
diff --git a/‎tests/system/test_ai_agentic_test_app.py‎
Lines changed: 54 additions & 0 deletions b/‎tests/system/test_ai_agentic_test_app.py‎
Lines changed: 54 additions & 0 deletions
@@ -278,4 +278,6 @@ $RECYCLE.BIN/
 # End of https://www.toptal.com/developers/gitignore/api/windows,macos,linux,pycharm+all,python
 
 .vscode/
-docs/_build/
+docs/_build/
+
+/deps
@@ -0,0 +1,24 @@
+ARG SPLUNK_VERSION=latest
+FROM splunk/splunk:${SPLUNK_VERSION}
+
+USER root
+
+RUN mkdir /tmp/sdk
+COPY ./pyproject.toml /tmp/sdk/pyproject.toml
+COPY ./uv.lock /tmp/sdk/uv.lock
+COPY ./splunklib /tmp/sdk/splunklib
+
+RUN mkdir /splunklib-deps
+RUN chown splunk:splunk /splunklib-deps
+RUN chown -R splunk:splunk /tmp/sdk
+RUN chown splunk:splunk /tmp/sdk
+
+USER splunk
+
+WORKDIR /tmp/sdk
+
+RUN /opt/splunk/bin/python3.13 -m venv .venv
+RUN /bin/bash -c "source .venv/bin/activate && LD_LIBRARY_PATH=/opt/splunk/lib python -m pip install '.[openai]' --target=/splunklib-deps"
+
+USER ${ANSIBLE_USER}
+WORKDIR /opt/splunk
@@ -18,7 +18,7 @@ test-integration:
 
 .PHONY: docker-up
 docker-up:
-	@docker-compose up -d
+	@DOCKER_BUILDKIT=0 docker-compose up -d --build
 
 .PHONY: docker-ensure-up
 docker-ensure-up:
@@ -45,4 +45,4 @@ docker-remove:
 	@docker-compose rm -f -s
 
 .PHONY: docker-refresh
-docker-refresh: docker-remove docker-start
+docker-refresh: docker-remove docker-start
@@ -1,6 +1,9 @@
 services:
     splunk:
-        image: "splunk/splunk:${SPLUNK_VERSION}"
+        build:
+            context: .
+            dockerfile: Dockerfile
+        platform: linux/amd64
         container_name: splunk
         environment:
             - SPLUNK_START_ARGS=--accept-license
@@ -24,8 +27,14 @@ services:
             - "./tests/system/test_apps/streaming_app:/opt/splunk/etc/apps/streaming_app"
             - "./tests/system/test_apps/modularinput_app:/opt/splunk/etc/apps/modularinput_app"
             - "./tests/system/test_apps/cre_app:/opt/splunk/etc/apps/cre_app"
+            - "./tests/system/test_apps/ai_agentic_test_app:/opt/splunk/etc/apps/ai_agentic_test_app"
+            - "./tests/system/test_apps/ai_agentic_test_local_tools_app:/opt/splunk/etc/apps/ai_agentic_test_local_tools_app"
             - "./splunklib:/opt/splunk/etc/apps/eventing_app/bin/splunklib"
             - "./splunklib:/opt/splunk/etc/apps/generating_app/bin/splunklib"
             - "./splunklib:/opt/splunk/etc/apps/reporting_app/bin/splunklib"
             - "./splunklib:/opt/splunk/etc/apps/streaming_app/bin/splunklib"
             - "./splunklib:/opt/splunk/etc/apps/modularinput_app/bin/splunklib"
+            - "./splunklib:/opt/splunk/etc/apps/ai_agentic_test_app/bin/lib/splunklib"
+            - "./splunklib:/opt/splunk/etc/apps/ai_agentic_test_local_tools_app/bin/lib/splunklib"
+            - "./tests:/opt/splunk/etc/apps/ai_agentic_test_app/bin/lib/tests"
+            - "./tests:/opt/splunk/etc/apps/ai_agentic_test_local_tools_app/bin/lib/tests"
@@ -25,9 +25,9 @@
 from splunklib.ai.model import PredefinedModel
 from splunklib.ai.tools import load_mcp_tools, locate_tools_path_by_sdk_location
 from splunklib.ai.types import (
+    AgentResponse,
     BaseAgent,
     Message,
-    AgentResponse,
     OutputT,
     StopConditions,
     Tool,
@@ -42,11 +42,13 @@ class Agent(BaseAgent[OutputT], AbstractAsyncContextManager):
     _use_mcp_tools: bool
     _service: Service | None = None
 
+    # TODO: We should have a logger inside of an agent, debugging and such.
+
     def __init__(
         self,
         model: PredefinedModel,
         system_prompt: str,
-        use_mcp_tools: bool = False,
+        use_mcp_tools: bool = False,  # TODO: should we default to True?
         service: Service | None = None,  # TODO: make it non-optional.
         agents: Sequence[BaseAgent[BaseModel | None]] | None = None,
         output_schema: type[OutputT] | None = None,
@@ -72,6 +74,8 @@ def __init__(
 
     @override
     async def __aenter__(self):
+        # TODO: replace these with if && raise
+        # See: https://docs.python.org/3/reference/simple_stmts.html#the-assert-statement
         assert self._impl is None, "Agent is already in `async with` context"
 
         if self._use_mcp_tools:
 
@@ -76,7 +76,21 @@ class RemoteCfg:
 
 @asynccontextmanager
 async def _connect_local_mcp(cfg: LocalCfg):
-    server_params = StdioServerParameters(command=sys.executable, args=[cfg.tools_path])
+    server_params = StdioServerParameters(
+        command=sys.executable,
+        args=[cfg.tools_path],
+    )
+
+    # Splunk starts processes with a custom LD_LIBRARY_PATH env var, the mcp lib
+    # does not forward all env, but few restricted ones by default. If we don't do
+    # so then the shared object that python loads would fail to succeed.
+    # TODO: If needed we might in future pass all env vars, but we would have to investigate why
+    # the mcp lib did that filtering in the first place. For now we only allow additionally
+    # the LD_LIBRARY_PATH.
+    ld = os.environ.get("LD_LIBRARY_PATH")
+    if ld is not None:
+        server_params.env = {"LD_LIBRARY_PATH": ld}
+
     async with stdio_client(server_params) as (read, write):
         async with ClientSession(read, write) as session:
             await session.initialize()
 
@@ -0,0 +1,13 @@
+# Copyright © 2011-2026 Splunk, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"): you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
@@ -0,0 +1,124 @@
+#
+# Copyright © 2011-2026 Splunk, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"): you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import asyncio
+import base64
+import traceback
+from abc import abstractmethod
+from http.cookies import SimpleCookie
+
+from splunklib.binding import _spliturl
+from splunklib.client import Service, connect
+
+try:
+    import splunk
+
+    class CRETestHandler(splunk.rest.BaseRestHandler):
+        _service: Service | None = None
+
+        def handle_POST(self) -> None:
+            async def run() -> None:
+                try:
+                    await self.run()
+                except Exception:
+                    trace = traceback.format_exc()
+                    self.response.setStatus(500)
+                    self.response.write(trace)
+                    return
+
+                self.response.setStatus(200)
+
+            asyncio.run(run())
+
+        @abstractmethod
+        async def run(self) -> None: ...
+
+        @property
+        def service(self) -> Service:
+            if self._service is not None:
+                return self._service
+
+            mngmt_url: str = splunk.getLocalServerInfo()
+            scheme, host, port, path = _spliturl(mngmt_url)
+
+            headers = self.request["headers"]
+
+            cookies: str | None = headers.get("cookie")
+            authorizaiton: str | None = headers.get("authorization")
+
+            if cookies is not None:
+                c = SimpleCookie()
+                c.load(cookies)
+                cookie_token = c.get("splunkd_8089")
+                if cookie_token is not None:
+                    service = connect(
+                        scheme=scheme,
+                        host=host,
+                        port=port,
+                        path=path,
+                        autologin=True,
+                        cookie=f"splunkd_8089: {cookie_token}",
+                    )
+
+                    # Make sure splunk connection works.
+                    assert service.info.startup_time
+
+                    self._service = service
+                    return service
+
+            if authorizaiton is not None:
+                authType, token = authorizaiton.split(" ", 1)
+                if authType.lower() == "bearer" or authType.lower() == "splunk":
+                    service = connect(
+                        scheme=scheme,
+                        host=host,
+                        port=port,
+                        path=path,
+                        autologin=True,
+                        token=token,
+                    )
+
+                    # Make sure splunk connection works.
+                    assert service.info.startup_time
+
+                    self._service = service
+                    return service
+                elif authType.lower() == "basic":
+                    decoded_bytes = base64.b64decode(token)
+                    username, password = decoded_bytes.decode("utf-8").split(":", 1)
+                    service = connect(
+                        scheme=scheme,
+                        host=host,
+                        port=port,
+                        path=path,
+                        autologin=True,
+                        username=username,
+                        password=password,
+                    )
+
+                    # Make sure splunk connection works.
+                    assert service.info.startup_time
+
+                    self._service = service
+                    return service
+
+            # We should not reach here, since Splunk requires that the request is authenticated.
+            raise Exception("Missing auth")
+except ImportError as e:
+    # The "splunk" package is only available on the Splunk instances, as it is only shipped
+    # with the default splunk python interpreter. We can't use it reliabely if used outside of
+    # splunk, in such cases, we don't expose the wrapped class.
+    if e.name != "splunk":
+        raise
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+#
+# Copyright © 2011-2026 Splunk, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"): you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import pytest
+
+from tests import testlib
+
+
+class TestAgenticApp(testlib.SDKTestCase):
+    def test_agetic_app(self) -> None:
+        pytest.importorskip("langchain_openai")
+        self.skip_splunk_10_2()
+
+        resp = self.service.post("agentic_app/agent-name")
+        assert resp.status == 200
+        assert "stefan" in str(resp.body)
+
+    def test_agentic_app_with_tools_weather(self) -> None:
+        pytest.importorskip("langchain_openai")
+        self.skip_splunk_10_2()
+
+        resp = self.service.post("agentic_app_with_local_tools/weather")
+        assert resp.status == 200
+        assert "31.5" in str(resp.body)
+
+    def test_agentic_app_with_tools_agent_name(self) -> None:
+        pytest.importorskip("langchain_openai")
+        self.skip_splunk_10_2()
+
+        resp = self.service.post("agentic_app_with_local_tools/agent-name")
+        assert resp.status == 200
+        assert "stefan" in str(resp.body)
+
+    # TODO: Would be nice to test remote tool execution, such test would need to install the
+    # MCP Server App and define a custom tool (tools.conf). For now we only test remote tools ececution
+    # with a mock mcp server, outside of Splunk environment, see ../integration/ai/test_agent_mcp_tools.py.
+
+    def skip_splunk_10_2(self) -> None:
+        if self.service.splunk_version[0] < 10 or self.service.splunk_version[1] < 2:
+            self.skipTest("Python 3.13 not available on splunk < 10.2")