There's a new version of the MCP Server (1.0.2) that fixes the issue. ... View more

Here's a screenshot showing my request and the initial response, and it proceeds to display all of my indexes....and no, it's not hallucinating, they are our indexes, including test ones we've created. I've also made similar queries around data models, and it goes and collects them fine. I don't know what to tell you. Maybe it's something to do with Azure AI Foundry, who knows. ... View more

Hi. It's the most recent MCP server release, 1.0.1. I've tried with both the Claude Agent and Codex CLI external agents, and it works with any of the models I've tried (including Sonnet 4.5, Haiku 4.5, Opus 4.5, and gpt-4.1). I should note, once difference I have is I'm accessing these models through Azure AI Foundry. That could potentially be a difference. ... View more

Here's my MCP config in Zed: "splunk-mcp-server": { "enabled": true, "command": "npx", "args": [ "-y", "mcp-remote", "https://<URL>:8089/services/mcp", "--header", "Authorization: Bearer <token>" ], "env": {} }, It works with the Claude and Codex CLI external agents. Haven't tried the Zed agent.   ... View more

I'm seeing this as well in Windsurf, with any of the models I choose. Curiously, Zed seems to to be fine with it and properly gets the full results. I also upgraded from the beta release (it was a pre-1.0 release, I don't specifically remember the version) and that worked fine, never had this issue, so this is new in the 1.0 release cycle. ... View more

Yes! That's it, exactly what I was looking to do. Thank you.   ... View more

Hi yuanliu. Thanks for trying, but I realize by question wasn't phrased very well and my example JSON wasn't a very good example. I think I have a solution, but I'll try explaining it differently. Here's a sample JSON log.   { "operationName": "Add app role assignment to group", "properties": { "targetResources": [ { "administrativeUnits": [], "displayName": "MyAwesomeDisplayName", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "modifiedProperties": [ { "displayName": "Group.DisplayName", "newValue": "myAwesomeGroupName", "oldValue": null } ], "type": "ServicePrincipal" } ], "userAgent": null }, "operationName": "Add app role assignment grant to user", "properties": { "targetResources": [ { "administrativeUnits": [], "displayName": "MyAwesomeDisplayNameTwo", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "modifiedProperties": [ { "displayName": "User.UPN", "newValue": "myemail@onetrust.com", "oldValue": null } ], "type": "ServicePrincipal" } ], "userAgent": null } }   What I want to do is, if properties.targetResources.modifiedProperties.displayName = "Group.DisplayName" then I want to retrieve the corresponding value in properties.targetResources.modifiedProperties.newValue (in this case "myAwesomeGroupName") and put it into a new field.   Correspondingly, if properties.targetResources.modifiedProperties.displayName = "User.UPN" then I want to get the corresponding newValue for that as a separate field.   Although, as I pondered it over the weekend, I think it's better if I make two separate alerts with two separate queries where my search only includes records where operationName = "Add app role assignment to group", then I know properties.targetResources.modifiedProperties.displayName = "Group.DisplayName" will always be there (and then a separate one for the User.UPN query/alert). I was trying to do it as a single query/alert, but there are two different things, really, so breaking them up makes more sense and should work for me.   ... View more