Built this because we kept hitting the same wall: a log source with no TA, no CIM mapping, and a backlog of transforms.conf work.  Detection rules/queries should be able to be written once and applied on any logs. Splunk App: AI Mapper for OCSF based queries  Here's how it works: Open Mapping Studio in Splunk Paste raw sample events from your log source The app generates a parser and OCSF mapping — you see the normalized output before anything is saved Save the rule Use | fleakmapping in any search to stream events through and get OCSF fields back   What it's good for right now: Firewall, endpoint, identity, and app logs that don't have a TA and never will Situations where you need OCSF output feeding a correlation rule or dashboard and don't want to block on a normalization project Onboarding a new vendor format fast enough that the stakeholder doesn't lose faith in you Honest caveats: v0.1.0 — works, but rough edges exist, average generation time per event type end to end is 3-5min. AI-generated mappings are good, not perfect — you'll want to review before pushing to production Works on Splunk Enterprise and Cloud, platform 10.2+ If you try it on a log source and the mapping quality is off, post the event structure here. That's the most useful feedback we can get right now. ... View more