Power Mode¶
v0.0.5 release: Power Mode is hidden — LLM dispatch is disabled
Power Mode requires the LLM-driven path, which is disabled at compile time in the v0.0.5 release pending internal review. The ✦ Power toggle is hidden in v0.0.5 builds regardless of the power_user_roles configuration. This page is preserved as the design reference for the future release that re-enables the LLM path.
Power Mode is a role-gated ✦ Power toggle in the AI Assistant chat-input toolbar that forces a saved-search dispatch before LLM synthesis on every prompt. When Power Mode is on, the AI MUST call splunk_run_saved_search (or splunk_run_query) at least once before generating any narrative response — forced-RAG. Reasoning from prior knowledge alone is disallowed; every reply is data-grounded.
Why Power Mode Exists¶
The default free-form path lets the AI choose whether to dispatch a tool or reply from prior knowledge. For most questions the AI dispatches appropriately — but for questions that look like the AI knows them already from training data (“What’s a HANA audit log?”), it may answer from prior knowledge and skip the tool call. That’s fine for explanatory questions, but it’s the wrong behavior for investigations: a “what’s the failure rate this week?” question deserves a real Splunk dispatch, not a probability-weighted guess.
Power Mode resolves this by adding a forced-RAG rule to the system primer: for every user message, the AI MUST call splunk_run_saved_search at least once (or splunk_run_query if no saved search fits) BEFORE generating any narrative answer.
This is forced-RAG over chosen-RAG: same tools, same MCP path, same privacy tier — Power Mode just enforces the saved-search-first step. For the primer-augmentation mechanism, see AI Assistant Implementation Reference.
Role-Gated Visibility¶
Power Mode is opt-in per organization and per-role. The toggle is hidden from users entirely unless their Splunk role is in the configured allow-list. Default: empty list — Power Mode hidden from every user.
Configuration path (admin-only):
- Open Settings → AI Assistant → General.
- Find the Power Users subsection. The Multiselect is populated from Splunk’s
services/authorization/rolesREST endpoint. - Pick the roles that should see the Power toggle (typical:
admin,power,sc_admin). - Click Save Defaults.
- Affected users see the
✦ Powerbutton in their chat input toolbar on next page load.
Per-user gating would require a custom directory and doesn’t compose with Splunk’s standard RBAC. Role gating reuses the same primitive admins already manage for everything else (search permissions, app permissions, etc.).
Toggle UX¶
The ✦ Power button is a small pill in the chat input toolbar between Send and the keyboard-shortcut hint. State is persisted per-tab in sessionStorage under logserv.aiAssistant.powerMode — opening a new browser tab resets to OFF.
Visual states:
| State | Button text | Border | Tooltip |
|---|---|---|---|
| OFF (default) | ✦ Power |
panel-border-weak | “Power Mode OFF — click to enable forced saved-search-first behavior.” |
| ON | ✦ Power ON |
cyan-accent fill | “Power Mode ON — every prompt forces a saved-search dispatch before AI synthesis. Click to turn off.” |
A11y: aria-pressed="true" when on, aria-pressed="false" when off.
What Power Mode Does NOT Change¶
- Privacy tier behavior is unchanged. Tier 1 still gives the AI count + timing only; Tier 2 still gives aggregated metadata only. Power Mode just enforces saved-search-first; tier still controls what AI sees about each search result.
- Tool dispatch is unchanged. Same MCP path, same tool definitions (
splunk_run_saved_search,splunk_run_query), same SPL static-analysis guard, same session tool-call cap. - Audit categories are unchanged. Power Mode runs through the same
vendor_tier1/vendor_tier2audit events; the new fieldpowerMode?: booleanrecords whether the toggle was on at dispatch time, for SOC pivot analysis. - Per-user rate limit, daily spend cap, jailbreak detection. All unchanged.
When to Use Power Mode¶
| Use case | Power Mode? |
|---|---|
| Investigations that should be data-grounded (“what’s failing right now?”) | ON |
| Cross-cutting top-N questions (“find the top 10 issues to attend to”) | ON — Power Mode + the TIME-WINDOW REASONING rules together produce verify-confirmed severity claims |
| Compliance reports that the auditor will cross-check against the rendered tiles | ON (so every claim has a citation) |
| Conceptual questions (“what’s a HANA audit log?”, “explain risk_level”) | OFF (the AI’s training knowledge is fine) |
| One-shot follow-ups in an existing conversation where prior tool results already cover the answer | OFF (forces an unnecessary dispatch) |
Streaming-only chat-only mode (mcp_required=false) |
Power Mode auto-hides — there’s no tool path to force |
Audit Trail¶
Every free-form vendor call records a vendor_tier1 or vendor_tier2 audit event with a powerMode flag that captures whether the toggle was on for that turn. Use cases for the audit field:
- SOC pivot: filter audit events to
powerMode=trueto see only the strict-data-grounded turns. - Compliance review: confirm that audit-period investigations were run with Power Mode on (so every cited finding has a tool dispatch behind it).
- Cost analysis: Power Mode-on turns dispatch more tools per turn → higher per-turn cost. The audit lets finance attribute spend to the gating choice.
Power Mode does NOT generate a separate audit category — it’s a flag on the existing vendor_tier1 / vendor_tier2 events. See Audit Log.