Splunk MCP Server

Official Splunk MCP server that runs inside your Splunk instance, exposing SPL search, natural-language-to-SPL generation, and index metadata with RBAC.

Category: Analytics | Maintainer: Cisco DevNet (Splunk) | Auth: Bearer Token | Status: active
Overview

The Splunk MCP Server is the official Model Context Protocol implementation maintained by Cisco DevNet (Splunk) and distributed as a Splunk app on Splunkbase (App ID 7931). Unlike typical stdio-based MCP servers, it runs as an HTTP/SSE endpoint hosted directly inside your Splunk instance on the management port (default 8089) at /services/mcp, so all access stays within your existing Splunk security boundary.

The server gives AI agents a standardized way to interact with Splunk Enterprise and Splunk Cloud deployments. Capabilities include running raw SPL searches, generating SPL from natural language via Splunk's AI Assistant, listing and inspecting indexes, retrieving instance metadata, and reading saved searches and other knowledge objects. All tool calls are gated by Splunk's existing role-based access control through new MCP capabilities (mcp_tool_admin, mcp_tool_execute) configured in authorize.conf.

Notable features include token-based bearer authentication, audit logging, input validation, guardrails against destructive operations, and support for Splunk versions 8.0 through 10.2. As of v1.0.1 (February 2026) the app is published as a Splunk Supported Beta.

Tools

Tool                 Description
generate_spl         Generate SPL from a natural language query using Splunk's AI Assistant.
run_splunk_query     Execute an SPL search and return results.
get_splunk_info      Retrieve basic Splunk instance metadata (version, server info).
get_indexes          List indexes available on the Splunk instance.
get_index_info       Get detailed metadata for a specific index.
get_saved_searches   List saved searches and related knowledge objects.
Setup Guide

Prerequisites

  • Splunk Enterprise or Splunk Cloud Platform, version 8.0 to 10.2
  • Admin access to install a Splunkbase app and edit authorize.conf / mcp.conf
  • A Splunk auth token for the user that will call the MCP server

Install the Splunk app

Install Splunkbase app ID 7931 ("Splunk MCP Server") on your Splunk instance. The MCP endpoint will be served at https://<SPLUNK_HOST>:8089/services/mcp.

Configure RBAC

Grant MCP capabilities to a role in authorize.conf:

[role_mcp_user]
mcp_tool_admin = enabled
mcp_tool_execute = enabled

The sc_admin role manages MCP settings. For self-signed certs, set ssl_verify = false in mcp.conf.
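Because every tool call is gated by these authorize.conf capabilities, the role stanzas are the place to check that an agent account gets only what it needs. The following audit script is an added example and is not part of the Splunk MCP Server app: it parses the [role_*] stanzas of an authorize.conf, reports which roles hold mcp_tool_execute or mcp_tool_admin, and warns when a role also holds the admin capability (assumed, from its name, to be the broader of the two) or has no index restriction. The sample conf is constructed; mcp_tool_admin and mcp_tool_execute come from the setup guide above, while importRoles and srchIndexesAllowed are standard authorize.conf role keys.

```python
"""Audit authorize.conf role stanzas for MCP capability grants.

Added example, not code from the Splunk MCP Server app. The sample conf below
is constructed to show a broad role (admin + execute, no index scope) next to
a least-privilege role (execute only, two indexes).
"""
import configparser
from dataclasses import dataclass

SAMPLE_AUTHORIZE_CONF = """\
[role_mcp_user]
mcp_tool_admin = enabled
mcp_tool_execute = enabled

[role_mcp_reader]
importRoles = user
mcp_tool_execute = enabled
srchIndexesAllowed = security;web

[role_analyst]
importRoles = user
srchIndexesAllowed = *
"""


@dataclass
class McpRoleFinding:
    role: str
    can_execute: bool
    can_admin: bool
    indexes: str          # raw srchIndexesAllowed value, "" if not set in this stanza
    warnings: list[str]


def _enabled(value: str) -> bool:
    return value.strip().lower() == "enabled"


def audit_mcp_roles(conf_text: str) -> list[McpRoleFinding]:
    """Return one finding per role that can reach the MCP endpoint."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Splunk's camelCase keys such as srchIndexesAllowed
    parser.read_string(conf_text)

    findings: list[McpRoleFinding] = []
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        stanza = parser[section]
        can_exec = _enabled(stanza.get("mcp_tool_execute", ""))
        can_admin = _enabled(stanza.get("mcp_tool_admin", ""))
        if not (can_exec or can_admin):
            continue  # role has no MCP capability at all

        indexes = stanza.get("srchIndexesAllowed", "").strip()
        warnings: list[str] = []
        if can_admin:
            warnings.append(
                "mcp_tool_admin is enabled; grant it only to roles that administer "
                "the MCP server, not to the account an agent runs as"
            )
        if indexes in ("", "*"):
            warnings.append(
                "srchIndexesAllowed is unset in this stanza (inherited via importRoles) "
                "or '*'; agent searches are not scoped to specific indexes"
            )
        findings.append(
            McpRoleFinding(section.removeprefix("role_"), can_exec, can_admin, indexes, warnings)
        )
    return findings


if __name__ == "__main__":
    for f in audit_mcp_roles(SAMPLE_AUTHORIZE_CONF):
        print(f"{f.role}: execute={f.can_execute} admin={f.can_admin} indexes={f.indexes or '(inherited)'}")
        for w in f.warnings:
            print(f"  warning: {w}")
```

Run it against a copy of your own authorize.conf to see which roles an MCP bearer token would inherit; in the constructed sample, role_mcp_user (the stanza from the setup guide) draws both warnings, while role_mcp_reader draws none.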

Claude Desktop / Claude Code

{
  "mcpServers": {
    "splunk-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://<SPLUNK_HOST>:8089/services/mcp",
        "--header",
        "Authorization: Bearer <YOUR_TOKEN>"
      ],
      "env": { "NODE_TLS_REJECT_UNAUTHORIZED": "0" }
    }
  }
}

Cursor IDE

{
  "mcpServers": {
    "splunk-mcp-server": {
      "url": "https://<SPLUNK_HOST>:8089/services/mcp",
      "headers": { "Authorization": "Bearer <YOUR_TOKEN>" }
    }
  }
}

Replace <SPLUNK_HOST> with your Splunk management host and <YOUR_TOKEN> with a Splunk bearer token. Drop NODE_TLS_REJECT_UNAUTHORIZED if you use a publicly trusted certificate.
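Setting NODE_TLS_REJECT_UNAUTHORIZED to 0 turns off certificate verification for every connection the mcp-remote process makes, not just the one to Splunk. The script below is an added example, not part of the Splunk app or of mcp-remote: it lints a client config in the shapes shown above and rewrites the blanket TLS bypass into trust in a specific CA bundle via NODE_EXTRA_CA_CERTS (a real Node.js variable; the bundle path is a hypothetical file that would hold the CA that signed the Splunk management-port certificate). The embedded weak config is constructed from the Claude Desktop snippet above.

```python
"""Lint and harden an MCP client config before pointing it at Splunk port 8089.

Added example, not code from the Splunk MCP Server app or mcp-remote.
NODE_TLS_REJECT_UNAUTHORIZED and NODE_EXTRA_CA_CERTS are real Node.js
environment variables; the CA bundle path passed in is hypothetical.
"""
import json

# Constructed: the Claude Desktop / mcp-remote config from the setup guide.
WEAK_CLIENT_CONFIG = json.dumps({
    "mcpServers": {
        "splunk-mcp-server": {
            "command": "npx",
            "args": ["-y", "mcp-remote", "https://<SPLUNK_HOST>:8089/services/mcp",
                     "--header", "Authorization: Bearer <YOUR_TOKEN>"],
            "env": {"NODE_TLS_REJECT_UNAUTHORIZED": "0"},
        }
    }
})


def _server_url(server: dict) -> str:
    """Cursor-style entries carry "url"; mcp-remote entries carry it in args."""
    if "url" in server:
        return server["url"]
    return next((a for a in server.get("args", []) if a.startswith(("http://", "https://"))), "")


def lint_mcp_client_config(config_text: str) -> dict[str, list[str]]:
    """Return {server_name: [findings]} for every configured MCP server."""
    config = json.loads(config_text)
    report: dict[str, list[str]] = {}
    for name, server in config.get("mcpServers", {}).items():
        findings: list[str] = []
        env = server.get("env", {})
        url = _server_url(server)
        if env.get("NODE_TLS_REJECT_UNAUTHORIZED") == "0":
            findings.append("TLS certificate verification is disabled for the whole client process")
        if url.startswith("http://"):
            findings.append("bearer token would be sent in cleartext over http://")
        if "<YOUR_TOKEN>" in json.dumps(server) or "<SPLUNK_HOST>" in url:
            findings.append("placeholder values are still present")
        report[name] = findings
    return report


def harden_mcp_client_config(config_text: str, ca_bundle_path: str) -> str:
    """Swap the blanket TLS bypass for trust in the CA that signed Splunk's cert.

    ca_bundle_path: hypothetical PEM file exported by the Splunk admin; Node
    appends it to its default trust store, so verification stays on.
    """
    config = json.loads(config_text)
    for server in config.get("mcpServers", {}).values():
        env = server.get("env")
        if env and env.get("NODE_TLS_REJECT_UNAUTHORIZED") == "0":
            del env["NODE_TLS_REJECT_UNAUTHORIZED"]
            env["NODE_EXTRA_CA_CERTS"] = ca_bundle_path
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    print("before:", lint_mcp_client_config(WEAK_CLIENT_CONFIG))
    hardened = harden_mcp_client_config(WEAK_CLIENT_CONFIG, "/etc/ssl/splunk-ca.pem")
    print(hardened)
    print("after:", lint_mcp_client_config(hardened))
```

The hardened config still reports the placeholder finding until <SPLUNK_HOST> and <YOUR_TOKEN> are filled in; the Cursor-style entry needs no env change because it carries no TLS bypass, but the same url and placeholder checks apply to it.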

Use Cases
  • Let an AI assistant translate plain English questions like "errors in the last hour by host" into valid SPL and run them against production indexes.
  • Triage security alerts by asking an agent to search relevant indexes, summarize findings, and propose follow-up SPL queries.
  • Inventory and audit a Splunk deployment by listing indexes, getting index sizing or retention metadata, and enumerating saved searches.
  • Build agent workflows that pull saved-search results into reports or other systems while respecting Splunk RBAC.
  • Help SOC analysts and SREs iterate on SPL faster by generating, refining, and executing queries through a chat interface.
Example Prompts
  • "Generate an SPL query that finds failed SSH logins grouped by source IP in the last 24 hours, then run it."
  • "List all indexes on this Splunk instance and show retention and event count for the security index."
  • "Show me the saved searches owned by the SOC app and summarize what each one does."
  • "Search the web index for 5xx responses in the last hour and break them down by URL."
  • "What version of Splunk am I connected to and which indexes are available?"
Pros
  • Official implementation maintained by Cisco DevNet (Splunk) and distributed through Splunkbase.
  • Runs inside your Splunk instance with native RBAC, audit logging, and bearer-token auth, so no extra middleware is required.
  • Includes AI-powered natural-language-to-SPL generation via Splunk's built-in AI Assistant.
  • Works with both Splunk Enterprise and Splunk Cloud Platform across versions 8.0 to 10.2.
Limitations
  • Currently published as a Supported Beta, so behavior and tool surface may still change.
  • Tool set is focused on read and search workflows; there is no broad write/admin coverage of Splunk objects.
  • Self-signed Splunk certs commonly require disabling TLS verification on the client, which is not ideal for production.
Alternatives