http://splunkbase.splunk.com/app/7931
Splunkbase App ID: 7931
Built by: Splunk LLC
Latest Version: 1.0.1 (February 7, 2026)
Status: Splunk Supported · Beta
Category: Artificial Intelligence, IT Operations
Rating: ⭐ 5/5 (7 reviews) · #8 in Artificial Intelligence
Downloads: 5,029+
The Model Context Protocol (MCP) is an open standard and framework that enables seamless, secure, and standardized two-way communication between AI applications (like large language models) and external data sources or tools. It acts as a universal adapter allowing AI systems to access, execute, and integrate functionalities from diverse systems through a common protocol, simplifying data sharing and tool interoperability without custom coding for each integration.
Splunk's MCP server leverages this to provide a standardized, secure, and scalable interface to connect AI assistants, agents, and other intelligent systems with data in the Splunk platform for both Enterprise and Cloud customers (currently in beta).
Universal Connectivity — Seamlessly connects AI agents and tools to Splunk data resources in a secure and efficient manner.
Enterprise-Grade Security — Includes built-in authentication, authorization, and Role-Based Access Control (RBAC). Respects existing Splunk authentication and access controls, preventing unauthorized data exposure. Supports auditing, logging, and input validation to monitor for malicious payloads or command injection attempts.
Rapid Deployment — Offers a plug-and-play solution, eliminating the need for custom integrations.
HTTP/SSE — The server is hosted within your Splunk instance and exposed over HTTP. Clients connect via the Splunk management port (default 8089) at the endpoint /services/mcp. It is not a locally-spawned stdio process.
Example initialization response confirming the transport:
curl -k \ -H "Authorization: Bearer <YOUR_TOKEN>" \ -H "Content-Type: application/json" \ -X POST \ -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"client":"curl","version":"0.1"}}' \ https://<YOUR_SPLUNK_HOST>:8089/services/mcp
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"protocolVersion": "2025-03-26",
"capabilities": { "tools": {} },
"serverInfo": { "name": "Splunk_MCP_Server", "version": "0.2.2" }
}
}Tools only — The server exposes Splunk functionality exclusively as callable MCP Tools. The capabilities field in the initialization response confirms {"tools": {}} with no resources or prompts declared.
| Tool | Description |
|---|---|
generate_spl |
Generate SPL from a natural language query (AI-powered) |
run_splunk_query |
Run a SPL query and return results (logs, aggregations, indexed data) |
get_splunk_info |
Get basic info about the Splunk instance (version, server name) |
get_indexes |
List available Splunk indexes (includes splunk_server) |
get_index_info |
Get detailed metadata for a specific index |
get_saved_searches |
List saved searches / knowledge objects |
| (additional tools) | Viewable via the built-in tools UI added in v1.0.0 |
Safety guardrails are in place to prevent destructive operations.
Uses mcp-remote as a local proxy to inject the Authorization header:
{
"mcpServers": {
"splunk-mcp-server": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://<SPLUNK_HOST>:8089/services/mcp",
"--header",
"Authorization: Bearer <YOUR_TOKEN>"
],
"env": {
"NODE_TLS_REJECT_UNAUTHORIZED": "0"
}
}
}
}Set
NODE_TLS_REJECT_UNAUTHORIZED: "0"if using self-signed certificates.
{
"mcpServers": {
"splunk-mcp-server": {
"url": "https://<SPLUNK_HOST>:8089/services/mcp",
"headers": {
"Authorization": "Bearer <YOUR_TOKEN>"
}
}
}
}Roles must be configured in authorize.conf to grant users access to MCP tools:
[role_mcp_user] mcp_tool_admin = enabled mcp_tool_execute = enabled
sc_admin role can manage MCP capabilities (added in v1.0.0).In mcp.conf, you can configure SSL verification:
[mcp] ssl_verify = true # Set to false for self-signed certificates
Security Operations — A SOC analyst queries: "Show me all failed login attempts from external IPs in the last hour." The MCP server executes the SPL search and returns a concise report.
DevOps Efficiency — A DevOps engineer asks: "What's the performance trend of my Kubernetes cluster logs in Splunk?" The server pulls and summarizes the data.
Business Insights — A product manager queries: "What's driving customer churn in Q2?" The server combines Splunk data with external sources for a comprehensive analysis.
Multi-App Insights — Connect a Confluence MCP server (containing Splunk system knowledge) with the Splunk MCP server for richer, more accurate insights.
| Date | Version | Changes |
|---|---|---|
| Feb 7, 2026 | 1.0.1 | Bug fix for invalid hostname in certificate errors |
| Oct 22, 2025 | 1.0.0 | sc_admin role support; ssl_verify config; built-in tools UI; updated get_indexes and get_index_info with splunk_server |
| Sep 8, 2025 | — | Initial public availability |
© 2005–2026 Splunk LLC. All rights reserved.
Owner
Contributors
Categories
ObservabilitySecurityProducts
SplunkAI
MCP ServersDeploy Type
HTTP/SSEFeatures / Capabilities
ToolsLicense
Code Exchange Community
Get help, share code, and collaborate with other developers in the Code Exchange community.View Community