Splunk MCP Server

Provides an MCP server that connects AI clients to Splunk data sources, enabling AI-powered workflows and troubleshooting.

Installation
Add the following to your MCP client configuration file.

Configuration

```
{
    "mcpServers": {
        "splunk_http": {
            "url": "http://localhost:8002/mcp/"
        }
    }
}
```

You can integrate AI agents with Splunk data using the MCP Server for Splunk. This single, standardized interface lets you connect AI clients to Splunk data sources, run intelligent workflows, and manage security and multi-client access without building custom integrations.

How to use

You use the MCP Server for Splunk to connect AI clients to your Splunk environment and run AI-powered workflows. Start a local or remote server, point your client at the MCP endpoint, and begin discovering available troubleshooting workflows. You can run workflows in parallel, monitor progress, and receive actionable recommendations. Use the HTTP endpoint when you want a centralized, multi-client setup, or run a local STDIO server for development and testing.

How to install

Prerequisites

- Python 3.10+ and the uv package manager
- Node.js (optional, for MCP Inspector)
- Docker (optional but recommended for full stack)
- Splunk instance with API access (or use included Docker Splunk)

Prepare configuration

```
cp env.example .env

# Optional: local HTTP transport defaults for stateless local runs
echo "MCP_STATELESS_HTTP=true" >> .env
echo "MCP_JSON_RESPONSE=true" >> .env
```

One-command setup (Windows)

```
git clone https://github.com/deslicer/mcp-for-splunk.git
cd mcp-for-splunk

# Start the MCP Server (project script)
uv run mcp-server --local --detached

# Verify the server
uv run mcp-server --test
# Optional: detailed health output
uv run mcp-server --test --detailed
```

One-command setup (macOS/Linux)

```
git clone https://github.com/deslicer/mcp-for-splunk.git
cd mcp-for-splunk

# Preview what would be installed (optional)
./scripts/smart-install.sh --dry-run

# Install missing prerequisites
./scripts/smart-install.sh

# Start the MCP Server (local, HTTP stateless by default)
uv run mcp-server --local --detached

# Verify the server
uv run mcp-server --test
uv run mcp-server --test --detailed
```

Deployment paths include Docker and Local options. When prompted, you can choose:

- Docker: full stack with Splunk, Traefik, MCP Inspector (recommended if Docker is installed)
- Local: lightweight FastMCP server only (no Docker)

Stopping services:
- uv run mcp-server --stop stops only this project's compose services (dev/prod/splunk). It does not stop the Docker engine.

Note: If you use the so1 Splunk container, supply your Splunk Enterprise license if required. The compose files include a commented example mount for a license file.

Configuration and security notes

Before you start, configure your Splunk connection in your environment. You can copy an example environment file and edit it with your Splunk credentials. If you start locally, the server defaults to stateless HTTP for compatibility with many AI clients.

Security is designed to be production-ready, with client-scoped access and no credential exposure. When you run with multiple clients, each connection maintains its own Splunk session and context.

AI-powered troubleshooting workflows

You can discover available AI-powered troubleshooting workflows and run them with full parameter control. The system supports parallel execution, custom organization-specific workflows, and intelligent analysis following Splunk best practices.

Client integration examples

You can configure multiple clients to connect to the same MCP server, enabling multi-client access without restarting the server. A sample per-client configuration shows how to set endpoints and headers for different Splunk environments.
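
A check worth running over client configuration files before several clients share one server, shown as an added example that is not part of the project's code: it reads the `mcpServers` format shown under Configuration and flags any entry whose `url` sends MCP traffic over plain HTTP to something other than a loopback address. The `splunk_shared` entry and its host name are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the first entry is the page's own config; the second is
# a hypothetical shared endpoint added for illustration.
SAMPLE_CONFIG = """
{
    "mcpServers": {
        "splunk_http": {"url": "http://localhost:8002/mcp/"},
        "splunk_shared": {"url": "http://mcp.example.internal:8002/mcp/"}
    }
}
"""


def is_loopback(host):
    """True for 'localhost' and literal loopback addresses (127.0.0.0/8, ::1)."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name: treat as remote rather than resolve it


def audit_mcp_config(text):
    """Return (server_name, url, reason) for each entry that needs attention."""
    findings = []
    servers = json.loads(text).get("mcpServers", {})
    for name, entry in servers.items():
        url = entry.get("url")
        if not url:
            continue  # entries without a URL (e.g. stdio) have nothing to check
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            findings.append((name, url, "unexpected URL scheme"))
        elif parts.scheme == "http" and not is_loopback(parts.hostname):
            findings.append((name, url, "plain HTTP to a non-loopback host"))
    return findings


if __name__ == "__main__":
    for name, url, reason in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{name}: {url} -> {reason}")
```
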

Deployment options

- Development (Local): Fast startup, minimal resources, suitable for stdio-based AI clients. Endpoint: http://localhost:8003/mcp/
- Production (Docker): Load balancing and health checks, suitable for multi-client access and web-based AI agents. Traefik handles routing and sticky sessions by default in streamable HTTP mode.

Troubleshooting and support

If you encounter issues, use the MCP Inspector for real-time testing and validation. Windows users have access to a guided setup and troubleshooting path with PowerShell scripts. Community channels provide quick help and best-practice patterns.

Ready to get started

Choose your path: Quick Start, Integration Examples, Architecture Guide, or Contribute to the project. This MCP Server enables AI clients to work with Splunk data through a single, standardized protocol.

Available tools

list_workflows

Discover available troubleshooting workflows (core + contrib)

workflow_runner

Execute any workflow with full parameter control and progress tracking

workflow_builder

Create custom troubleshooting procedures for your organization

smart_search

Natural language to SPL conversion for search queries

real_time_search

Real-time search with background execution and progress tracking

saved_searches

Create, execute, and manage saved searches and automation

metadata_exploration

Metadata exploration to discover indexes, sources, and sourcetypes

schema_analysis

Analyze the data schema and structure within Splunk indices

usage_patterns

Identify data usage patterns and access trends

app_management

List, enable, disable, and manage Splunk apps

user_management

Administrate Splunk users and roles

config_access

Read and analyze Splunk configuration files

system_health

Monitor overall system health of the Splunk deployment

degraded_feature_detection

Detect and report degraded features or services

alert_management

Track and analyze triggers and alerts within Splunk

google_agent_kit

Integrate Google Agent Development Kit capabilities to drive MCP workflows