Exposes Splunk data sources (saved searches, alerts, fired alerts, indexes, macros) via MCP tools over STDIO or SSE.
Configuration
{
  "mcpServers": {
    "jkosik-mcp-server-splunk": {
      "url": "http://localhost:3001/sse",
      "headers": {
        "SPLUNK_URL": "https://your-splunk-instance:8089",
        "SPLUNK_TOKEN": "your-splunk-token"
      }
    }
  }
}

You run a Go-based MCP server that connects to Splunk and exposes a set of Splunk-related MCP tools over STDIO or via Server-Sent Events (SSE). This server lets you list saved searches, alerts, fired alerts, indexes, and macros from your Splunk instance and query them through a consistent MCP interface for automation, chat integrations, or dashboarding.
Choose your preferred transport and interact with the Splunk MCP Server through your MCP client. In STDIO mode you run the local server binary and communicate directly with the process. In SSE mode you start a server that streams responses over HTTP and use a session-based workflow to send tool calls. You can call the supported tools to retrieve lists of saved searches, alerts, fired alerts, indexes, and macros from your Splunk instance.
# Prerequisites
# - Go (1.18+)
# - A Splunk instance with a valid token
# Build the server (from source)
go build -o cmd/mcp-server-splunk/mcp-server-splunk cmd/mcp-server-splunk/main.go
# STDIO mode example (local server): update with your path to the built binary and your Splunk creds
# Command shown in the configuration example uses an explicit path to the built binary

If you prefer the ready-made STDIO configuration shown for your environment, you can run the built binary directly after setting the environment variables. Use the path shown in the explicit configuration example to start the server in STDIO mode.
{
  "mcpServers": {
    "splunk_stdio": {
      "name": "Splunk MCP Server (STDIO)",
      "description": "MCP server for Splunk integration",
      "type": "stdio",
      "command": "/Users/juraj/data/github.com/jkosik/mcp-server-splunk/cmd/mcp-server-splunk/mcp-server-splunk",
      "env": {
        "SPLUNK_URL": "https://your-splunk-instance:8089",
        "SPLUNK_TOKEN": "your-splunk-token"
      }
    }
  }
}

SSE mode provides a persistent HTTP API for interactive prompts and tool calls. Start the server in SSE mode and then connect using a separate client or browser command sequence. You will receive a session ID that you use to send subsequent tool calls.
export SPLUNK_URL=https://your-splunk-instance:8089
export SPLUNK_TOKEN=your-splunk-token
# Start the server in SSE mode on port 3001
go run cmd/mcp-server-splunk/main.go -transport sse -port 3001

Configure your MCP client to reach the SSE endpoint at http://localhost:3001/sse and, after obtaining a Session ID, send tool calls to query Splunk data.
The server implements a set of Splunk-specific MCP tools you can call to fetch data from Splunk. Each tool accepts optional parameters to filter, paginate, or narrow results.
- list_splunk_saved_searches: returns saved searches. Parameters: count, offset.
- list_splunk_alerts: lists alerts. Parameters: count, offset, title.
- list_splunk_fired_alerts: lists alerts that fired. Parameters: count, offset, ss_name, earliest.
- list_splunk_indexes: lists indexes. Parameters: count, offset.
- list_splunk_macros: lists macros. Parameters: count, offset.
Secure your Splunk access by setting SPLUNK_URL and SPLUNK_TOKEN with appropriate permissions. For SSE, ensure your client only connects to trusted endpoints and uses session-based authentication if provided.
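One way to check a client config against the advice above before it is deployed, as an added example that is not part of the project's code. It assumes the client sends the "headers" values to the configured "url"; the "remote" entry and its host name are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
	"sort"
)

// server mirrors the two entry shapes on this page: url/headers (SSE), env (STDIO).
type server struct {
	URL     string            `json:"url"`
	Headers map[string]string `json:"headers"`
	Env     map[string]string `json:"env"`
}

// sample is constructed: "local" copies the page's SSE entry, "remote" is hypothetical.
const sample = `{"mcpServers": {
  "local":  {"url": "http://localhost:3001/sse", "headers": {"SPLUNK_URL": "https://your-splunk-instance:8089", "SPLUNK_TOKEN": "your-splunk-token"}},
  "remote": {"url": "http://mcp.example.internal:3001/sse", "headers": {"SPLUNK_URL": "http://your-splunk-instance:8089", "SPLUNK_TOKEN": "your-splunk-token"}}}}`

func isLoopback(host string) bool { return host == "localhost" || net.ParseIP(host).IsLoopback() }

// Audit returns sorted findings for settings that would expose SPLUNK_TOKEN in cleartext.
func Audit(raw string) ([]string, error) {
	var cfg struct{ Servers map[string]server `json:"mcpServers"` }
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	var out []string
	for name, s := range cfg.Servers {
		for _, kv := range []map[string]string{s.Headers, s.Env} {
			// The token is presented to whatever SPLUNK_URL names, so require TLS there.
			v, ok := kv["SPLUNK_URL"]
			if u, err := url.Parse(v); ok && (err != nil || u.Scheme != "https") {
				out = append(out, name+": SPLUNK_URL is not https")
			}
		}
		// Assumption: headers are sent to the SSE url; plain HTTP is tolerated only on loopback.
		u, err := url.Parse(s.URL)
		if _, ok := s.Headers["SPLUNK_TOKEN"]; ok && s.URL != "" && (err != nil || (u.Scheme != "https" && !isLoopback(u.Hostname()))) {
			out = append(out, name+": SPLUNK_TOKEN sent to non-loopback SSE url without TLS")
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() { fmt.Println(Audit(sample)) }
```

The page's own localhost SSE entry and its STDIO entry produce no findings; only the constructed "remote" entry is flagged.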
- list_splunk_saved_searches: Retrieves a list of saved searches from Splunk. Supports count and offset for pagination.
- list_splunk_alerts: Retrieves Splunk alerts with optional title filter and pagination.
- list_splunk_fired_alerts: Retrieves alerts that have fired within a time range, with optional name pattern filtering.
- list_splunk_indexes: Lists Splunk indexes with pagination support.
- list_splunk_macros: Lists Splunk macros with pagination support.