Splunk MCP server

Integrates with Splunk Enterprise/Cloud to enable natural language-driven searches, index management, user handling, and KV store operations through a Python-based interface supporting both command-line and web server integration.
Back to servers
Setup instructions
Provider
LiveHybrid
Release date
Mar 13, 2025
Language
Python
Stats
68 stars

The Splunk MCP Tool enables natural language interaction with Splunk Enterprise/Cloud, providing capabilities for searching data, managing KV stores, and accessing Splunk resources through an intuitive interface.

Installation Options

Using UV (Recommended)

UV is a fast Python package installer and resolver that offers better performance than pip.

Prerequisites

  • Python 3.10 or higher
  • UV installed

Installation Steps with UV

  1. Clone the repository:

    git clone <repository-url>
    cd splunk-mcp
    
  2. Install dependencies with UV:

    # Install main dependencies
    uv sync
    
    # Or install with development dependencies
    uv sync --extra dev
    

Alternative Installation Methods

Using Poetry

# Install dependencies
poetry install

# Run the application
poetry run python splunk_mcp.py

Using pip

# Install dependencies
pip install -r requirements.txt

# Run the application
python splunk_mcp.py

Running the MCP Server

The Splunk MCP tool can operate in three different modes:

SSE Mode (Default)

Server-Sent Events based communication for real-time bidirectional interaction.

# Start in SSE mode (default)
python splunk_mcp.py
# or explicitly:
python splunk_mcp.py sse

# Using uvicorn directly:
SERVER_MODE=sse uvicorn splunk_mcp:app --host 0.0.0.0 --port 8000 --reload

API Mode

RESTful API endpoints available via the /api/v1 prefix.

# Start in API mode
python splunk_mcp.py api

# Using uvicorn directly:
SERVER_MODE=api uvicorn splunk_mcp:app --host 0.0.0.0 --port 8000 --reload

STDIO Mode

Standard input/output based communication, compatible with Claude Desktop and other MCP clients.

# Start in STDIO mode
python splunk_mcp.py stdio

Docker Usage

The project supports both Docker Compose V2 and legacy V1 commands.

Starting the Server with Docker

# SSE Mode (Default)
docker compose up -d mcp

# API Mode
docker compose run --rm mcp python splunk_mcp.py api

# STDIO Mode
docker compose run -i --rm mcp python splunk_mcp.py stdio

Docker Management Commands

# Build images
docker compose build

# View logs
docker compose logs
docker compose logs -f mcp

# Debug mode
DEBUG=true docker compose up mcp

# Access container shell
docker compose exec mcp /bin/bash

Configuration

Environment Variables

Configure the following environment variables:

  • SPLUNK_HOST: Your Splunk host address
  • SPLUNK_PORT: Splunk management port (default: 8089)
  • SPLUNK_USERNAME: Your Splunk username
  • SPLUNK_PASSWORD: Your Splunk password
  • SPLUNK_TOKEN: (Optional) Splunk authentication token
  • SPLUNK_SCHEME: Connection scheme (default: https)
  • VERIFY_SSL: Enable/disable SSL verification (default: true)
  • FASTMCP_LOG_LEVEL: Logging level (default: INFO)
  • SERVER_MODE: Server mode when using uvicorn

SSL Configuration Options

# Secure Mode (recommended for production)
VERIFY_SSL=true

# Relaxed Mode (for testing or self-signed certificates)
VERIFY_SSL=false

Available MCP Tools

Health and Status Tools

  • health_check: Verifies connectivity by returning available Splunk apps
  • ping: Simple endpoint to verify MCP server is operational

User Management

  • current_user: Returns information about the authenticated user
  • list_users: Returns all users and their roles

Index Management

  • list_indexes: Returns all accessible Splunk indexes
  • get_index_info: Returns detailed information about a specific index
  • indexes_and_sourcetypes: Returns a comprehensive list of indexes and their sourcetypes

Search Capabilities

  • search_splunk: Executes a Splunk search query with optional time parameters
  • list_saved_searches: Returns saved searches in the Splunk instance

KV Store Operations

  • list_kvstore_collections: Lists all KV store collections
  • create_kvstore_collection: Creates a new KV store collection
  • delete_kvstore_collection: Deletes an existing KV store collection

Tools Management

  • list_tools: Lists all available MCP tools with descriptions and parameters

SSE Endpoints

When running in SSE mode, the following endpoints are available:

  • /sse: Returns SSE connection information
  • /sse/messages: The main SSE stream endpoint
  • /sse/health: Health check endpoint for SSE mode

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "splunk" '{"command":"poetry","env":{"SPLUNK_HOST":"your_splunk_host","SPLUNK_PORT":"8089","SPLUNK_USERNAME":"your_username","SPLUNK_PASSWORD":"your_password","SPLUNK_SCHEME":"https","VERIFY_SSL":"false"},"args":["--directory","/path/to/splunk-mcp","run","python","splunk_mcp.py","stdio"]}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "splunk": {
            "command": "poetry",
            "env": {
                "SPLUNK_HOST": "your_splunk_host",
                "SPLUNK_PORT": "8089",
                "SPLUNK_USERNAME": "your_username",
                "SPLUNK_PASSWORD": "your_password",
                "SPLUNK_SCHEME": "https",
                "VERIFY_SSL": "false"
            },
            "args": [
                "--directory",
                "/path/to/splunk-mcp",
                "run",
                "python",
                "splunk_mcp.py",
                "stdio"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "splunk": {
            "command": "poetry",
            "env": {
                "SPLUNK_HOST": "your_splunk_host",
                "SPLUNK_PORT": "8089",
                "SPLUNK_USERNAME": "your_username",
                "SPLUNK_PASSWORD": "your_password",
                "SPLUNK_SCHEME": "https",
                "VERIFY_SSL": "false"
            },
            "args": [
                "--directory",
                "/path/to/splunk-mcp",
                "run",
                "python",
                "splunk_mcp.py",
                "stdio"
            ]
        }
    }
}

3. Restart Claude Desktop for the changes to take effect

Want to 10x your AI skills?

Get a free account and learn to code + market your apps using AI (with or without vibes!).

Nah, maybe later