A Model Context Protocol (MCP) implementation for Splunk Enterprise and Cloud integration with Cursor IDE or Claude
Configuration
```json
{
  "mcpServers": {
    "livehybrid-splunk-mcp": {
      "command": "poetry",
      "args": [
        "run",
        "python",
        "splunk_mcp.py",
        "stdio"
      ],
      "env": {
        "VERIFY_SSL": "true",
        "SPLUNK_HOST": "YOUR_SPLUNK_HOST",
        "SPLUNK_PORT": "8089",
        "SPLUNK_TOKEN": "YOUR_TOKEN_IF_ANY",
        "SPLUNK_SCHEME": "https",
        "SPLUNK_PASSWORD": "YOUR_PASSWORD",
        "SPLUNK_USERNAME": "YOUR_USERNAME",
        "FASTMCP_LOG_LEVEL": "INFO"
      }
    }
  }
}
```
You can run a Splunk MCP server that lets you interact with Splunk data using natural language. It supports real-time SSE interactions, a REST API, and a lightweight STDIO mode for direct AI-assisted workflows, enabling you to search, inspect indexes, manage KV stores, and handle Splunk resources efficiently.
Choose your preferred interaction mode and connect with your MCP client. In SSE mode (the default), you get real-time, server-sent event communication suitable for web-based clients. You can start the server in STDIO mode for direct line-by-line communication with an assistant or in API mode to expose REST endpoints.
Prerequisites: Install Python 3.10 or higher and a modern package manager such as UV, Poetry, or Pip. You will also configure environment variables to point to your Splunk instance.
```bash
# Prerequisites
# - Python 3.10+
# - UV (for fast installs) or Poetry or Pip

# Quick Start with UV
# 1. Clone the project
git clone <repository-url>
cd splunk-mcp

# 2. Install dependencies with UV
uv sync

# 3. Run in SSE mode by default
uv run python splunk_mcp.py

# Optional: run in STDIO mode
poetry run python splunk_mcp.py stdio

# Optional: run in API mode
# --host 0.0.0.0 listens on all network interfaces and --reload is a development option
poetry run uvicorn splunk_mcp:app --host 0.0.0.0 --port 8000 --reload
```
Alternative using Poetry for dependency management and running the server:
```bash
poetry install
poetry run python splunk_mcp.py
```
If you prefer Pip and a requirements file instead:
```bash
pip install -r requirements.txt
python splunk_mcp.py
```
Environment variables control how you connect to Splunk and how the MCP server behaves. The key variables include the Splunk host, port, credentials, and SSL settings. You can toggle SSL verification for development or production use and adjust logging levels for troubleshooting.
- Keep sensitive credentials out of version control. Use a template like .env.example to share the required keys without exposing secrets.
- Use VERIFY_SSL=true in production to ensure secure connections to Splunk. Disable only for testing with self-signed certificates.
- Expose only necessary ports and prefer internal networking when deploying in production.
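A pre-deployment check for the points above, as an added example that is not part of the project's code: it audits an MCP client config for the environment keys shown on this page. The sample config, hostname and account name are constructed, and treating only the literal value true as enabled is this checker's own policy, not documented project behaviour.

```python
import json

# Constructed sample: the page's config block with weak settings introduced.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "livehybrid-splunk-mcp": {
      "command": "poetry",
      "args": ["run", "python", "splunk_mcp.py", "stdio"],
      "env": {
        "VERIFY_SSL": "false",
        "SPLUNK_HOST": "splunk.internal.example",
        "SPLUNK_PORT": "8089",
        "SPLUNK_SCHEME": "http",
        "SPLUNK_TOKEN": "YOUR_TOKEN_IF_ANY",
        "SPLUNK_USERNAME": "svc_mcp",
        "SPLUNK_PASSWORD": "constructed-not-a-real-secret"
      }
    }
  }
}
"""

SECRET_KEYS = ("SPLUNK_TOKEN", "SPLUNK_PASSWORD")


def audit_mcp_config(text):
    """Return sorted (server, key, finding) tuples for risky env settings."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        env = server.get("env", {})
        # Assumed policy of this checker: only the literal "true" counts as enabled.
        if env.get("VERIFY_SSL", "").strip().lower() != "true":
            findings.append((name, "VERIFY_SSL", "not set to true"))
        if env.get("SPLUNK_SCHEME", "").strip().lower() != "https":
            findings.append((name, "SPLUNK_SCHEME", "not set to https"))
        for key in SECRET_KEYS:
            value = env.get(key, "")
            if value.startswith("YOUR_"):
                # Template text from the page was never replaced.
                findings.append((name, key, "template placeholder left in place"))
            elif value:
                # A real value in the file ends up wherever the file is copied or committed.
                findings.append((name, key, "literal secret stored in config file"))
    return sorted(findings)


if __name__ == "__main__":
    for server, key, finding in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{server}: {key}: {finding}")
```

Run it against the client config file before committing or deploying; an empty result means none of the four conditions was found.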
With the MCP server running, you can perform a range of actions through your MCP client:
- Run Splunk searches using natural language and receive results.
- List and inspect Splunk indexes and their properties.
- Manage users and review current permissions.
- Create, list, and delete KV store collections to organize data.
- Use asynchronous interactions for better performance and responsive tools.
Lists all available MCP tools with their descriptions and parameters.
Returns a list of available Splunk apps to verify connectivity.
Simple heartbeat endpoint to verify MCP server responsiveness.
Returns information about the currently authenticated user.
Returns a list of all users and their roles.
Returns a list of all accessible Splunk indexes.
Returns detailed information about a specific index.
Provides a comprehensive list of indexes and their sourcetypes.
Executes a Splunk search query with optional time range and result limits.
Returns a list of saved searches in the Splunk instance.
Lists all KV store collections.
Creates a new KV store collection.
Deletes an existing KV store collection.