Splunk MCP server

The Splunk MCP tool provides a natural language interface for interacting with Splunk Enterprise/Cloud. It allows you to search data, manage KV stores, and access Splunk resources through an intuitive interface based on the Model Context Protocol.

Getting Started

Prerequisites

• Python 3.10 or higher
• Poetry for dependency management
• Splunk Enterprise/Cloud instance
• Appropriate Splunk credentials with necessary permissions

Installation

Local Installation

1. Clone the repository and navigate to the directory:

git clone <repository-url>
cd splunk-mcp

2. Install dependencies using Poetry:

poetry install

3. Create and configure your environment file:

cp .env.example .env

4. Update the .env file with your Splunk credentials:

SPLUNK_HOST=your_splunk_host
SPLUNK_PORT=8089
SPLUNK_USERNAME=your_username
SPLUNK_PASSWORD=your_password
SPLUNK_SCHEME=https
VERIFY_SSL=true
FASTMCP_LOG_LEVEL=INFO

Docker Installation

1. Pull the latest image:

docker pull livehybrid/splunk-mcp:latest

2. Create your .env file as above or use environment variables directly.

3. Run using Docker Compose:

docker compose up -d

Or using Docker directly:

docker run -i \
  --env-file .env \
  livehybrid/splunk-mcp

Usage

Operating Modes

The tool supports three different operating modes:

SSE Mode (Default)

• Server-Sent Events based communication
• Real-time bidirectional interaction
• Suitable for web-based MCP clients
• Access via /sse endpoint

# Start in SSE mode (default)
poetry run python splunk_mcp.py
# or explicitly:
poetry run python splunk_mcp.py sse

# Using uvicorn directly:
SERVER_MODE=api poetry run uvicorn splunk_mcp:app --host 0.0.0.0 --port 8000 --reload

API Mode

• RESTful API endpoints
• Access via /api/v1 endpoint prefix

poetry run python splunk_mcp.py api

STDIO Mode

• Standard input/output based communication
• Compatible with Claude Desktop and other MCP clients
• Ideal for direct integration with AI assistants

poetry run python splunk_mcp.py stdio

Docker Usage

Using Docker Compose:

# SSE Mode (Default)
docker compose up -d mcp

# API Mode
docker compose run --rm mcp python splunk_mcp.py api

# STDIO Mode
docker compose run -i --rm mcp python splunk_mcp.py stdio

Available Tools

The Splunk MCP provides several tools for interacting with Splunk:

Health and Tools Management

• list_tools: Lists all available MCP tools with descriptions and parameters
• health_check: Returns a list of available Splunk apps to verify connectivity
• ping: Simple ping endpoint to verify MCP server is alive

User Management

• current_user: Returns information about the currently authenticated user
• list_users: Returns a list of all users and their roles

Index Management

• list_indexes: Returns a list of all accessible Splunk indexes
• get_index_info: Returns detailed information about a specific index
• indexes_and_sourcetypes: Returns a comprehensive list of indexes and their sourcetypes

Search

• search_splunk: Executes a Splunk search query
• list_saved_searches: Returns a list of saved searches in the Splunk instance

KV Store

• list_kvstore_collections: Lists all KV store collections
• create_kvstore_collection: Creates a new KV store collection
• delete_kvstore_collection: Deletes an existing KV store collection

Environment Variables

Configure the following environment variables:

• SPLUNK_HOST: Your Splunk host address
• SPLUNK_PORT: Splunk management port (default: 8089)
• SPLUNK_USERNAME: Your Splunk username
• SPLUNK_PASSWORD: Your Splunk password
• SPLUNK_SCHEME: Connection scheme (default: https)
• VERIFY_SSL: Enable/disable SSL verification (default: true)
• FASTMCP_LOG_LEVEL: Logging level (default: INFO)
• SERVER_MODE: Server mode (sse, api, stdio) when using uvicorn

SSL Configuration

The tool provides flexible SSL verification options:

1. Default (Secure) Mode:

VERIFY_SSL=true

• Full SSL certificate verification
• Hostname verification enabled
• Recommended for production environments

2. Relaxed Mode:

VERIFY_SSL=false

• SSL certificate verification disabled
• Hostname verification disabled
• Useful for testing or self-signed certificates

Integration with Claude

Claude Desktop Configuration

You can integrate Splunk MCP with Claude Desktop by adding the following configuration to your claude_desktop_config.json:

STDIO Mode (Recommended for Desktop)

{
  "mcpServers": {
    "splunk": {
      "command": "poetry",
      "env": {
        "SPLUNK_HOST": "your_splunk_host",
        "SPLUNK_PORT": "8089",
        "SPLUNK_USERNAME": "your_username",
        "SPLUNK_PASSWORD": "your_password",
        "SPLUNK_SCHEME": "https",
        "VERIFY_SSL": "false"
      },
      "args": [
          "--directory",
          "/path/to/splunk-mcp",
          "run",
          "python",
          "splunk_mcp.py",
          "stdio"
      ]
    }
  }
}

SSE Mode

{
  "mcpServers": {
    "splunk": {
      "command": "poetry",
      "env": {
        "SPLUNK_HOST": "your_splunk_host",
        "SPLUNK_PORT": "8089",
        "SPLUNK_USERNAME": "your_username",
        "SPLUNK_PASSWORD": "your_password",
        "SPLUNK_SCHEME": "https",
        "VERIFY_SSL": "false",
        "FASTMCP_PORT": "8001",
        "DEBUG": "true"
      },
      "args": [
          "--directory",
          "/path/to/splunk-mcp",
          "run",
          "python",
          "splunk_mcp.py",
          "sse"
      ]
    }
  }
}

Using with Claude

Once configured, you can use natural language to interact with Splunk through Claude. Examples:

1. List available indexes:

What Splunk indexes are available?

2. Search Splunk data:

Search Splunk for failed login attempts in the last 24 hours

3. Get system health:

Check the health of the Splunk system

4. Manage KV stores:

List all KV store collections

Troubleshooting

Connection Issues

1. Basic Connectivity:

   • Verify if port 8089 is accessible
   • Check network routing and firewalls

2. SSL Issues:

   • If seeing SSL errors, try setting VERIFY_SSL=false
   • Check certificate validity and trust chain
   • Verify hostname matches certificate

3. Authentication Issues:

   • Verify Splunk credentials
   • Check user permissions
   • Ensure account is not locked

4. Debugging:

   • Set FASTMCP_LOG_LEVEL=DEBUG for detailed logs
   • Check connection logs for specific error messages
   • Review SSL configuration messages

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explictly ask the agent to use the tool by mentioning the tool name and describing what the function does.