Enables AI agents to interact with Splunk Enterprise/Cloud environments, providing comprehensive tools for search and analytics, data discovery, administration, health monitoring, and AI-powered troubleshooting workflows. Includes capabilities for natural language to SPL conversion, real-time search management, metadata exploration, user and app management, system health monitoring, and automated diagnostic procedures.
1. Click on "Install Server".
2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
3. In the chat, type "@" followed by the MCP server name and your instructions, e.g. "@MCP Server for Splunk show me the top 5 error sources from the last hour".
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Server for Splunk
Enable AI agents to interact seamlessly with Splunk environments through the Model Context Protocol (MCP)
Transform your Splunk instance into an AI-native platform. Our community-driven MCP server bridges Large Language Models and Splunk Enterprise/Cloud with 20+ tools, 16 resources (including CIM data models), and production-ready security, all through a single, standardized protocol.
Why This Matters
Universal AI Connection: One protocol connects any AI to Splunk data
Zero Custom Integration: No more months of custom API development
Production-Ready Security: Client-scoped access with no credential exposure
AI-Powered Workflows: Intelligent troubleshooting agents that work like experts
Community-Driven: Extensible framework with contribution examples
NEW: Transform reactive firefighting into intelligent, systematic problem-solving with specialist AI workflows.
Quick Start
Prerequisites
Python 3.10+ and the uv package manager
Node.js (optional; used for the MCP Inspector)
Docker (optional but recommended for the full stack)
Splunk instance with API access (or use the included Docker Splunk)
Complete Setup Guide: Installation Guide
Configuration
Before running the setup, configure your Splunk connection:
One-Command Setup
Windows:
macOS/Linux:
Deployment Options: The mcp-server command will prompt you to choose:
Docker (Option 1): Full stack with Splunk, Traefik and MCP Inspector; recommended if Docker is installed
Local (Option 2): Lightweight FastMCP server only; for users without Docker
Stopping services: uv run mcp-server --stop stops only this project's compose services (dev/prod/splunk). It does not stop the Docker engine.
Note on Splunk licensing: When using the so1 Splunk container, you must supply your own Splunk Enterprise license if required. The compose files include a commented example mount: # - ./lic/splunk.lic:/tmp/license/splunk.lic:ro. Create a lic/ directory and mount your license file, or add the license via the Splunk Web UI after startup.
What You Can Do
AI-Powered Troubleshooting (NEW!)
Transform your Splunk troubleshooting from manual procedures to intelligent, automated workflows using the MCP server endpoints:
Key Benefits:
Natural Language Interface: "Troubleshoot missing data" → automated workflow execution
Parallel Processing: Multiple diagnostic tasks run simultaneously for faster resolution
Custom Workflows: Build organization-specific troubleshooting procedures
Intelligent Analysis: AI agents follow proven Splunk best practices
Read the Complete AI Workflows Guide for detailed examples, workflow creation, and advanced troubleshooting techniques.
Documentation Hub
Purpose | Audience | Time
Intelligent workflows powered by the workflow tools | All users | 5 min
Complete setup guide with prerequisites | New users | 15 min
Connect AI clients | Developers | 30 min
Production deployment | DevOps | 45 min
Create and run workflows (OpenAI env vars) | Developers | 10 min
Tool documentation | Integrators | Reference
Access CIM data models and Splunk docs | All users | Reference
Add your own tools | Contributors | 60 min
Complete contribution framework | Contributors | 15 min
Technical deep-dive | Architects | Reference
First success test steps | Developers | 2 min
Extend with entry-point plugins (separate package) | Integrators | 5 min
Available Tools & Capabilities
AI Workflows & Specialists (NEW!)
list_workflows: Discover available troubleshooting workflows (core + contrib)
workflow_runner: Execute any workflow with full parameter control and progress tracking
workflow_builder: Create custom troubleshooting procedures for your organization
Built-in Workflows: Missing data troubleshooting, performance analysis, and more
Search & Analytics
Smart Search: Natural language to SPL conversion
Real-time Search: Background job management with progress tracking
Saved Searches: Create, execute, and manage search automation
Data Discovery
Metadata Exploration: Discover indexes, sources, and sourcetypes
Schema Analysis: Understand your data structure
Usage Patterns: Identify data volume and access patterns
Administration
App Management: List, enable, disable Splunk applications
User Management: Comprehensive user and role administration
Configuration Access: Read and analyze Splunk configurations
Health Monitoring
System Health: Monitor Splunk infrastructure status
Degraded Feature Detection: Proactive issue identification
Alert Management: Track and analyze triggered alerts
Client Integration Examples
Multi-Client Configuration Strength: One of the key advantages of this MCP Server for Splunk is its ability to support multiple client configurations simultaneously. You can run a single server instance and connect multiple clients with different Splunk environments, credentials, and configurations, all without restarting the server or managing separate processes.
Multi-Client Benefits
Session-Based Isolation: Each client connection maintains its own Splunk session with independent authentication, preventing credential conflicts between different users or environments.
Dynamic Configuration: Switch between Splunk instances (on-premises, cloud, development, production) by simply changing headers; no server restart is required.
Scalable Architecture: A single server can handle multiple concurrent clients, each with their own Splunk context, making it ideal for team environments, CI/CD pipelines, and multi-tenant deployments.
Resource Efficiency: Eliminates the need to run separate MCP server instances for each Splunk environment, reducing resource consumption and management overhead.
Cursor IDE
Single Tenant
Client Specified Tenant
Google Agent Development Kit
Community & Contribution
Quick links: Contributing · Code of Conduct · Security Policy · Governance · License
Create Your Own Tools & Extensions
Quick Start for Contributors:
Complete Contributing Guide: Everything you need to know about creating tools, resources, and workflows for the MCP Server for Splunk.
Contribution Categories
Security Tools: Threat hunting, incident response, security analysis
DevOps Tools: Monitoring, alerting, operations, SRE workflows
Analytics Tools: Business intelligence, reporting, data analysis
Example Tools: Learning templates and patterns for new contributors
Custom Workflows: AI-powered troubleshooting procedures for your organization
Deployment Options
Development (Local)
Startup Time: ~10 seconds
Resource Usage: Minimal (single Python process)
Best For: Development, testing, stdio-based AI clients
HTTP Defaults: Local runs enable MCP_STATELESS_HTTP=true and MCP_JSON_RESPONSE=true by default for compatibility with official MCP clients (no sticky sessions; plain JSON responses instead of SSE streams).
Endpoint: http://localhost:8003/mcp/
Required client headers:
Accept: application/json, text/event-stream
MCP-Session-ID: <uuid> (preferred; X-Session-ID optional)
X-Splunk-* headers (host, port, username, password, scheme, verify-ssl), or set the connection via .env
Production (Docker)
Features: Load balancing, health checks, monitoring
Includes: Traefik, MCP Inspector, optional Splunk
Best For: Multi-client access, web-based AI agents
Session Routing: Traefik is configured with sticky sessions for streamable HTTP; alternatively, enable stateless HTTP for development scenarios.
Enterprise (Kubernetes)
Scalability: Horizontal scaling, high availability
Security: Pod-level isolation, secret management
Monitoring: Comprehensive observability stack
Support & Community
Issues: GitHub Issues
Discussions: GitHub Discussions
Documentation: Complete guides and references
Interactive Testing: MCP Inspector for real-time testing
Windows Support
Windows users get first-class support with PowerShell scripts and comprehensive troubleshooting guides. See our Windows Setup Guide.
Project Stats
20+ Production Tools: Comprehensive Splunk operations
16 Rich Resources: System info, documentation, and CIM data models
Comprehensive Test Suite: 170+ tests passing locally
Multi-Platform: Windows, macOS, Linux support
Community-Ready: Structured contribution framework
Enterprise-Proven: Production deployment patterns
Ready to Get Started?
Choose your adventure:
Get running in 15 minutes
Connect your AI tools
Understand the system
Add your own tools
Learn More: Model Context Protocol | FastMCP Framework