Supports Docker deployment with containerization capabilities for running the MCP server in Docker environments
Uses .env files for configuration management of environment variables including Splunk connection details and authentication credentials
Implements Pydantic models for request/response validation and type safety in data handling
Utilizes pytest for testing framework and test execution
Built with Python using modern async/await patterns and requires Python 3.8 or higher
Provides comprehensive integration with Splunk Enterprise and Splunk Cloud, enabling execution of SPL queries, index management, saved search operations, application listing, and server information retrieval
Splunk MCP Server
A Model Context Protocol (MCP) server for interacting with Splunk Enterprise and Splunk Cloud. This server enables AI assistants to search Splunk data, list indexes, manage saved searches, and retrieve server information through a standardized interface.
Features
Search Execution: Run SPL (Search Processing Language) queries with configurable time ranges and limits
Index Management: List and filter available Splunk indexes
Saved Searches: Retrieve and manage saved searches
Application Listing: Browse installed Splunk applications
Server Information: Get Splunk server details and health status
Flexible Authentication: Support for both token-based and username/password authentication
Async Operations: Built with modern Python async/await patterns
Type Safety: Full Pydantic models for request/response validation
Installation
Prerequisites
Python 3.8 or higher
Access to a Splunk Enterprise or Splunk Cloud instance
Valid Splunk credentials (token or username/password)
Quick Start
Clone the repository:
git clone https://github.com/yourusername/splunk-mcp.git
cd splunk-mcp
Install dependencies:
pip install -r requirements.txt
Configure environment variables:
cp .env.example .env
# Edit .env with your Splunk connection details
Run the server:
python src/main.py
Development Installation
For development with additional tools:
Configuration
The server is configured using environment variables. Copy .env.example to .env and configure:
Required Variables
Authentication (choose one method)
Token-based authentication (recommended):
Username/password authentication:
Optional Variables
Usage
Once running, the MCP server provides the following tools:
1. Search Splunk Data
Execute SPL queries with configurable parameters:
2. List Indexes
Get available Splunk indexes with optional filtering:
3. Manage Saved Searches
Retrieve saved searches by name or owner:
4. List Applications
Browse installed Splunk apps:
5. Get Server Information
Retrieve Splunk server details and health status.
API Reference
Search Parameters
| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
|  | string | required | SPL search query |
|  | string | "-24h@h" | Search time range start |
|  | string | "now" | Search time range end |
|  | integer | 100 | Maximum results (1-10000) |
|  | integer | 60 | Search timeout in seconds |
Time Range Examples
"-24h@h" - 24 hours ago, rounded to the hour
"-7d@d" - 7 days ago, rounded to the day
"2024-01-01T00:00:00" - Absolute timestamp
"now" - Current time
"-1h" - 1 hour ago
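A request model that enforces the parameter table and time formats above, added here as an example and not taken from the project: it uses a standard-library dataclass in place of the server's Pydantic model, the field names (query, earliest_time, latest_time, max_results, timeout) are assumptions because the table's parameter names did not survive, and the time validator accepts a common subset of Splunk's time syntax rather than all of it.

```python
import re
from dataclasses import dataclass

# Relative modifiers as shown above ("-24h@h", "-7d@d", "-1h"): optional sign, amount, unit,
# optional "@unit" snap. This is a common subset of Splunk's relative-time syntax, not all of it.
_RELATIVE = re.compile(r"^[+-]?\d+(s|m|h|d|w|mon|q|y)(@(s|m|h|d|w|mon|q|y))?$")
# Absolute form shown above: "2024-01-01T00:00:00".
_ABSOLUTE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")


def is_valid_time(value: str) -> bool:
    return value == "now" or bool(_RELATIVE.match(value) or _ABSOLUTE.match(value))


@dataclass(frozen=True)
class SearchRequest:
    query: str
    earliest_time: str = "-24h@h"
    latest_time: str = "now"
    max_results: int = 100   # 1-10000 per the table
    timeout: int = 60        # seconds; applied to the HTTP call, not sent to Splunk

    def __post_init__(self) -> None:
        if not self.query.strip():
            raise ValueError("query must not be empty")
        for name in ("earliest_time", "latest_time"):
            if not is_valid_time(getattr(self, name)):
                raise ValueError(f"{name}: unsupported time value {getattr(self, name)!r}")
        if not 1 <= self.max_results <= 10000:
            raise ValueError("max_results must be between 1 and 10000")
        if self.timeout < 1:
            raise ValueError("timeout must be a positive number of seconds")

    def to_job_params(self) -> dict:
        # Form fields for Splunk's POST /services/search/jobs. Splunk needs the leading
        # "search" command unless the query starts with a generating command ("|").
        q = self.query.strip()
        if not (q.startswith("|") or q.lower().startswith("search ")):
            q = "search " + q
        return {"search": q, "earliest_time": self.earliest_time,
                "latest_time": self.latest_time, "max_count": str(self.max_results),
                "exec_mode": "oneshot", "output_mode": "json"}


def rejects(**kwargs) -> bool:
    # True when validation refuses the request; used by the unit checks below.
    try:
        SearchRequest(**kwargs)
    except ValueError:
        return True
    return False
```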
SPL Query Examples
Authentication
Token-Based Authentication (Recommended)
Create a token in Splunk Web:
Go to Settings > Tokens
Click "New Token"
Set appropriate permissions
Copy the generated token
Configure environment:
SPLUNK_TOKEN=your-token-here
Username/Password Authentication
Note: Token authentication is more secure and is the recommended approach for production deployments.
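As an added example, not the project's code: choose the authentication method from the environment the way this section describes (token first, username/password otherwise) and build the Authorization header Splunk's REST API accepts. SPLUNK_TOKEN and SPLUNK_VERIFY_SSL are names from this README; SPLUNK_USERNAME and SPLUNK_PASSWORD are assumed names, and the login-response parser is for the XML returned by Splunk's POST /services/auth/login.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class SplunkAuth:
    method: str      # "token" or "password"
    header: dict     # HTTP header to send with each REST call
    verify_ssl: bool


def parse_verify_ssl(raw) -> bool:
    # Only explicit boolean spellings are accepted; a typo must not silently disable
    # certificate checks (or silently keep them on when someone meant to disable them).
    value = (raw if raw is not None else "true").strip().lower()
    if value in ("1", "true", "yes"):
        return True
    if value in ("0", "false", "no"):
        return False
    raise ValueError(f"SPLUNK_VERIFY_SSL must be true or false, got {raw!r}")


def auth_from_env(env: dict) -> SplunkAuth:
    # env is passed in (e.g. dict(os.environ)) so the selection is testable offline.
    verify = parse_verify_ssl(env.get("SPLUNK_VERIFY_SSL"))
    token = env.get("SPLUNK_TOKEN")
    if token:  # recommended path: bearer token, no password ever leaves the process
        return SplunkAuth("token", {"Authorization": f"Bearer {token}"}, verify)
    user, password = env.get("SPLUNK_USERNAME"), env.get("SPLUNK_PASSWORD")
    if user and password:  # fallback: HTTP Basic, which Splunk's REST API accepts directly
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        return SplunkAuth("password", {"Authorization": f"Basic {basic}"}, verify)
    raise ValueError("set SPLUNK_TOKEN, or SPLUNK_USERNAME and SPLUNK_PASSWORD")


def session_header_from_login(xml_body: str) -> dict:
    # POST /services/auth/login answers <response><sessionKey>...</sessionKey></response>;
    # later calls send "Authorization: Splunk <sessionKey>" instead of the password again.
    key = ET.fromstring(xml_body).findtext("sessionKey")
    if not key:
        raise ValueError("login response carried no sessionKey")
    return {"Authorization": f"Splunk {key}"}


def redact(header: dict) -> dict:
    # Safe form for debug logs: keep the scheme, drop the credential.
    return {k: v.split(" ", 1)[0] + " ***" for k, v in header.items()}
```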
Error Handling
The server provides detailed error responses:
Common error scenarios:
Authentication failures: Invalid credentials or expired tokens
Query syntax errors: Malformed SPL queries
Permission issues: Insufficient access to indexes or searches
Timeout errors: Long-running searches exceeding timeout limits
Connection issues: Network problems or Splunk server unavailability
Security Considerations
Use HTTPS: Always use encrypted connections in production
Secure credentials: Store tokens and passwords securely
Limit permissions: Use principle of least privilege for Splunk accounts
Network security: Restrict network access to Splunk management ports
Token rotation: Regularly rotate authentication tokens
Development
Project Structure
Running Tests
Code Formatting
Type Checking
Deployment
Docker Deployment
Create a Dockerfile:
Build and run:
Production Considerations
Use a process manager like supervisor or systemd
Configure proper logging and monitoring
Set up health checks
Use environment-specific configuration
Implement proper secret management
Troubleshooting
Common Issues
Connection refused:
Check Splunk server is running
Verify host and port settings
Check network connectivity
Authentication errors:
Verify credentials are correct
Check token hasn't expired
Ensure user has necessary permissions
Search timeouts:
Reduce search time range
Optimize SPL query
Increase timeout setting
SSL errors:
Check certificate validity
Set SPLUNK_VERIFY_SSL=false for testing (not recommended for production)
Enabling Debug Logging
Contributing
Fork the repository
Create a feature branch
Make your changes
Add tests
Run the test suite
Submit a pull request
License
This project is licensed under the MIT License - see the LICENSE file for details.
Support
Issues: GitHub Issues
Documentation: Project Wiki
Splunk Documentation: Splunk REST API Reference
Changelog
v1.0.0
Initial release
Basic search functionality
Token and username/password authentication
Index and saved search management
Application listing
Server information retrieval