Provides capabilities to integrate with Elastic log providers for fetching security event data and performing automated threat detection and log analysis.
Enables AI agents to fetch and analyze enterprise security logs from Splunk to identify threats like SSH brute force attempts and perform runbook-based security reasoning.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@MCP Splunk Analyze the last hour of logs for any SSH brute force attempts."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Splunk — Full Setup & Architecture Guide
This guide explains:
• utilities & frameworks used
• how each component fits in the architecture
• step‑by‑step Windows local setup
• how MCP, RAG, LangGraph, Guardrails & LLM integrate
• basic → advanced usage flow
🧩 Architecture & Technology Flow
🧰 Utilities & Frameworks Used
Core Runtime
Python 3.10+
Primary runtime for orchestration and services.
LLM Layer
OpenRouter + Llama‑3
Used for reasoning over logs and generating security findings.
LangChain Ecosystem
LangChain
Provides embedding and vector search integration.
LangGraph
Used for deterministic agent orchestration.
✔ stateful workflows
✔ branching logic
✔ production reliability
LangSmith (Optional)
Observability & debugging for agent flows.
RAG Stack
SentenceTransformers
Creates semantic embeddings.
Model:
ChromaDB
Local vector database storing runbook embeddings.
MCP Service Layer
FastAPI
Provides log access endpoints.
Simulates enterprise log providers like Splunk or Elastic.
Guardrails
Pydantic
Validates LLM output structure.
Prevents malformed responses.
Detection Engine
Custom Python detection for:
✔ SSH brute force attempts
✔ suspicious IP activity
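As an added example (not the project's own detection code), here is one way the SSH brute force check described above can be implemented over standard OpenSSH auth.log lines: failures are grouped by source IP and flagged only when enough of them fall inside a sliding time window, so a slow drip of failures does not fire. The sample log lines, the threshold of 5 and the 2-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines as written to auth.log (syslog timestamp, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

# Constructed sample input: one fast burst, one legitimate typo, one slow drip.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar  3 10:00:07 bastion sshd[4023]: Failed password for root from 203.0.113.5 port 4424 ssh2
Mar  3 10:00:13 bastion sshd[4025]: Failed password for invalid user test from 203.0.113.5 port 4426 ssh2
Mar  3 10:00:19 bastion sshd[4027]: Failed password for root from 203.0.113.5 port 4428 ssh2
Mar  3 10:00:25 bastion sshd[4029]: Failed password for invalid user oracle from 203.0.113.5 port 4430 ssh2
Mar  3 10:15:40 bastion sshd[4101]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar  3 10:16:02 bastion sshd[4103]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
Mar  3 11:30:00 bastion sshd[4200]: Failed password for root from 198.51.100.9 port 60001 ssh2
Mar  3 11:40:00 bastion sshd[4202]: Failed password for root from 198.51.100.9 port 60002 ssh2
Mar  3 11:50:00 bastion sshd[4204]: Failed password for root from 198.51.100.9 port 60003 ssh2
""".splitlines()

def parse_failed_logins(lines, year=2024):
    """Yield (timestamp, user, source_ip) for every sshd authentication failure."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # "Accepted password" and unrelated lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_ssh_brute_force(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag a source IP whose failures reach `threshold` inside any sliding
    window of length `window`. Returns {ip: (peak_count, sorted users tried)}."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(lines):
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop failures that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = (peak, sorted({u for _, u in events}))
    return findings
```

With the sample input only 203.0.113.5 is reported; 198.51.100.9 never reaches the threshold inside a 2-minute window, so widening the window or lowering the threshold is what surfaces slow attempts.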
🖥️ Windows Local Setup
1️⃣ Install Python
Verify:
2️⃣ Clone Repo
3️⃣ Virtual Environment
4️⃣ Install Dependencies
If needed:
5️⃣ Environment Variables
Create .env
6️⃣ Build Vector DB
Run once:
7️⃣ Start MCP Server
Verify:
http://localhost:9000/service_health
8️⃣ Launch App
Open:
http://localhost:8501
🔄 Execution Flow
User submits query
Agent fetches logs via MCP
Logs parsed & categorized
Threat detection executed
Runbook context retrieved (RAG)
LLM generates security analysis
Guardrails validate output
Structured results displayed
🧠 Basic vs Advanced Usage
Basic
✔ run locally
✔ detect suspicious activity
Advanced
✔ integrate Splunk/Elastic
✔ stream logs via Kafka
✔ enable LangSmith tracing
✔ deploy via Docker & Kubernetes
🚀 Production Upgrade Path
Replace file logs with streaming ingestion
Deploy vector DB remotely
Enable SIEM alerting
Multi-host correlation