Splunk Intelligence MCP Server
Provides tools for investigating Splunk data by ingesting exports (JSON/CSV) or running live SPL queries, applying deterministic detectors, and managing an investigation loop with findings and reports.
Splunk Intelligence — Local LLM Analysis Stack
A local Splunk investigation stack that ingests exports (JSON/CSV) or runs live SPL queries, applies deterministic detectors, and drives a structured multi-iteration investigation loop via MCP tools exposed to AI agents (GitHub Copilot or Claude Code). Everything runs on-device — no data leaves the machine.
How it works
```
Splunk export (JSON/CSV) ──or── Splunk REST API
└─> parsers.py     # Polars DataFrame: field extraction, timestamp normalisation
└─> detectors.py   # rule-based: spikes, cert anomalies, host rankings, timeline
└─> mcp_server.py  # FastMCP: exposes investigation tools to Copilot / Claude
└─> runner.py      # CLI orchestrator
└─> reports/       # generated markdown reports
└─> logs/          # per-run JSONL structured logs
└─> splunk.db      # SQLite: events, findings, reports, queries per run_id
```

The investigation loop is self-contained: splunk__submit_report returns {status, findings, next} and the agent loops on its own without external hooks.
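As an added example that is not the project's code: a stand-alone version of the parse-then-detect stage above, run over a constructed JSON export. The project's parsers build a Polars DataFrame; this version uses only the standard library so it runs anywhere. The window and threshold defaults (60 s, 5 events), the cert-anomaly patterns and the field layout of the sample export are assumptions.

```python
"""Added example, not the project's parsers.py/detectors.py: deterministic detectors
over a Splunk JSON export using only the standard library (the project uses Polars)."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export: a Splunk "results" JSON list, one object per event.
# Seven events fall inside the 10:00 minute, one arrives five minutes later.
SAMPLE_EXPORT = json.dumps([
    {"_time": "2024-05-01T10:00:01.000+00:00", "host": "web-01", "message": "OCSP responder timeout"},
    {"_time": "2024-05-01T10:00:03.000+00:00", "host": "web-01", "message": "OCSP responder timeout"},
    {"_time": "2024-05-01T10:00:05.000+00:00", "host": "web-01", "message": "certificate has expired: CN=api.internal"},
    {"_time": "2024-05-01T10:00:08.000+00:00", "host": "web-02", "message": "OCSP responder timeout"},
    {"_time": "2024-05-01T10:00:12.000+00:00", "host": "web-01", "message": "OCSP responder timeout"},
    {"_time": "2024-05-01T10:00:20.000+00:00", "host": "web-02", "message": "self-signed certificate in chain"},
    {"_time": "2024-05-01T10:00:25.000+00:00", "host": "web-01", "message": "OCSP responder timeout"},
    {"_time": "2024-05-01T10:05:00.000+00:00", "host": "db-01", "message": "OCSP responder timeout"},
])

# Assumed cert-anomaly vocabulary; the project's own patterns are not shown on the page.
CERT_ANOMALY = re.compile(
    r"expired|self-signed|unknown (?:ca|issuer)|hostname mismatch|revoked", re.IGNORECASE
)


def parse_export(raw: str) -> list[dict]:
    """Parse the export and normalise _time (ISO 8601 with offset) to UTC epoch seconds."""
    events = []
    for rec in json.loads(raw):
        ts = datetime.fromisoformat(rec["_time"]).astimezone(timezone.utc).timestamp()
        events.append({"t": int(ts), "host": rec.get("host", "unknown"),
                       "msg": rec.get("message", "")})
    return sorted(events, key=lambda e: e["t"])


def timeline(events: list[dict], window_s: int) -> list[tuple[int, int]]:
    """Event count per fixed window, keyed by the window's start epoch."""
    buckets = Counter((e["t"] // window_s) * window_s for e in events)
    return sorted(buckets.items())


def detect_spikes(events: list[dict], window_s: int = 60, threshold: int = 5) -> list[dict]:
    """A window holding at least `threshold` events is reported as a spike."""
    return [{"window_start": w, "count": c}
            for w, c in timeline(events, window_s) if c >= threshold]


def rank_hosts(events: list[dict], top: int = 3) -> list[tuple[str, int]]:
    """Hosts ordered by how many events they produced."""
    return Counter(e["host"] for e in events).most_common(top)


def detect_cert_anomalies(events: list[dict]) -> list[dict]:
    """Events whose message matches a certificate-failure pattern."""
    return [{"t": e["t"], "host": e["host"], "msg": e["msg"]}
            for e in events if CERT_ANOMALY.search(e["msg"])]


def run_detectors(raw: str, window_s: int = 60, threshold: int = 5) -> dict:
    """Structured findings: the same input always yields the same output."""
    events = parse_export(raw)
    return {
        "event_count": len(events),
        "timeline": timeline(events, window_s),
        "spikes": detect_spikes(events, window_s, threshold),
        "top_hosts": rank_hosts(events),
        "cert_anomalies": detect_cert_anomalies(events),
    }


if __name__ == "__main__":
    print(json.dumps(run_detectors(SAMPLE_EXPORT), indent=2))
```

The window and threshold are the two spike tunables listed under Environment variables. Because every detector is a pure function of the parsed events, the same export always produces the same findings, which is what lets the test suite run without Splunk or an LLM.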
Quick start
1. Install prerequisites
- Python 3.12+
- uv (brew install uv)
- Splunk instance URL (set the SPLUNK_URL env var; required for live queries only)
Ollama is not required. Copilot or Claude Code handles all reasoning via MCP tools. To use the optional standalone LangGraph/Ollama agent, install the llm extra (uv sync --extra llm) and run with --llm.
2. Install dependencies
```shell
uv sync --extra dev
uv run playwright install chromium
```

3. Configure Splunk URL (live queries only)

```shell
echo "SPLUNK_URL=https://your-splunk-instance:8089" > .env
```

4. Authenticate to Splunk (live queries only)

```shell
uv run python -m splunk.auth
```

This opens a visible Chromium window via Playwright. Complete the SSO login manually. The session cookie is saved to ~/.splunk/auth.json and loaded automatically on every live query. Re-run when your session expires (Splunk uses SSO/SAML — password login is not available).
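As an added example that is not the project's REST client: load the session cookie that splunk.auth saves, refuse a cookie file other users can read (the cookie is a bearer credential for your Splunk session), and run a live SPL search through Splunk's search-jobs REST API with cookie authentication. The HTTP transport is injectable so the flow can be exercised offline against a constructed fake; the auth.json layout ({"name": ..., "value": ...}), the SessionExpired class and the leading-`search` normalisation are assumptions, not the project's code.

```python
"""Added example, not the project's client: cookie-authenticated Splunk search-jobs flow."""
import json
import os
import stat
import time
import urllib.error
import urllib.parse
import urllib.request


class SessionExpired(Exception):
    """Splunk answered 401: the SSO cookie is stale; re-run `uv run python -m splunk.auth`."""


def cookie_file_is_private(mode: int) -> bool:
    """Only the owner may read or write the saved cookie (no group/other bits)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def load_cookie(path: str = "~/.splunk/auth.json") -> str:
    """Return a 'name=value' Cookie header; assumed file layout {"name": ..., "value": ...}."""
    p = os.path.expanduser(path)
    if not cookie_file_is_private(os.stat(p).st_mode):
        raise PermissionError(f"{p} is readable by other users; chmod 600 it")
    with open(p, encoding="utf-8") as fh:
        data = json.load(fh)
    return f"{data['name']}={data['value']}"


def urllib_transport(method, url, headers, body):
    """Real transport: (status, response_text). TLS verification is left on."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


class SplunkSearch:
    def __init__(self, base_url, cookie, transport=urllib_transport):
        self.base = base_url.rstrip("/")
        self.headers = {"Cookie": cookie}
        self.transport = transport

    def _call(self, method, path, form=None):
        body = urllib.parse.urlencode(form).encode() if form else None
        status, text = self.transport(method, self.base + path, self.headers, body)
        if status == 401:
            raise SessionExpired("Splunk returned 401; re-authenticate with splunk.auth")
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {text[:200]}")
        return json.loads(text) if text else {}

    def search(self, spl, earliest="-24h", poll_interval=0.5):
        """Create a search job, poll until isDone, return the result rows."""
        spl = spl.strip()
        if not spl.startswith("|") and not spl.lower().startswith("search "):
            spl = "search " + spl  # the jobs endpoint needs an explicit leading command
        job = self._call("POST", "/services/search/jobs",
                         {"search": spl, "earliest_time": earliest, "output_mode": "json"})
        sid = urllib.parse.quote(job["sid"], safe="")
        while True:
            state = self._call("GET", f"/services/search/jobs/{sid}?output_mode=json")
            if state["entry"][0]["content"]["isDone"]:
                break
            time.sleep(poll_interval)
        return self._call("GET", f"/services/search/jobs/{sid}/results?output_mode=json&count=0")["results"]


class FakeSplunk:
    """Constructed stand-in for splunkd so the client can be exercised offline."""
    def __init__(self, cookie, rows, polls_until_done=1):
        self.cookie, self.rows, self.remaining = cookie, rows, polls_until_done
        self.requests = []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, body))
        if headers.get("Cookie") != self.cookie:
            return 401, '{"messages":[{"type":"ERROR","text":"Unauthorized"}]}'
        if method == "POST" and url.endswith("/services/search/jobs"):
            return 201, '{"sid": "1714557600.42"}'
        if url.endswith("/results?output_mode=json&count=0"):
            return 200, json.dumps({"results": self.rows})
        self.remaining -= 1
        return 200, json.dumps({"entry": [{"content": {"isDone": self.remaining <= 0}}]})
```

A 401 is the only signal that the SSO session has lapsed, so the client turns it into a distinct exception rather than a generic HTTP error; the CLI can then tell you to re-run the auth step instead of retrying the query.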
5. Run an investigation
```shell
# From a local export file
uv run python -m splunk --input results/cert_errors.json

# Live SPL query
uv run python -m splunk --live --spl "index=pki sourcetype=ocsp_error" --earliest -6h

# Parsers + detectors only, no LLM (the default when --llm is not passed)
uv run python -m splunk --input results/cert_errors.json

# With standalone Ollama agent (requires uv sync --extra llm + Ollama running)
uv run python -m splunk --input results/cert_errors.json --llm
```

Via AI agent (MCP tools)
Run both servers — the FastAPI UI server and the MCP tool server:
```shell
# Terminal 1 — FastAPI UI (http://127.0.0.1:8765)
./serve.sh

# Terminal 2 — MCP tool server
uv run python -m splunk.mcp_server
```

The UI at http://127.0.0.1:8765/ui/runs/<run_id> shows live investigation progress, findings, and the final report. The MCP server exposes the investigation tools to the agent.
Then ask Copilot or Claude: "Start a Splunk investigation on results/cert_errors.json"
The agent calls splunk__investigate_start, reasons over findings, and loops via splunk__submit_report until confident. See AGENTS.md for the full loop protocol.
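As an added example that is not the project's mcp_server.py: a plain-Python model of the loop the six MCP tools drive, so the protocol can be read and exercised without FastMCP or an agent. The {status, findings, next} shape of submit_report and the tool names splunk__investigate_start and splunk__submit_report come from the page; the iteration cap, the status values, the other function names and the read-only guard on agent-authored SPL are assumptions.

```python
"""Added example, not the project's code: the investigation loop as plain functions."""
import re
import uuid
from dataclasses import dataclass, field

DEFAULT_MAX_ITERATIONS = 5  # assumed cap; the page does not name the tunable

# Assumed guard: follow-up SPL written by the agent must stay read-only. These are
# real SPL commands that modify indexes/lookups, run code or send mail.
UNSAFE_SPL = re.compile(
    r"\|\s*(delete|outputlookup|collect|sendemail|script|runshellscript)\b", re.IGNORECASE
)


@dataclass
class Run:
    run_id: str
    findings: dict
    max_iterations: int
    iteration: int = 0
    status: str = "active"  # active | complete | stopped
    reports: list = field(default_factory=list)
    queries: list = field(default_factory=list)
    hints: list = field(default_factory=list)
    stop_requested: bool = False


RUNS: dict[str, Run] = {}  # in-memory stand-in for the splunk.db rows


def _run(run_id: str) -> Run:
    try:
        return RUNS[run_id]
    except KeyError:
        raise ValueError(f"unknown run_id {run_id!r}") from None


def investigate_start(findings: dict, max_iterations: int = DEFAULT_MAX_ITERATIONS) -> dict:
    """Register a run with detector findings and tell the agent what to do first."""
    run = Run(uuid.uuid4().hex[:8], findings, max_iterations)
    RUNS[run.run_id] = run
    return {"run_id": run.run_id, "status": run.status, "findings": findings,
            "next": "Review the findings, then call submit_report with a markdown report"}


def submit_report(run_id: str, report_md: str, followup_spl=(), confident: bool = False) -> dict:
    """Record one iteration; returns {status, findings, next}; next is None once the loop ends."""
    run = _run(run_id)
    if run.status != "active":
        return {"status": run.status, "findings": run.findings, "next": None}
    bad = [q for q in followup_spl if UNSAFE_SPL.search(q)]
    if bad:  # rejected before the iteration is consumed
        raise ValueError(f"follow-up SPL is not read-only: {bad[0]!r}")
    run.iteration += 1
    run.reports.append(report_md)
    run.queries.extend(followup_spl)
    if run.stop_requested:
        run.status = "stopped"
    elif confident or run.iteration >= run.max_iterations:
        run.status = "complete"
    if run.status != "active":
        return {"status": run.status, "findings": run.findings, "next": None}
    steer = f"Analyst hint: {'; '.join(run.hints)}. " if run.hints else ""
    run.hints.clear()  # a hint shapes exactly one iteration
    return {"status": run.status, "findings": run.findings,
            "next": f"{steer}Iteration {run.iteration + 1} of {run.max_iterations}: "
                    "run the follow-up SPL and call submit_report again"}


def get_findings(run_id: str) -> dict:
    """Read the current state without advancing the loop."""
    run = _run(run_id)
    return {"status": run.status, "iteration": run.iteration, "findings": run.findings}


def request_stop(run_id: str) -> dict:
    """Stop after the current iteration: takes effect at the next submit_report."""
    _run(run_id).stop_requested = True
    return {"status": "stop_requested"}


def add_hint(run_id: str, hint: str) -> dict:
    """Queue an analyst hint that is folded into the next `next` instruction."""
    run = _run(run_id)
    run.hints.append(hint)
    return {"status": "hint_queued", "hints": len(run.hints)}


def past_queries(run_id: str) -> list:
    """Follow-up SPL submitted so far for this run."""
    return list(_run(run_id).queries)
```

The loop needs no external scheduler: the agent keeps calling submit_report while `next` is a string and stops when it is None, which is why a stop request or an analyst hint only has to mutate the run record to change the agent's behaviour.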
MCP Tools
| Tool | Purpose |
|---|---|
| splunk__investigate_start | Load file or live SPL query, run detectors, return structured findings + |
| splunk__submit_report | Submit a markdown report and follow-up SPL queries; returns {status, findings, next} |
| | Read current findings for an active run without advancing the loop |
| | Stop the loop after the current iteration |
| | Inject an analyst hint that shapes the next iteration |
| | Return past SPL queries from splunk.db |
Onboarding (new team members)
An interactive onboarding prompt is available for GitHub Copilot. In VS Code Copilot Chat, attach .github/prompts/onboard.prompt.md via the # file picker — Copilot will walk you through setup, auth, and running your first investigation.
Tests
```shell
uv run pytest tests/
```

Tests are fully deterministic — no Ollama, no Splunk connection, no server required. Fixtures live in tests/fixtures/.
Key files
| File | Purpose |
|---|---|
| | All tunables — model, thresholds, paths, auth |
| mcp_server.py | FastMCP server — 6 investigation tools |
| | CLI entry point |
| | Splunk REST client (cookie-based, SSO-compatible) |
| auth.py | Playwright SSO — opens Chromium, saves cookie |
| | SQLite store: events, findings, reports, queries |
| | Structured JSON-lines logging per run |
Environment variables
| Variable | Default | Purpose |
|---|---|---|
| SPLUNK_URL | — | Splunk base URL (required for live queries) |
| | | Set |
| | | Ollama model — only used when --llm is passed |
| | | ReAct loop cap — only used when --llm is passed |
| | | Events/window to trigger a spike |
| | | Spike detection window (seconds) |
| | | Splunk session cookie name |
| | ~/.splunk/auth.json | Cookie persist path |
| | | Log verbosity |
Put these in a .env file at the repo root (gitignored).
Agent instructions
GitHub Copilot — see AGENTS.md for loop rules, MCP tool reference, and report format
Claude Code — see CLAUDE.md for project conventions and task backlog
Onboarding — see .github/prompts/onboard.prompt.md