MCP Server for Splunk
by
Provides a Go‑based MCP server that exposes Splunk data through STDIO and Server‑Sent Events, enabling LLMs to call tools for saved searches, alerts, indexes, and macros.
MCP Server for Splunk Overview
What is MCP Server for Splunk about?
MCP Server for Splunk implements the Model Context Protocol (MCP) tooling for Splunk environments. It delivers a lightweight Go service that can be interacted with via STDIO (default) or an SSE‑based HTTP API, exposing a set of predefined MCP tools that query Splunk objects such as saved searches, alerts, fired alerts, indexes, and macros.
How to use MCP Server for Splunk?
- Set environment variables
export SPLUNK_URL=https://your-splunk-instance:8089 export SPLUNK_TOKEN=your-splunk-token - STDIO mode (default) – pipe JSON‑RPC requests to the binary:
echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | go run cmd/mcp-server-splunk/main.go | jq - SSE mode – start the server and interact with it via HTTP:
Then open a session withgo run cmd/mcp-server-splunk/main.go -transport sse -port 3001curl http://localhost:3001/sseand send JSON‑RPC messages tohttp://localhost:3001/message?sessionId=YOUR_SESSION_ID. - Docker – build and run the container:
docker build -t mcp-server-splunk . echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | docker run --rm -i -e SPLUNK_URL=$SPLUNK_URL -e SPLUNK_TOKEN=$SPLUNK_TOKEN mcp-server-splunk | jq - Cursor integration – add the server definition to
~/.cursor/mcp.jsonfor STDIO or SSE, then use natural language prompts that trigger the MCP tools.
Key features of MCP Server for Splunk
- Multiple transport options: STDIO for local execution, SSE for remote HTTP interaction.
- Pre‑built MCP tools:
list_splunk_saved_searcheslist_splunk_alertslist_splunk_fired_alertslist_splunk_indexeslist_splunk_macros
- Pagination and filtering: Each tool supports
count,offset, and context‑specific filters (e.g.,title,ss_name,earliest). - Prompt implementation: Example prompt in
internal/splunk/prompt.godemonstrates complex multi‑tool workflows. - Docker ready: Dockerfile and
smithery.yamlenable one‑click deployment on Smithery platform. - Cursor ready: Seamless integration with Cursor’s MCP UI for LLM‑driven Splunk insights.
Use cases of MCP Server for Splunk
- Automated Splunk reporting: LLMs can retrieve the first N saved searches, alerts, or macros and generate summary reports.
- Incident investigation: Query fired alerts within a time window to understand recent incidents.
- Dashboard generation: Pull indexes and macros to build dynamic documentation or data dictionaries.
- Chat‑based Splunk assistance: Users ask natural‑language questions (e.g., "How many alerts contain 'CRITICAL' in the last day?") and the system calls the appropriate MCP tool behind the scenes.
- Integration with CI/CD: Use STDIO mode in pipelines to verify Splunk configuration or to audit alerts before deployment.
FAQ from the MCP Server for Splunk
- Q: What environment variables are required?
A:
SPLUNK_URL(the Splunk REST API endpoint) andSPLUNK_TOKEN(a valid auth token). - Q: How do I list the available tools?
A: Send a
tools/listJSON‑RPC request via STDIO or SSE. - Q: Can I change the default pagination limits?
A: Each tool accepts optional
count(max 100) andoffsetparameters; set them in theargumentsfield of thetools/callrequest. - Q: Is there a graphical UI? A: The server itself is headless; UI integration is provided through Cursor, Smithery, or any client that consumes the SSE endpoint.
- Q: How do I run the server in production?
A: Build the binary (
go build -o mcp-server-splunk cmd/mcp-server-splunk/main.go) or use the Docker image, then supervise the process with systemd, Docker‑compose, or Kubernetes. - Q: What is the maximum number of results I can retrieve?
A: Each tool caps
countat 100 results per request. - Q: How do I filter alerts by title?
A: Use the
titleargument inlist_splunk_alertsfor a case‑insensitive substring match.
MCP Server for Splunk's README
MCP Server for Splunk
A Go implementation of the MCP server for Splunk. Supports STDIO and SSE (Server-Sent Events HTTP API). Uses github.com/mark3labs/mcp-go SDK.
MCP Tools implemented
list_splunk_saved_searches- Parameters:
count(number, optional): Number of results to return (max 100, default 100)offset(number, optional): Offset for pagination (default 0)
- Parameters:
list_splunk_alerts- Parameters:
count(number, optional): Number of results to return (max 100, default 10)offset(number, optional): Offset for pagination (default 0)title(string, optional): Case-insensitive substring to filter alert titles
- Parameters:
list_splunk_fired_alerts- Parameters:
count(number, optional): Number of results to return (max 100, default 10)offset(number, optional): Offset for pagination (default 0)ss_name(string, optional): Search name pattern to filter alerts (default "*")earliest(string, optional): Time range to look back (default "-24h")
- Parameters:
list_splunk_indexes- Parameters:
count(number, optional): Number of results to return (max 100, default 10)offset(number, optional): Offset for pagination (default 0)
- Parameters:
list_splunk_macros- Parameters:
count(number, optional): Number of results to return (max 100, default 10)offset(number, optional): Offset for pagination (default 0)
- Parameters:
MCP Prompts and Resources
internal/splunk/prompt.goimplements an MCP Prompt to find Splunk alerts for a specific keyword (e.g. GitHub or OKTA) and instructs Cursor to utilise multiple MCP tools to review all Splunk alerts, indexes and macros first to provide the best answer.cmd/mcp/server/main.goimplements MCP Resource in the form of local CSV file with Splunk related content, providing further context to the chat.
Usage
STDIO mode (default)
export SPLUNK_URL=https://your-splunk-instance:8089
export SPLUNK_TOKEN=your-splunk-token
# List available tools
echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | go run cmd/mcp-server-splunk/main.go | jq
# Call list_splunk_saved_searches tool
echo '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"list_splunk_saved_searches","arguments":{}}}' | go run cmd/mcp-server-splunk/main.go | jq
SSE mode (Server-Sent Events HTTP API)
export SPLUNK_URL=https://your-splunk-instance:8089
export SPLUNK_TOKEN=your-splunk-token
# Start the server
go run cmd/mcp-server-splunk/main.go -transport sse -port 3001
# Call the server and get Session ID from the output. Do not terminate the session.
curl http://localhost:3001/sse
# Keep session running and and use different terminal window for the final MCP call
curl -X POST "http://localhost:3001/message?sessionId=YOUR_SESSION_ID" \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | jq
Installing via Smithery
Dockerfile and smithery.yaml are used to support hosting this MCP server at [Smithery](https://smithery.ai/server/@jkosik/.
Local Docker build and run
docker build -t mcp-server-splunk .
echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | \
docker run --rm -i \
-e SPLUNK_URL=https://your-splunk-instance:8089 \
-e SPLUNK_TOKEN=your-splunk-token \
mcp-server-splunk | jq
Cursor integration
By configuring MCP Settings in Cursor, you can include remote data directly into the LLM context.
Integrate STDIO or SSE MCP Servers (see below) and use Cursor Chat. Cursor will automatically try to use MCP Tools, Prompts or Re Sample prompts:
How many MCP tools for Splunk are available?How many Splunk indexes do we have?Can you list first 5 Splunk macros including underlying queries?How many alers with "Alert_CRITICAL" in the name were fired in the last day?Read the MCP Resource "Data Dictionary" and find the contact person for the Splunk index XYZ.
STDIO mode
Build the server:
go build -o cmd/mcp-server-splunk/mcp-server-splunk cmd/mcp-server-splunk/main.go
Update ~/.cursor/mcp.json
{
"mcpServers": {
"splunk_stdio": {
"name": "Splunk MCP Server (STDIO)",
"description": "MCP server for Splunk integration",
"type": "stdio",
"command": "/Users/juraj/data/github.com/jkosik/mcp-server-splunk/cmd/mcp-server-splunk/mcp-server-splunk",
"env": {
"SPLUNK_URL": "https://your-splunk-instance:8089",
"SPLUNK_TOKEN": "your-splunk-token"
}
}
}
}
SSE mode
Start the server:
export SPLUNK_URL=https://your-splunk-instance:8089
export SPLUNK_TOKEN=your-splunk-token
# Start the server
go run cmd/mcp-server-splunk/main.go -transport sse -port 3001
Update ~/.cursor/mcp.json
{
"mcpServers": {
"splunk_sse": {
"name": "Splunk MCP Server (SSE)",
"description": "MCP server for Splunk integration (SSE mode)",
"type": "sse",
"url": "http://localhost:3001/sse"
}
}
}
Certified by MCP Review: https://mcpreview.com/mcp-servers/jkosik/mcp-server-splunk
MCP Server for Splunk Reviews
Login Required
Please log in to share your review and rating for this MCP.
Actions
MCP Server for Splunk's Information
- Author
- jkosik
- Category
- Monitoring & Observability
- Language
- Go
- Stars
- 5
- Updated
- 2 months ago
Similar MCP Servers like MCP Server for Splunk
Explore related MCPs that share similar capabilities and solve comparable challenges
Netdata
by netdata
Delivers real‑time, per‑second infrastructure monitoring with zero‑configuration agents, on‑edge machine‑learning anomaly detection, and built‑in dashboards.
Phoenix
Officialby Arize-ai
Open-source AI observability platform enabling tracing, evaluation, dataset versioning, experiment tracking, prompt management, and interactive playground for LLM applications.
Tianji
by msgbyte
Provides integrated website traffic analysis, uptime checking, and server health monitoring in a single self‑hosted platform.
Grafana MCP Server
by grafana
Provides programmatic access to a Grafana instance and its surrounding ecosystem through the Model Context Protocol, enabling AI assistants and other clients to query and manipulate dashboards, datasources, alerts, incidents, on‑call schedules, and more.
Dynatrace MCP Server
by dynatrace-oss
Provides a local server that enables real‑time interaction with the Dynatrace observability platform, exposing tools for querying data, retrieving problems, sending Slack notifications, and integrating AI assistance.
Logfire MCP Server
by pydantic
Provides tools to retrieve and query OpenTelemetry trace and metric data from Pydantic Logfire, allowing LLMs to analyze distributed traces and run arbitrary SQL queries against telemetry records.
VictoriaMetrics MCP Server
by VictoriaMetrics-Community
Provides a Model Context Protocol server exposing read‑only VictoriaMetrics APIs, enabling seamless monitoring, observability, and automation through AI‑driven assistants.
Datadog MCP Server
by GeLi2001
Enables interaction with the Datadog API through a Model Context Protocol server, providing access to monitors, dashboards, metrics, logs, events, and incident data.
Last9 MCP Server
by last9
Provides AI agents with real‑time production context—including logs, metrics, traces, and alerts—through a Model Context Protocol server, enabling automatic code fixing and faster debugging.