Splunk MCP Server Integration

Enable your AI agents to monitor, search, and automate Splunk operations with the Splunk MCP Server—fully integrated into FlowHunt.

What does “Splunk” MCP Server do?

The Splunk MCP (Model Context Protocol) Server is a Go-based server that bridges AI assistants and the Splunk platform by exposing Splunk's saved searches, alerts, fired alerts, indexes, and macros as MCP tools. An AI client can use those tools to enumerate what is configured in Splunk, pull recently fired alerts, and feed that context into monitoring and incident-response workflows. The server supports two transports, STDIO (the client launches it as a local process) and SSE (Server-Sent Events over HTTP), so it fits both desktop editors and remotely hosted clients. Note that the tools are enumeration tools: they list and page through Splunk objects. Running arbitrary SPL searches is not among them, so think of the integration as read-only inventory and alert retrieval rather than a general query interface.

List of Prompts

  • Find Splunk Alerts for a Keyword: An MCP prompt that searches for Splunk alerts matching a given keyword (e.g., “GitHub” or “OKTA”).
    • It instructs the client (Cursor, for example) to call several of the MCP tools and review all Splunk alerts, indexes, and macros before composing its answer.

List of Resources

  • Local CSV Resource: MCP Resource implemented in the form of a local CSV file containing Splunk-related content, providing additional context to the chat or AI operations.

List of Tools

  • list_splunk_saved_searches: Lists saved searches in Splunk. Supports pagination via count and offset.
  • list_splunk_alerts: Lists Splunk alerts (saved searches that have alerting configured). Supports pagination and filtering by alert title.
  • list_splunk_fired_alerts: Lists alerts that have fired. Supports filtering by saved search name (ss_name) and by time range (earliest, a Splunk relative time such as -24h), plus pagination.
  • list_splunk_indexes: Lists the indexes visible to the token's role. Supports pagination.
  • list_splunk_macros: Lists the macros defined in Splunk. Supports pagination.

Use Cases of this MCP Server

  • Monitoring Security Alerts: Security teams can automate the retrieval and review of fired Splunk alerts to shorten the time to first triage.
  • Automated Compliance Audits: AI assistants can regularly list indexes and saved searches to confirm that the expected compliance-related searches and data sources are present.
  • Operational Intelligence Gathering: Teams can enumerate Splunk macros and indexes to enrich AI-driven diagnostics and reporting.
  • Custom Alert Investigation: AI workflows can look for alerts whose titles contain specific keywords (e.g., “GitHub”, “OKTA”) to focus an investigation on one system.
  • Integration with AI Agents: Use in larger AI flows (e.g., with Cursor or Claude) to combine Splunk's alert inventory with other sources for automated troubleshooting.

How to set it up

Windsurf

  1. Ensure you have Go installed and your Splunk management URL (https, port 8089) and a Splunk authentication token ready.
  2. Clone the repository or use the package: @jkosik/mcp-server-splunk@latest. The "go run cmd/mcp-server-splunk/main.go" command below resolves that path relative to the repository root, so either Windsurf must launch the server from that directory or you build a binary with "go build" and put its absolute path in "command".
  3. Edit your Windsurf configuration file to add the Splunk MCP Server. "mcpServers" is an object keyed by a server name of your choice (here "splunk"), not an array:
    {
      "mcpServers": {
        "splunk": {
          "command": "go",
          "args": ["run", "cmd/mcp-server-splunk/main.go"],
          "env": {
            "SPLUNK_URL": "https://your-splunk-instance:8089",
            "SPLUNK_TOKEN": "your-splunk-token"
          }
        }
      }
    }
    
  4. Save the configuration and restart Windsurf.
  5. Verify the setup by listing the server's tools in the Windsurf interface; the five list_splunk_* tools should appear.

Claude

  1. Prerequisites: Go installed, the Splunk management URL (https, port 8089) and a Splunk authentication token. Because the "go run" path below is relative to the repository root, either run Claude from that directory or build a binary with "go build" and reference its absolute path in "command".
  2. Add the MCP server as a tool provider. "mcpServers" is an object keyed by server name, not an array:
    {
      "mcpServers": {
        "splunk": {
          "command": "go",
          "args": ["run", "cmd/mcp-server-splunk/main.go"],
          "env": {
            "SPLUNK_URL": "https://your-splunk-instance:8089",
            "SPLUNK_TOKEN": "your-splunk-token"
          }
        }
      }
    }
    
  3. Save the settings and restart the Claude integration.
  4. List the tools or call one (for example list_splunk_indexes) to confirm the server starts and the token is accepted.

Cursor

  1. Make sure Go, the Splunk management URL (https, port 8089) and a Splunk authentication token are available. The "go run" path below is relative to the repository root; if Cursor does not start the server from that directory, build a binary with "go build" and reference its absolute path in "command".
  2. Update Cursor's configuration. "mcpServers" is an object keyed by server name, not an array:
    {
      "mcpServers": {
        "splunk": {
          "command": "go",
          "args": ["run", "cmd/mcp-server-splunk/main.go"],
          "env": {
            "SPLUNK_URL": "https://your-splunk-instance:8089",
            "SPLUNK_TOKEN": "your-splunk-token"
          }
        }
      }
    }
    
  3. Save the config and restart Cursor.
  4. Validate by running one of the list_splunk_* tools from Cursor.

Cline

  1. Install Go and have the Splunk management URL (https, port 8089) and a Splunk authentication token ready. The "go run" path below is relative to the repository root; if Cline does not launch the server from that directory, build a binary with "go build" and reference its absolute path in "command".
  2. Insert the MCP server configuration in Cline's config file. "mcpServers" is an object keyed by server name, not an array:
    {
      "mcpServers": {
        "splunk": {
          "command": "go",
          "args": ["run", "cmd/mcp-server-splunk/main.go"],
          "env": {
            "SPLUNK_URL": "https://your-splunk-instance:8089",
            "SPLUNK_TOKEN": "your-splunk-token"
          }
        }
      }
    }
    
  3. Save and restart Cline.
  4. Confirm by executing one of the list_splunk_* tools.

Securing API Keys

The SPLUNK_TOKEN value is a Splunk authentication token, and the server presents it to the Splunk management API (the https://...:8089 URL) on every call. Supplying it through the env block, as in the configurations above, keeps it out of the command line, but it still sits in plaintext in the client's configuration file, so treat that file as a secret: restrict its permissions to your own user, create the token for a dedicated service account whose role carries only the read capabilities these list tools need, give the token an expiry and rotate it, and never point SPLUNK_URL at a plain http:// address, because the token would then travel in clear text. Here is the JSON for a single server entry:

{
  "command": "go",
  "args": ["run", "cmd/mcp-server-splunk/main.go"],
  "env": {
    "SPLUNK_URL": "https://your-splunk-instance:8089",
    "SPLUNK_TOKEN": "your-splunk-token"
  }
}
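The following is an added example, not code from the Splunk MCP Server project or from FlowHunt. It is a stand-alone Go preflight check for the SPLUNK_URL/SPLUNK_TOKEN pair before it goes into any client configuration: it refuses a non-https URL, calls the Splunk management API endpoint /services/saved/searches with the token as an HTTP Bearer token and the same count/offset pagination that the list_splunk_saved_searches tool exposes, and pages to the end using the total that Splunk reports. How the project's own server talks to Splunk is not described on this page, so the endpoint and pagination mapping are assumptions about the server, as is the constructed mock Splunk (three fake saved searches, a fixed "demo-token") that stands in when SPLUNK_URL is unset so the program runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"strconv"
)

// Subset of Splunk's output_mode=json reply for /services/saved/searches: names plus total.
type savedSearchPage struct {
	Entry  []struct{ Name string `json:"name"` } `json:"entry"`
	Paging struct{ Total int `json:"total"` }    `json:"paging"`
}

// listSavedSearches fetches one page with the count/offset pagination the list_splunk_saved_searches
// tool describes, sending the Splunk authentication token as a Bearer token; it also returns the total.
func listSavedSearches(client *http.Client, baseURL, token string, count, offset int) ([]string, int, error) {
	u, err := url.Parse(baseURL)
	if err != nil || u.Scheme != "https" || u.Host == "" { // never send the token in clear text
		return nil, 0, fmt.Errorf("SPLUNK_URL must be an absolute https:// URL, got %q", baseURL)
	}
	u.Path = "/services/saved/searches"
	u.RawQuery = url.Values{"output_mode": {"json"},
		"count": {strconv.Itoa(count)}, "offset": {strconv.Itoa(offset)}}.Encode()
	req, _ := http.NewRequest(http.MethodGet, u.String(), nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // the token value is deliberately not echoed
		return nil, 0, fmt.Errorf("splunk returned HTTP %d for %s (401: bad/expired token, 403: role lacks capability)", resp.StatusCode, u.Path)
	}
	var page savedSearchPage
	err = json.NewDecoder(resp.Body).Decode(&page)
	names := make([]string, 0, len(page.Entry))
	for _, e := range page.Entry {
		names = append(names, e.Name)
	}
	return names, page.Paging.Total, err
}

// allSavedSearches pages pageSize at a time until the offset reaches Splunk's total or a page is empty.
func allSavedSearches(client *http.Client, baseURL, token string, pageSize int) ([]string, error) {
	var all []string
	for offset := 0; ; offset += pageSize {
		names, total, err := listSavedSearches(client, baseURL, token, pageSize, offset)
		if err != nil {
			return nil, err
		}
		all = append(all, names...)
		if len(names) == 0 || offset+pageSize >= total {
			return all, nil
		}
	}
}

// newMockSplunk is a constructed stand-in for the Splunk management port (8089): it enforces
// the Bearer token and serves three fake saved searches with Splunk-style paging, for offline runs.
func newMockSplunk(validToken string) *httptest.Server {
	all := []string{"Errors in the last 24 hours", "GitHub failed logins", "OKTA MFA resets"}
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, `{"messages":[{"type":"ERROR","text":"Unauthorized"}]}`, http.StatusUnauthorized)
			return
		}
		count, _ := strconv.Atoi(r.URL.Query().Get("count"))
		start, _ := strconv.Atoi(r.URL.Query().Get("offset"))
		if start < 0 || start > len(all) {
			start = len(all)
		}
		end := start + count
		if count <= 0 || end > len(all) {
			end = len(all)
		}
		entries := []map[string]string{}
		for _, n := range all[start:end] {
			entries = append(entries, map[string]string{"name": n})
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"entry": entries,
			"paging": map[string]int{"total": len(all), "perPage": count, "offset": start}})
	}))
}

func main() {
	// SPLUNK_URL/SPLUNK_TOKEN from the environment, as the client configs supply them; mock if unset.
	client, base, token := http.DefaultClient, os.Getenv("SPLUNK_URL"), os.Getenv("SPLUNK_TOKEN")
	if base == "" {
		srv := newMockSplunk("demo-token")
		client, base, token = srv.Client(), srv.URL, "demo-token"
	}
	names, err := allSavedSearches(client, base, token, 2)
	fmt.Println("saved searches:", names, "error:", err)
}
```

Run it once with the token you intend to give the MCP server, scoped to the dedicated service account: a 403 on this read-only endpoint means the role lacks the needed capability before any AI client ever tries, and a 401 is what the client will see once the token expires. Because the mock enforces the token and the https check, the same program also demonstrates both failure modes offline.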

How to use this MCP inside flows

Using MCP in FlowHunt

To integrate MCP servers into your FlowHunt workflow, start by adding the MCP component to your flow and connecting it to your AI agent:

FlowHunt MCP flow

Click on the MCP component to open the configuration panel. In the system MCP configuration section, insert your MCP server details using this JSON format:

{
  "splunk-mcp": {
    "transport": "streamable_http",
    "url": "https://yourmcpserver.example/pathtothemcp/url"
  }
}

Once configured, the AI agent can use this MCP server as a tool with access to all of its functions. Change “splunk-mcp” to whatever name you give the server and replace the URL with the address of your own deployment. Two checks before you save: the transport value must match what your deployment actually exposes (the server description above lists STDIO and SSE, so confirm which HTTP transport your deployment offers FlowHunt), and because FlowHunt reaches the server over the network, that endpoint is a network service holding your Splunk token, so serve it over HTTPS only and restrict which clients can reach it.


Overview

Section                 Availability     Details / Notes
Overview                Yes
List of Prompts         Yes              Single prompt for keyword-based alert search
List of Resources       Yes              Local CSV with Splunk content
List of Tools           Yes              Five Splunk tools (saved searches, alerts, fired alerts, indexes, macros)
Securing API Keys       Yes              Environment variable example provided
Sampling Support        Not mentioned    (less important in evaluation)

Based on the above, the Splunk MCP Server covers the essential MCP primitives (tools, prompts, resources) and provides clear setup and security guidance, but does not state any sampling or roots support. If you need agentic sampling or roots, check the repository before relying on it.


Our opinion

The Splunk MCP Server provides a strong, practical integration with Splunk, with clear tooling and resource support for AI agents. The coverage of basic MCP features is good, though the absence of sampling/roots support reduces its flexibility for advanced agentic workflows. Overall, a solid, focused MCP implementation for Splunk.

MCP Score

Has a LICENSE: No (no LICENSE file found)
Has at least one tool: Yes
Number of Forks: 0
Number of Stars: 2

Frequently asked questions

What is the Splunk MCP Server?

The Splunk MCP Server is a Go-based server that connects AI assistants with the Splunk platform, exposing search, alert, index, and macro functionalities as tools. This enables AI agents to query, monitor, and automate Splunk operations seamlessly.

What Splunk operations are supported?

The server lists saved searches, alerts, fired alerts, indexes, and macros, with pagination on every tool and filtering on the alert tools (by title, and for fired alerts by saved search name and time range). It does not expose a tool for running arbitrary searches; its value lies in enumerating what Splunk has configured and what has fired, for incident response, compliance checks, and operational intelligence.

How do I securely configure my Splunk credentials?

Pass the Splunk URL and authentication token through the env block of the MCP server configuration, as shown in the setup examples, rather than on the command line. The token is still stored in plaintext in that configuration file, so restrict the file's permissions, issue the token to a dedicated read-only service account, give it an expiry, and use an https:// URL so it is never sent in clear text.

What are typical use cases for this integration?

Automated security monitoring, compliance auditing, operational diagnostics, and custom alert investigations—empowering AI-driven workflows with direct Splunk access.

Are there any limitations?

The Splunk MCP Server currently lacks explicit sampling and roots support, which may limit advanced agentic workflows requiring these features.

Is there a license file?

No, currently the Splunk MCP Server does not include a LICENSE file.

Integrate Splunk with FlowHunt

Connect Splunk data and operations directly to your AI workflows. Try the Splunk MCP Server with FlowHunt for instant operational intelligence and automated incident response.
