splunk-mcp

guardiansphere/splunk-mcp

3.3

If you are the rightful owner of splunk-mcp and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.

The Splunk MCP Server allows users to query Splunk using plain English, automatically discovering indexes, datamodels, and apps, and making them available as MCP resources and tools.

Tools
2
Resources
0
Prompts
0

Splunk MCP Server

A Model Context Protocol (MCP) server for Splunk that lets you query Splunk in plain English.
It automatically discovers indexes, datamodels, and installed apps, and makes them available as MCP resources and tools.
Works with ChatGPT Desktop, Claude Desktop, and any MCP-compatible client.

Features

  • Query Splunk using plain English
  • Auto-discovers indexes, datamodels, and apps at startup
  • Exposes metadata as an MCP resource
  • Tools provided:
    • askSplunk – ask in English, get translated SPL + results
    • describeEnvironment – summarize indexes, apps, datamodels
    • splunk://metadata – raw environment metadata

Setup

1) Clone the repo

git clone https://github.com/gaurdiansphere/splunk-mcp.git
cd splunk-mcp

2) Create virtual environment & install dependencies

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

3) Configure Splunk connection

Create a .env file in the project root:

SPLUNK_URL=https://splunk.example.com:8089
SPLUNK_TOKEN=YOUR_SPLUNK_TOKEN
  • Use a Splunk service account with read/search only permissions
  • Do not commit .env to GitHub

Running the server

python3 splunk_mcp.py

If successful, you’ll see logs like:

[MCP] Loaded indexes: ['wineventlog', 'auth', 'okta']
[MCP] Loaded datamodels: ['Authentication', 'Endpoint']
[MCP] Loaded apps: ['Splunk_TA_windows', 'Splunk_TA_okta']

MCP integration

Add this server to your MCP client config (e.g. ~/.config/openai/mcp.json):

{
  "servers": {
    "splunk": {
      "command": "python3",
      "args": ["/absolute/path/to/splunk_mcp.py"]
    }
  }
}

Restart your MCP client (ChatGPT Desktop, Claude Desktop, etc.) after updating.

Example usage

Describe environment

/tool splunk.describeEnvironment {}

Example response:

{
  "applications": ["Splunk_TA_windows", "Splunk_TA_okta"],
  "indexes": ["wineventlog", "auth", "okta"],
  "datamodels": ["Authentication", "Endpoint"]
}

Ask in English

/tool splunk.askSplunk {"question": "Show me failed logins in the last 24 hours"}

Example response:

{
  "Translated SPL": "| tstats count from datamodel=Authentication.Authentication where Authentication.action=\"failure\" earliest=-24h by Authentication.user",
  "results": [
    {"Authentication.user": "bob", "count": "12"},
    {"Authentication.user": "alice", "count": "7"}
  ]
}

Security notes

  • Keep credentials in .env; never commit secrets
  • Limit tokens to read-only permissions
  • Rotate credentials regularly

Roadmap

  • Better English → SPL translation using discovered metadata
  • Support for saved searches and alerts
  • Streaming for large result sets