Splunk
Unofficial. Splunk MCP server. Implemented in Python and TypeScript/JS. Runs searches, queries Splunk, and outputs data as JSON, CSV, or Markdown for agentic LLM workflows. Includes guardrails for input SPL validation and output sanitization. SSE/std
What is Splunk?
Splunk is an unofficial Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to run searches, query Splunk, and output data as JSON, CSV, or Markdown for agentic LLM workflows. It includes guardrails for input SPL validation and output sanitization.
This server falls under the Monitoring & Observability category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Installation
Manual Installation
npx splunk-mcp-server2
How to Set Up and Use Splunk
Splunk MCP Server 2 is an unofficial but comprehensive MCP server that exposes Splunk's Search Processing Language (SPL) capabilities to AI agents, enabling them to run blocking searches, stream large result sets, validate SPL queries, and access saved searches — all with output in JSON, CSV, or Markdown format. The server includes built-in guardrails: SPL risk validation before execution, configurable max event counts, and output sanitization to mask sensitive data. Both Python and TypeScript implementations are provided, and the server supports stdio and SSE transports for flexible deployment.
Prerequisites
- Python 3.8+ (for the Python implementation) or Node.js 18+ (for the TypeScript implementation)
- Access to a running Splunk Enterprise or Splunk Cloud instance with valid credentials
- Splunk username and password, or a Splunk API token with search permissions
- An MCP-compatible client such as Claude Desktop, Cursor, or VS Code with MCP support
Clone the repository
Clone the splunk-mcp-server2 repository to your local machine.
git clone https://github.com/splunk/splunk-mcp-server2.git
cd splunk-mcp-server2
Set up the Python implementation
Navigate to the python directory, copy the example env file, fill in your Splunk credentials, and install dependencies.
cd python
cp .env.example .env
# Edit .env with your Splunk connection details
pip install -e .
Configure environment variables
Edit the .env file inside the python or typescript directory with your Splunk connection details.
# .env file contents:
SPLUNK_HOST=<your-splunk-host>
SPLUNK_PORT=8089
SPLUNK_USERNAME=<your-username>
SPLUNK_PASSWORD=<your-password>
# Optional: use a token instead of username/password
# SPLUNK_TOKEN=<your-api-token>
VERIFY_SSL=true
SPL_MAX_EVENTS_COUNT=1000
SPL_RISK_TOLERANCE=50
SPL_SANITIZE_OUTPUT=true
Start the server
Start the Python server in stdio or SSE mode. The default transport is stdio, which is required for most MCP clients.
python server.py
Configure your MCP client
Add the server to your MCP client configuration file, pointing to the Python executable in your virtual environment.
{
  "mcpServers": {
    "splunk": {
      "command": "python",
      "args": ["/path/to/splunk-mcp-server2/python/server.py"],
      "env": {
        "SPLUNK_HOST": "<your-splunk-host>",
        "SPLUNK_PORT": "8089",
        "SPLUNK_USERNAME": "<your-username>",
        "SPLUNK_PASSWORD": "<your-password>",
        "VERIFY_SSL": "true",
        "SPL_MAX_EVENTS_COUNT": "1000",
        "SPL_RISK_TOLERANCE": "50",
        "SPL_SANITIZE_OUTPUT": "true"
      }
    }
  }
}
Splunk Examples
Client configuration
Claude Desktop configuration for the Splunk MCP server using the Python implementation.
{
  "mcpServers": {
    "splunk": {
      "command": "python",
      "args": ["/path/to/splunk-mcp-server2/python/server.py"],
      "env": {
        "SPLUNK_HOST": "splunk.example.com",
        "SPLUNK_PORT": "8089",
        "SPLUNK_USERNAME": "admin",
        "SPLUNK_PASSWORD": "<your-password>",
        "VERIFY_SSL": "true",
        "SPL_MAX_EVENTS_COUNT": "500",
        "SPL_RISK_TOLERANCE": "50",
        "SPL_SANITIZE_OUTPUT": "true"
      }
    }
  }
}
Prompts to try
Example prompts for querying and analyzing Splunk data through the MCP server.
- "Run a Splunk search for failed login attempts in the last 24 hours and return the results as Markdown"
- "List all available Splunk indexes on my instance"
- "Validate this SPL query before running it: index=main sourcetype=access_combined status=500"
- "Run the saved search 'Daily Error Summary' and show me the top 10 results"
- "Search Splunk for the top 5 source IPs with the most events today and output as CSV"
Troubleshooting Splunk
Connection refused or timeout when connecting to Splunk
Verify SPLUNK_HOST and SPLUNK_PORT (default management port is 8089, not 8000). Ensure the Splunk management port is accessible from the machine running the MCP server and that any firewall rules permit the connection.
SPL query is rejected by the validate_spl tool
Increase SPL_RISK_TOLERANCE in your .env file (scale 0-100) if your query is legitimate but flagged. Review the validation feedback to understand which part of the SPL was considered risky and rewrite accordingly.
SSL certificate verification fails
Set VERIFY_SSL=false in your .env for self-signed certificates in dev environments. For production, ensure the Splunk server's certificate chain is trusted by your system's CA store.
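An added example, not part of the server's own code: a small audit of an MCP client config that flags the settings the troubleshooting steps above loosen (VERIFY_SSL, SPL_RISK_TOLERANCE), along with unset guardrails and inline credentials. The baselines of 50 and 1000 are this page's example values, the finding names and the sample config are constructed, and because the server's defaults for unset variables are not stated here, unset guardrails are reported rather than assumed safe.

```python
import json

# Constructed sample: an MCP client config using the env keys shown on this
# page, with the troubleshooting workarounds still in place.
SAMPLE_CONFIG = """
{"mcpServers": {"splunk": {
  "env": {
    "SPLUNK_HOST": "splunk.example.com", "SPLUNK_PORT": "8089",
    "SPLUNK_USERNAME": "admin", "SPLUNK_PASSWORD": "constructed-secret",
    "VERIFY_SSL": "false", "SPL_MAX_EVENTS_COUNT": "1000",
    "SPL_RISK_TOLERANCE": "90"
  }}}}
"""

# Assumed baselines: this page's example values, not project-documented limits.
MAX_RISK_TOLERANCE = 50
MAX_EVENTS = 1000

def _as_int(env, key):
    """Integer value of env[key], or None when unset or non-numeric."""
    try:
        return int(env[key])
    except (KeyError, ValueError, TypeError):
        return None

def audit_env(env):
    """Return sorted finding codes (constructed names) for one env block."""
    findings = set()
    for key, code in (("VERIFY_SSL", "tls-verification-not-enabled"),
                      ("SPL_SANITIZE_OUTPUT", "output-sanitization-not-enabled")):
        if str(env.get(key, "")).lower() != "true":
            findings.add(code)
    risk = _as_int(env, "SPL_RISK_TOLERANCE")
    if risk is None or not 0 <= risk <= MAX_RISK_TOLERANCE:
        findings.add("risk-tolerance-above-baseline-or-unset")
    events = _as_int(env, "SPL_MAX_EVENTS_COUNT")
    if events is None or not 0 < events <= MAX_EVENTS:
        findings.add("max-events-above-baseline-or-unset")
    if env.get("SPLUNK_PASSWORD"):
        findings.add("plaintext-password-in-config")
    if str(env.get("SPLUNK_USERNAME", "")).lower() == "admin":
        findings.add("admin-account-used-for-search")
    return sorted(findings)

def audit_config(text):
    servers = json.loads(text).get("mcpServers", {})
    return {name: audit_env(s.get("env", {})) for name, s in servers.items()}

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```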
Frequently Asked Questions about Splunk
What is Splunk?
Splunk is an unofficial Model Context Protocol (MCP) server, implemented in Python and TypeScript/JS, that runs searches, queries Splunk, and outputs data as JSON, CSV, or Markdown for agentic LLM workflows. It includes guardrails for input SPL validation and output sanitization. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Splunk?
Follow the installation instructions on the Splunk GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Splunk?
Splunk works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Splunk free to use?
Yes, Splunk is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
Splunk Alternatives — Similar Monitoring & Observability Servers
Looking for alternatives to Splunk? Here are other popular monitoring & observability servers you can use with Claude, Cursor, and VS Code.
Netdata
★ 78.9k Real-time infrastructure monitoring with metrics, logs, alerts, and ML-based anomaly detection.
Kubeshark
★ 11.9k eBPF-powered network observability for Kubernetes. Indexes L4/L7 traffic with full K8s context, decrypts TLS without keys. Queryable by AI agents via MCP and humans via dashboard.
Mission Control
★ 4.9k Self-hosted AI agent orchestration platform: dispatch tasks, run multi-agent workflows, monitor spend, and govern operations from one mission control dashboard.
Grafana
★ 3.0k This MCP server enables natural-language querying of Grafana logs by automatically detecting log sources and service labels. It provides read-only access to log data with intelligent caching for efficient repeat queries.
Sentrux
★ 2.4k Real-time architectural sensor that helps AI agents close the feedback loop, enabling recursive self-improvement of code quality. Pure Rust.
OpenInference
★ 986 OpenTelemetry Instrumentation for AI Observability