splunk.com
splunk.com logo

Splunk

Integrates with Splunk Enterprise/Cloud to enable natural language-driven searches, index management, user handling, and...

Created byApr 22, 2025

Splunk MCP (Model Context Protocol) Tool

A FastMCP-based tool for interacting with Splunk Enterprise/Cloud through natural language. This tool provides a set of capabilities for searching Splunk data, managing KV stores, and accessing Splunk resources through an intuitive interface.

Operating Modes

The tool operates in three modes:
  1. SSE Mode (Default)
  1. API Mode
  1. STDIO Mode

Features

  • Splunk Search: Execute Splunk searches with natural language queries
  • Index Management: List and inspect Splunk indexes
  • User Management: View and manage Splunk users
  • KV Store Operations: Create, list, and manage KV store collections
  • Async Support: Built with async/await patterns for better performance
  • Detailed Logging: Comprehensive logging with emoji indicators for better visibility
  • SSL Configuration: Flexible SSL verification options for different security requirements
  • Enhanced Debugging: Detailed connection and error logging for troubleshooting
  • Comprehensive Testing: Unit tests covering all major functionality
  • Error Handling: Robust error handling with appropriate status codes
  • SSE Compliance: Fully compliant with MCP SSE specification

Available MCP Tools

The following tools are available via the MCP interface:

Tools Management

  • list_tools

Health Check

  • health_check
  • ping

User Management

  • current_user
  • list_users

Index Management

  • list_indexes
  • get_index_info
  • indexes_and_sourcetypes

Search

  • search_splunk
  • list_saved_searches

KV Store

  • list_kvstore_collections
  • create_kvstore_collection
  • delete_kvstore_collection

SSE Endpoints

When running in SSE mode, the following endpoints are available:
  • /sse: Returns SSE connection information in text/event-stream format
  • /sse/messages: The main SSE stream endpoint
  • /sse/health: Health check endpoint for SSE mode

Error Handling

The MCP implementation includes consistent error handling:
  • Invalid search commands or malformed requests
  • Insufficient permissions
  • Resource not found
  • Invalid input validation
  • Unexpected server errors
  • Connection issues with Splunk server
All error responses include a detailed message explaining the error.

Prerequisites

  • Python 3.10 or higher
  • Poetry for dependency management
  • Splunk Enterprise/Cloud instance
  • Appropriate Splunk credentials with necessary permissions

Installation

Option 1: Local Installation

  1. Clone the repository:
  1. Install dependencies using Poetry:
  1. Copy the example environment file and configure your settings:
  1. Update the .env file with your Splunk credentials:

Option 2: Docker Installation

  1. Pull the latest image:
  1. Create your .env file as above or use environment variables directly.
  1. Run using Docker Compose:
Or using Docker directly:

Usage

Local Usage

The tool can run in three modes:
  1. SSE mode (default for MCP clients):
  1. STDIO mode:

Docker Usage

The project supports both the new docker compose (V2) and legacy docker-compose (V1) commands. The examples below use V2 syntax, but both are supported.
  1. SSE Mode (Default):
  1. API Mode:
  1. STDIO Mode:

Testing with Docker

The project includes a dedicated test environment in Docker:
  1. Run all tests:
  1. Run specific test components:
Test results will be available in the ./test-results directory.

Docker Development Tips

  1. Building Images:
  1. Viewing Logs:
  1. Debugging:
Note: If you're using Docker Compose V1, replace docker compose with docker-compose in the above commands.

Security Notes

  1. Environment Variables:
  • Never commit .env files
  • Use .env.example as a template
  • Consider using Docker secrets for production
  1. SSL Verification:
  • VERIFY_SSL=true recommended for production
  • Can be disabled for development/testing
  • Configure through environment variables
  1. Port Exposure:
  • Only expose necessary ports
  • Use internal Docker network when possible
  • Consider network security in production

Environment Variables

Configure the following environment variables:
  • SPLUNK_HOST: Your Splunk host address
  • SPLUNK_PORT: Splunk management port (default: 8089)
  • SPLUNK_USERNAME: Your Splunk username
  • SPLUNK_PASSWORD: Your Splunk password
  • SPLUNK_SCHEME: Connection scheme (default: https)
  • VERIFY_SSL: Enable/disable SSL verification (default: true)
  • FASTMCP_LOG_LEVEL: Logging level (default: INFO)
  • SERVER_MODE: Server mode (sse, api, stdio) when using uvicorn

SSL Configuration

The tool provides flexible SSL verification options:
  1. Default (Secure) Mode:
  • Full SSL certificate verification
  • Hostname verification enabled
  • Recommended for production environments
  1. Relaxed Mode:
  • SSL certificate verification disabled
  • Hostname verification disabled
  • Useful for testing or self-signed certificates

Testing

The project includes comprehensive test coverage using pytest and end-to-end testing with a custom MCP client:

Running Tests

Basic test execution:
With coverage reporting:
With verbose output:

End-to-End SSE Testing

The project includes a custom MCP client test script that connects to the live SSE endpoint and tests all tools:
This script acts as an MCP client by:
  1. Connecting to the /sse endpoint to get the messages URL
  1. Sending tool invocations to the messages endpoint
  1. Processing the SSE events to extract tool results
  1. Validating the results against expected formats
This provides real-world testing of the SSE interface as it would be used by an actual MCP client.

Test Structure

The project uses three complementary testing approaches:
  1. MCP Integration Tests (tests/test_api.py):
  1. Direct Function Tests (tests/test_endpoints_pytest.py):
  1. End-to-End MCP Client Tests (test_endpoints.py):
  1. Configuration Tests (tests/test_config.py):

Testing Tools

The tests support:
  • Async testing with pytest-asyncio
  • Coverage reporting with pytest-cov
  • Mocking with pytest-mock
  • Parameterized testing
  • Connection timeout testing

Troubleshooting

Connection Issues

  1. Basic Connectivity:
  • The tool now performs a basic TCP connectivity test
  • Check if port 8089 is accessible
  • Verify network routing and firewalls
  1. SSL Issues:
  • If seeing SSL errors, try setting VERIFY_SSL=false
  • Check certificate validity and trust chain
  • Verify hostname matches certificate
  1. Authentication Issues:
  • Verify Splunk credentials
  • Check user permissions
  • Ensure account is not locked
  1. Debugging:
  • Set FASTMCP_LOG_LEVEL=DEBUG for detailed logs
  • Check connection logs for specific error messages
  • Review SSL configuration messages
  1. SSE Connection Issues:
  • Verify SSE endpoint is accessible via /sse
  • Check for proper content-type headers
  • Use browser developer tools to inspect SSE connections

Claude Integration

Claude Desktop Configuration

You can integrate Splunk MCP with Claude Desktop by configuring it to use either SSE or STDIO mode. Add the following configuration to your claude_desktop_config.json:

STDIO Mode (Recommended for Desktop)

SSE Mode

Usage with Claude

Once configured, you can use natural language to interact with Splunk through Claude. Examples:
  1. List available indexes:
  1. Search Splunk data:
  1. Get system health:
  1. Manage KV stores:
The MCP tools will be automatically available to Claude, allowing it to execute these operations through natural language commands.

License

[Your License Here]

Acknowledgments

  • FastMCP framework
  • Splunk SDK for Python
  • Python-decouple for configuration management
  • SSE Starlette for SSE implementation

Splunk MCP (Model Context Protocol) Tool

A FastMCP-based tool for interacting with Splunk Enterprise/Cloud through natural language. This tool provides a set of capabilities for searching Splunk data, managing KV stores, and accessing Splunk resources through an intuitive interface.

Operating Modes

The tool operates in three modes:
  1. SSE Mode (Default)
  1. API Mode
  1. STDIO Mode

Features

  • Splunk Search: Execute Splunk searches with natural language queries
  • Index Management: List and inspect Splunk indexes
  • User Management: View and manage Splunk users
  • KV Store Operations: Create, list, and manage KV store collections
  • Async Support: Built with async/await patterns for better performance
  • Detailed Logging: Comprehensive logging with emoji indicators for better visibility
  • SSL Configuration: Flexible SSL verification options for different security requirements
  • Enhanced Debugging: Detailed connection and error logging for troubleshooting
  • Comprehensive Testing: Unit tests covering all major functionality
  • Error Handling: Robust error handling with appropriate status codes
  • SSE Compliance: Fully compliant with MCP SSE specification

Available MCP Tools

The following tools are available via the MCP interface:

Tools Management

  • list_tools

Health Check

  • health_check
  • ping

User Management

  • current_user
  • list_users

Index Management

  • list_indexes
  • get_index_info
  • indexes_and_sourcetypes

Search

  • search_splunk
  • list_saved_searches

KV Store

  • list_kvstore_collections
  • create_kvstore_collection
  • delete_kvstore_collection

SSE Endpoints

When running in SSE mode, the following endpoints are available:
  • /sse: Returns SSE connection information in text/event-stream format
  • /sse/messages: The main SSE stream endpoint
  • /sse/health: Health check endpoint for SSE mode

Error Handling

The MCP implementation includes consistent error handling:
  • Invalid search commands or malformed requests
  • Insufficient permissions
  • Resource not found
  • Invalid input validation
  • Unexpected server errors
  • Connection issues with Splunk server
All error responses include a detailed message explaining the error.

Prerequisites

  • Python 3.10 or higher
  • Poetry for dependency management
  • Splunk Enterprise/Cloud instance
  • Appropriate Splunk credentials with necessary permissions

Installation

Option 1: Local Installation

  1. Clone the repository:
  1. Install dependencies using Poetry:
  1. Copy the example environment file and configure your settings:
  1. Update the .env file with your Splunk credentials:

Option 2: Docker Installation

  1. Pull the latest image:
  1. Create your .env file as above or use environment variables directly.
  1. Run using Docker Compose:
Or using Docker directly:

Usage

Local Usage

The tool can run in three modes:
  1. SSE mode (default for MCP clients):
  1. STDIO mode:

Docker Usage

The project supports both the new docker compose (V2) and legacy docker-compose (V1) commands. The examples below use V2 syntax, but both are supported.
  1. SSE Mode (Default):
  1. API Mode:
  1. STDIO Mode:

Testing with Docker

The project includes a dedicated test environment in Docker:
  1. Run all tests:
  1. Run specific test components:
Test results will be available in the ./test-results directory.

Docker Development Tips

  1. Building Images:
  1. Viewing Logs:
  1. Debugging:
  1. Environment Variables:

Security Notes

  • Never commit .env files
  • Use .env.example as a template
  • Consider using Docker secrets for production
  1. SSL Verification:
  • VERIFY_SSL=true recommended for production
  • Can be disabled for development/testing
  • Configure through environment variables
  1. Port Exposure:
  • Only expose necessary ports
  • Use internal Docker network when possible
  • Consider network security in production

Environment Variables

Configure the following environment variables:
  • SPLUNK_HOST: Your Splunk host address
  • SPLUNK_PORT: Splunk management port (default: 8089)
  • SPLUNK_USERNAME: Your Splunk username
  • SPLUNK_PASSWORD: Your Splunk password
  • SPLUNK_SCHEME: Connection scheme (default: https)
  • VERIFY_SSL: Enable/disable SSL verification (default: true)
  • FASTMCP_LOG_LEVEL: Logging level (default: INFO)
  • SERVER_MODE: Server mode (sse, api, stdio) when using uvicorn

SSL Configuration

The tool provides flexible SSL verification options:
  1. Default (Secure) Mode:
  • Full SSL certificate verification
  • Hostname verification enabled
  • Recommended for production environments
  1. Relaxed Mode:
  • SSL certificate verification disabled
  • Hostname verification disabled
  • Useful for testing or self-signed certificates

Testing

The project includes comprehensive test coverage using pytest and end-to-end testing with a custom MCP client:

Running Tests

Basic test execution:
With coverage reporting:
With verbose output:

End-to-End SSE Testing

The project includes a custom MCP client test script that connects to the live SSE endpoint and tests all tools:
This script acts as an MCP client by:
  1. Connecting to the /sse endpoint to get the messages URL
  1. Sending tool invocations to the messages endpoint
  1. Processing the SSE events to extract tool results
  1. Validating the results against expected formats
This provides real-world testing of the SSE interface as it would be used by an actual MCP client.

Test Structure

The project uses three complementary testing approaches:
  1. MCP Integration Tests (tests/test_api.py):
  1. Direct Function Tests (tests/test_endpoints_pytest.py):
  1. End-to-End MCP Client Tests (test_endpoints.py):
  1. Configuration Tests (tests/test_config.py):

Testing Tools

The tests support:
  • Async testing with pytest-asyncio
  • Coverage reporting with pytest-cov
  • Mocking with pytest-mock
  • Parameterized testing
  • Connection timeout testing

Troubleshooting

Connection Issues

  1. Basic Connectivity:
  • The tool now performs a basic TCP connectivity test
  • Check if port 8089 is accessible
  • Verify network routing and firewalls
  1. SSL Issues:
  • If seeing SSL errors, try setting VERIFY_SSL=false
  • Check certificate validity and trust chain
  • Verify hostname matches certificate
  1. Authentication Issues:
  • Verify Splunk credentials
  • Check user permissions
  • Ensure account is not locked
  1. Debugging:
  • Set FASTMCP_LOG_LEVEL=DEBUG for detailed logs
  • Check connection logs for specific error messages
  • Review SSL configuration messages
  1. SSE Connection Issues:
  • Verify SSE endpoint is accessible via /sse
  • Check for proper content-type headers
  • Use browser developer tools to inspect SSE connections

Claude Integration

Claude Desktop Configuration

You can integrate Splunk MCP with Claude Desktop by configuring it to use either SSE or STDIO mode. Add the following configuration to your claude_desktop_config.json:

STDIO Mode (Recommended for Desktop)

SSE Mode

Usage with Claude

Once configured, you can use natural language to interact with Splunk through Claude. Examples:
  1. List available indexes:
  1. Search Splunk data:
  1. Get system health:
  1. Manage KV stores:
The MCP tools will be automatically available to Claude, allowing it to execute these operations through natural language commands.

License

[Your License Here]

Acknowledgments

  • FastMCP framework
  • Splunk SDK for Python
  • Python-decouple for configuration management
  • SSE Starlette for SSE implementation

Related servers

magicslides
magicslides logo

MagicSlides MCP Server

A server that implements the Model Context Protocol (MCP) to generate PowerPoint presentations from text, YouTube videos, or structured JSON data.

A server that implements the Model Context Protocol (MCP) to generate PowerPoint presentations from text, YouTube videos, or structured JSON data.

Zerodha
Zerodha logo

Zerodha MCP Integration

Mcp server to connect with zerodha's kite trade apis

Mcp server to connect with zerodha's kite trade apis

tddt
tddt logo

Stock Info (AKShare)

Provides real-time financial market data from Chinese and global markets through AKShare API integration for traders and...

Provides real-time financial market data from Chinese and global markets through AKShare API integration for traders and...

Aaron Allsbury
Aaron Allsbury logo

QuickBooks Time

Integrates with QuickBooks Time API to provide unified access for managing timesheets, users, projects, and generating r...

Integrates with QuickBooks Time API to provide unified access for managing timesheets, users, projects, and generating r...