
MCP Splunk Server

Splunk is the enterprise SIEM and log platform of choice for many large organizations. The MCP Splunk Server exposes SPL search execution, saved-search listing, and job polling to MCP clients — giving Claude the ability to help incident responders pivot through logs without leaving chat.

MCP facts

Kind: server
Ecosystem: anthropic-mcp
Language: Python
Transports: stdio

Capabilities

  • Tools: list_indexes, list_saved_searches, run_spl_search, get_results
  • Respects user-level Splunk permissions
  • Token-based REST API auth

Install

pip install mcp-splunk

Configuration

{
  "mcpServers": {
    "splunk": {
      "command": "uvx",
      "args": ["mcp-splunk"],
      "env": {
        "SPLUNK_HOST": "splunk.example.com",
        "SPLUNK_PORT": "8089",
        "SPLUNK_TOKEN": "<api-token>"
      }
    }
  }
}

Frequently asked questions

Can it run arbitrary SPL?

Yes, subject to user permissions. For safety, many deployments restrict the MCP user to dashboards and saved searches only.

Does it support Splunk Cloud?

Yes — set SPLUNK_HOST to the Splunk Cloud stack hostname with port 8089 and use an API token.

How do I keep result payloads small?

Use head, stats, and timechart in SPL to aggregate before returning. Claude won't benefit from 100k raw events — a summary beats a firehose.
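
One way to enforce this before a query reaches Splunk, shown as an added example that is not part of mcp-splunk or the original page: a pre-flight check that appends head when no top-level stage uses one of the three commands named above. The function names and the 100-row cap are assumptions.

```python
# Added example, not mcp-splunk code. All names here are hypothetical.
# The three commands the FAQ answer names for shrinking results.
BOUNDING = {"head", "stats", "timechart"}
DEFAULT_CAP = 100  # assumed row cap for this sketch


def split_pipeline(spl):
    """Split SPL on top-level pipes, ignoring pipes in quotes or [subsearches]."""
    stages, buf, depth, in_quote, escaped = [], [], 0, False, False
    for ch in spl:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "[":
            depth += 1
        elif not in_quote and ch == "]":
            depth = max(depth - 1, 0)
        elif not in_quote and depth == 0 and ch == "|":
            stages.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def command_of(stage):
    """First word of a stage, lower-cased: the SPL command name."""
    return stage.split(None, 1)[0].lower()


def bound_results(spl, cap=DEFAULT_CAP):
    """Return spl unchanged if a top-level stage already aggregates or
    truncates; otherwise append '| head <cap>' so raw events are capped."""
    stages = split_pipeline(spl)
    if not stages:
        raise ValueError("empty SPL query")
    if any(command_of(s) in BOUNDING for s in stages):
        return spl.strip()
    return f"{spl.strip()} | head {cap}"
```

A head inside a subsearch or a pipe inside a quoted string does not count as bounding the outer search, which is why the split tracks quotes and brackets. stats split by a high-cardinality field can still return many rows, so a stricter deployment could append head unconditionally.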
