Connecting Splunk
Add Splunk MCP integration, enter connection details, verify the connection, apply to starter agents, and use context-aware agents
Connect your own Splunk instance via MCP so agents can inspect real data, fields, and configurations. This guide covers the demo Splunk integration you received at signup, walks you through adding your own Splunk connection, and explains how to apply your new integration to starter agents.
Demo Splunk Integration
When you signed up, Deslicer automatically created a Splunk Demo integration connected to a shared Splunk instance with sample data. Your starter agents are already attached to this integration, so you can run queries and explore Splunk tools immediately. The demo environment is ideal for learning how agents interact with Splunk before connecting your own instance.
Adding Your Own Splunk Connection
When you're ready to work with your own data, add a new Splunk integration.
Go to Integrations
From the dashboard or sidebar, open Integrations. Click Add integration and select Splunk MCP from the list.
Enter Connection Details
You provide your Splunk connection details: host URL, port, and authentication. Use the same credentials or tokens you use for Splunk Web or the Splunk API. Deslicer stores these securely and uses them only when agents call Splunk tools. Sensitive fields like passwords and tokens are automatically masked in the editor — you see dots instead of the actual value. If you use Splunk Cloud, use the appropriate API endpoint and token.
Verify the Connection
After you save the integration, Deslicer verifies the connection. You see a success message when the connection works. If verification fails, check your URL, port, and credentials. Common issues include firewall rules, incorrect ports, or expired tokens.
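A pre-flight check that separates the failure causes listed above, added here as an example and not part of Deslicer's documentation or code. It assumes the integration targets the Splunk REST API on the management port (8089 by default) with a token in the `SPLUNK_TOKEN` environment variable sent as a Bearer header; the function names `diagnose` and `check_splunk` are hypothetical.

```shell
#!/bin/sh
# Added example, not Deslicer code. Assumes the Splunk REST API on the
# management port (8089 by default) and a token in $SPLUNK_TOKEN.

# Map curl's exit code and the HTTP status to the likely cause.
# Returns 0 only when the endpoint answered and accepted the token.
diagnose() {
    rc=$1; http=$2
    case "$rc" in
        0)  ;;  # transport worked, fall through to the HTTP status
        6)  echo "dns: host does not resolve, check the URL"; return 1 ;;
        7)  echo "refused: nothing is listening, check the port"; return 1 ;;
        28) echo "timeout: traffic is probably dropped by a firewall rule"; return 1 ;;
        35|60) echo "tls: handshake failed or certificate is not trusted"; return 1 ;;
        *)  echo "network: curl exit code $rc"; return 1 ;;
    esac
    case "$http" in
        200) echo "ok: endpoint reachable, token accepted"; return 0 ;;
        401) echo "auth: credentials rejected, token may be expired"; return 1 ;;
        403) echo "forbidden: authenticated, but the role lacks access"; return 1 ;;
        *)   echo "http: unexpected status $http"; return 1 ;;
    esac
}

# check_splunk HOST [PORT]: one authenticated GET, then diagnose the outcome.
check_splunk() {
    host=$1; port=${2:-8089}
    [ -n "${SPLUNK_TOKEN:-}" ] || { echo "config: SPLUNK_TOKEN is not set"; return 2; }
    # The header reaches curl on stdin (-K -), so the token never shows up in
    # the process list. TLS verification stays on; for a private CA add
    # --cacert rather than -k.
    http=$(printf 'header = "Authorization: Bearer %s"\n' "$SPLUNK_TOKEN" |
        curl -K - -sS -o /dev/null -w '%{http_code}' --max-time 10 \
            "https://${host}:${port}/services/server/info" 2>/dev/null)
    diagnose "$?" "$http"
}

# Runs only when a target is supplied, e.g. SPLUNK_HOST=splunk.example.com
if [ -n "${SPLUNK_HOST:-}" ]; then
    check_splunk "$SPLUNK_HOST" "${SPLUNK_PORT:-8089}"
fi
```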
Applying Splunk to Starter Agents
When you add a Splunk MCP integration through the welcome onboarding flow, an additional step appears: Apply to starter agents. This step lets you choose which starter agents should use your new Splunk connection instead of the demo integration.
You see a checklist of the three starter agents:
| Agent | Description |
|---|---|
| GDI agent v4 (My Workspace) | Investigation and remediation workflows |
| Splunk Data Explorer (My Workspace) | Fast dataset and field exploration |
| Splunk CIM Normalizer Orchestrator (My Workspace) | CIM mapping automation |
Select the agents you want to rebind (all are selected by default). Click Apply selection to update the selected agents. A progress tracker shows each sub-step — resolving the integration, applying it to agents, and updating your onboarding progress. You see a success confirmation when the binding completes.
Non-Splunk integrations on the agents are preserved — only the Splunk binding is replaced. You can skip this step and change integration assignments later from the agent editor or integrations page.
What You Can Do Once Connected
With Splunk connected, agents gain context-aware capabilities:
- Run SPL — Agents execute search queries against your indexes and return results.
- Inspect fields — Agents see real field names, types, and sample values instead of guessing.
- Analyze events — Agents can sample events, identify sourcetypes, and suggest queries based on your data.
Agents stop hallucinating field names and sourcetypes because they see your actual environment. They generate SPL that works in your setup and explain results using real data.
Attaching Splunk to Agents
After the integration is verified, attach it to your agents. When you create or edit an agent, add the Splunk MCP tool from the integrations list. Agents with Splunk attached can run searches, inspect metadata, and provide environment-specific guidance. You can keep the demo integration for exploration and attach your own Splunk integration to specific agents.
For more integration options (Exa, GitHub, Slack, Smithery, custom MCP), see the Integrations section.