Connecting Splunk

Connect your Splunk instance via MCP so agents can inspect real data, fields, and configurations. This guide walks you through adding and verifying the Splunk integration.

Parent: Getting Started
Previous: Your First Agent
Related: Integrations | Understanding Agents

Go to Integrations

From the dashboard or sidebar, open Integrations. Click Add integration and select Splunk MCP from the list.

Enter Connection Details

You provide your Splunk connection details: host URL, port, and authentication. Use the same credentials or tokens you use for Splunk Web or the Splunk API. Deslicer stores these securely and uses them only when agents call Splunk tools. If you use Splunk Cloud, use the appropriate API endpoint and token.

Verify the Connection

After you save the integration, Deslicer verifies the connection. You see a success message when the connection works. If verification fails, check your URL, port, and credentials. Common issues include firewall rules, incorrect ports, or expired tokens.

What You Can Do Once Connected

With Splunk connected, agents gain context-aware capabilities:

Run SPL — Agents execute search queries against your indexes and return results.
Inspect fields — Agents see real field names, types, and sample values instead of guessing.
Analyze events — Agents can sample events, identify sourcetypes, and suggest queries based on your data.

Agents stop hallucinating field names and sourcetypes because they see your actual environment. They generate SPL that works in your setup and explain results using real data.

Attaching Splunk to Agents

After the integration is verified, attach it to your agents. When you create or edit an agent, add the Splunk MCP tool from the integrations list. Agents with Splunk attached can run searches, inspect metadata, and provide environment-specific guidance.