Splunk MCP

Primary integration — connect agents to live Splunk for queries, docs, CIM, configs, and admin operations

Splunk MCP connects Deslicer AI agents to your live Splunk environment. Agents run SPL, inspect fields, reference CIM data models, access documentation, and read configurations — all through MCP (Model Context Protocol).


What Is MCP?

MCP (Model Context Protocol) is a standard protocol that lets AI tools call external systems. Instead of guessing, agents call tools that talk directly to your Splunk instance. They see real indexes, sourcetypes, fields, and configurations.

You configure Splunk MCP once. Agents use it automatically.

Setup

  1. Go to Settings > Integrations > Splunk MCP.
  2. Enter your Splunk REST API URL (e.g., https://your-splunk:8089).
  3. Provide credentials (username/password or Splunk auth token).
  4. Test the connection.
  5. Save.

Agents can now query your Splunk, run searches, and inspect results.

Tool Capabilities

Splunk MCP exposes these tool categories to agents:

Search & Query

  • run_oneshot_search — execute ad-hoc SPL queries and return results
  • run_splunk_search — run longer searches with job management

Data Discovery

  • list_indexes — list all available indexes
  • list_sourcetypes — list sourcetypes with metadata
  • get_metadata — index and sourcetype metadata

CIM & Data Models

  • get_cim_data_model — retrieve a specific CIM data model definition
  • list_cim_data_models — browse all available CIM models
  • get_cim_reference — CIM field reference

Documentation

  • get_spl_reference — SPL command reference and syntax
  • list_spl_commands — browse all SPL commands
  • get_spl_command_help — detailed help for a specific SPL command
  • get_splunk_cheat_sheet — quick reference for common operations
  • discover_splunk_docs — search across Splunk documentation
  • get_splunk_documentation — retrieve specific doc pages

Admin & Troubleshooting

  • get_admin_guide — Splunk admin guides
  • get_troubleshooting_guide — troubleshooting guides by topic
  • list_troubleshooting_topics — browse troubleshooting categories
  • list_available_topics — all available doc topics

Dashboard Studio

  • get_studio_topic — Dashboard Studio documentation
  • list_dashboard_studio_topics — browse Dashboard Studio topics

Apps

  • list_apps — list installed Splunk apps

Deployment Support

Splunk MCP connects to:

  • Splunk Enterprise — on-prem and self-hosted
  • Splunk Cloud — cloud-hosted instances
  • Hybrid — mixed deployments

You configure the REST API URL and credentials for your environment.

Why It Matters

Without Splunk MCP, agents guess field names and sourcetypes. With it, they see your actual data — suggestions match your environment, SPL runs correctly, and CIM mappings reference real data models. You spend less time fixing AI output and more time acting on results.