
Splunk MCP Server – Observability and Search

Splunk's official MCP Server and hosted MCP Gateway connect AI clients to Splunk Platform and Splunk Observability Cloud data. Use it when an agent needs governed access to Splunk searches, knowledge objects, observability metrics, APM context, alerts, and operational investigations.

#observability #search #operations

Overview

Splunk MCP Server provides a standardized MCP interface for AI assistants,
agents, IDEs, chatbots, and internal LLMs to work with Splunk data. It is
available as a Splunk-supported app for Splunk Enterprise and Splunk Cloud
Platform, and as a hosted MCP Gateway for Splunk Cloud Platform and Splunk
Observability Cloud scenarios.

What the MCP server enables

Splunk documents MCP as a secure bridge from AI clients to Splunk tools and
data. Depending on the deployment, tenant, tokens, and enabled products, an AI
agent can:

  • Explore Splunk data resources.
  • Discover knowledge objects such as saved searches and lookups.
  • Execute Splunk searches to extract operational insights.
  • Use Splunk AI Assistant capabilities for SPL and MLTK, including SPL search
    generation from natural language, search optimization, search explanation,
    and retrieving MLTK models and algorithms.
  • Interact with Splunk Observability Cloud tools for metrics, SignalFlow, APM,
    and alerting workflows.
  • Use natural-language workflows from IDEs, chatbots, and custom LLM
    applications while preserving Splunk user context and RBAC controls.

When to use it

Use Splunk MCP when an AI workflow needs live observability, security, or
operational context from Splunk. Practical examples include investigating a
service outage, asking an assistant to generate an SPL query, exploring saved
searches relevant to an incident, summarizing alert context, checking metrics or
APM signals from Splunk Observability Cloud, or building an internal assistant
that can answer questions from Splunk data without custom point-to-point
integrations.

Connection and authentication

For Splunk Cloud and Observability workflows, connect to the hosted MCP Gateway
with Streamable HTTP. The endpoint format is
https://region-${SPLUNK_SCS_REGION}.api.scs.splunk.com/system/mcp-gateway/v1/.
Splunk documents region values such as dub10, fra10, lon10, iad10,
pdx10, tyo10, syd10, and sin10.

Required headers depend on the scenario. Splunk platform tools require
Authorization: Bearer ${SPLUNK_JWT_TOKEN} and
splunk_tenant: ${SPLUNK_TENANT}. Observability tools require
X-SF-TOKEN: ${SPLUNK_SIGNALFX_ACCESS_TOKEN} and
X-SF-REALM: ${SPLUNK_O11Y_REALM}. A combined Splunk Platform and Observability
configuration sends all four headers against the same endpoint. Splunk's sample
configuration also uses npx mcp-remote as a bridge for clients that can only
launch a local stdio command; the bridge forwards the same headers to the
hosted gateway.
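The endpoint format, region list and per-scenario headers above lend themselves to a small helper that builds a client configuration with the secrets left as ${VAR} placeholders (safe to commit), expands them from the environment only at run time, and flags any configuration where a literal token has been pasted in. This is an added example, not Splunk's own code; the `mcpServers` JSON layout is an assumption about the MCP client's configuration file, and the region, URL and header names are taken from the page.

```python
"""Build and check a Splunk MCP Gateway client configuration (added example, not Splunk's code)."""
import json
import re

# Region values the page lists for the hosted MCP Gateway.
DOCUMENTED_REGIONS = {"dub10", "fra10", "lon10", "iad10", "pdx10", "tyo10", "syd10", "sin10"}

# Header -> placeholder, per scenario, exactly as the page documents them.
PLATFORM_HEADERS = {"Authorization": "Bearer ${SPLUNK_JWT_TOKEN}", "splunk_tenant": "${SPLUNK_TENANT}"}
O11Y_HEADERS = {"X-SF-TOKEN": "${SPLUNK_SIGNALFX_ACCESS_TOKEN}", "X-SF-REALM": "${SPLUNK_O11Y_REALM}"}
SCENARIOS = {"platform": PLATFORM_HEADERS, "observability": O11Y_HEADERS,
             "combined": {**PLATFORM_HEADERS, **O11Y_HEADERS}}
SECRET_HEADERS = {"authorization", "x-sf-token"}   # headers whose value is a credential
PLACEHOLDER = re.compile(r"\$\{([A-Z0-9_]+)\}")


def gateway_url(region):
    """Streamable HTTP endpoint for a documented SCS region; unknown regions are rejected."""
    if region not in DOCUMENTED_REGIONS:
        raise ValueError(f"unknown MCP Gateway region: {region!r}")
    return f"https://region-{region}.api.scs.splunk.com/system/mcp-gateway/v1/"


def client_config(name, scenario, region, transport="streamable_http"):
    """Config entry with ${VAR} placeholders, safe to commit. The mcpServers layout is assumed."""
    if scenario not in SCENARIOS:
        raise ValueError(f"unknown scenario: {scenario!r}")
    url = gateway_url(region)
    headers = dict(SCENARIOS[scenario])
    if transport == "streamable_http":
        entry = {"url": url, "headers": headers}
    elif transport == "stdio":
        # Bridge form from the page: npx -y mcp-remote <url> --header "Name: value" ...
        args = ["-y", "mcp-remote", url]
        for hname, value in headers.items():
            args += ["--header", f"{hname}: {value}"]
        entry = {"command": "npx", "args": args}
    else:
        raise ValueError(f"unsupported transport: {transport!r}")
    return {"mcpServers": {name: entry}}


def resolve(headers, env):
    """Expand ${VAR} placeholders from env at run time, failing closed if a secret is missing."""
    def lookup(match):
        var = match.group(1)
        if not env.get(var):
            raise KeyError(f"{var} is not set; refusing to send a request without it")
        return env[var]
    return {hname: PLACEHOLDER.sub(lookup, value) for hname, value in headers.items()}


def literal_secrets(config):
    """Names of credential headers whose value is a literal instead of a ${VAR} placeholder."""
    found = []
    for entry in config.get("mcpServers", {}).values():
        pairs = list(entry.get("headers", {}).items())
        args = entry.get("args", [])
        for i, arg in enumerate(args[:-1]):            # stdio form: --header "Name: value"
            if arg == "--header" and ":" in args[i + 1]:
                hname, _, value = args[i + 1].partition(":")
                pairs.append((hname.strip(), value.strip()))
        for hname, value in pairs:
            if hname.lower() not in SECRET_HEADERS:
                continue
            parts = value.split(None, 1)               # strip the "Bearer " scheme if present
            secret = parts[1] if len(parts) == 2 and parts[0].lower() == "bearer" else value
            if not PLACEHOLDER.fullmatch(secret):
                found.append(hname)
    return found


if __name__ == "__main__":
    cfg = client_config("splunk", "combined", "fra10", transport="stdio")
    print(json.dumps(cfg, indent=2))
    print("literal secrets:", literal_secrets(cfg))
```

Run `literal_secrets` over the parsed client configuration in a pre-commit hook; `resolve` is what a custom client would call immediately before opening the Streamable HTTP session, so a missing token aborts before any request carries an empty or partial credential.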

Key considerations

The MCP Gateway is available only to Splunk Cloud customers in supported
regions, and for Splunk Observability Cloud only in production realms that are
not hosted on Google Cloud Platform and are not GovCloud realms. Splunk
Enterprise deployments and platform-only use need the Splunk MCP Server app
from Splunkbase instead. Access is governed by token scope, tenant
configuration, and Splunk RBAC, so issue the agent its own least-privilege
token and role rather than a personal or admin credential, and review generated
searches before running costly or sensitive queries: a search an assistant
generated still executes with the full permissions of the token behind it. Keep
platform tokens, SignalFx access tokens, tenant names, and realms in the MCP
client's secure configuration or environment rather than in committed files.
With the npx mcp-remote bridge, header values placed in the args become part of
the local process's command line, where other local processes can read them,
so keep them as ${VAR} placeholders resolved from the environment rather than
pasting literal values.
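The advice to review generated searches before running them can be made a mechanical gate: before an agent's SPL reaches the search tool, check that it is bounded to allowed indexes and a limited time range and that no pipeline stage writes, deletes, sends or executes anything. The following is an added example, not part of Splunk's MCP Server; the allow-list of indexes and the 30-day lookback limit are assumed policy values for illustration, while the command names (delete, outputlookup, outputcsv, collect, sendemail, sendalert, script, runshellscript) are real SPL commands. The sample searches at the bottom are constructed.

```python
"""Pre-flight policy check for agent-generated SPL (added example, not Splunk's code)."""
import re

ALLOWED_INDEXES = {"web", "app", "security"}        # assumed allow-list for illustration
MAX_LOOKBACK_SECONDS = 30 * 86400                    # assumed policy: at most 30 days of history
# SPL commands that write, delete, exfiltrate or execute rather than read.
SIDE_EFFECT_COMMANDS = {"delete", "outputlookup", "outputcsv", "collect",
                        "sendemail", "sendalert", "script", "runshellscript"}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "mon": 2592000, "y": 31536000}

RELATIVE_TIME = re.compile(r"^(-?\d+)(mon|ms|[smhdwy])?(?:@.*)?$")   # e.g. -24h, -7d@d
INDEX_TERM = re.compile(r'\bindex\s*=\s*"?([^\s"|]+)', re.IGNORECASE)
EARLIEST_TERM = re.compile(r'\bearliest\s*=\s*"?([^\s"|]+)', re.IGNORECASE)


def lookback_seconds(value):
    """Seconds of history a relative earliest= value covers; None if it is not a bounded relative time."""
    m = RELATIVE_TIME.match(value)
    if not m:
        return None                                    # time modifiers this check does not evaluate
    n, unit = int(m.group(1)), m.group(2)
    if n == 0 or (unit is None and not value.startswith("-")):
        return None                                    # earliest=0 is all time; a bare epoch is absolute
    if unit == "ms":
        return abs(n) / 1000
    return abs(n) * UNIT_SECONDS[unit or "s"]


def review_spl(spl):
    """Return (allowed, reasons). An empty reasons list means the search passes the policy."""
    reasons = []
    segments = [s.strip() for s in spl.split("|")]     # naive split; pipes inside quotes are not handled
    head = segments[0]
    if head.lower().startswith("search "):
        head = head[len("search "):]

    indexes = INDEX_TERM.findall(head)
    if not indexes:
        reasons.append("no index restriction in the base search")
    for ix in indexes:
        if "*" in ix or ix.lower() not in ALLOWED_INDEXES:
            reasons.append(f"index {ix!r} is not in the allow-list")

    earliest = EARLIEST_TERM.findall(head)
    if not earliest:
        reasons.append("no earliest= time bound")
    else:
        span = lookback_seconds(earliest[-1])
        if span is None:
            reasons.append(f"earliest={earliest[-1]} is unbounded or not a relative time")
        elif span > MAX_LOOKBACK_SECONDS:
            reasons.append(f"earliest={earliest[-1]} exceeds the {MAX_LOOKBACK_SECONDS // 86400}-day window")

    # Every later stage (including those inside a [subsearch]) is checked by its command name.
    for seg in segments[1:]:
        m = re.match(r"\[?\s*([A-Za-z_]+)", seg)
        if m and m.group(1).lower() in SIDE_EFFECT_COMMANDS:
            reasons.append(f"command '{m.group(1)}' has side effects")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed searches of the kind an assistant might generate for an incident.
    for spl in ("index=web status=500 earliest=-24h | stats count by uri",
                "index=* | delete",
                "index=web earliest=-90d | stats count",
                "search index=web earliest=-24h | outputlookup hosts.csv"):
        allowed, why = review_spl(spl)
        print("ALLOW" if allowed else "BLOCK", spl, why)
```

Place the check in the path between the model's output and the tool call that runs the search; anything it blocks goes back to a human rather than to Splunk, and the token the agent holds should in any case lack the capabilities those side-effect commands need, so the gate is defence in depth, not the only control.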

Supported Transports

streamable_http

URL: https://region-${SPLUNK_SCS_REGION}.api.scs.splunk.com/system/mcp-gateway/v1/

The same endpoint serves the Splunk Platform, Observability Cloud, and combined
scenarios; only the required headers differ (see Connection and authentication).

stdio

Command: npx

Args:

  • -y
  • mcp-remote
  • https://region-${SPLUNK_SCS_REGION}.api.scs.splunk.com/system/mcp-gateway/v1/
  • --header
  • Authorization: Bearer ${SPLUNK_JWT_TOKEN}
  • --header
  • splunk_tenant: ${SPLUNK_TENANT}
  • --header
  • X-SF-TOKEN: ${SPLUNK_SIGNALFX_ACCESS_TOKEN}
  • --header
  • X-SF-REALM: ${SPLUNK_O11Y_REALM}

Frequently Asked Questions

When should an AI agent use the Splunk MCP Server?
Use it when an agent needs governed access to Splunk Platform or Splunk Observability Cloud data, such as investigating incidents, generating SPL, exploring knowledge objects, summarizing alerts, querying metrics, or using APM and SignalFlow context in operational workflows.
What does the Splunk MCP Server add to an AI agent's capabilities?
It gives the agent a standardized MCP connection to Splunk searches, knowledge objects, Splunk AI Assistant capabilities, and Observability tools, allowing natural-language workflows over live Splunk data while preserving token-based authentication and RBAC context.
What can an AI agent access or manage through Splunk MCP?
Depending on tokens, tenant, product access, and enabled tools, the agent can explore Splunk data, discover saved searches and lookups, execute SPL searches, use SPL and MLTK assistant capabilities, and interact with Observability Cloud metrics, SignalFlow, APM, and alerting tools.
How is authentication configured for Splunk MCP?
Splunk platform access uses Authorization Bearer tokens and the splunk_tenant header. Observability access uses X-SF-TOKEN and X-SF-REALM. Combined platform and Observability workflows use all required headers. Store tokens securely and follow Splunk RBAC and tenant controls.
Which transport should be used for Splunk MCP?
Use the hosted Streamable HTTP MCP Gateway endpoint for supported Splunk Cloud and Observability scenarios. Use the documented `npx mcp-remote` bridge only when the MCP client requires stdio. Splunk Enterprise and platform-only workflows rely on the Splunk MCP Server app from Splunkbase.