MCP Server for Splunk

A Go implementation of the MCP server for Splunk. Supports STDIO and SSE (Server-Sent Events HTTP API). Uses github.com/mark3labs/mcp-go SDK.

MCP Tools implemented

• list_splunk_saved_searches
• list_splunk_alerts
• list_splunk_fired_alerts
• list_splunk_indexes
• list_splunk_macros

MCP Prompts and Resources

• internal/splunk/prompt.go
• cmd/mcp/server/main.go

Usage# STDIO mode (default)

export SPLUNK_URL=https://your-splunk-instance:8089
export SPLUNK_TOKEN=your-splunk-token\n\n# List available tools
echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | go run cmd/mcp-server-splunk/main.go | jq\n\n# Call list_splunk_saved_searches tool
echo '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"list_splunk_saved_searches","arguments":{}}}' | go run cmd/mcp-server-splunk/main.go | jq

SSE mode (Server-Sent Events HTTP API)

export SPLUNK_URL=https://your-splunk-instance:8089
export SPLUNK_TOKEN=your-splunk-token\n\n# Start the server
go run cmd/mcp-server-splunk/main.go -transport sse -port 3001\n\n# Call the server and get Session ID from the output. Do not terminate the session.
curl http://localhost:3001/sse\n\n# Keep session running and and use different terminal window for the final MCP call
curl -X POST "http://localhost:3001/message?sessionId=YOUR_SESSION_ID" \
- H "Content-Type: application/json" \
- d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | jq

Installing via Smithery

Local Docker build and run

docker build -t mcp-server-splunk .
echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | \
docker run --rm -i \
- e SPLUNK_URL=https://your-splunk-instance:8089 \
- e SPLUNK_TOKEN=your-splunk-token \
mcp-server-splunk | jq

Cursor integration

By configuring MCP Settings in Cursor, you can include remote data directly into the LLM context.