Run Saved Search
Version 1.2 and higher of the MCP Server includes the Run Saved Search feature. It was offered as a beta feature in versions 1.1.x.
Built into Splunk MCP, the Run Saved Search tool lets AI assistants run your existing Splunk saved searches directly through MCP. Instead of writing SPL from scratch, AI can find and run the reports, alerts, and searches your team has built and validated.
Run Saved Search leverages the work you have already invested in building and tuning saved searches that have been reviewed and approved, and lets AI use those saved searches directly. Saved searches with token placeholders such as $host$ or $sourcetype$ can be called with different values on each use. Running a validated saved search is more reliable than generating a new SPL search from scratch.
Run Saved Search key features
Key features of Run Saved Search are as follows:
| Key feature | Description |
|---|---|
| Execute by name | Run any saved search by providing its name. |
| Token substitution | Pass key="value" pairs to fill placeholder tokens. |
| Time range control | Uses the saved search's time range by default; supports optional earliest_time / latest_time overrides. |
| Input validation | Strict pattern validation prevents SPL injection through the arguments and the saved search name. |
| Disabled search detection | Blocks execution of disabled saved searches by checking the saved search's disabled flag. |
| Discovery | Pair with get_knowledge_objects (type=saved_searches) to list available searches. |
| Auto app-resolution | Automatically resolves the app namespace. When a name exists in multiple apps, the alphabetically first app is used. |
| App mismatch detection | Returns a clear error if the provided app does not match the app the saved search belongs to. |
Run Saved Search parameters
Use the following parameters with Run Saved Search:
| Parameter | Required | Description |
|---|---|---|
| saved_search_name | Yes | Name of the saved search to run. |
| args | No | Token replacements as key="value" pairs. For example host="web01" sourcetype="syslog". CAUTION: Pipe operators, brackets, backticks, semicolons, and newlines are blocked. |
| earliest_time | No | Override the saved search start time. For example -24h, -7d. |
| latest_time | No | Override the saved search end time. For example now, -1h. |
| app | No | Splunk app context. For example search, enterprise_security. When omitted, the app is auto-resolved. If the saved search exists in multiple apps, the alphabetically first app is used. |
Run Saved Search examples
See the following sample prompts and tool call examples showing how customers and AI agents can use the run_saved_search tool.
Sample user prompts
- Simple execution: "Run the saved search called 'Errors in the last 24 hours'"
- With time override: "Run 'License Usage Data Cube' for the last 7 days"
- With token arguments: "Run 'Network Traffic Report' with host=webserver01 and sourcetype=access_combined"
- Specifying app context: "Run '_private_splunk_getCloudIndexesInfo' from the cloud_administration app"
- Discovery first: "List all saved searches, then run the one related to license usage"
Tool call examples
Run a saved search by name:
{
"method": "tools/call",
"params": {
"name": "splunk_run_saved_search",
"arguments": {
"saved_search_name": "Errors in the last 24 hours"
}
}
}
When the app parameter is omitted, the server auto-resolves the app from the saved search's metadata.
With token arguments:
Some saved searches contain placeholder tokens such as $host$, $sourcetype$ and $args.earliest$. Pass replacement values through the args parameter; each key names the token without its surrounding $ characters.
{
"method": "tools/call",
"params": {
"name": "splunk_run_saved_search",
"arguments": {
"saved_search_name": "AgentManagerAgentsWithError",
"args": "args.earliest=\"-24h\""
}
}
}
With time range override:
{
"method": "tools/call",
"params": {
"name": "splunk_run_saved_search",
"arguments": {
"saved_search_name": "License Usage Data Cube",
"earliest_time": "-7d",
"latest_time": "now"
}
}
}
With explicit app context:
When a saved search exists in multiple apps, specify which one.
{
"method": "tools/call",
"params": {
"name": "splunk_run_saved_search",
"arguments": {
"saved_search_name": "_private_splunk_getCloudIndexesInfo",
"app": "cloud_administration"
}
}
}
When you omit app, the server picks the alphabetically first app that contains a saved search with that name. Pass app explicitly to target the correct one.