Connecting to MCP Server and Admin settings
Authenticate to the MCP server using an MCP client and issue commands to the MCP server.
Tool Management
Administrators can enable or disable tools at the server level through the Splunk MCP Server app. This provides centralized control over which tools are available to all users across your deployment.
Why Server-Side Tool Management Matters
- Centralized control: Changes apply across your entire deployment.
- Security: Prevents users from accessing privileged information through restricted tool calls (for example, splunk_get_user_info).
- Consistency: Tools disabled at the server level are not loaded in any client context.
Tool Namespacing
Tools are namespaced based on their source:
| Prefix | Source |
|---|---|
| splunk_ | Splunk core platform tools |
| saia_ | Splunk AI Assistant tools |
Connect and Use an MCP Client
Step 1: Create an Encrypted Authentication Token for your client
Generate a new token to use when authenticating to the MCP server. The Splunk MCP Server requires encrypted tokens for authentication. This security enhancement prevents token reuse outside of the MCP context. If you do not have the permission to generate a token, contact your Splunk administrator.
| Scenario | Required Capabilities |
|---|---|
| Create a token for yourself | edit_tokens_own + mcp_tool_admin |
| Create a token for any user | edit_tokens_all + mcp_tool_admin |
Token creation process:
- Open the Splunk MCP Server app in your Splunk platform deployment.
- Generate a new encrypted token.
- Copy the token for use in your MCP client configuration. This token will only be displayed once.
Important:
- Tokens are credentials, so you must closely guard them and not share them with anyone who does not explicitly need access to Splunk platform services. Each user provides their unique authentication token to a trusted MCP client.
- Encrypted tokens cannot be used for direct Splunk API calls; they are exclusively for MCP authentication.
- Tokens can be created and invalidated within the MCP app.
- Set the appropriate expiration if the user does not have the permission to create their own token.
- Encrypted tokens are Splunk tokens and will show up in the main Tokens page as well.
Step 2: Configure Your MCP Client
After your administrator has configured the MCP server for your Splunk platform deployment, authorized users can connect using any compatible MCP client that supports the streamable HTTP protocol.
Get your MCP server endpoint
The MCP server endpoint and a sample configuration can be found in the Splunk MCP Server app. Copy these values for use in your client configuration.
Sample Client Configuration (JSON):
```json
{
  "mcpServers": {
    "splunk-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://<MCP_SERVER_ENDPOINT>",
        "--header",
        "Authorization: Bearer <YOUR_ENCRYPTED_TOKEN>"
      ]
    }
  }
}
```
Replace the following placeholders:
| Placeholder | Value |
|---|---|
| <MCP_SERVER_ENDPOINT> | Your endpoint URL from the Splunk MCP Server app. |
| <YOUR_ENCRYPTED_TOKEN> | The encrypted token generated in Step 1. |
MCP Server settings can be adjusted by MCP admins. This is a role that has the mcp_tool_admin capability.
You can invalidate all MCP access tokens from the App settings page by clicking the "Invalidate Keys" button.
Note that this invalidates every token, because a single public/private key pair is used for all tokens at any given time. Invalidating this key removes access for all encrypted tokens. This affects existing users and connections, so do it with caution.
The MCP server can be configured to connect with Splunk using self-signed certificates for testing purposes.
Navigate to mcp.conf, and configure the ssl_verify setting, using the following parameters:
| Value | Behavior |
|---|---|
| true | Enables SSL verification (default, recommended for production). |
| false | Disables SSL verification (testing only). |
| <certificate_path> | Uses a specific certificate file |
Sample client configuration:
```json
{
  "mcpServers": {
    "splunk-mcp-server": {
      "args": [
        "-y",
        "mcp-remote",
        "https://<MCP_SERVER_ENDPOINT>",
        "--header",
        "Authorization: Bearer <YOUR_ENCRYPTED_TOKEN>"
      ],
      "command": "npx",
      "env": {
        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
      }
    }
  }
}
```
If you are currently using the cloud-hosted MCP endpoint (*.api.scs.splunk.com), perform the following steps to migrate to the Splunk MCP Server app:
- Install the Splunk MCP Server app from Splunkbase on your deployment.
- Configure role-based access by assigning the mcp_tool_execute capability to appropriate roles.
- Create new encrypted tokens using the MCP app's token creation feature.
- Update your MCP client configuration with the new endpoint URL and encrypted token.
- Test the connection to verify functionality.
- Decommission old tokens created for the deprecated endpoint.
Upgrading from 0.2.6 to 1.0.0 is a breaking change. Only encrypted tokens work for 1.0.0. To address this issue:
- Upgrade the MCP App to version 1.0.0. This will cause existing clients to stop working.
- Decommission old tokens created for version 0.2.6.
- Create new encrypted tokens using the MCP app's token creation feature.
- Update your MCP client configuration with the new endpoint URL and encrypted token.
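A client-side audit of the settings this page discusses, as an added example (not Splunk's code): it parses an MCP client configuration in the JSON shape of the samples above and flags disabled TLS verification, a non-HTTPS or deprecated cloud-hosted (*.api.scs.splunk.com) endpoint, unreplaced placeholders, and a live bearer token stored in the file. The function name, finding labels, hostnames and token value are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Cloud-hosted endpoint domain the page says to migrate away from.
DEPRECATED_SUFFIX = ".api.scs.splunk.com"

def audit_mcp_client_config(text):
    """Return sorted (server, finding) pairs for a config in the page's JSON shape."""
    findings = set()
    for name, server in json.loads(text).get("mcpServers", {}).items():
        args = [str(a) for a in server.get("args", [])]
        env = server.get("env", {})
        # "0" makes Node skip certificate validation for the whole client process.
        if str(env.get("NODE_TLS_REJECT_UNAUTHORIZED", "1")) == "0":
            findings.add((name, "tls-verification-disabled"))
        for arg in args:
            if "<" in arg and ">" in arg:
                findings.add((name, "placeholder-not-replaced"))
            elif arg.lower().startswith("authorization: bearer "):
                # A live credential sits in this file; restrict who can read it.
                findings.add((name, "bearer-token-in-file"))
            if "://" in arg:
                url = urlparse(arg)
                if url.scheme != "https":
                    findings.add((name, "endpoint-not-https"))
                if (url.hostname or "").endswith(DEPRECATED_SUFFIX):
                    findings.add((name, "deprecated-cloud-endpoint"))
    return sorted(findings)

# Constructed sample inputs (hostnames and token are made up for illustration).
TESTING_CONFIG = json.dumps({"mcpServers": {"splunk-mcp-server": {
    "command": "npx",
    "args": ["-y", "mcp-remote", "https://splunk.example.test",
             "--header", "Authorization: Bearer EXAMPLE-TOKEN"],
    "env": {"NODE_TLS_REJECT_UNAUTHORIZED": "0"}}}})
LEGACY_CONFIG = json.dumps({"mcpServers": {"old-endpoint": {
    "command": "npx",
    "args": ["-y", "mcp-remote", "http://tenant.api.scs.splunk.com",
             "--header", "Authorization: Bearer <YOUR_ENCRYPTED_TOKEN>"]}}})

if __name__ == "__main__":
    for label, cfg in (("testing", TESTING_CONFIG), ("legacy", LEGACY_CONFIG)):
        for server, finding in audit_mcp_client_config(cfg):
            print(f"{label}: {server}: {finding}")
```

A "tls-verification-disabled" finding on anything other than a test client means the self-signed-certificate setting has leaked into regular use.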