MCP server tools
Splunk's MCP server provides several tools to interact with Splunk software.
| Tool Name | Description |
|---|---|
| run_splunk_query | Runs a Splunk query and streams the results. See the guardrails for this tool later in this topic. |
| get_splunk_info | Retrieves Splunk version and server details. |
| get_indexes | Lists all accessible Splunk indexes. |
| get_index_info | Provides detailed information about a specific index. |
| get_metadata | Retrieves metadata (hosts, sources, sourcetypes) for index discovery and query assistance. |
| get_user_info | Fetches current user information, roles, and permissions. |
| get_user_list | Lists all users in the Splunk instance. |
| get_knowledge_objects | Retrieves a list of knowledge objects from Splunk for the specified type. Refer to the list of supported types later in this topic. |
Guardrails for usage of run_splunk_query
The run_splunk_query tool is intended for quick searches that are deemed safe and non-destructive. The tool might fail for one or more of the following reasons:
- The search contains commands that are deemed unsafe or destructive; the MCP server may not execute such a search.
- The execution time exceeds 1 minute.
- The number of events in the response exceeds 1000.
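The three guardrails above can be checked on the client side before a query ever reaches the tool, so that an agent gets a clear local reason instead of a failed call. The following is an added example, not Splunk's code: it splits SPL into pipe stages, refuses queries that contain data-modifying commands, caps the result set with `head` when the query has no limit of its own, and flags searches with no `earliest=` bound as likely to run past the 1-minute limit. The page does not publish which commands the server deems unsafe, so the `DESTRUCTIVE_COMMANDS` set is an assumption built from SPL commands that write, delete or export data; treat it as local policy rather than the server's list.

```python
"""Client-side pre-flight check mirroring the run_splunk_query guardrails.

Added example, not Splunk's code. The page states three failure conditions:
unsafe or destructive commands, execution longer than 1 minute, and more than
1000 events in the response. Which commands the server deems unsafe is not
published, so DESTRUCTIVE_COMMANDS is an assumption, not the server's list.
"""
import re
from dataclasses import dataclass, field

MAX_EVENTS = 1000   # page: a response over 1000 events fails
MAX_SECONDS = 60    # page: execution time over 1 minute fails

# Assumed block list (not from the page): SPL commands that modify or export data.
DESTRUCTIVE_COMMANDS = frozenset({
    "delete", "collect", "mcollect", "meventcollect",
    "outputlookup", "outputcsv", "sendemail", "runshellscript", "script",
})

# Commands that may legitimately open a search; anything else in the first
# stage is Splunk's implicit `search` command.
GENERATING_COMMANDS = frozenset({
    "search", "tstats", "inputlookup", "metadata", "rest", "makeresults",
    "from", "datamodel", "dbinspect", "mstats", "loadjob",
})


@dataclass
class Preflight:
    ok: bool
    query: str                      # query to submit (a head limit may be appended)
    notes: list = field(default_factory=list)
    timeout_seconds: int = MAX_SECONDS  # deadline the caller should enforce


def spl_stages(query: str) -> list:
    """Return (command, stage_text) for each non-empty pipe stage of an SPL query.

    Double-quoted literals are blanked first so a quoted `| delete` inside a
    string value does not count as a command.
    """
    blanked = re.sub(r'"[^"]*"', '""', query)
    stages = []
    for i, raw in enumerate(blanked.split("|")):
        text = raw.strip()
        if not text:
            continue
        first = text.split(None, 1)[0].lower()
        if i == 0 and first not in GENERATING_COMMANDS:
            first = "search"
        stages.append((first, text))
    return stages


def preflight(query: str) -> Preflight:
    """Apply the guardrails locally before handing the query to the tool."""
    result = Preflight(ok=True, query=query.strip())
    stages = spl_stages(result.query)

    # Guardrail 1: unsafe or destructive commands.
    blocked = sorted({cmd for cmd, _ in stages if cmd in DESTRUCTIVE_COMMANDS})
    if blocked:
        result.ok = False
        result.notes.append(f"destructive command(s): {', '.join(blocked)}")

    # Guardrail 3: result size. Honour an existing `head N` within the limit;
    # otherwise cap the result set ourselves instead of letting the call fail.
    head_limits = []
    for cmd, text in stages:
        if cmd == "head":
            m = re.search(r"\bhead\s+(?:limit=)?(\d+)", text, re.IGNORECASE)
            head_limits.append(int(m.group(1)) if m else 10)  # bare `head` is 10
    if not head_limits or min(head_limits) > MAX_EVENTS:
        result.query += f" | head {MAX_EVENTS}"
        result.notes.append(f"appended | head {MAX_EVENTS} to stay within the event limit")

    # Guardrail 2: run time cannot be measured before running, but an unbounded
    # time range is the usual cause, so flag a query with no earliest= bound.
    if not re.search(r"\bearliest\s*=", result.query, re.IGNORECASE):
        result.notes.append(f"no earliest= bound; search must finish within {MAX_SECONDS}s")
    return result


if __name__ == "__main__":
    # Constructed sample queries, not taken from any real deployment.
    for q in ("index=main status=500 earliest=-15m | stats count by host",
              "index=main | delete"):
        r = preflight(q)
        print("OK " if r.ok else "REJECT", r.query, r.notes)
```

The check is deliberately conservative: a query that passes here can still be refused by the server, whose block list and timing are authoritative, but a query rejected here never consumes a search slot on the indexers.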
List of knowledge object types supported by get_knowledge_objects
- saved_searches
- alerts
- field_extractions
- field_aliases
- calculated_fields
- lookups
- automatic_lookups
- lookup_transforms
- macros
- tags
- data_models
- workflow_actions
- views
- panels
- apps