Beta feature: Run Saved Search

Version 1.1.0 of the MCP Server includes the beta feature of Run Saved Search. Built into Splunk MCP, the Run Saved Search tool lets AI assistants run your existing Splunk saved searches directly through MCP. Instead of writing SPL from scratch, AI can find and run the reports, alerts, and searches your team has built and validated.

Note: You must be using MCP Server version 1.1 to try this beta feature.

Run Saved Search leverages the work you have invested into building and turning saved searches, which have already been reviewed and approved, and lets AI use those saved searches directly. Saved searches with token placeholders such as $host$ or $sourcetype$ can also be called with different values with each use. Running a saved search can be more reliable than generating an new SPL search.

Note: By default, the Run Saved Search tool uses the time range defined in the saved search. Users can override it as needed.

Preview disclaimer

Beta features described in this document are provided by Splunk to you "as is" without any warranties, maintenance and support, or service-level commitments. Splunk makes this Beta feature available at its sole discretion and may discontinue it at any time. Use of Beta features is subject to the Splunk Pre-Release Agreement for Hosted Services.

Run Saved Search key features

Key features of this beta offering are as follows:


Key feature	Description
Execute by name	Run any saved search by providing its name.
Token substitution	Pass `key="value"` pairs to fill placeholder tokens.
Time range control	Uses the saved search's time range by default; supports optional `earliest_time` / `latest_time` overrides.
Input validation	Strict pattern validation prevents SPL injection through arguments and saved search name.
Disabled search detection	Blocks execution of disabled saved searches by checking the saved search's `disabled` flag.
Discovery	Pair with `get_knowledge_objects` (type=`saved_searches`) to list available searches.

Run Saved Search parameters

Use the following parameters when using the beta offering of Run Saved Search:


Parameter	Required	Description
`saved_search_name`	Yes	Name of the saved search to run.
`args`	No	Token replacements as `key="value"` pairs. For example `host="web01" sourcetype="syslog"`. CAUTION: Pipe operators, brackets, backticks, semicolons, and newlines are blocked.
`earliest_time`	No	Override the saved search start time. For example -24h, -7d.
`latest_time`	No	Override the saved search end time. For example now, -1h.

Splunk Enterprise

Beta feature: Run Saved Search

Preview disclaimer

Run Saved Search key features

Run Saved Search parameters

ON THIS PAGE

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

Enterprise Security

SOAR

IT Service Intelligence

Content Packs

Splunk Observability Cloud

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

Developer Documentation

Splunkbase

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

DATA MANAGEMENT

SEARCH AND ANALYTICS

ADMINISTRATION

Enterprise Security

SOAR

ENTERPRISE SECURITY

SOAR

RELATED APPS

IT Service Intelligence

Content Packs

ITSI

IT Ops

ADMINISTRATION

EXTENSIONS

Splunk Observability Cloud

MONITORING

DATA MANAGEMENT

ADMINISTRATION

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

ESSENTIALS

MONITORING

ADMINISTRATION

Developer Documentation

Splunkbase

PLATFORM

OBSERVABILITY

REFERENCE

Resources

REFERENCE

Learn More

Support

Beta feature: Run Saved Search

Preview disclaimer

Run Saved Search key features

Run Saved Search parameters