Configure the server

Perform the following tasks to allow Splunk’s MCP server to connect to your Splunk software deployment.

Prerequisites

Enable API access and token authentication

Install Splunk AI Assistant for SPL

To make AI tools such as generate_spl, explain_spl, optimize_spl, and ask_splunk_question available in the MCP server, you must install Splunk AI Assistant for SPL. Read more at Install and use Splunk AI Assistant for SPL.

Perform the additional steps depending upon your chosen deployment method.

Method 1: On-Cloud MCP server

To allow Splunk's On-Cloud MCP server to connect to your Splunk Cloud Platform deployment, your administrator must configure role-based access to the MCP server for Splunk Platform.

  • Create a new role named mcp_user. This role does not require any capabilities.

  • Assign the mcp_user role to the users that are authorized to use the MCP server functionality.

  • Set the appropriate expiration if the user does not have the permission to create their own token.

Method 2: On-Deployment MCP server

Your administrator must install the Splunk MCP Server app on the Splunk deployment in order to create an MCP server there. The app shows the status of the server and provides useful information such as the endpoint URL for the server and a sample client configuration for connecting to it. The app also adds a new capability called "mcp_tool_execute" that controls who has access to the deployment through the Model Context Protocol. A second capability, "mcp_tool_admin", is reserved for admin functionality in future versions of the app.

Restart Splunk Deployment

You might be prompted to restart your Splunk deployment for the new capabilities to be available.

Configure capability-based access to the MCP server

Add the new 'mcp_tool_execute' capability to roles, existing or new, that are authorized to use the MCP server functionality.

Configure IP allow list (Splunk Cloud Platform only)

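Add 0.0.0.0/0 to the IP allow list for Search Head API access. This entry matches every IPv4 source address, so access then depends on the token and role controls described on this page. See Configure IP allow lists for Splunk Cloud Platform for more information.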

Configure role-based access to the MCP server

The administrator must configure role-based access to the MCP server for Splunk Platform.
  1. Create a new role named mcp_user. This role does not require any capabilities.
  2. Assign the mcp_user role to the users that are authorized to use the MCP server functionality.

Create an authentication token to use with the MCP server

Generate a new token to use when authenticating to the MCP server. Tokens are credentials, so you must closely guard them and not share them with anyone who does not explicitly need access to Splunk platform services. Each user provides their unique authentication token to a trusted MCP client.
  1. Generate a new authentication token. In the token generation workflow, set the audience field to mcp. See Create authentication tokens. If the audience is not set to mcp, your MCP client will not be able to connect to the MCP server.
  2. Set the appropriate expiration if the user does not have the permission to create their own token.
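
A pre-flight check for the token described above, as an added example that is not part of the Splunk documentation: it decodes the token's claims locally and reports a wrong audience or a missing, past, or overly long expiration before the token is handed to an MCP client. It assumes Splunk authentication tokens are JWTs carrying `aud` and `exp` claims and that a missing or zero `exp` means no expiry; `check_mcp_token`, `make_sample`, and the 90-day limit are hypothetical.

```python
import base64
import json
import time

REQUIRED_AUDIENCE = "mcp"  # value the page says the audience field must carry


def decode_claims(token):
    """Return the unverified JWT payload; inspection only, no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_mcp_token(token, now=None, max_lifetime_days=90):
    """Return a list of problems; an empty list means the token looks usable."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return [f"unreadable token: {exc}"]
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if REQUIRED_AUDIENCE not in audiences:
        problems.append(f"audience is {aud!r}, expected {REQUIRED_AUDIENCE!r}")
    exp = claims.get("exp")
    if not exp:  # assumption: missing or 0 means the token never expires
        problems.append("no expiration set")
    elif exp <= now:
        problems.append("token has expired")
    elif exp - now > max_lifetime_days * 86400:  # hypothetical local policy
        problems.append(f"expires more than {max_lifetime_days} days out")
    return problems


def make_sample(claims):
    """Build a constructed, unsigned token for the demo (not a real credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    good = make_sample({"sub": "alice", "aud": "mcp", "exp": now + 30 * 86400})
    bad = make_sample({"sub": "bob", "aud": "search", "exp": 0})
    print(check_mcp_token(good, now))
    print(check_mcp_token(bad, now))
```

The check reads claims without verifying the signature, so it catches misconfiguration only; the Splunk deployment remains the authority on whether a token is valid.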