Connect and use an MCP client
Authenticate to the MCP server using an MCP client and issue commands to the MCP server.
Create an authentication token for your client
Generate a new token to use when authenticating to the MCP server. If you do not have the permission to generate a token, contact your Splunk administrator. Tokens are credentials, so you must closely guard them and not share them with anyone who does not explicitly need access to Splunk platform services. Each user provides their unique authentication token to a trusted MCP client.
Generate a new authentication token. In the token generation workflow, set the audience field to mcp. See Create authentication tokens for more information. If the audience is not set to mcp, your MCP client will not be able to connect to the MCP server.
Set the appropriate expiration if the user does not have the permission to create their own token.
After the administrator has configured the MCP server for your Splunk deployment, authorized users can use a compatible MCP client that supports the streamable HTTP protocol to connect to the MCP server.
- Provide the MCP server endpoint:
  - For Method 1: On-Cloud MCP server, this endpoint is: https://<YOUR_SPLUNK_DEPLOYMENT_NAME>.api.scs.splunk.com/<YOUR_SPLUNK_DEPLOYMENT_NAME>/mcp/v1
  - For Method 2: On-Deployment MCP server, this endpoint can be copied from the Splunk MCP Server app along with the sample configuration.
If you are a Splunk Cloud Platform user and you are unsure about which method is applicable to you, contact your Splunk administrator. For Splunk Enterprise users, it will always be Method 2.
Replace the placeholder <YOUR_TOKEN> in your MCP client configuration with the token that was generated in the previous step. This step grants the MCP client the same privileges as the user for whom the token was created.
Note that the exact configuration might differ depending on your chosen MCP client and the operating system of the machine. Your MCP client might also have additional dependencies like Node.js and mcp-remote that are not owned by Splunk.
{
  "mcpServers": {
    "splunk-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://<YOUR_SPLUNK_DEPLOYMENT_NAME>.api.scs.splunk.com/<YOUR_SPLUNK_DEPLOYMENT_NAME>/mcp/v1/",
        "--header",
        "Authorization: Bearer <YOUR_TOKEN>"
      ]
    }
  }
}
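
A pre-flight check for the two token requirements described above (audience set to mcp, an appropriate expiration), run before the token is placed in the client configuration. This is an added example, not part of the Splunk documentation or product code. It assumes the token is a JWT carrying `aud` and `exp` claims; the function names are hypothetical and the sample tokens are constructed.

```javascript
// Added example. Assumption: the token is a JWT (header.payload.signature)
// whose payload carries `aud` and `exp`. The signature is NOT verified here;
// the MCP server remains the authority on whether the token is valid.
function decodeJwtPayload(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('token is not a three-part JWT');
  // Node's 'base64' decoder also accepts the URL-safe alphabet JWTs use.
  const claims = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  if (claims === null || typeof claims !== 'object') throw new Error('payload is not a JSON object');
  return claims;
}

function checkMcpToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (err) {
    return { ok: false, problems: [`cannot decode token: ${err.message}`] };
  }
  const problems = [];
  const audiences = [].concat(claims.aud ?? []); // `aud` may be a string or a list
  if (!audiences.includes('mcp')) problems.push('audience is not "mcp"');
  // Treating a missing expiry as a problem is this example's policy choice.
  if (typeof claims.exp !== 'number') problems.push('no expiration set');
  else if (claims.exp <= nowSeconds) problems.push('token has expired');
  return { ok: problems.length === 0, problems };
}

// Builds the mcp-remote configuration only for a token that passes the check.
function buildClientConfig(endpoint, token) {
  const { ok, problems } = checkMcpToken(token);
  if (!ok) throw new Error(`refusing to write config: ${problems.join('; ')}`);
  const args = ['-y', 'mcp-remote', endpoint, '--header', `Authorization: Bearer ${token}`];
  return { mcpServers: { 'splunk-mcp-server': { command: 'npx', args } } };
}

// Constructed, unsigned sample token for the demo; not a real credential.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.constructed`;
}

const inOneHour = Math.floor(Date.now() / 1000) + 3600;
console.log(checkMcpToken(makeSampleToken({ aud: 'mcp', exp: inOneHour })));
console.log(checkMcpToken(makeSampleToken({ aud: 'search', exp: inOneHour })));
```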