MCP server tools
Splunk's MCP server provides several tools to interact with Splunk software.
Tool Namespacing
Tools are namespaced based on their source:
| Prefix | Source |
|---|---|
splunk_ |
Splunk core platform tools |
saia_ |
Splunk AI Assistant tools |
Note: Splunk platform tools are enabled by default.
Splunk's MCP server provides several tools to interact with Splunk software.
| Tool Name | Description | Date added |
|---|---|---|
| splunk_run_query | Execute a Splunk search query and return the results. This is the primary tool for running Splunk searches using SPL (Search Processing Language). Use this to retrieve log data, perform aggregations, analyze events, and extract insights from your Splunk environment. | July 2025 |
| splunk_get_info | Get comprehensive information about the Splunk instance. Retrieves system information including version, hardware specs, and operational status. | July 2025 |
| splunk_get_indexes | Get a list of indexes from Splunk. Indexes are data repositories where machine data is stored and organized. | July 2025 |
| splunk_get_index_info | Get detailed information about a specific Splunk index. Returns comprehensive configuration and status information for the specified index. | July 2025 |
| splunk_get_metadata | Retrieve metadata about hosts, sources, or sourcetypes across one or more indexes in the selected time window. | July 2025 |
| splunk_get_user_info | Retrieves detailed information about the currently authenticated user including roles and permissions. Returns comprehensive user profile data for the current session. | July 2025 |
| splunk_get_user_list | Get a list of users from Splunk. Retrieves information about all users including authentication details, roles, and account status. | July 2025 |
| splunk_get_kv_store_collections | Get KV Store collection statistics including size, count, and storage information. Retrieves comprehensive metrics about all KV Store collections in the Splunk instance. | July 2025 |
| splunk_get_knowledge_objects | Retrieve Splunk knowledge objects by type. Supports various knowledge object types including saved searches, alerts, field extractions, lookups, macros, data models, and more. Refer to the full list of supported types later in this topic. | July 2025 |
| saia_generate_spl | Generate SPL from natural language queries using Splunk AI Assistant. | September 2025 |
| saia_explain_spl | Explain SPL queries in natural language using Splunk AI Assistant. Converts complex SPL commands into human-readable explanations. | September 2025 |
| saia_optimize_spl | Optimize SPL (Search Processing Language) queries using Splunk AI Assistant. Improves query performance, efficiency, and follows best practices. | September 2025 |
| saia_ask_splunk_question | Ask natural language questions about Splunk using Splunk AI Assistant. Get explanations about Splunk commands, concepts, features, and best practices. | September 2025 |
Guardrails for usage of run_splunk_query
The run_splunk_query tool is intended for quick searches that are deemed safe and non-destructive. The tool might fail for one or more of the following reasons:
-
If the search contains commands that are deemed unsafe or destructive, the MCP server may not execute the search.
-
The execution time exceeds 1 minute.
-
The number of events in the response exceeds 1000.
List of knowledge object types supported by get_knowledge_objects
-
saved_searches
-
alerts
-
field_extractions
-
field_aliases
-
calculated_fields
-
lookups
-
automatic_lookups
-
lookup_transforms
-
macros
-
tags
-
data_models
-
workflow_actions
-
views
-
panels
-
apps
-
mltk_models
-
mltk_algorithms