Interact with your observability data using the Splunk MCP server

Use the Splunk MCP server to interact with your observability data from anywhere you work, including Integrated Development Environments, chatbots, and internal LLMs.

The MCP server acts as a bridge to the observability data in your Splunk Observability Cloud deployments. You can use natural language queries and automated workflows to query your observability data from the following environments where your teams work:

  • IDEs (VS Code, Cursor, Windsurf, and IntelliJ)

  • Chatbots (Claude and ChatGPT)

  • Homegrown LLMs

The MCP server is a set of APIs that provides a secure, standard method to connect O11y AI Assistant capabilities to external tools.

Key benefits

The following are the key benefits of using the MCP server:

  • Natural language interaction with observability data
  • Integration with popular AI development tools and IDEs
  • Secure JWT-based authentication with SF tokens
  • Support for agentic workflows and automation

Deployment architecture: Hosted MCP Server

The MCP server runs within the Splunk Observability environment. The server provides access to the Splunk AI Assistant in Observability Cloud tools without requiring customers to run additional infrastructure.

Alpha release customers should authenticate with an API user access token, also known as a session token. See Retrieve your user API access token (session token) to learn how. This user session token provides the necessary authentication for MCP server access, ensuring proper user context and enforcement of role-based access control (RBAC) within the Splunk Observability Cloud environment.

The server implements the streamable HTTP transport as defined in the MCP specification, enabling real-time bi-directional communication between AI clients and Splunk Observability Cloud data. This protocol choice ensures compatibility with popular MCP clients while providing the performance characteristics needed for interactive AI workflows.

Configuration: Gateway

Add the following configuration to your VS Code MCP settings file, which is typically located at ~/.vscode/mcp_servers.json or in your workspace settings:
JSON
"Splunk_dontuse": {
    "type": "http",
    "url": "https://region-pdx10.api.scs.splunk.com/system/mcp-gateway/v1/",
    "headers": {
        "X-SF-REALM": "[realm]",
        "X-SF-TOKEN": "[token]",
        "splunk_tenant": "[splunk_tenant]",
        "Authorization": "Bearer [token]"
    }
},
Replace [realm] with your realm (e.g. us1).

npx mcp-remote

Configuration example: Claude Desktop

Install Node.js if it is not already on your machine. Then, add the following configuration to your claude_desktop_config.json:
JSON
{
    "mcpServers": {
        "Splunk Observability": {
            "command": "npx",
            "args": [
                "-y",
                "mcp-remote",
                "https://region-pdx10.api.scs.splunk.com/system/mcp-gateway/v1/",
                "--header",
                "X-SF-REALM:[realm]",
                "--header",
                "X-SF-TOKEN:[token]",
                "--header",
                "splunk_tenant:[splunk_tenant]",
                "--header",
                "Authorization:Bearer [token]"
            ]
        }
    }
}
The preceding configuration uses npx to run mcp-remote with the following parameters:
  • -y: Automatically confirms package installation
  • Target URL: https://api.[realm].signalfx.com/v2/mcp
  • Authentication header with your user session token
  • HTTP-only transport mode for compatibility
  • Debug mode enabled for troubleshooting

Replace [realm] with your realm (e.g. us1). Replace "replace with user session token" with your actual user session token obtained from your Splunk Observability Cloud profile.
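
Both configurations above keep the session token in a local JSON file, so it is worth checking the file before relying on it. The following is an added example, not Splunk's code: a small audit of a Claude Desktop style config that flags unreplaced placeholders, non-HTTPS endpoints, and credential headers stored in plaintext. The function names and the sample values are assumptions constructed for illustration.

```python
import json
import re

# Headers from this page's configuration that carry credentials.
SECRET_HEADERS = {"x-sf-token", "authorization"}
PLACEHOLDER = re.compile(r"\[[A-Za-z_]+\]")  # e.g. [realm], [token]

def headers_from_args(args):
    """Collect NAME:VALUE pairs that follow each --header in mcp-remote args."""
    headers = {}
    for flag, value in zip(args, args[1:]):
        if flag == "--header" and ":" in value:
            name, _, val = value.partition(":")
            headers[name.strip()] = val.strip()
    return headers

def audit_server(name, entry):
    """Return (server, issue) findings for one server entry (hypothetical helper)."""
    args = entry.get("args", [])
    url = entry.get("url") or next((a for a in args if "://" in a), "")
    headers = dict(entry.get("headers", {}))
    headers.update(headers_from_args(args))
    findings = []
    if not url.startswith("https://"):
        findings.append((name, "endpoint is not HTTPS; tokens would travel in cleartext"))
    for header, value in headers.items():
        if PLACEHOLDER.search(value):
            findings.append((name, f"{header}: placeholder not replaced"))
        elif header.lower() in SECRET_HEADERS:
            findings.append((name, f"{header}: live credential stored in plaintext"))
    return findings

def audit_config(text):
    """Audit every entry under mcpServers in a Claude Desktop style config."""
    servers = json.loads(text).get("mcpServers", {})
    return [f for name, entry in servers.items() for f in audit_server(name, entry)]

# Constructed sample: the page's layout with made-up values, not real credentials.
SAMPLE = json.dumps({"mcpServers": {"Splunk Observability": {
    "command": "npx",
    "args": ["-y", "mcp-remote",
             "https://region-pdx10.api.scs.splunk.com/system/mcp-gateway/v1/",
             "--header", "X-SF-REALM:us1",
             "--header", "X-SF-TOKEN:EXAMPLE-NOT-A-REAL-TOKEN",
             "--header", "Authorization:Bearer [token]"]}}})

if __name__ == "__main__":
    for server, issue in audit_config(SAMPLE):
        print(f"{server}: {issue}")
```

A "live credential stored in plaintext" finding is expected once the placeholders are filled in; treat it as a reminder to keep the config file readable only by its owner and out of version control.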

Splunk Observability Cloud realms

The Splunk MCP server is supported in all Splunk Observability Cloud production realms.

Available Splunk AI Assistant in Observability Cloud tools

The following sections describe the Splunk AI Assistant in Observability Cloud tools your users can use when they send natural language prompts to Splunk Observability Cloud through the Splunk MCP server.

Metrics and SignalFlow

The following are metrics and SignalFlow tools:
Tool                          Description
get_metric_names              Search for metric names using wildcard search terms
get_metric_metadata           Get dimensions, properties, and sample values for specific metrics
generate_signalflow_program   Generate a SignalFlow program from a natural language prompt
execute_signalflow_program    Execute a SignalFlow program and return the data stream

APM (Application Performance Monitoring)

The following are tools from Splunk APM:
Tool                                  Description
get_apm_environments                  List APM environments
get_apm_services                      List services in a given environment
get_apm_service_dependencies          Get inbound and outbound dependencies with requests and latencies
get_apm_service_latency               Get latency breakdown by tag for a service
get_apm_service_errors_and_requests   Get error and request breakdown by tag
get_apm_exemplar_traces               Get sample traces (errors, latency buckets, etc.)
get_apm_trace_tool                    Get trace details and spans for a specific trace ID

Alerting

The following are alerting tools:
Tool                         Description
get_incident_events          Get incident details including trigger and clear events
search_alerts_or_incidents   Search for alerts or incidents