Configure the Splunk MCP Server
Follow these steps to set up the Splunk MCP Server for your deployment.
Prerequisites
You must allow for API access and token authentication:
- Splunk Cloud Platform: Allow REST API access for your Splunk platform deployment. For more information, see Accessing the Splunk Cloud Platform REST API.
- All deployments: Allow token authentication for all Splunk platform instance deployments. For more information, see Enable token authentication for a Splunk platform instance.
Configuration steps
Complete the following steps to download, install, and configure the Splunk MCP Server app.
Step 1: Download and install the Splunk MCP Server app from Splunkbase
The Splunk MCP Server app is available on Splunkbase. The Splunk MCP Server app can be installed on your Splunk Search Head (SH) or Search Head Cluster (SHC).
For Splunk Cloud Platform installation steps, see Install an add-on in Splunk Cloud Platform. For Splunk Enterprise, follow installation procedures from Installing Splunk add-ons.
Step 2: Configure role-based access
The MCP Server app adds 2 new capabilities for role-based access control:
| Capability | Description |
|---|---|
| mcp_tool_execute | Grants users access to use the MCP server tools. |
| mcp_tool_admin | Grants administrative access for tool management and token creation. |
Add the mcp_tool_execute capability to any new or existing roles that need access to MCP server functionality. Access to the APIs is also required.
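Because Splunk roles can inherit capabilities from other roles, a role may hold mcp_tool_admin without listing it directly. The following added example (not part of the Splunk documentation or the app) resolves the effective MCP capabilities per role. It assumes authorize.conf role stanzas of the form [role_<name>] with importRoles and <capability> = enabled settings; the sample roles are constructed for illustration.

```python
import configparser

# Constructed sample authorize.conf content (role names are hypothetical).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_mcp_analyst]
importRoles = user
mcp_tool_execute = enabled

[role_mcp_operator]
importRoles = mcp_analyst
mcp_tool_admin = enabled

[role_soc_lead]
importRoles = mcp_operator;user
"""

MCP_CAPS = ("mcp_tool_execute", "mcp_tool_admin")

def parse_roles(text):
    """Return {role: (directly granted MCP capabilities, imported role names)}."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue  # skip non-role stanzas
        opts = cp[section]
        caps = {c for c in MCP_CAPS if opts.get(c, "").strip().lower() == "enabled"}
        imports = [r.strip() for r in opts.get("importRoles", "").split(";") if r.strip()]
        roles[section[len("role_"):]] = (caps, imports)
    return roles

def effective_mcp_caps(roles):
    """Resolve importRoles transitively; returns {role: set of MCP capabilities}."""
    def resolve(name, seen):
        if name in seen or name not in roles:  # import cycle or unknown role
            return set()
        caps, imports = roles[name]
        result = set(caps)
        for parent in imports:
            result |= resolve(parent, seen | {name})
        return result
    return {name: resolve(name, frozenset()) for name in roles}

if __name__ == "__main__":
    for role, caps in effective_mcp_caps(parse_roles(SAMPLE_AUTHORIZE_CONF)).items():
        print(f"{role}: {sorted(caps) or 'no MCP capabilities'}")
```

In the sample, soc_lead lists no MCP capability of its own but inherits both through mcp_operator, which is the case a review of direct grants alone would miss.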
Step 3: (Optional) Install Splunk AI Assistant for SPL
To make AI tools such as generate_spl, explain_spl, optimize_spl, and ask_splunk_question available in the MCP server, Splunk AI Assistant for SPL must be installed. To learn more, see About Splunk AI Assistant for SPL.