Connecting to the MCP Server and settings

Authenticate to the MCP server using an MCP client and issue commands to the MCP server.

The MCP Server provides a standardized, secure, and scalable interface to connect AI assistants, agents, and other intelligent systems with data in the Splunk platform.

Tool management

Administrators can enable or disable tools at the server level through the Splunk MCP Server app. This provides centralized control over which tools are available to all users across your deployment.

Why server-side tool management matters

  • Centralized control: Changes apply across your entire deployment.

  • Security: Prevents users from accessing privileged information through restricted tool calls, for example splunk_get_user_info.

  • Consistency: Tools disabled at the server level are not loaded in any client context.

Tool namespacing

Tools are namespaced based on their source. See the following table for prefix and source information:

Prefix    Source
splunk_   Splunk core platform tools
saia_     Splunk AI Assistant for SPL tools

Note: Splunk platform tools are turned on by default.
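As an added example (not part of Splunk's app or documentation), the following Python snippet takes the JSON-RPC tools/list result an MCP client receives, groups the tools by the namespace prefixes above, and reports any tool that an administrator disabled server-side but that is still advertised to clients. The response and all tool names except splunk_get_user_info are constructed placeholders.

```python
import json
from collections import defaultdict

# Namespace prefixes from the page; anything else is reported under "other".
PREFIXES = {"splunk_": "Splunk core platform tools",
            "saia_": "Splunk AI Assistant for SPL tools"}

# Constructed sample of a JSON-RPC tools/list result. Tool names are placeholders,
# except splunk_get_user_info, which the page names as a privileged tool.
SAMPLE_TOOLS_LIST = json.dumps({
    "jsonrpc": "2.0", "id": 2,
    "result": {"tools": [
        {"name": "splunk_search_example", "description": "placeholder"},
        {"name": "splunk_get_user_info", "description": "placeholder"},
        {"name": "saia_spl_example", "description": "placeholder"},
        {"name": "custom_example", "description": "placeholder"},
    ]},
})

def group_by_namespace(tools_list_json):
    """Return {prefix-or-'other': [tool names]} from a tools/list response."""
    msg = json.loads(tools_list_json)
    if "error" in msg:
        raise RuntimeError(f"tools/list failed: {msg['error']}")
    groups = defaultdict(list)
    for tool in msg["result"]["tools"]:
        name = tool["name"]
        prefix = next((p for p in PREFIXES if name.startswith(p)), "other")
        groups[prefix].append(name)
    return dict(groups)

def audit_disabled(tools_list_json, disabled):
    """Tools disabled at the server level must not be loaded in any client context.
    Returns the set of disabled tools that are still visible (empty means pass)."""
    visible = {n for names in group_by_namespace(tools_list_json).values() for n in names}
    return visible & set(disabled)

if __name__ == "__main__":
    print(group_by_namespace(SAMPLE_TOOLS_LIST))
    leaked = audit_disabled(SAMPLE_TOOLS_LIST, {"splunk_get_user_info"})
    print("still visible despite server-side disable:", leaked or "none")
```

Feed it the actual tools/list response from your client after disabling a tool in the app to confirm the change took effect.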

Connect and use an MCP client

Complete the following steps to connect to and use an MCP client.

Step 1: Create an Encrypted Authentication Token for your client

Generate a new token to use when authenticating to the MCP server. The Splunk MCP Server requires encrypted tokens for authentication. This security enhancement prevents token reuse outside of the MCP context. If you do not have the permission to generate a token, contact your Splunk administrator.

The following capabilities are required for token creation:

Scenario                      Required capabilities
Create a token for yourself   edit_tokens_own and mcp_tool_admin
Create a token for any user   edit_tokens_all and mcp_tool_admin

Token creation process

Complete the following steps:
  1. Open the Splunk MCP Server app in your Splunk platform deployment.

  2. Generate a new encrypted token.

  3. Copy the token for use in your MCP client configuration. This token is only displayed once.

The following image shows the window where users can create a Splunk MCP Encrypted Token.

The following image shows the window where you can enter details about the MCP Encrypted Token you are creating.

About tokens

See the following for additional information on tokens:

  • Tokens are credentials, so you must closely guard them and not share them with anyone who does not explicitly need access to Splunk platform services.

    • Each user provides their unique authentication token to a trusted MCP client.

  • Encrypted tokens cannot be used for direct Splunk API calls. They are exclusively for MCP authentication.

  • Tokens can be created and invalidated within the MCP app.

  • Set the appropriate expiration if the user does not have the permission to create their own token.

  • Encrypted tokens are Splunk tokens and will show up in the main Tokens page.

Step 2: Configure your MCP client

After your administrator has configured the MCP server for your Splunk platform deployment, authorized users can connect using any compatible MCP client that supports the streamable HTTP protocol.

Get your MCP server endpoint

The MCP server endpoint and a sample client configuration are shown in the Splunk MCP Server app. Copy both values for use in your client configuration.

See the following sample client configuration in JSON:

JSON
{
  "mcpServers": {
    "splunk-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://<MCP_SERVER_ENDPOINT>",
        "--header",
        "Authorization: Bearer <YOUR_ENCRYPTED_TOKEN>"
      ]
    }
  }
}

Replace placeholders

If you use the sample configuration from the previous section, replace the following placeholders with your own information as follows:
Placeholder               Replace with this value
<MCP_SERVER_ENDPOINT>     Your endpoint URL from the Splunk MCP Server app.
<YOUR_ENCRYPTED_TOKEN>    The encrypted token generated in Step 1.

Note: The exact configuration can differ depending on your MCP client and operating system. Your MCP client might have additional dependencies such as Node.js and mcp-remote that are not owned by Splunk.

MCP Server settings

MCP Server settings can be adjusted by MCP admins, that is, users whose role has the mcp_tool_admin capability.

This image shows the list of tools along with a status column from which administrators can enable or disable each tool.

Invalidate token and rotate keys

You can choose to invalidate all MCP access tokens in the app settings page by selecting the Invalidate Keys button.

Taking this step invalidates all tokens, because a single public/private key pair is used for all tokens at any given time. Invalidating this key pair removes access from every encrypted token.

CAUTION: This affects all existing users and connections, so proceed with care.

Configure self-signed certificates (non-production only)

The MCP server can be configured to connect with Splunk using self-signed certificates for testing purposes.

CAUTION: Do not use self-signed certificates in production environments.

Navigate to mcp.conf, and configure the ssl_verify setting, using the following parameters:

Parameter value    Description
true               Enables SSL verification. Default, recommended for production.
false              Disables SSL verification. Testing only.
certificate_path   Uses a specific certificate file.

The ssl_verify setting only applies to the MCP server connection. The rest of your Splunk deployment continues to respect the default SSL verification settings. With this setting you can also disregard the lack of CA-signed certificates.

See the following sample of a client configuration:

JSON
{
  "mcpServers": {
    "splunk-mcp-server": {
      "args": [
        "-y",
        "mcp-remote",
        "https://<MCP_SERVER_ENDPOINT>",
        "--header",
        "Authorization: Bearer <YOUR_ENCRYPTED_TOKEN>"
      ],
      "command": "npx",
      "env": {
        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
      }
    }
  }
}
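As an added example (not part of Splunk's app or documentation), this Python check lints an MCP client configuration before it is rolled out: it flags sample placeholders that were never replaced, a non-HTTPS endpoint, and the NODE_TLS_REJECT_UNAUTHORIZED=0 setting that belongs only in the self-signed testing setup above. Both configurations below are constructed; the endpoint host and token value in the production-style one are hypothetical.

```python
import json

# Constructed client config mirroring the page's non-production sample:
# placeholders still present and TLS verification switched off for mcp-remote.
TESTING_CONFIG = json.dumps({"mcpServers": {"splunk-mcp-server": {
    "command": "npx",
    "args": ["-y", "mcp-remote", "https://<MCP_SERVER_ENDPOINT>",
             "--header", "Authorization: Bearer <YOUR_ENCRYPTED_TOKEN>"],
    "env": {"NODE_TLS_REJECT_UNAUTHORIZED": "0"}}}})

# Constructed production-style config (hypothetical endpoint host and token value).
PRODUCTION_CONFIG = json.dumps({"mcpServers": {"splunk-mcp-server": {
    "command": "npx",
    "args": ["-y", "mcp-remote", "https://splunk.example.internal/mcp",
             "--header", "Authorization: Bearer EXAMPLE_TOKEN_VALUE"]}}})

def lint_mcp_client_config(config_json):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    for name, server in json.loads(config_json).get("mcpServers", {}).items():
        for arg in server.get("args", []):
            # Unreplaced <PLACEHOLDER> values copied from the sample configuration
            if "<" in arg and ">" in arg:
                findings.append(f"{name}: placeholder not replaced: {arg}")
            # The endpoint must be HTTPS so the bearer token is never sent in the clear
            if arg.startswith("http://"):
                findings.append(f"{name}: endpoint is not HTTPS: {arg}")
        # NODE_TLS_REJECT_UNAUTHORIZED=0 is the self-signed/testing setting from the page
        if server.get("env", {}).get("NODE_TLS_REJECT_UNAUTHORIZED") == "0":
            findings.append(f"{name}: TLS certificate verification is disabled (testing only)")
    return findings

if __name__ == "__main__":
    for label, cfg in (("testing", TESTING_CONFIG), ("production", PRODUCTION_CONFIG)):
        print(label, lint_mcp_client_config(cfg) or ["ok"])
```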

Migration guide

If you are currently using the cloud-hosted MCP endpoint at *.api.scs.splunk.com, complete the following steps to migrate to the Splunk MCP Server app:

  1. Install the Splunk MCP Server app from Splunkbase on your deployment.

  2. Configure role-based access by assigning the mcp_tool_execute capability to appropriate roles.

  3. Create new encrypted tokens using the MCP app's token creation feature.

  4. Update your MCP client configuration with the new endpoint URL and encrypted token.

  5. Test the connection to verify functionality.

  6. Decommission old tokens created for the deprecated endpoint.

Upgrading to version 1.0.0

Upgrading from v0.2.6 to v1.0.0 is a breaking change. Only encrypted tokens work for v1.0.0.

Complete the following tasks to address this issue:

  • Upgrade the MCP Server app to version 1.0.0. This will cause existing clients to stop working.

  • Decommission old tokens created for version 0.2.6.

  • Create new encrypted tokens using the MCP app's token creation feature.

  • Update your MCP client configuration with the new endpoint URL and encrypted token.