MCP server tools
The Splunk MCP server provides several tools to interact with Splunk software.
Tool namespacing
Tools are namespaced based on their source. See the following table for prefix and source information:
| Prefix | Source |
|---|---|
splunk_ |
Splunk core platform tools |
saia_ |
Splunk AI Assistant for SPL tools |
Note: Splunk platform tools are turned on by default.
The Splunk MCP server provides several tools to interact with Splunk software. See the following table for tool names and descriptions:
| Tool name | Description | Date added |
|---|---|---|
splunk_run_query |
Execute a Splunk search query and return the results. This is the primary tool for running Splunk searches using Splunk Search Processing Language (SPL). Use this to retrieve log data, perform aggregations, analyze events, and extract insights from your Splunk environment. | July 2025 |
splunk_get_info |
Get comprehensive information about your Splunk instance. Retrieves system information including version, hardware specifications, and operational status. | July 2025 |
splunk_get_indexes |
Get a list of indexes from Splunk. Indexes are data repositories where machine data is stored and organized. | July 2025 |
splunk_get_index_info |
Get detailed information about a specific Splunk index. Returns comprehensive configuration and status information for the specified index. | July 2025 |
splunk_get_metadata |
Retrieve metadata about hosts, sources, or sourcetypes across 1 or more indexes in the selected time window. | July 2025 |
splunk_get_user_info |
Retrieves detailed information about the currently authenticated user including roles and permissions. Returns comprehensive user profile data for the current session. | July 2025 |
splunk_get_user_list |
Get a list of users from Splunk. Retrieves information about all users including authentication details, roles, and account status. | July 2025 |
splunk_get_kv_store_collections |
Get KV Store collection statistics including size, count, and storage information. Retrieves comprehensive metrics about all KV Store collections in the Splunk instance. | July 2025 |
splunk_get_knowledge_objects |
Retrieve Splunk knowledge objects by type. Supports various knowledge object types including saved searches, alerts, field extractions, lookups, macros, and data models. Refer to the full list of supported types later in this topic. | July 2025 |
saia_generate_spl |
Generate SPL from natural language searches using Splunk AI Assistant for SPL. | September 2025 |
saia_explain_spl |
Explain SPL queries in natural language using Splunk AI Assistant for SPL. Converts complex SPL commands into human-readable explanations. | September 2025 |
saia_optimize_spl |
Optimize SPL searches using Splunk AI Assistant for SPL. Improves search performance, efficiency, and follows best practices. | September 2025 |
saia_ask_splunk_question |
Ask natural language questions about Splunk using Splunk AI Assistant for SPL. Get explanations about Splunk commands, concepts, features, and best practices. | September 2025 |
Guardrails for run_splunk_query
The run_splunk_query tool is intended for quick searches that are deemed safe and non-destructive. The tool might fail for one or more of the following reasons:
- If the search contains commands that are deemed unsafe or destructive, the MCP server might not execute the search.
- The execution time exceeds 1 minute.
- The number of events in the response exceeds 1000.
Supported knowledge object types
The following knowledge object types are supported by get_knowledge_objects:
-
saved_searches -
alerts -
field_extractions -
field_aliases -
calculated_fields -
lookups -
automatic_lookups -
lookup_transforms -
macros -
tags -
data_models -
workflow_actions -
views -
panels -
apps -
mltk_models -
mltk_algorithms