mcp-splunk

MCP server for Splunk

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio jkosik-mcp-server-splunk \
  --env SPLUNK_URL="https://changeme.splunkcloud.com:8089" \
  --env SPLUNK_TOKEN="abcdef" \
  -- go run cmd/mcp-server-splunk/main.go

How to use

This MCP server provides a Splunk integration with two communication modes: STDIO and SSE. In STDIO mode, the server runs as a local executable that talks to Splunk using the SPLUNK_URL and SPLUNK_TOKEN environment variables. It exposes a set of MCP tools (list_splunk_saved_searches, list_splunk_alerts, list_splunk_fired_alerts, list_splunk_indexes, and list_splunk_macros) that allow Cursor or other MCP clients to fetch data from Splunk and feed it into LLM contexts. In SSE mode, the server runs as an HTTP API with a Server-Sent Events endpoint that maintains a long-lived session, and commands are issued over HTTP using a JSON-RPC-like protocol to query the same Splunk data sources.

To use either mode, configure mcp.json in Cursor (or another MCP consumer) to point at the appropriate server entry and provide the necessary SPLUNK_URL and SPLUNK_TOKEN. After starting in SSE mode, you will receive a session ID and can send subsequent tool calls to the /message endpoint to retrieve results.
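The SSE exchange described above, as an added Go example that is not part of the original page or the project's code: it reads the server's first SSE event to find the message URL and session ID, refuses an endpoint on a different origin than the SSE URL, and builds a tools/call request body. The `endpoint` event framing and the `sessionId` query parameter follow the MCP HTTP+SSE transport convention and are assumptions here, as are the count/offset arguments; the sample stream is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample; the endpoint event and sessionId parameter are assumed framing.
const sampleStream = "event: endpoint\ndata: /message?sessionId=constructed-1234\n\n"

// MessageURL finds the "endpoint" event in an SSE stream and resolves it against
// the SSE URL, refusing an endpoint that would send tool calls to another origin.
func MessageURL(sseURL, stream string) (string, error) {
	base, err := url.Parse(sseURL)
	if err != nil {
		return "", err
	}
	event := ""
	for _, line := range strings.Split(stream, "\n") {
		if v, ok := strings.CutPrefix(line, "event:"); ok {
			event = strings.TrimSpace(v)
		} else if v, ok := strings.CutPrefix(line, "data:"); ok && event == "endpoint" {
			ref, err := url.Parse(strings.TrimSpace(v))
			if err != nil {
				return "", err
			}
			u := base.ResolveReference(ref)
			if u.Scheme != base.Scheme || u.Host != base.Host {
				return "", errors.New("endpoint event points at a different origin")
			}
			return u.String(), nil
		}
	}
	return "", errors.New("no endpoint event in stream")
}

// ToolCall builds the JSON-RPC 2.0 body of an MCP tools/call request.
func ToolCall(id int, tool string, args map[string]any) ([]byte, error) {
	return json.Marshal(map[string]any{"jsonrpc": "2.0", "id": id, "method": "tools/call",
		"params": map[string]any{"name": tool, "arguments": args}})
}

func main() {
	u, _ := MessageURL("http://localhost:3001/sse", sampleStream)
	body, _ := ToolCall(1, "list_splunk_indexes", map[string]any{"count": 10, "offset": 0})
	fmt.Printf("POST %s\n%s\n", u, body)
}
```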

How to install

Prerequisites:

  • Go installed (1.20+ recommended)
  • Access to a Splunk instance with a valid SPLUNK_URL and SPLUNK_TOKEN
  • (Optional) Go environment for building the binary locally

Install and run (STDIO mode):

  1. Build the executable (if you haven't built already): go build -o cmd/mcp-server-splunk/mcp-server-splunk cmd/mcp-server-splunk/main.go
  2. Run the server (STDIO mode), adjusting the path to wherever the binary was built: SPLUNK_URL="https://your-splunk-instance:8089" SPLUNK_TOKEN="your-token" /tmp/mcp-server-splunk/cmd/mcp-server-splunk/mcp-server-splunk
  3. Update Cursor settings (e.g. ~/.cursor/mcp.json) to point to the STDIO server, including the required env vars.

Install and run (SSE mode):

  1. Ensure SPLUNK_URL and SPLUNK_TOKEN are set:
       export SPLUNK_URL=https://your-splunk-instance:8089
       export SPLUNK_TOKEN=your-splunk-token
  2. Start the SSE server (from source): go run cmd/mcp-server-splunk/main.go -transport sse -port 3001
  3. Update Cursor settings to point to the SSE endpoint, e.g. http://localhost:3001/sse

Notes:

  • The STDIO server expects an executable path as the command and can be configured with env vars for Splunk access.
  • The SSE server is started with the Go runner and serves an HTTP SSE endpoint; you can connect clients to http://localhost:3001/sse.
  • If you modify the code, you may need to rebuild the binary before restarting the STDIO server.

Additional notes

Tip: For production, consider running the STDIO server behind a process supervisor and ensure SPLUNK_URL uses a reachable address with proper TLS. The tools exposed by the MCP server (list_splunk_saved_searches, list_splunk_alerts, list_splunk_fired_alerts, list_splunk_indexes, list_splunk_macros) can be combined by Cursor prompts to perform multi-step data gathering before answering user queries. The internal Splunk prompt (internal/splunk/prompt.go) demonstrates how to coordinate multiple tools to fetch alerts, indexes, and macros before composing a response. If you encounter rate limits or timeouts, increase the SPLUNK_TOKEN permissions or adjust the query pagination (count/offset) in Cursor.
