splunk 2

Unofficial. Splunk MCP server. Implemented in Python and TypeScript/JS. Runs searches, queries Splunk, and outputs data as JSON, CSV, or Markdown for agentic LLM workflows. Includes guardrails for input SPL validation and output sanitization. SSE/stdio transport support. Deployment options: Stdio, local HTTP (SSE), or Docker.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio splunk-splunk-mcp-server2 python server.py \
  --env SPLUNK_HOST="Splunk host address" \
  --env SPLUNK_PORT="Splunk port (default 8089 or as configured)" \
  --env SPLUNK_PASSWORD="Splunk password or token" \
  --env SPLUNK_USERNAME="Splunk username"

How to use

This MCP server provides a standardized interface for AI assistants to securely search, analyze, and validate Splunk queries using the MCP protocol. It exposes a set of tools that enable safe interaction with Splunk, including smart query validation, on-demand searches, and efficient streaming of large result sets. The server implements built-in safety guardrails, data sanitization for sensitive information, and supports multiple transport modes (stdio, SSE, and WebSocket) to accommodate different client setups. You can interact with the server using the two available implementations (Python and TypeScript) depending on your stack preference. Each implementation exposes the same core capabilities via the MCP protocol, so AI assistants can discover and invoke tools without worrying about underlying differences. Tools available include validate_spl, search_oneshot, search_export, get_indexes, get_saved_searches, run_saved_search, and get_config, with risk scoring and configurable thresholds to protect your environment.
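
To make the risk scoring and configurable threshold behind validate_spl concrete, here is an added example that is not the project's code: a small SPL scorer that blocks a query once its score reaches the threshold. The rule set, the weights, the name score_spl and the default threshold of 50 are assumptions for illustration; the SPL commands it flags are real.

```python
import re

# Assumed rules (pattern, points, reason). The SPL commands are real;
# the weights and the selection are illustrative, not the server's own.
RULES = [
    (re.compile(r"\|\s*delete\b", re.I), 80,
     "delete hides events from all searches"),
    (re.compile(r"\|\s*(collect|outputlookup|outputcsv)\b", re.I), 40,
     "writes data on the Splunk side"),
    (re.compile(r"\|\s*(script|sendemail)\b", re.I), 60,
     "runs a script or sends data out by mail"),
    (re.compile(r"\bindex\s*=\s*\*", re.I), 30, "searches every index"),
]
TIME_BOUND = re.compile(r"\b(earliest|latest)\s*=", re.I)
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')


def score_spl(spl, threshold=50):
    """Score a query 0-100 and decide whether it may run (hypothetical helper)."""
    # Blank out quoted literals so a string such as "| delete" inside a
    # search term is not mistaken for a pipeline command.
    body = QUOTED.sub('""', spl)
    findings = [(pts, why) for rx, pts, why in RULES if rx.search(body)]
    if not TIME_BOUND.search(body):
        findings.append((20, "no earliest/latest time bound in the query"))
    score = min(100, sum(pts for pts, _ in findings))
    return {"score": score, "allowed": score < threshold,
            "reasons": [why for _, why in findings]}


if __name__ == "__main__":
    # Constructed sample queries, not taken from the project.
    samples = [
        "index=web earliest=-15m status=500 | stats count by host",
        'index=web earliest=-1h msg="| delete"',
        "index=web | outputlookup hosts.csv",
        "index=* | delete",
    ]
    for query in samples:
        result = score_spl(query)
        verdict = "allow" if result["allowed"] else "block"
        print(f"{verdict:5} {result['score']:3} {query} {result['reasons']}")
```

Raising the threshold admits more queries (the outputlookup sample passes at 70), which is the safety versus query richness trade-off the tips below refer to.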

How to install

Prerequisites:

  • Docker (optional for containerized deployment)
  • Python 3.8+ or Node.js 18+ (depending on the implementation you choose)
  • Basic Splunk access credentials and REST API access

  1. Clone the repository
  2. Install and run the Python implementation
     • cd python
     • python -m venv venv
     • source venv/bin/activate (Linux/macOS) or venv\Scripts\activate (Windows)
     • pip install -e .
     • cp .env.example .env
     • Edit .env with your Splunk credentials
     • python server.py
  3. Install and run the TypeScript implementation
     • cd typescript
     • cp .env.example .env
     • Edit .env with your Splunk credentials
     • npm install
     • npm start
  4. Docker (optional)
     • Build and run the Python image (example):
         docker build -t splunk-mcp-python ./python
         docker run -i -e SPLUNK_HOST=... -e SPLUNK_USERNAME=... -e SPLUNK_PASSWORD=... splunk-mcp-python
     • Build and run the TypeScript image (example):
         docker build -t splunk-mcp-typescript ./typescript
         docker run -i -e SPLUNK_HOST=... -e SPLUNK_USERNAME=... -e SPLUNK_PASSWORD=... splunk-mcp-typescript
  5. Verify installation
     • Ensure the MCP endpoints are reachable per the implemented REST/stdio/SSE interfaces
     • Use an MCP client to discover tools and invoke them (see MCP docs in the repository)

Additional notes

Tips and common issues:

  • Always store credentials securely in environment variables or a secure vault; never commit credentials.
  • If you encounter connection errors to Splunk, verify host, port, and SSL settings in your .env file.
  • The server performs automatic sanitization of sensitive data in outputs; however, review any custom saved searches or outputs for edge cases.
  • Check the guardrails and risk scoring thresholds to balance safety with query richness for your environment.
  • For production deployments, consider using SSL/TLS termination and proper authentication between the MCP client and server.
