Splunk MCP server
Search indexes and triage notable events on Splunk Cloud or Splunk Enterprise.
About
Connect Tracecat to Splunk to drive SPL searches and notable event triage from agents working alongside SOC analysts and detection engineers. You can run one-shot or long-running SPL jobs against any indexed sourcetype so agents pivot through related events without an analyst writing the query by hand. From there, agents can walk through notable events in Enterprise Security, pull saved searches and accelerated data models, and pass enriched context to the rest of your security stack with the connected user's role permissions enforced throughout.
Setup
1. Create a bearer token. The Splunk MCP server authenticates with a JSON Web Token (JWT) and your Splunk REST endpoint URL. The base URL is configurable, so the same setup works for Splunk Cloud Platform and on-prem Splunk Enterprise. The token inherits the role permissions of the user that created it, and every search an agent runs executes with those permissions, so mint it from a dedicated user whose role is scoped to the indexes and Enterprise Security content the agents actually need rather than from an admin account.
2. Select the Splunk tile in the Tracecat MCP catalog. Open the MCP catalog in your workspace, select the Splunk tile, and paste your bearer token.
3. Enable Splunk in your agent. In your ai.agent action or the Agents → tools tab, select Splunk from the MCP integrations dropdown.
Tools
| Tool | Description |
| --- | --- |
| run_oneshot_search | Run a one-shot SPL search against any indexed sourcetype and return the events. |
| run_search_job | Submit a long-running SPL search job and poll for completion. |
| get_search_results | Fetch the results of a previously submitted search job by SID. |
| list_indexes | List indexes available to the authenticated user, with retention and bucket stats. |
| list_sourcetypes | List sourcetypes seen in a given index and time window. |
| get_notable_events | Retrieve notable events from Splunk Enterprise Security for triage. |
| list_saved_searches | List saved searches and reports the user has access to. |
| list_data_models | Enumerate accelerated data models for use in tstats queries. |
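The flow behind the Setup steps and the three search tools above, as an added example that is not Tracecat's or Splunk's own code: a small Python client that sends the bearer token from step 1 to the configurable REST base URL, runs a one-shot search, submits a normal search job, polls its SID until the job reports isDone, and then fetches the results. The REST paths and parameters it uses (POST /services/search/jobs with exec_mode, GET /services/search/jobs/<sid> and .../results with output_mode=json) are Splunk's documented search API. Everything else is constructed for this example: the FakeSplunk transport and its sample events, the demo-jwt token, the splunk.example.com host, and the BLOCKED_COMMANDS guard, which is an added client-side check that complements (and does not replace) the role scoping the token inherits.

```python
import json
import time
import urllib.parse
import urllib.request

# SPL commands with side effects (writes, deletes, email, scripts) that an agent-driven
# search should never reach. Assumption: an added client-side guard, not a Splunk feature.
BLOCKED_COMMANDS = {"delete", "outputlookup", "outputcsv", "sendemail", "collect", "runshellscript"}


def find_blocked(spl):
    """Blocked commands appearing after a pipe. Splitting on '|' ignores quoting,
    so a quoted pipe can only cause a false rejection, never a bypass."""
    heads = [seg.split()[0].lower() for seg in spl.split("|")[1:] if seg.split()]
    return [h for h in heads if h in BLOCKED_COMMANDS]


def check_spl(spl):
    """Normalise SPL for the REST API (must start with 'search' or '|') and vet it."""
    spl = spl.strip()
    if not spl.startswith(("search ", "|")):
        spl = "search " + spl
    blocked = find_blocked(spl)
    if blocked:
        raise ValueError(f"blocked SPL command(s): {blocked}")
    return spl


def urllib_transport(method, url, token, data=None):
    body = urllib.parse.urlencode(data).encode() if data else None   # form-encoded POST body
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


class SplunkClient:
    # base_url is the REST endpoint from Setup step 1 (management port, 8089 by default).
    def __init__(self, base_url, token, transport=urllib_transport):
        self.base_url, self.token, self.transport = base_url.rstrip("/"), token, transport

    def _call(self, method, path, params=None, data=None):
        query = urllib.parse.urlencode({"output_mode": "json", **(params or {})})
        return self.transport(method, f"{self.base_url}{path}?{query}", self.token, data)

    def _submit(self, spl, exec_mode, earliest, latest):
        data = {"search": check_spl(spl), "exec_mode": exec_mode,
                "earliest_time": earliest, "latest_time": latest}
        return self._call("POST", "/services/search/jobs", data=data)

    def run_oneshot_search(self, spl, earliest="-24h", latest="now"):
        return self._submit(spl, "oneshot", earliest, latest)["results"]   # events come back inline

    def run_search_job(self, spl, earliest="-24h", latest="now"):
        return self._submit(spl, "normal", earliest, latest)["sid"]        # job id to poll later

    def wait_for_job(self, sid, poll_seconds=2.0, max_polls=150):
        for _ in range(max_polls):
            content = self._call("GET", f"/services/search/jobs/{sid}")["entry"][0]["content"]
            if content.get("isFailed"):
                raise RuntimeError(f"job {sid} failed: {content.get('dispatchState')}")
            if content.get("isDone"):
                return content
            time.sleep(poll_seconds)
        raise TimeoutError(f"job {sid} not finished after {max_polls} polls")

    def get_search_results(self, sid, count=0):      # count=0 asks for every row
        return self._call("GET", f"/services/search/jobs/{sid}/results", {"count": count})["results"]


class FakeSplunk:
    """Constructed stand-in for a search head so the block runs offline; events are made up."""
    EVENTS = [{"_time": "2024-05-01T10:00:00", "user": "svc-backup", "action": "failure", "src": "10.0.0.7"},
              {"_time": "2024-05-01T10:00:09", "user": "svc-backup", "action": "success", "src": "10.0.0.7"}]

    def __init__(self, token):
        self.token, self.polls, self.sids = token, 0, {}

    def __call__(self, method, url, token, data=None):
        if token != self.token:                       # what a bad or expired JWT produces
            raise PermissionError("401 Unauthorized")
        path = urllib.parse.urlparse(url).path
        if method == "POST" and path == "/services/search/jobs":
            if data["exec_mode"] == "oneshot":
                return {"results": self.EVENTS}
            sid = f"{len(self.sids) + 1}.demo"
            self.sids[sid] = data["search"]           # remember what was actually submitted
            return {"sid": sid}
        if path.endswith("/results"):
            return {"results": self.EVENTS}
        self.polls += 1                               # status poll: running first, then done
        done = self.polls >= 2
        return {"entry": [{"content": {"isDone": done, "isFailed": False,
                                       "dispatchState": "DONE" if done else "RUNNING"}}]}


def demo():
    fake = FakeSplunk(token="demo-jwt")
    client = SplunkClient("https://splunk.example.com:8089", "demo-jwt", transport=fake)
    oneshot = client.run_oneshot_search('index=auth action=failure user="svc-backup"')
    sid = client.run_search_job("index=auth | stats count by user, action")
    client.wait_for_job(sid, poll_seconds=0)
    return {"oneshot": oneshot, "sid": sid, "submitted": fake.sids[sid],
            "job_results": client.get_search_results(sid), "polls": fake.polls}
```

Against a real deployment, drop the transport argument so urllib_transport is used and point base_url at the management port of your search head. Authorization still comes from the role behind the token: a search that the token's user is not allowed to run fails at Splunk regardless of the denylist, which only stops an agent that has been steered by event content from issuing a write or exfiltration command in the first place.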