Interact with your observability data using the Splunk MCP server

Use the Splunk MCP server to interact with your observability data from anywhere you work, including Integrated Development Environments, chatbots, and internal LLMs.

The MCP server acts as a bridge to your observability data in your Splunk Observability Cloud deployments from wherever you work. You can use natural language queries and automated workflows to question your observability data from the following environments where your teams work:

  • IDEs (VS Code, Cursor, Windsurf, and IntelliJ)

  • Chatbots (Claude and ChatGPT)

  • Homegrown LLMs

The MCP server is a set of APIs that provides a secure, standard method to connect O11y AI Assistant capabilities to external tools.

Key benefits

The following are the key benefits of using the MCP server:

  • Natural language interaction with observability data
  • Integration with popular AI development tools and IDEs
  • Secure JWT-based authentication with SF tokens
  • Support for agentic workflows and automation

Deployment architecture: Hosted MCP Server

Splunk MCP Gateway is a hosted MCP server, deployed in SCS, which provides access to all Splunk tools available from Splunk Cloud Platform and Splunk Observability Cloud. To identify your Splunk MCP Gateway URL, see Configure Splunk Observability Cloud tools with Splunk MCP Server - Supported regions.

The server implements the streamable HTTP transport as defined in the MCP specification, enabling real-time bi-directional communication between AI clients and Splunk Observability Cloud data. This protocol choice ensures compatibility with popular MCP clients while providing the performance characteristics needed for interactive AI workflows.

You must provide a user session token for authentication. To copy your token, follow the instructions in Retrieve your user API access token. This user session token provides the necessary authentication for MCP server access, ensuring proper user context and enforcement of Role Based Access Control (RBAC) within the Splunk Observability Cloud environment.

Configuration: Gateway

Add the following configuration to your VS Code MCP settings file, which is typically located at ~/.vscode/mcp_servers.json or in your workspace settings:
JSON
"Splunk": {
    "type": "http",
    "url": "https://region-pdx10.api.scs.splunk.com/system/mcp-gateway/v1/",
    "headers": {
        "X-SF-REALM": "[realm]",
        "X-SF-TOKEN": "[token]",
        "splunk_tenant": "[splunk_tenant]",
        "Authorization": "Bearer [token]"
    }
},
Replace https://region-pdx10.api.scs.splunk.com/system/mcp-gateway/v1/ with the MCP gateway URL for your realm.

Replace the information in brackets with the information from your realm, organization, or Splunk tenant.

Parameters required for Splunk Observability Cloud:

  • X-SF-REALM

  • X-SF-TOKEN

Parameters required for Splunk Cloud Platform:

  • splunk_tenant

  • Authorization

Configuration example: Claude Desktop

The following configuration uses npx to run mcp-remote, which requires Node.js. Install Node.js if it is not already on your machine. Then, add the following configuration to your claude_desktop_config.json:
JSON
{
    "mcpServers": {
        "Splunk Observability": {
            "command": "npx",
            "args": [
                "-y",
                "mcp-remote",
                "https://region-pdx10.api.scs.splunk.com/system/mcp-gateway/v1/",
                "--transport",
                "http-only",
                "--allow-http",
                "--header",
                "X-SF-REALM:[realm]",
                "--header",
                "X-SF-TOKEN:[token]",
                "--header",
                "splunk_tenant:[splunk_tenant]",
                "--header",
                "Authorization:Bearer [token]"
            ]
        }
    }
}
Replace https://region-pdx10.api.scs.splunk.com/system/mcp-gateway/v1/ with the MCP gateway URL for your realm.

Replace the information in brackets with the information from your realm, organization, or Splunk tenant.

Parameters required for Splunk Observability Cloud:

  • X-SF-REALM

  • X-SF-TOKEN

Parameters required for Splunk Cloud Platform:

  • splunk_tenant

  • Authorization
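
As an added example (not part of Splunk's documentation or tooling), the following Python script audits a claude_desktop_config.json of the shape shown above before it is used: it checks the header pairs this page lists per product, unreplaced bracket placeholders, a non-HTTPS gateway URL, and the --allow-http flag, which it reports because the headers carry tokens. The function name, the finding texts and the sample host, realm and tenant are assumptions made for this example.

```python
import json
import re
from urllib.parse import urlparse

# Header sets this page lists as required per product (compared lowercased).
REQUIRED = {
    "Splunk Observability Cloud": {"x-sf-realm", "x-sf-token"},
    "Splunk Cloud Platform": {"splunk_tenant", "authorization"},
}
PLACEHOLDER = re.compile(r"\[[^\]]+\]")  # e.g. "[token]" left unreplaced

def audit_mcp_remote(config_text):
    """Return sorted (server, finding) pairs for mcp-remote entries."""
    findings = []
    for name, entry in json.loads(config_text).get("mcpServers", {}).items():
        args = entry.get("args", [])
        if "mcp-remote" not in args:
            continue
        url = next((a for a in args if "://" in a), "")
        if urlparse(url).scheme != "https":
            findings.append((name, "gateway URL is not https"))
        if "--allow-http" in args:
            findings.append((name, "--allow-http set: cleartext transport permitted"))
        # Each --header flag is followed by one "Name:value" argument.
        headers = {}
        for flag, value in zip(args, args[1:]):
            if flag == "--header":
                key, _, val = value.partition(":")
                headers[key.strip().lower()] = val.strip()
        for key, val in headers.items():
            if not val or PLACEHOLDER.search(val):
                findings.append((name, f"header {key}: empty or placeholder value"))
        have = set(headers)
        for product, needed in REQUIRED.items():
            if needed & have and not needed <= have:
                missing = ", ".join(sorted(needed - have))
                findings.append((name, f"{product}: missing header {missing}"))
        if not any(needed <= have for needed in REQUIRED.values()):
            findings.append((name, "no complete header set for either product"))
    return sorted(findings)

# Constructed sample (not from the page); host, realm and tenant are made up.
SAMPLE = json.dumps({"mcpServers": {"Splunk Observability": {"command": "npx", "args": [
    "-y", "mcp-remote", "http://gateway.example.test/system/mcp-gateway/v1/",
    "--transport", "http-only", "--allow-http",
    "--header", "X-SF-REALM:us1", "--header", "X-SF-TOKEN:[token]",
    "--header", "splunk_tenant:example-tenant"]}}})

if __name__ == "__main__":
    print("\n".join(f"{s}: {f}" for s, f in audit_mcp_remote(SAMPLE)))
```

To audit a real file, pass its contents to audit_mcp_remote(); an empty list means none of these checks fired.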

Splunk Observability Cloud realms supported for Splunk MCP server

The Splunk MCP server is supported in all Splunk Observability Cloud production realms except for Google Cloud Platform realms and GovCloud realms.

Available Splunk AI Assistant in Observability Cloud tools

The following sections describe the Splunk AI Assistant in Observability Cloud tools your users can utilize when they send natural language prompts to Splunk Observability Cloud through the Splunk MCP server.

Metrics and SignalFlow

The following are metrics and SignalFlow tools:
Tool                          Description
get_metric_names              Search for metric names using wildcard search terms
get_metric_metadata           Get dimensions, properties, and sample values for specific metrics
generate_signalflow_program   Generate a SignalFlow program from a natural language prompt
execute_signalflow_program    Execute a SignalFlow program and return the data stream

APM (Application Performance Monitoring)

The following are tools from Splunk APM:
Tool                                  Description
get_apm_environments                  List APM environments
get_apm_services                      List services in a given environment
get_apm_service_dependencies          Get inbound and outbound dependencies with requests and latencies
get_apm_service_latency               Get latency breakdown by tag for a service
get_apm_service_errors_and_requests   Get error and request breakdown by tag
get_apm_exemplar_traces               Get sample traces (errors, latency buckets, etc.)
get_apm_trace_tool                    Get trace details and spans for a specific trace ID

Alerting

The following are tools from alerts:
Tool                         Description
search_alerts_or_incidents   Search for alerts or incidents