
curatedmcp for CuratedMCP

Posted on • Originally published at curatedmcp.com

Splunk MCP: Query your observability stack directly from Claude

Install guide and config at curatedmcp.com

Splunk MCP is the official Model Context Protocol server that bridges AI agents to your Splunk instance. Instead of context-switching between Claude and your monitoring platform, you can now ask your AI assistant to search logs, inspect alerts, correlate incidents, and surface root causes—all without leaving your chat.

What It Does

Splunk MCP gives Claude and other AI agents direct access to your observability and security data. You can run SPL (Splunk Processing Language) queries, retrieve event results, inspect logs across services, and access alert timelines. The server also lets you search saved dashboards, manage data inputs, and correlate security events with operational metrics.

The key unlock: your AI agent can now triage incidents autonomously. Feed it vague symptoms ("why did latency spike at 3pm?"), and it can query your Splunk instance, pull relevant logs and metrics, cross-reference alert history, and surface likely root causes. For SRE and SecOps teams drowning in data, this cuts investigation time significantly.

How to Install

Install via npm:

npx -y @splunk/mcp

Then add Splunk MCP to your Claude Desktop config:

{
  "mcpServers": {
    "splunk-mcp": {
      "command": "npx",
      "args": ["-y", "@splunk/mcp"],
      "env": {
        "SPLUNK_URL": "https://your-splunk-instance.com",
        "SPLUNK_USERNAME": "your_username",
        "SPLUNK_PASSWORD": "your_api_token"
      }
    }
  }
}

Replace the placeholders with your Splunk instance URL and credentials (Claude Desktop expects the executable in "command" and its arguments in the "args" array). Full setup guides for Cursor, Windsurf, and other clients are available in the official docs.

Real-World Use Cases

  • Incident triage at speed: "Hey Claude, I got a PagerDuty alert for high error rates. Search Splunk logs from the last 30 minutes and tell me which service is failing." Claude queries your instance, correlates events, and suggests remediation steps.
  • Root cause analysis: "Why did our database queries slow down yesterday around 2pm?" Claude pulls metrics, compares baselines, and surfaces anomalies you'd normally miss.
  • Security event correlation: "Find all failed login attempts from the last 48 hours and correlate them with successful logins from unusual IPs." Claude runs complex multi-field searches without you writing SPL.
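The correlation in the last use case is the kind of logic the agent has to express in SPL: successful logins that follow a burst of failures and come from an IP the account has never succeeded from before. The following is an added example, not code from the post or from the Splunk MCP project; it implements that check in Python over constructed events whose field names (_time, user, src_ip, action) are an assumption about how an auth index is shaped.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Splunk output); field names are assumed.
EVENTS = [
    {"_time": "2024-05-01T13:58:00", "user": "alice", "src_ip": "10.0.0.5",    "action": "success"},
    {"_time": "2024-05-01T14:00:00", "user": "alice", "src_ip": "203.0.113.7", "action": "failure"},
    {"_time": "2024-05-01T14:00:10", "user": "alice", "src_ip": "203.0.113.7", "action": "failure"},
    {"_time": "2024-05-01T14:00:20", "user": "alice", "src_ip": "203.0.113.7", "action": "failure"},
    {"_time": "2024-05-01T14:01:00", "user": "alice", "src_ip": "203.0.113.7", "action": "success"},
    {"_time": "2024-05-01T14:05:00", "user": "bob",   "src_ip": "10.0.0.9",    "action": "failure"},
    {"_time": "2024-05-01T14:06:00", "user": "bob",   "src_ip": "10.0.0.9",    "action": "success"},
]


def correlate(events, min_failures=3, window=timedelta(minutes=10)):
    """Return (user, src_ip, failure_count) for each successful login that
    follows at least `min_failures` failures from the same IP within `window`
    and comes from an IP with no earlier successful login for that user
    (the "unusual IP" of the use case)."""
    events = sorted(events, key=lambda e: e["_time"])
    known_ips = defaultdict(set)         # user -> IPs with a prior success
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["_time"])
        key = (e["user"], e["src_ip"])
        if e["action"] == "failure":
            recent_failures[key].append(ts)
            continue
        # Success: count only failures still inside the time window.
        fails = [t for t in recent_failures[key] if ts - t <= window]
        if len(fails) >= min_failures and e["src_ip"] not in known_ips[e["user"]]:
            findings.append((e["user"], e["src_ip"], len(fails)))
        # Every success teaches us a "normal" IP for the user and clears the burst.
        known_ips[e["user"]].add(e["src_ip"])
        recent_failures[key] = []
    return findings


if __name__ == "__main__":
    for user, ip, n in correlate(EVENTS):
        print(f"{user}: success from new IP {ip} after {n} failures")
```

Bob's single failure followed by a success from a known internal address does not fire; Alice's success from 203.0.113.7 after three failures does.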

Full install guides for Claude Desktop, Cursor, Windsurf, and more at CuratedMCP.
