MCP Server for Splunk

Build 25.0.9440

Establishing a Connection

The CData MCP Server for Splunk defines each connection to Splunk as a named configuration that Claude can use when sending natural language queries.

You create and manage these configurations using the MCP Configuration Tool. The tool automatically handles formatting, storage, and registration with Claude Desktop.

Understanding Connection Configurations

Each connection configuration is stored in a .mcp file. This file includes the details needed to initialize the connector when Claude starts a session.

  • On Windows, configuration files are stored in "~/AppData/Roaming/CData/Splunk Data Provider/".
  • On macOS, configuration files are stored in "~/Library/Application Support/CData/Splunk Data Provider/".

The .mcp file is a text file that contains a list of connection properties and a timestamp. For example: 

#Tue May 20 15:48:40 EDT 2025
AuthScheme=Basic
User=myUser
Password=myPassword
Security Token=myToken

The configuration tool handles these settings automatically. Each saved configuration enables Claude to launch a dedicated MCP Server instance with the correct connector and options. Manual file editing is not required.

Connecting to Splunk APIs

You must specify the URL to a valid Splunk server. By default the server makes requests on port 8089.

By default, the server attempts to negotiate TLS/SSL with the server. For more information on TLS/SSL configuration, see SSL Configuration.

Authenticating to Splunk

There are two ways to authenticate to Splunk data: logging in with Splunk credentials, or using a Splunk authentication token.

Splunk Credentials

To authenticate with Splunk credentials, set User and Password to your login credentials.

Splunk Token

When you access Splunk via an authentication token, you can access the Splunk platform using Representational State Transfer (REST) calls. On Splunk Enterprise, you can also use the CLI. Both of these methods enable you to access the instance and make requests without having to authenticate via credentials.

Note: Unless you are accessing a search head cluster (where you can use the same token to access all available head clusters), you must have a separate token for each instance being accessed.

To authenticate with a Splunk token:

  1. In the Splunk UI, navigate to Users and Authentication > Tokens to access your assigned authentication token. If you do not have one, request one from the administrator of the instance you want to access.
  2. Set the AuthScheme to AccessToken; and the AccessToken property to your Splunk token.

Copyright (c) 2025 CData Software, Inc. - All rights reserved.
Build 25.0.9440