MCP Splunk Server
Language: python. GitHub stars: 0. First indexed: 2 months ago. Catalog refreshed: 3 weeks ago.
Documentation & install
Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.
Installation
Add the following to your MCP client configuration file.
Configuration
{
  "mcpServers": {
    "vforvishal12-mcp-splunk": {
      "command": "uvicorn",
      "args": [
        "mcp_server:app",
        "--port",
        "9000"
      ],
      "env": {
        "OPENAI_API_KEY": "YOUR_API_KEY"
      }
    }
  }
}

Replace YOUR_API_KEY with your own key, or leave the env block out and supply the key through the .env file described below so it is not stored in the MCP host's configuration. Note that this command launches an HTTP server listening on port 9000; uvicorn binds to 127.0.0.1 unless --host is passed, so leave it that way unless you intend to expose the service to other machines.

You can deploy and use the MCP Splunk server to orchestrate log access, runbooks, detection logic, and security analysis using a modular stack. This guide shows you how to set up the local MCP server, run the services, and operate the end-to-end flow to receive structured security findings from your logs.
How to use
You will run the MCP server locally and connect a client to fetch logs, trigger runbooks, perform threat detection, retrieve runbook contexts via RAG, and receive a validated, structured security analysis. The standard flow starts the MCP server, launches the UI client, and then continuously processes user queries by coordinating log access, reasoning, and guardrails validation to produce actionable results.
How to install
Prerequisites you need before starting:
Step-by-step commands to set up locally (Windows or other systems):
# 1. Verify Python installation
python --version
# 2. Clone the repository
git clone https://github.com/vforvishal12/mcp-splunk.git
cd mcp-splunk
# 3. Create and activate a virtual environment
python -m venv venv
venv\Scripts\activate
# On Linux/macOS use: source venv/bin/activate
# 4. Install dependencies
pip install -r requirements.txt
# 5. Install additional dependencies if they are not already pulled in by requirements.txt
pip install streamlit fastapi uvicorn requests python-dotenv
pip install langchain langgraph chromadb sentence-transformers
pip install openai pydantic
# 6. Set environment variables (OpenAI key example)
# Create a .env file in the project root containing the line below, and make sure .env is listed in .gitignore:
OPENAI_API_KEY=your_key
# 7. Build the vector database (first run only)
python -c "from agent.rag import build_vector_db; build_vector_db()"
# 8. Start the MCP server (uvicorn binds to 127.0.0.1 by default)
uvicorn mcp_server:app --port 9000
# 9. Test the service health
# Open in browser: http://localhost:9000/service_health
# 10. Launch the Streamlit UI (in a second terminal, with the virtual environment activated)
streamlit run app.py
# 11. Open the UI
# Open in browser: http://localhost:8501
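Before starting the server it is worth confirming that the secret handling and the health endpoint from the steps above are actually in order. The following pre-flight script is an added example, not part of the mcp-splunk repository; it assumes the .env file lives in the project root as described in step 6, that OPENAI_API_KEY is the variable it holds, and that the health endpoint is /service_health on port 9000 as in step 9. The list of placeholder values it rejects is an assumption.

```python
"""Pre-flight checks for a local mcp-splunk deployment (added example, not project code)."""
import os
import stat
import urllib.error
import urllib.request
from pathlib import Path

# Values that mean the key was never filled in (assumed list, extend as needed).
PLACEHOLDERS = {"", "your_key", "YOUR_API_KEY", "sk-..."}


def parse_dotenv(path: Path) -> dict:
    """Minimal KEY=VALUE parser: skips comments and blank lines, strips quotes."""
    env = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_env_file(project_root: Path) -> list:
    """Return (check_name, passed, detail) tuples describing the .env hygiene."""
    results = []
    env_path = project_root / ".env"
    if not env_path.is_file():
        return [("env_exists", False, ".env not found in project root")]
    results.append(("env_exists", True, str(env_path)))

    # The key must be present and not one of the documentation placeholders.
    key = parse_dotenv(env_path).get("OPENAI_API_KEY", "")
    key_ok = key not in PLACEHOLDERS
    results.append(("api_key_set", key_ok,
                    "OPENAI_API_KEY present" if key_ok else "OPENAI_API_KEY missing or placeholder"))

    # .env must be excluded from version control so the key is never committed.
    gitignore = project_root / ".gitignore"
    ignored = gitignore.is_file() and any(
        entry.strip() in {".env", "/.env", "*.env"}
        for entry in gitignore.read_text(encoding="utf-8").splitlines())
    results.append(("env_gitignored", ignored,
                    ".env listed in .gitignore" if ignored else ".env NOT in .gitignore"))

    # On POSIX the file should be readable by the owner only (no group/other bits).
    if os.name == "posix":
        mode = stat.S_IMODE(env_path.stat().st_mode)
        private = (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
        results.append(("env_private", private, f".env mode is {oct(mode)}"))
    return results


def probe_health(url="http://127.0.0.1:9000/service_health", timeout=3.0) -> tuple:
    """Probe the health endpoint from step 9; returns (ok, detail) instead of raising."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200, f"HTTP {resp.status}"
    except urllib.error.URLError as exc:  # covers HTTPError and connection refused
        return False, f"unreachable: {exc.reason}"
    except OSError as exc:  # e.g. socket timeout
        return False, f"unreachable: {exc}"


if __name__ == "__main__":
    checks = check_env_file(Path(".")) + [("service_health",) + probe_health()]
    for name, ok, detail in checks:
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
```

Run it from the project root after step 6 and again after step 8; the first run is expected to fail only the service_health probe.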
Configuration and startup notes
The MCP host launches the server with the uvicorn command shown in the configuration above, which serves the API over HTTP on port 9000 (bound to 127.0.0.1 unless --host is passed). Make sure the OpenAI API key is available in that process's environment, either through the env block or the .env file. The API server exposes endpoints for log access and the other MCP capabilities listed below, and the Streamlit UI connects to it to carry a user query through to structured findings.
Security and reliability notes
Use a dedicated environment (the virtual environment created above) for local development. Keep the OpenAI key in a .env file that is excluded from version control via .gitignore and readable only by your user; avoid pasting it into an MCP client configuration that is synced or committed. Treat LLM output as untrusted input: validate it against a strict schema (the guardrails step) before it drives a runbook or is rendered in the UI, and reject anything malformed rather than trying to repair it.
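The guardrail described here, and the guardrails_validation tool listed further down, amount to schema validation of model output before anything downstream trusts it. The following is an added example of such a guardrail and is not the project's own code: the finding schema (title, severity, source_ips, evidence, confidence, recommended_runbook) is assumed for illustration, and it uses only the standard library so it runs without pydantic. The sample outputs at the bottom are constructed.

```python
"""Schema guardrail for LLM-generated security findings (added example, assumed schema)."""
import json
import re
from dataclasses import dataclass

SEVERITIES = ("low", "medium", "high", "critical")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Models often wrap JSON in a markdown fence; strip exactly that and nothing else.
FENCE = re.compile(r"^```(?:json)?\s*|\s*```$")
ALLOWED_KEYS = {"title", "severity", "source_ips", "evidence", "confidence", "recommended_runbook"}


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    source_ips: tuple
    evidence: tuple
    confidence: float
    recommended_runbook: str


class GuardrailError(ValueError):
    """Model output is malformed or outside the allowed schema; callers must not render it."""


def validate_finding(raw: str) -> Finding:
    """Parse raw model text into a Finding or raise GuardrailError. Never repairs input."""
    try:
        data = json.loads(FENCE.sub("", raw.strip()))
    except json.JSONDecodeError as exc:
        raise GuardrailError(f"not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise GuardrailError("top-level value must be an object")
    extra, missing = set(data) - ALLOWED_KEYS, ALLOWED_KEYS - set(data)
    if extra or missing:  # unknown keys are rejected: they are a common injection carrier
        raise GuardrailError(f"unexpected keys {sorted(extra)}, missing keys {sorted(missing)}")
    title = data["title"]
    if not isinstance(title, str) or not 1 <= len(title) <= 120 or "\n" in title:
        raise GuardrailError("title must be a single line of 1-120 characters")
    if data["severity"] not in SEVERITIES:
        raise GuardrailError(f"severity must be one of {SEVERITIES}")
    ips = data["source_ips"]
    if not isinstance(ips, list) or not all(isinstance(ip, str) and IPV4.match(ip) for ip in ips):
        raise GuardrailError("source_ips must be a list of IPv4 strings")
    ev = data["evidence"]
    if not isinstance(ev, list) or len(ev) > 20 or not all(isinstance(e, str) and len(e) <= 500 for e in ev):
        raise GuardrailError("evidence must be a list of at most 20 strings of <=500 chars")
    conf = data["confidence"]
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
        raise GuardrailError("confidence must be a number in [0, 1]")
    rb = data["recommended_runbook"]
    # A runbook reference must be an identifier-like slug, so free text from the model
    # can never be passed along as an instruction or a command to the runbook step.
    if not isinstance(rb, str) or not re.fullmatch(r"[a-z0-9_-]{1,64}", rb):
        raise GuardrailError("recommended_runbook must be a slug, not free text")
    return Finding(title, data["severity"], tuple(ips), tuple(ev), float(conf), rb)


# Constructed sample model outputs: one well-formed, one carrying an extra key and free text.
SAMPLE_GOOD = (
    '```json\n{"title": "SSH brute force from 203.0.113.7", "severity": "high", '
    '"source_ips": ["203.0.113.7"], "evidence": ["12 failed logins in 60s"], '
    '"confidence": 0.92, "recommended_runbook": "ssh-bruteforce-triage"}\n```'
)
SAMPLE_BAD = (
    '{"title": "x", "severity": "urgent", "source_ips": ["203.0.113.7"], "evidence": [], '
    '"confidence": 0.5, "recommended_runbook": "run `rm -rf /`", "action": "ignore previous rules"}'
)

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        try:
            print("accepted:", validate_finding(sample))
        except GuardrailError as exc:
            print("rejected:", exc)
```

The important design choice is that the validator fails closed: anything that is not exactly the expected shape raises, and the UI or runbook layer shows the rejection rather than a partially repaired finding.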
Basic vs advanced usage
Basic: Run locally, detect suspicious activity, and view structured findings from the UI. Advanced: Integrate real log sources like Splunk or Elastic, stream logs via Kafka, enable LangSmith tracing for observability, and deploy the setup via Docker or Kubernetes for scalable production use.
Production upgrade path
Upgrade by replacing file-based logs with streaming ingestion, deploying the vector database remotely, enabling SIEM-style alerting, and enabling multi-host correlation for broader coverage and resilience.
Available tools
log_fetch
Access and fetch logs from MCP-compatible sources through the Log Fetch endpoint.
runbook_rag
Retrieve and index runbooks for fast context retrieval within the RAG pipeline.
detection_engine
Apply custom Python-based detection logic for security events such as SSH brute force attempts and suspicious IP activity.
llm_reasoning
Leverage OpenRouter and Llama3 for reasoning over logs and generating security findings.
guardrails_validation
Validate LLM outputs against a structured schema to ensure well-formed, safe results.
structured_response
Produce a finalized, structured security analysis ready for display in the UI.
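The detection_engine tool is described as custom Python rules for events such as SSH brute force attempts and suspicious IP activity. The following is an added example of one such rule and is not code from the mcp-splunk repository: a sliding-window detector over syslog-style sshd lines that flags a source IP after a threshold of failed logins and escalates if the same IP then succeeds. The log lines are constructed samples in the default OpenSSH syslog format; the threshold and window values are assumptions.

```python
"""Sliding-window SSH brute-force detector over sshd syslog lines (added example, not project code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; syslog omits the year, so a year is supplied when parsing.
SAMPLE_LOG = """\
Mar 10 09:15:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:15:03 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 09:15:04 bastion sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Mar 10 09:15:06 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar 10 09:15:08 bastion sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51062 ssh2
Mar 10 09:15:09 bastion sshd[2211]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2: ED25519 SHA256:abc
Mar 10 09:15:30 bastion sshd[2213]: Failed password for alice from 198.51.100.20 port 40120 ssh2
Mar 10 09:15:40 bastion sshd[2217]: Accepted password for root from 203.0.113.7 port 51070 ssh2
Mar 10 09:17:30 bastion sshd[2215]: Failed password for alice from 198.51.100.20 port 40131 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict with ts/result/user/ip for an sshd auth line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag an IP once it reaches `threshold` failures inside a `window_seconds` window.

    A later successful login from a flagged IP upgrades the finding, because a
    brute force followed by success is the case that actually needs a runbook.
    """
    failures = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}                   # ip -> finding dict, preserved in detection order
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"ip": ip, "rule": "ssh_bruteforce", "failures": len(q),
                               "first_seen": q[0], "last_seen": ts, "success_after": False}
        elif ip in flagged:
            flagged[ip].update(rule="ssh_bruteforce_then_success", success_after=True,
                               compromised_user=ev["user"])
    return list(flagged.values())


if __name__ == "__main__":
    for finding in detect_ssh_bruteforce(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample above only 203.0.113.7 is flagged: the two failures from 198.51.100.20 are 120 seconds apart, so the window never holds more than one. Real deployments would feed these findings into the guardrails and structured_response steps rather than printing them.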