Connect Splunk to AI agents

Connect Splunk to Claude, Codex, Cursor, or other AI agents for your entire team. Metorial adds security, governance, and observability, and gives your team a single Magic MCP URL to connect.

Supported Tools

get_index

Get Index

Get detailed information about a specific Splunk index including size, event count, time range, retention policy, and storage paths.

list_users

List Users

List Splunk users on the instance. Returns username, real name, email, assigned roles, and default app. Supports pagination.

create_saved_search

Create Saved Search

Create a new saved search in Splunk. Optionally configure it as a scheduled search with a cron schedule, and/or set up alert actions including webhook notifications.

get_search_results

Get Search Results

Retrieve the status and results of a previously created search job. Returns the job's dispatch state and, if the search is complete, the result rows. Supports pagination with count and offset.

list_indexes

List Indexes

List data indexes on the Splunk instance. Returns index name, data type, size, event count, retention settings, and status. Supports filtering and pagination.

get_server_info

Get Server Info

Retrieve Splunk server information including server name, version, build number, OS, CPU architecture, and license state. Useful for verifying connectivity and server status.

list_kvstore_collections

List KV Store Collections

List all KV Store collections within a given Splunk app. Returns collection names, field definitions, and ownership info.

run_search

Run Search

Execute an SPL (Search Processing Language) query against Splunk. Supports both **oneshot** (blocking, returns results immediately) and **async** (creates a search job, returns a job ID for later retrieval) execution modes. Use oneshot mode for quick searches and async mode for long-running or complex queries.
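The query string an agent hands to Run Search is the main place where a read-only intent can turn into a write or an egress: a single trailing stage such as `| outputlookup` or `| sendemail` changes what the search does. The following is an added example written for this page, not Metorial's or Splunk's code. It extracts the command that begins each pipe stage (including stages inside `[subsearches]`, with pipes inside quoted strings ignored) and refuses a query that reaches a command on a denylist. The denylist is a starter set chosen here; the macro rule and the function names are assumptions.

```python
"""Pre-flight check for SPL an agent submits through run_search.

Hypothetical helper written for this page; it is not Metorial's or Splunk's
code. Align WRITE_OR_EGRESS_COMMANDS with the role the agent runs as.
"""

# Starter denylist (chosen here): commands that create, modify or delete data
# in Splunk, or push data to an external destination.
WRITE_OR_EGRESS_COMMANDS = frozenset({
    "delete", "collect", "mcollect", "meventcollect", "tscollect",
    "outputlookup", "outputcsv", "sendemail", "sendalert",
    "runshellscript", "script",
})


def command_names(spl: str) -> list[str]:
    """Return the command that starts each pipe stage, in order.

    A query (or a subsearch) that does not begin with '|' starts with an
    implicit 'search' stage. A '|' inside a quoted string is not a separator.
    """
    names: list[str] = []
    quote = None          # quote character we are currently inside, if any
    pending = "implicit"  # 'implicit' | 'explicit' | None: what the next token is
    i, n = 0, len(spl)
    while i < n:
        ch = spl[i]
        if quote:
            if ch == "\\":
                i += 2
                continue
            if ch == quote:
                quote = None
            i += 1
            continue
        if ch.isspace():
            i += 1
            continue
        if ch == "|":
            pending = "explicit"
            i += 1
            continue
        if ch == "[":
            pending = "implicit"  # a subsearch starts a new implicit search stage
            i += 1
            continue
        if pending == "implicit":
            names.append("search")
            pending = None
        elif pending == "explicit":
            j = i
            while j < n and (spl[j].isalnum() or spl[j] == "_"):
                j += 1
            pending = None
            if j > i:
                names.append(spl[i:j].lower())
                i = j
                continue
        if ch in ('"', "'"):
            quote = ch
        i += 1
    return names


def check_spl(spl: str) -> list[str]:
    """Reasons to refuse the query; an empty list means it passed the check."""
    reasons: list[str] = []
    for cmd in command_names(spl):
        reason = f"command '{cmd}' writes into Splunk or sends data out of it"
        if cmd in WRITE_OR_EGRESS_COMMANDS and reason not in reasons:
            reasons.append(reason)
    if "`" in spl:
        # A macro can expand to anything, so only the expanded query is checkable.
        reasons.append("query uses a macro; expand it before checking")
    return reasons


if __name__ == "__main__":
    for q in ("index=main error | stats count by host",
              "index=main | stats count | outputlookup agent_dump.csv",
              "`risky_macro` | head 1"):
        print(q, "->", check_spl(q) or "ok")
```

The same check applies to the query field of a saved search the agent creates or updates, since a scheduled search runs the SPL with the same effect. The check is a denylist and therefore only a first line: a role with restricted capabilities on the Splunk side is what actually prevents the write.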

dispatch_saved_search

Dispatch Saved Search

Execute (dispatch) an existing saved search. Returns a search job ID that can be used to retrieve results. Optionally override the time range and trigger alert actions.

list_saved_searches

List Saved Searches

List saved searches configured on the Splunk instance. Returns search name, query, schedule, and alert configuration. Supports filtering and pagination.

upsert_kvstore_record

Upsert KV Store Record

Insert a new record or update an existing record in a KV Store collection. To update, provide the record's `_key`. All updates are wholesale replacements - the entire record is overwritten.

delete_kvstore_records

Delete KV Store Records

Delete one or more records from a KV Store collection. Delete a single record by key, or delete multiple records matching a MongoDB-style query.

create_kvstore_collection

Create KV Store Collection

Create a new KV Store collection in a Splunk app. The collection serves as a key-value data store for app state and data.

delete_saved_search

Delete Saved Search

Delete a saved search from the Splunk instance by name.

query_kvstore_records

Query KV Store Records

Query records from a KV Store collection. Supports MongoDB-style query syntax for filtering, field projection, sorting, and pagination.
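Two of the KV Store tools above have edge cases worth seeing in code: Upsert KV Store Record replaces the whole record, so an agent that sends only the fields it wants to change silently drops the rest, and Delete KV Store Records with neither a key nor a query would be collection-wide. The following is an added example written for this page, not Metorial's or Splunk's code. The real operations are REST calls against the collection's data endpoint; this block models only their semantics with an in-memory collection, and its query matcher covers a small subset of the MongoDB-style operators. Function names and the sample records are assumptions.

```python
"""In-memory model of the KV Store upsert, query and delete operations.

Hypothetical helper written for this page; it is not Metorial's or Splunk's
code and does not talk to a Splunk instance.
"""
from __future__ import annotations

import uuid
from typing import Any

Record = dict[str, Any]
Collection = dict[str, Record]  # records keyed by their _key

SUPPORTED_OPS = ("$in", "$ne", "$gt", "$lt")


def kv_upsert(coll: Collection, record: Record) -> str:
    """Insert a record, or replace the whole record whose '_key' is given."""
    key = record.get("_key") or uuid.uuid4().hex
    coll[key] = {**record, "_key": key}  # wholesale replacement: omitted fields are gone
    return key


def kv_merge_update(coll: Collection, key: str, changes: Record) -> Record:
    """Read-merge-write so fields not mentioned in 'changes' survive the upsert."""
    current = coll.get(key)
    if current is None:
        raise KeyError(key)
    merged = {**current, **changes, "_key": key}
    kv_upsert(coll, merged)
    return merged


def _matches(record: Record, query: dict[str, Any]) -> bool:
    """Small subset of MongoDB-style matching: equality, $in, $ne, $gt, $lt, $or, $and."""
    for field, cond in query.items():
        if field == "$or":
            if not any(_matches(record, q) for q in cond):
                return False
        elif field == "$and":
            if not all(_matches(record, q) for q in cond):
                return False
        elif isinstance(cond, dict):
            value = record.get(field)
            for op, arg in cond.items():
                if op not in SUPPORTED_OPS:
                    raise ValueError(f"unsupported operator {op}")
                if (op == "$in" and value not in arg) or (op == "$ne" and value == arg):
                    return False
                if op in ("$gt", "$lt") and (
                    value is None or (value <= arg if op == "$gt" else value >= arg)
                ):
                    return False
        elif record.get(field) != cond:
            return False
    return True


def kv_query(coll: Collection, query: dict[str, Any] | None = None,
             fields: list[str] | None = None, limit: int = 0) -> list[Record]:
    """Filter, optionally project to 'fields' and cap the result count."""
    hits = [r for r in coll.values() if _matches(r, query or {})]
    if fields:
        hits = [{k: r[k] for k in fields if k in r} for r in hits]
    return hits[:limit] if limit else hits


def kv_delete(coll: Collection, key: str | None = None,
              query: dict[str, Any] | None = None) -> int:
    """Delete by key or by query; refuse the unscoped form, which would empty the collection."""
    if key is not None:
        return 1 if coll.pop(key, None) is not None else 0
    if not query:
        raise ValueError("refusing collection-wide delete: pass a key or a non-empty query")
    doomed = [k for k, r in coll.items() if _matches(r, query)]
    for k in doomed:
        del coll[k]
    return len(doomed)


if __name__ == "__main__":
    coll: Collection = {}  # constructed sample data
    k = kv_upsert(coll, {"host": "web01", "owner": "alice", "tier": "prod"})
    kv_upsert(coll, {"_key": k, "host": "web01", "tier": "staging"})
    print("after wholesale upsert:", coll[k])          # 'owner' is gone
    print("after merge update:", kv_merge_update(coll, k, {"owner": "bob"}))
```

When an agent is given the upsert tool, the merge helper is the shape to prefer: fetch, merge, write back. When it is given the delete tool, require a key or a non-empty query before the call leaves the policy layer.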

delete_kvstore_collection

Delete KV Store Collection

Delete an entire KV Store collection and all its records from a Splunk app.

create_index

Create Index

Create a new data index on the Splunk instance. Configure data type (event or metric), storage paths, max data size, and retention period.

list_fired_alerts

List Fired Alerts

List recently fired alerts on the Splunk instance. Returns alert names, trigger counts, and identifiers. Useful for monitoring alert activity.

send_hec_raw_event

Send HEC Raw Event

Send raw text data to Splunk via the HTTP Event Collector (HEC) raw endpoint. Use this for unstructured log data that Splunk should parse using its normal data processing pipeline.

get_current_user

Get Current User

Get information about the currently authenticated Splunk user, including username, roles, and capabilities.

send_hec_event

Send HEC Event

Send one or more events to Splunk via the HTTP Event Collector (HEC). Supports JSON-formatted events with optional metadata (host, source, sourcetype, index, timestamp). Requires an HEC token configured in authentication settings.
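Both HEC tools above let an agent write into Splunk, so the payload it builds deserves the same scrutiny as a query. The following is an added example written for this page, not Metorial's or Splunk's code, covering Send HEC Event and Send HEC Raw Event. The JSON envelope for the event endpoint, the raw endpoint with its metadata in the query string, and the `Authorization: Splunk <token>` header are Splunk's documented HEC interface; the index allowlist, the batch limit, the validation rules and all function names are choices made here, and the sample events are constructed.

```python
"""Build, batch and validate HTTP Event Collector (HEC) request bodies.

Hypothetical helper written for this page; it is not Metorial's or Splunk's
code and sends nothing over the network.
"""
from __future__ import annotations

import json
from typing import Any, Iterable
from urllib.parse import urlencode

# Constructed: the only index this agent's HEC token should write to. Mirror it in
# the token's own allowed-indexes setting; this check is defence in depth.
ALLOWED_INDEXES = frozenset({"agent_events"})
MAX_EVENTS_PER_BATCH = 100  # chosen here


def hec_headers(token: str) -> dict[str, str]:
    """HEC authenticates with 'Authorization: Splunk <token>'."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def _check_meta(index: str | None, ts: Any) -> None:
    if index is not None and index not in ALLOWED_INDEXES:
        raise ValueError(f"index {index!r} is not on the allowlist")
    if ts is not None and (isinstance(ts, bool) or not isinstance(ts, (int, float)) or ts <= 0):
        raise ValueError("time must be positive epoch seconds")


def hec_event(event: Any, *, host: str | None = None, source: str | None = None,
              sourcetype: str | None = None, index: str | None = None,
              ts: float | None = None) -> dict[str, Any]:
    """One envelope for the event endpoint; 'event' is a string or a JSON object."""
    _check_meta(index, ts)
    envelope: dict[str, Any] = {"event": event}
    for key, value in (("host", host), ("source", source), ("sourcetype", sourcetype),
                       ("index", index), ("time", ts)):
        if value is not None:
            envelope[key] = value
    return envelope


def hec_batch_body(envelopes: Iterable[dict[str, Any]]) -> str:
    """Several events go in one request as concatenated JSON objects."""
    items = list(envelopes)
    if not items:
        raise ValueError("empty batch")
    if len(items) > MAX_EVENTS_PER_BATCH:
        raise ValueError(f"batch of {len(items)} exceeds {MAX_EVENTS_PER_BATCH}")
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in items)


def parse_hec_batch(body: str) -> list[dict[str, Any]]:
    """Parse concatenated JSON objects (newline-separated or not) and re-check
    each one, for a body the agent assembled itself."""
    decoder = json.JSONDecoder()
    out: list[dict[str, Any]] = []
    pos = 0
    while pos < len(body):
        if body[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(body, pos)
        if not isinstance(obj, dict) or "event" not in obj:
            raise ValueError("every object needs an 'event' field")
        _check_meta(obj.get("index"), obj.get("time"))
        out.append(obj)
    return out


def hec_raw_request(text: str, *, sourcetype: str, index: str,
                    host: str | None = None) -> tuple[str, str]:
    """Path for the raw endpoint, metadata in the query string, body sent unchanged."""
    _check_meta(index, None)
    params = {"sourcetype": sourcetype, "index": index}
    if host:
        params["host"] = host
    return f"/services/collector/raw?{urlencode(params)}", text


if __name__ == "__main__":
    body = hec_batch_body([  # constructed sample events
        hec_event({"action": "login", "user": "alice"}, sourcetype="agent:audit",
                  index="agent_events", ts=1700000000),
        hec_event("plain text line", host="web01"),
    ])
    print(body)
    print(hec_raw_request("<13>Nov 14 22:13:20 web01 sshd[2301]: Accepted publickey for alice",
                          sourcetype="syslog", index="agent_events")[0])
```

An event without an explicit index lands in the token's default index, so the allowlist here only catches the explicit case; the token configuration remains the control that bounds where an agent can write.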

update_saved_search

Update Saved Search

Update an existing saved search in Splunk. Modify its query, schedule, description, alert configuration, or webhook URL.
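Create Saved Search and Update Saved Search both accept a webhook URL for alert actions, which means a scheduled search can deliver its results to any host the agent names. An allowlist on that URL is the check a practitioner wants in front of these two tools. The following is an added example written for this page, not Metorial's or Splunk's code; the allowlist entries and the function name are constructed.

```python
"""Allowlist check for the webhook URL of an agent-created or agent-updated
saved search. Hypothetical helper written for this page, not Metorial's or
Splunk's code."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: an exact host, or a leading '.' to allow its subdomains.
ALLOWED_WEBHOOK_HOSTS = frozenset({"hooks.example.com", ".alerts.example.net"})


def webhook_url_problems(url: str) -> list[str]:
    """Reasons to refuse the webhook URL; an empty list means it is acceptable."""
    problems: list[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username or parts.password:
        problems.append("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        problems.append("missing host")
        return problems
    try:
        ip = ipaddress.ip_address(host)  # urlsplit strips the brackets from IPv6 literals
    except ValueError:
        ip = None
    if ip is not None:
        # Covers link-local metadata services and private ranges in one rule.
        problems.append("IP literals are not allowed; use an allowlisted hostname")
    elif not any(host == h or (h.startswith(".") and host.endswith(h))
                 for h in ALLOWED_WEBHOOK_HOSTS):
        problems.append(f"host {host!r} is not on the webhook allowlist")
    return problems


if __name__ == "__main__":
    for u in ("https://hooks.example.com/alerts/1",
              "https://169.254.169.254/latest/",
              "https://hooks.example.com.evil.example.org/"):
        print(u, "->", webhook_url_problems(u) or "ok")
```

Suffix matching is deliberately anchored on a leading dot so that `hooks.example.com.evil.example.org` does not pass; an allowlist entry without the dot only matches that exact host.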

list_apps

List Apps

List installed local Splunk apps. Returns app name, label, version, visibility, disabled status, author, and description so users can discover valid app namespaces for searches, saved searches, and KV Store operations.

control_search_job

Control Search Job

Control a running or retained Splunk search job. Use this to cancel, finalize, pause, resume, or touch an async search job created by Run Search.

More integrations teams use with Splunk

GitHub

Manage repositories, issues, and pull requests. Create and configure branches, star repositories, review code, and merge changes. Automate CI/CD workflows with GitHub Actions, manage workflow runs, secrets, and artifacts. Track issues with labels, milestones, and assignees. Search across code, repositories, issues, and users. Manage organizations, teams, and memberships. Create and manage projects, gists, packages, deployments, and environments. Access security alerts including code scanning, secret scanning, and Dependabot alerts. Read and write file contents in repositories. Manage webhooks, notifications, and codespaces.

Sharepoint

Manage SharePoint sites, document libraries, lists, and files. Create, read, update, and delete lists and list items with custom columns. Upload, download, move, copy, and version files in document libraries. Search across sites, files, folders, lists, and list items using Microsoft Search. Manage permissions at site, list, and item levels with granular access control. Define and manage content types and site columns. Subscribe to webhooks for list and library change notifications. Retrieve site properties and search for sites across Microsoft 365.

Salesforce

Manage CRM data including Accounts, Contacts, Leads, Opportunities, Cases, and custom objects. Create, read, update, and delete records. Query data using SOQL and search across objects using SOSL. Perform bulk data operations for large-scale imports, exports, and migrations. Execute composite requests to batch multiple operations in a single API call. Access analytics, reports, and dashboards. Manage files and attachments associated with records. Interact with Chatter feeds, posts, and groups for social collaboration. Subscribe to real-time change events via Change Data Capture and Platform Events. Manage org metadata including custom objects, fields, layouts, and workflows. Query data using GraphQL for precise data retrieval across related objects.

Airtable

Create, read, update, and delete records in Airtable bases and tables. Manage base schemas including creating tables and fields. Filter records using formulas, sort by fields, and scope queries to specific views. Upsert records to find, create, or update in a single call. Upload attachments to records, read and write record comments, list accessible bases, and receive real-time base change events through webhooks.

Bitbucket

Manage Git repositories, pull requests, and CI/CD pipelines on Bitbucket Cloud. Create, fork, and configure repositories within workspaces and projects. Create, review, approve, merge, and decline pull requests with inline code comments. Browse source code, list commits, and manage branches and tags. Track issues with the built-in issue tracker. Trigger, monitor, and manage Bitbucket Pipelines. List workspace members, configure repository default reviewers and branch restrictions, create and manage repository webhooks, and search code across repositories.

Heroku

Deploy, manage, and scale applications on Heroku's cloud platform. Create and configure apps, scale dynos, provision add-ons (databases, caching, etc.), manage configuration variables, build and release code, add custom domains and SSL certificates, manage collaborators and team permissions, configure pipelines for continuous delivery, set up log drains, and sync data with Salesforce via Heroku Connect. Subscribe to webhooks for real-time notifications on app changes, builds, releases, dyno lifecycle events, and more.

Technical notes for Splunk

Search, monitor, and analyze machine-generated data such as logs, metrics, and events. Execute searches using Splunk Processing Language (SPL), create and manage search jobs, and retrieve results in JSON, XML, or CSV. Ingest data via the HTTP Event Collector (HEC) in JSON or raw text format. Create and manage saved searches, alerts, and webhook-based alert actions. Manage indexes, data inputs, and knowledge objects such as event types, field extractions, lookups, tags, and macros. Store and query application state using the KV Store with MongoDB-like queries. Manage dashboards, views, users, roles, apps, and server configuration.

Connect Splunk to production AI agents

See how Metorial gives Splunk access with the governance, tracing, and security controls teams need.

Frequently asked questions

Common questions about connecting Splunk to AI agents with Metorial.

  1. Can Metorial connect Splunk to AI agents?
    Yes. Metorial connects AI agents to Splunk through a governed integration layer, so teams can use the provider while keeping access controlled and observable.
  2. Metorial is MCP compatible and lets teams expose approved provider tools to MCP-capable agents and clients through a controlled access layer.
  3. Metorial applies policies across users, groups, providers, agents, and individual tools, then records the context around every agent interaction.
  4. Yes. Metorial records provider activity so teams can inspect tool calls, troubleshoot integrations, and give security teams the visibility they need.