get_index
Get Index
Get detailed information about a specific Splunk index including size, event count, time range, retention policy, and storage paths.
list_users
List Splunk users on the instance. Returns username, real name, email, assigned roles, and default app. Supports pagination.
create_saved_search
Create a new saved search in Splunk. Optionally configure it as a scheduled search with a cron schedule, and/or set up alert actions including webhook notifications.
get_search_results
Retrieve the status and results of a previously created search job. Returns the job's dispatch state and, if the search is complete, the result rows. Supports pagination with count and offset.
list_indexes
List data indexes on the Splunk instance. Returns index name, data type, size, event count, retention settings, and status. Supports filtering and pagination.
get_server_info
Retrieve Splunk server information including server name, version, build number, OS, CPU architecture, and license state. Useful for verifying connectivity and server status.
list_kvstore_collections
List all KV Store collections within a given Splunk app. Returns collection names, field definitions, and ownership info.
run_search
Execute an SPL (Search Processing Language) query against Splunk. Supports both **oneshot** (blocking, returns results immediately) and **async** (creates a search job, returns a job ID for later retrieval) execution modes. Use oneshot mode for quick searches and async mode for long-running or complex queries.
dispatch_saved_search
Execute (dispatch) an existing saved search. Returns a search job ID that can be used to retrieve results. Optionally override the time range and trigger alert actions.
list_saved_searches
List saved searches configured on the Splunk instance. Returns search name, query, schedule, and alert configuration. Supports filtering and pagination.
upsert_kvstore_record
Insert a new record or update an existing record in a KV Store collection. To update, provide the record's `_key`. All updates are wholesale replacements - the entire record is overwritten.
delete_kvstore_records
Delete one or more records from a KV Store collection. Delete a single record by key, or delete multiple records matching a MongoDB-style query.
create_kvstore_collection
Create a new KV Store collection in a Splunk app. The collection serves as a key-value data store for app state and data.
delete_saved_search
Delete a saved search from the Splunk instance by name.
query_kvstore_records
Query records from a KV Store collection. Supports MongoDB-style query syntax for filtering, field projection, sorting, and pagination.
delete_kvstore_collection
Delete an entire KV Store collection and all its records from a Splunk app.
create_index
Create a new data index on the Splunk instance. Configure data type (event or metric), storage paths, max data size, and retention period.
list_fired_alerts
List recently fired alerts on the Splunk instance. Returns alert names, trigger counts, and identifiers. Useful for monitoring alert activity.
send_hec_raw_event
Send raw text data to Splunk via the HTTP Event Collector (HEC) raw endpoint. Use this for unstructured log data that Splunk should parse using its normal data processing pipeline.
get_current_user
Get information about the currently authenticated Splunk user, including username, roles, and capabilities.
send_hec_event
Send one or more events to Splunk via the HTTP Event Collector (HEC). Supports JSON-formatted events with optional metadata (host, source, sourcetype, index, timestamp). Requires an HEC token configured in authentication settings.
update_saved_search
Update an existing saved search in Splunk. Modify its query, schedule, description, alert configuration, or webhook URL.
list_apps
List installed local Splunk apps. Returns app name, label, version, visibility, disabled status, author, and description so users can discover valid app namespaces for searches, saved searches, and KV Store operations.
control_search_job
Control a running or retained Splunk search job. Use this to cancel, finalize, pause, resume, or touch an async search job created by Run Search.
Search, monitor, and analyze machine-generated data such as logs, metrics, and events. Execute searches using Splunk Processing Language (SPL), create and manage search jobs, and retrieve results in JSON, XML, or CSV. Ingest data via the HTTP Event Collector (HEC) in JSON or raw text format. Create and manage saved searches, alerts, and webhook-based alert actions. Manage indexes, data inputs, and knowledge objects such as event types, field extractions, lookups, tags, and macros. Store and query application state using the KV Store with MongoDB-like queries. Manage dashboards, views, users, roles, apps, and server configuration.