All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Problems service mcp

icarvaja
Engager
‎03-20-2026 10:06 AM

Hi,

I am trying to validate connectivity to the official Splunk MCP Server app before integrating it with an MCP client / Google ADK.

Current environment:
- Splunk MCP Server app version: 1.0.3
- App status: Enabled
- Server status in app: active
- Encrypted MCP token was generated successfully

The app publishes these endpoints:
1. https://SPLUNK_HOST:8089/services/mcp
2. https://SPLUNK_HOST:443/en-US/splunkd/__raw/services/mcp

I tested both endpoints using the client recommended in Splunk documentation:

npx -y mcp-remote "https://SPLUNK_HOST:8089/services/mcp" --header "Authorization: Bearer ENCRYPTED_TOKEN"

and

npx -y mcp-remote "https://SPLUNK_HOST:443/en-US/splunkd/__raw/services/mcp" --header "Authorization: Bearer ENCRYPTED_TOKEN"

Observed behavior:
- Endpoint https://SPLUNK_HOST:8089/services/mcp
- http-first => HTTP 405 Method Not Allowed
- sse-only => HTTP 405
- Endpoint https://SPLUNK_HOST:443/en-US/splunkd/__raw/services/mcp
- http-first => HTTP 404 Page not found
- sse-only => HTTP 405

At this point I have already ruled out:
- local client issues
- Python / ADK issues
- missing encrypted token
- basic network connectivity issues

Questions:
1. For Splunk MCP Server 1.0.3, which of these endpoints is the correct one for remote MCP clients such as mcp-remote?
2. Should the published endpoint support streamable HTTP / SSE out of the box?
3. Is any additional server-side configuration required beyond enabling the app and generating encrypted tokens?
4. Could missing capabilities such as mcp_tool_execute cause this behavior, or would that normally produce a different error?
5. Are there known cases where the app UI shows endpoints, but the remote transport is not actually exposed correctly?

Thanks.

cto para clientes MCP remotos como

Labels (1)
Labels
Reply

kknairr
Contributor
‎03-20-2026 10:39 AM

@icarvaja - Since you already ruled out common issues, I would suggest you upgrade your MCP Server app to latest version 1.0.4 from Splunk base as it fixed certain issues. I suspect the issue related to the mcp_tool_execute role is addressed in the latest version. After upgrading, retest the mcp-remote client against the 8089 endpoints with your encrypted token.

splunk-mcp.png

If issues persist, check splunkd.log for MCPrelated errors, as the app should expose SSE out of the box once correctly installed and enabled.

App link: Splunk MCP Server | Splunkbase

Hope it helps and keep us posted.

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...