Can I use Splunk as a CLI?

Yes. KosmoKrator exposes a Splunk CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose Splunk through MCP?

Yes. The KosmoKrator MCP gateway can expose selected Splunk tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are Splunk credentials stored?

Splunk credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for Splunk MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

monitoring

Splunk CLI for AI Agents

Use the Splunk CLI from KosmoKrator to call Splunk tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

6 functions 5 read 1 write Bearer token auth

Submit Splunk feedback View package source

Splunk CLI Setup

Splunk can be configured headlessly with `kosmokrator integrations:configure splunk`.

# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure splunk --set access_token="$SPLUNK_ACCESS_TOKEN" --enable --read allow --write ask --json
kosmokrator integrations:doctor splunk --json
kosmokrator integrations:status --json

Credentials

Authentication type: Bearer token bearer_token. Configure credentials once, then use the same stored profile from scripts, coding CLIs, Lua code mode, and the MCP gateway.

Key	Env var	Type	Required	Label
`access_token`	`SPLUNK_ACCESS_TOKEN`	Secret `secret`	yes	Access Token
`url`	`SPLUNK_URL`	URL `url`	no	Splunk URL

Call Splunk Headlessly

Use the generic call form when another coding CLI or script needs a stable universal interface.

kosmo integrations:call splunk.splunk_search '{
  "query": "example_query",
  "earliest_time": "example_earliest_time",
  "latest_time": "example_latest_time"
}' --json

Use the provider shortcut form for shorter human-facing commands.

kosmo integrations:splunk splunk_search '{
  "query": "example_query",
  "earliest_time": "example_earliest_time",
  "latest_time": "example_latest_time"
}' --json

Agent Discovery Commands

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

kosmo integrations:docs splunk --json
kosmo integrations:docs splunk.splunk_search --json
kosmo integrations:schema splunk.splunk_search --json
kosmo integrations:search "Splunk" --json
kosmo integrations:list --json

All CLI Functions

Every function below can be called headlessly. The generic form is stable across all integrations; the provider shortcut is shorter but specific to Splunk.

`splunk.splunk_search`

Write write

Run a Splunk search query (SPL). Creates an asynchronous search job and returns the search ID (SID). Use splunk_get_search_results to retrieve results once the job completes.

Parameters: query, earliest_time, latest_time

Generic CLI call

kosmo integrations:call splunk.splunk_search '{"query":"example_query","earliest_time":"example_earliest_time","latest_time":"example_latest_time"}' --json

Provider shortcut

kosmo integrations:splunk splunk_search '{"query":"example_query","earliest_time":"example_earliest_time","latest_time":"example_latest_time"}' --json

`splunk.splunk_get_search_results`

Read read

Retrieve results from a completed Splunk search job. Pass the search ID (SID) returned by splunk_search. Supports pagination with offset and count parameters.

Parameters: sid, offset, count

Generic CLI call

kosmo integrations:call splunk.splunk_get_search_results '{"sid":"example_sid","offset":1,"count":1}' --json

Provider shortcut

kosmo integrations:splunk splunk_get_search_results '{"sid":"example_sid","offset":1,"count":1}' --json

`splunk.splunk_list_indexes`

Read read

List all Splunk indexes available to the authenticated user. Returns index names, sizes, event counts, and retention settings.

Parameters: none

Generic CLI call

kosmo integrations:call splunk.splunk_list_indexes '{}' --json

Provider shortcut

kosmo integrations:splunk splunk_list_indexes '{}' --json

`splunk.splunk_list_saved_searches`

Read read

List all saved searches configured in Splunk. Returns search names, queries, schedules, and alert settings.

Parameters: none

Generic CLI call

kosmo integrations:call splunk.splunk_list_saved_searches '{}' --json

Provider shortcut

kosmo integrations:splunk splunk_list_saved_searches '{}' --json

`splunk.splunk_get_index`

Read read

Get details for a specific Splunk index by name. Returns configuration, size, event count, and retention policy.

Parameters: name

Generic CLI call

kosmo integrations:call splunk.splunk_get_index '{"name":"example_name"}' --json

Provider shortcut

kosmo integrations:splunk splunk_get_index '{"name":"example_name"}' --json

`splunk.splunk_get_current_user`

Read read

Get the current authenticated Splunk user context. Returns username, roles, capabilities, and tenant information.

Parameters: none

Generic CLI call

kosmo integrations:call splunk.splunk_get_current_user '{}' --json

Provider shortcut

kosmo integrations:splunk splunk_get_current_user '{}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling integrations:schema first.

`splunk.splunk_search`

Run a Splunk search query (SPL). Creates an asynchronous search job and returns the search ID (SID). Use splunk_get_search_results to retrieve results once the job completes.

Operation: Write write
Schema command: kosmo integrations:schema splunk.splunk_search --json

Parameter	Type	Required	Description
`query`	string	yes	The SPL search query (e.g., "search index=main error \| head 100").
`earliest_time`	string	no	Earliest time for the search time range. Supports relative (e.g., "-24h", "-7d") or absolute (e.g., "2025-01-01T00:00:00") format.
`latest_time`	string	no	Latest time for the search time range. Supports relative (e.g., "now") or absolute (e.g., "2025-01-31T23:59:59") format.

`splunk.splunk_get_search_results`

Retrieve results from a completed Splunk search job. Pass the search ID (SID) returned by splunk_search. Supports pagination with offset and count parameters.

Operation: Read read
Schema command: kosmo integrations:schema splunk.splunk_get_search_results --json

Parameter	Type	Required	Description
`sid`	string	yes	The search job ID (SID) returned by a previous search.
`offset`	integer	no	The starting offset for pagination (0-based, default: 0).
`count`	integer	no	The number of results to return per page (default: 100).

`splunk.splunk_list_indexes`

List all Splunk indexes available to the authenticated user. Returns index names, sizes, event counts, and retention settings.

Operation: Read read
Schema command: kosmo integrations:schema splunk.splunk_list_indexes --json

Parameter	Type	Required	Description
No parameters.

`splunk.splunk_list_saved_searches`

List all saved searches configured in Splunk. Returns search names, queries, schedules, and alert settings.

Operation: Read read
Schema command: kosmo integrations:schema splunk.splunk_list_saved_searches --json

Parameter	Type	Required	Description
No parameters.

`splunk.splunk_get_index`

Get details for a specific Splunk index by name. Returns configuration, size, event count, and retention policy.

Operation: Read read
Schema command: kosmo integrations:schema splunk.splunk_get_index --json

Parameter	Type	Required	Description
`name`	string	yes	The name of the Splunk index to retrieve (e.g., "main", "_internal").

`splunk.splunk_get_current_user`

Get the current authenticated Splunk user context. Returns username, roles, capabilities, and tenant information.

Operation: Read read
Schema command: kosmo integrations:schema splunk.splunk_get_current_user --json

Parameter	Type	Required	Description
No parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with integrations:configure. Add --force only for trusted automation that should bypass that policy.