
Splunk MCP Server vs Deslicer mcp-for-splunk — vendor-native vs open source

Splunk's MCP Server reached general availability in February 2026 (Splunkbase app 7931) with encrypted-token auth and admin-controlled tools. Deslicer maintains mcp-for-splunk, an Apache 2.0 open-source Model Context Protocol server with 50+ tools (plus 70+ more via the companion mcp-itsi-server, 120+ combined), 16 resources including CIM data models, built-in AI troubleshooting workflows, and per-request multi-tenancy. Compare both, then pick the right MCP path for your Splunk stack.

Deslicer's mcp-for-splunk (github.com/deslicer/mcp-for-splunk) is a community-driven, Apache-2.0 MCP server with 50+ tools, 16 resources including CIM data models, 174 tests, built-in AI troubleshooting workflows, and a companion mcp-itsi-server that adds 70+ ITSI tools, 9 docs resources, and 3 workflow prompts for ITSI 4.21 — 120+ tools combined when both are installed. Splunk's GA MCP Server (Splunkbase app 7931) runs inside the Splunk control plane with vendor-managed updates, encrypted-token auth, and granular admin-controlled tools. Most teams run both: vendor-native for first-party data access, open source for AI workflows, ITSI coverage, and any environment Splunk's app does not reach.

How they compare

| Dimension | Deslicer | Splunk MCP Server |
|---|---|---|
| What it is | Open-source MCP server (mcp-for-splunk) — Apache 2.0, FastMCP-based, community-driven. Runs anywhere FastMCP runs: laptop, Docker, Kubernetes. | Vendor-native MCP Server distributed as Splunkbase app 7931. Reached GA in February 2026 and runs inside the Splunk control plane. |
| License & openness | Apache 2.0 — fork it, audit it, contribute tools to the catalog. Public roadmap and issue tracker on GitHub. | Vendor-licensed app on Splunkbase; included with eligible Splunk Cloud Platform / Enterprise entitlements. Roadmap controlled by Splunk. |
| Tool & resource catalog | 50+ tools across search, data discovery, admin, and health monitoring. 16 resources including CIM data models. Companion mcp-itsi-server adds 70+ ITSI tools, 9 doc resources, and 3 workflow prompts (120+ tools combined). | Core platform tools prefixed splunk_, AI Assistant tools prefixed saia_. Granular admin controls let admins disable individual tools server-side. |
| Built-in AI workflows | Ships list_workflows, workflow_runner, and workflow_builder MCP tools, plus runbooks for missing-data troubleshooting and performance analysis. Custom workflows can be added with the contrib scaffolding. | No built-in agentic workflow runtime — calling clients bring their own LLM and reasoning logic. Pairs natively with Splunk Hosted Models and AI Assistant 1.5. |
| ITSI coverage | Companion mcp-itsi-server (PyPI mcp-itsi-server) covers services, entities, KPIs, episodes, glass tables, deep dives, correlation searches, aggregation policies, and 9 ITSI doc resources for ITSI 4.21. | ITSI tooling is not included in this MCP Server release per current GA notes; teams that need ITSI MCP coverage rely on third-party servers today. |
| Multi-tenancy & auth | Per-request X-Splunk-* headers — one running server can route to many Splunk environments simultaneously. Session-based isolation, no credential storage on the server itself. | Encrypted token auth with rotating encryption keys. Each MCP Server instance binds to one Splunk Cloud / Enterprise environment. |
| Splunk environments supported | Splunk Enterprise on-prem, Splunk Cloud Platform, hybrid topologies — anywhere FastMCP can reach the Splunk management API on port 8089. | Splunk Cloud Platform and Splunk Enterprise (deployed inside the Splunk control plane). The previous SCS endpoint is deprecated; teams must migrate to the GA app. |
| Custom-tool extensibility | Available today via uv run generate-tool scaffolding, contrib directory grouped by category (security, DevOps, analytics, examples), validate-tools check script. | Custom-tool extensibility via App platform is announced as coming soon; no public release date in the current GA notes. |
| Pricing | Free under Apache 2.0. Optional Deslicer agentic platform (CIM Compliance, GDI Onboarding, DAP change plans) sits on top with per-user pricing. | Included with eligible Splunk Cloud Platform / Enterprise entitlements; consult your Splunk account team for entitlement details. |

Deslicer strengths

  • Apache 2.0 open source — fork it, audit the source, and contribute tools back to the catalog (174 tests passing in CI).
  • Built-in AI workflows: list_workflows, workflow_runner, workflow_builder, with missing-data and performance-analysis runbooks shipping today.
  • Companion mcp-itsi-server adds 70+ ITSI tools covering services, KPIs, glass tables, episodes, and correlation searches for ITSI 4.21 — 120+ tools combined when installed alongside the core server.
  • Per-request X-Splunk-* headers — one server, many environments, no credential storage.
  • Runs anywhere FastMCP runs: local (uv), Docker (with Traefik + MCP Inspector), or Kubernetes — including air-gapped on-prem.

Splunk MCP Server strengths

  • Vendor-native — first-party access to Splunk searches, knowledge objects, and platform metadata with no third-party connector to maintain.
  • GA February 2026 with encrypted-token auth and rotating encryption keys, hardened for production.
  • Granular admin controls — server-side enable/disable individual tools to manage exposure of sensitive capabilities.
  • Pairs natively with Splunk Hosted Models (Foundation-sec, Cisco Deep Time Series, gpt-oss) and AI Assistant 1.5.
  • Standard MCP surface that any compatible client (Cursor, Claude, Gemini, custom) can consume.

Public sources

Every claim about Splunk MCP Server on this page is anchored to a publicly available source so reviewers can verify each statement.

Ready to see Deslicer in action?

Connect a Splunk environment, launch a CIM compliance audit, and review the generated change plan — all in under 30 minutes.

Free plan available · Self-hosted on-prem deployment supported.