Can I use Splunk as a CLI?

Yes. KosmoKrator exposes a Splunk CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose Splunk through MCP?

Yes. The KosmoKrator MCP gateway can expose selected Splunk tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are Splunk credentials stored?

Splunk credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for Splunk MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

data

Splunk CLI for AI Agents

Use the Splunk CLI from KosmoKrator to call Splunk tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

Splunk CLI Setup

Splunk can be configured headlessly with `kosmokrator integrations:configure splunk`.

Install, configure, and verify

# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure splunk --set access_token="$SPLUNK_ACCESS_TOKEN" --enable --read allow --write ask --json
kosmokrator integrations:doctor splunk --json
kosmokrator integrations:status --json

Credentials

Authentication type: Bearer token bearer_token. Configure credentials once, then reuse the same stored profile from scripts, coding CLIs, Lua, and MCP.

Key	Env var	Type	Required	Label
`access_token`	`SPLUNK_ACCESS_TOKEN`	Secret `secret`	yes	Access Token
`url`	`SPLUNK_URL`	URL `url`	no	Splunk Services URL

Command Patterns

The generic command is stable across every integration. The provider shortcut is shorter for humans.

Generic CLI call

kosmo integrations:call splunk.splunk_search '{"query":"example_query","earliest_time":"example_earliest_time","latest_time":"example_latest_time","exec_mode":"example_exec_mode","options":"example_options"}' --json

Provider shortcut

kosmo integrations:splunk splunk_search '{"query":"example_query","earliest_time":"example_earliest_time","latest_time":"example_latest_time","exec_mode":"example_exec_mode","options":"example_options"}' --json

Discovery

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

Discovery commands

kosmo integrations:docs splunk --json
kosmo integrations:docs splunk.splunk_search --json
kosmo integrations:schema splunk.splunk_search --json
kosmo integrations:search "Splunk" --json
kosmo integrations:list --json

Automation Contexts

The same configured command surface works in these environments. The command does not change unless the host wrapper, credentials, or permissions change.

CI Run integration calls from CI jobs with JSON output, explicit credentials, and predictable exit status. Cron Jobs Schedule repeatable integration workflows from cron while keeping credentials in KosmoKrator config. Shell Scripts Call integration functions from shell scripts with stable JSON input and output. Headless Automation Use KosmoKrator as a non-interactive integration runtime for local automations and wrappers. Coding Agents Let coding agents discover schemas and execute integration functions through CLI commands or MCP.

CLI Functions

Every function below can be called headlessly. Commands are highlighted, copyable, and scroll horizontally when payloads are long.

`splunk.splunk_search`

Run a Splunk search query (SPL). Creates an asynchronous search job and returns the search ID (SID). Use splunk_get_search_results to retrieve results once the job completes.

Write write

Parameters: query, earliest_time, latest_time, exec_mode, options

Generic call

kosmo integrations:call splunk.splunk_search '{"query":"example_query","earliest_time":"example_earliest_time","latest_time":"example_latest_time","exec_mode":"example_exec_mode","options":"example_options"}' --json

Shortcut

kosmo integrations:splunk splunk_search '{"query":"example_query","earliest_time":"example_earliest_time","latest_time":"example_latest_time","exec_mode":"example_exec_mode","options":"example_options"}' --json

`splunk.splunk_export_search`

Run a Splunk export search and return the parsed or raw response.

Read read

Parameters: query, earliest_time, latest_time, options

Generic call

kosmo integrations:call splunk.splunk_export_search '{"query":"example_query","earliest_time":"example_earliest_time","latest_time":"example_latest_time","options":"example_options"}' --json

Shortcut

kosmo integrations:splunk splunk_export_search '{"query":"example_query","earliest_time":"example_earliest_time","latest_time":"example_latest_time","options":"example_options"}' --json

`splunk.splunk_list_search_jobs`

List Splunk search jobs with pagination and optional server-side filtering.

Read read

Parameters: count, offset, search

Generic call

kosmo integrations:call splunk.splunk_list_search_jobs '{"count":1,"offset":1,"search":"example_search"}' --json

Shortcut

kosmo integrations:splunk splunk_list_search_jobs '{"count":1,"offset":1,"search":"example_search"}' --json

`splunk.splunk_get_search_job`

Get status and metadata for a Splunk search job by SID.

Read read

Parameters: sid

Generic call

kosmo integrations:call splunk.splunk_get_search_job '{"sid":"example_sid"}' --json

Shortcut

kosmo integrations:splunk splunk_get_search_job '{"sid":"example_sid"}' --json

`splunk.splunk_delete_search_job`

Cancel or delete a Splunk search job by SID.

Write write

Parameters: sid

Generic call

kosmo integrations:call splunk.splunk_delete_search_job '{"sid":"example_sid"}' --json

Shortcut

kosmo integrations:splunk splunk_delete_search_job '{"sid":"example_sid"}' --json

`splunk.splunk_get_search_results`

Retrieve results from a completed Splunk search job. Pass the search ID (SID) returned by splunk_search. Supports pagination with offset and count parameters.

Read read

Parameters: sid, offset, count

Generic call

kosmo integrations:call splunk.splunk_get_search_results '{"sid":"example_sid","offset":1,"count":1}' --json

Shortcut

kosmo integrations:splunk splunk_get_search_results '{"sid":"example_sid","offset":1,"count":1}' --json

`splunk.splunk_get_search_events`

Retrieve event rows from a completed Splunk search job.

Read read

Parameters: sid, offset, count

Generic call

kosmo integrations:call splunk.splunk_get_search_events '{"sid":"example_sid","offset":1,"count":1}' --json

Shortcut

kosmo integrations:splunk splunk_get_search_events '{"sid":"example_sid","offset":1,"count":1}' --json

`splunk.splunk_get_search_log`

Retrieve the search.log text for a Splunk search job.

Read read

Parameters: sid

Generic call

kosmo integrations:call splunk.splunk_get_search_log '{"sid":"example_sid"}' --json

Shortcut

kosmo integrations:splunk splunk_get_search_log '{"sid":"example_sid"}' --json

`splunk.splunk_list_indexes`

List all Splunk indexes available to the authenticated user. Returns index names, sizes, event counts, and retention settings.

Read read

Parameters: count, offset

Generic call

kosmo integrations:call splunk.splunk_list_indexes '{"count":1,"offset":1}' --json

Shortcut

kosmo integrations:splunk splunk_list_indexes '{"count":1,"offset":1}' --json

`splunk.splunk_get_index`

Get details for a specific Splunk index by name. Returns configuration, size, event count, and retention policy.

Read read

Parameters: name

Generic call

kosmo integrations:call splunk.splunk_get_index '{"name":"example_name"}' --json

Shortcut

kosmo integrations:splunk splunk_get_index '{"name":"example_name"}' --json

`splunk.splunk_create_index`

Create a Splunk index with optional index settings.

Write write

Parameters: name, options

Generic call

kosmo integrations:call splunk.splunk_create_index '{"name":"example_name","options":"example_options"}' --json

Shortcut

kosmo integrations:splunk splunk_create_index '{"name":"example_name","options":"example_options"}' --json

`splunk.splunk_update_index`

Update Splunk index configuration parameters.

Write write

Parameters: name, options

Generic call

kosmo integrations:call splunk.splunk_update_index '{"name":"example_name","options":"example_options"}' --json

Shortcut

kosmo integrations:splunk splunk_update_index '{"name":"example_name","options":"example_options"}' --json

`splunk.splunk_delete_index`

Delete a Splunk index by name.

Write write

Parameters: name

Generic call

kosmo integrations:call splunk.splunk_delete_index '{"name":"example_name"}' --json

Shortcut

kosmo integrations:splunk splunk_delete_index '{"name":"example_name"}' --json

`splunk.splunk_list_saved_searches`

List all saved searches configured in Splunk. Returns search names, queries, schedules, and alert settings.

Read read

Parameters: count, offset, search

Generic call

kosmo integrations:call splunk.splunk_list_saved_searches '{"count":1,"offset":1,"search":"example_search"}' --json

Shortcut

kosmo integrations:splunk splunk_list_saved_searches '{"count":1,"offset":1,"search":"example_search"}' --json

`splunk.splunk_get_saved_search`

Get a Splunk saved search by name.

Read read

Parameters: name

Generic call

kosmo integrations:call splunk.splunk_get_saved_search '{"name":"example_name"}' --json

Shortcut

kosmo integrations:splunk splunk_get_saved_search '{"name":"example_name"}' --json

`splunk.splunk_create_saved_search`

Create a Splunk saved search with optional schedule or alert settings.

Write write

Parameters: name, query, options

Generic call

kosmo integrations:call splunk.splunk_create_saved_search '{"name":"example_name","query":"example_query","options":"example_options"}' --json

Shortcut

kosmo integrations:splunk splunk_create_saved_search '{"name":"example_name","query":"example_query","options":"example_options"}' --json

`splunk.splunk_update_saved_search`

Update a Splunk saved search by name.

Write write

Parameters: name, options

Generic call

kosmo integrations:call splunk.splunk_update_saved_search '{"name":"example_name","options":"example_options"}' --json

Shortcut

kosmo integrations:splunk splunk_update_saved_search '{"name":"example_name","options":"example_options"}' --json

`splunk.splunk_delete_saved_search`

Delete a Splunk saved search by name.

Write write

Parameters: name

Generic call

kosmo integrations:call splunk.splunk_delete_saved_search '{"name":"example_name"}' --json

Shortcut

kosmo integrations:splunk splunk_delete_saved_search '{"name":"example_name"}' --json

`splunk.splunk_dispatch_saved_search`

Dispatch a saved search and return the generated search job.

Write write

Parameters: name, options

Generic call

kosmo integrations:call splunk.splunk_dispatch_saved_search '{"name":"example_name","options":"example_options"}' --json

Shortcut

kosmo integrations:splunk splunk_dispatch_saved_search '{"name":"example_name","options":"example_options"}' --json

`splunk.splunk_list_apps`

List installed Splunk apps.

Read read

Parameters: count, offset

Generic call

kosmo integrations:call splunk.splunk_list_apps '{"count":1,"offset":1}' --json

Shortcut

kosmo integrations:splunk splunk_list_apps '{"count":1,"offset":1}' --json

`splunk.splunk_get_app`

Get an installed Splunk app by name.

Read read

Parameters: name

Generic call

kosmo integrations:call splunk.splunk_get_app '{"name":"example_name"}' --json

Shortcut

kosmo integrations:splunk splunk_get_app '{"name":"example_name"}' --json

`splunk.splunk_list_users`

List Splunk users visible to the authenticated token.

Read read

Parameters: count, offset

Generic call

kosmo integrations:call splunk.splunk_list_users '{"count":1,"offset":1}' --json

Shortcut

kosmo integrations:splunk splunk_list_users '{"count":1,"offset":1}' --json

`splunk.splunk_get_user`

Get a Splunk user by username.

Read read

Parameters: username

Generic call

kosmo integrations:call splunk.splunk_get_user '{"username":"example_username"}' --json

Shortcut

kosmo integrations:splunk splunk_get_user '{"username":"example_username"}' --json

`splunk.splunk_get_current_user`

Get the current authenticated Splunk user context. Returns username, roles, capabilities, and tenant information.

Read read

Parameters: none

Generic call

kosmo integrations:call splunk.splunk_get_current_user '{}' --json

Shortcut

kosmo integrations:splunk splunk_get_current_user '{}' --json

`splunk.splunk_get_server_info`

Get Splunk server version, build, and platform information.

Read read

Parameters: none

Generic call

kosmo integrations:call splunk.splunk_get_server_info '{}' --json

Shortcut

kosmo integrations:splunk splunk_get_server_info '{}' --json

`splunk.splunk_api_get`

Call a safe relative Splunk services path with GET.

Read read

Parameters: path, params

Generic call

kosmo integrations:call splunk.splunk_api_get '{"path":"example_path","params":"example_params"}' --json

Shortcut

kosmo integrations:splunk splunk_api_get '{"path":"example_path","params":"example_params"}' --json

`splunk.splunk_api_post`

Call a safe relative Splunk services path with POST form parameters.

Write write

Parameters: path, payload, params

Generic call

kosmo integrations:call splunk.splunk_api_post '{"path":"example_path","payload":"example_payload","params":"example_params"}' --json

Shortcut

kosmo integrations:splunk splunk_api_post '{"path":"example_path","payload":"example_payload","params":"example_params"}' --json

`splunk.splunk_api_delete`

Call a safe relative Splunk services path with DELETE.

Write write

Parameters: path, params

Generic call

kosmo integrations:call splunk.splunk_api_delete '{"path":"example_path","params":"example_params"}' --json

Shortcut

kosmo integrations:splunk splunk_api_delete '{"path":"example_path","params":"example_params"}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling integrations:schema first.

splunk.splunk_search 5 parameters

Schema command

kosmo integrations:schema splunk.splunk_search --json

Parameter	Type	Required	Description
`query`	string	yes	The SPL search query (e.g., "search index=main error \| head 100").
`earliest_time`	string	no	Earliest time for the search time range. Supports relative (e.g., "-24h", "-7d") or absolute (e.g., "2025-01-01T00:00:00") format.
`latest_time`	string	no	Latest time for the search time range. Supports relative (e.g., "now") or absolute (e.g., "2025-01-31T23:59:59") format.
`exec_mode`	string	no	Splunk execution mode. Defaults to normal.
`options`	object	no	Additional search/jobs form parameters.

splunk.splunk_export_search 4 parameters

Schema command

kosmo integrations:schema splunk.splunk_export_search --json

Parameter	Type	Required	Description
`query`	string	yes	SPL search query.
`earliest_time`	string	no	Optional earliest time.
`latest_time`	string	no	Optional latest time.
`options`	object	no	Additional export parameters.

splunk.splunk_list_search_jobs 3 parameters

Schema command

kosmo integrations:schema splunk.splunk_list_search_jobs --json

Parameter	Type	Required	Description
`count`	integer	no	Maximum number of jobs.
`offset`	integer	no	Pagination offset.
`search`	string	no	Optional server-side search filter.

splunk.splunk_get_search_job 1 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_search_job --json

Parameter	Type	Required	Description
`sid`	string	yes	Search job ID.

splunk.splunk_delete_search_job 1 parameters

Schema command

kosmo integrations:schema splunk.splunk_delete_search_job --json

Parameter	Type	Required	Description
`sid`	string	yes	Search job ID.

splunk.splunk_get_search_results 3 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_search_results --json

Parameter	Type	Required	Description
`sid`	string	yes	The search job ID (SID) returned by a previous search.
`offset`	integer	no	The starting offset for pagination (0-based, default: 0).
`count`	integer	no	The number of results to return per page (default: 100).

splunk.splunk_get_search_events 3 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_search_events --json

Parameter	Type	Required	Description
`sid`	string	yes	Search job ID.
`offset`	integer	no	Pagination offset.
`count`	integer	no	Number of events.

splunk.splunk_get_search_log 1 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_search_log --json

Parameter	Type	Required	Description
`sid`	string	yes	Search job ID.

splunk.splunk_list_indexes 2 parameters

Schema command

kosmo integrations:schema splunk.splunk_list_indexes --json

Parameter	Type	Required	Description
`count`	integer	no	Maximum number of indexes to return.
`offset`	integer	no	Pagination offset.

splunk.splunk_get_index 1 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_index --json

Parameter	Type	Required	Description
`name`	string	yes	The name of the Splunk index to retrieve (e.g., "main", "_internal").

splunk.splunk_create_index 2 parameters

Schema command

kosmo integrations:schema splunk.splunk_create_index --json

Parameter	Type	Required	Description
`name`	string	yes	Index name.
`options`	object	no	Additional index creation parameters.

splunk.splunk_update_index 2 parameters

Schema command

kosmo integrations:schema splunk.splunk_update_index --json

Parameter	Type	Required	Description
`name`	string	yes	Index name.
`options`	object	yes	Index update parameters.

splunk.splunk_delete_index 1 parameters

Schema command

kosmo integrations:schema splunk.splunk_delete_index --json

Parameter	Type	Required	Description
`name`	string	yes	Index name.

splunk.splunk_list_saved_searches 3 parameters

Schema command

kosmo integrations:schema splunk.splunk_list_saved_searches --json

Parameter	Type	Required	Description
`count`	integer	no	Maximum number of saved searches to return.
`offset`	integer	no	Pagination offset.
`search`	string	no	Optional server-side search filter.

splunk.splunk_get_saved_search 1 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_saved_search --json

Parameter	Type	Required	Description
`name`	string	yes	Saved search name.

splunk.splunk_create_saved_search 3 parameters

Schema command

kosmo integrations:schema splunk.splunk_create_saved_search --json

Parameter	Type	Required	Description
`name`	string	yes	Saved search name.
`query`	string	yes	SPL query.
`options`	object	no	Additional saved-search parameters.

splunk.splunk_update_saved_search 2 parameters

Schema command

kosmo integrations:schema splunk.splunk_update_saved_search --json

Parameter	Type	Required	Description
`name`	string	yes	Saved search name.
`options`	object	yes	Saved-search update parameters.

splunk.splunk_delete_saved_search 1 parameters

Schema command

kosmo integrations:schema splunk.splunk_delete_saved_search --json

Parameter	Type	Required	Description
`name`	string	yes	Saved search name.

splunk.splunk_dispatch_saved_search 2 parameters

Schema command

kosmo integrations:schema splunk.splunk_dispatch_saved_search --json

Parameter	Type	Required	Description
`name`	string	yes	Saved search name.
`options`	object	no	Dispatch parameters.

splunk.splunk_list_apps 2 parameters

Schema command

kosmo integrations:schema splunk.splunk_list_apps --json

Parameter	Type	Required	Description
`count`	integer	no	Maximum number of apps.
`offset`	integer	no	Pagination offset.

splunk.splunk_get_app 1 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_app --json

Parameter	Type	Required	Description
`name`	string	yes	App name.

splunk.splunk_list_users 2 parameters

Schema command

kosmo integrations:schema splunk.splunk_list_users --json

Parameter	Type	Required	Description
`count`	integer	no	Maximum number of users.
`offset`	integer	no	Pagination offset.

splunk.splunk_get_user 1 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_user --json

Parameter	Type	Required	Description
`username`	string	yes	Splunk username.

splunk.splunk_get_current_user 0 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_current_user --json

Parameter	Type	Required	Description
No parameters.

splunk.splunk_get_server_info 0 parameters

Schema command

kosmo integrations:schema splunk.splunk_get_server_info --json

Parameter	Type	Required	Description
No parameters.

splunk.splunk_api_get 2 parameters

Schema command

kosmo integrations:schema splunk.splunk_api_get --json

Parameter	Type	Required	Description
`path`	string	yes	Relative path under /services.
`params`	object	no	Query parameters.

splunk.splunk_api_post 3 parameters

Schema command

kosmo integrations:schema splunk.splunk_api_post --json

Parameter	Type	Required	Description
`path`	string	yes	Relative path under /services.
`payload`	object	no	Form body parameters.
`params`	object	no	Query parameters.

splunk.splunk_api_delete 2 parameters

Schema command

kosmo integrations:schema splunk.splunk_api_delete --json

Parameter	Type	Required	Description
`path`	string	yes	Relative path under /services.
`params`	object	no	Query parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with integrations:configure. Add --force only for trusted automation that should bypass that policy.