TA MCP Admin is the admin UI for operating MCP tools in Splunk. The app is not the MCP backend itself. Instead, it is an extension of Splunk_MCP_Server and provides the UI for backend connection setup, tool configuration, tool testing, and tool lifecycle actions.
The typical setup is:
Splunk_MCP_Serverprovides the MCP endpoints.TA MCP Adminconnects to that backend.- Administrators maintain the backend connection and tokens centrally.
- MCP tools can then be created, edited, enabled, tested, and deleted directly in Splunk.
Before first use, the following components must already exist:
- A running Splunk instance
- The
Splunk_MCP_Serverapp - The
TA MCP Adminapp - A valid Splunk management token
- A valid MCP bearer token
For the recommended operator role and the local E2E user flow, see ../docs/HOWTO_BERECHTIGUNGEN.md.
TA MCP Admin uses the Splunk management token to manage the Splunk_MCP_Server backend through /services/mcp_tools.
On the Splunk side, that token must have the mcp_tool_admin capability.
Recommended in practice:
- use a dedicated operator role with
mcp_tool_adminandmcp_tool_execute - in the local repo workflow,
Splunk_MCP_Serverdefinesmcp_tool_operatorfor that purpose adminandsc_adminstill work, but they are no longer the intended day-to-day operator model
Without mcp_tool_admin, TA MCP Admin can still be opened, but it cannot load the tool list or create, update, enable, disable, or delete tools.
- Install
Splunk_MCP_Serverin Splunk. - Install
TA MCP Adminin Splunk. - Make sure the MCP endpoints exposed by
Splunk_MCP_Serverare reachable. - Open the app in Splunk and go to the setup page.
In TA MCP Admin > Setup, configure the following values:
MCP Base URLMCP Backend App IDVerify backend TLS certificatesSplunk Management TokenMCP Bearer Token
Typical local defaults:
MCP Base URL:https://127.0.0.1:8089MCP Backend App ID:Splunk_MCP_Server
The tokens are stored server-side and should not be placed in files or dashboards.
Notes:
- the
Splunk Management Tokenis used for tool management against/services/mcp_tools - the
MCP Bearer Tokenis used for tool tests and calls against/services/mcp Verify backend TLS certificatesis enabled by default for remote backends and should only be disabled deliberately for self-signed lab environments- the Setup permission gate is
mcp_tool_admin, notadmin
After initial configuration:
- Open the tool management UI.
- Review which tools already exist in the MCP backend.
- Create your own tools or edit existing ones.
- Enable or disable tools.
- Run a tool directly from the test panel against
Splunk_MCP_Server.
That makes TA MCP Admin the working interface for the main use case: managing MCP tools in Splunk in a controlled way and verifying them immediately against the real backend.
- This app is prepared for publication under
Apache License 2.0. - The full license text is included in the package as
LICENSE.txt. - The app is provided without warranty. Deployment and operation in a specific Splunk environment remain the responsibility of the operator.
- The corresponding GitHub repository is only the default public contact channel.
- Security reports should not disclose exploit details in public issues. See
SECURITY.mdfor details. - No SLA, warranty, managed support commitment, maintenance obligation, or duty to respond is provided unless the publisher explicitly offers one in writing on GitHub or Splunkbase.
- The published GitHub folder is expected to include
SECURITY.md,SUPPORT.md, andTRADEMARKS.mdalongside this README.
- Splunkbase should use the same declared license as the GitHub repository.
- Package metadata for Splunk tooling is stored in
app.manifest. - Contact, support, and release details on Splunkbase should stay consistent with
README.md,SUPPORT.md, andSECURITY.mdin this app directory.