Inspiration

As AI agents gain autonomous capabilities and direct tool access, they are increasingly trusted to query sensitive, production SIEM infrastructure like Splunk. However, LLMs can easily hallucinate bad syntax, generate boundless search windows that degrade system performance, or execute destructive commands (like data erasure). We were inspired by standard web application firewalls (WAFs) and proxy architectures to build a protocol-level safety gateway that acts as a real-time policy interceptor for AI-generated search intents.

What it does

The Splunk MCP Health-Check Guardrail Proxy sits as a middleware layer directly between the AI agent orchestrator and Splunk:

  1. Model Context Protocol (MCP) Interface: Implements the standardized FastMCP framework, exposing tool nodes (secure_splunk_agent_gateway) and a capability discovery registry (inspect_mcp_capabilities).
  2. Destructive Command Interception: Uses high-performance regex scanners to immediately block dangerous actions (like delete, outputlookup, collect, join, map) from executing.
  3. Boundless Search Optimization: Automatically intercepts queries missing time limits and injects earliest=-30m safely at the beginning of the SPL pipeline to prevent index-wide resource exhaustion.
  4. Actionable Compliance Alerts: Returns granular compliance metadata to the agent, suggesting modifications when a query is blocked rather than failing silently.
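
The interception and injection rules from items 2 to 4, as an added sketch that is not the project's own code. Only the blocked-command list and the earliest=-30m default come from this page; the function name check_spl, the verdict fields and the rule labels are assumptions.

```python
import re

# Policy values taken from the write-up above.
BLOCKED = ("delete", "outputlookup", "collect", "join", "map")
DEFAULT_WINDOW = "earliest=-30m"

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# A command name only counts right after a pipe or at the start of a subsearch.
COMMAND = re.compile(r'[|\[]\s*(' + "|".join(BLOCKED) + r')\b', re.IGNORECASE)
EARLIEST = re.compile(r'\bearliest\s*=', re.IGNORECASE)
SEARCH_PREFIX = re.compile(r'^search\s+', re.IGNORECASE)


def verdict(status, query=None, rule=None, suggestion=None):
    # Hypothetical metadata shape returned to the agent.
    return {"status": status, "query": query, "rule": rule, "suggestion": suggestion}


def check_spl(query: str) -> dict:
    """Classify an agent-supplied SPL string as blocked, allowed or rewritten."""
    spl = query.strip()
    # Blank out quoted literals so a value such as "| delete" is not read as a command.
    # An unterminated quote is left unmasked, so text after it is still scanned.
    masked = QUOTED.sub('""', spl)

    hit = COMMAND.search(masked)
    if hit:
        cmd = hit.group(1).lower()
        return verdict("blocked", rule=f"blocked_command:{cmd}",
                       suggestion=f"Remove '{cmd}' and resubmit a read-only search.")

    generating = masked.startswith("|")
    first_segment = masked.lstrip("|").split("|", 1)[0]
    if EARLIEST.search(first_segment):
        return verdict("allowed", query=spl)

    if generating:
        # Prepending a search term before a leading pipe would corrupt the
        # pipeline, so refuse instead of guessing where the bound belongs.
        return verdict("blocked", rule="unbounded_generating_command",
                       suggestion=f"Add an explicit time range such as {DEFAULT_WINDOW}.")

    # Put the window after an explicit leading 'search', else at the very start.
    prefix = SEARCH_PREFIX.match(spl)
    head = prefix.group() if prefix else ""
    return verdict("rewritten", query=f"{head}{DEFAULT_WINDOW} {spl[len(head):]}",
                   rule="missing_time_bound",
                   suggestion="Set earliest= explicitly to choose a different window.")
```

Matching command names only in command position keeps field names such as mapped and quoted message text from triggering a block, while an unbounded query that starts with a pipe is refused because a prefix rewrite cannot bound it safely.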

How we built it

We built this standalone middleware using:

  • Python for low-overhead string processing and rule validation.
  • Model Context Protocol (MCP) Python SDK / FastMCP to configure standard stdio-based transport channels.
  • Regular Expressions (Regex) for fast, low-latency pattern matching of structured SPL queries.
  • Git for version control, fully licensed under the open-source Apache License 2.0.

Challenges we ran into

One key challenge was parsing dynamically generated SPL queries without breaking command pipelines. We resolved this by analyzing common search query prefixes and designing clean replacement patterns to inject constraints without corrupting syntax. Another challenge was navigating version-specific module hierarchies in the newly released Python MCP SDK, which we resolved by importing classes directly from the mcp.server.fastmcp submodule.

Accomplishments that we're proud of

  • Creating a fully functional, zero-dependency, standalone server that conforms perfectly to the new Model Context Protocol specifications.
  • Designing a non-intrusive safety injector that seamlessly rewrites query pipelines (like prepending time limits) without requiring database execution overhead.
  • Incorporating realistic enterprise log schemas (_time, host, source, message) into the query results to mock real-world production environments.

What we learned

We gained deep insight into how the design patterns of the Model Context Protocol (MCP) spec bring uniform tool execution to LLMs. We also realized how critical security proxies are when bridging generative AI models with high-throughput IT infrastructure.

What's next for Splunk MCP Health-Check Guardrail Proxy

  1. Abstract Syntax Tree (AST) Parsing: Transition from simple regex scanning to a full SPL AST parser to analyze complex nested subsearches.
  2. Active Splunk API Integration: Connect with live developer licenses to check Splunk performance and dynamically adjust the time window (e.g., changing from earliest=-30m to -15m under heavy indexing load).
  3. Dynamic Policy Updates: Load safety patterns and blocked keywords from an external, encrypted configuration server.
