Copilot AI commented Nov 14, 2025

Implements a focused Splunk CLI and MCP server based on the jira-cli architecture, providing direct command-line access and AI assistant integration for ad-hoc Splunk search queries.

Core Components

  • internal/config - Configuration management with OS keyring storage for secure token handling
  • internal/splunk - Custom Splunk REST API client implementation
  • main.go - CLI with 3 commands: configure, search, mcp-server
  • mcp.go - MCP server exposing 1 tool (search) for AI assistant integration via stdio transport

Key Features

Search execution:

splunk search "error" "-1h" "now"
# Polls job status, returns formatted results

MCP integration:

{
  "mcpServers": {
    "splunk": {
      "command": "splunk",
      "args": ["mcp-server"]
    }
  }
}

Uses well-maintained Go libraries:

  • github.com/mark3labs/mcp-go (v0.43.0) - MCP server implementation
  • github.com/zalando/go-keyring (v0.2.6) - Cross-platform secure token storage

Authentication tokens are stored in the system keyring; host configuration is stored in ~/.config/splunk-cli/config.json.

API Client

Custom REST API client implementation for Splunk Enterprise, as there is no official Go SDK for Splunk Enterprise (Splunk only provides official SDKs for Python, JavaScript, Java, C#, PHP, and Ruby). The implementation provides:

  • Search jobs (create, poll status, retrieve results)

All operations use Bearer token authentication against the management port with a 30s timeout.

Build Infrastructure

Includes complete build and CI/CD setup following jira-cli patterns:

GitHub Actions Workflows:

  • .github/workflows/go.yml - CI workflow that runs build and tests on push/PR to main
  • .github/workflows/release.yml - Release workflow that builds multi-platform binaries (darwin/linux amd64/arm64, Windows) on tag push

Makefile:

  • make build - Build the binary
  • make test - Run tests
  • make clean - Remove build artifacts
  • make install - Install to /usr/local/bin
  • make build-all - Build for all platforms
  • make lint - Run go vet and go fmt
  • make help - Show available targets

Scope

This CLI is intentionally focused on ad-hoc search queries only. Saved searches, alerts, server info, and event submission capabilities have been excluded to keep the tool simple and targeted for interactive query use cases.

Original prompt

Look at the kitproj/jira-cli repository. Follow that concept, but for Splunk.



Copilot AI and others added 4 commits November 14, 2025 19:14
Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add CLI functionality for Splunk integration" to "Implement Splunk CLI & MCP server following jira-cli pattern" Nov 14, 2025
Copilot AI requested a review from alexec November 14, 2025 19:19

alexec commented Nov 14, 2025

@copilot can we use a popular Golang library for this?

Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>

Copilot AI commented Nov 14, 2025

@copilot can we use a popular Golang library for this?

Yes! I've refactored the code to use github.com/kuba--/splunk (v0.1.1), a popular Splunk Enterprise REST API client for Go available on pkg.go.dev.

The internal/splunk package now wraps this library for core functionality (Search, ServerInfo) while extending it with additional methods for saved searches, alerts, and event submission.

Commit: 2304895

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/search/repositories
    • Triggering command: curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>

alexec commented Nov 14, 2025

@copilot that library was abandoned 10 years ago. Can you use the official Splunk Go SDK.


Copilot AI commented Nov 14, 2025

@copilot that library was abandoned 10 years ago. Can you use the official Splunk Go SDK.

I've researched this and found that Splunk does not provide an official Go SDK for Splunk Enterprise. The only official Splunk Go SDK is splunk-cloud-sdk-go, which is explicitly for Splunk Cloud Services, not Splunk Enterprise.

Splunk's official SDKs are for Python, JavaScript, Java, C#, PHP, and Ruby only.

Since there's no official Go SDK for Splunk Enterprise, I'll revert to our custom implementation that directly uses the Splunk REST API. This gives us full control and doesn't depend on abandoned libraries.

Would you like me to proceed with the custom implementation, or do you have a specific library in mind?

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dev.splunk.com
    • Triggering command: curl -s REDACTED (dns block)
  • https://api.github.com/orgs/splunk/repos
    • Triggering command: curl -s REDACTED (http block)
  • https://api.github.com/search/repositories
    • Triggering command: curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>

alexec commented Nov 15, 2025

@copilot make the requested changes.

… focus on ad-hoc queries only

Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
Copilot AI changed the title from "Implement Splunk CLI & MCP server following jira-cli pattern" to "Implement Splunk CLI & MCP server for ad-hoc queries following jira-cli pattern" Nov 15, 2025
Copilot AI requested a review from alexec November 15, 2025 20:20

Copilot AI commented Nov 15, 2025

@copilot make the requested changes.

All requested changes have already been completed in commit f5d1e65:

✅ Removed list-alerts command
✅ Removed server-info and send-event commands
✅ Removed saved search commands (list-saved-searches, create-saved-search)

The CLI now focuses on ad-hoc queries only with 3 commands:

  • splunk configure <host> - Configure Splunk host and token
  • splunk search <query> [earliest-time] [latest-time] - Run ad-hoc searches
  • splunk mcp-server - Start MCP server (exposing only the search tool)

All tests pass and the build is clean.


alexec commented Nov 15, 2025

@copilot add build files.

Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>

Copilot AI commented Nov 15, 2025

@copilot add build files.

Added build files following the jira-cli pattern:

GitHub Actions Workflows:

  • .github/workflows/go.yml - CI workflow that runs build and tests on push/PR to main
  • .github/workflows/release.yml - Release workflow that builds multi-platform binaries (darwin/linux amd64/arm64) when tags are pushed

Makefile:

  • make build - Build the binary
  • make test - Run tests
  • make clean - Remove build artifacts
  • make install - Install to /usr/local/bin
  • make build-all - Build for all platforms (including Windows)
  • make lint - Run go vet and go fmt
  • make help - Show available targets

Updated .gitignore to exclude the dist/ directory for multi-platform builds.

Commit: 7499bec

Copilot AI changed the title from "Implement Splunk CLI & MCP server for ad-hoc queries following jira-cli pattern" to "Implement Splunk CLI &amp; MCP server for ad-hoc queries following jira-cli pattern" Nov 15, 2025

alexec commented Nov 15, 2025

@copilot use SPLUNK_URL rather than SPLUNK_HOST.

@alexec alexec marked this pull request as ready for review November 16, 2025 22:09
@alexec alexec merged commit 34ef566 into main Nov 16, 2025
2 of 3 checks passed