Authenticate to the Splunk REST API (default port 8089) using HTTP Basic auth or a session token obtained from POST /services/auth/login.
Create a saved search that functions as a scheduled alert with POST /servicesNS/{user}/{app}/saved/searches, providing name, search (SPL string), cron_schedule, alert_type, alert_condition, and actions parameters.
Configure an alert action (e.g., webhook or email) by setting alert.track=1 and the relevant action.* parameters on the saved search; list available action types with GET /services/alerts/alert_actions.
Enable or disable an existing alert with POST /servicesNS/nobody/search/saved/searches/{name}/enable or /disable.
Retrieve triggered alert history with GET /services/alerts/fired_alerts and filter by saved search name to confirm the alert is firing as expected.
Known gotchas
Unless you set alert.track=1 (Add to Triggered Alerts), Splunk executes the alert action but does not record it in the fired alerts list, so polling that list cannot confirm the alert ever fired and programmatic monitoring becomes impossible.
Saved searches created via the REST API default to the admin user's namespace; use servicesNS/{user}/{app} paths to scope correctly to the target app and sharing level.
The REST API uses XML by default; append output_mode=json to query strings to receive JSON responses.
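The five steps above and the three gotchas, worked through as one added example that is not from the original page: a minimal client built on the Python standard library only. The management host, credentials, app, saved-search name, webhook URL and the fired_alerts reply are constructed placeholders; the saved-search fields are standard savedsearches.conf keys.

```python
import json
import ssl
import urllib.parse
import urllib.request

BASE = "https://splunk.example.internal:8089"  # constructed placeholder management host
CTX = ssl.create_default_context()              # load your CA bundle here if the cert is self-signed
SAMPLE_FIRED = {"entry": [  # constructed stand-in for a GET /services/alerts/fired_alerts reply
    {"name": "ssh_bruteforce", "content": {"triggered_alert_count": 2}},
    {"name": "disk_full", "content": {"triggered_alert_count": 1}}]}

def call(path, session_key=None, data=None):
    """One request to the management port; output_mode=json because XML is the default."""
    url = f"{BASE}{path}{'&' if '?' in path else '?'}output_mode=json"
    body = urllib.parse.urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(url, data=body, method="POST" if body is not None else "GET")
    if session_key:
        req.add_header("Authorization", f"Splunk {session_key}")  # token from /services/auth/login
    with urllib.request.urlopen(req, context=CTX, timeout=30) as resp:
        return json.load(resp)

def login(username, password):
    return call("/services/auth/login", data={"username": username, "password": password})["sessionKey"]

def alert_params(name, spl, cron, webhook_url):
    """Form body for POST /servicesNS/{user}/{app}/saved/searches (savedsearches.conf keys)."""
    return {
        "name": name,
        "search": spl,
        "cron_schedule": cron,
        "is_scheduled": "1",                 # without this the cron_schedule is never run
        "dispatch.earliest_time": "-15m",    # window each scheduled run searches (latest defaults to now)
        "alert_type": "number of events",    # alert_type=custom plus alert_condition for an SPL condition
        "alert_comparator": "greater than",
        "alert_threshold": "0",
        "alert.track": "1",                  # Add to Triggered Alerts; otherwise fired_alerts stays empty
        "actions": "webhook",
        "action.webhook.param.url": webhook_url,
    }

def create_alert(session_key, user, app, params):
    return call(f"/servicesNS/{user}/{app}/saved/searches", session_key, data=params)

def set_enabled(session_key, name, enabled=True):
    verb = "enable" if enabled else "disable"
    return call(f"/servicesNS/nobody/search/saved/searches/{urllib.parse.quote(name)}/{verb}", session_key, data={})

def fired_for(fired_alerts_json, name):
    """Entries for one saved search picked out of a fired_alerts reply."""
    return [e for e in fired_alerts_json.get("entry", [])
            if e.get("name") == name or e.get("content", {}).get("savedsearch_name") == name]
```

A typical run is login(), create_alert() with alert_params(), set_enabled(), then fired_for(call("/services/alerts/fired_alerts", key), name) on each poll.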