Blog  /  Engineering

Everything You Need to Know About the Splunk Plugin for Grafana

18 Feb 2020 3 min read

Last week on Slack:

Eldin: Hey Christine, do you remember the first time you viewed a log file?

Christine: Oh yes. I used Splunk as a support engineer and I remember. You?

Eldin: I believe it was early 2000s. I was installing Slackware and a few network cards for a DIY router, and logs were critical.

Hello again! We are Eldin and Christine from Solutions Engineering – a team at Grafana that is passionate about connecting people to our products – reporting back for duty. Due to the overwhelming response and engagement from our last blog post, we’ve decided to join forces again to showcase another one of our favorite Enterprise plugins: Splunk!

Why Splunk is Special

Regardless of where you are in the stack, logs are ubiquitous and provide invaluable insights for troubleshooting and broader business analyses. Splunk is a leading log management solution that’s been highly adopted throughout different organizations, and we hear everyone loud and clear on why: It’s really good at what it does. (We think so, too.)

With our Splunk plugin, you can leverage everything you love about Splunk (collection, storage, and indexing of logs, oh my!) without compromising on where you choose to centrally visualize all of your data sources (with Grafana, we hope). The outcome? A flexible, single-pane view of the underlying metrics that measure the health of your systems, which allows you to quickly correlate and debug for reduced MTTR.

For example:

Splunk Docker Overview

It’s simple to set up: Once you’ve installed the Splunk plugin, configure Splunk as a data source by going to Configuration > Data Sources > Add data source. Add your authentication details, and the data source is ready to query!

Our query editor supports two modes: raw and visual. Raw mode allows you to write queries in Splunk’s Search Processing Language; if you’d like to quickly find some data with dropdown menus, click on the pencil icon to use the visual mode.

Raw and visual editor

Some Quick Tips

  • When configuring the data source, toggle on the Advanced options section to take advantage of Splunk-specific functionality, such as search performance optimizations (Fast, Verbose, and Smart) and streaming.

  • Click on the Permissions tab to enable data source permissions, an Enterprise feature that allows you to control who can query the data source.

  • Want to visualize Splunk data in more than just metric and table format? Use the Logs panel to view log lines next to a graph panel of a related process.

Logs Panel
  • Don’t forget to use Splunk in the Explore panel! With the split panel option, you’ll be able to test out your queries, investigate your logs, and compare two data sources side-by-side.

  • If you need some help with your SPL query, take advantage of autocomplete support.


Remember, logs are just one piece of the observability equation. The more you can correlate logs with metrics and incorporate data and panel links to your dashboards, the faster your team can respond to an incident, discover the root cause, get better, and move on.

If you’re not using Splunk, or want an alternative logging solution so you can still debug like a champion, give Loki a spin – it’s Grafana’s open source answer for a cost-effective and horizontally-scalable logs aggregator that you can start running right away:

Prometheus & Loki Dashboard

Well, that’s all we have time for today, but please tweet at us to let us know the next plugin you’d like us to write about. Until next time!