Documentationbreadcrumb arrow Pluginsbreadcrumb arrow OpenSearchbreadcrumb arrow Configure
Grafana Cloud Enterprise Open source
Last reviewed: March 26, 2026

Configure the OpenSearch data source

This document explains how to configure the OpenSearch data source in Grafana.

Before you begin

Before configuring the data source, ensure you have:

  • Grafana permissions: Organization administrator role to add and configure data sources.
  • OpenSearch instance: A running OpenSearch or Elasticsearch instance accessible from your Grafana server.
  • Credentials: Authentication credentials for your OpenSearch instance, if required.

Add the data source

To add the OpenSearch data source:

  1. Click Connections in the left-side menu.
  2. Click Add new connection.
  3. Type OpenSearch in the search bar.
  4. Select OpenSearch.
  5. Click Add new data source.

Configure settings

The following table describes the connection settings:

SettingDescription
NameThe name used to refer to the data source in panels and queries.
DefaultToggle to make this the default data source for new panels.
URLThe HTTP protocol, IP address, and port of your OpenSearch instance, for example http://localhost:9200.

Authentication

The OpenSearch data source supports several authentication methods.

Basic authentication

To use basic authentication:

  1. Enable Basic auth in the data source settings.
  2. Enter the User and Password for your OpenSearch instance.

TLS client authentication

To use TLS client authentication:

  1. Enable TLS Client Auth in the data source settings.
  2. Provide the CA Cert, Client Cert, and Client Key.
  3. Optionally enable Skip TLS Verify to bypass certificate validation (not recommended for production).

AWS SigV4 authentication

To sign requests to Amazon OpenSearch Service using AWS Signature Version 4:

  1. Enable SigV4 in your Grafana configuration.
  2. In the data source settings, enable SigV4 auth.
  3. Configure the authentication provider:
    • Access & secret key: Enter your AWS access key and secret key directly.
    • Credentials file: Use a shared credentials file on the Grafana server.
    • Workspace IAM role: Use the IAM role attached to the Grafana workspace (Grafana Cloud or Amazon Managed Grafana).
SettingDescription
Authentication providerMethod for providing AWS credentials.
Default regionThe AWS region of your OpenSearch Service domain.
Assume Role ARNOptional ARN of an IAM role to assume.
External IDOptional external ID for cross-account role assumption.

For more information about AWS authentication options, refer to AWS authentication.

OAuth pass-through

When oauthPassThru is enabled in the data source configuration, Grafana forwards the user’s OAuth token to OpenSearch with each request. This is configured through provisioning or the Grafana API.

OpenSearch details

These settings control how Grafana connects to and queries your OpenSearch index.

SettingDescription
Index nameThe default OpenSearch index name. You can use a time pattern such as [logstash-]YYYY.MM.DD or a wildcard. When using a time pattern, wrap the fixed portion in square brackets. Cross-cluster index patterns (for example, cluster_name:index_name) are also supported.
PatternThe matching pattern for the index name. Options: No pattern, Hourly, Daily, Weekly, Monthly, Yearly. Only select a pattern if you’ve specified a time pattern in Index name.
Time field nameThe name of the time field in your index. Defaults to @timestamp.
ServerlessToggle to enable Amazon OpenSearch Serverless mode. When enabled, the flavor is set to OpenSearch, version to 1.0.0, and PPL is enabled automatically. The Version and Max concurrent Shard Requests fields are hidden.
VersionThe version of your OpenSearch or Elasticsearch instance. Click Get Version and Save to auto-detect the version. This is required because query composition differs between versions. Hidden when Serverless is enabled.
Max concurrent Shard RequestsThe maximum number of concurrent shard requests per query. Available for OpenSearch and Elasticsearch 5.6+. Hidden when Serverless is enabled.
Min time intervalThe lower limit for the auto group-by time interval. Set this to your data’s write frequency, for example 1m if data is written every minute. You can also override this per panel.
PPL enabledToggle to enable Piped Processing Language (PPL) queries in the query editor. Enabled by default.

Note

When the connected OpenSearch instance is upgraded, update the configured version to match. The plugin uses the configured version to compose queries, and a mismatch can cause errors.

The Min time interval value must be a number followed by a valid time identifier:

IdentifierDescription
yyear
Mmonth
wweek
dday
hhour
mminute
ssecond
msmillisecond

Log settings

These optional settings control how log data is displayed in Explore.

SettingDescription
Message field nameThe field to use for log messages. When left empty, the full _source object is used.
Level field nameThe field to use for log levels.

For example, if you use a default Filebeat setup to ship logs to OpenSearch, set Message field name to message and Level field name to fields.level.

Data links create a link from a specified field that you can access in Explore’s log view.

Each data link configuration consists of:

SettingDescription
FieldThe name of the field used by the data link. Can be an exact field name or a regex pattern that matches the field name.
TitleAn optional display title for the link.
URLThe full URL for an external link. Use ${__value.raw} to interpolate the field value. When Internal link is enabled, this field changes to Query and sets the query for the target data source.
Internal linkToggle to use an internal link. When enabled, a data source picker appears to select the target tracing data source.

Private data source connect (PDC)

Use private data source connect (PDC) to connect to and query data within a secure network without opening that network to inbound traffic from Grafana Cloud. For more information, refer to Private data source connect and Configure PDC.

If you use PDC with SigV4, the PDC agent must allow internet egress to sts.<region>.amazonaws.com:443.

To configure PDC, click in the Private data source connect box to select an existing PDC connection from the drop-down or create a new one.

Verify the connection

Click Save & test to verify the connection. If you encounter errors, refer to Troubleshoot OpenSearch data source issues.

On success, the data source returns one of the following messages:

MessageMeaning
Index OK. Time field name OK.The index was found and the time field is a valid date type.
Index OK. Note: No field named <timeField> foundThe index exists but the specified time field wasn’t found in the index mappings.
Index OK. Note: <timeField> is not a date fieldThe index exists and the time field was found, but it isn’t mapped as a date type.
Fields fetched OK. Index not set.The connection succeeded but no index name is configured.

Amazon OpenSearch Service

AWS users can use this data source to visualize data from Amazon OpenSearch Service. If you use an AWS Identity and Access Management (IAM) policy to control access to your domain, you must use AWS SigV4 to sign all requests.

For more information about AWS SigV4, refer to the AWS documentation.

IAM policies for OpenSearch Service

Grafana needs permissions granted through IAM to read OpenSearch Service documents. You can attach these permissions to IAM roles and use Grafana’s built-in support for assuming roles. Configure the required policy before adding the data source to Grafana.

For predefined policies, refer to the Amazon OpenSearch Service managed policies documentation.

The following is an example of a minimal policy for querying OpenSearch Service:

Note

Update the ARN to match your OpenSearch Service domain.

JSON 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["es:ESHttpGet", "es:ESHttpPost"],
      "Resource": "arn:aws:es:<REGION>:<ACCOUNT_ID>:domain/<DOMAIN_NAME>"
    }
  ]
}

Amazon OpenSearch Serverless

Amazon OpenSearch Serverless lets you run OpenSearch workloads without managing infrastructure. Access is controlled by data access policies.

To use Serverless mode, enable the Serverless toggle in the data source settings. This automatically sets the flavor and version.

Data access policies for OpenSearch Serverless

The following example shows a policy that allows querying a collection and index:

Note

Replace the placeholder values for collection name, index name, and Principal with your values.

JSON 
[
  {
    "Rules": [
      {
        "Resource": ["collection/<COLLECTION_NAME>"],
        "Permission": ["aoss:DescribeCollectionItems"],
        "ResourceType": "collection"
      },
      {
        "Resource": ["index/<COLLECTION_NAME>/<INDEX_NAME>"],
        "Permission": ["aoss:DescribeIndex", "aoss:ReadDocument"],
        "ResourceType": "index"
      },
      {
        "Effect": "Allow",
        "Action": "aoss:APIAccessAll",
        "Resource": "arn:aws:aoss:<REGION>:<ACCOUNT_ID>:collection/<COLLECTION_NAME>"
      },
      {
        "Effect": "Allow",
        "Action": ["aoss:BatchGetCollection", "aoss:ListCollections"],
        "Resource": "*"
      }
    ],
    "Principal": ["arn:aws:iam:<REGION>:<ACCOUNT_ID>:user/<USERNAME>"],
    "Description": "read-access"
  }
]

Provision the data source

You can define and configure the data source in YAML files as part of Grafana’s provisioning system. For more information, refer to Provisioning Grafana.

The following example provisions an OpenSearch data source with basic authentication:

YAML 
apiVersion: 1

datasources:
  - name: OpenSearch
    type: grafana-opensearch-datasource
    access: proxy
    url: <OPENSEARCH_URL>
    basicAuth: true
    basicAuthUser: <USERNAME>
    jsonData:
      flavor: opensearch
      version: "2.18.0"
      database: <INDEX_NAME>
      timeField: "@timestamp"
      logMessageField: message
      logLevelField: level
      pplEnabled: true
      serverless: false
      maxConcurrentShardRequests: 5
      timeInterval: 10s
    secureJsonData:
      basicAuthPassword: <PASSWORD>

The following table describes the available jsonData provisioning options:

FieldDescription
flavoropensearch or elasticsearch.
versionThe version of your OpenSearch or Elasticsearch instance, for example 2.18.0.
databaseThe default index name.
timeFieldThe time field name. Defaults to @timestamp.
logMessageFieldThe field used for log messages.
logLevelFieldThe field used for log levels.
pplEnabledSet to true to enable PPL queries.
serverlessSet to true for Amazon OpenSearch Serverless.
maxConcurrentShardRequestsMaximum concurrent shard requests per query.
timeIntervalMinimum time interval for auto group-by, for example 10s.
dataLinksArray of data link objects with field, url, and optional title properties.
versionLabelDisplay label for the version, for example OpenSearch 2.18.0. Optional.

The following table describes the available secureJsonData provisioning options:

FieldDescription
basicAuthPasswordPassword for basic authentication.

Provision the data source using Terraform

You can provision the data source using the Grafana Terraform provider. The following example creates an OpenSearch data source with basic authentication:

hcl 
resource "grafana_data_source" "opensearch" {
  type = "grafana-opensearch-datasource"
  name = "OpenSearch"
  url  = "<OPENSEARCH_URL>"

  basic_auth_enabled  = true
  basic_auth_username = "<USERNAME>"

  json_data_encoded = jsonencode({
    flavor                     = "opensearch"
    version                    = "2.18.0"
    database                   = "<INDEX_NAME>"
    timeField                  = "@timestamp"
    logMessageField            = "message"
    logLevelField              = "level"
    pplEnabled                 = true
    serverless                 = false
    maxConcurrentShardRequests = 5
    timeInterval               = "10s"
  })

  secure_json_data_encoded = jsonencode({
    basicAuthPassword = "<PASSWORD>"
  })
}

For more information about the Grafana Terraform provider, refer to the Grafana provider documentation.