Splunk annotations
Annotations let you overlay Splunk events or fired alerts on Grafana graphs, providing context for changes, deployments, or incidents alongside your time-series data.
Before you begin
- Configure the Splunk data source.
- Understand Grafana annotations.
Annotation sources
The Splunk data source supports two annotation sources:
Create an annotation query
To add an annotation to a dashboard:
- Navigate to your dashboard and click Dashboard settings (gear icon).
- Click Annotations in the left menu.
- Click Add annotation query.
- Select the Splunk data source.
- Choose the annotation mode (Search or Events) and configure the query using the fields described in the following sections.
Annotation modes
The annotation editor provides two modes via a toggle at the top of the editor:
- Search: Use the raw SPL editor for annotation queries. Provides access to Namespace, Sample Ratio, and Limit options. The visual query builder isn’t available in the annotation editor.
- Events: A simplified editor with fields for SPL search, event text extraction, regular expression matching, and Splunk fired alerts.
Search mode fields
Events mode fields
Query routing behavior
When using Events mode, the annotation editor routes your query as follows:
When using Search mode, the SPL query runs directly. If the search field is empty, no request is sent.
SPL search annotation examples
Mark deployment events on a graph:
index=main sourcetype=deployment | fields _time, environment, version
Annotate error spikes:
index=main log_level=ERROR | timechart span=5m count | where count > 100
Show configuration changes:
index=_audit action=edit | fields _time, user, info
Annotate Splunk system warnings:
index=_internal log_level=WARN component=SearchScheduler | fields _time, message
Use Event field as text with Regex
To extract a specific portion of a log message for annotation text, combine Event field as text with Regex:
This configuration extracts the text after ERROR: from the _raw field and uses it as the annotation label.
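The following Python snippet is an added illustration of the extraction behaviour described above, not code from Grafana or the Splunk plugin: it applies a regular expression to the _raw field of constructed sample events and emits annotation objects in the shape Grafana uses (epoch milliseconds plus text). The sample events, the regex ERROR:\s*(.*) and the fallback rule (an event whose _raw does not match keeps the full field as its label) are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the shape of Splunk search results:
# _time as an ISO-8601 UTC timestamp and _raw as the original log line.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z",
     "_raw": "2024-05-01 10:00:00 app=api ERROR: database connection refused"},
    {"_time": "2024-05-01T10:05:00Z",
     "_raw": "2024-05-01 10:05:00 app=api ERROR: upstream timeout after 30s"},
    {"_time": "2024-05-01T10:07:00Z",
     "_raw": "2024-05-01 10:07:00 app=api WARN: retrying request"},
]

# Assumed regex: everything after "ERROR:" becomes the annotation label.
ERROR_PATTERN = r"ERROR:\s*(.*)"


def extract_text(raw, pattern):
    """Return the first capture group of pattern matched against raw,
    the whole match when the pattern has no group, or None if it does
    not match at all."""
    match = re.search(pattern, raw)
    if match is None:
        return None
    return match.group(1) if match.lastindex else match.group(0)


def build_annotations(events, pattern, text_field="_raw", keep_unmatched=True):
    """Turn Splunk events into Grafana-style annotations.

    Each annotation carries the event time in epoch milliseconds and the
    text extracted by the regex. When the regex does not match, the full
    field is used as the label (keep_unmatched=True) or the event is
    dropped (keep_unmatched=False)."""
    annotations = []
    for event in events:
        ts = datetime.strptime(event["_time"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        field_value = event.get(text_field, "")
        text = extract_text(field_value, pattern)
        if text is None:
            if not keep_unmatched:
                continue
            text = field_value
        annotations.append({
            "time": int(ts.timestamp() * 1000),
            "text": text.strip(),
        })
    return annotations


if __name__ == "__main__":
    for ann in build_annotations(SAMPLE_EVENTS, ERROR_PATTERN):
        print(ann["time"], ann["text"])
```

Running the block prints one line per event; the WARN event has no ERROR: prefix, so its whole _raw line is used as the label, which is the behaviour to keep in mind when a regex is too narrow for the events the search returns.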
Fired alerts
To display Splunk fired alerts as annotations, use the Or Splunk alert name field in Events mode.
- Enter a specific alert name (for example, high_cpu_alert) to show only that alert.
- Leave the field blank to display all fired alerts.
- Use template variables in the alert name for dynamic filtering (for example, $alert_name).
Fired alert annotations display the Splunk saved search name as the annotation title.
Note
Retrieving fired alerts requires the Splunk user to have the appropriate permissions. If you receive a “requires license feature” error, verify your Splunk license supports the fired alerts API. Refer to Splunk’s Fired alerts documentation for more information.
Display options
After creating the annotation query, you can customize how annotations appear on the graph:
- Set a Name for the annotation to identify it in the dashboard.
- Choose a Color to distinguish different annotation types.
- Toggle Enabled to show or hide the annotation.
For more information on configuring annotation display options, refer to Annotations.