Get started with Splunk on Grafana Cloud
This guide walks you through connecting your Splunk instance to Grafana Cloud and visualizing your first query. The entire process takes under 10 minutes.
Prerequisites
Before you begin, ensure you have:
- A Grafana Cloud Pro or Advanced plan.
- A Splunk Enterprise or Splunk Cloud instance with port 8089 enabled.
- Splunk user credentials (username and password) or an authentication token with permissions to run searches.
- If your Splunk instance is on a private network: A Linux host in the same network to run the PDC agent.
Step 1: Install the plugin
- Verify the Splunk plugin is activated for your organization at grafana.com/orgs. If it isn’t listed, confirm your Cloud plan includes Enterprise plugins.
- In your Grafana Cloud instance, navigate to Administration > Plugins and data > Plugins.
- Search for Splunk.
- Click Install.
The plugin is ready to use immediately after installation. For detailed installation instructions or troubleshooting, refer to Install the Splunk data source.
Step 2: Connect to a private Splunk instance (optional)
Note
Skip this step if your Splunk instance has a public IP address that Grafana Cloud can reach directly on port 8089.
If your Splunk instance is behind a firewall or on a private network, set up Private data source connect (PDC) to create a secure tunnel:
- Navigate to Connections > Private data source connect.
- Click Add new network and follow the setup wizard.
- On the Configuration Details tab, generate a token and note the configuration values (token, cluster, hosted Grafana ID).
- Install and run the PDC agent on a host in the same network as your Splunk instance. Choose binary, Docker, or Kubernetes depending on your environment.
- Verify the agent shows a Connected status in the Grafana Cloud UI.
- Confirm the agent host can reach your Splunk instance:
nc -zv <SPLUNK_HOST> 8089.
For detailed instructions, refer to Configure Private data source connect.
Step 3: Configure the data source
Navigate to Connections > Add new connection.
Search for Splunk and select Splunk data source.
Click Add new data source.
In the URL field, enter your Splunk management URL and port (for example,
https://splunk.example.com:8089).Under Authentication, select an authentication method:
- Basic authentication (default): Enter your Splunk User and Password.
- Alternative authentication: Enter a Splunk Authentication token instead of a username and password.
If you set up PDC in Step 2, select your PDC network from the Private data source connect section.
Click Save & test.
On success, you see a message: Connected to Splunk version: “9.1.3” build: “d95b3bc7f6d0”.
If the connection fails, refer to Troubleshoot connection errors.
Step 4: Write your first query
Navigate to Explore in the left-side menu.
Select your new Splunk data source from the data source picker.
The query editor opens in raw SPL mode by default. Paste the following query to verify connectivity and see event volume by sourcetype:
index=_internal | timechart count by sourcetypeClick Run query. You should see a time-series graph showing event counts.
Try a log query to view raw events:
index=_internal sourcetype=splunkd log_level=ERRORSelect Logs from the View As radio buttons to see the results in log format.
Step 5: Build a dashboard
- Navigate to Dashboards in the left-side menu.
- Click New > New dashboard > Add visualization.
- Select your Splunk data source.
- Paste a time-series query (like the
index=_internalexample above). - Choose a visualization type (Time series, Stat, Gauge, or Table).
- Click Apply to add the panel.
- Repeat for additional panels, then click Save dashboard.
Starter panels to consider:
Next steps
- Splunk query editor: Query modes, visual builder, and advanced options.
- Template variables: Create dynamic dashboards with drop-down filters.
- Configure the Splunk data source: Advanced settings, authentication options, and provisioning.
- Troubleshooting: Solutions for common issues.


