Grafana Cloud Enterprise
Last reviewed: May 29, 2026

Configure the Splunk data source

This document explains how to configure the Splunk data source in Grafana.

Before you begin

Before configuring the data source, ensure you have:

  • Grafana permissions: Organization administrator role.
  • Splunk account: A Splunk account with credentials (username and password or an authentication token).
  • Network access: Port 8089 enabled on your Splunk instance.

Key concepts

If you’re new to Splunk, these terms are used throughout the configuration:

| Term | Description |
| --- | --- |
| SPL | Search Processing Language, the query language used by Splunk to search and analyze data. |
| Index | A repository for Splunk data, similar to a database table. |
| Sourcetype | A classification for data ingested into Splunk that determines how data is formatted and parsed. |
| Namespace | A Splunk app context that determines which knowledge objects are available to a query. |
| Authentication token | A token-based alternative to username and password for authenticating to Splunk’s REST API. |

Add the data source

To install the plugin, refer to Install the Splunk data source. For general information on adding a data source, refer to Add a data source.

To add the Splunk data source, complete the following steps:

  1. Click Connections in the left-side menu.
  2. Under Connections, click Add new connection.
  3. Enter Splunk in the search bar.
  4. Select Splunk data source.
  5. Click Add new data source in the upper right.

You are taken to the Settings tab where you set up your Splunk configuration.

Configuration options

The following sections describe the available configuration options.

General settings

| Setting | Description |
| --- | --- |
| Name | The data source name. This is how you refer to the data source in panels and queries. For example: Splunk-1, Splunk_data. |
| Default | Toggle to make this the default data source for new panels. |

Connection settings

| Setting | Description |
| --- | --- |
| URL | The URL of your Splunk server, including the management port. For example: http://localhost:8089 or https://splunk-server.example.com:8089. |

Authentication

The data source supports multiple authentication methods. Choose the method that best fits your deployment.

| Method | Best for | Requires feature toggle |
| --- | --- | --- |
| Basic authentication | Most deployments | No |
| Authentication token | Token-based access without sharing passwords | No |
| Forward OAuth Identity | User-level auth via OAuth | Yes |

Note

Use TLS (Transport Layer Security) for an additional layer of security when working with Splunk. For information on setting up TLS encryption with Splunk, refer to Securing Splunk Enterprise.

Basic authentication

The most common authentication method. Use your Splunk username and password to connect. Avoid using the default administration account; create a dedicated user for Grafana with appropriate permissions.

Authentication token

Use an authentication token generated in Splunk instead of a username and password. Tokens let you provide access to environments without sharing standard credentials.

To configure token authentication:

  1. Generate a token in Splunk. Refer to Splunk’s Create authentication tokens documentation.
  2. In the data source configuration, enter the token in the Authentication token field under Alternative authentication.

Forward OAuth Identity

Forward the logged-in user’s OAuth token to Splunk for authentication. This enables user-level authentication without requiring separate Splunk credentials.

Note

Forward OAuth Identity is not enabled by default. For Grafana Cloud, contact Grafana Support to enable this feature. For self-managed Grafana Enterprise, enable the splunkEnableOAuthForwarding feature toggle in your Grafana configuration.

TLS configuration

The following TLS options are available:

| Setting | Description |
| --- | --- |
| Add self-signed certificate | Upload a CA certificate for verifying self-signed TLS certificates. |
| TLS client authentication | Toggle on to use mutual TLS. When enabled, provide the Server name, Client cert, and Client key. |
| Skip TLS certificate validation | Toggle on to bypass TLS certificate validation. Not recommended for production environments. |

Custom HTTP headers

Add custom HTTP headers to all requests sent to the data source. This is useful for custom authentication or routing requirements.

| Setting | Description |
| --- | --- |
| Header | The HTTP header name. |
| Value | The HTTP header value. |

Advanced options

The advanced options are available under the Additional settings section in the data source configuration.

Advanced HTTP settings

| Setting | Description | Default |
| --- | --- | --- |
| Allowed cookies | Specify cookies by name that should be forwarded to the data source. The Grafana proxy strips all forwarded cookies by default. | None |
| Timeout | The HTTP request timeout in seconds. This is the Grafana HTTP transport-level timeout, separate from the query timeout. | Unset (uses Grafana default) |

Query and performance options

| Setting | Description | Default |
| --- | --- | --- |
| Results limit | Maximum number of results returned from each data request. | No limit (backend safety cap: 10000) |
| Preview mode | Toggle on to get search results as they become available. Enables polling of the jobs/{search_id}/results_preview Splunk API endpoint. | Off |
| Async queries | Toggle on to periodically check for query results instead of waiting for the full result set. | Off |
| Min poll interval | Minimum polling interval in milliseconds when preview mode or async queries are enabled. | 500 |
| Max poll interval | Maximum polling interval in milliseconds when preview mode or async queries are enabled. | 3000 |
| Auto cancel timeout | Number of seconds a job can be inactive before Splunk automatically cancels it. Set to 0 to disable. | 30 |
| Timeout in seconds | Plugin-level query timeout in seconds. Controls how long a query can run before it is cancelled. Minimum value is 1. | 30 |
| Maximum status buckets | Maximum number of timeline status buckets generated per query. Set to 0 to disable timelines. | 300 |
| Filter internal fields | Toggle on to hide fields with names matching the internal field pattern. | Off |
| Internal field pattern | Regex pattern for identifying internal fields to filter. Only visible when Filter internal fields is enabled. | ^_.+ |
| Timestamp field | Field used by Grafana to determine event timestamps. Refer to Timestamp and time ranges for more information. | _time |
| Default earliest time | Earliest time for searches without a time range, such as template variable queries. | -1hr |

Search mode

There are two search mode settings:

  • Fields search mode: Sets the search mode for field queries. Options are quick and full.
  • Variables search mode: Sets the search mode for variable queries. Options:
    • fast: Turns field discovery off for event searches. No event or field data for stats searches.
    • smart: Turns field discovery on for event searches. No event or field data for stats searches.
    • verbose: Returns all event and field data.

Secure Socks Proxy

Note

This setting is only visible when the secureSocksDSProxyEnabled feature toggle is enabled in your Grafana configuration and you are running Grafana 10 or later.

Toggle on to route data source traffic through a secure SOCKS proxy.

Data links

Data links allow you to associate data with other Grafana data sources or external URLs. They are commonly used in Explore mode.

To set up a data link, click + Add under the Data links header in data source settings.

| Setting | Description |
| --- | --- |
| Field | The exact field name or a regular expression pattern that matches the field name. |
| Label | A meaningful label for the data link. |
| Regex | A regular expression to parse and capture part of a log message. Wrap the expression in // and include one set of brackets for the matching group. To match everything, use /(.*)/. |
| URL | Use ${__value.raw} to reference the captured value. |
| Internal link | Toggle on to link to another Grafana data source. Toggle off to link to an external URL. |

Click + Add to add multiple data links. Click the red X to remove a link.

Verify the connection

Click Save & test to verify the connection. On success, you see a message like:

Connected to Splunk version: “9.1.3” build: “d95b3bc7f6d0”

If the connection fails, refer to Troubleshoot the Splunk data source.

Provision the data source

You can define and configure the Splunk data source in YAML files as part of Grafana’s provisioning system. For more information about provisioning, refer to Provision Grafana.

Basic authentication example:

YAML
apiVersion: 1
datasources:
  - name: Splunk
    type: grafana-splunk-datasource
    access: proxy
    basicAuth: true
    basicAuthUser: <USERNAME>
    editable: true
    enabled: true
    jsonData:
      fieldSearchType: quick
      internalFieldsFiltration: true
      variableSearchLevel: fast
      previewMode: false
      maxResultCount: 999
    secureJsonData:
      basicAuthPassword: <PASSWORD>
    url: <SPLUNK_URL>

Token authentication example:

YAML
apiVersion: 1
datasources:
  - name: Splunk
    type: grafana-splunk-datasource
    access: proxy
    editable: true
    enabled: true
    jsonData:
      authType: custom-splunk
      fieldSearchType: quick
      variableSearchLevel: fast
    secureJsonData:
      authToken: <SPLUNK_AUTH_TOKEN>
    url: <SPLUNK_URL>

Note

When using token authentication in provisioning, you must set authType: custom-splunk in jsonData. Without this, the backend treats the configuration as basic authentication and ignores the authToken value.
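
A pre-deployment check for the provisioning pitfalls this page calls out, added here as an example and not part of Grafana's or the plugin's own code. It takes one parsed datasources entry as a Python dict and reports a token that would be ignored, a non-HTTPS URL, basic authentication as admin, and skipped certificate validation. The function name, finding codes and sample entries are constructed for illustration, and jsonData.tlsSkipVerify is assumed to be the key behind the Skip TLS certificate validation toggle.

```python
from urllib.parse import urlsplit

# Constructed sample entries mirroring the provisioning examples above,
# in the dict form you get after parsing the YAML file.
TOKEN_MISSING_AUTHTYPE = {
    "name": "Splunk",
    "type": "grafana-splunk-datasource",
    "url": "http://splunk-server.example.com:8089",
    "jsonData": {"fieldSearchType": "quick", "tlsSkipVerify": True},
    "secureJsonData": {"authToken": "<SPLUNK_AUTH_TOKEN>"},
}
TOKEN_OK = {
    "name": "Splunk",
    "type": "grafana-splunk-datasource",
    "url": "https://splunk-server.example.com:8089",
    "jsonData": {"authType": "custom-splunk", "fieldSearchType": "quick"},
    "secureJsonData": {"authToken": "<SPLUNK_AUTH_TOKEN>"},
}


def lint_splunk_datasource(ds):
    """Return a sorted list of finding codes for one provisioned data source."""
    findings = set()
    json_data = ds.get("jsonData") or {}
    secure = ds.get("secureJsonData") or {}

    # Page note: without authType: custom-splunk the backend treats the
    # entry as basic authentication and ignores authToken.
    if secure.get("authToken") and json_data.get("authType") != "custom-splunk":
        findings.add("token-ignored-missing-authtype")

    # Credentials and tokens travel to the management port; require TLS.
    if urlsplit(str(ds.get("url", ""))).scheme.lower() != "https":
        findings.add("url-not-https")

    # The page advises a dedicated Grafana user over the default
    # administration account (named "admin" on Splunk).
    if ds.get("basicAuth") and str(ds.get("basicAuthUser", "")).lower() == "admin":
        findings.add("basic-auth-default-admin")

    # Assumed key name: Grafana's generic jsonData.tlsSkipVerify.
    if json_data.get("tlsSkipVerify") is True:
        findings.add("tls-validation-skipped")

    return sorted(findings)
```

Run it over every entry under datasources in CI before the file reaches the provisioning directory, and fail the build on any non-empty result.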

Set query results limit

To improve performance, you can limit the number of returned results at multiple levels. The hierarchy from highest to lowest precedence is:

  1. The GF_PLUGIN_GRAFANA_SPLUNK_DATASOURCE_MAX_RESULT_LIMIT environment variable (self-managed only).
  2. The Results limit value in data source configuration.
  3. The per-query limit set in the query editor.

The default safety cap is 10000 results.

Note

Grafana Cloud does not support the GF_PLUGIN_GRAFANA_SPLUNK_DATASOURCE_MAX_RESULT_LIMIT environment variable. Use the Results limit setting in the data source configuration instead.