Configure the Splunk data source
This document explains how to configure the Splunk data source in Grafana.
Before you begin
Before configuring the data source, ensure you have:
- Grafana permissions: Organization administrator role.
- Splunk account: A Splunk account with credentials (username and password or an authentication token).
- Network access: Port 8089 enabled on your Splunk instance.
Key concepts
If you’re new to Splunk, these terms are used throughout the configuration:
Add the data source
To install the plugin, refer to Install the Splunk data source. For general information on adding a data source, refer to Add a data source.
To add the Splunk data source, complete the following steps:
- Click Connections in the left-side menu.
- Under Connections, click Add new connection.
- Enter Splunk in the search bar.
- Select Splunk data source.
- Click Add new data source in the upper right.
You are taken to the Settings tab where you set up your Splunk configuration.
Configuration options
The following sections describe the available configuration options.
General settings
Connection settings
Authentication
The data source supports multiple authentication methods. Choose the method that best fits your deployment.
Note
Use TLS (Transport Layer Security) for an additional layer of security when working with Splunk. For information on setting up TLS encryption with Splunk, refer to Securing Splunk Enterprise.
Basic authentication
The most common authentication method. Use your Splunk username and password to connect. Avoid using the default administration account; create a dedicated user for Grafana with appropriate permissions.
Authentication token
Use an authentication token generated in Splunk instead of a username and password. Tokens let you provide access to environments without sharing standard credentials.
To configure token authentication:
- Generate a token in Splunk. Refer to Splunk’s Create authentication tokens documentation.
- In the data source configuration, enter the token in the Authentication token field under Alternative authentication.
Forward OAuth Identity
Forward the logged-in user’s OAuth token to Splunk for authentication. This enables user-level authentication without requiring separate Splunk credentials.
Note
Forward OAuth Identity is not enabled by default. For Grafana Cloud, contact Grafana Support to enable this feature. For self-managed Grafana Enterprise, enable the splunkEnableOAuthForwarding feature toggle in your Grafana configuration.
TLS configuration
The following TLS options are available:
Custom HTTP headers
Add custom HTTP headers to all requests sent to the data source. This is useful for custom authentication or routing requirements.
Advanced options
The advanced options are available under the Additional settings section in the data source configuration.
Advanced HTTP settings
Query and performance options
Search mode
There are two search mode settings:
- Fields search mode: Sets the search mode for field queries. Options are quick and full.
- Variables search mode: Sets the search mode for variable queries. Options:
  - fast: Turns field discovery off for event searches. No event or field data for stats searches.
  - smart: Turns field discovery on for event searches. No event or field data for stats searches.
  - verbose: Returns all event and field data.
Secure Socks Proxy
Note
This setting is only visible when the secureSocksDSProxyEnabled feature toggle is enabled in your Grafana configuration and you are running Grafana 10 or later.
Toggle on to route data source traffic through a secure SOCKS proxy.
Data links
Data links allow you to associate data with other Grafana data sources or external URLs. They are commonly used in Explore mode.
To set up a data link, click + Add under the Data links header in data source settings.
Click + Add to add multiple data links. Click the red X to remove a link.
Verify the connection
Click Save & test to verify the connection. On success, you see a message like:
Connected to Splunk version: “9.1.3” build: “d95b3bc7f6d0”
If the connection fails, refer to Troubleshoot the Splunk data source.
Provision the data source
You can define and configure the Splunk data source in YAML files as part of Grafana’s provisioning system. For more information about provisioning, refer to Provision Grafana.
Basic authentication example:
apiVersion: 1
datasources:
  - name: Splunk
    type: grafana-splunk-datasource
    access: proxy
    basicAuth: true
    basicAuthUser: <USERNAME>
    editable: true
    enabled: true
    jsonData:
      fieldSearchType: quick
      internalFieldsFiltration: true
      variableSearchLevel: fast
      previewMode: false
      maxResultCount: 999
    secureJsonData:
      basicAuthPassword: <PASSWORD>
    url: <SPLUNK_URL>
Token authentication example:
apiVersion: 1
datasources:
  - name: Splunk
    type: grafana-splunk-datasource
    access: proxy
    editable: true
    enabled: true
    jsonData:
      authType: custom-splunk
      fieldSearchType: quick
      variableSearchLevel: fast
    secureJsonData:
      authToken: <SPLUNK_AUTH_TOKEN>
    url: <SPLUNK_URL>
Note
When using token authentication in provisioning, you must set authType: custom-splunk in jsonData. Without this, the backend treats the configuration as basic authentication and ignores the authToken value.
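The following check is an added example, not part of the plugin or of Grafana. It audits an already-parsed provisioning file for the token fallback described in the note, for use of the default administration account, and for a non-TLS URL. The finding names, the host names in the sample, and the assumption that the default account is named admin are illustrative.

```python
# Added example: audit a parsed Splunk data source provisioning file.
# Input is the dict a YAML parser (for example yaml.safe_load) would return.
from urllib.parse import urlparse

PLUGIN_TYPE = "grafana-splunk-datasource"

def audit_datasource(ds):
    """Return a list of findings for one entry under `datasources`."""
    findings = []
    json_data = ds.get("jsonData") or {}
    secure = ds.get("secureJsonData") or {}
    # A token without authType: custom-splunk is ignored; the backend
    # treats the entry as basic authentication.
    if "authToken" in secure and json_data.get("authType") != "custom-splunk":
        findings.append("token-ignored")
    # The page advises a dedicated user instead of the default administration
    # account (assumed here to be named "admin").
    if ds.get("basicAuth") and str(ds.get("basicAuthUser", "")).lower() == "admin":
        findings.append("default-admin-account")
    # Credentials or tokens accompany every request, so require an https URL.
    if urlparse(str(ds.get("url", ""))).scheme != "https":
        findings.append("no-tls")
    return findings

def audit_provisioning(doc):
    """Map data source name -> findings for every Splunk entry in the file."""
    report = {}
    for ds in doc.get("datasources") or []:
        if ds.get("type") == PLUGIN_TYPE:
            report[ds.get("name", "<unnamed>")] = audit_datasource(ds)
    return report

# Constructed sample: a misconfigured token entry, its corrected form,
# and an unrelated data source that the audit must skip.
SAMPLE = {
    "apiVersion": 1,
    "datasources": [
        {"name": "Splunk-broken", "type": PLUGIN_TYPE, "access": "proxy",
         "jsonData": {"fieldSearchType": "quick"},
         "secureJsonData": {"authToken": "<SPLUNK_AUTH_TOKEN>"},
         "url": "http://splunk.example.internal:8089"},
        {"name": "Splunk-fixed", "type": PLUGIN_TYPE, "access": "proxy",
         "jsonData": {"authType": "custom-splunk", "fieldSearchType": "quick"},
         "secureJsonData": {"authToken": "<SPLUNK_AUTH_TOKEN>"},
         "url": "https://splunk.example.internal:8089"},
        {"name": "Prometheus", "type": "prometheus", "url": "http://prom:9090"},
    ],
}

if __name__ == "__main__":
    for name, findings in audit_provisioning(SAMPLE).items():
        print(name, findings or "ok")
```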
Set query results limit
To improve performance, you can limit the number of returned results at multiple levels. The hierarchy from highest to lowest precedence is:
- The GF_PLUGIN_GRAFANA_SPLUNK_DATASOURCE_MAX_RESULT_LIMIT environment variable (self-managed only).
- The Results limit value in data source configuration.
- The per-query limit set in the query editor.
The default safety cap is 10000 results.
Note
Grafana Cloud does not support the GF_PLUGIN_GRAFANA_SPLUNK_DATASOURCE_MAX_RESULT_LIMIT environment variable. Use the Results limit setting in the data source configuration instead.


