Splunk query editor
The Splunk query editor lets you create and run queries using Splunk’s Search Processing Language (SPL) in two modes: Search mode and Events mode. If you’re getting started with SPL, refer to Splunk’s Search reference for guidance.
Before you begin
- Configure the Splunk data source.
- Verify your Splunk credentials have appropriate permissions to run searches.
Key concepts
If you’re new to Splunk, these terms are used throughout the query editor:
Query modes
The query editor supports two modes:
- Search mode: For metrics and time-series queries. Supports both raw SPL and a visual query builder.
- Events mode: For log and annotation queries. Supports raw SPL only.
Search mode
Search mode provides two editing experiences: a raw SPL editor and a visual query builder.
Raw SPL editor
The following options are available in the raw SPL editor:
The SPL editor includes autocomplete that provides suggestions from Splunk’s typeahead API, Grafana template variables, and built-in SPL commands.
Search query example:
index=sales_data_index action=purchase | stats sum(bytes) BY host
Visual query builder
Click the pencil icon in the upper right of the query editor to toggle the visual query builder. The builder generates SPL automatically based on your selections.

The visual query builder provides the following options:
Aggregation functions
The visual builder supports the following aggregation functions:
Statistical: avg, count, distinct_count, estdc, estdc_error, max, mean, median, min, mode, perc95, range, stdev, stdevp, sum, sumsq, var, varp
Event ordering: earliest, first, last, latest
Events mode
Events mode is designed for log and annotation queries. Unlike Search mode, Events mode doesn’t include a visual query builder.
The following options are available:
Example event search query:
index=os sourcetype=iostat | where total_ops > 400
index=os sourcetype=iostat | where total_ops > $io_threshold
Example using Event field as text with Regex:
Event field as text: _raw
Regex: WirelessRadioManagerd\[\d*\]: (.*)
View As (Explore only)
When using the query editor in Explore, the View As selector lets you control how results are displayed. This option isn’t available in the dashboard panel editor.
Common options
The following options are available in both query modes.
Add queries
Click + Add query to add multiple queries in the query editor.
Query history
The query editor keeps a history of your Splunk queries:
- Query history: Displays your recent queries. Queries are kept for two weeks unless starred. The editor shows 100 queries at a time and is paginated, with an overall limit of 200,000 records.
- Starred: Starred queries are kept beyond the two-week limit.
- Settings: Toggle to change the default active tab from “Query history” to “Starred”.
Query inspector
Click Query inspector to view detailed statistics about your query, including query statistics under Stats, request response time under Query, data frame details under {} JSON, and the shape of your data under Data.
Work with Splunk data
The following sections describe additional commands and options for working with Splunk data in the query editor.
Timechart
Use the timechart command to generate a statistical aggregation table from time-series data. Refer to the timechart command overview and timechart reference in Splunk’s documentation.
Example:
index=os sourcetype=cpu | timechart span=1m avg(pctSystem) as system, avg(pctUser) as user, avg(pctIowait) as iowait
index=os sourcetype=ps | timechart span=1m limit=5 useother=false avg(cpu_load_percent) by process_name
Splunk metrics and mstats
Starting with version 7.x, Splunk introduced the mstats command for analyzing metrics, which you combine with the timechart command. You must also set the prestats=t option as shown in the following example:
Current syntax:
| mstats prestats=t avg(disk.disk_ops.read) avg(disk.disk_ops.write) WHERE index="collectd" by metric_name span=1m
| timechart avg(disk.disk_ops.read) avg(disk.disk_ops.write) span=1m
Deprecated syntax:
| mstats prestats=t avg(_value) AS Value WHERE index="collectd" metric_name="disk.disk_ops.read" OR metric_name="disk.disk_ops.write" by metric_name span=1m
| timechart avg(_value) span=1m by metric_name
For more information about the mstats command, refer to Splunk’s mstats documentation.
Result format
The data source automatically determines the result format based on the Splunk response:
- Time series: When the response contains date fields, results are formatted as time-series data suitable for graph visualizations.
- Logs: When the response contains a _raw field, results are formatted as log data.
- Table: When using the stats command or returning raw events with fields, results are formatted as tabular data similar to the Statistics tab in Splunk UI.
You can override the automatic detection using the View As selector in Explore mode.
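The detection rules above, written out as a small classifier over sample result rows. This is an added illustration, not the Grafana Splunk data source's own code: the page states that detection is automatic but not the order in which the rules are applied, so the precedence used here (a _raw field wins, then a date field, then table) and the ISO-8601 timestamp check are assumptions, and the result rows are constructed for the example.

```python
"""Classify a Splunk search response into the result formats described above.

Added illustration only, not the data source's implementation: the precedence
(logs, then time series, then table) and the timestamp heuristic are assumed.
"""
from datetime import datetime
from typing import Dict, List


def _is_timestamp(value: object) -> bool:
    """True if the value parses as an ISO-8601 timestamp (the shape of _time)."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def _date_fields(rows: List[Dict[str, str]]) -> List[str]:
    """Names of fields whose value looks like a timestamp in every row that has it."""
    names = set()
    for row in rows:
        names.update(row.keys())
    return sorted(
        name for name in names
        if all(_is_timestamp(row[name]) for row in rows if name in row)
    )


def detect_result_format(rows: List[Dict[str, str]]) -> str:
    """Return "logs", "timeseries" or "table" for a list of Splunk result rows."""
    if not rows:
        return "table"                      # nothing to plot, show an empty table
    if any("_raw" in row for row in rows):
        return "logs"                       # raw events carry the full event text
    if _date_fields(rows):
        return "timeseries"                 # a date field (e.g. _time) makes it plottable
    return "table"                          # stats / fields output without a time column


# Constructed sample responses, shaped like the three cases the page lists.
TIMECHART_ROWS = [
    {"_time": "2024-05-01T10:00:00.000+00:00", "system": "3.2", "user": "10.5"},
    {"_time": "2024-05-01T10:01:00.000+00:00", "system": "2.9", "user": "11.0"},
]
RAW_EVENT_ROWS = [
    {"_time": "2024-05-01T10:00:05.000+00:00", "host": "web01",
     "_raw": "May  1 10:00:05 web01 app[1234]: connection refused"},
]
STATS_ROWS = [
    {"sourcetype": "splunkd", "count": "42"},
    {"sourcetype": "access_combined", "count": "17"},
]


def classify_samples() -> Dict[str, str]:
    """Run the classifier over the constructed samples."""
    return {
        "timechart": detect_result_format(TIMECHART_ROWS),
        "raw_events": detect_result_format(RAW_EVENT_ROWS),
        "stats": detect_result_format(STATS_ROWS),
    }


if __name__ == "__main__":
    for name, fmt in classify_samples().items():
        print(f"{name}: {fmt}")
```

The raw-event sample also carries a _time field, which is why the precedence matters: checking for _raw first keeps log rows from being rendered as a time series, and the View As selector remains the way to force a different format when the heuristic guesses wrong.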
Table query examples:
index="_internal" sourcetype="scheduler" | fields host, source
index="_internal" sourcetype="splunkd_access" | stats avg(bytes) as bytes, avg(file) as file by status
Refer to the stats command reference in Splunk’s documentation for more information.
Common query examples
The following examples demonstrate common use cases for Splunk queries in Grafana.
Monitor error rates over time:
index=main log_level=ERROR | timechart span=5m count as error_count
Track system CPU usage:
index=os sourcetype=cpu | timechart span=1m avg(pctSystem) as system, avg(pctUser) as user
View top sourcetypes by event volume:
index=* | stats count by sourcetype | sort -count | head 10
Search logs for a specific error pattern:
index=main sourcetype=application "connection refused" OR "timeout" | fields _time, host, _raw
Monitor Splunk indexing throughput:
index=_internal sourcetype=splunkd group=thruput | timechart span=1m sum(kb) as throughput_kb
Annotations
You can use Splunk queries and fired alerts as annotations on Grafana graphs. For setup instructions, refer to Splunk annotations.
Import queries from other data sources
The Splunk query editor can import queries from Prometheus and Loki data sources. This converts label selectors into SPL format, making it easier to migrate existing queries to Splunk.
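A worked example of what such a conversion involves, added here for illustration; it is not the Grafana Splunk data source's own import code. The page only says that label selectors are converted into SPL, so the operator mapping used below is an assumption: = and != become field filters in the base search, while =~ and !~ become SPL regex commands. The selector strings are constructed inputs.

```python
"""Convert a Prometheus/Loki stream selector such as {job="app", env!="dev"}
into an SPL search fragment.

Added illustration only: the exact mapping the data source applies is not on
the page, so the operator-to-SPL mapping here is an assumption of this example.
"""
import re
from typing import List, Optional

# One `label<op>"value"` clause with a PromQL-style escaped string value,
# followed by a comma or the end of the selector body.
_CLAUSE_RE = re.compile(
    r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=~|!~|!=|=)\s*"((?:[^"\\]|\\.)*)"\s*(?:,|$)'
)


def _unescape(raw: str) -> str:
    """Undo the selector's backslash escapes for quote and backslash only;
    other backslash sequences (regex classes like \\d) are kept as written."""
    return re.sub(r'\\(["\\])', r'\1', raw)


def _quote(value: str) -> str:
    """Quote a value for SPL, escaping embedded double quotes so that a label
    value cannot terminate the string and smuggle extra search terms into the
    generated query (assumed SPL quoting convention)."""
    return '"' + value.replace('"', '\\"') + '"'


def selector_to_spl(selector: str, index: Optional[str] = None) -> str:
    """Translate a stream selector into SPL; raises ValueError on bad input."""
    body = selector.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a {label=...} selector")
    body = body[1:-1].strip()

    terms: List[str] = []       # equality / inequality filters for the base search
    regex_cmds: List[str] = []  # regex matchers, expressed with the SPL regex command
    if index is not None:
        terms.append(f"index={_quote(index)}")

    pos = 0
    while pos < len(body):
        match = _CLAUSE_RE.match(body, pos)
        if match is None:
            raise ValueError(f"unparseable selector near: {body[pos:pos + 20]!r}")
        label, op, raw = match.groups()
        value = _unescape(raw)
        if op == "=":
            terms.append(f"{label}={_quote(value)}")
        elif op == "!=":
            terms.append(f"{label}!={_quote(value)}")
        elif op == "=~":
            regex_cmds.append(f"regex {label}={_quote(value)}")
        else:  # "!~"
            regex_cmds.append(f"regex {label}!={_quote(value)}")
        pos = match.end()

    search = " ".join(terms) if terms else "*"
    return " | ".join([search, *regex_cmds])


if __name__ == "__main__":
    # Constructed selectors, including a regex matcher and an escaped quote.
    print(selector_to_spl('{job="app", env!="dev", instance=~"web-\\d+"}', index="main"))
    print(selector_to_spl('{msg="say \\"hi\\""}'))
```

Only the stream selector is handled; a Loki line filter such as |= "error" after the closing brace is rejected rather than silently dropped, which is the safer failure mode for an import tool because the user sees that part of the query still needs to be rewritten by hand.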
Next steps
- Template variables: Create dynamic dashboards with drop-down filters.
- Annotations: Overlay Splunk events and alerts on graphs.
- Alerting: Set up alert rules based on Splunk queries.
- Troubleshooting: Solutions for common query issues.