Running test environment
In order to get test environment up and running, see docker directory.
Table Of Contents
Data Source Config
When configuring the Data Source, ensure the URL field utilizes
https and points to the your configured Splunk port. The default Splunk API point is 8089, not 8000 (this is default web UI port). Enable Basic Auth and specify Splunk username and password.
Browser (direct) access mode and CORS
If you are using CORS, you'll need to configure the Splunk server to allow Grafana to communicate with it using a CORS connection. To do this, add your web site's address as a trusted HTTP origin to the crossOriginSharingPolicy attribute in the server.conf configuration file.
For example, add this stanza to the $SPLUNK_HOME/etc/system/local/server.conf configuration file, then restart Splunk:
[httpServer] crossOriginSharingPolicy = http://localhost:3000
See more info in original article Communicate with the Splunk server for apps outside of Splunk Web
Note: we don't recommend to use browser (direct) access mode. It almost always is better to connect to Splunk via Grafana backend in server (proxy) access mode. Use browser (direct) only if you really need it and know how it works.
Enable stream mode if you want to get search results as they become available. Note!!! This is experimental feature, don't enable it until you really need it.
Run search and then periodically check for result. Under the hood this option runs
search/jobs API call wiht
exec_mode set to
normal. In this case API request returns job SID, and then Grafana checks job status time to time,
in order to get job result. This option may be helpful for slow queries. By default this option is disabled and Grafana
oneshot which allows returning search result in the same API call. See more about
search/jobs API endpoint in Splunk docs
Search polling interval
This option allow to adjust how often Grafana will poll splunk for search results. Time for next poll choosing randomly from [min, max) interval. If you run a lot of heavy searches, it makes sense to increase these values. Tips: increase Min if search jobs execution takes a long time, and Max if you run a lot of parallel searches (a lot of splunk metrics on Grafana dashboard). Default is [500, 3000) milliseconds interval.
If specified, the job automatically cancels after this many seconds of inactivity (0 means never auto-cancel). Default is 30.
The most status buckets to generate. 0 indicates to not generate timeline information. Default is 300.
Fields search mode
When you use visual query editor, data source attempts to get list of available fields for selected source type.
- quick - use first available result from preview
- full - wait for job finish and get full result.
Default earliest time
Some searches can't use dashboard time range (such as template variable queries). This option helps to prevent search for all time, which can slow down Splunk. The syntax is an integer and a time unit
[+|-]<time_integer><time_unit>. For example
-1w. Time unit can be
s, m, h, d, w, mon, q, y.
Variables search mode
Search mode for template variable queries. Possible values:
- fast - Field discovery off for event searches. No event or field data for stats searches.
- smart - Field discovery on for event searches. No event or field data for stats searches.
- verbose - All event & field data.
Query editor support two modes: raw and visual. To switch between these modes click hamburger icon at the right side of editor and select Toggle Editor Mode.
timechart command for timeseries data. For example:
index=os sourcetype=cpu | timechart span=1m avg(pctSystem) as system, avg(pctUser) as user, avg(pctIowait) as iowait index=os sourcetype=ps | timechart span=1m limit=5 useother=false avg(cpu_load_percent) by process_name
Queries support template variables:
sourcetype=cpu | timechart span=1m avg($cpu)
Keep in mind that Grafna is timeseries-oriented application and your search should return timeseries data (timestamp and value) or single value. You can read about timechart command and find more search examples in official Splunk Search Reference
There are two supported result format modes - Time series (default) and Table. Table mode suitable for using with Table panel when you want to display aggregated data. That works with raw events (returns all selected fields) and
stats search function, which returns table-like data. Examples:
index="os" sourcetype="vmstat" | fields host, memUsedMB index="os" sourcetype="ps" | stats avg(PercentProcessorTime) as "CPU time", latest(process_name) as "Process", avg(UsedBytes) as "Memory" by PID
Result is similar to Statistics tab in Splunk UI.
Read more about
stats function usage in Splunk Search Reference
This mode provide easy to use step-by-step search creating. Note, that this mode creates
timechart splunk search. Just select index, source type, and metrics, and set split by fields if you want.
You can add multiple metrics to search by clicking plus button at the right side of metric row. Metric editor contains list of frequently used aggregations, but you can specify here any other function. Just click on agg segment (
avg by default) and type what you need. Select interested field from dropdonw (or type) and set alias if you want.
Split by and Where
If you set Split by field and use Time series mode, Where editor will be available. Click plus and select operator, aggregation and value, for example Where avg in top 10. Note, this Where clause is a part of Split by. See more at timechart docs.
To change default timechart options, click Options at last row: See more about these options in timechart docs.
Rendered splunk search
Click on target letter at the left to collapse editor and show rendered splunk search.
Use annotations if you want to show Splunk alerts or events on graph. Annotation can be either predefined Splunk alert or regular splunk search.
Specify alert name or leave field blank to get all fired alerts. Template variables are supported.
Use splunk search to get needed events, for example:
index=os sourcetype=iostat | where total_ops > 400 index=os sourcetype=iostat | where total_ops > $io_threshold
Template variables are supported.
Event field as text option suitable if you want to use field value as annotation text. For example, error message text from logs:
Event field as text: _raw Regex: WirelessRadioManagerd\[\d*\]: (.*)
Regex allows to extract a part of message.
Template variables feature supports Splunk queries which return list of values, for example with
index=os sourcetype="iostat" | stats values(Device)
This query returns list of
Device field values from
iostat source. Then you can use these device names for timeseries queries or annotations.
There're two possible types of variable queries can be used in Grafana. First is a simple query (as present above) which retunrs a list of values. Second type is a query that can create a key/value variable. The query should return two columns that are named
_text column value should be unique (if it is not unique then the first value is used). The options in the dropdown will have a text and value that allows you to have a friendly name as text and an id as the value.
For instance, this search returns table with columns
Name (Docker container name) and
Id (container id):
source=docker_inspect | stats count latest(Name) as Name by Id | table Name, Id
In order to use container name as a visible value for variable and id as it's real value, query should be modified, like:
source=docker_inspect | stats count latest(Name) as Name by Id | table Name, Id | rename Name as "_text", Id as "_value"
It's possible to use multi-value variables in queries. An interpolated search will be depending on variable usage context. There are a number of that contexts which plugin supports. Assume there's a variable
$container with selected values
- Basic filter for
source=docker_stats $container => source=docker_stats (foo OR bar)
- Field-value filter
source=docker_stats container_name=$container => source=docker_stats (container_name=foo OR container_name=bar)
- Field-value filter with the
source=docker_stats container_name IN ($container) => source=docker_stats container_name IN (foo, bar) source=docker_stats | where container_name in($container) => source=docker_stats | where container_name in(foo, bar)
Multi-value variables and quotes
If variable wrapped in quotes (both double or single), its values also will be quoted:
source=docker_stats container_name="$container" => source=docker_stats (container_name="foo" OR container_name="bar") source=docker_stats container_name='$container' => source=docker_stats (container_name='foo' OR container_name='bar')