Troubleshoot observability previews
The following are common issues that you might encounter when you set up or use Splunk Observability Cloud previews in Splunk Cloud Platform. Read this topic to learn how to resolve them.
You cannot add a Splunk Observability Cloud organization access token
You are either unable to get to the organization access token page in Splunk Observability Cloud or you cannot add the access token to the configuration page when setting up Splunk Observability Cloud previews.
You cannot add an organization access token if either of the following is true:
- You do not have sc_admin capabilities in Splunk Cloud Platform.
- There is already an organization access token in the configuration.
Solution
Ensure that the person setting up Splunk Observability Cloud previews in Splunk Cloud Platform has the sc_admin role in Splunk Cloud Platform. Ensure that there is not already an active token in the Access Token field of the configuration.
You cannot activate Automatic UI Updates (AUIU) for Splunk Observability Cloud
You cannot activate Automatic UI Updates if either of the following is true:
- You do not have sc_admin capabilities in Splunk Cloud Platform.
- There is no active access token in the configuration.
Solution
Ensure that the person setting up Splunk Observability Cloud previews in Splunk Cloud Platform has the sc_admin role in Splunk Cloud Platform. Ensure that there is an active token in the Access Token field of the configuration.
If you have the sc_admin role in Splunk Cloud Platform and there is an active access token in the configuration, but you still cannot activate Automatic UI Updates, open a ticket with Splunk Support.
Error message: The token is no longer valid
Organization access tokens expire one year after the creation date. Your access token might be past the expiry date. See Create and manage organization access tokens using Splunk Observability Cloud for more information. You can rotate a token before it expires using Splunk Observability Cloud APIs. For details, see Org token in the developer documentation.
Solution
If you receive an error stating that the token is no longer valid, verify that the token is valid on the Splunk Observability Cloud token management page. To determine whether your token is active, go to the Splunk Observability Cloud token management page by selecting Settings and then selecting Access Tokens.
You can't rotate tokens after they expire. If you don't rotate a token before it expires, you must create a new token to replace it. See Create an access token to learn how.
Error message: Can't update remote UI opt in config
This error is likely caused by a temporary network dropout.
Solution
Check the network and reload the page.
Error message: Talk to your Splunk administrator
Only users with the sc_admin role in Splunk Cloud Platform can configure Splunk Observability Cloud previews. All other users receive this message when attempting to set up Splunk Observability Cloud previews.
Solution
Ask a Splunk Cloud Platform user with the sc_admin role to configure Splunk Observability Cloud previews.
You do not see Observability Cloud previews despite having an active access token and active Automatic UI Updates
Previews of Splunk Observability Cloud data display in the Related Content panel in the Search & Reporting application. If you do not see the Related Content panel, it is possible that your access token recently expired or an administrator deactivated Automatic UI Updates. Also, your log event data must have fields that map to the following fields:
- host.name
- service.name
- trace_id
- k8s.cluster.name
- k8s.node.name
- k8s.pod.name
- container.id
Solution
Do the following to ensure that you can see the Related Content panel in Splunk Cloud Platform:
- Check to see if the access token is still active.
- Check to make sure that your Splunk Cloud Platform role has the read_o11y_content capability turned on.
- Check to see that your log events have fields that map to each field listed in the preceding section. If you do not have fields that map to the fields listed, take one of the following actions:
  - Turn on Auto Field Mapping. See the Field aliasing section of Configure Splunk Observability Cloud to learn how to turn on Auto Field Mapping.
  - Use field aliasing to map your corresponding fields to fields in the previous list. See Create field aliases in Splunk Web to learn how.
You cannot see the Related Content column when you expand an event in the Search app
If Related Content is active for your organization but you do not see the Related Content column when you expand an event in the Search app, your Splunk Cloud Platform role might not include all required capabilities.
Solution
In Splunk Cloud Platform, ensure that you have the following capabilities:
- search
- read_o11y_content
- rest_properties_get
- rest_access_server_endpoints
- request_remote_tok
Note that these capabilities are turned on by default for the user role. Ensure that an administrator has not deactivated them.
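The following Python check is an added example, not part of the original documentation. It resolves role inheritance and reports which of the five capabilities listed above each user lacks. The role data is constructed, and the key names (capabilities, imported_roles) and every role other than user are assumptions made for the example.

```python
import json

# Capabilities the page lists as required to see the Related Content column.
REQUIRED = {"search", "read_o11y_content", "rest_properties_get",
            "rest_access_server_endpoints", "request_remote_tok"}

# Constructed sample data. The key names and every role except "user" are
# assumptions made for this example, not values taken from a real deployment.
SAMPLE_ROLES = json.loads("""{
  "user": {"capabilities": ["search", "read_o11y_content", "rest_properties_get",
           "rest_access_server_endpoints", "request_remote_tok"], "imported_roles": []},
  "analyst": {"capabilities": ["schedule_search"], "imported_roles": ["user"]},
  "restricted": {"capabilities": ["search", "rest_properties_get"], "imported_roles": []},
  "loop_a": {"capabilities": ["search"], "imported_roles": ["loop_b"]},
  "loop_b": {"capabilities": [], "imported_roles": ["loop_a"]}
}""")
SAMPLE_USERS = {"alice": ["analyst"], "bob": ["restricted"],
                "carol": ["restricted", "user"]}


def effective_capabilities(role, roles, _seen=None):
    """Union of a role's own capabilities and those of every inherited role."""
    seen = set() if _seen is None else _seen
    if role in seen or role not in roles:  # stop on cycles and unknown roles
        return set()
    seen.add(role)
    caps = set(roles[role].get("capabilities", []))
    for parent in roles[role].get("imported_roles", []):
        caps |= effective_capabilities(parent, roles, seen)
    return caps


def missing_for_user(user_roles, roles):
    """Required capabilities that none of the user's roles grant."""
    granted = set()
    for role in user_roles:
        granted |= effective_capabilities(role, roles)
    return sorted(REQUIRED - granted)


def audit(assignments, roles):
    """Map each user to the required capabilities they lack (empty = fine)."""
    return {user: missing_for_user(rs, roles) for user, rs in assignments.items()}


if __name__ == "__main__":
    for user, missing in audit(SAMPLE_USERS, SAMPLE_ROLES).items():
        print(user, "ok" if not missing else "missing: " + ", ".join(missing))
```

A user whose only role omits the capabilities, such as the constructed restricted role, is the case that produces a missing Related Content column; adding the user role or granting the listed capabilities clears the report.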
This documentation applies to the following versions of Splunk® Enterprise: 9.4.0