Splunk® Enterprise

Search Manual

Troubleshoot observability previews

Following are some common issues that you can encounter when you try to set up or use Splunk Observability Cloud previews in Splunk Cloud Platform. Read this topic to learn how to resolve those issues.

You cannot add a Splunk Observability Cloud organization access token

You are either unable to get to the organization access token page in Splunk Observability Cloud or you cannot add the access token to the configuration page when setting up Splunk Observability Cloud previews.

You cannot add an organization access token if either of the following are true:

  • You do not have sc_admin capabilities in Splunk Cloud Platform.
  • There is already an organization access token in the configuration.

Solution

Ensure that the person setting up Splunk Observability Cloud previews in Splunk Cloud Platform has the sc_admin role in Splunk Cloud Platform. Ensure that there is not already an active token in the Access Token field of the configuration.

You cannot activate Automatic UI Updates (AUIU) for Splunk Observability Cloud

You cannot activate Automatic UI Updates if the following are true:

  • You do not have sc_admin capabilities in Splunk Cloud Platform.
  • There is no active access token in the configuration.

Solution

Ensure that the person setting up Splunk Observability Cloud previews in Splunk Cloud Platform has the sc_admin role in Splunk Cloud Platform. Ensure that there is an active token in the Access Token field of the configuration.

If 1) you have the sc_admin role in Splunk Cloud Platform, and 2) there is an active access token in the configuration, but you still cannot activate Automatic UI Updates, open a ticket with Splunk Support.

Error message: The token is no longer valid

Organization access tokens expire one year after the creation date. Your access token might be past the expiry date. See Create and manage organization access tokens using Splunk Observability Cloud for more information. You can rotate a token before it expires using Splunk Observability Cloud APIs. For details, see Org token in the developer documentation.

Solution

If you receive an error stating that the token is no longer valid, verify that the token is valid on the Splunk Observability Cloud token management page. To determine whether your token is active, go to the Splunk Observability Cloud token management page by selecting Settings and then selecting Access Tokens.

You can't rotate tokens after they expire. If you don't rotate a token before it expires, you must create a new token to replace it. See Create an access token to learn how.

Error message: Can't update remote UI opt in config

This error is likely caused by a temporary network dropout.

Solution

Check the network and reload the page.

Error message: Talk to your Splunk administrator

Only users with the sc_admin role in Splunk Cloud Platform can configure Splunk Observability Cloud previews. All other users receive this message when attempting to set up Splunk Observability Cloud previews.

Solution

Ask a Splunk Cloud Platform user with the sc_admin role to configure Splunk Observability Cloud previews.

You do not see Observability Cloud previews despite having an active access token and active Automatic UI Updates

Previews of Splunk Observability Cloud data display in the Related Content panel in the Search & Reporting application. If you do not see the Related Content panel, it is possible that your access token recently expired or an administrator deactivated Automatic UI Updates. Also, your log event data must have fields that map to the following fields:

  • host.name
  • service.name
  • trace_id
  • k8s.cluster.name
  • k8s.node.name
  • k8s.pod.name
  • container.id

Solution

Do the following to ensure that you can see the Related Content panel in Splunk Cloud Platform:

  • Check to see if the access token is still active.
  • Check to make sure that your Splunk Cloud Platform role has the read_o11y_content capability turned on.
  • Check to see that your log events have fields that map to each field listed in the preceding section. If you do not have fields that map the fields listed, take one of the following actions:

You cannot see the Related Content column when you expand an event in the Search app

If Related Content is active for your organization but you do not see the Related Content column when you expand an event in the Search app, your Splunk Cloud Platform role might not include all required capabilities.

Solution

In Splunk Cloud Platform, ensure that you have the following capabilities:

  • search
  • read_o11y_content
  • rest_properties_get
  • rest_access_server_endpoints
  • request_remote_tok

Note that these capabilities are turned on by default for the user role. Ensure that an administrator doesn't deactivate them.

Last modified on 09 July, 2024
Preview observability data   About searching with time

This documentation applies to the following versions of Splunk® Enterprise: 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters