Splunk Cloud Platform

Search Manual

Configure Splunk Observability Cloud previews

When Splunk Observability Cloud Related Content previews are set up, Splunk Cloud Platform users can see previews of observability data that correlates with search results in the Search & Reporting application (the Search app). An administrator must first connect your Splunk Cloud Platform and Splunk Observability Cloud accounts. Users can then see previews of observability data in a Related Content panel and jump into Splunk Observability Cloud in context for troubleshooting.

Prerequisites

To set up Splunk Observability Cloud Related Content in Splunk Cloud Platform, a user must have an administrator role in both Splunk Cloud Platform and Splunk Observability Cloud.

Connect accounts

To connect accounts and activate data correlation previews, an administrator must do the following:

1. In Splunk Observability Cloud, retrieve an access token. See Create and manage organization access tokens using Splunk Observability Cloud to learn how.

2. In Splunk Cloud Platform, select the Discover Splunk Observability Cloud application from the navigation panel.

3. Select Connect accounts.

4. In the Access Token field, paste the Splunk Observability Cloud access token you retrieved in step 1. In the Realm field, enter your Splunk Observability Cloud realm.

Supported realms include us0, us1, eu0, jp0, and au0.

5. Select Automatic UI updates, then turn on the toggle next to Splunk Observability Cloud and select Save. You must turn on automatic UI updates to see real-time Splunk Observability Cloud data in the Search app.

6. In Splunk Cloud Platform, ensure that the appropriate users have the read_o11y_content capability. Only users with the read_o11y_content capability in Splunk Cloud Platform can see preview data from Splunk Observability Cloud. Note that this capability is turned on for all users by default.
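
One way to review who holds the capability from step 6, as an added example that is not part of the Splunk documentation: it parses role data in the shape returned by the Splunk REST endpoint /services/authorization/roles (JSON output) and lists every role that holds read_o11y_content directly or by inheritance. The sample response, the role name contractor_ro, and the approved-role list are constructed for illustration.

```python
import json

CAPABILITY = "read_o11y_content"

# Constructed sample in the shape of /services/authorization/roles?output_mode=json.
# "contractor_ro" is a made-up role; values are illustrative only.
SAMPLE_ROLES_JSON = """
{"entry": [
  {"name": "user", "content": {"capabilities": ["search", "read_o11y_content"],
    "imported_capabilities": [], "imported_roles": []}},
  {"name": "power", "content": {"capabilities": ["schedule_search"],
    "imported_capabilities": ["search", "read_o11y_content"], "imported_roles": ["user"]}},
  {"name": "admin", "content": {"capabilities": ["edit_roles"],
    "imported_capabilities": ["search", "schedule_search", "read_o11y_content"],
    "imported_roles": ["power", "user"]}},
  {"name": "contractor_ro", "content": {"capabilities": ["search"],
    "imported_capabilities": [], "imported_roles": []}}
]}
"""

def audit_capability(roles_json, capability=CAPABILITY):
    """Map each role holding the capability to (grant type, inherited-from roles)."""
    entries = json.loads(roles_json).get("entry", [])
    content = {e["name"]: e.get("content", {}) for e in entries}
    # A role holds the capability if it is granted directly or imported.
    holders = {name for name, c in content.items()
               if capability in c.get("capabilities", [])
               or capability in c.get("imported_capabilities", [])}
    report = {}
    for name in sorted(holders):
        c = content[name]
        if capability in c.get("capabilities", []):
            report[name] = ("direct", [])
        else:
            # Imported roles that themselves carry the capability.
            via = sorted(set(c.get("imported_roles", [])) & holders)
            report[name] = ("inherited", via)
    return report

def unexpected_holders(report, approved_roles):
    """Roles that hold the capability but are not on the approved list."""
    return sorted(set(report) - set(approved_roles))

if __name__ == "__main__":
    report = audit_capability(SAMPLE_ROLES_JSON)
    for role, (grant, via) in report.items():
        print(f"{role}: {grant}" + (f" via {', '.join(via)}" if via else ""))
    print("review:", unexpected_holders(report, {"admin", "power"}))
```

The inherited-from list shows which roles lose the capability if it is removed from a parent role, which matters here because the capability is on for all users by default.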

Test your connection

After connecting your accounts, you can see previews of Splunk Observability Cloud data that correlates with your Splunk Cloud Platform logs.

To test the connection and preview capability, follow these steps:

1. Do a search in the Search & Reporting application in Splunk Cloud Platform.

2. Select a sample log to show details.

3. Next to any field for which there is correlated Splunk Observability Cloud data, you see the Preview link. Check for the Preview link next to the host.name, service.name, and trace_id fields.

4. Select Preview to open the Related Content panel.

The Related Content panel shows the following Splunk Observability Cloud data previews:

| Splunk Cloud Platform field | Splunk Observability Cloud related data |
| --- | --- |
| host.name | CPU utilization, memory usage, disk utilization, network bytes in, network bytes out, tags |
| service.name | Service dependency map, latency graph, error rate graph |
| trace_id | Errors, trace duration, service errors, top 10 operations |

Automatic field mapping

To correlate search results in the Search & Reporting app with related observability data, your field names for host, service, and trace ID must match the names for those fields in Splunk Observability Cloud. Automatic field mapping matches the Splunk Observability Cloud Related Content field keys (host.name, service.name, and trace_id) to alternative versions of those field names that your event data might use, such as host, service, or trace.id.

The following table shows which alternative field names will be automatically mapped to the Splunk Observability Cloud Related Content field keys, host.name, service.name, and trace_id:

| If your data has these field names | Splunk Observability Cloud maps them to these field names |
| --- | --- |
| host, hostname, host_name, hostid, host.id, host_id | host.name |
| service, servicename, service_name, serviceid, service.id, service_id, app, appname, app.name, app_name, appid, app.id, app_id, application, applicationid, application.id, application_id, applicationname, application.name, application_name | service.name |
| trace, trace.id, traceid | trace_id |

Related Content previews: Examples

The following sections show sample previews of observability data in the Search app and how to drill down on the data in context in Splunk Observability Cloud.

Host data previews

The following screenshot shows previews of host.name data from Splunk Observability Cloud on the Related Content panel:

This image shows a preview of host data from Splunk Observability Cloud in the Related Content panel.

Select Open in Infrastructure to open the host data in context in Splunk Infrastructure Monitoring.

Service data previews

The following screenshot shows previews of service.name data from Splunk Observability Cloud on the Related Content panel:

This image shows a preview of service name data from Splunk Observability Cloud in the Related Content panel.

Select Open in APM to open the service data in context in Splunk APM.

Trace data previews

The following screenshot shows previews of trace_id data from Splunk Observability Cloud on the Related Content panel:

This image shows a preview of trace data from Splunk Observability Cloud in the Related Content panel.

Select Open in APM to open the trace data in context in Splunk APM.

See also

To learn how to use Related Content to preview observability data, see Preview Splunk Observability Cloud data.

Last modified on 21 June, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2403

