View individual log details and create a field extraction processor

Note

Customers with a Splunk Log Observer entitlement in Splunk Observability Cloud must transition from Log Observer to Log Observer Connect by December 2023. With Log Observer Connect, you can ingest more logs from a wider variety of data sources, enjoy a more advanced logs pipeline, and expand into security logging. See Splunk Log Observer transition to learn how.

After you find a set of log records that contain specific useful information, you can view the contents of an individual record to get a complete view of the data in the log, broken down by fields and values and displayed in JSON format in the Fields panel. You can also see the number of times each field appears in all of your logs.

Once you have identified an interesting field, you can perform a field extraction and use it to transform your data. See Transform your data with log processing rules for more information.

Note

Only customers with a Splunk Log Observer entitlement in Splunk Observability Cloud can create a field extraction processor. If you are using Log Observer Connect, you can view and search Splunk Cloud Platform or Splunk Enterprise data in Log Observer, but you cannot transform it.

To view the contents of an individual log record and create a field extraction rule, follow these steps:

  1. Select a log record line in the Logs table to display the Log Details panel.

    This panel displays the entire record in JSON format as well as a table of each field and its value.

  2. To do more with a particular field in the table, select the field value.

    Log Observer displays a drop-down list with 5 options:

    • To copy the field value to the clipboard, select Copy.

    • To filter the Logs table so it displays only log records containing the selected value, select Add to filter.

    • To filter the Logs table so it doesn’t display log records containing the selected value, select Exclude from filter.

    • To create a new log processing rule based on the selected field, select Extract Field. To learn more about extracting fields to create log processors, see Transform your data with log processing rules.

    • To add the field as a new column in the Logs table, select Add field as column.

    • To go to the appropriate view in Splunk Observability Cloud, select View <field_name>. For example, if you select a field related to Kubernetes, Observability Cloud displays related data in the Kubernetes Navigator. If you select fields related to APM, such as View trace_id or View span_id, Observability Cloud displays the trace or span in the APM Navigator.