Splunk Log Observer transition 🔗
All Splunk Log Observer customers, who are sending log data to Splunk Observability cloud today, must transition to using Splunk Cloud Platform or Splunk Enterprise as the central platform for logs by the end of December 2023. Splunk Observability Cloud will continue to support Log Observer functionality and user experience with Splunk Log Observer Connect as a bridge between Splunk Observability Cloud and Splunk Cloud Platform. Transitioning to the Splunk platform, whether it is Splunk Cloud Platform or Splunk Enterprise, as the back-end for log storage does not impact your ability to use Splunk Observability Cloud to correlate logs, metrics, and traces.
Using the Splunk platform allows you to ingest more logs from a wider variety of data sources, use a more advanced logs pipeline, and use logging for security use cases.
How to transition to Log Observer Connect 🔗
To transition to Splunk Log Observer Connect, you must take the following actions:
Reach out to your Splunk regional sales manager to request assistance with the transition. The deadline is November 15, 2023.
Connect your Splunk platform instance to your Log Observer Connect instance. See Set up Log Observer Connect for Splunk Cloud Platform or Set up Log Observer Connect for Splunk Enterprise, depending on the type of Splunk platform deployment you have.
If you have a Splunk Cloud Platform deployment, set up an HEC token to forward or mirror your existing Log Observer logs to Splunk Cloud Platform. See Forward Log Observer logs data to the Splunk platform to learn how.
Verify log data transfer 🔗
After completing the preceding steps, you can store data in both Log Observer and your Splunk platform instance for 30 days. During the 30-day window you can verify that the data in your Splunk platform instance from Log Observer Connect matches the Log Observer data. There is no disruption to your functionality during this time.
Changes in logging after the transition 🔗
After your transition to Log Observer Connect, you experience changes in the following logging functionality:
Log processing rules 🔗
You can continue using existing log processing rules. See Transform your data with log processing rules for more information. You can turn your existing log processing rules off and on. However, you cannot create new log processing rules or edit existing rules.
Going forward, you can process data in the Splunk platform using the following methods:
Processing method |
Documentation |
|---|---|
Field extractions |
|
Ingest actions |
|
.conf configuration |
|
Edge Processor |
|
Data Stream Processor |
Infinite logging rules 🔗
You can continue using existing infinite logging rules. See Archive your logs with infinite logging rules for more information. You can turn your existing infinite logging rules off and on. However, you cannot create new infinite logging rules or edit existing rules.
Going forward, determine the best option for your organization by discussing with your Splunk representative the following types of data storage:
Storage type |
Documentation |
|---|---|
Dynamic Data Active Archive |
See Store expired Splunk Cloud Platform data in a Splunk-managed archive |
Dynamic Data Self Storage |
See Store expired Splunk Cloud Platform data in your private archive |
Ingest actions |
Search-time processing rules 🔗
You cannot use search-time processing rules in the Log Observer Connect UI. Search-time rules are the application of log processing rules across historical data. See Apply processing rules across historical data for more information.
Going forward, you can utilize the following methods for processing data at search time in Splunk Cloud Platform:
Search-time processing method |
Documentation |
|---|---|
Field extractor |
|
Field aliases |
Live Tail 🔗
The Live Tail feature of Log Observer ends in January 2024. In Splunk Cloud Platform, you can achieve similar functionality by adjusting the time range picker to All time (real-time) or 30 second window. You must select Search again and rerun your search to see the most recent log events because live events do not stream in unprompted. For more information, see Select time ranges to apply to your search