Ingest Google Cloud Platform log data
Splunk Log Observer is no longer available for new users. If you have a Log Observer entitlement, you must transition to Splunk Cloud Platform or Splunk Enterprise. Read more at Splunk Log Observer transition.
You can also use the Data Manager to send GCP logs to Splunk Platform. Learn how at Onboard GCP in Data Manager.
To send GCP logging data to Splunk Observability Cloud’s Log Observer, create a Pub/Sub subscription and use the Pub/Sub to Splunk Dataflow template to create a Dataflow job. The Dataflow job takes messages from the Pub/Sub subscription, converts payloads into Splunk HTTP Event Collector (HEC) event format, and forwards them to Splunk Observability Cloud, where the whole event (JSON payload and its information) is ingested.
Splunk Observability Cloud only supports push-based GCP log export. To learn more, see Scenarios for exporting Cloud Logging data: Splunk.
Ingest logs from GCP
To send GCP logs to Splunk Observability Cloud:
Use the example gcloud command provided in Option A: Stream logs using Pub/Sub to Splunk Dataflow.
Apply the command with the following changes:
Change the token in the sample syntax (token=your-splunk-hec-token) to a Splunk Observability Cloud organization access token with ingest permission. For more information about organization access tokens, see Create and manage organization access tokens using Splunk Observability Cloud.
Change the URL in the sample syntax (url=your-splunk-hec-url) to point to the real-time log data ingest endpoint for Splunk Observability Cloud:
Manage delivery failures
Any response code that is not 2xx, including throttling, indicates a message delivery failure.
If message delivery fails, see how to handle delivery failures of log exports to Splunk using Dataflow at GCP documentation.
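The token and URL substitutions described under "Ingest logs from GCP", as an added example that is not taken from the Splunk or Google documentation: a dry-run helper that checks both values and prints the resulting gcloud command for review instead of running it. The function names are hypothetical, the flags and template parameters other than token and url are the gcloud and Pub/Sub to Splunk template ones rather than anything stated on this page, and the ingest URL is whatever the caller passes in.

```shell
#!/bin/sh
# Added example: builds, but does not run, the Dataflow job command.
# Every argument is a caller-supplied placeholder; the printed command
# contains the access token, so treat the output as a secret.

# build_params SUBSCRIPTION DEADLETTER_TOPIC INGEST_URL TOKEN
# Prints the comma-separated --parameters value, or fails on bad input.
build_params() {
    sub=$1; dlt=$2; url=$3; token=$4
    # The token travels with every request, so refuse a non-TLS endpoint.
    case $url in
        https://*) ;;
        *) echo "url must start with https://" >&2; return 1 ;;
    esac
    # Reject an empty token or the untouched placeholder from the sample.
    case $token in
        ""|your-splunk-hec-token) echo "token not set" >&2; return 1 ;;
    esac
    # A comma would split the --parameters list and corrupt the job config.
    case "$sub$dlt$url$token" in
        *,*) echo "values must not contain commas" >&2; return 1 ;;
    esac
    printf 'inputSubscription=%s,outputDeadletterTopic=%s,url=%s,token=%s' \
        "$sub" "$dlt" "$url" "$token"
}

# build_command JOB_NAME REGION SUBSCRIPTION DEADLETTER_TOPIC INGEST_URL TOKEN
# Prints the full gcloud invocation on one line for review.
build_command() {
    params=$(build_params "$3" "$4" "$5" "$6") || return 1
    printf 'gcloud dataflow jobs run %s --region=%s --gcs-location=%s --parameters %s\n' \
        "$1" "$2" "gs://dataflow-templates/latest/Cloud_PubSub_to_Splunk" "$params"
}
```
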