Forward Log Observer logs data to the Splunk platform 🔗
Note
Customers with a Splunk Log Observer entitlement in Splunk Observability Cloud must transition from Log Observer to Log Observer Connect by December 2023. With Log Observer Connect, you can ingest more logs from a wider variety of data sources, enjoy a more advanced logs pipeline, and expand into security logging. See Splunk Log Observer transition to learn how.
The Log Observer transition allows customers to analyze their Log Observer logs in the Splunk platform while still maintaining the ability to analyze them in Log Observer. Current Log Observer customers can forward their Log Observer logs data to a single index in a single instance of the Splunk platform. Splunk Observability Cloud uses an HEC token to forward new incoming Log Observer logs data to the Splunk platform in addition to storing it in Log Observer.
To forward logs data from Log Observer to the Splunk platform, you must do the following:
Create an HEC ingest token in the Splunk platform
Authenticate the connection to HEC in Splunk Observability Cloud
Create an HEC ingest token in the Splunk platform 🔗
Follow the steps below to create an HEC ingest token in the Splunk platform:
Log in to your Splunk platform instance, select Settings.
Select Add Data > Monitor > HTTP Event Collector.
In the Name field, enter a name for the token.
(Optional) In the Source name override field, you can enter a custom name for the event data’s source. The source field contains automatically generated information such as the log file path, network device, or application generating the log event, but you can override the value of the source name.
(Optional) In the Description field, enter a description for the logs data.
(Optional) If you want to activate indexer acknowledgment for this token, select Enable indexer acknowledgment, then select Next. Indexer acknowledgement can impact the timeliness of data forwarding and Splunk does not recommend it for the Log Observer forwarding use case.
Ensure that the source type is correct.
Install the
olly_logsapp on your Splunk Cloud Platform instance.To learn how, follow Manage private apps on your Splunk Cloud Platform deployment .
Contact support to obtain the private app package for Observability Logs - prepackaged transformations.
Ensure that the index for Log Observer logs data is in the Allowed indexes list and select it as the default index. It’s best practice to create a new index for Log Observer logs data.
For more information on source types and indexes, see Modify input settings .
Select Review and confirm that all settings for the HEC endpoint are what you want.
If all settings are correct, select Submit. Otherwise, select Back to make changes.
Copy the token value that Splunk Web displays and paste it in the HEC Ingest Token field. You must use it in the next section.
(Optional) If you want to see the progress of the new token’s deployment to your Splunk platform instance, select Track deployment progress on the Splunk platform token settings page. When you see a status of “Done”, you can then use the token to send your Log Observer data.
To learn more about HEC Ingest tokens for Splunk Cloud or Splunk Enterprise, see Set up and use HTTP Event Collector in Splunk Web .
Add Splunk Observability Cloud IP addresses to your allow list 🔗
A Splunk Cloud Platform admin must add Splunk Observability Cloud IP addresses to your Splunk Cloud Platform allow list. See Configure IP allow lists using Splunk Web to learn how.
If you already set up Log Observer Connect, you do not need to add the necessary IP addresses because you already added them. If you have not set up Log Observer Connect, add the following IP addresses to your Splunk Cloud Platform allow list:
Realm |
IP addresses |
|---|---|
us0 |
34.199.200.84/32
52.20.177.252/32
52.201.67.203/32
54.89.1.85/32
|
us1 |
44.230.152.35/32
44.231.27.66/32
44.225.234.52/32
44.230.82.104/32
|
eu0 |
108.128.26.145/32
34.250.243.212/32
54.171.237.247/32
|
Authenticate the connection to HEC in Splunk Observability Cloud 🔗
Follow these steps to authenticate your connection to HEC:
Log in to Splunk Observability Cloud and select Settings, then select Forward Logs Data.
In the Enter your HEC details section, enter the URL and port of your Splunk platform instance, and the value of the HEC Ingest token that you created in the previous section.
Select Save and Activate to start forwarding new incoming Log Observer logs data to the Splunk platform in addition to storing it in Log Observer.
To verify that your HEC ingest token is functional and that Splunk Observability Cloud is forwarding logs successfully, go to Search & Reporting in your Splunk platform instance and verify that logs from Splunk Observability Cloud appear in the index you selected in step 8 of the previous section. To continue working with the forwarded logs in Splunk Observability Cloud, use Log Observer Connect to connect to the Splunk platform index that contains the forwarded logs.
Troubleshooting 🔗
If you do not see Log Observer logs in your Splunk platform instance, check the Splunk platform instance URL and HEC token you provided and try again, or contact Customer Support for help.
To update an HEC token, select Deactivate Forwarding, update the token, then select Reactivate Forwarding.
When you select Deactivate Forwarding, Log Observer no longer forwards logs to the Splunk platform.