Open logs in Splunk platform 🔗
Customers with a Splunk Log Observer entitlement in Splunk Observability Cloud must transition from Log Observer to Log Observer Connect by December 2023. With Log Observer Connect, you can ingest more logs from a wider variety of data sources, enjoy a more advanced logs pipeline, and expand into security logging. See Splunk Log Observer transition to learn how.
You can search Splunk Observability Cloud logs if your Splunk Observability Cloud instance ingests logs. If your organization has integrated its Splunk platform (Splunk Cloud Platform or Splunk Enterprise) instance with its Splunk Observability Cloud instance, you can search Splunk platform logs that your Splunk platform role has permissions to see in Splunk platform. You can also open the logs in Splunk platform for additional SPL querying.
To open your logs in Splunk platform, follow these steps:
Navigate to Log Observer. In the content control bar, enter a time range in the time picker if you know it.
Select Index next to Saved Queries, then select the indexes you want to query. If you want to search your Splunk platform (Splunk Cloud Platform or Splunk Enterprise) data, select the integration for the appropriate Splunk platform instance first, then select which index you want to query in Log Observer. You can only query indexes from one Splunk platform instance or Observability Cloud instance at a time. You can only query Splunk platform indexes if you have the appropriate role and permissions in the Splunk platform instance. Select Apply.
In the content control bar next to the index picker, select Add Filter.
To search on a keyword, select the Keyword tab, type the keyword or phrase you want to search on, then press Enter. If you want to search on a field, select the Fields tab, enter the field name, then press Enter.
To continue adding keywords or fields to the search, select Add Filter.
Review the top values for your query on the the Fields panel on right. This list includes the count of each value in the log records. To include log records with a particular value, select the field name, then select
=. To exclude log records with a particular value from your results, select the field name, then select
!=. To see the full list of values and distribution for this field, select Explore all values.
Optionally, if you are viewing Splunk platform (Splunk Cloud Platform or Splunk Enterprise) data, you can open your query results in the Splunk platform to use SPL to further filter or work with the query results. You must have an account in Splunk platform. To open the log results in the Splunk platform, select the Open in Splunk platform icon at the top of the Logs table.
When you add keywords, field names, or field values to the filters, Log Observer narrows the results in the Timeline and the Logs table so that only records containing the selected fields and values appear. To learn how you can use a productive search in the future, see Save and share Log Observer queries.