Ensure the correct mapping of your severity key

The Log Observer Connect timeline displays a histogram of logged events over time, grouped by values of the message field severity. The severity key is a field that all logs contain. It has the values debug, error, info, unknown, and warning. Your logs might use a different field name for the severity key.

If your logs call the severity key or its values by different names, that’s okay. Ensure that Log Observer Connect can read your field and value names. Log Observer Connect assigns unknown to all values that it does not recognize.

Note

The names of your severity key and its values are not case sensitive.

Your severity key can have any of the following names:

  • severity

  • level

  • otel.log.severity.text

The following table lists the values that Log Observer Connect recognizes for each severity name:

| Severity field names   | Severity value names                                        |
|------------------------|-------------------------------------------------------------|
| severity               | info, information; err, error; warn, warning; debug; critical |
| level                  | info, information; err, error; warn, warning                |
| otel.log.severity.text | normal; warn, warning                                       |

If your severity key or values do not match any of the names in the previous table, do one of the following to convert them into names that Log Observer Connect recognizes:

When you create an alias for your severity key name, the original key name and its aliases continue to function for Log Observer queries. On the Log Observer timeline histogram, the severity key name and all its aliases are combined into one and represented as “severity”.
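The following added example (not part of the Splunk documentation or product) checks a sample of your logs against the table on this page before you rely on the timeline, so that you can see which key and value names Log Observer Connect would not recognize. It assumes one flat JSON object per line; the function names, the sample events, and the order in which several severity keys are checked are assumptions.

```python
import json
from collections import Counter
# Recognized value names per severity key, copied from the table on this page.
RECOGNIZED = {
    "severity": {"info", "information", "err", "error", "warn", "warning", "debug", "critical"},
    "level": {"info", "information", "err", "error", "warn", "warning"},
    "otel.log.severity.text": {"normal", "warn", "warning"},
}

def classify(event):
    """Return (status, key, value) for one parsed log event (a dict)."""
    # Key and value names are not case sensitive, so compare in lowercase.
    lowered = {str(k).lower(): v for k, v in event.items()}
    # Assumption: if several severity keys are present, check them in table order.
    for key in RECOGNIZED:
        if key in lowered:
            value = str(lowered[key]).lower()
            status = "recognized" if value in RECOGNIZED[key] else "unrecognized_value"
            return status, key, value
    return "no_severity_key", None, None

def audit(lines):
    """Tally statuses and count the key/value pairs that are not in the table."""
    statuses, offenders = Counter(), Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            statuses["not_json_object"] += 1
            continue
        status, key, value = classify(event)
        statuses[status] += 1
        if status == "unrecognized_value":
            offenders[(key, value)] += 1
    return statuses, offenders

# Constructed sample events, not taken from any real system.
SAMPLE = [
    '{"severity": "ERROR", "message": "login failed"}',
    '{"Level": "warn", "message": "disk at 91%"}',
    '{"level": "debug", "message": "cache miss"}',
    '{"otel.log.severity.text": "Normal", "message": "ok"}',
    '{"severity": "fatal", "message": "out of memory"}',
    '{"loglevel": "error", "message": "timeout"}',
]
if __name__ == "__main__":
    statuses, offenders = audit(SAMPLE)
    print(dict(statuses), dict(offenders))
```

In the sample, `level=debug` is reported because the table lists debug only under the severity key, and `loglevel` is reported as a missing severity key because it is not one of the three recognized key names.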

This page was last updated on Mar 25, 2025.