Set up Log Observer Connect for Splunk Cloud Platform
Set up Log Observer Connect by integrating Log Observer with Splunk Cloud Platform. If you are in a Splunk Enterprise environment and want to set up Log Observer Connect, see Set up Log Observer Connect for Splunk Enterprise.
When you set up Log Observer Connect, your log data remains strictly in your Splunk Cloud Platform instance and is accessible only to Log Observer Connect. Log Observer Connect does not store or index your log data. There is no additional charge for Log Observer Connect.
Region and version availability
Splunk Log Observer Connect is available in the AWS regions us0, us1, eu0, jp0, and au0. Log Observer Connect is not supported in GovCloud regions. Splunk Log Observer Connect is compatible with Splunk Cloud Platform versions 8.2 and higher. Log Observer Connect is not available for Splunk Cloud Platform trials.
You can collect data using both the Splunk Distribution of OpenTelemetry Collector and the universal forwarder without submitting any duplicate telemetry data. See Splunk Universal Forwarder to learn how.
Ensure that token authentication is enabled in your Splunk Cloud Platform instance. See Securing Splunk Cloud Platform: Enable or disable token authentication to learn how.
Set up Log Observer Connect
To set up Log Observer Connect for Splunk Cloud Platform without help from the Support team, follow these steps:
1. In Observability Cloud, go to Settings > Log Observer Connect and select Add new connection. If you don’t see Log Observer Connect in Settings, you are not an administrator in Observability Cloud. Contact your organization’s Observability Cloud administrator to perform this integration.
2. Select Splunk Cloud Platform.
3. Follow the instructions in the guided setup for the integration to do the following in Splunk Cloud Platform:
   a. Configure a service account in Splunk Cloud Platform. The service account is a user role that can access the specific Splunk Cloud Platform indexes that you want your users to search in Log Observer Connect.
   b. Configure users in Splunk Cloud Platform.
   c. Attach the role and the user you created in the integration guided setup.
   d. Secure a connection to your Splunk Cloud Platform instance in Observability Cloud. To get help from Splunk Support, see Submit a support ticket. To do it yourself, select Download this script in the Secure connection to the Splunk platform section of the guided setup, and follow the instructions on screen. When you run the script, the Admin Config Service API does the following:
      - Adds the Observability Cloud IPs and your local machine’s IP to your Splunk Cloud Platform allow list, so that the Log Observer Connect services and your machine can connect to your Splunk Cloud Platform instance through the management port
      - Fetches a certificate chain
      - Removes your local machine’s IP from the allow list
   e. Copy only the first certificate in the chain and paste it on the next page of the guided setup to securely connect Log Observer Connect and your Splunk Cloud Platform instance.
   f. Give each connection a unique name on the final page of the Log Observer Connect guided setup.
4. Manage concurrent search limits using your current strategy in Splunk Cloud Platform. All searches initiated by Log Observer Connect users go through the service account you create in Splunk Cloud Platform. Each search that a user performs in Log Observer Connect triggers four back-end searches. For example, if three users access Log Observer Connect at the same time, the Log Observer Connect service account initiates approximately 12 searches in Splunk Cloud Platform.
Submit a support ticket
If you were not able to run the script in step 3d of the preceding section, you can submit a support ticket and have Splunk Support do this on your behalf. Submit a ticket to Splunk Support to configure your Splunk Cloud Platform instance’s IP allow list. Configuring your allow list properly opens your Splunk Cloud Platform instance management port to Log Observer Connect, which can then search your Splunk Cloud Platform instance log data. After Splunk Support prepares your Splunk Cloud Platform instance, you can securely create a connection to Log Observer Connect.
To submit a support ticket, follow these steps:
1. Find the following:
   - Your Observability Cloud organization name and region. To see this information in Observability Cloud, go to Settings, then select your profile name.
   - Your Splunk Cloud Platform instance name, which is the URL prefix of your Splunk Cloud Platform deployment, formatted as [Your_instance_name].splunkcloud.com.
2. Log in to your Splunk Cloud Platform instance and select Support.
3. Select Support Portal from the drop-down list to submit a case ticket.
4. In the description of your ticket, paste the following and enter the relevant values for your organization:
   OrgID: <enter-orgid>
   Realm: <enter-realm>
   Instance Name: <instance-name>
   Request: Please securely open our Splunk Cloud Platform instance management port (8089) and add the IP addresses of the above realm to our allow list. Also, please provide us with the SSL certificate chain in this ticket so that we can enable Log Observer Connect.
5. When you receive the SSL certificate from Splunk Support in your support ticket, do the following:
   a. Paste the first certificate stanza in the final section of the Log Observer Connect guided setup, Set up Observability Cloud.
   b. Click Save and Activate.
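Both the self-service path (step 3e in the previous section) and the support-ticket path (step 5a above) ask you to paste only the first certificate stanza of the chain, not the whole chain. The following Python script is an added example and is not part of the Splunk-provided script or the guided setup. It assumes that the chain you received is standard PEM text (a series of BEGIN CERTIFICATE / END CERTIFICATE stanzas, possibly with openssl-style subject and issuer lines between them) and extracts the first stanza, normalizing line endings so that the block pastes cleanly into the setup page. The sample chain in the script is constructed placeholder text, not a real certificate.

```python
import re
import sys

# One PEM certificate stanza, including its BEGIN and END lines. Both LF and
# CRLF line endings are accepted, because a chain fetched on Windows or copied
# through a browser often arrives with CRLF endings.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_chain(chain_text: str) -> list:
    """Return every certificate stanza in chain_text, in order, with line
    endings normalized to LF and stray whitespace removed.

    Text outside the stanzas (for example the "subject=" and "issuer=" lines
    that openssl s_client prints in front of each block) is ignored.
    """
    stanzas = []
    for match in _PEM_CERT_RE.finditer(chain_text):
        lines = [line.strip() for line in match.group(1).splitlines()]
        body = "\n".join(line for line in lines if line)
        stanzas.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----")
    return stanzas


def first_certificate(chain_text: str) -> str:
    """Return only the first stanza of the chain, the one the guided setup
    asks you to paste. Raises ValueError if no stanza is found, so an empty
    or truncated paste is caught before it reaches the setup page.
    """
    stanzas = split_chain(chain_text)
    if not stanzas:
        raise ValueError("no PEM certificate stanza found in the input")
    return stanzas[0]


# Constructed sample (hypothetical names, placeholder bodies, not real
# certificates): two stanzas with openssl-style header lines before each.
SAMPLE_CHAIN = """\
subject=CN=your-instance.splunkcloud.com
issuer=CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTLINE1
PLACEHOLDERLEAFCERTLINE2
-----END CERTIFICATE-----
subject=CN=Example Intermediate CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERTLINE1
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Pass the saved chain file as the first argument, or run with no
    # arguments to see the behaviour on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    print(f"{len(split_chain(text))} certificate(s) found; first one:")
    print(first_certificate(text))
```

Save the chain the script or Splunk Support gave you to a file and run the script with that file as its argument; paste the printed stanza into the guided setup. Because the regular expression only accepts a complete BEGIN/END pair, a chain that was cut off mid-stanza produces an error rather than a silently malformed certificate.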
See Troubleshoot Log Observer Connect setup to learn how to solve common issues with Log Observer Connect.