Set up Log Observer Connect for Splunk Cloud Platform
Set up Log Observer Connect by integrating Log Observer with Splunk Cloud Platform. If you are in a Splunk Enterprise environment and want to set up Log Observer Connect, see Set up Log Observer Connect for Splunk Enterprise.
When you set up Log Observer Connect, your logs data remains strictly in your Splunk Cloud Platform instance and is accessible only to Log Observer Connect. Log Observer Connect does not store or index your logs data. There is no additional charge for Log Observer Connect.
Region and version availability
Splunk Log Observer Connect is available in the AWS regions us0, us1, eu0, jp0, and au0. Log Observer Connect is not supported in GovCloud regions. Splunk Log Observer Connect is compatible with Splunk Cloud Platform versions 8.2 and higher. Log Observer Connect is not available for Splunk Cloud Platform trials.
Note
You can collect data using both the Splunk Distribution of OpenTelemetry Collector and the universal forwarder without submitting any duplicate telemetry data. See Use the Splunk Universal Forwarder with the Collector to learn how.
Prerequisites
Ensure that token authentication is enabled in your Splunk Cloud Platform instance. See Securing Splunk Cloud Platform: Enable or disable token authentication to learn how. The Splunk Cloud users you configure in the following section must have the sc_admin role.
Set up Log Observer Connect
To set up Log Observer Connect for Splunk Cloud Platform without help from the Support team, follow these steps:
Splunk Observability Cloud
In Splunk Observability Cloud, do the following:
Go to Settings > Log Observer Connect and select Add new connection. If you don’t see Log Observer Connect in Settings, you are not an administrator in Splunk Observability Cloud. Contact your organization’s Splunk Observability Cloud administrator to perform this integration.
Select Splunk Cloud Platform.
Splunk Cloud Platform
In Splunk Cloud Platform, follow the instructions in the guided setup for the integration to do the following:
To configure a role in Splunk Cloud Platform for the Log Observer Connect service account, go to Settings > Roles.
Select the role you want to use for the Log Observer Connect service account. The service account is a user role that can access the specific Splunk Cloud Platform indexes that you want your users to search in Log Observer Connect.
On the Capabilities tab, ensure that edit_tokens_own is selected. Also, ensure that indexes_list_all is not selected.
On the Indexes tab in the Included column, deselect *(All internal indexes) and select the indexes that you want users to query in Log Observer Connect.
On the Resources tab, enter a Standard search limit of 40 for both Role search job limit and User search job limit. Enter 0 for Real-time search limit for both role and user search job limits.
The limit of 40 assumes that you have 10 Log Observer Connect users. To determine your ideal Standard search limit, multiply the number of Log Observer Connect users you have by 4. For example, if you have 20 Log Observer users, enter a Standard search limit of 80 for both Role search job limit and User search job limit.
Now, in the Role search time window limit section of the Resources tab, select Custom time and enter 2,592,000 seconds (30 days) for the maximum time window for searches for this role. For the earliest searchable event time for this role, select Custom time and enter 7,776,000 seconds (90 days). In the Disk space limit section enter a Standard search limit of 1000 MB.
Next, in Splunk Cloud Platform, go to Settings > Users and create the user for the Log Observer Connect service account. In the Assign roles section, assign to the user the role you created in the preceding steps for the Log Observer Connect service account.
Secure a connection to your Splunk Cloud Platform instance in Splunk Observability Cloud. To get help from Splunk Support, see Submit a support ticket. To do it yourself, select Download this script in the guided setup section, Secure connection to the Splunk platform, and follow the instructions on screen. When you run the script, the Admin Config Service API does the following:
Adds Splunk Observability Cloud IPs and your local machine’s IP to your Splunk Cloud Platform allow list to allow Log Observer Connect services and your machine to connect to your Splunk Cloud Platform instance through the management port
Fetches a certificate chain
Removes your local machine’s IP from the allow list
Copy the first certificate in the chain and paste it on the next page of the guided setup to securely connect Log Observer Connect and your Splunk Cloud Platform instance. The script returns 3 certificates. Be sure to copy only the first certificate, and include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines. A certificate has the following form:
-----BEGIN CERTIFICATE-----
<base64-encoded certificate body>
-----END CERTIFICATE-----
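As an added example (not part of the Splunk documentation or of the setup script), the following Python snippet splits the certificate chain the script prints into individual PEM blocks, checks that each body is valid base64 encoding a DER SEQUENCE, and returns the first certificate with its BEGIN and END markers so that exactly that block can be pasted into the guided setup. The sample chain is constructed inline; its bodies are minimal DER stand-ins, not real certificates.

```python
import base64
import re
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Non-greedy match between the markers; re.S lets the body span multiple lines.
PEM_RE = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)


def split_chain(chain_pem: str) -> list[str]:
    """Return every certificate in a PEM chain as a normalized block (markers included)."""
    blocks = []
    for body in PEM_RE.findall(chain_pem):
        b64 = "".join(body.split())  # drop line breaks and stray whitespace
        der = base64.b64decode(b64, validate=True)  # rejects non-base64 characters
        if not der or der[0] != 0x30:  # X.509 certificates are DER SEQUENCEs (tag 0x30)
            raise ValueError("certificate body is not a DER SEQUENCE")
        blocks.append(BEGIN + "\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n" + END)
    return blocks


def first_certificate(chain_pem: str) -> str:
    """Return only the first certificate of the chain, which is what the guided setup needs."""
    blocks = split_chain(chain_pem)
    if not blocks:
        raise ValueError("no PEM certificate found in input")
    return blocks[0]


def _constructed_cert(label: bytes) -> str:
    """Constructed stand-in: a minimal DER SEQUENCE wrapping a UTF8String. Not a real certificate."""
    der = b"\x30" + bytes([len(label) + 2]) + b"\x0c" + bytes([len(label)]) + label
    b64 = base64.b64encode(der).decode()
    return BEGIN + "\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n" + END + "\n"


# Constructed three-certificate chain, mirroring the three blocks the script returns.
SAMPLE_CHAIN = "".join(_constructed_cert(n) for n in (b"leaf", b"intermediate", b"root"))

if __name__ == "__main__":
    print(f"chain contains {len(split_chain(SAMPLE_CHAIN))} certificates")
    print(first_certificate(SAMPLE_CHAIN))
```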
Make sure to give each connection a unique name on the final page of the Log Observer Connect guided setup.
Note
Manage concurrent search limits using your current strategy in Splunk Cloud Platform. All searches initiated by Log Observer Connect users go through the service account you create in Splunk Cloud Platform. For each active Log Observer Connect user, four back-end searches occur when a user performs a search in Log Observer Connect. For example, if there are three users accessing Log Observer Connect at the same time, the service account for Log Observer Connect initiates approximately 12 searches in Splunk Cloud Platform.
Submit a support ticket
If you were not able to run the script in step 3d in the preceding section, you may submit a support ticket from your Splunk Cloud Platform instance to have this done on your behalf. Submit a ticket to Splunk Support to configure your Splunk Cloud Platform instance’s IP allow list. Configuring your allow list properly opens your Splunk Cloud Platform instance management port to Log Observer Connect, which can then search your Splunk Cloud Platform instance log data. After Splunk Support prepares your Splunk Cloud Platform instance, you can securely create a connection to Log Observer Connect.
To submit a support ticket, follow these steps:
Find the following:
Your Splunk Observability Cloud organization name and region. To see this information in Splunk Observability Cloud, go to Settings, then select your profile name.
Your Splunk Cloud Platform instance name, the URL prefix of your Splunk Cloud Platform deployment, which is formatted as follows: [Your_instance_name].splunkcloud.com.
Log in to your Splunk Cloud Platform instance and select Support.
Select Support Portal from the drop-down list to submit a case ticket.
In the description of your ticket, paste the following and enter the relevant values for your organization:
OrgID: <enter-orgid>
Realm: <enter-realm>
Instance Name: <instance-name>
Request: Please securely open our Splunk Cloud Platform instance management port (8089) and add the IP addresses of the above realm to our allow list. Also, please provide us with the SSL certificate chain in this ticket so that we can enable Log Observer Connect.
When you receive the SSL certificate from Splunk Support in your support ticket, do the following:
Paste the first certificate stanza in the final section of the Log Observer Connect guided setup, Set up Observability Cloud.
Select Save and Activate.
Troubleshooting
See Troubleshoot Log Observer Connect setup to learn how to solve common issues with Log Observer Connect.