Set up Log Observer Connect for Splunk Enterprise 🔗
Set up Log Observer Connect by integrating Log Observer with Splunk Enterprise. If you are in a Splunk Cloud Platform environment and want to set up Log Observer Connect, see Set up Log Observer Connect for Splunk Cloud Platform.
When you set up Log Observer Connect, your Splunk Enterprise logs data remains in Splunk Enterprise. Log Observer Connect does not store or index your logs data. There is no additional charge for Log Observer Connect.
Note
You can collect data using both the Splunk Distribution of the OpenTelemetry Collector and the Universal Forwarder without submitting any duplicated telemetry data. See Use the Splunk Universal Forwarder with the Collector to learn how.
Region and version compatibility 🔗
Splunk Log Observer Connect is available in the AWS regions us0, us1, eu0, jp0, and au0, and is compatible with Splunk Enterprise 9.0.1 and higher.
Prerequisites 🔗
To set up Log Observer Connect for Splunk Enterprise, you must have an administrator role in Splunk Observability Cloud. You must also be an administrator in Splunk Enterprise.
Ensure the following configuration in your Splunk Enterprise instance:
Token authentication is active on your Log Observer Connect service account. See Securing Splunk Enterprise: Enable or disable token authentication to learn how.
Make sure you can access these IP addresses from the Splunk Enterprise host or network:
us0:
34.199.200.84,52.20.177.252,52.201.67.203,54.89.1.85us1:
44.230.152.35,44.231.27.66,44.225.234.52,44.230.82.104eu0:
108.128.26.145,34.250.243.212,54.171.237.247jp0:
35.78.47.79,35.77.252.198,35.75.200.181au0:
13.54.193.47,13.55.9.109,54.153.190.59
Expose port
8089to all the IPs of the realms you’re using. Log Observer Connect needs to be able to access the search head on port8089. It doesn’t need to directly access the deployer or indexers. For example, if you have a search head cluster with load balancer in front of the members of the search head cluster, you would allow the incoming traffic to the load balancer.
Caution
Check with your security team before you add these IPs to the allow list of your firewall rules or to your security groups in AWS.
Set up Log Observer Connect 🔗
To set up Log Observer Connect for Splunk Enterprise, follow these steps:
Splunk Observability Cloud 🔗
In Splunk Observability Cloud, do the following:
Go to Settings > Log Observer Connect and select Add new connection. If you don’t see Log Observer Connect in Settings, you are not an administrator in Splunk Observability Cloud. Contact your organization’s Splunk Observability Cloud administrator to perform this integration.
Select Splunk Enterprise.
Splunk Enterprise 🔗
In Splunk Enterprise, follow the instructions in the guided setup for the integration to do the following:
To configure a role in Splunk Enterprise for the Log Observer Connect service account, go to Settings > Roles.
Select the role you want to use for the Log Observer Connect service account. The service account is a user role that can access the specific Splunk Enterprise indexes that you want your users to search in Log Observer Connect.
On the Capabilities tab, ensure that
edit_tokens_ownandsearchare selected. Also, ensure thatindexes_list_allis not selected.
On the Indexes tab in the Included column, deselect *(All internal indexes) and select the indexes that you want users to query in Log Observer Connect.
On the Resources tab, enter a Standard search limit of 40 for both Role search job limit and User search job limit. Enter 0 for Real-time search limit for both role and user search job limits.
The limit of 40 assumes that you have 10 Log Observer Connect users. To determine your ideal Standard search limit, multiply the number of Log Observer Connect users you have by 4. For example, if you have 20 Log Observer users, enter a Standard search limit of 80 for both Role search job limit and User search job limit.
Now, in the Role search time window limit section of the Resources tab, select Custom time and enter 2592000 seconds (30 days) for the maximum time window for searches for this role. For the earliest searchable event time for this role, select Custom time and enter 7776000 seconds (90 days). In the Disk space limit section enter a Standard search limit of 1000 MB.
Next, in Splunk Enterprise, go to Settings > Users and create the user for the Log Observer Connect service account. In the Assign roles section, assign to the user the role you created in the preceeding steps for the Log Observer Connect service account.
Obtain certificates for securing inter-Splunk communication. See Configure and install certificates in Splunk Enterprise for Splunk Log Observer Connect to learn how. Copy only the first certificate in the chain and paste it on the next page of the guided setup to securely connect Log Observer Connect and your Splunk Enterprise instance.
Make sure to give each connection a unique name on the final page of the Log Observer Connect guided setup.
Note
Manage concurrent search limits using your current strategy in Splunk Enterprise. All searches initiated by Log Observer Connect users go through the service account you create in Splunk Enterprise. For each active Log Observer Connect user, four back-end searches occur when a user performs a search in the Log Observer Connect UI. For example, if there are three concurrent users accessing the Log Observer Connect UI at the same time, the service account for Log Observer Connect initiates approximately 12 searches in Splunk Enterprise.
Troubleshooting 🔗
See Troubleshoot Log Observer Connect setup to learn how to solve common issues with Log Observer Connect.