Set up Log Observer Connect for Splunk Enterprise
Set up Log Observer Connect by integrating Log Observer with Splunk Enterprise. If you are in a Splunk Cloud Platform environment and want to set up Log Observer Connect, see Set up Log Observer Connect for Splunk Cloud Platform.
When you set up Log Observer Connect, your log data stays in Splunk Enterprise. Log Observer Connect only searches it through the service account you create; it does not store or index your log data. There is no additional charge for Log Observer Connect.
Region and version availability
Splunk Log Observer Connect is available in the AWS-hosted realms us0, us1, eu0, jp0, and au0. Splunk Log Observer Connect is compatible with Splunk Enterprise 8.2 and higher.
You can collect data with both the Splunk Distribution of OpenTelemetry Collector and the Universal Forwarder without sending duplicate telemetry data. See Splunk Universal Forwarder to learn how.
Log Observer Connect requires token authentication to be enabled in your Splunk Enterprise instance before you start the setup. See Securing Splunk Enterprise: Enable or disable token authentication to learn how.
Set up Log Observer Connect
To set up Log Observer Connect for Splunk Enterprise, follow these steps:
In Observability Cloud, go to Settings > Log Observer Connect and click Add new connection.
Click Splunk Enterprise.
Follow the instructions in the integration guided setup to do the following in Splunk Enterprise:
Create a new role in your Splunk Enterprise instance. Keep this role to search access only; it is the only role the Log Observer Connect service account needs.
Select the Splunk Enterprise indexes that you want to search in Log Observer Connect. Only these indexes are visible to Log Observer Connect users, so list them explicitly rather than granting the role access to every index.
Create and configure a new user in your Splunk Enterprise instance. This user is the service account that all Log Observer Connect searches run as; assign it only the role you created.
Obtain certificates for securing inter-Splunk communication. See Configure and install certificates in Splunk Enterprise for Splunk Log Observer Connect to learn how. Copy only the first certificate in the chain (the server's own certificate, not the intermediates or root) and paste it on the next page of the guided setup to securely connect Log Observer Connect and your Splunk Enterprise instance.
Make sure to give each connection a unique name on the final page of the Log Observer Connect guided setup.
Manage concurrent search limits using your current strategy in Splunk Enterprise. All searches initiated by Log Observer Connect users run through the single service account you create in Splunk Enterprise, so any per-user concurrent search quota on that account's role applies to the combined load of every Log Observer Connect user, not to each user separately. Each search a user runs in the Log Observer Connect UI starts four back-end searches. For example, if three users search in the Log Observer Connect UI at the same time, the service account initiates approximately 12 concurrent searches in Splunk Enterprise, so its role must allow at least that many.
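The following is an added example, not code from the page or from Splunk: it writes the authorize.conf stanza for a least-privilege Log Observer Connect role (explicit indexes, the search capability only, and a concurrent search quota sized from the four-searches-per-user figure above), audits an existing stanza for the mistakes that matter here (wildcard indexes, administrative capabilities, a quota too small for the expected number of users), and extracts only the first certificate from a PEM chain for the guided setup. The authorize.conf keys (srchIndexesAllowed, srchIndexesDefault, srchJobsQuota, rtSrchJobsQuota, and <capability> = enabled) are Splunk's; the function names, the role name, the list of risky capabilities, and the PEM chain are this example's own, and the chain bodies are constructed placeholders rather than real certificates.

```python
"""Least-privilege role for the Log Observer Connect service account (added example)."""
import re

SEARCHES_PER_ACTIVE_USER = 4  # from the page: four back-end searches per UI search

# Capabilities that a search-only service account must never carry (example's own list).
RISKY_CAPABILITIES = {
    "admin_all_objects", "edit_user", "edit_roles", "edit_roles_grantable",
    "edit_tokens_all", "edit_tokens_own", "edit_indexes", "delete_by_keyword",
    "edit_server", "restart_splunkd", "run_debug_commands",
}

# Constructed PEM chain: server certificate first, then an intermediate. Placeholder bodies.
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAFCERTBODY\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEBODY\n-----END CERTIFICATE-----\n"
)
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def required_quota(concurrent_users):
    """Concurrent searches the single service account must be allowed to run."""
    return SEARCHES_PER_ACTIVE_USER * concurrent_users


def role_stanza(role, indexes, concurrent_users):
    """authorize.conf stanza for a search-only role restricted to explicit indexes.

    srchJobsQuota is per user, and every Log Observer Connect search runs as one
    user, so the quota is sized for all concurrent UI users together.
    """
    if not indexes or any(i.strip() in ("", "*", "_*") for i in indexes):
        raise ValueError("list each index explicitly; refuse wildcards")
    lines = [
        f"[role_{role}]",
        "search = enabled",  # the only capability the service account needs
        f"srchIndexesAllowed = {';'.join(indexes)}",
        f"srchIndexesDefault = {';'.join(indexes)}",
        f"srchJobsQuota = {required_quota(concurrent_users)}",
        "rtSrchJobsQuota = 0",  # assumption: no real-time searches from this account
    ]
    return "\n".join(lines) + "\n"


def audit_stanza(text, concurrent_users):
    """Return findings for a role stanza; an empty list means it passes."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("["):
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    findings = []
    allowed = cfg.get("srchIndexesAllowed", "")
    if not allowed or "*" in allowed:
        findings.append("srchIndexesAllowed is empty or contains a wildcard")
    for cap in sorted(RISKY_CAPABILITIES):
        if cfg.get(cap) == "enabled":
            findings.append(f"risky capability enabled: {cap}")
    needed = required_quota(concurrent_users)
    quota = cfg.get("srchJobsQuota")
    if quota is None or int(quota) < needed:
        findings.append(f"srchJobsQuota {quota} is below the {needed} needed")
    return findings


def first_certificate(pem_chain):
    """Only the first certificate of the chain is pasted into the guided setup."""
    match = CERT_RE.search(pem_chain)
    if not match:
        raise ValueError("no PEM certificate found in input")
    return match.group(0) + "\n"


if __name__ == "__main__":
    stanza = role_stanza("log_observer_connect", ["main", "web"], concurrent_users=3)
    print(stanza)
    print("findings:", audit_stanza(stanza, 3))
    print(first_certificate(SAMPLE_CHAIN))
```

Write the stanza to $SPLUNK_HOME/etc/system/local/authorize.conf (or the Splunk Enterprise role editor), then create the service user with that single role, for example with `splunk add user <name> -password <password> -role log_observer_connect`. Re-run the audit whenever the number of expected concurrent Log Observer Connect users grows; the quota check fails the moment the role can no longer carry four searches per user.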
See Troubleshoot Log Observer Connect setup to learn how to solve common issues with Log Observer Connect.