Splunk Observability Cloud previews

Splunk platform users can see previews of observability data that correlates to search results in the Search & Reporting application (the Search app) when you set up Splunk Observability Cloud Related Content previews. An administrator must connect your Splunk platform and Splunk Observability Cloud accounts. Users can then see previews of observability data in a Related Content panel and jump into Splunk Observability Cloud in context for troubleshooting.

Prerequisites

To set up Splunk Observability Cloud Related Content in the Splunk platform, a user must have an administrator role in both the Splunk platform and Splunk Observability Cloud. An administrator must connect your Splunk platform and Splunk Observability Cloud accounts.

Configure Splunk Observability Cloud previews

The ability to preview Splunk Observability Cloud data in the Splunk platform is available for both Splunk Cloud Platform and Splunk Enterprise.

An admin can connect a Splunk Cloud Platform organization to Splunk Observability Cloud through Unified Identity or an API token. If Unified Identity is already set up, observability previews in the Related Content panel are already available.

An admin can connect a Splunk Enterprise organization to Splunk Observability Cloud only through an API token.

Note: The Splunk platform refers to both Splunk Cloud Platform and Splunk Enterprise.

To connect accounts and activate data correlation previews, an admin must do the following:
  1. Open the Discover Splunk Observability Cloud app in the Splunk platform, and complete each of the following sections:
    1. Access tokens
    2. Automatic UI updates
    3. Field aliasing (optional)
    4. Test related content
    5. Related content discovery
  2. In the Splunk platform, turn on the read_o11y_content capability for roles that you want to have access to observability previews. The sc_admin and power roles have the read_o11y_content capability automatically active.
  3. Turn on the Read permission to the Discover Splunk Observability Cloud app for all users who you want to allow to see related observability data in the Search & Reporting app.
    1. In the Splunk platform, in the Apps drop-down menu, select Manage Apps.
    2. Search for the Discover Splunk Observability Cloud app, then in the Sharing column, select Permissions.
    3. Select the roles to which you want to give the Read permission for the Discover Splunk Observability Cloud app. The roles can now see related Splunk Observability Cloud content on the Search & Reporting page.
  4. If you use the uBlock Origin extension in Firefox, turn it off. When uBlock Origin is on, it blocks the Splunk Observability Cloud previews.

Note: If a non-admin role gets Read access to the Discover Splunk Observability Cloud app, they can open the app but cannot access or edit configurations.
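
The following added example (not part of the original Splunk documentation) is one way to review which roles end up holding the read_o11y_content capability after step 2, including roles that inherit it. It assumes the role list has been exported as JSON from the Splunk REST endpoint /services/authorization/roles with output_mode=json; the sample data and the contractor and o11y_viewer role names are constructed for illustration.

```python
import json

CAPABILITY = "read_o11y_content"
# Roles this page says have the capability active automatically.
EXPECTED_ROLES = {"sc_admin", "power"}

# Constructed sample in the shape assumed for
# GET /services/authorization/roles?output_mode=json (not real output).
SAMPLE_ROLES_JSON = json.dumps({"entry": [
    {"name": "sc_admin", "content": {
        "capabilities": [CAPABILITY], "imported_capabilities": []}},
    {"name": "power", "content": {
        "capabilities": [CAPABILITY], "imported_capabilities": []}},
    {"name": "user", "content": {
        "capabilities": ["search"], "imported_capabilities": []}},
    {"name": "contractor", "content": {
        "capabilities": [], "imported_capabilities": [CAPABILITY, "search"]}},
    {"name": "o11y_viewer", "content": {
        "capabilities": [CAPABILITY], "imported_capabilities": ["search"]}},
]})


def audit_roles(roles_json):
    """Map each role holding CAPABILITY to how it holds it.

    "direct" means the capability is set on the role itself; "inherited"
    means it arrives through a role this one inherits from, so removing it
    requires changing the inheritance rather than the role.
    """
    holders = {}
    for entry in json.loads(roles_json).get("entry", []):
        content = entry.get("content", {})
        if CAPABILITY in content.get("capabilities", []):
            holders[entry["name"]] = "direct"
        elif CAPABILITY in content.get("imported_capabilities", []):
            holders[entry["name"]] = "inherited"
    return holders


def unexpected_holders(roles_json):
    """Roles that hold CAPABILITY but are not in EXPECTED_ROLES."""
    return sorted(set(audit_roles(roles_json)) - EXPECTED_ROLES)


if __name__ == "__main__":
    for role, how in audit_roles(SAMPLE_ROLES_JSON).items():
        print(f"{role}: {how}")
    print("review:", unexpected_holders(SAMPLE_ROLES_JSON))
```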

Access tokens

1. In Splunk Observability Cloud, retrieve an API access token. See Create and manage organization access tokens using Splunk Observability Cloud to learn how.

2. In the Access tokens section of the Discover Splunk Observability Cloud app, enter your Splunk Observability Cloud realm in the Realm field. In the Access token field, paste the Splunk Observability Cloud API access token you retrieved in step 1, then select Save.

Supported realms include us0, us1, eu0, eu1, eu2, jp0, au0, and sg0.

Automatic UI updates

Turn on the toggle next to See data previews from Splunk Observability Cloud in Splunk platform. You must turn on automatic UI updates to see real-time Splunk Observability Cloud data in the Search app.

Field aliasing (optional)

To correlate search results in the Search & Reporting app with related observability data, your field names for host, service, and trace id must match the names for those fields in Splunk Observability Cloud. Decide whether you want to use Auto Field Mapping or create your own field aliases to align field names that do not match. Select the Enable Auto Field Mapping toggle to alias fields automatically. Select Open field aliasing to alias field names manually in the Splunk platform.

Auto Field Mapping

Auto Field Mapping matches Splunk Observability Cloud Related Content field keys (host.name, service.name, and trace_id fields) to alternative versions of those field names that your event data might use, such as host, service, or trace.id.

The following table shows which alternative field names will be automatically mapped to the Splunk Observability Cloud Related Content field keys, host.name, service.name, and trace_id:

If your data has these field names | Splunk Observability Cloud maps them to these field names
host, hostname, host_name, hostid, host.id, host_id | host.name
service, servicename, service_name, serviceid, service.id, service_id, app, appname, app.name, app_name, appid, app.id, app_id, application, applicationid, application.id, application_id, applicationname, application.name, application_name | service.name
trace, trace.id, traceid | trace_id
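
The following added example (not part of the original Splunk documentation) checks sample events against the alternative field names listed above, to show which Related Content keys Auto Field Mapping would cover and which would still need a manual field alias. It assumes exact, case-sensitive name matching, and it flags events where several alternatives for one key carry different values, because this page does not state which alternative takes precedence; the sample events are constructed.

```python
# Alternative field names copied from the Auto Field Mapping table on this page.
AUTO_FIELD_MAP = {
    "host.name": ["host", "hostname", "host_name", "hostid", "host.id", "host_id"],
    "service.name": [
        "service", "servicename", "service_name", "serviceid", "service.id",
        "service_id", "app", "appname", "app.name", "app_name", "appid",
        "app.id", "app_id", "application", "applicationid", "application.id",
        "application_id", "applicationname", "application.name",
        "application_name",
    ],
    "trace_id": ["trace", "trace.id", "traceid"],
}


def check_event(event):
    """Classify each Related Content key for one event (dict of field -> value).

    Returns {key: (status, fields)} where status is one of:
      "native"    - the event already carries the key itself
      "auto"      - listed alternatives are present and agree on one value
      "ambiguous" - several alternatives are present with different values
      "missing"   - nothing matches; a manual field alias would be needed
    Assumption: matching is exact and case-sensitive.
    """
    report = {}
    for key, aliases in AUTO_FIELD_MAP.items():
        if key in event:
            report[key] = ("native", [key])
            continue
        present = [a for a in aliases if a in event]
        values = {str(event[a]) for a in present}
        if not present:
            report[key] = ("missing", [])
        elif len(values) == 1:
            report[key] = ("auto", present)
        else:
            report[key] = ("ambiguous", present)
    return report


# Constructed sample events, not taken from a real index.
SAMPLE_EVENTS = [
    {"host": "web-01", "app_name": "checkout", "traceid": "4bf92f3577b34da6"},
    {"hostname": "web-02", "host_id": "i-0abc", "service.name": "cart"},
    {"Host": "web-03", "svc": "payments", "trace_id": "00f067aa0ba902b7"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", check_event(ev))
```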

Related content discovery

To know when observability previews are available, you must activate Related Content discovery. In the Related Content discovery section, select Related Content discovery.

Now when you add fields to SELECTED FIELDS in the Search app, a new Related Content button appears in the search results next to logs that contain related content in Splunk Observability Cloud.

When you select the Related Content button, a modal opens containing links that open the Related Content panel on the right side of the Search app. The Related Content panel shows previews of observability data. Selecting links in the previews takes you to Splunk Observability Cloud where you can review the details of the related observability content.

Related Content previews: Examples

Host data previews

The following screenshot shows previews of host.name data from Splunk Observability Cloud on the Related Content panel:

[Screenshot: preview of host data from Splunk Observability Cloud in the Related Content panel.]

Select Open in Infrastructure to open the host data in context in Splunk Infrastructure Monitoring.

Service data previews

The following screenshot shows previews of service.name data from Splunk Observability Cloud on the Related Content panel:

[Screenshot: preview of service name data from Splunk Observability Cloud in the Related Content panel.]

Select Open in APM to open the service data in context in Splunk APM.

Trace data previews

The following screenshot shows previews of trace_id data from Splunk Observability Cloud on the Related Content panel:

[Screenshot: preview of trace data from Splunk Observability Cloud in the Related Content panel.]

Select Open in APM to open the trace data in context in Splunk APM.