Automatic entity–index mapping

Automatic entity-index mapping generates entity-index mappings for all users based on the indexes that they can access. This reduces search time and resource use, making searches more efficient.

Introduction

Entity–index mapping significantly reduces the search footprint across Log Observer, Related Content, O11y AI, Service-Centric View, and out-of-the-box dashboards by reliably associating Observability entities with the indexes where their logs reside. This makes searches more efficient, consuming less time and fewer resources by searching only relevant indexes.

With automatic entity-index mapping, admins no longer have to manually generate mappings, including in environments with thousands of indexes. Splunk Observability Cloud now automatically generates entity-index mappings for all user roles (Read, Usage, Power, and Admin). Individual users can also manually trigger entity-index mappings. Admins can configure, schedule, and control mappings. Automation means that mappings are always up-to-date as new services onboard and generate logs in new indexes.

Mapping generation for all user roles

When a user interacts with Log Observer or any feature relying on mappings (e.g., Related Content, Splunk AI Assistant in Observability Cloud), the system evaluates which indexes the user can access. Using the user's token, the system automatically triggers mapping generation only for unmapped indexes accessible to that user. This distributed, incremental approach reduces admin workload and accelerates mapping convergence, benefiting all users as new mappings are created.

Maximum runtime enforcement and safe execution

Each mapping generation request has a strict maximum execution time, defaulting to one minute. Administrators can adjust this runtime limit up to a maximum of 15 minutes. If the runtime limit is reached, the process terminates safely, preserving any partial mapping results. This prevents long-running or runaway mapping operations, especially in environments with many indexes.
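The following is an added illustration, not Splunk code: a simplified model of the behavior described in the two sections above, where generation covers only unmapped indexes the user can access and stops at the runtime limit while keeping partial results. The store, the `discover` and `clock` hooks, and the index and entity names are constructed assumptions; the 1-minute default and 15-minute ceiling come from this page.

```python
from dataclasses import dataclass, field

MAX_LIMIT_S = 15 * 60  # the page's upper bound for the runtime limit


@dataclass
class MappingStore:
    # Shared index -> entities mappings (constructed model, not Splunk's schema).
    by_index: dict = field(default_factory=dict)


def generate_for_user(store, accessible, discover, clock, max_runtime_s=60.0):
    """Map only the unmapped indexes this user can access, within the limit.

    `discover` and `clock` are hypothetical hooks. Returns (mapped, unprocessed);
    mappings written before the deadline remain in `store`.
    """
    if not 0 < max_runtime_s <= MAX_LIMIT_S:
        raise ValueError("runtime limit must be > 0 and <= 15 minutes")
    deadline = clock() + max_runtime_s
    pending = sorted(i for i in accessible if i not in store.by_index)
    mapped = []
    for pos, index in enumerate(pending):
        if clock() >= deadline:  # checked between indexes, never mid-write
            return mapped, pending[pos:]
        store.by_index[index] = discover(index)
        mapped.append(index)
    return mapped, []


def demo():
    # Constructed scenario: each discovery costs 30 simulated seconds.
    now = [0.0]
    entities = {"app": {"checkout"}, "db": {"orders-db"},
                "web": {"frontend"}, "sec": {"auth"}}

    def discover(index):
        now[0] += 30.0
        return entities[index]

    clock = lambda: now[0]
    store = MappingStore()
    first = generate_for_user(store, {"app", "db", "web"}, discover, clock)
    partial = dict(store.by_index)          # state after the limit was hit
    second = generate_for_user(store, {"web", "sec"}, discover, clock)
    third = generate_for_user(store, {"app", "db", "web"}, discover, clock)
    return first, partial, second, third, store


if __name__ == "__main__":
    print(demo())
```

In the constructed run, the first user hits the one-minute limit after two indexes, the second user's request maps the remaining index both can access plus one only they can access, and the first user's next request finds nothing left to map.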

Admin configuration panel for scheduled and controlled mappings

A new admin-only configuration panel allows administrators to define system-level refresh cadences and execution constraints.

The system automatically refreshes mappings for relevant indexes without user intervention. Admins have the following options for mapping refresh cadence:

  • Never

  • Twenty-four hours (default)

  • Weekly

  • Monthly

Admins configure the lookback period, or how far back the discovery logic searches logs to determine index–entity relationships. The default is 24 hours, with options for shorter or longer periods based on ingestion patterns.

Admins can set the maximum allowed runtime for both automated and user-triggered mapping generation.

Admins can select a limited set of relevant indexes on which Automated Mapping Generation (AMG) runs periodically, narrowing the search scope and optimizing performance and cost.

To schedule and control mappings, an admin must follow these steps:
  1. Log in to Splunk Observability Cloud and go to Logs > Connections > View Mapping or Generate Mapping > Generation Policy.

  2. In the Mapping refresh cadence field, select the interval at which you want the system to automatically refresh mappings for relevant indexes without user intervention.

  3. In Lookback period, select how far back you want the system to search logs to determine index–entity relationships.

  4. In Maximum runtime, select the maximum execution time for generating automatic mappings. The default is 1 minute. You can select up to a maximum of 15 minutes. If the limit is reached, the process terminates and preserves any partial mapping results.

  5. In Index Exclusion List, select any indexes that you want to exclude from the periodic mapping generation to ensure that these indexes are not processed during scheduled runs.