Create or refine log field aliases

An alias is an alternate name you assign to a field. Splunk Observability Cloud adds it to the event alongside the original field name to make it easier to find the data you want and to connect your data sources through Related Content. Create field aliases for all log fields. For more information, see Create field aliases.

To see a complete list of the specific log fields that require log field aliases, see the section, Prerequisites: Configure log field aliases.

Generate entity-index mappings

Entity-index mappings optimize how logs Related Content (RC) retrieves log data. You can enhance the performance and accuracy of log queries by defining relationships between observability entities and specific Splunk index and sourcetype combinations. To learn more, see Set up entity-index mappings.

Deactivate Global Index Search

After generating your entity-index mappings, deactivate Global Index Search for the connection if you want the system to rely on only the entity-index mappings you generated. If the Global Index Search is active, it runs index=* queries to fetch logs when there are no entity-index mappings.

Enable consumption of entity-index mappings

To utilize entity-index mappings, which make your logs searches more efficient, you must also enable their consumption after you generate the mappings. To do this, follow these steps:

1. Go to Settings > General settingsin Splunk Observability Cloud.

2. Select Activate related content mappings consumption for logs.

For detailed information on entity-index mappings, see Set up entity-index mappings.