Ensure that your search is set to the correct index or indexes. Select Index next to Saved Queries. In the pop-up window, first select a Splunk platform (Splunk Cloud Platform or Splunk Enterprise) connection in the Connection Selection section. Then, in the Index Selection section, select the indexes you want to query in Log Observer Connect. When you do not select an index, the following behavior occurs:

1. If it is your first time performing a search, Log Observer Connect runs an initial search of all indexes you have access to and returns the most recent 150,000 logs. The search then defaults to Pause to save Splunk Virtual Compute (SVC) resources. Control your SVC resources, which impact performance and cost, by leaving your search on Pause when you are not monitoring incoming logs, and select Play when you want to see more incoming logs.

2. If it is not your first time coming to Log Observer Connect and you have defined a main index, the search defaults to the main index. If you have not defined a main index, the search defaults to the first index in your list of indexes. If you select one or more indexes and run queries on them, Log Observer Connect defaults to your previously selected indexes.

3. If you enter Log Observer Connect by selecting related logs in another area in Splunk Observability Cloud, the Log Observer Connect search defaults to all indexes in order to find all related logs.

   Note: You must choose only one connection because you can query indexes from only one Splunk platform instance at a time. You can query Splunk platform indexes only if you have the appropriate role and permissions in Splunk platform.

In the content control bar next to the index picker, select Add Filter. Select the Keyword tab to search on a keyword or phrase. Select the Fields tab to search on a field. Then press Enter. To continue adding keywords or fields to the search, select Add Filter again. To edit a filter after creating it, select the filter pill and edit the filter value inline.

Next, select Unlimited or 150,000 from the Search Records field to determine the number of logs you want to return on a single search. Select 150,000 to optimize your Splunk Virtual Compute (SVC) resources and control performance and cost. However, only the most recent 150,000 logs display. To see a specific time range, you must select Infinite.

To narrow your search, use the Group by drop-down list to select the field or fields by which you want to group your results, then select Apply. To learn more about aggregations, see Group logs by fields using log aggregation.

Select Run search.

(Optional) If you want to stop the current search, select Cancel search. Partial results do not display. To continue your search, select Run search again.

Review the top values for your query on the the Fields panel on right. This list includes the count of each value in the log records. To include log records with a particular value, select the field name, then select =. To exclude log records with a particular value from your results, select the field name, then select !=. To see the full list of values and distribution for this field, select Explore all values.

(Optional) If you are viewing Splunk platform data, you can open your query results in the Splunk platform and use SPL to further query the resulting logs. You must have an account in Splunk platform. To open the log results in the Splunk platform, select the Open in Splunk platform icon at the top of the Logs table.