fixed formatting, added clarification on a few steps

Author: timhard-splunk

content/en/ninja-workshops/11-ingest_processor_for_observability_cloud/1-getting-started/1-access-cloud-instances.md

@@ -22,10 +22,12 @@ Login to Splunk Show using your [splunk.com](https://login.splunk.com/) credenti
 
 {{% notice title="Note" style="primary"  icon="lightbulb" %}}
 
-Take note of the Participant Number provided in your Splunk Show event details. This number will be included in the `sourcetype` that you will use for searching and filtering the Kubernetes data. Because this is a shared environment only use the participant number provided so that other participants data is not effected.
+Take note of the `User Id` provided in your Splunk Show event details. This number will be included in the `sourcetype` that you will use for searching and filtering the Kubernetes data. Because this is a shared environment only use the participant number provided so that other participants data is not effected.
 
 {{% /notice %}}
 
+![Splunk Show Instance Information](../../images/show_instance_information.png)
+
 ## 2. Splunk Observability Cloud Instances
 
 You should have also received an email to access the Splunk Observability Cloud workshop organization (You may need to check your spam folder). If you have not received an email, let your workshop instructor know. To access the environment click the **Join Now** button.

content/en/ninja-workshops/11-ingest_processor_for_observability_cloud/3-create-an-ingest-pipeline/1-login-to-splunk.md

@@ -8,27 +8,27 @@ In this section you will create an Ingest Pipeline which will convert Kubernetes
 
 {{% notice title="Pre-requisite: Login to Splunk Enterprise Cloud" style="green" icon="running" %}}
 
-Open the **Ingest Processor Cloud Stack** URL provided in the Splunk Show event details.
+**1.** Open the **Ingest Processor Cloud Stack** URL provided in the Splunk Show event details.
 
 ![Splunk Cloud Instance Details](../../images/show_instances_sec.png)
 
-In the Connection info click on the **Stack URL** link to open your Splunk Cloud stack.
+**2.** In the Connection info click on the **Stack URL** link to open your Splunk Cloud stack.
 
 ![Splunk Cloud Connection Details](../../images/sec_connection_details.png)
 
-Use the `admin` username and password to login to Splunk Cloud.
+**3.** Use the `admin` username and password to login to Splunk Cloud.
 
 ![Splunk Cloud Login](../../images/sec_login.png)
 
-After logging in, if prompted, accept the Terms of Service and click **OK**
+**4.** After logging in, if prompted, accept the Terms of Service and click **OK**
 
 ![Splunk Cloud Login](../../images/sec_terms.png)
 
-Navigate back to the Splunk Show event details and select the Ingest Processor SCS Tenant
+**5.** Navigate back to the Splunk Show event details and select the Ingest Processor SCS Tenant
 
 ![Ingest Processor Connection Details](../../images/show_instances_scs.png)
 
-Click on the **Console URL** to access the **Ingest Processor SCS Tenant**
+**6.** Click on the **Console URL** to access the **Ingest Processor SCS Tenant**
 
 {{% notice title="Note" style="primary" icon="lightbulb" %}}
 **Single Sign-On (SSO)**

content/en/ninja-workshops/11-ingest_processor_for_observability_cloud/3-create-an-ingest-pipeline/2-review-k8s-events.md

@@ -8,23 +8,29 @@ In this section you will review the Kubernetes Audit Logs that are being collect
 
 {{% notice title="Exercise: Create Ingest Pipeline" style="green" icon="running" %}}
 
-1. Open your **Ingest Processor Cloud Stack** instance using the URL provided in the Splunk Show workshop details.
+**1.** Open your **Ingest Processor Cloud Stack** instance using the URL provided in the Splunk Show workshop details.
 
-2. Navigate to **Apps** -> **Search and Reporting**
+**2.** Navigate to **Apps** -> **Search and Reporting**
 
 ![Search and Reporting](../../images/search_and_reporting.png?width=20vw)
 
-3. In the search bar, enter the following SPL search string:
+**3.** In the search bar, enter the following SPL search string. 
+
+{{% notice title="Note" style="primary"  icon="lightbulb" %}}
+Make sure to replace `USER_ID` with the User ID provided in your Splunk Show instance information.
+{{% /notice %}}
 
 ```
-```Replace PARTICIPANT_NUMBER with the participant number provided in your Splunk Show event details```
-index=main sourcetype="kube:apiserver:audit:PARTICIPANT_NUMBER"
+```Replace USER_ID with the User ID provided in your Splunk Show instance information```
+index=main sourcetype="kube:apiserver:audit:USER_ID"
 ```
 
-4. Press **Enter** or click the green magnifying glass to run the search.
+**4.** Press **Enter** or click the green magnifying glass to run the search.
 
 ![Kubernetes Audit Log](../../images/k8s_audit_log.png)
 
-You should now see the Kubernetes Audit Logs for your environment. Notice that the events are fairly robust. Explore the available fields and start to think about what information would be good candidates for metrics and dimensions. Ask yourself: What fields would I like to chart and how would I like to be able to filter, group, or split those fields?
+<center>
+<b>You should now see the Kubernetes Audit Logs for your environment. Notice that the events are fairly robust. Explore the available fields and start to think about what information would be good candidates for metrics and dimensions. Ask yourself: What fields would I like to chart and how would I like to be able to filter, group, or split those fields?</b>
+</center>
 
 {{%/ notice %}}

content/en/ninja-workshops/11-ingest_processor_for_observability_cloud/3-create-an-ingest-pipeline/3-create-ingest-pipeline.md

@@ -8,7 +8,7 @@ In this section you will create an Ingest Pipeline which will convert Kubernetes
 
 {{% notice title="Exercise: Create Ingest Pipeline" style="green" icon="running" %}}
 
-1. Open the **Ingest Processor SCS Tenant** using the connection details provided in the Splunk Show event.
+**1.** Open the **Ingest Processor SCS Tenant** using the connection details provided in the Splunk Show event.
 
 ![Launch Splunk Cloud Platform](../../images/data_management_home.png?width=40vw)
 
@@ -20,40 +20,40 @@ When you open the  **Ingest Processor SCS Tenant**, if you are taken to a welcom
 
 {{% /notice %}}
 
-2. From the Splunk Data Management console select **Pipelines** -> **New pipeline** -> **Ingest Processor pipeline**.
+**2.** From the Splunk Data Management console select **Pipelines** -> **New pipeline** -> **Ingest Processor pipeline**.
 
 ![New Ingest Processor Pipeline](../../images/new_pipeline.png?width=40vw)
 
-3. In the **Get started** step of the Ingest Processor configuration page select **Blank Pipeline** and click **Next**.
+**3.** In the **Get started** step of the Ingest Processor configuration page select **Blank Pipeline** and click **Next**.
 
 ![Blank Ingest Processor Pipeline](../../images/blank_pipeline.png?width=40vw)
 
-4. In the **Define your pipeline’s partition** step of the Ingest Processor configuration page select **Partition by sourcetype**. Select the **= equals** Operator and enter `kube:apiserver:audit:PARTICIPANT_NUMBER` (Be sure to replace PARTICIPANT_NUMBER with the participant number you were assigned) for the value. Click **Apply**.
+**4.** In the **Define your pipeline’s partition** step of the Ingest Processor configuration page select **Partition by sourcetype**. Select the **= equals** Operator and enter `kube:apiserver:audit:USER_ID` (Be sure to replace USER_ID with the User ID you were assigned) for the value. Click **Apply**.
 
 ![Add Partition](../../images/add_partition.png?width=40vw)
 
-5. Click **Next**
+**5.** Click **Next**
 
-6. In the **Add sample data** step of the Ingest Processor configuration page select **Capture new snapshot**. Enter `k8s_audit` for the name and click **Capture**.
+**6.** In the **Add sample data** step of the Ingest Processor configuration page select **Capture new snapshot**. Enter `k8s_audit_USER_ID` (Be sure to replace USER_ID with the User ID you were assigned) for the Snapshot name and click **Capture**.
 
 ![Capture Snapshot](../../images/capture_snapshot.png?width=40vw)
 
-7. Make sure your newly created snapshot (`k8s_audit`) is selected and then click **Next**.
+**7.** Make sure your newly created snapshot (`k8s_audit_USER_ID`) is selected and then click **Next**.
 
 ![Configure Snapshot Sourcetype](../../images/capture_snapshot_sourcetype.png?width=20vw)
 
-8. In the **Select a metrics destination** step of the Ingest Processor configuration page select **show_o11y_org**. Click **Next**.
+**8.** In the **Select a metrics destination** step of the Ingest Processor configuration page select **show_o11y_org**. Click **Next**.
 
 ![Metrics Destination](../../images/metrics_destination.png?width=20vw)
 
-9. In the **Select a data destination** step of the Ingest Processor configuration page select **splunk_indexer**. Under **Specify how you want your events to be routed to an index** select **Default**. Click **Done**.
+**9.** In the **Select a data destination** step of the Ingest Processor configuration page select **splunk_indexer**. Under **Specify how you want your events to be routed to an index** select **Default**. Click **Done**.
 
 ![Event Routing](../../images/event_routing.png?width=20vw)
 
-10. In the **Pipeline search field** replace the default search with the following. 
+**10.** In the **Pipeline search field** replace the default search with the following. 
 
 {{% notice title="Note" style="primary" icon="lightbulb" %}}
-**Replace `UNIQUE_FIELD` in the metric name with a unique value which will be used to identify your metric in Observability Cloud.**
+**Replace `UNIQUE_FIELD` in the metric name with a unique value (such as your initials) which will be used to identify your metric in Observability Cloud.**
 {{% /notice %}}
 
 ```
@@ -63,12 +63,14 @@ import logs_to_metrics from /splunk/ingest/commands
 $pipeline =
 | from $source
 | thru [
-//define the metric name, type, and value for the Kubernetes Events
-| logs_to_metrics name="k8s_audit_UNIQUE_FIELD" metrictype="counter" value=1 time=_time
-| into $metrics_destination
-]
+        //define the metric name, type, and value for the Kubernetes Events
+        //
+        // REPLACE UNIQUE_FIELD WITH YOUR INITIALS
+        //
+        | logs_to_metrics name="k8s_audit_UNIQUE_FIELD" metrictype="counter" value=1 time=_time
+        | into $metrics_destination
+    ]
 | eval index = "kube_logs"
-//Send unfiltered logs to S3
 | into $destination;
 ```
 {{% notice title="New to SPL2?" style="info" icon="lightbulb" %}}
@@ -83,15 +85,15 @@ Here is a breakdown of what the SPL2 query is doing:
 
 {{% /notice %}}
 
-11. In the upper-right corner click the **Preview** button ![Preview Button](../../images/preview.png?height=20px&classes=inline) or press CTRL+Enter (CMD+Enter on Mac). From the **Previewing $pipeline** dropdown select **$metrics_destination**. Confirm you are seeing a preview of the metrics that will be sent to Splunk Observability Cloud.
+**11.** In the upper-right corner click the **Preview** button ![Preview Button](../../images/preview.png?height=20px&classes=inline) or press CTRL+Enter (CMD+Enter on Mac). From the **Previewing $pipeline** dropdown select **$metrics_destination**. Confirm you are seeing a preview of the metrics that will be sent to Splunk Observability Cloud.
 
 ![Preview Pipeline](../../images/preview_pipeline.png?width=40vw)
 
-12. In the upper-right corner click the **Save pipeline** button ![Save Pipeline Button](../../images/save_pipeline_btn.png?height=20px&classes=inline). Enter a name for your pipeline and click **Save**.
+**12.** In the upper-right corner click the **Save pipeline** button ![Save Pipeline Button](../../images/save_pipeline_btn.png?height=20px&classes=inline). Enter `Kubernetes Audit Logs2Metrics USER_ID` for your pipeline name and click **Save**.
 
 ![Save Pipeline Dialog](../../images/save_pipeline_dialog.png?width=40vw)
 
-13. After clicking save you will be asked if you would like to apply the newly created pipeline. Click **Yes, apply**.
+**13.** After clicking save you will be asked if you would like to apply the newly created pipeline. Click **Yes, apply**.
 
 ![Apply Pipeline Dialog](../../images/apply_pipeline_dialog.png?width=40vw)
 

content/en/ninja-workshops/11-ingest_processor_for_observability_cloud/3-create-an-ingest-pipeline/4-confirm-metrics.md

@@ -8,11 +8,11 @@ Now that an Ingest Pipeline has been configured to convert Kubernetes Audit Logs
 
 {{% notice title="Exercise: Confirm Metrics in Splunk Observability Cloud" style="green" icon="running" %}}
 
-1. Login to the **Splunk Observability Cloud** organization you were invited for the workshop. In the upper-right corner, click the **+** Icon -> **Chart** to create a new chart.
+**1.** Login to the **Splunk Observability Cloud** organization you were invited for the workshop. In the upper-right corner, click the **+** Icon -> **Chart** to create a new chart.
 
 ![Create New Chart](../../images/create_new_chart.png?width=40vw)
 
-2. In the **Plot Editor** of the newly created chart enter the metric name you used while configuring the **Ingest Pipeline**.
+**2.** In the **Plot Editor** of the newly created chart enter the metric name you used while configuring the **Ingest Pipeline**.
 
 ![Review Metric](../../images/review_metric.png?width=40vw)
 

content/en/ninja-workshops/11-ingest_processor_for_observability_cloud/4-update-pipeline-and-visualize/1-update-ingest-pipeline.md

@@ -6,18 +6,18 @@ weight: 2
 
 {{% notice title="Exercise: Update Ingest Pipeline " style="green" icon="running" %}}
 
-1. Navigate back to the configuration page for the Ingest Pipeline you created in the previous step.
+**1.** Navigate back to the configuration page for the Ingest Pipeline you created in the previous step.
 
 ![Ingest Pipeline](../../images/ingest_pipeline.png?width=40vw)
 
-2. To add dimensions to the metric from the raw Kubernetes audit logs update the SPL2 query you created for the pipeline by replacing the `logs_to_metrics` portion of the query with the following.
+**2.** To add dimensions to the metric from the raw Kubernetes audit logs update the SPL2 query you created for the pipeline by replacing the `logs_to_metrics` portion of the query with the following:
 
 {{% notice title="Note" style="primary" icon="lightbulb" %}}
-**Be sure to update the metric name field (`name="k8s_audit"`) to the name you provided in the original pipeline**
+**Be sure to update the metric name field (`name="k8s_audit_UNIQUE_FIELD"`) to the name you provided in the original pipeline**
 {{% /notice %}}
 
 ```
-| logs_to_metrics name="k8s_audit" metrictype="counter" value=1 time=_time dimensions={"level": _raw.level, "response_status": _raw.responseStatus.code, "namespace": _raw.objectRef.namespace, "resource": _raw.objectRef.resource, "user": _raw.user.username, "action": _raw.verb}
+| logs_to_metrics name="k8s_audit_UNIQUE_FIELD" metrictype="counter" value=1 time=_time dimensions={"level": _raw.level, "response_status": _raw.responseStatus.code, "namespace": _raw.objectRef.namespace, "resource": _raw.objectRef.resource, "user": _raw.user.username, "action": _raw.verb}
 ```
 
 {{% notice title="Note" style="info" icon="info" %}}
@@ -26,20 +26,40 @@ Using the `dimensions` field in the SPL2 query you can add dimensions from the r
 You should consider adding any common tags across your services so that you can take advantage of context propagation and related content in Splunk Observability Cloud.
 {{% /notice %}}
 
-3. In the upper-right corner click the **Preview** button ![Preview Button](../../images/preview.png?height=20px&classes=inline) or press CTRL+Enter (CMD+Enter on Mac). From the **Previewing $pipeline** dropdown select **$metrics_destination**. Confirm you are seeing a preview of the metrics that will be sent to Splunk Observability Cloud.
+The updated pipeline should now be the following:
+
+```
+/*A valid SPL2 statement for a pipeline must start with "$pipeline", and include "from $source" and "into $destination".*/
+/* Import logs_to_metrics */
+import logs_to_metrics from /splunk/ingest/commands
+$pipeline =
+| from $source
+| thru [
+        //define the metric name, type, and value for the Kubernetes Events
+        //
+        // REPLACE UNIQUE_FIELD WITH YOUR INITIALS
+        //
+        | logs_to_metrics name="k8s_audit_UNIQUE_FIELD" metrictype="counter" value=1 time=_time dimensions={"level": _raw.level, "response_status": _raw.responseStatus.code, "namespace": _raw.objectRef.namespace, "resource": _raw.objectRef.resource, "user": _raw.user.username, "action": _raw.verb}
+        | into $metrics_destination
+    ]
+| eval index = "kube_logs"
+| into $destination;
+```
+
+**3.** In the upper-right corner click the **Preview** button ![Preview Button](../../images/preview.png?height=20px&classes=inline) or press CTRL+Enter (CMD+Enter on Mac). From the **Previewing $pipeline** dropdown select **$metrics_destination**. Confirm you are seeing a preview of the metrics that will be sent to Splunk Observability Cloud.
 
 ![Ingest Pipeline Dimensions](../../images/ingest_pipeline_dimensions.png?width=40vw)
 
-4. Confirm you are seeing the dimensions in the dimensions column of the preview table. You can view the entire dimensions object by clicking into the table. 
+**4.** Confirm you are seeing the dimensions in the dimensions column of the preview table. You can view the entire dimensions object by clicking into the table. 
 
 ![Ingest Pipeline Dimensions Review](../../images/ingest_pipeline_dimensions_field.png?width=40vw)
 
-5. In the upper-right corner click the **Save pipeline** button ![Save Pipeline Button](../../images/save_pipeline_btn.png?height=20px&classes=inline). On the “You are editing an active pipeline modal” click **Save**.
+**5.** In the upper-right corner click the **Save pipeline** button ![Save Pipeline Button](../../images/save_pipeline_btn.png?height=20px&classes=inline). On the “You are editing an active pipeline modal” click **Save**.
 
 ![Save Updated Pipeline](../../images/save_updated_pipeline.png?width=30vw)
 
 <center>
-<b>Because this pipeline is already active, the changes we’ve made will take effect immediately. Your metric should now be split into multiple metric timeseries using the dimensions you added.</b>
+<b>Because this pipeline is already active, the changes you made will take effect immediately. Your metric should now be split into multiple metric timeseries using the dimensions you added.</b>
 
 In the next step you will create a visualization using different dimensions from the kubernetes audit events.
 </center>