Merge pull request #2644 from splunk/tcarter-O11YDOCS-7039-severity-key

tcarter-O11YDOCS-7039-severity-key

Author: tcarter-splunk

logs/lo-connect-landing.rst

@@ -18,6 +18,7 @@ Splunk Log Observer Connect
     LOconnect-default-index
     LOconnect-scenario
     timeline
+    severity-key
     queries
     raw-logs-display
     keyword
@@ -49,6 +50,8 @@ Splunk Log Observer Connect
 
 - :ref:`logs-timeline`
 
+- :ref:`severity-key`
+
 - :ref:`logs-queries`
 
 - :ref:`logs-raw-logs-display`

logs/severity-key.rst

@@ -0,0 +1,12 @@
+.. _severity-key:
+
+*****************************************************************
+Ensure the correct mapping of your severity key
+*****************************************************************
+
+.. meta::
+  :description: Log Observer Connect relies on the correct mapping of the severity key. Confirm that your severity key is correctly mapped.
+
+The Log Observer Connect timeline displays a histogram of logged events over time, grouped by values of the message field :guilabel:`severity`. The severity key is a field that all logs contain. It has the values :guilabel:`DEBUG`, :guilabel:`ERROR`, :guilabel:`INFO`, :guilabel:`UNKNOWN`, and :guilabel:`WARNING`. Your logs might use a different field name for the severity key. Because the severity key in many logs is called :guilabel:`level`, Log Observer Connect automatically remaps the log field :guilabel:`level` to :guilabel:`severity`.
+
+If your logs call the severity key by a different name, that's okay. To ensure that Log Observer Connect can read your field, transform your field name to :guilabel:`severity` or add a :guilabel:`severity` alias to your field name. To transform your field name, see :new-page:`Extract fields from event data using Ingest Processor <https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/IngestProcessor/FieldExtractionPipeline>`. To add an alias to your field name, see :ref:`logs-alias`.