Merge branch 'main' into patch-4

Author: pauljwil

_includes/metric-categories.rst

@@ -50,8 +50,7 @@
        | This category is not part of the report.
 
    * - 13
-     - | APM Monitoring MetricSets
-       | This category is not part of the report.
+     - APM Monitoring MetricSets
 
    * - 14
      - Infrastructure Monitoring function

gdi/get-data-in/connect/aws/aws-prereqs.rst

@@ -412,7 +412,7 @@ Read more at the official AWS documentation:
 
 * :new-page:`AWS Organization Service Control Policies <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>`
 * :new-page:`Permissions boundaries for IAM entities <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html>`
-* :new-page:`Troubleshooting IAM permission access denied or unauthorized errors <https://web.archive.org/web/20231129090004/https://repost.aws/knowledge-center/troubleshoot-iam-permission-errors>`
+* :new-page:`Troubleshooting IAM permission access denied or unauthorized errors <https://repost.aws/knowledge-center/troubleshoot-iam-permission-errors>`
 
 .. _aws-regions:
 

gdi/get-data-in/connect/aws/aws-troubleshooting.rst

@@ -18,22 +18,22 @@ If issues persist, you can also contact :ref:`support`.
 Error validating your AWS connection
 =========================================
 
-The automatic attempt to validate a connection that you just configured fails, so there is no connection between Splunk Observability Cloud and your AWS account.
+The automatic attempt to validate a connection that you just configured fails, so there is no connection between Splunk Observability Cloud and your AWS account. This can include failed API calls with ``400`` error codes.
 
 Cause
 ^^^^^^
 
-The connection might fail due to invalid Identity Access Management (IAM) policy used by your AWS integration.
+The connection might fail due to your AWS integration using invalid Identity Access Management (IAM) policies, or missing some of the required permissions. 
 
-If you use the AWS Organizations' :new-page:`Service control policies <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>` or :new-page:`Permission boundaries for IAM entities <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html>`, they 
+If you use AWS Organizations' :new-page:`Service control policies <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>` or :new-page:`Permission boundaries for IAM entities <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html>`, they 
 might impact the AWS IAM policy you're using to connect to Splunk Observability Cloud. 
 
 Solution
 ^^^^^^^^^
 
-Ensure all :ref:`aws-required-permissions` are included in your IAM policy.
+Make sure to include all the required policies to connect your AWS account to Splunk Observability Cloud, as described in :ref:`aws-required-permissions`. Note that required permissions depend on your connection method (polling or Metric Streams), and that tag collection requires specific permissions.
 
-Also review the AWS Organizations' policies and boundaries you're using.
+You also need to review the AWS Organizations' policies and boundaries you're using.
 
 .. _aws-ts-cloud:
 

gdi/opentelemetry/collector-kubernetes/install-k8s.rst

@@ -72,7 +72,7 @@ Depending on your destination, you need:
    * ``splunkObservability.accessToken``. Your Splunk Observability Cloud org access token with ingest authorization scope. See :ref:`admin-org-tokens`.
    * ``splunkObservability.realm``. Splunk realm to send telemetry data to. The default is ``us0``. See :new-page:`realms <https://dev.splunk.com/observability/docs/realms_in_endpoints/>`.
 
-.. note:: The Collector for Kubernetes uses ``main`` as the default Splunk platform index.
+.. note:: The Collector for Kubernetes uses ``main`` as the default Splunk platform index. You can use annotations to send data to different indexes. See :ref:`kubernetes-config-logs-annotations-indexes` for more information. 
 
 Deploy the Helm chart
 ==============================================

gdi/opentelemetry/collector-kubernetes/kubernetes-config-logs.rst

@@ -2,13 +2,12 @@
 .. _kubernetes-config-logs:
 
 *********************************************************************************
-Configure logs and events for Kubernetes
+Collect logs and events for the Collector for Kubernetes
 *********************************************************************************
 
 .. meta::
       :description: Configure logs and events for the Splunk Distribution of OpenTelemetry Collector for Kubernetes.
 
-
 .. note:: See how to configure the Collector for Kubernetes at :ref:`otel-kubernetes-config` and :ref:`otel-kubernetes-config-advanced`.
 
 Starting on version 0.86.0, the Splunk Distribution of the Collector for Kubernetes collects native OpenTelemetry logs by default.
@@ -77,17 +76,26 @@ To process multi-line logs, add the following section to your values.yaml config
 
 Use :new-page:`regex101 <https://regex101.com/ >` to find a Golang regex that works for your format and specify it in the config file for the config option ``firstEntryRegex``.
 
+.. _kubernetes-config-logs-annotations:
+
 Manage log ingestion using annotations
 ===========================================================================
 
-Use the ``splunk.com/index`` annotation on pods or namespaces to indicate which Splunk platform indexes you want to send logs to. Pod annotation will take precedence over namespace annotation when both are annotated. 
+.. _kubernetes-config-logs-annotations-indexes:
+
+Send logs to different indexes
+-----------------------------------------------------
+
+The Collector for Kubernetes uses ``main`` as the default Splunk platform index. Use the ``splunk.com/index`` annotation on pods or namespaces to indicate which Splunk platform indexes you want to send logs to. 
 
 For example, to send logs from the ``kube-system`` namespace to the ``k8s_events`` index, use the command: 
 
 .. code-block:: bash
 
     kubectl annotate namespace kube-system splunk.com/index=k8s_events
 
+.. note:: A pod annotation takes precedence over a namespace annotation when both are annotated.     
+
 Filter logs using pod or namespace annotations
 -----------------------------------------------------
 

gdi/opentelemetry/collector-linux/collector-linux-intro.rst

@@ -17,6 +17,7 @@ Get started with the Collector for Linux
    linux-config-ootb.rst
    Default Linux metrics <metrics-ootb-linux.rst>   
    linux-config.rst
+   linux-config-logs.rst
    linux-upgrade.rst   
    linux-uninstall.rst
    collector-configuration-tutorial/about-collector-config-tutorial.rst
@@ -30,8 +31,9 @@ To install and configure the Splunk Distribution of the OpenTelemetry Collector
 See the default settings and configuration options at:
 
 * :ref:`linux-config-ootb`
-* :ref:`otel-linux-config`
 * By default, you'll obtain these :ref:`metrics <ootb-metrics-windows>` 
+* :ref:`otel-linux-config`
+* :ref:`linux-config-logs`
 
 .. include:: /_includes/gdi/collector-common-options.rst
 

gdi/opentelemetry/collector-linux/install-linux.rst

@@ -107,88 +107,6 @@ If you're installing your Collector instance in a host with Docker, you need to
     # or if specifying the user:group directly
     $ docker run -v /var/run/docker.sock:/var/run/docker.sock:ro --user "splunk-otel-collector:$(stat -c '%g' /var/run/docker.sock)" quay.io/signalfx/splunk-otel-collector:latest <...>
 
-Collect logs for the Collector for Linux
-====================================================================
-
-Use the Universal Forwarder to send logs to the Splunk platform. See more at :ref:`collector-with-the-uf`.
-
-Fluentd is turned off by default. If you already installed Fluentd on a host, re-install the Collector without Fluentd using the ``--without-fluentd`` option. 
-
-.. _fluentd-manual-config-linux:
-
-Collect Linux logs with Fluentd
----------------------------------------
-
-If you have a Log Observer entitlement or want to collect logs for the target host with Fluentd, use the ``--with-fluentd`` option to also install Fluentd when installing the Collector. For example:
-
-.. code-block:: bash
-
-   curl -sSL https://dl.signalfx.com/splunk-otel-collector.sh > /tmp/splunk-otel-collector.sh && \
-   sudo sh /tmp/splunk-otel-collector.sh --with-fluentd --realm $SPLUNK_REALM -- $SPLUNK_ACCESS_TOKEN
-
-When turned on, the Fluentd service is configured by default to collect and forward log events with the ``@SPLUNK`` label to the Collector, which then sends these events to the HEC ingest endpoint determined by the ``--realm <SPLUNK_REALM>`` option. For example, ``https://ingest.<SPLUNK_REALM>.signalfx.com/v1/log``.
-
-The following Fluentd plugins are also installed:
-
-* ``capng_c`` for activating Linux capabilities.
-* ``fluent-plugin-systemd`` for systemd journal log collection.
-
-Additionally, the following dependencies are installed as prerequisites for the Fluentd plugins:
-
-.. tabs:: 
-
-  .. tab:: Debian-based systems
-
-    * build-essential
-    * libcap-ng0
-    * libcap-ng-dev
-    * pkg-config
-
-  .. tab:: RPM-based systems
-
-    * Development Tools
-    * libcap-ng
-    * libcap-ng-devel
-    * pkgconfig
-
-You can specify the following parameters to configure the package to send log events to a custom Splunk HTTP Event Collector (HEC) endpoint URL:
-
-* ``--hec-url <URL>``
-* ``--hec-token <TOKEN>``
-
-HEC lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. See :new-page:`Set up and use HTTP Event Collector in Splunk Web <https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/UsetheHTTPEventCollector>`.
-
-The main Fluentd configuration is installed to ``/etc/otel/collector/fluentd/fluent.conf``. Custom Fluentd source configuration files can be added to the ``/etc/otel/collector/fluentd/conf.d`` directory after installation.
-
-Note the following:
-
-* In this directory, all files with the .conf extension are automatically included by Fluentd.
-* The td-agent user must have permissions to access the configuration files and the paths defined within.
-* By default, Fluentd is configured to collect systemd journal log events from ``/var/log/journal``.
-
-After any configuration modification, run ``sudo systemctl restart td-agent`` to restart the td-agent service.
-
-If the td-agent package is upgraded after initial installation, you might need to set the Linux capabilities for the new version by performing the following steps for td-agent versions 4.1 or higher:
-
-#. Check for the activated capabilities:
-
-   .. code-block:: bash
-
-      sudo /opt/td-agent/bin/fluent-cap-ctl --get -f /opt/td-agent/bin/ruby
-      Capabilities in `` /opt/td-agent/bin/ruby`` ,
-      Effective:   dac_override, dac_read_search
-      Inheritable: dac_override, dac_read_search
-      Permitted:   dac_override, dac_read_search
-
-#. If the output from the previous command does not include ``dac_override`` and ``dac_read_search`` as shown above, run the following commands:
-
-   .. code-block:: bash
-
-      sudo td-agent-gem install capng_c
-      sudo /opt/td-agent/bin/fluent-cap-ctl --add "dac_override,dac_read_search" -f /opt/td-agent/bin/ruby
-      sudo systemctl daemon-reload
-      sudo systemctl restart td-agent
-
 .. _configure-auto-instrumentation:
 
 Configure automatic discovery for back-end applications

gdi/opentelemetry/collector-linux/linux-config-logs.rst

@@ -0,0 +1,91 @@
+.. _otel-install-linux-logs:
+.. _linux-config-logs:
+
+***************************************************************
+Collect logs for the Collector for Linux
+***************************************************************
+
+.. meta::
+  
+  :description: Describes how to collect logs for the Splunk Distribution of OpenTelemetry Collector for Linux.
+
+Use the Universal Forwarder to send logs to the Splunk platform. See more at :ref:`collector-with-the-uf`.
+
+Fluentd is turned off by default. If you already installed Fluentd on a host, re-install the Collector without Fluentd using the ``--without-fluentd`` option. 
+
+.. _fluentd-manual-config-linux:
+
+Collect Linux logs with Fluentd
+===========================================================================
+
+If you have a Log Observer entitlement or want to collect logs for the target host with Fluentd, use the ``--with-fluentd`` option to also install Fluentd when installing the Collector. For example:
+
+.. code-block:: bash
+
+   curl -sSL https://dl.signalfx.com/splunk-otel-collector.sh > /tmp/splunk-otel-collector.sh && \
+   sudo sh /tmp/splunk-otel-collector.sh --with-fluentd --realm $SPLUNK_REALM -- $SPLUNK_ACCESS_TOKEN
+
+When turned on, the Fluentd service is configured by default to collect and forward log events with the ``@SPLUNK`` label to the Collector, which then sends these events to the HEC ingest endpoint determined by the ``--realm <SPLUNK_REALM>`` option. For example, ``https://ingest.<SPLUNK_REALM>.signalfx.com/v1/log``.
+
+The following Fluentd plugins are also installed:
+
+* ``capng_c`` for activating Linux capabilities.
+* ``fluent-plugin-systemd`` for systemd journal log collection.
+
+Additionally, the following dependencies are installed as prerequisites for the Fluentd plugins:
+
+.. tabs:: 
+
+  .. tab:: Debian-based systems
+
+    * build-essential
+    * libcap-ng0
+    * libcap-ng-dev
+    * pkg-config
+
+  .. tab:: RPM-based systems
+
+    * Development Tools
+    * libcap-ng
+    * libcap-ng-devel
+    * pkgconfig
+
+You can specify the following parameters to configure the package to send log events to a custom Splunk HTTP Event Collector (HEC) endpoint URL:
+
+* ``--hec-url <URL>``
+* ``--hec-token <TOKEN>``
+
+HEC lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. See :new-page:`Set up and use HTTP Event Collector in Splunk Web <https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/UsetheHTTPEventCollector>`.
+
+The main Fluentd configuration is installed to ``/etc/otel/collector/fluentd/fluent.conf``. Custom Fluentd source configuration files can be added to the ``/etc/otel/collector/fluentd/conf.d`` directory after installation.
+
+Note the following:
+
+* In this directory, all files with the .conf extension are automatically included by Fluentd.
+* The td-agent user must have permissions to access the configuration files and the paths defined within.
+* By default, Fluentd is configured to collect systemd journal log events from ``/var/log/journal``.
+
+After any configuration modification, run ``sudo systemctl restart td-agent`` to restart the td-agent service.
+
+If the td-agent package is upgraded after initial installation, you might need to set the Linux capabilities for the new version by performing the following steps for td-agent versions 4.1 or higher:
+
+#. Check for the activated capabilities:
+
+   .. code-block:: bash
+
+      sudo /opt/td-agent/bin/fluent-cap-ctl --get -f /opt/td-agent/bin/ruby
+      Capabilities in `` /opt/td-agent/bin/ruby`` ,
+      Effective:   dac_override, dac_read_search
+      Inheritable: dac_override, dac_read_search
+      Permitted:   dac_override, dac_read_search
+
+#. If the output from the previous command does not include ``dac_override`` and ``dac_read_search`` as shown above, run the following commands:
+
+   .. code-block:: bash
+
+      sudo td-agent-gem install capng_c
+      sudo /opt/td-agent/bin/fluent-cap-ctl --add "dac_override,dac_read_search" -f /opt/td-agent/bin/ruby
+      sudo systemctl daemon-reload
+      sudo systemctl restart td-agent
+
+

logs/processors.rst

@@ -41,6 +41,9 @@ Going forward after the transition to Log Observer Connect, you can process data
    * - Data Stream Processor
      - See :new-page:`Use the Data Stream Processor <https://docs.splunk.com/Documentation/DSP/1.4.2/User/About>`.
 
+   * - Ingest Processor
+     - See :new-page:`About Ingest Processor <https://docs.splunk.com/Documentation/SplunkCloud/latest/IngestProcessor/AboutIngestProcessorSolution>`.  
+
 
 Prepackaged processing rules
 =============================================================================