This repository was archived by the owner on Sep 2, 2025. It is now read-only.

Commit c2c378f

Merge pull request #2697 from splunk/tcarter-releaseDayFix
tcarter-releaseDayFix
2 parents a301a28 + f6e1966 commit c2c378f


3 files changed: +52 / -11 lines changed


_images/logs/indexSelection.png

212 KB

_includes/logs/query-logs.rst

Lines changed: 11 additions & 3 deletions
@@ -8,7 +8,13 @@
88

99
2. In the content control bar, enter a time range in the time picker if you want to see logs from a specific historical period. To select a time range, you must select :guilabel:`Unlimited` from the :guilabel:`Search Records` field in step 5 below. When you select :guilabel:`150,000`, Log Observer returns only the most recent 150,000 logs regardless of the time range you select.
1010

11-
3. Select :guilabel:`Index` next to :guilabel:`Saved Queries`, then select the indexes you want to query. When you do not select an index, Log Observer runs your query on all indexes to which you have access. If you want to search your Splunk platform (Splunk Cloud Platform or Splunk Enterprise) data, select the integration for the appropriate Splunk platform instance first, then select which index you want to query in Log Observer. You can query indexes from only one Splunk platform instance or Splunk Observability Cloud instance at a time. You can query Splunk platform indexes only if you have the appropriate role and permissions.
11+
3. Select :guilabel:`Index` next to :guilabel:`Saved Queries`. In the pop-up window, first select a Splunk platform (Splunk Cloud Platform or Splunk Enterprise) connection in the :guilabel:`Connection selection` section. Then, in the :guilabel:`Index selection` section, select which index you want to query in Log Observer Connect.
12+
13+
.. image:: /_images/logs/indexSelection.png
14+
:width: 90%
15+
:alt: The Log Observer index selection pop-up is displayed.
16+
17+
.. note:: You can query indexes from only one Splunk platform instance at a time. You can query Splunk platform indexes only if you have the appropriate role and permissions in Splunk platform.
1218

1319
4. In the content control bar next to the index picker, select :guilabel:`Add Filter`. Select the :guilabel:`Keyword` tab to search on a keyword or phrase. Select the :guilabel:`Fields` tab to search on a field. Then press Enter. To continue adding keywords or fields to the search, select :guilabel:`Add Filter` again.
1420
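Review bot: the rewritten step 3 (new lines 11 to 17) drops two statements from old line 11 without replacing them: the default behaviour when no index is selected ("Log Observer runs your query on all indexes to which you have access") and the mention of Splunk Observability Cloud instances in the one-instance-at-a-time rule, which the new note on line 17 restricts to Splunk platform instances. If the pop-up now forces the user to pick a connection and an index, say so in step 3; otherwise keep the all-indexes sentence, because readers need it to understand how wide an unfiltered query runs. Also, the new step says "Log Observer Connect" while step 2 on line 9 says "Log Observer"; use one name for the same UI within this procedure.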

@@ -18,9 +24,11 @@
1824

1925
7. Select :guilabel:`Run search`.
2026

21-
8. Review the top values for your query on the the :guilabel:`Fields` panel on right. This list includes the count of each value in the log records. To include log records with a particular value, select the field name, then select ``=``. To exclude log records with a particular value from your results, select the field name, then select ``!=``. To see the full list of values and distribution for this field, select :guilabel:`Explore all values`.
27+
8. [Optional] If you want to stop the current search, select :guilabel:`Cancel search`. Partial results do not display. To continue your search, select :guilabel:`Run search` again.
28+
29+
9. Review the top values for your query on the the :guilabel:`Fields` panel on right. This list includes the count of each value in the log records. To include log records with a particular value, select the field name, then select ``=``. To exclude log records with a particular value from your results, select the field name, then select ``!=``. To see the full list of values and distribution for this field, select :guilabel:`Explore all values`.
2230

23-
9. Optionally, if you are viewing Splunk platform data, you can open your query results in the Splunk platform and use SPL to further query the resulting logs. You must have an account in Splunk platform. To open the log results in the Splunk platform, select the :guilabel:`Open in Splunk platform` icon at the top of the Logs table.
31+
10. [Optional] If you are viewing Splunk platform data, you can open your query results in the Splunk platform and use SPL to further query the resulting logs. You must have an account in Splunk platform. To open the log results in the Splunk platform, select the :guilabel:`Open in Splunk platform` icon at the top of the Logs table.
2432

2533
.. image:: /_images/logs/lo-openinsplunk.png
2634
:width: 90%
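Review bot: the step renumbered from 8 to 9 (new line 29) carries a wording defect over from old line 21, "on the the :guilabel:`Fields` panel on right"; since the line is already being touched, change it to "on the :guilabel:`Fields` panel on the right". In the new step 8 on line 27, "Partial results do not display" reads more naturally as "Partial results are not displayed", matching the phrasing used in the rest of the procedure.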

logs/severity-key.rst

Lines changed: 41 additions & 8 deletions
@@ -7,15 +7,48 @@ Ensure the correct mapping of your severity key
77
.. meta::
88
:description: Log Observer Connect relies on the correct mapping of the severity key. Confirm that your severity key is correctly mapped.
99

10-
The Log Observer Connect timeline displays a histogram of logged events over time, grouped by values of the message field :guilabel:`severity`. The severity key is a field that all logs contain. It has the values :guilabel:`DEBUG`, :guilabel:`ERROR`, :guilabel:`INFO`, :guilabel:`UNKNOWN`, and :guilabel:`WARNING`. Your logs might use a different field name for the severity key. Because the severity key in many logs is called :guilabel:`level`, Log Observer Connect automatically remaps the log field :guilabel:`level` to :guilabel:`severity`.
10+
The Log Observer Connect timeline displays a histogram of logged events over time, grouped by values of the message field :guilabel:`severity`. The severity key is a field that all logs contain. It has the values :guilabel:`debug`, :guilabel:`error`, :guilabel:`info`, :guilabel:`unknown`, and :guilabel:`warning`. Your logs might use a different field name for the severity key.
1111

12-
If your logs call the severity key by a different name, that's okay. To ensure that Log Observer Connect can read your field, transform your field name to :guilabel:`severity` or add a :guilabel:`severity` alias to your field name. To transform your field name, see :new-page:`Extract fields from event data using Ingest Processor <https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/IngestProcessor/FieldExtractionPipeline>`. To add an alias to your field name, see :ref:`logs-alias`.
12+
If your logs call the severity key or its values by different names, that's okay. Ensure that Log Observer Connect can read your field and value names. Log Observer Connect assigns :guilabel:`unknown` to all values that it does not recognize.
1313

14-
The mapping of your severity key and its values is case sensitive. The key and its values must appear exactly as follows:
14+
.. note:: The names of your severity key and its values are not case sensitive.
15+
16+
Your severity key can have any of the following names:
1517

1618
* severity
17-
* DEBUG
18-
* ERROR
19-
* INFO
20-
* UNKNOWN
21-
* WARNING
19+
* level
20+
* otel.log.severity.text
21+
22+
The following table lists the values that Log Observer Connect recognizes for each severity name:
23+
24+
.. list-table::
25+
:header-rows: 1
26+
:widths: 50, 50
27+
28+
* - :guilabel:`Severity field names`
29+
- :guilabel:`Severity value names`
30+
31+
* - severity
32+
- | info, information
33+
| err, error
34+
| warn, warning
35+
| debug
36+
| critical
37+
38+
* - level
39+
- | info, information
40+
| err, error
41+
| warn, warning
42+
43+
* - otel.log.severity.text
44+
- | normal
45+
| warn, warning
46+
47+
48+
If your severity key or values do not match any of the names in the previous table, do one of the following to turn them to names that Log Observer Connect recognizes:
49+
50+
* Use a field extraction to transform your field name. See :new-page:`Extract fields from event data using Ingest Processor <https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/IngestProcessor/FieldExtractionPipeline>` to learn how.
51+
52+
* Add a :guilabel:`severity` alias to your field name. See :ref:`logs-alias` to learn how.
53+
54+
When you create an alias for your severity key name, the original key name and its aliases continue to function for Log Observer queries. On the Log Observer timeline histogram, the severity key name and all its aliases are combined into one and represented as "severity".
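Review bot: the new table (lines 24 to 46) does not agree with the surrounding text about which values exist. Line 10 says the severity key has the values debug, error, info, unknown and warning, but the table recognizes critical under severity and normal under otel.log.severity.text, and nothing says which of the five histogram groups those two land in. The table is also uneven across keys: level lacks debug and critical, and otel.log.severity.text lacks info, error and debug, so by the rule on line 12 an event with level=critical or otel.log.severity.text=error is bucketed as unknown, which silently hides errors from anyone triaging on the timeline. Either confirm that these gaps reflect the real mapping and state the resulting bucket for critical and normal, or fill in the missing values. Two smaller points: the note on line 14 reverses the removed line 14 (values were case sensitive, now they are not), so please confirm this documents a product change rather than a wording fix; and on line 48 "turn them to names" should read "turn them into names".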
