splunk · aurbiztondo-splunk · Oct 21, 2024 · Oct 12, 2024 · Oct 14, 2024 · Oct 15, 2024
@@ -4,6 +4,7 @@
  :width: 90%
  :alt: The Log Observer UI is displayed.
 
+.. note:: To increase performance and help control cost, search jobs originating from Related Content stop running after 2 minutes of inactivity. All other search jobs stop running after fifteen minutes.
 
 2. In the content control bar, enter a time range in the time picker if you want to see logs from a specific historical period. To select a time range, you must select :guilabel:`Infinite` from the :guilabel:`Search Records` field in step 5 below. When you select :guilabel:`150,000`, Log Observer returns only the most recent 150,000 logs regardless of the time range you select.
 

@@ -1,17 +1,20 @@
 .. _java-monitor:
 
-Java metrics
-============
+Java metrics (deprecated)
+====================================
 
 .. meta::
  :description: Use this Splunk Observability Cloud integration for the Java monitor. See benefits, install, configuration, and metrics
 
-The Splunk Distribution of OpenTelemetry Collector uses the Smart Agent receiver with the
-``java-monitor`` to retrieve metrics from a Java application.
+.. caution:: 
+
+ This integration is deprecated and will reach End of Support on February 15th, 2025. During this period only critical security and bug fixes are provided. When End of Support is reached, the monitor will be removed and no longer be supported, and you won't be able to use it to send data to Splunk Observability Cloud. 
 
-This integration is available on Linux and Windows.
+ To forward metrics from a Java application to Splunk Observability Cloud use the :ref:`Splunk Distribution of OpenTelemetry Java <get-started-java>` instead. To activate metrics collection in the OpenTelemetry Java agent, see :ref:`Activate metrics collection <enable_automatic_metric_collection>`.
+
+The Splunk Distribution of the OpenTelemetry Collector uses the Smart Agent receiver with the ``java-monitor`` to retrieve metrics from a Java application.
 
-.. note:: To activate metrics collection in the OpenTelemetry Java agent, see :ref:`Activate metrics collection <enable_automatic_metric_collection>`.
+This integration is available on Linux and Windows.
 
 Benefits
 --------

@@ -62,7 +62,7 @@ Browse the table below to learn how to carry out common tasks with the Splunk Di
  * - Collect custom metrics 
  - To send custom infrastructure and application metrics to Splunk Observability Cloud for deeper custom visibility.
  - Use this when instrumenting a service that isn't natively supported or when specific custom metrics are required.
- - :new-page:`send-custom-metrics` 
+ - :ref:`send-custom-metrics` 
  * - Collect Prometheus metrics 
  - To collect widely used Prometheus metrics and send them to Splunk Observability Cloud.
  - Use this when instrumenting a Prometheus source for monitoring.

@@ -66,17 +66,17 @@ Follow these steps:
 
 2. Run the following command, where ``PATH_TO_MSI`` is the full path to the downloaded package. For example, ``C:\your\download\folder\splunk-otel-collector-0.4.0-amd64.msi``. 
 
-.. code-block:: PowerShell
+ .. code-block:: PowerShell
 
- Start-Process -Wait msiexec "/i PATH_TO_MSI /qn" 
+  Start-Process -Wait msiexec "/i PATH_TO_MSI /qn" 
 
-3. Configure the Collector using the environment variables listed in the table below. 
+3. Configure the Collector using the variables listed in the table that follows: 
 
-.. code-block:: PowerShell
+ .. code-block:: PowerShell
 
- Start-Process -Wait msiexec "/i PATH_TO_MSI /qn SPLUNK_ACCESS_TOKEN=<my_access_token>"
+  Start-Process -Wait msiexec "/i PATH_TO_MSI /qn SPLUNK_ACCESS_TOKEN=<my_access_token>"
 
-You can use the following Splunk-specific environment variables with the MSI:
+Use the following installation configurations with the MSI deployment method:
 
 .. list-table::
  :widths: 15 75 10

@@ -102,4 +102,4 @@ The following table shows how long data is retained at different resolutions.
 
 For more information on rollups in general, and how they apply to charts and detectors, see :ref:`rollups`.
 
-.. note:: Custom events are retained in the platform for a year.
+.. note:: All events are retained in the platform for 12 months.
@@ -125,4 +125,12 @@ When you hover over an event in the Event Feed sidebar, a vertical line is shown
 
 When you select an event in the Event Feed sidebar, you can see details about the event and, for events associated with alerts, an option to open the detector that generated the event. If the event is associated with a currently active alert, you'll also see an option to resolve the alert.
 
-.. note:: You can also :ref:`overlay event markers <dashboard-event-overlay>` onto charts on a dashboard.
+.. note:: You can also :ref:`overlay event markers <dashboard-event-overlay>` onto charts on a dashboard.
+
+
+.. _events-retention:
+
+Events retention in Splunk Observability Cloud
+=============================================================================
+
+All types of events have a retention period of 12 months.
@@ -77,7 +77,7 @@ Prerequisites
 You must be an admin of the Splunk Cloud Platform and Splunk Observability Cloud instances that you want to pair.
 
 
-New Splunk Observability Cloud customers
+Set up Unified Identity for new Splunk Observability Cloud customers
 ------------------------------------------------------------------------------------------
 
 Splunk Cloud Platform customers who want to purchase Splunk Observability Cloud must take the following actions to set up Unified Identity:
@@ -87,9 +87,11 @@ Splunk Cloud Platform customers who want to purchase Splunk Observability Cloud
 2. Turn on token authentication to allow Splunk Observability Cloud to view your Splunk Cloud Platform logs. See :new-page:`Enable or disable token authentication <https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/EnableTokenAuth>` to learn how.
 
 
-Existing Splunk Observability Cloud customers
+Set up Unified Identity for existing Splunk Observability Cloud customers
 ------------------------------------------------------------------------------------------
 
+There are 2 ways you can pair your Splunk Observability Cloud and Splunk Cloud Platform organizations: using command-line interface with Admin Config Services (ACS) commands or using API endpoints. These instructions cover both ways. If you haven't installed the ACS command-line tool and want to use it, see :new-page:`Administer Splunk Cloud Platform using the ACS CLI <https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSCLI>`. 
+
 If you already have a Splunk Cloud Platform account and a Splunk Observability Cloud account, take the following actions to set up Unified Identity:
 
 1. Turn on token authentication to allow Splunk Observability Cloud to view your Splunk Cloud Platform logs. See :new-page:`Enable or disable token authentication <https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/EnableTokenAuth>` to learn how.
@@ -98,33 +100,67 @@ If you already have a Splunk Cloud Platform account and a Splunk Observability C
 
  .. note:: The API token must have ``admin`` privileges.
 
-3. To pair orgs, open Terminal and enter the following Admin Config Services (ACS) command:
+3. Pair your Splunk Observability Cloud and Splunk Cloud Platform organizations: 
 
- .. code-block:: bash
+ a. To pair with command-line interface, enter the following Admin Config Services (ACS) command:
+
+ .. code-block:: bash
  
- acs observability pair --o11y-access-token "GrkvoDav1M-FNyxdONtK2Q"
+ acs observability pair --o11y-access-token "<enter-o11y-access-token>"
+
+ Replace ``<enter-o11y-access-token>`` in the example above, with the user API access token you retrieved from Splunk Observability Cloud in previous step.
+
+ b. To pair with API endpoints, collect the following information then run the curl command:
+
+ i. Splunk Cloud Platform admin API access token (Create a new authentication token with an admin user. See :new-page:`Use Splunk Web to create authentication tokens <https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/CreateAuthTokens>`.)
+
+ ii. O11y API access token (obtained it in step 2 above)
+
+ iii. Splunk Cloud Platform instance name (the custom subdomain for your Splunk Cloud stack)
+
+ Run the curl command:
+
+ .. code-block:: bash
 
- Replace the access token, ``GrkvoDav1M-FNyxdONtK2Q`` in the example above, with the user API access token you retrieved from Splunk Observability Cloud in previous step.
+ curl --location 
+ 'https://admin.splunk.com/<enter-stack-name>/adminconfig/v2/observability/sso-pairing' \
+ --header 'Content-Type: application/json' \
+ --header 'Authorization: Bearer <enter-splunk-admin-api-token>' \
+ --header 'o11y-access-token': '<enter-o11y-api-token>'
 
- .. note:: If you haven't installed the ACS command-line tool, see :new-page:`Administer Splunk Cloud Platform using the ACS CLI <https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSCLI>`.
 
- The pairing command returns a pairing id:
+ Whether you used the command-line interface or API endpoints, the pairing command returns a pairing id:
 
- .. image:: /_images/splunkplatform/pairingID.png
- :width: 90%
- :alt: This screenshot shows the response in Terminal showing the pairing id for the new pairing.
+ .. code-block:: bash
+
+ "id": "<pairing-id>"
+
+4. You can use the pairing id to get the current status of the pairing. 
+
+ a. To get the status using command-line interface, run the following ACS command:
 
-4. You can use the pairing id to get the current status of the pairing. To get the status, run the following ACS command:
+ .. code-block:: bash
 
- .. code-block:: bash
+  acs observability pairing-status-by-id --pairing-id "<enter-pairing-id>" --o11y-access-token "<enter-o11y-access-token>"
 
- acs observability pairing-status-by-id --pairing-id "GGPH8FPAAAA" --o11y-access-token "GrkvoDav1M-FNyxdONtK2Q"
+ Replace the pairing id and the access token with your own values. 
+
+ b. To get the status using API endpoints, run the following curl command with the data you obtained in step 3b:
+
+ .. code-block:: bash
+ 
+ curl --location --request GET 
+ 'https://admin.splunk.com/<enter-stack-name>/adminconfig/v2/observability/sso-pairing/<enter-pairing-id>' \
+ --header 'Content-Type: application/json' \
+ --header 'Authorization: Bearer <enter-splunk-admin-api-token>'
+ --header 'o11y-access-token': '<enter-o11y-api-token>'
 
- Replace the pairing id and the access token with your own values. The system returns a status message showing whether or not the pairing was a success. 
+5. The system returns a status message showing whether or not the pairing was a success. Statuses are SUCCESS, FAILED, or IN_PROGRESS. 
 
- .. image:: /_images/splunkplatform/unifiedID-pairingSuccess.png
- :width: 90%
- :alt: This screenshot shows a success status for the new pairing.
+ .. code-block:: bash
+ 
+ "pairingId": "<pairing-id>"
+ "status": "SUCCESS"
 
 
 Users will receive an email telling them to authenticate to Splunk Observability Cloud using the new authentication method through Splunk Cloud Platform SSO. Note that users can continue to use their previous login method. If you want to force all users to authenticate through Splunk Cloud Platform SSO, reach out to Splunk Customer Support to deactivate local login. To deactivate login through a third party identity provider, go to :strong:`Data Managemen > Available integrations` in Splunk Observability Cloud, select the appropriate integration (for example, Okta), and select :strong:`Deactivate`. 

@@ -116,7 +116,7 @@ Follow these steps to limit logging:
 
 Add certificates in Synthetics
 ------------------------------------------------------
-Splunk Synthetic Monitoring supports injecting custom root CA certificates for API and Uptime tests running from your private locations. Client keys and certificates aren't supported at this time. 
+Splunk Synthetic Monitoring supports injecting custom root CA certificates for Uptime tests running from your private locations. Client keys and certificates aren't supported at this time. 
 
 #. Create a folder called ``certs`` on your host machine and place the CA Certificate (in CRT format) in the folder.