Hi,

I think I’m understanding the question, but if I’m off base, just let me know. I think what I’m hearing is that you’re moving from Elastic to Splunk Observability Cloud and you’re wanting to understand how logs are exported, stored, and used in dashboards.

Here is an overview of where observability data is stored and how it’s all integrated together.

- Splunk Observability Cloud is where application metrics and traces are ingested and stored.

- Splunk Cloud or Enterprise is where logs are ingested and stored.

- Splunk Observability Cloud uses an integration called Log Observer Connect to read logs from Splunk Cloud/Enterprise and correlate them to your metrics and traces. The logs are not stored in Splunk Observability Cloud—they’re just visible through this integration.

- Dashboards with logs can be created in either Splunk Observability Cloud or Splunk Cloud/Enterprise. The choice is yours and just depends on your use-case and what you want to include on the dashboards.

- You may also choose to pull metrics and APM data into Splunk Cloud/Enterprise from Splunk Observability Cloud using the Splunk Infrastructure Monitoring TA. This will be helpful if you want to build your dashboards in Splunk Cloud/Enterprise and include application metrics or Real User Monitoring metrics or Synthetics test metrics.

- As for getting logs into Splunk from your application, you have options:

- For Kubernetes environments, I would recommend using our OpenTelemetry helm chart. You can export logs to a Splunk HEC endpoint on Splunk Cloud/Enterprise. You can also utilize OpenTelemetry pipelines to control that data any way you want.

- For traditional server environments, you can simply use the Universal Forwarder to read your application logs from disk and forward them to Splunk Cloud/Enterprise.