Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HTTP event collector: Channel identifiers, what do they identify

mneergaa
Engager
‎08-09-2017 05:35 AM

Quote from event collector docs:

Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a GUID but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When the Splunk server sees a new channel identifier, it creates a new channel.

What does this mean, exactly? If I have four different pieces of software, e.g. a Linux client program and a Windows client program, each of which log to Splunk, how many channel identifiers should I generate? The word “client” is quite ambiguous here...

  • One per client software, Linux and Windows?
  • One per released version of the softwares?
  • One per actual client running the software?

Does the channel parameter actually impact indexing or queries in any way? I don't understand why it's required at all.

Reply

Durgapk
Explorer
‎12-23-2020 04:15 AM

Can we use one channel identifier for multiple clients through Splunk HEC to enable indexer acknowledgement

0 Karma
Reply

shandr
Path Finder
‎05-12-2020 04:50 PM

The new links are below.

  1. https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/FormateventsforHTTPEventCollector#Channel_id...
  2. https://docs.splunk.com/Documentation/Splunk/7.1.2/RESTREF/RESTinput#services.2Fcollector.2Fraw

Be sure to select your Splunk version from that page (see URL).

0 Karma
Reply

Durgapk
Explorer
‎12-23-2020 04:16 AM

Can we use one channel identifier for multiple clients through Splunk HEC to enable indexer acknowledgement

Tags (1)
0 Karma
Reply

sni_splunk
Splunk Employee
Splunk Employee
‎04-29-2018 01:54 AM

According to what I understand, it means the third meaning you mentioned, "one per actual client running the software". I think this is only needed if you use the indexer acknowledge, and you can read more details from here:
http://dev.splunk.com/view/event-collector/SP-CAAAE8X#aboutchannels

0 Karma
Reply

Durgapk
Explorer
‎12-23-2020 04:23 AM

Can we use one channel identifier for multiple clients through Splunk HEC to enable indexer acknowledgement

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...