HTTP event collector: Channel identifiers, what do...

mneergaa · ‎08-09-2017

Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a GUID but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When the Splunk server sees a new channel identifier, it creates a new channel.

What does this mean, exactly? If I have four different pieces of software, e.g. a Linux client program and a Windows client program, each of which log to Splunk, how many channel identifiers should I generate? The word “client” is quite ambiguous here...

One per client software, Linux and Windows?
One per released version of the softwares?
One per actual client running the software?

Does the channel parameter actually impact indexing or queries in any way? I don't understand why it's required at all.

Durgapk · ‎12-23-2020

Can we use one channel identifier for multiple clients through Splunk HEC to enable indexer acknowledgement

shandr · ‎05-12-2020

The new links are below.

Be sure to select your Splunk version from that page (see URL).

Durgapk · ‎12-23-2020

Can we use one channel identifier for multiple clients through Splunk HEC to enable indexer acknowledgement

sni_splunk · ‎04-29-2018

According to what I understand, it means the third meaning you mentioned, "one per actual client running the software". I think this is only needed if you use the indexer acknowledge, and you can read more details from here:
http://dev.splunk.com/view/event-collector/SP-CAAAE8X#aboutchannels

Durgapk · ‎12-23-2020

Can we use one channel identifier for multiple clients through Splunk HEC to enable indexer acknowledgement

HTTP event collector: Channel identifiers, what do they identify

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk