Splunk ITSI
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

"Enable indexer acknowledgement" in "ITSI Event Management Token" causes "Data channel is missing" errors

ahkow2
Loves-to-Learn
‎10-26-2022 02:43 AM

Hi,

After I ticked "Enable Indexer acknowledgement" in "HTTP Event Collection" -> "Auto Generated ITSI Event Management Token", I no longer have notable events generated. And I saw  "Data channel is missing" errors in _internal index.

ahkow2_0-1667876749875.png

 

After some research, I understood from https://docs.splunk.com/Documentation/Splunk/8.2.7/Data/AboutHECIDXAck that HEC sender must include a channel identifier. But how do I configure ITSI so that it include channel identifier when it is generating notable events?

Thank you very much.

 

Labels (3)
0 Karma
Reply
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...
Top