From About HTTP Event Collector Indexer Acknowledgment: Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a Globally Unique Identifier (GUID) but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When Splunk Enterprise sees a new channel identifier, it creates a new channel.  One way to create unique GUIDs is with the Python module uuid. Here is an example of how to do that with a GUID constructed from the local machine's hostname: export HEC_CHANNEL=$(python3 -c "import os, uuid; print(str(uuid.uuid3(uuid.NAMESPACE_DNS, os.uname()[1])))") curl \ -k \ https://$HEC_HOST:8088/services/collector/event \ -H "Authorization: Splunk $HEC_TOKEN" \ -H "X-Splunk-Request-Channel: $HEC_CHANNEL" \ -d '{"sourcetype": "mysourcetype", "event": "http auth ftw! with ACKS"}'   ... View more

This appears to be a bug in splunk, as changing setting there seem to "trick" this into working. If I set up a new slack alert to a #channel - it throws the 500's. If I set up a slack alert with default (blank) channel, it triggers properly, and ~50% of the time, once a successful message was triggered to default endpoint, the alert can be set to a different #channel and it will trigger correctly. I have not tried setting this up specifically with full admin permissions, however it seems a fairly large gap to have to grant full admin rights to something that simply need to post messages. ... View more

Hi again, @GeorgeStarkey, Just following up to mention this recently released Calendar Heat Map custom visualization app: https://splunkbase.splunk.com/app/3162/ Hope this helps! ... View more

The following will convert from the timezone of your user account to UTC. You could use it in a subsearch to set earliest/latest in your search. | makeresults | eval myTime=_time | eval showMyTime=strftime(myTime,"%H:%M") | eval myZone=strftime(myTime,"%z") | eval UTC=myTime-((myZone/100) *3600) | eval showUTC=strftime(UTC,"%H:%M") ... View more

You have said the same think a couple of times. Will you show what this search is producing and how it is inadequate, perhaps with a mockup based on the first output? I do not at all understand what you are saying. ... View more

If you cannot find a way to turn it off, you can tack this on your search to create an itty-bitty event at both ends (you may need to adjust the field names some): ... | append [| noop | stats count | eval host="DUMMY_DATA_IGNORE_ME" | eval count = split("0.0001,0.0002",",") | mvexpand count | addinfo | eval _time=if(count="0.0001", info_min_time, info_max_time) | fields - info*] ... View more

@GeorgeStarkey - agreed! And you can make a formal enhancement request here: http://www.splunk.com/index.php/submit_issue Enter it just like a support ticket, but choose the "enhancement" option. ... View more

This should prove useful: http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F ... View more

the faster way would be to use data models and use the |tstats command with summariesonly . Good luck !!!! ... View more

In above mentioned things,which is the precedence?We are facing similar issue and trying to resolve. ... View more

Why is a default install setting items under local/limits.conf instead of under default? I have the local version of this file managed with a remote configuration manager (puppet), which should only put items that I have specifically set... I have some machines calling this file and loading it that are still running 6.0.3, and now some running 6.1.3... is it ok to run 6.1.3 without the file_tracking_db_threshold? ... View more

The path specified in monitor is not a regular expression. There is no single character wildcard. But you could do this [monitor:///path/to/base/app/App*/App*.log] whitelist = /path/to/base/app/App\d{1}/App.*\.log Because a whitelist (and the blacklist) are regular expressions. ... View more