From About HTTP Event Collector Indexer Acknowledgment: Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a Globally Unique Identifier (GUID) but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When Splunk Enterprise sees a new channel identifier, it creates a new channel.

One way to create unique GUIDs is with the Python module uuid. Here is an example of how to do that with a GUID constructed from the local machine's hostname:

export HEC_CHANNEL=$(python3 -c "import os, uuid; print(str(uuid.uuid3(uuid.NAMESPACE_DNS, os.uname()[1])))")
curl \
  -k \
  https://$HEC_HOST:8088/services/collector/event \
  -H "Authorization: Splunk $HEC_TOKEN" \
  -H "X-Splunk-Request-Channel: $HEC_CHANNEL" \
  -d '{"sourcetype": "mysourcetype", "event": "http auth ftw! with ACKS"}'
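The same channel and acknowledgment flow, written in Python as an added example (this is not code from the post above nor from Splunk's own SDK). It derives a channel GUID from a hostname exactly as the shell one-liner does (uuid3 over NAMESPACE_DNS), validates that a channel ID really is GUID-shaped before it is sent, builds the headers and body for the /services/collector/event request, and parses the ackId and the /services/collector/ack response so a client can tell which events the indexer has not yet confirmed. The base URL, token and the sample response bodies are constructed placeholders; nothing here talks to the network.

```python
import json
import re
import uuid

# Constructed placeholder values; a real client reads the token from a secret store,
# never from source code or a shell history.
HEC_BASE_URL = "https://hec.example.invalid:8088"          # assumption: placeholder host
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"         # assumption: placeholder token

# RFC 4122 text form: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def hostname_channel(hostname: str) -> str:
    """Deterministic channel GUID for one host, mirroring the page's uuid3 one-liner.
    Two clients on the same host would collide, which is why the docs say one channel per client."""
    return str(uuid.uuid3(uuid.NAMESPACE_DNS, hostname))


def random_channel() -> str:
    """Random (uuid4) channel GUID: safe when several clients share a host."""
    return str(uuid.uuid4())


def is_valid_channel(channel: str) -> bool:
    """HEC only accepts GUID-shaped channel IDs; reject anything else client-side."""
    return bool(GUID_RE.match(channel))


def hec_headers(token: str, channel: str) -> dict:
    """Headers carried by both the event POST and the ack query."""
    if not is_valid_channel(channel):
        raise ValueError(f"channel id is not a GUID: {channel!r}")
    return {
        "Authorization": f"Splunk {token}",
        "X-Splunk-Request-Channel": channel,
        "Content-Type": "application/json",
    }


def build_event_request(base_url: str, token: str, channel: str,
                        event: str, sourcetype: str = "mysourcetype") -> dict:
    """Everything needed for the POST to /services/collector/event."""
    return {
        "url": f"{base_url}/services/collector/event",
        "headers": hec_headers(token, channel),
        "body": json.dumps({"sourcetype": sourcetype, "event": event}),
    }


def parse_ack_id(response_body: str) -> int:
    """With acks enabled, a successful event POST answers with code 0 and an ackId."""
    data = json.loads(response_body)
    if data.get("code") != 0:
        raise RuntimeError(f"HEC rejected the event: {data.get('text')!r}")
    return int(data["ackId"])


def build_ack_request(base_url: str, token: str, channel: str, ack_ids: list) -> dict:
    """Ack query: POST {"acks": [...]} to /services/collector/ack on the same channel."""
    return {
        "url": f"{base_url}/services/collector/ack",
        "headers": hec_headers(token, channel),
        "body": json.dumps({"acks": list(ack_ids)}),
    }


def pending_acks(ack_response_body: str, ack_ids: list) -> list:
    """Return the ack IDs the indexer has NOT confirmed yet; these must be re-queried
    (or the events resent) before the client may consider them durable."""
    acks = json.loads(ack_response_body).get("acks", {})
    return [i for i in ack_ids if not acks.get(str(i), False)]


if __name__ == "__main__":
    chan = random_channel()
    req = build_event_request(HEC_BASE_URL, HEC_TOKEN, chan, "http auth ftw! with ACKS")
    print(req["url"], req["headers"]["X-Splunk-Request-Channel"], req["body"])
    # Constructed sample responses in the shapes HEC returns.
    ack_id = parse_ack_id('{"text":"Success","code":0,"ackId":0}')
    print("pending:", pending_acks('{"acks":{"0":true,"1":false}}', [ack_id, 1]))
```

The client side of the check is the `pending_acks` list: an event whose ack ID still comes back `false` has been received by HEC but not yet written by the indexer, so a sender that cares about durability keeps polling the ack endpoint (on the same channel) until the list is empty.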
thanks! this worked great for me as well (nagendra008's split method, not the CSS way). I didn't want to mess with CSS nor make a new app for a quick table. If this helps others, I used the blank space as the linebreak / replace char:

| eval dateonly=strftime(_time, "%m-%d %A %I:%M%P")
| eval dateonly=split(dateonly," ")

so I ended up with exactly what I wanted 🙂 - vs this before 😐

(unrelated - what is up with the login process for the forums here? It's now login on page 1, pw on page 2, which breaks Chrome and FF password save/remember. Maybe they are doing this to fight off bruteforce/bots? Either way it's pretty annoying as I now have to look up + type both 😞
Just to add on and remove some of the default fields from Splunk (this way you can recover user custom fields):

..your base search..
| streamstats count as temp_id
| stats values(*) by temp_id
| rename values(*) as *
| fields - temp_id, date_*, index, host, info_*,source,sourcetype,linecount,user_watchlist,time*pos,unix_*