From About HTTP Event Collector Indexer Acknowledgment: Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a Globally Unique Identifier (GUID) but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When Splunk Enterprise sees a new channel identifier, it creates a new channel.  One way to create unique GUIDs is with the Python module uuid. Here is an example of how to do that with a GUID constructed from the local machine's hostname: export HEC_CHANNEL=$(python3 -c "import os, uuid; print(str(uuid.uuid3(uuid.NAMESPACE_DNS, os.uname()[1])))") curl \ -k \ https://$HEC_HOST:8088/services/collector/event \ -H "Authorization: Splunk $HEC_TOKEN" \ -H "X-Splunk-Request-Channel: $HEC_CHANNEL" \ -d '{"sourcetype": "mysourcetype", "event": "http auth ftw! with ACKS"}'   ... View more

Sorry this is probably too late to help you, but maybe it will help others trying to do this: | eval channel=if( srcip . srcport < dstip . dstport, printf("%s:%s-%s:%s",srcip,srcport,dstip,dstport), printf("%s:%s-%s:%s",dstip,dstport,srcip,srcport)) | transaction channel What you want to compare is not exactly a 4-tuple but a set of two 2-tuples. Since the directionality is not relevant, we arbitrarily sort the list of two (ip,port) 2-tuples {src, dst} so that the first one is less than the second one. ... View more

You can view the public key and installation instructions at the PGP Public Key documentation page http://docs.splunk.com/Documentation/Splunk/latest/Installation/PGPPublicKey you can download the public key using curl -O https://docs.splunk.com/images/6/6b/SplunkPGPKey.pub ... View more

This is not the answer you want, but may help others that are looking to format a field in ISO 8601 format. Try sourcetype="access_combined" |eval iso8601time=strftime(_time,"%Y-%m-%dT%H:%M:%S%z") |table _time, iso8601time _time iso8601time 2015-06-24 14:01:59 2015-06-24T14:01:59-0700 2015-06-24 14:01:40 2015-06-24T14:01:40-0700 2015-06-24 14:01:31 2015-06-24T14:01:31-0700 ... View more

Try this | eval myfield = upper(substr(myfield,1,1)).lower(substr(myfield,2)) ... View more