Thanks @livehybrid, so there does not seem to be a solution. The issue we are trying to address is if someone gets their hands on a HEC token, they could just send data to our Splunk Cloud instance via that HEC token. We have set specific indexes for specific tokens, so that should limit this, but just trying to find a way to identify what is sending to a specific HEC token so we can monitor this. Do you have anymore info on how you added a custom field into the HEC payload?     ... View more

Sorry but the ACS API will not help in this case.  ... View more

Hi Thanks for the info. This is Splunk Cloud so we cannot edit any conf files, nor is there an option in the Web UI when creating HEC tokens to enable this. The following search seems to give all Errors for devices trying to connect with a HEC token, but I do not seem to see successful sources, only failed. index=_internal sourcetype=splunkd component=HttpInputDataHandler   Also the source_IP value, since it is Splunk Cloud, are the Splunk Cloud Loadbalancer IPs. We were told this in a case with Splunk.   ... View more