Can the HTTP Event Collector provide the channel i...

redbugz · ‎04-23-2018

We are sending data to the HTTP Event Collector raw endpoint from multiple systems, but we have no control over the data itself (coming from a third party). We are generating arbitrary channel identifiers for each system, but when we query the data the channel identifier is not present. Unfortunately the data itself does not provide a simple way to determine the system. The system name is sent in a special header, but I doubt the HEC is inspecting that header and I could find no documentation about HEC using headers other than the ones it specifies.

Is there a way to get either the channel identifier or an arbitrary header value used so we can determine which determine which system is sending the data and distinguish between the many systems using the HEC to send data?

dhihoriya_splun · ‎06-10-2019

Hi @redbugz

If you are sending data in Splunk via a different source (channel identifier) then you can search events for that particular source by below query :

source="http:(source_name OR channel identifier)"

Example:
As here let's take one example if you have created one HEC token and its name is "network_demo" and that is for your network instance logs then you can search particular network logs by searching source="http:network_demo".

For more information about HEC, Please follow below doc:
http://dev.splunk.com/view/event-collector/SP-CAAAE7F

Thanks,
Dixit

Can the HTTP Event Collector provide the channel identifier in the Splunk events

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...