Currently, we are using the Splunk Python SDK to get Splunk events based on a query and parse them.
We sometimes make multiple searches on overlapping time frames, and we have a deduping mechanism based on hashing the entire JSON of the event.
However, this mechanism relies on the same event being returned identically in each search, which doesn't happen. For example, the "_serial" field might be different for the same event in consecutive searches.
My question is: are there any other fields like "_serial" that, under some preconditions (any at all), might change their value between searches without any actual change to the event?
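As an added illustration (not code from the question or from the Splunk SDK), the snippet below reproduces the failure mode described above and shows one way around it that does not require knowing every volatile field: hash an allowlist of fields you trust to be stable rather than the whole event JSON. The choice of `_time`, `_raw`, `host`, `source`, `sourcetype` and `index` as the identity of an event is an assumption made here; the sample events and their `_serial` values are constructed, and the SDK call that would normally produce them is left out so the example runs offline.

```python
import hashlib
import json

# Assumption (not from the question): these fields identify a stored event
# across searches. Search-scoped fields such as _serial are deliberately
# left out, so the hash does not depend on result ordering.
STABLE_FIELDS = ("_time", "_raw", "host", "source", "sourcetype", "index")


def _canonical(obj) -> bytes:
    """Serialize deterministically so equal content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), default=str).encode("utf-8")


def event_key(event: dict) -> str:
    """SHA-256 over the allowlisted fields only (the hardened scheme)."""
    subset = {name: event.get(name) for name in STABLE_FIELDS}
    return hashlib.sha256(_canonical(subset)).hexdigest()


def full_hash(event: dict) -> str:
    """SHA-256 over the entire event JSON (the scheme the question describes)."""
    return hashlib.sha256(_canonical(event)).hexdigest()


def dedupe(result_batches, key=event_key):
    """Merge result sets from overlapping searches, keeping the first copy of each event.

    `key` decides what counts as 'the same event'; pass full_hash to see the
    over-counting caused by search-scoped fields.
    """
    seen = set()
    unique = []
    for batch in result_batches:
        for event in batch:
            k = key(event)
            if k in seen:
                continue
            seen.add(k)
            unique.append(event)
    return unique


# Constructed sample: two overlapping searches return the same two events, but
# _serial (the result's ordinal within that search) differs between them, and
# the second search also picks up one newer event.
_COMMON = {"host": "web01", "source": "/var/log/auth.log", "sourcetype": "auth", "index": "main"}
ALICE = {"_time": "2024-05-01T10:00:00.000+00:00", "_raw": "user=alice action=login result=ok", **_COMMON}
BOB = {"_time": "2024-05-01T10:00:05.000+00:00", "_raw": "user=bob action=login result=fail", **_COMMON}
CAROL = {"_time": "2024-05-01T10:00:09.000+00:00", "_raw": "user=carol action=logout result=ok", **_COMMON}

SEARCH_1 = [
    {"_serial": "0", **ALICE},
    {"_serial": "1", **BOB},
]
SEARCH_2 = [
    {"_serial": "0", **BOB},    # same stored event, different position in this search
    {"_serial": "1", **ALICE},
    {"_serial": "2", **CAROL},  # genuinely new event
]


def compare_schemes():
    """Return (unique count with allowlist hash, unique count with whole-event hash)."""
    return (
        len(dedupe([SEARCH_1, SEARCH_2], key=event_key)),
        len(dedupe([SEARCH_1, SEARCH_2], key=full_hash)),
    )


if __name__ == "__main__":
    allowlist_count, whole_json_count = compare_schemes()
    print(f"allowlist hash : {allowlist_count} unique events")   # 3
    print(f"whole-JSON hash: {whole_json_count} unique events")  # 5 (duplicates kept)
```

With the whole-event hash every `_serial` change produces a "new" event, so the two searches yield five records instead of three; the allowlist hash collapses them correctly. The trade-off is that an allowlist can under-count if two distinct events share every listed field, which is why `_raw` and `_time` are both included here.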