Splunk Enterprise

What are other fields like "_serial", that may vary between searches in the same result?

gkeller
Explorer

Currently, we are using the Splunk Python SDK to get Splunk events based on a query and parse them.

We sometimes make multiple searches on overlapping time frames, and we have a deduping mechanism based on hashing the entire JSON of the event.

However, this mechanism relies on the fact that the same event will return exactly the same in each search - which doesn't happen. For example, the "_serial" field might be different for the same event in consecutive searches.

My question is - are there any other fields like "_serial", that under some preconditions (any at all), might change their value between searches, without any actual change done to the event?

Thanks so much for the help!

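As an added example (not the poster's code), one way to make the whole-JSON dedup hash tolerate `_serial`: drop a configurable set of search-varying fields, canonicalise the remaining JSON, and hash that. Only `_serial` is confirmed by the post; the `VOLATILE_FIELDS` set beyond it and the sample events are assumptions.

```python
import hashlib
import json

# Fields Splunk may assign differently for the same event across searches.
# "_serial" is the one reported in the post; extend this set with other
# search-time-only fields only as you confirm them (assumption, not from the post).
VOLATILE_FIELDS = frozenset({"_serial"})


def stable_fingerprint(event: dict, volatile=VOLATILE_FIELDS) -> str:
    """Hash an event after dropping search-varying fields.

    The JSON is canonicalised (sorted keys, fixed separators) so that key
    order, which dict/JSON serialisation does not guarantee, cannot change
    the hash. Passing volatile=frozenset() reproduces the naive whole-JSON hash.
    """
    stable = {k: v for k, v in event.items() if k not in volatile}
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def dedupe(results):
    """Merge events from several overlapping searches, keeping the first occurrence."""
    seen = set()
    unique = []
    for event in results:
        fp = stable_fingerprint(event)
        if fp not in seen:
            seen.add(fp)
            unique.append(event)
    return unique


# Constructed sample: two overlapping searches that both return the "bob" event,
# identical except for "_serial" (and key order).
SEARCH_1 = [
    {"_serial": "0", "_time": "2021-06-01T12:00:00.000+00:00", "_raw": "user=alice action=login", "host": "web01"},
    {"_serial": "1", "_time": "2021-06-01T12:00:05.000+00:00", "_raw": "user=bob action=login", "host": "web01"},
]
SEARCH_2 = [
    {"host": "web01", "_raw": "user=bob action=login", "_time": "2021-06-01T12:00:05.000+00:00", "_serial": "0"},
    {"_serial": "1", "_time": "2021-06-01T12:00:09.000+00:00", "_raw": "user=carol action=logout", "host": "web01"},
]

if __name__ == "__main__":
    merged = dedupe(SEARCH_1 + SEARCH_2)
    print(len(merged), "unique events")  # 3 unique events
```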