Hi Splunk base users,
Do you think it would be a good idea if Splunk provided a UNIQUE id for each event, like a primary key, so an event can be found again?
Anand
Hello Anand,
I do believe the Splunk app for Enterprise Security provides the functionality you are looking for. The app provides an 'Event Hash' of every event, which you can use to refer back to an exact event. Hope this helps.
It's not as useful a concept as you might think. Like smolcj says, you can easily add your own on-the-fly index field to a search result with `| streamstats count as rowNumber`.
For what it's worth, you can also do `| eval id=index + "__" + _cd + "__" + splunk_server`. It won't do you any good as far as searching for events, but the index plus the _cd field value plus the splunk_server field value may comprise a serviceable unique ID in some situations.
The concept is useful when I want to have another system connect some kind of entity to an event in Splunk. Are there any plans for making this possible, or another way to make this work well with the available tools?
Yep, I think it will change. The number before the colon in the _cd value is the bucket number in the index, I believe. So unless the bucket numbers are perpetually auto-incrementing per index, I think it'll change. What do you need this for?
Will the _cd value change over time when buckets are rolled for this event? Will the _cd value ever change until it ages off the Splunk filesystem?
You can use streamstats to add a unique number to your events.