Splunk Search

If SPLUNK provides UNIQUE ID to every event indexed?

ma_anand1984
Contributor

Hi Splunk base users,

Do you think it will be a good idea if Splunk provides a UNIQUE id to find an event, like a primary key for each event?

Anand

1 Solution

glancaster
Path Finder

Hello Anand,

I do believe the Splunk app for Enterprise Security provides the functionality you are looking for. The app provides an 'Event Hash' of every event, which you can use to refer back to an exact event. Hope this helps.

sideview
SplunkTrust

It's not as useful a concept as you might think. Like smolcj says, you can easily add your own on-the-fly index field to a search result with | streamstats count as rowNumber.

For what it's worth, you can also do | eval id=index + "__" + _cd+"__" + splunk_server. It won't do you any good as far as searching for events, but the index plus the _cd field value plus the splunk_server field value may comprise a serviceable unique ID in some situations.

pembleton
Path Finder

The concept is useful when I want to have another system connect some kind of entity to an event in Splunk. Are there any plans for having this possible, or another way to make this work well with the available tools?

0 Karma

sideview
SplunkTrust

Yep, I think it will change. The number before the colon in the _cd value is the bucket number in the index, I believe. So unless the bucket numbers are perpetually autoincrementing per index, I think it'll change. What do you need this for?

meamitjain
New Member

Will the _cd value change over time when buckets are rolled for this event? Will the _cd value ever change until it ages off the Splunk filesystem?

0 Karma

smolcj
Builder

You can use streamstats to add a unique number to your events.
