Splunk Search

If SPLUNK provides UNIQUE ID to every event indexed?

Contributor

Hi Splunk base users,

Do you think it would be a good idea if Splunk provided a unique ID to find an event, like a primary key for each event?

Anand

1 Solution

Path Finder

Hello Anand,

I do believe the Splunk app for Enterprise Security provides the functionality you are looking for. The app provides an 'Event Hash' of every event, which you can use to refer back to an exact event. Hope this helps.


SplunkTrust

It's not as useful a concept as you might think. Like smolcj says, you can easily add your own on-the-fly index field to a search result with | streamstats count as rowNumber.

For what it's worth, you can also do | eval id=index + "__" + _cd + "__" + splunk_server. It won't do you any good as far as searching for events, but the index plus the _cd field value plus the splunk_server field value may comprise a serviceable unique ID in some situations.

Path Finder

The concept is useful when I want to have another system connect some kind of entity to an event in Splunk. Are there any plans to make this possible, or is there another way to make this work well with the available tools?

0 Karma

SplunkTrust

Yep, I think it will change. The number before the colon in the _cd value is the bucket number in the index, I believe. So unless the bucket numbers are perpetually autoincrementing per index, I think it'll change. What do you need this for?

New Member

Will the _cd value change over time when buckets are rolled for this event? Will the _cd value ever change until it ages off the Splunk filesystem?

0 Karma

Builder

You can use streamstats to add a unique number to your events.
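An added example, not part of the thread and not Splunk's or the Enterprise Security app's own code: it compares the index/_cd/splunk_server ID suggested above with a content-derived ID that an external system could store as a reference. The choice of stable fields, the SHA-256 construction, the function names and the sample events are all assumptions of this example.

```python
import hashlib
from collections import Counter

# Fields assumed stable for the life of an event (an assumption of this example).
STABLE_FIELDS = ("index", "host", "source", "sourcetype", "_time", "_raw")


def location_id(event):
    """The ID from the thread: index + "__" + _cd + "__" + splunk_server."""
    return "__".join((event["index"], event["_cd"], event["splunk_server"]))


def content_id(event):
    """SHA-256 over length-prefixed stable fields, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for name in STABLE_FIELDS:
        value = str(event[name]).encode("utf-8")
        h.update(len(value).to_bytes(8, "big"))
        h.update(value)
    return h.hexdigest()


def assign_ids(events):
    """Return one ID per event; byte-identical duplicates get an ordinal suffix."""
    seen = Counter()
    ids = []
    for event in events:
        digest = content_id(event)
        seen[digest] += 1
        ids.append(digest if seen[digest] == 1 else f"{digest}#{seen[digest]}")
    return ids


# Constructed sample events (not real Splunk output).
EVENT = {
    "index": "main", "host": "web01", "source": "/var/log/auth.log",
    "sourcetype": "linux_secure", "_time": "1700000000",
    "_raw": "Failed password for root from 192.0.2.10 port 22 ssh2",
    "_cd": "12:3456", "splunk_server": "idx1",
}
# The same event with a different bucket number before the colon in _cd.
MOVED = dict(EVENT, _cd="40:3456")

if __name__ == "__main__":
    print(location_id(EVENT), "->", location_id(MOVED))
    print("content ID unchanged:", content_id(EVENT) == content_id(MOVED))
    print(assign_ids([EVENT, MOVED, dict(EVENT, host="web02")]))
```

The ordinal suffix depends on result order, so it only distinguishes duplicates within one consistently sorted result set.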