Hi
My auditors are questioning and requiring that each event we log into Splunk has a unique identifier added by Splunk. I see where they are coming from, but cannot produce evidence of something I know intuitively to be true. Splunk must maintain an internal index of events to enable the searching to work so each recorded event must have a unique id from that. I just need to evidence it for the Auditors
Enterprise Security provides this already.
If you don't have ES, then try the following:
| eval myUniqueId = index + "_" + _cd + "_" + splunk_server
Enterprise Security provides this already.
If you don't have ES, then try the following:
| eval myUniqueId = index + "_" + _cd + "_" + splunk_server
Many thanks I assume in the search string there are some values I need to input? I guess splunk_server = host name or IP or search head or indexer is index to be replaced with a specific value and how about myUniqueId does that need a specific value in there as well
Thanks again I have now managed to understand this and have generated the search with the id attached. My Auditors will now be happy!!!
Yeah. For instance, if you want to return all your non-internal events for the last 10 minutes:
index=* earliest=-10m | eval myUniqueId = index + "_" + _cd + "_" + splunk_server | table _raw myUniqueId
The ID is there, you just need to build it
By the way, splunk_server is different from host. The first one specifies the server where your data is stored (normally your indexer). Host could be multiple things but it normally refers to the host that generated the event.