Splunk Search

Is there a unique event ID for each event in the index?

andy_lee
New Member

Hi

My auditors are questioning and requiring that each event we log into Splunk has a unique identifier added by Splunk. I see where they are coming from, but cannot produce evidence of something I know intuitively to be true. Splunk must maintain an internal index of events to enable the searching to work, so each recorded event must have a unique id from that. I just need to evidence it for the auditors.


javiergn
SplunkTrust
SplunkTrust

Enterprise Security provides this already.
If you don't have ES, then try the following:

| eval myUniqueId = index + "_" + _cd + "_" + splunk_server

andy_lee
New Member

Many thanks. I assume in the search string there are some values I need to input? I guess splunk_server = host name or IP or search head or indexer; is index to be replaced with a specific value, and how about myUniqueId, does that need a specific value in there as well?


andy_lee
New Member

Thanks again I have now managed to understand this and have generated the search with the id attached. My Auditors will now be happy!!!


javiergn
SplunkTrust
SplunkTrust

Yeah. For instance, if you want to return all your non-internal events for the last 10 minutes:

index=* earliest=-10m | eval myUniqueId = index + "_" + _cd + "_" + splunk_server | table _raw myUniqueId

The ID is there, you just need to build it.

By the way, splunk_server is different from host. The first one specifies the server where your data is stored (normally your indexer). Host could be multiple things but it normally refers to the host that generated the event.

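An added audit-evidence search, not part of the thread above: `_cd` is Splunk's internal event address (bucket:offset), which is only unique within one indexer, so the answer appends `splunk_server`; the search below builds the ID the same way and compares the event count with the number of distinct IDs, assuming it runs over a normal event index (not summary or data-model output, where `_cd` is not available).

```spl
index=* earliest=-24h
| eval myUniqueId = index + "_" + _cd + "_" + splunk_server
| stats count AS total_events, dc(myUniqueId) AS distinct_ids
| eval all_unique = if(total_events == distinct_ids, "yes", "no")
| table total_events distinct_ids all_unique
```

If `all_unique` ever reads "no", replacing the last three lines with `| stats count BY myUniqueId | where count > 1` lists the colliding IDs for investigation.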