Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If SPLUNK provides UNIQUE ID to every event indexed?

ma_anand1984
Contributor
‎03-05-2013 08:01 PM

Hi Splunk base users,

Do you think it will be a good idea if splunk provides a UNIQUE id to find an event like a primary key to each event

Anand

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

glancaster
Path Finder
‎07-11-2013 11:45 AM

Hello Anand,

I do believe the Splunk app for Enterprise Security provides the functionality you are looking for. The app provides an 'Event Hash' of every event, which you can use to refer back to an exact event. Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

glancaster
Path Finder
‎07-11-2013 11:45 AM

Hello Anand,

I do believe the Splunk app for Enterprise Security provides the functionality you are looking for. The app provides an 'Event Hash' of every event, which you can use to refer back to an exact event. Hope this helps.

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎03-05-2013 09:29 PM

It's not as useful a concept as you might think. Like smolcj says you can easily add your own on the fly index field to a search result with | streamstats count as rowNumber.

For what it's worth, you can also do | eval id=index + "__" + _cd+"__" + splunk_server. It won't do you any good as far as searching for events, but the index plus the _cd field value plus the splunk_server field value may comprise a serviceable unique ID in some situations.

Reply
Solved! Jump to solution

pembleton
Path Finder
‎07-11-2013 09:32 AM

the concept is useful when i want to have another system connect some kind of entity to an event in splunk. are there any plans for having this possible or another way to make this work well with the available tools?

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎03-06-2013 09:09 AM

Yep, I think it will change. The number before the colon in the _cd value is the bucketnumber in the index I believe. So unless the bucket numbers are perpetually autoincrementing per index, I think it'll change. What do you need this for?

Reply
Solved! Jump to solution

meamitjain
New Member
‎03-06-2013 08:58 AM

Will the _cd value change over time when buckets are rolled for this event? Will _cd value ever change until it ages off the Splunk filesystem?

0 Karma
Reply
Solved! Jump to solution

smolcj
Builder
‎03-05-2013 08:19 PM

u can use streamstats to add unique number to your events

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...