Solved: Re: Unique row number in while indexing

himanshusinha1 · ‎05-24-2013

Hi All,
Is there any possibility to create a unique index number while indexing because i want to search the result on behalf of last event id i read.then i will read the event greater then from that last event id.
The problem i faced is device is generating wrong date time and that time is future date time in that case our earliest and latest logic is failing. because i was storing the _time value as a last trigger date and that was future date.so i want to create a unique auto incremented row number id while indexing.
Please help!!

Ayn · ‎05-24-2013

You could use _indextime instead of _time. If that's not enough you could also use (or combine) the _cd field for uniqueness. Both are a kind of incrementing counters.

View solution in original post

Ayn · ‎05-24-2013

_cd is a unique number within an index (it consists of a bucket number and an offset within that bucket). It always exists. It does not increment just by 1 though, the only guarantee you have is that it's incrementing.

Not sure what you mean by that it's taking a long time to search and why.

himanshusinha1 · ‎05-24-2013

Thanks.. can we get _cd in every type of device logs?
Can we get the two ranges of _cd logs e.g i got 1234 in _cd now i want the logs between 1234 and 1240 o/p = 6 events?
_indextime is returning epoch time and its taking long time i search.

Ayn · ‎05-24-2013

You could use _indextime instead of _time. If that's not enough you could also use (or combine) the _cd field for uniqueness. Both are a kind of incrementing counters.

Unique row number in while indexing

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases