splunk · spanchal-crest · May 14, 2025 · May 27, 2025
@@ -60,7 +60,8 @@ def ingest(self, events, thread_count):
                 "sourcetype": "sample_HEC",
                 "source": "sample_source",
                 "host": "sample_host",
-                "event": "event_str"
+                "event": "event_str",
+                "fields": {"unique_identifier": "uuid"}
             }
 
         The format of dictionary for ingesting a batch of events::
@@ -70,13 +71,15 @@ def ingest(self, events, thread_count):
                     "sourcetype": "sample_HEC",
                     "source": "sample_source",
                     "host": "sample_host",
-                    "event": "event_str1"
+                    "event": "event_str1",
+                    "fields": {"unique_identifier": "uuid"}
                 },
                 {
                     "sourcetype": "sample_HEC",
                     "source": "sample_source",
                     "host": "sample_host",
-                    "event": "event_str2"
+                    "event": "event_str2",
+                    "fields": {"unique_identifier": "uuid"}
                 },
             ]
 
@@ -92,6 +95,7 @@ def ingest(self, events, thread_count):
                 "source": event.metadata.get("source", "pytest_splunk_addon:hec:event"),
                 "event": event.event,
                 "index": event.metadata.get("index", "main"),
+                "fields": {"unique_identifier": event.unique_identifier},
             }
 
             if event.metadata.get("host_type") in ("plugin", None):

@@ -266,6 +266,7 @@ def generate_requirements_tests(self):
                         "escaped_event": escaped_event,
                         "fields": requirement_fields,
                         "modinput_params": modinput_params,
+                        "unique_identifier": event.unique_identifier,
                     },
                     id=f"sample_name::{event.sample_name}::host::{event.metadata.get('host')}",
                 )

@@ -165,12 +165,16 @@ def test_requirements_fields(
         record_property(
             "stanza_name", splunk_searchtime_fields_requirements["escaped_event"]
         )
+        record_property(
+            "stanza_name", splunk_searchtime_fields_requirements["unique_identifier"]
+        )
         record_property("fields", splunk_searchtime_fields_requirements["fields"])
         record_property(
             "modinput_params", splunk_searchtime_fields_requirements["modinput_params"]
         )
 
         escaped_event = splunk_searchtime_fields_requirements["escaped_event"]
+        unique_identifier = splunk_searchtime_fields_requirements["unique_identifier"]
         fields = splunk_searchtime_fields_requirements["fields"]
         modinput_params = splunk_searchtime_fields_requirements["modinput_params"]
 
@@ -185,7 +189,7 @@ def test_requirements_fields(
             if param_value is not None:
                 basic_search += f" {param}={param_value}"
 
-        search = f"search {index_list} {basic_search} {escaped_event} | fields *"
+        search = f'search {index_list} {basic_search} unique_identifier="{unique_identifier}" | fields *'
 
         self.logger.info(f"Executing the search query: {search}")
 
@@ -225,6 +229,7 @@ def test_requirements_fields(
         assert wrong_value_fields == {}, (
             f"\nNot all required fields have correct values or some fields are missing in Splunk. Wrong field values:\n{wrong_values_table}"
             f"{format_search_query_log(search)}"
+            f"Test failed for event: {escaped_event}\n"
         )
 
     @pytest.mark.splunk_searchtime_fields

@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+import uuid
 import re
 import logging
 from ..index_tests import key_fields
@@ -68,6 +69,7 @@ def __init__(self, event_string, metadata, sample_name, requirement_test_data=No
         self.metadata = metadata
         self.sample_name = sample_name
         self.host_count = 0
+        self.unique_identifier = str(uuid.uuid4())
         self.requirement_test_data = requirement_test_data
 
     def update(self, new_event):

@@ -131,6 +131,7 @@ def store_events(self, tokenized_events):
                     "events": [
                         {
                             "event": each_event.event,
+                            "unique_identifier": each_event.unique_identifier,
                             "key_fields": each_event.key_fields,
                             "time_values": each_event.time_values,
                             "requirement_test_data": each_event.requirement_test_data,
@@ -141,6 +142,7 @@ def store_events(self, tokenized_events):
                 tokenized_samples_dict[each_event.sample_name]["events"].append(
                     {
                         "event": each_event.event,
+                        "unique_identifier": each_event.unique_identifier,
                         "key_fields": each_event.key_fields,
                         "time_values": each_event.time_values,
                         "requirement_test_data": each_event.requirement_test_data,

@@ -6,6 +6,7 @@
 @dataclass()
 class SampleEvent:
     event: str
+    unique_identifier: str
     metadata: dict
     sample_name: str
     key_fields: dict = None
@@ -17,6 +18,7 @@ def modinput_events():
     return [
         SampleEvent(
             event="test_modinput_1 host=modinput_host_event_time_plugin.samples_1",
+            unique_identifier="uuid",
             key_fields={"host": ["modinput_host_event_time_plugin.samples_1"]},
             metadata={
                 "sourcetype": "test:indextime:sourcetype:modinput_host_event_time_plugin",
@@ -33,6 +35,7 @@ def modinput_events():
         ),
         SampleEvent(
             event="test_modinput_2 host=modinput_host_event_time_plugin.samples_2",
+            unique_identifier="uuid",
             key_fields={"host": ["modinput_host_event_time_plugin.samples_2"]},
             metadata={
                 "sourcetype": "test:indextime:sourcetype:modinput_host_event_time_plugin",
@@ -49,6 +52,7 @@ def modinput_events():
         ),
         SampleEvent(
             event="fake event nothing happened",
+            unique_identifier="uuid",
             key_fields={},
             metadata={
                 "host_type": "plugin",
@@ -73,18 +77,21 @@ def modinput_posts_sent():
             '"source": "pytest-splunk-addon:modinput", '
             '"event": "test_modinput_1 host=modinput_host_event_time_plugin.samples_1", '
             '"index": "main", '
+            '"fields": {"unique_identifier": "uuid"}, '
             '"host": "modinput_host_event_time_plugin.samples_1"'
             "}, {"
             '"sourcetype": "test:indextime:sourcetype:modinput_host_event_time_plugin", '
             '"source": "pytest-splunk-addon:modinput", '
             '"event": "test_modinput_2 host=modinput_host_event_time_plugin.samples_2", '
             '"index": "main", '
+            '"fields": {"unique_identifier": "uuid"}, '
             '"host": "modinput_host_event_time_plugin.samples_2"'
             "}, {"
             '"sourcetype": "pytest_splunk_addon", '
             '"source": "pytest_splunk_addon:hec:event", '
             '"event": "fake event nothing happened", '
             '"index": "fake_index", '
+            '"fields": {"unique_identifier": "uuid"}, '
             '"host": "fake host", '
             '"time": 1234.5678'
             "}]",
@@ -98,6 +105,7 @@ def file_monitor_events():
         SampleEvent(
             event="host=test-host-file_monitor_host_prefix.sample-2 Test for host_prefix file_monitor"
             "host=test-host-file_monitor_host_prefix.sample-4 Test for host_prefix file_monitor",
+            unique_identifier="uuid",
             metadata={
                 "interval": "60",
                 "earliest": "-60s",
@@ -118,6 +126,7 @@ def file_monitor_events():
         SampleEvent(
             event="test_failing_1 src=10.1.0.81 dest_ip=10.100.0.91 src_port=4889 dest_port=21 "
             "dvc=172.16.22.73 user=user297 test_list_all=a [email protected]",
+            unique_identifier="uuid",
             metadata={
                 "sourcetype": "test:indextime:failing",
                 "host_type": "plugin",
@@ -135,6 +144,7 @@ def file_monitor_events():
         ),
         SampleEvent(
             event="fake event nothing happened src=0.0.0.0 src_port=5050 dest=10.0.0.1 dest_port=6060",
+            unique_identifier="uuid",
             metadata={
                 "input_type": "file_monitor",
                 "index": "fake_index",
@@ -223,6 +233,7 @@ def requirement_events():
     return [
         SampleEvent(
             event="requirement event",
+            unique_identifier="uuid",
             metadata={
                 "source": "requirement source",
                 "sourcetype": "requirement source type",
@@ -245,6 +256,7 @@ def sc4s_events():
     return [
         SampleEvent(
             event='sc4s-host-plugin-time-sample-31 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="50486da4-b851-47eb-9e27-a3337f14522f',
+            unique_identifier="uuid",
             metadata={
                 "timestamp_type": "event",
                 "sourcetype": "mcafee:epo:syslog",
@@ -261,6 +273,7 @@ def sc4s_events():
         ),
         SampleEvent(
             event='sc4s-host-plugin-time-sample-32 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="523efa00-cb66-4682-8ad7-c8b800adabd1"',
+            unique_identifier="uuid",
             metadata={
                 "timestamp_type": "event",
                 "sourcetype": "mcafee:epo:syslog",