https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436364#M124379 <P>Here is another much more complicated solution:</P> <PRE><CODE>| makeresults | eval raw="id=1 id=3 id=4 id=5 id=10 id=13 id=14 id=15" | makemv raw | mvexpand raw | rename raw AS _raw | kv | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | eval id=printf("%06d",id) | stats list(id) AS ids | nomv ids | map search=" | makeresults | eval ids=$ids$ | eval id=$ids$ | makemv id | chart count BY ids id | fields - ids | eval _answer=-1, _prev_val=-999 | foreach * [ eval _last_answer_digit=replace(_answer, \"^.*?(\d+)$\", \"\1\"), &lt;&lt;FIELD&gt;&gt; = \"&lt;&lt;FIELD&gt;&gt;\", _answer = case( (_answer==-1), &lt;&lt;FIELD&gt;&gt;, (_prev_val + 1==&lt;&lt;FIELD&gt;&gt;), _answer, (_last_answer_digit == _prev_val), _answer . \",&lt;&lt;FIELD&gt;&gt;\", true(), _answer . \"-\" . _prev_val . \",&lt;&lt;FIELD&gt;&gt;\"), _prev_prev_val = _prev_val, _prev_val = \"&lt;&lt;FIELD&gt;&gt;\" ]" | eval _answer = _answer . if((_prev_val==(_prev_prev_val + 1)), "-", ",") . _prev_val | table _answer | rename _answer AS answer | rex field=answer mode=sed "s/,0+/,/g s/-0+/-/g" </CODE></PRE> Mon, 11 Mar 2019 23:23:32 GMT woodcock 2019-03-11T23:23:32Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436361#M124376 <P>Hello Splunkers,</P> <P>Need your help on this.</P> <P>This is my query for testing:</P> <PRE><CODE>| fields id | sort id | delta id AS deltaid | eval consecutive=if(deltaid=1,"consecutive","nonconsecutive") id 1 3 4 5 10 13 14 15 Output in a new field should be like this: 1 3, 5 10 13, 15 </CODE></PRE> Mon, 11 Mar 2019 03:38:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436361#M124376 Oracle 2019-03-11T03:38:34Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436362#M124377 <P>@Oracle ,</P> <P>Try this</P> <PRE><CODE>| fields id | sort id | delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group | eventstats min(id) as min , max(id) as max by group | eval result=if(min==max,min,min.",".max)|fields id,result </CODE></PRE> <P>If you do not want result in all rows, you can replace <CODE>eventstats</CODE> with <CODE>stats</CODE></P> <PRE><CODE>|delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group |stats min(id) as min , max(id) as max,values(id) as id by group |eval result=if(min==max,min,min.",".max)|fields id,result </CODE></PRE> Mon, 11 Mar 2019 05:38:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436362#M124377 renjith_nair 2019-03-11T05:38:32Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436363#M124378 <P>Hello @renjith.nair </P> <P>Great, your search provided is working fine! Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 11 Mar 2019 05:47:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436363#M124378 Oracle 2019-03-11T05:47:43Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436364#M124379 <P>Here is another much more complicated solution:</P> <PRE><CODE>| makeresults | eval raw="id=1 id=3 id=4 id=5 id=10 id=13 id=14 id=15" | makemv raw | mvexpand raw | rename raw AS _raw | kv | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | eval id=printf("%06d",id) | stats list(id) AS ids | nomv ids | map search=" | makeresults | eval ids=$ids$ | eval id=$ids$ | makemv id | chart count BY ids id | fields - ids | eval _answer=-1, _prev_val=-999 | foreach * [ eval _last_answer_digit=replace(_answer, \"^.*?(\d+)$\", \"\1\"), &lt;&lt;FIELD&gt;&gt; = \"&lt;&lt;FIELD&gt;&gt;\", _answer = case( (_answer==-1), &lt;&lt;FIELD&gt;&gt;, (_prev_val + 1==&lt;&lt;FIELD&gt;&gt;), _answer, (_last_answer_digit == _prev_val), _answer . \",&lt;&lt;FIELD&gt;&gt;\", true(), _answer . \"-\" . _prev_val . \",&lt;&lt;FIELD&gt;&gt;\"), _prev_prev_val = _prev_val, _prev_val = \"&lt;&lt;FIELD&gt;&gt;\" ]" | eval _answer = _answer . if((_prev_val==(_prev_prev_val + 1)), "-", ",") . _prev_val | table _answer | rename _answer AS answer | rex field=answer mode=sed "s/,0+/,/g s/-0+/-/g" </CODE></PRE> Mon, 11 Mar 2019 23:23:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436364#M124379 woodcock 2019-03-11T23:23:32Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436365#M124380 <P>Wow; very, Very, VERY nicely done! Take a look at my brute-force approach!!!</P> Mon, 11 Mar 2019 23:25:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-first-and-last-number-of-consecutive-integers-by/m-p/436365#M124380 woodcock 2019-03-11T23:25:20Z