topic Finding Historical Gaps in Data in Splunk Search https://community.splunk.com/t5/Splunk-Search/Finding-Historical-Gaps-in-Data/m-p/394884#M173740 <P>I have an existing search that shows devices that currently are not logging i.e. gaps however, I didn't have an alert to fire if a new device was discovered. My question is how can I go back and see the actual gaps on devices from the past that are currently logging presently?</P> <P>For example I know I had gaps from 12.30.18 up to 1.6.19 .. So how can I see or pull this historically?</P> <P>Here is my search:</P> <P>| metadata index=* type=hosts | where host="xxx.yyy.com" | eval gap = now()-lastTime | sort gap d | eval gap=tostring(gap, "duration") | convert ctime(lastTime) | fields host,lastTime,gap | rename gap as "Gap Duration (days+HH:MM:SS)" | rename lastTime AS "Last Time Event Was Seen By Data Source" | rename host AS "Data Source"</P> Wed, 09 Jan 2019 19:07:17 GMT neely_hpe 2019-01-09T19:07:17Z Finding Historical Gaps in Data https://community.splunk.com/t5/Splunk-Search/Finding-Historical-Gaps-in-Data/m-p/394884#M173740 <P>I have an existing search that shows devices that currently are not logging i.e. gaps however, I didn't have an alert to fire if a new device was discovered. My question is how can I go back and see the actual gaps on devices from the past that are currently logging presently?</P> <P>For example I know I had gaps from 12.30.18 up to 1.6.19 .. So how can I see or pull this historically?</P> <P>Here is my search:</P> <P>| metadata index=* type=hosts | where host="xxx.yyy.com" | eval gap = now()-lastTime | sort gap d | eval gap=tostring(gap, "duration") | convert ctime(lastTime) | fields host,lastTime,gap | rename gap as "Gap Duration (days+HH:MM:SS)" | rename lastTime AS "Last Time Event Was Seen By Data Source" | rename host AS "Data Source"</P> Wed, 09 Jan 2019 19:07:17 GMT https://community.splunk.com/t5/Splunk-Search/Finding-Historical-Gaps-in-Data/m-p/394884#M173740 neely_hpe 2019-01-09T19:07:17Z Re: Finding Historical Gaps in Data https://community.splunk.com/t5/Splunk-Search/Finding-Historical-Gaps-in-Data/m-p/394885#M173741 <P>HI,</P> <P>I am not sure I get this right, you can always use<CODE>| timechart count</CODE> to see if there are gaps in your logs.</P> <P>Since these gaps can be origined by delayed sending of your logs, your might be interessed in a delta as well.</P> <P>You can get a delta with <CODE>| eval delta= _indextime - _time</CODE></P> Tue, 15 Jan 2019 07:41:25 GMT https://community.splunk.com/t5/Splunk-Search/Finding-Historical-Gaps-in-Data/m-p/394885#M173741 dkeck 2019-01-15T07:41:25Z