topic Re: How do I detect a gap in a sequence of items? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-detect-a-gap-in-a-sequence-of-items/m-p/89101#M182212 <P>In the end I found that the following worked reasonably well:</P> <P><CODE>sourcetype=XXX | sort id_field | delta id_field as id_diff <BR /> | search id_diff&gt;1 | table id_field, id_diff</CODE></P> Tue, 26 Apr 2011 15:49:26 GMT raoul 2011-04-26T15:49:26Z How do I detect a gap in a sequence of items? https://community.splunk.com/t5/Splunk-Search/How-do-I-detect-a-gap-in-a-sequence-of-items/m-p/89099#M182210 <P>I have a number of events reaching Splunk. Each event has an ID which is a simple sequential number. </P> <P>Is there a way (ideally a Splunk query) of detecting gaps in the sequence?</P> Tue, 26 Apr 2011 14:59:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-detect-a-gap-in-a-sequence-of-items/m-p/89099#M182210 raoul 2011-04-26T14:59:54Z Re: How do I detect a gap in a sequence of items? https://community.splunk.com/t5/Splunk-Search/How-do-I-detect-a-gap-in-a-sequence-of-items/m-p/89100#M182211 <P>Splunk's <A href="http://www.splunk.com/base/Documentation/latest/Admin/ITDataSigning">IT Data Signing</A> feature allows you to find gaps in the data. IT data signing will:</P> <BLOCKQUOTE> <P>...displays information as to whether<BR /> the block of IT data has gaps, has<BR /> been tampered with, or is valid (no<BR /> gaps or tampering).</P> </BLOCKQUOTE> Tue, 26 Apr 2011 15:44:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-detect-a-gap-in-a-sequence-of-items/m-p/89100#M182211 LukeMurphey 2011-04-26T15:44:59Z Re: How do I detect a gap in a sequence of items? https://community.splunk.com/t5/Splunk-Search/How-do-I-detect-a-gap-in-a-sequence-of-items/m-p/89101#M182212 <P>In the end I found that the following worked reasonably well:</P> <P><CODE>sourcetype=XXX | sort id_field | delta id_field as id_diff <BR /> | search id_diff&gt;1 | table id_field, id_diff</CODE></P> Tue, 26 Apr 2011 15:49:26 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-detect-a-gap-in-a-sequence-of-items/m-p/89101#M182212 raoul 2011-04-26T15:49:26Z Re: How do I detect a gap in a sequence of items? https://community.splunk.com/t5/Splunk-Search/How-do-I-detect-a-gap-in-a-sequence-of-items/m-p/89102#M182213 <P>the 'gaps' as meant by the data signing stuff are pretty different -- there it means some data destined for the indexer never made it there, perhaps through malicious activities. Raoul is just looking for gaps in a numeric sequence.</P> Tue, 26 Apr 2011 17:14:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-detect-a-gap-in-a-sequence-of-items/m-p/89102#M182213 sideview 2011-04-26T17:14:33Z