Solved: Re: How do I detect a gap in a sequence of items? - Splunk Community

Splunk Search

I have a number of events reaching Splunk. Each event has an ID which is a simple sequential number.

Is there a way (ideally a Splunk query) of detecting gaps in the sequence?

1 Solution

Solution

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff | search id_diff>1 | table id_field, id_diff

View solution in original post

Solution

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff | search id_diff>1 | table id_field, id_diff

Splunk's IT Data Signing feature allows you to find gaps in the data. IT data signing will:

...displays information as to whether
the block of IT data has gaps, has
been tampered with, or is valid (no
gaps or tampering).

the 'gaps' as meant by the data signing stuff are pretty different -- there it means some data destined for the indexer never made it there, perhaps through malicious activities. Raoul is just looking for gaps in a numeric sequence.

Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

Unleash the power of Splunk Observability Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...