Splunk Search

Find inconsistencies in the IDs of results

New Member


I'm new to Splunk in general, and I was wondering is there was a way to highlight inconsistencies in the IDs of the returned events.

I've got a simple query : index="<field>" | sort -_time | dedup id which returns 6056 results, ranging from ID 31 to 14.236.
Obviously, there are gaps. I'd like to be able to get a clear vision of all the gaps, which could give me an answer to why there are so many.

Any help is greatly appreciated,
Thanks in advance !

0 Karma

Esteemed Legend

Your sort -_time is redundant and not only that it is trimming your result set to 1000 because the default is sort 1000 so get rid of it and then you should see WAAAAAAAAAAAAAAAAY more events and fewer "gaps". If you think that you need the sort to double-check the sorting, then use sort 0 - _time, but it will be the same.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...