Splunk Search

Find inconsistencies in the IDs of results

New Member


I'm new to Splunk in general, and I was wondering if there was a way to highlight inconsistencies in the IDs of the returned events.

I've got a simple query: index="<field>" | sort -_time | dedup id which returns 6056 results, ranging from ID 31 to 14.236.
Obviously, there are gaps. I'd like to be able to get a clear vision of all the gaps, which could give me an answer to why there are so many.

Any help is greatly appreciated,
Thanks in advance!

0 Karma

Esteemed Legend

Your sort -_time is redundant, and not only that, it is trimming your result set to 1000 because the default is sort 1000, so get rid of it and then you should see WAAAAAAAAAAAAAAAAY more events and fewer "gaps". If you think that you need the sort to double-check the sorting, then use sort 0 - _time, but it will be the same.

0 Karma
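Once the result limit is out of the way, the gaps themselves can be listed rather than eyeballed. The search below is an added example, not code from either poster; it assumes the id field holds integers and that <index> stands in for the real index name. It drops the 1000-row cap with sort 0, uses streamstats to carry the previous event's id forward, and keeps only the places where the next id is not the previous id plus one.

```spl
index="<index>"
| dedup id
| eval id=tonumber(id)
| where isnotnull(id)
| sort 0 id
| streamstats current=f last(id) as prev_id
| eval gap_size=id-prev_id-1
| where gap_size>0
| eval missing_from=prev_id+1, missing_to=id-1
| table missing_from missing_to gap_size
| addcoltotals gap_size
```

Each row is one run of missing ids (first and last missing value plus the count), and the final addcoltotals row gives the total number of missing ids, which should equal the highest id minus the lowest id plus one, minus the number of distinct ids actually seen.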