Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Finding Historical Gaps in Data

neely_hpe
New Member
‎01-09-2019 11:07 AM

I have an existing search that shows devices that currently are not logging i.e. gaps however, I didn't have an alert to fire if a new device was discovered. My question is how can I go back and see the actual gaps on devices from the past that are currently logging presently?

For example I know I had gaps from 12.30.18 up to 1.6.19 .. So how can I see or pull this historically?

Here is my search:

| metadata index=* type=hosts | where host="xxx.yyy.com" | eval gap = now()-lastTime | sort gap d | eval gap=tostring(gap, "duration") | convert ctime(lastTime) | fields host,lastTime,gap | rename gap as "Gap Duration (days+HH:MM:SS)" | rename lastTime AS "Last Time Event Was Seen By Data Source" | rename host AS "Data Source"

Tags (1)
0 Karma
Reply

dkeck
Influencer
‎01-14-2019 11:41 PM

HI,

I am not sure I get this right, you can always use| timechart count to see if there are gaps in your logs.

Since these gaps can be origined by delayed sending of your logs, your might be interessed in a delta as well.

You can get a delta with | eval delta= _indextime - _time

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...