Splunk Search

How do I detect a gap in a sequence of items?

raoul
Path Finder

I have a number of events reaching Splunk. Each event has an ID which is a simple sequential number.

Is there a way (ideally a Splunk query) of detecting gaps in the sequence?

Tags (1)
1 Solution

raoul
Path Finder

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff
| search id_diff>1 | table id_field, id_diff

View solution in original post

raoul
Path Finder

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff
| search id_diff>1 | table id_field, id_diff

View solution in original post

LukeMurphey
Champion

Splunk's IT Data Signing feature allows you to find gaps in the data. IT data signing will:

...displays information as to whether
the block of IT data has gaps, has
been tampered with, or is valid (no
gaps or tampering).

0 Karma

sideview
SplunkTrust
SplunkTrust

the 'gaps' as meant by the data signing stuff are pretty different -- there it means some data destined for the indexer never made it there, perhaps through malicious activities. Raoul is just looking for gaps in a numeric sequence.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.