Solved: How do I detect a gap in a sequence of items?

raoul · ‎04-26-2011

I have a number of events reaching Splunk. Each event has an ID which is a simple sequential number.

Is there a way (ideally a Splunk query) of detecting gaps in the sequence?

raoul · ‎04-26-2011

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff | search id_diff>1 | table id_field, id_diff

View solution in original post

raoul · ‎04-26-2011

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff | search id_diff>1 | table id_field, id_diff

LukeMurphey · ‎04-26-2011

Splunk's IT Data Signing feature allows you to find gaps in the data. IT data signing will:

...displays information as to whether
the block of IT data has gaps, has
been tampered with, or is valid (no
gaps or tampering).

sideview · ‎04-26-2011

the 'gaps' as meant by the data signing stuff are pretty different -- there it means some data destined for the indexer never made it there, perhaps through malicious activities. Raoul is just looking for gaps in a numeric sequence.

How do I detect a gap in a sequence of items?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation