Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I detect a gap in a sequence of items?

raoul
Path Finder
‎04-26-2011 07:59 AM

I have a number of events reaching Splunk. Each event has an ID which is a simple sequential number.

Is there a way (ideally a Splunk query) of detecting gaps in the sequence?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

raoul
Path Finder
‎04-26-2011 08:49 AM

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff
| search id_diff>1 | table id_field, id_diff

View solution in original post

Reply
Solved! Jump to solution
Solution

raoul
Path Finder
‎04-26-2011 08:49 AM

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff
| search id_diff>1 | table id_field, id_diff

Reply
Solved! Jump to solution

LukeMurphey
Champion
‎04-26-2011 08:44 AM

Splunk's IT Data Signing feature allows you to find gaps in the data. IT data signing will:

...displays information as to whether
the block of IT data has gaps, has
been tampered with, or is valid (no
gaps or tampering).

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎04-26-2011 10:14 AM

the 'gaps' as meant by the data signing stuff are pretty different -- there it means some data destined for the indexer never made it there, perhaps through malicious activities. Raoul is just looking for gaps in a numeric sequence.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...