Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I detect a gap in a sequence of items?

raoul
Path Finder
‎04-26-2011 07:59 AM

I have a number of events reaching Splunk. Each event has an ID which is a simple sequential number.

Is there a way (ideally a Splunk query) of detecting gaps in the sequence?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

raoul
Path Finder
‎04-26-2011 08:49 AM

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff
| search id_diff>1 | table id_field, id_diff

View solution in original post

Reply
Solved! Jump to solution
Solution

raoul
Path Finder
‎04-26-2011 08:49 AM

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff
| search id_diff>1 | table id_field, id_diff

Reply
Solved! Jump to solution

LukeMurphey
Champion
‎04-26-2011 08:44 AM

Splunk's IT Data Signing feature allows you to find gaps in the data. IT data signing will:

...displays information as to whether
the block of IT data has gaps, has
been tampered with, or is valid (no
gaps or tampering).

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎04-26-2011 10:14 AM

the 'gaps' as meant by the data signing stuff are pretty different -- there it means some data destined for the indexer never made it there, perhaps through malicious activities. Raoul is just looking for gaps in a numeric sequence.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...