Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check if values are incremental by 1 for a specific category

Nikitha
Explorer
‎09-11-2020 01:28 AM

Nikitha_0-1599812489183.png

If the above displayed data is the result for my stats command [stats values(Values) as Values by Category], how can I use the search to check if the values for each category are incremental by 1 and output the values that have been missed.

 I want the result to look like this :

Nikitha_1-1599812726846.png

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-11-2020 02:27 AM

try below: 

| stats max(value) as max_value min(value) as min_value values(value) as values by Category
| eval all_numbers=mvrange(min_value,max_value+1)
| fields - max_value,min_value
| nomv values
| eval values=replace(values,"\s",",")
| mvexpand all_numbers
| eval is_found=if(match(values,all_numbers),1,0)
| search is_found=0
| stats values(all_numbers) as missing_values by Category

reference: https://community.splunk.com/t5/Splunk-Search/How-to-find-the-missing-number-sequence-from-a-table/m...

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-11-2020 02:27 AM

try below: 

| stats max(value) as max_value min(value) as min_value values(value) as values by Category
| eval all_numbers=mvrange(min_value,max_value+1)
| fields - max_value,min_value
| nomv values
| eval values=replace(values,"\s",",")
| mvexpand all_numbers
| eval is_found=if(match(values,all_numbers),1,0)
| search is_found=0
| stats values(all_numbers) as missing_values by Category

reference: https://community.splunk.com/t5/Splunk-Search/How-to-find-the-missing-number-sequence-from-a-table/m...

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

thambisetty
Super Champion
‎09-11-2020 02:16 AM

It's possible to find before applying stats. after applying stats may be possible but it's not easy.

can you also confirm, if those values are in sequential with timestamp?

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2020 02:08 AM 
| makeresults | eval event="{\"Category\":\"Cat1\",\"Values\":[1,2,3,5,7]}\n{\"Category\":\"Cat2\",\"Values\":[6,8,9,10]}"
| eval event=split(event,"\n")
| mvexpand event
| spath input=event
| rename Values{} as Values
| fields Category, Values
| fields - _time
| eval low=tonumber(mvindex(Values,0))
| eval high=tonumber(mvindex(Values,mvcount(Values)-1))
| eval expected=mvrange(low, high + 1)
| eval missing=mvmap(expected,if(isnull(mvfind(Values,expected)),expected,NULL()))
| fields Category, missing
| rename missing as Values
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...