Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check if values are incremental by 1 for a specific category

Nikitha
Explorer
‎09-11-2020 01:28 AM

Nikitha_0-1599812489183.png

If the above displayed data is the result for my stats command [stats values(Values) as Values by Category], how can I use the search to check if the values for each category are incremental by 1 and output the values that have been missed.

 I want the result to look like this :

Nikitha_1-1599812726846.png

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-11-2020 02:27 AM

try below: 

| stats max(value) as max_value min(value) as min_value values(value) as values by Category
| eval all_numbers=mvrange(min_value,max_value+1)
| fields - max_value,min_value
| nomv values
| eval values=replace(values,"\s",",")
| mvexpand all_numbers
| eval is_found=if(match(values,all_numbers),1,0)
| search is_found=0
| stats values(all_numbers) as missing_values by Category

reference: https://community.splunk.com/t5/Splunk-Search/How-to-find-the-missing-number-sequence-from-a-table/m...

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-11-2020 02:27 AM

try below: 

| stats max(value) as max_value min(value) as min_value values(value) as values by Category
| eval all_numbers=mvrange(min_value,max_value+1)
| fields - max_value,min_value
| nomv values
| eval values=replace(values,"\s",",")
| mvexpand all_numbers
| eval is_found=if(match(values,all_numbers),1,0)
| search is_found=0
| stats values(all_numbers) as missing_values by Category

reference: https://community.splunk.com/t5/Splunk-Search/How-to-find-the-missing-number-sequence-from-a-table/m...

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

thambisetty
Super Champion
‎09-11-2020 02:16 AM

It's possible to find before applying stats. after applying stats may be possible but it's not easy.

can you also confirm, if those values are in sequential with timestamp?

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2020 02:08 AM 
| makeresults | eval event="{\"Category\":\"Cat1\",\"Values\":[1,2,3,5,7]}\n{\"Category\":\"Cat2\",\"Values\":[6,8,9,10]}"
| eval event=split(event,"\n")
| mvexpand event
| spath input=event
| rename Values{} as Values
| fields Category, Values
| fields - _time
| eval low=tonumber(mvindex(Values,0))
| eval high=tonumber(mvindex(Values,mvcount(Values)-1))
| eval expected=mvrange(low, high + 1)
| eval missing=mvmap(expected,if(isnull(mvfind(Values,expected)),expected,NULL()))
| fields Category, missing
| rename missing as Values
0 Karma
Reply
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...