Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check if values are incremental by 1 for a specific category

Nikitha
Explorer
‎09-11-2020 01:28 AM

Nikitha_0-1599812489183.png

If the above displayed data is the result for my stats command [stats values(Values) as Values by Category], how can I use the search to check if the values for each category are incremental by 1 and output the values that have been missed.

 I want the result to look like this :

Nikitha_1-1599812726846.png

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-11-2020 02:27 AM

try below: 

| stats max(value) as max_value min(value) as min_value values(value) as values by Category
| eval all_numbers=mvrange(min_value,max_value+1)
| fields - max_value,min_value
| nomv values
| eval values=replace(values,"\s",",")
| mvexpand all_numbers
| eval is_found=if(match(values,all_numbers),1,0)
| search is_found=0
| stats values(all_numbers) as missing_values by Category

reference: https://community.splunk.com/t5/Splunk-Search/How-to-find-the-missing-number-sequence-from-a-table/m...

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-11-2020 02:27 AM

try below: 

| stats max(value) as max_value min(value) as min_value values(value) as values by Category
| eval all_numbers=mvrange(min_value,max_value+1)
| fields - max_value,min_value
| nomv values
| eval values=replace(values,"\s",",")
| mvexpand all_numbers
| eval is_found=if(match(values,all_numbers),1,0)
| search is_found=0
| stats values(all_numbers) as missing_values by Category

reference: https://community.splunk.com/t5/Splunk-Search/How-to-find-the-missing-number-sequence-from-a-table/m...

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

thambisetty
Super Champion
‎09-11-2020 02:16 AM

It's possible to find before applying stats. after applying stats may be possible but it's not easy.

can you also confirm, if those values are in sequential with timestamp?

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2020 02:08 AM 
| makeresults | eval event="{\"Category\":\"Cat1\",\"Values\":[1,2,3,5,7]}\n{\"Category\":\"Cat2\",\"Values\":[6,8,9,10]}"
| eval event=split(event,"\n")
| mvexpand event
| spath input=event
| rename Values{} as Values
| fields Category, Values
| fields - _time
| eval low=tonumber(mvindex(Values,0))
| eval high=tonumber(mvindex(Values,mvcount(Values)-1))
| eval expected=mvrange(low, high + 1)
| eval missing=mvmap(expected,if(isnull(mvfind(Values,expected)),expected,NULL()))
| fields Category, missing
| rename missing as Values
0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...