How to check if values are incremental by 1 for a specific category

Nikitha
Explorer

(screenshot attachment: Nikitha_0-1599812489183.png)

If the above displayed data is the result of my stats command [stats values(Values) as Values by Category], how can I use the search to check whether the values for each category increase by 1, and output the values that have been missed?

I want the result to look like this:

(screenshot attachment: Nikitha_1-1599812726846.png)


thambisetty
SplunkTrust

Try below:

| stats max(value) as max_value min(value) as min_value values(value) as values by Category
| eval all_numbers=mvrange(min_value,max_value+1)
| fields - max_value,min_value
| nomv values
| eval values=replace(values,"\s",",")
| mvexpand all_numbers
| eval is_found=if(match(values,"(^|,)".all_numbers."(,|$)"),1,0)
| search is_found=0
| stats values(all_numbers) as missing_values by Category

reference: https://community.splunk.com/t5/Splunk-Search/How-to-find-the-missing-number-sequence-from-a-table/m...

————————————
If this helps, give a like below.



Naga2
Explorer

Hello @thambisetty,

Could you explain what each line does, if possible?

How can we build this same missing_number logic into an if condition and throw an error if any number in between is missed?

In our case too, the sequence increases by one.

Each Doc_ID (AGDGYS8737vdhh = file_name, like the Category mentioned in this post) has a set of sequence_numbers that increase one by one. If they do not increase by one, we conclude that some number was missed in between, and we can trigger an alert then and there.

0 Karma

thambisetty
SplunkTrust

It's possible to find this before applying stats. After applying stats it may be possible, but it's not easy.

Can you also confirm whether those values are sequential with the timestamp?

————————————
If this helps, give a like below.
0 Karma

ITWhisperer
SplunkTrust

| makeresults | eval event="{\"Category\":\"Cat1\",\"Values\":[1,2,3,5,7]}\n{\"Category\":\"Cat2\",\"Values\":[6,8,9,10]}"
| eval event=split(event,"\n")
| mvexpand event
| spath input=event
| rename Values{} as Values
| fields Category, Values
| fields - _time
| eval low=tonumber(mvindex(Values,0))
| eval high=tonumber(mvindex(Values,mvcount(Values)-1))
| eval expected=mvrange(low, high + 1)
| eval missing=mvmap(expected,if(isnull(mvfind(Values,"^".expected."$")),expected,NULL()))
| fields Category, missing
| rename missing as Values
0 Karma
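The following search is an added example, not code from any poster in this thread. It puts together the two ideas above (the per-category min..max range from the accepted answer, and the mvmap/mvfind pattern from ITWhisperer's reply) into a form that can be saved directly as an alert, which is what the follow-up question asks for. The sample data (two hypothetical categories, host-a and host-b, with sequence numbers that skip 4 and 6 for host-a and 7 and 11 for host-b) is constructed inline with makeresults so the search runs stand-alone; replace those first four lines with your own base search that yields a Category and a numeric Values field per event. The membership test anchors the regex ("^5$" rather than "5") so that, unlike a bare substring match, a present 10 or 15 can never hide a missing 1 or 5.

```spl
| makeresults count=10
| streamstats count as n
| eval Category=if(n<=5, "host-a", "host-b")
| eval Values=case(n==1,1, n==2,2, n==3,3, n==4,5, n==5,7, n==6,6, n==7,8, n==8,9, n==9,10, n==10,12)
| stats min(Values) as low, max(Values) as high, values(Values) as seen by Category
| eval expected=mvrange(low, high+1)
| eval missing=mvmap(expected, if(isnull(mvfind(seen, "^".expected."$")), expected, null()))
| eval missing_count=coalesce(mvcount(missing), 0)
| where missing_count>0
| table Category, low, high, seen, missing, missing_count
```

With the constructed data this returns one row per category with missing=4,6 for host-a and missing=7,11 for host-b; a category whose numbers are contiguous is dropped by the `where`, so saving the search as a scheduled alert with the trigger condition "Number of results is greater than 0" fires only when a gap exists. Two caveats apply to any min/max based check: a run that is missing its first or last numbers looks complete, because the range is derived from what was seen, so if the sequence is known to start at a fixed value (for example 1 for a new Doc_ID) use that constant in place of `low` in the mvrange call; and stats values() deduplicates, so a repeated number is neither reported as a gap nor as a duplicate.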