Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the first and last number of consecutive integers by search?

Oracle
Explorer
‎03-10-2019 08:38 PM

Hello Splunkers,

Need your help on this.

This is my query for testing:

| fields id 
| sort id 
| delta id AS deltaid 
| eval consecutive=if(deltaid=1,"consecutive","nonconsecutive")

id
1
3
4
5
10
13
14
15

Output in a new field should be like this:
1
3, 5
10
13, 15
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-10-2019 10:38 PM

@Oracle ,

Try this

| fields id
| sort id
| delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group
| eventstats min(id) as min , max(id) as max by group
| eval result=if(min==max,min,min.",".max)|fields id,result

If you do not want result in all rows, you can replace eventstats with stats

|delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group
|stats  min(id) as min , max(id) as max,values(id) as id by group
|eval result=if(min==max,min,min.",".max)|fields id,result
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-11-2019 04:23 PM

Here is another much more complicated solution:

| makeresults 
| eval raw="id=1 id=3 id=4 id=5 id=10 id=13 id=14 id=15" 
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval id=printf("%06d",id)
| stats list(id) AS ids
| nomv ids
| map search="
| makeresults
| eval ids=$ids$
| eval id=$ids$
| makemv id
| chart count BY ids id
| fields - ids
| eval _answer=-1, _prev_val=-999
| foreach * [
   eval _last_answer_digit=replace(_answer, \"^.*?(\d+)$\", \"\1\"),
        <<FIELD>> = \"<<FIELD>>\",
        _answer = case(
           (_answer==-1),                     <<FIELD>>,
           (_prev_val + 1==<<FIELD>>),        _answer,
           (_last_answer_digit == _prev_val), _answer . \",<<FIELD>>\",
           true(),                            _answer . \"-\" . _prev_val . \",<<FIELD>>\"),
       _prev_prev_val = _prev_val,
       _prev_val = \"<<FIELD>>\" ]"
| eval _answer = _answer . if((_prev_val==(_prev_prev_val + 1)), "-", ",") . _prev_val
| table _answer
| rename _answer AS answer
| rex field=answer mode=sed "s/,0+/,/g s/-0+/-/g"
0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-10-2019 10:38 PM

@Oracle ,

Try this

| fields id
| sort id
| delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group
| eventstats min(id) as min , max(id) as max by group
| eval result=if(min==max,min,min.",".max)|fields id,result

If you do not want result in all rows, you can replace eventstats with stats

|delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group
|stats  min(id) as min , max(id) as max,values(id) as id by group
|eval result=if(min==max,min,min.",".max)|fields id,result
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-11-2019 04:25 PM

Wow; very, Very, VERY nicely done! Take a look at my brute-force approach!!!

0 Karma
Reply
Solved! Jump to solution

Oracle
Explorer
‎03-10-2019 10:47 PM

Hello @renjith.nair

Great, your search provided is working fine! Thank you 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...