Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get the first and last number of consec...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oracle
Explorer
03-10-2019
08:38 PM
Hello Splunkers,
Need your help on this.
This is my query for testing:
| fields id
| sort id
| delta id AS deltaid
| eval consecutive=if(deltaid=1,"consecutive","nonconsecutive")
id
1
3
4
5
10
13
14
15
Output in a new field should be like this:
1
3, 5
10
13, 15
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
03-10-2019
10:38 PM
@Oracle ,
Try this
| fields id
| sort id
| delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group
| eventstats min(id) as min , max(id) as max by group
| eval result=if(min==max,min,min.",".max)|fields id,result
If you do not want result in all rows, you can replace eventstats with stats
|delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group
|stats min(id) as min , max(id) as max,values(id) as id by group
|eval result=if(min==max,min,min.",".max)|fields id,result
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-11-2019
04:23 PM
Here is another much more complicated solution:
| makeresults
| eval raw="id=1 id=3 id=4 id=5 id=10 id=13 id=14 id=15"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval id=printf("%06d",id)
| stats list(id) AS ids
| nomv ids
| map search="
| makeresults
| eval ids=$ids$
| eval id=$ids$
| makemv id
| chart count BY ids id
| fields - ids
| eval _answer=-1, _prev_val=-999
| foreach * [
eval _last_answer_digit=replace(_answer, \"^.*?(\d+)$\", \"\1\"),
<<FIELD>> = \"<<FIELD>>\",
_answer = case(
(_answer==-1), <<FIELD>>,
(_prev_val + 1==<<FIELD>>), _answer,
(_last_answer_digit == _prev_val), _answer . \",<<FIELD>>\",
true(), _answer . \"-\" . _prev_val . \",<<FIELD>>\"),
_prev_prev_val = _prev_val,
_prev_val = \"<<FIELD>>\" ]"
| eval _answer = _answer . if((_prev_val==(_prev_prev_val + 1)), "-", ",") . _prev_val
| table _answer
| rename _answer AS answer
| rex field=answer mode=sed "s/,0+/,/g s/-0+/-/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
03-10-2019
10:38 PM
@Oracle ,
Try this
| fields id
| sort id
| delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group
| eventstats min(id) as min , max(id) as max by group
| eval result=if(min==max,min,min.",".max)|fields id,result
If you do not want result in all rows, you can replace eventstats with stats
|delta id AS deltaid|eval flag=if(deltaid==1,0,1)| accum flag as group
|stats min(id) as min , max(id) as max,values(id) as id by group
|eval result=if(min==max,min,min.",".max)|fields id,result
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-11-2019
04:25 PM
Wow; very, Very, VERY nicely done! Take a look at my brute-force approach!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oracle
Explorer
03-10-2019
10:47 PM
Hello @renjith.nair
Great, your search provided is working fine! Thank you 🙂
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Unlock What’s Next: The Splunk Cloud Platform at .conf25
In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
Index This | How many sevens are there between 1 and 100?
August 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
