Splunk Search

Searching for the absence of events

drodman29
Path Finder

I'm looking for an efficient way to find events that have not been indexed. Given a sequentially increasing number (requestId) how can you find missing requestIds in the events:
This search gets me close, but does not find when an entire bin of requestIDs are missing:
index=myindex (requestId > 78815600) AND (requestId < 78915600) | sort 0 +requestId num | bin requestId span=10 | stats count by requestId | where count !=10

Ideally I would be looking for a list of missing requestIds - Thoughts?

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

index=myindex (requestId > 78815600) AND (requestId < 78915600) 
| stats count by requestId
| streamstats current=f window=1 values(requestId) as prev
| eval gap=requestId-prev 
| where gap>1 AND isnotnull(gap)
| eval missing=mvrange(prev+1,requestId)
| table missing
| mvexpand missing

View solution in original post

0 Karma

somesoni2
Revered Legend

Give this a try

index=myindex (requestId > 78815600) AND (requestId < 78915600) 
| stats count by requestId
| streamstats current=f window=1 values(requestId) as prev
| eval gap=requestId-prev 
| where gap>1 AND isnotnull(gap)
| eval missing=mvrange(prev+1,requestId)
| table missing
| mvexpand missing
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...