Solved: Re: Searching for the absence of events

drodman29 · ‎05-17-2019

I'm looking for an efficient way to find events that have not been indexed. Given a sequentially increasing number (requestId) how can you find missing requestIds in the events:
This search gets me close, but does not find when an entire bin of requestIDs are missing:
index=myindex (requestId > 78815600) AND (requestId < 78915600) | sort 0 +requestId num | bin requestId span=10 | stats count by requestId | where count !=10

Ideally I would be looking for a list of missing requestIds - Thoughts?

somesoni2 · ‎05-17-2019

Give this a try

index=myindex (requestId > 78815600) AND (requestId < 78915600) 
| stats count by requestId
| streamstats current=f window=1 values(requestId) as prev
| eval gap=requestId-prev 
| where gap>1 AND isnotnull(gap)
| eval missing=mvrange(prev+1,requestId)
| table missing
| mvexpand missing

View solution in original post

somesoni2 · ‎05-17-2019

Give this a try

index=myindex (requestId > 78815600) AND (requestId < 78915600) 
| stats count by requestId
| streamstats current=f window=1 values(requestId) as prev
| eval gap=requestId-prev 
| where gap>1 AND isnotnull(gap)
| eval missing=mvrange(prev+1,requestId)
| table missing
| mvexpand missing

Searching for the absence of events

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023