Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Find inconsistencies in the IDs of results

ilomax
New Member
‎09-11-2017 08:02 AM

Hello,

I'm new to Splunk in general, and I was wondering is there was a way to highlight inconsistencies in the IDs of the returned events.

I've got a simple query : index="<field>" | sort -_time | dedup id which returns 6056 results, ranging from ID 31 to 14.236.
Obviously, there are gaps. I'd like to be able to get a clear vision of all the gaps, which could give me an answer to why there are so many.

Any help is greatly appreciated,
Thanks in advance !

0 Karma
Reply

woodcock
Esteemed Legend
‎09-11-2017 08:43 AM

Your sort -_time is redundant and not only that it is trimming your result set to 1000 because the default is sort 1000 so get rid of it and then you should see WAAAAAAAAAAAAAAAAY more events and fewer "gaps". If you think that you need the sort to double-check the sorting, then use sort 0 - _time, but it will be the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...