I have a number of events reaching Splunk. Each event has an ID which is a simple sequential number.
Is there a way (ideally a Splunk query) of detecting gaps in the sequence?
In the end I found that the following worked reasonably well:
sourcetype=XXX | sort id_field | delta id_field as id_diff
| search id_diff>1 | table id_field, id_diff
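The same sort / delta / filter logic as a stand-alone script, added here as an example (not part of the original answer) for checking an exported batch of events offline; the sample event lines, the `id=` field format and the function names are constructed assumptions. It also reports duplicate ids (delta of 0), which the `id_diff>1` filter above silently skips.

```python
import re

# Constructed sample events (not from the original post): a sequential id
# field inside otherwise arbitrary log lines, delivered out of order, with
# one duplicate delivery and two gaps.
SAMPLE_EVENTS = [
    "2024-01-01T00:00:01Z id=1001 msg=start",
    "2024-01-01T00:00:03Z id=1003 msg=work",
    "2024-01-01T00:00:02Z id=1002 msg=work",
    "2024-01-01T00:00:03Z id=1003 msg=work",   # duplicate delivery
    "2024-01-01T00:00:07Z id=1007 msg=work",   # 1004-1006 never arrived
    "2024-01-01T00:00:08Z id=1008 msg=work",
    "2024-01-01T00:00:10Z id=1010 msg=stop",   # 1009 never arrived
]

ID_RE = re.compile(r"\bid=(\d+)\b")  # assumed field format


def extract_ids(events):
    """Pull the numeric id out of each event; events without one are skipped."""
    ids = []
    for line in events:
        m = ID_RE.search(line)
        if m:
            ids.append(int(m.group(1)))
    return ids


def find_gaps(ids):
    """Mirror `sort id_field | delta id_field as id_diff | search id_diff>1`.

    Returns one (previous_id, current_id, missing_count) tuple per gap,
    so the missing range is explicit rather than just the delta.
    """
    ordered = sorted(ids)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):   # delta = cur - prev
        if cur - prev > 1:
            gaps.append((prev, cur, cur - prev - 1))
    return gaps


def find_duplicates(ids):
    """Ids seen more than once (delta == 0); the SPL filter above ignores these."""
    ordered = sorted(ids)
    return sorted({cur for prev, cur in zip(ordered, ordered[1:]) if cur == prev})


if __name__ == "__main__":
    ids = extract_ids(SAMPLE_EVENTS)
    for prev, cur, missing in find_gaps(ids):
        print(f"gap after id={prev}: next seen id={cur}, {missing} missing")
    print("duplicate ids:", find_duplicates(ids))
```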
Splunk's IT Data Signing feature allows you to find gaps in the data. IT data signing will:
...displays information as to whether the block of IT data has gaps, has been tampered with, or is valid (no gaps or tampering).
The 'gaps' as meant by the data signing stuff are pretty different -- there it means some data destined for the indexer never made it there, perhaps through malicious activities. Raoul is just looking for gaps in a numeric sequence.