Splunk Search

How do I detect a gap in a sequence of items?

raoul
Path Finder

I have a number of events reaching Splunk. Each event has an ID which is a simple sequential number.

Is there a way (ideally a Splunk query) of detecting gaps in the sequence?

1 Solution

raoul
Path Finder

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff
| search id_diff>1 | table id_field, id_diff

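To make the accepted search concrete, here is an added Python emulation of it (not code from the thread or from Splunk): it sorts on the ID field, computes each event's difference to the previous event the way Splunk's `delta` command does, and keeps rows with id_diff>1; it additionally expands each gap into the missing IDs and flags duplicate IDs (an id_diff of 0), which the plain search would silently pass over. The events and the field name `id` are constructed sample input.

```python
# Constructed sample events (not from the thread): one "id" field per event,
# arriving out of order, with one duplicate delivery and two gaps.
SAMPLE_EVENTS = [
    {"id": 101, "_raw": "login ok"},
    {"id": 100, "_raw": "login ok"},
    {"id": 103, "_raw": "login fail"},
    {"id": 103, "_raw": "login fail"},   # duplicate delivery
    {"id": 107, "_raw": "logout"},
    {"id": 108, "_raw": "logout"},
]


def delta_rows(events, id_field="id"):
    """Emulate `sort id_field | delta id_field as id_diff`.

    Splunk's delta gives the difference between this event's id and the
    previous event's id; the first row has no previous, so id_diff is None.
    """
    rows = []
    prev = None
    for ev in sorted(events, key=lambda e: int(e[id_field])):
        cur = int(ev[id_field])
        rows.append({id_field: cur, "id_diff": None if prev is None else cur - prev})
        prev = cur
    return rows


def find_gaps(events, id_field="id"):
    """Emulate `search id_diff>1 | table id_field, id_diff`, then expand each
    gap into the missing id range and also collect duplicates (id_diff == 0)."""
    gaps, dups = [], []
    for row in delta_rows(events, id_field):
        d = row["id_diff"]
        if d is None:
            continue
        if d > 1:
            last_seen = row[id_field] - d
            gaps.append({"after": last_seen,
                         "missing": list(range(last_seen + 1, row[id_field])),
                         "id_diff": d})
        elif d == 0:
            dups.append(row[id_field])
    return {"gaps": gaps, "duplicates": dups}


if __name__ == "__main__":
    result = find_gaps(SAMPLE_EVENTS)
    for g in result["gaps"]:
        print(f"gap after id {g['after']}: missing {g['missing']} (id_diff={g['id_diff']})")
    print("duplicate ids:", result["duplicates"])
```

One caveat for the real search: Splunk's `sort` returns at most 10,000 results by default, so use `sort 0 id_field` to avoid truncating the sequence before `delta` runs.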
LukeMurphey
Champion

Splunk's IT Data Signing feature allows you to find gaps in the data. IT data signing will:

    ...displays information as to whether the block of IT data has gaps, has been tampered with, or is valid (no gaps or tampering).


sideview
SplunkTrust

The 'gaps' as meant by the data signing stuff are pretty different -- there it means some data destined for the indexer never made it there, perhaps through malicious activities. Raoul is just looking for gaps in a numeric sequence.
