Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Find inconsistencies in the IDs of results

ilomax
New Member
‎09-11-2017 08:02 AM

Hello,

I'm new to Splunk in general, and I was wondering is there was a way to highlight inconsistencies in the IDs of the returned events.

I've got a simple query : index="<field>" | sort -_time | dedup id which returns 6056 results, ranging from ID 31 to 14.236.
Obviously, there are gaps. I'd like to be able to get a clear vision of all the gaps, which could give me an answer to why there are so many.

Any help is greatly appreciated,
Thanks in advance !

0 Karma
Reply

woodcock
Esteemed Legend
‎09-11-2017 08:43 AM

Your sort -_time is redundant and not only that it is trimming your result set to 1000 because the default is sort 1000 so get rid of it and then you should see WAAAAAAAAAAAAAAAAY more events and fewer "gaps". If you think that you need the sort to double-check the sorting, then use sort 0 - _time, but it will be the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...