Solved: Re: How do I detect a gap in a sequence of items? - Splunk Community

Splunk Search

I have a number of events reaching Splunk. Each event has an ID which is a simple sequential number.

Is there a way (ideally a Splunk query) of detecting gaps in the sequence?

1 Solution

Solution

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff | search id_diff>1 | table id_field, id_diff

View solution in original post

Solution

In the end I found that the following worked reasonably well:

sourcetype=XXX | sort id_field | delta id_field as id_diff | search id_diff>1 | table id_field, id_diff

Splunk's IT Data Signing feature allows you to find gaps in the data. IT data signing will:

...displays information as to whether
the block of IT data has gaps, has
been tampered with, or is valid (no
gaps or tampering).

the 'gaps' as meant by the data signing stuff are pretty different -- there it means some data destined for the indexer never made it there, perhaps through malicious activities. Raoul is just looking for gaps in a numeric sequence.

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience, ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...