https://community.splunk.com/t5/Deployment-Architecture/how-to-not-overwrite-time-modifiers-with-time-bins/m-p/259164#M21497 <P>Just lie to Splunk about your <CODE>time</CODE> value, like this:</P> <PRE><CODE>... earliest=-12h@m | eval _time = _time - (60 * tonumber(strftime(now(),"%M"))) | bin _time span=1h | stats count BY field </CODE></PRE> Sun, 05 Mar 2017 08:47:13 GMT woodcock 2017-03-05T08:47:13Z https://community.splunk.com/t5/Deployment-Architecture/how-to-not-overwrite-time-modifiers-with-time-bins/m-p/259161#M21494 <P>Let's say it is currently 4:37 pm. I want to write a query that bins _time by 1 hour and where the last time bucket includes events between 3:37pm and the current time (4:37pm).</P> <P>However, the bin command in the following query seems to overwrite the @m time modifier and makes all of the time buckets start at minute 0 (ie 2:00pm - 3:00pm, 3:00pm - 4:00pm, ...). </P> <PRE><CODE>... ... ... earliest=-12h@m | bin _time span=1h | stats count by field </CODE></PRE> <P>This makes the last bucket be 4:00pm - 5:00pm which means it only has 37 minutes worth of data while all other buckets have 60 minutes. I want to be able to compare counts between this last bucket and the previous buckets but it won't work if the time sample sizes aren't all the same. How can I change the query so that the last time bucket would be 3:47pm - 4:37pm? Any help is greatly appreciated.</P> Wed, 25 Jan 2017 00:46:23 GMT https://community.splunk.com/t5/Deployment-Architecture/how-to-not-overwrite-time-modifiers-with-time-bins/m-p/259161#M21494 matthewb4 2017-01-25T00:46:23Z https://community.splunk.com/t5/Deployment-Architecture/how-to-not-overwrite-time-modifiers-with-time-bins/m-p/259162#M21495 <P>Good question </P> Thu, 26 Jan 2017 13:50:56 GMT https://community.splunk.com/t5/Deployment-Architecture/how-to-not-overwrite-time-modifiers-with-time-bins/m-p/259162#M21495 jplumsdaine22 2017-01-26T13:50:56Z https://community.splunk.com/t5/Deployment-Architecture/how-to-not-overwrite-time-modifiers-with-time-bins/m-p/259163#M21496 <P>Here's how I generated some pseudo-random test data - </P> <PRE><CODE>| gentimes start="1/25/2017:13:59:21" increment=97m | append [| gentimes start="1/25/2017:13:28:52" increment=41m ] | append [| gentimes start="1/25/2017:13:33:18" increment=17m ] | eval _time = starttime | table _time | sort 0 _time </CODE></PRE> <P>Here's how I created bins starting with the minute of the lowest results. Just create a new field deltaTime with the time shifted by the minute value of the lowest results, then bin that, then raise up the bins by the same amount you lowered them. </P> <PRE><CODE>| eventstats min(_time) as minTime | eval minTime = relative_time(minTime,"@m") | eval deltaTime = _time - minTime | bin deltaTime as deltaBin span=1h | eval deltaBin = deltaBin + minTime | eval deltaBinF = strftime(deltaBin,"%Y-%m-%d %H:%M:%S") | table _time deltaBin deltaBinF </CODE></PRE> <P>The last two lines are just to present the results for review for testing. </P> Thu, 26 Jan 2017 16:34:28 GMT https://community.splunk.com/t5/Deployment-Architecture/how-to-not-overwrite-time-modifiers-with-time-bins/m-p/259163#M21496 DalJeanis 2017-01-26T16:34:28Z https://community.splunk.com/t5/Deployment-Architecture/how-to-not-overwrite-time-modifiers-with-time-bins/m-p/259164#M21497 <P>Just lie to Splunk about your <CODE>time</CODE> value, like this:</P> <PRE><CODE>... earliest=-12h@m | eval _time = _time - (60 * tonumber(strftime(now(),"%M"))) | bin _time span=1h | stats count BY field </CODE></PRE> Sun, 05 Mar 2017 08:47:13 GMT https://community.splunk.com/t5/Deployment-Architecture/how-to-not-overwrite-time-modifiers-with-time-bins/m-p/259164#M21497 woodcock 2017-03-05T08:47:13Z