https://community.splunk.com/t5/Dashboards-Visualizations/snap-to-5-minute-increments-in-timerange/m-p/35419#M1556 <P>I have data that needs to evaluated over periods that end on 5 minute boundaries</P> <P>I would like to be able to snap to a search end time that ends on an even 5 minute increment like this:</P> <PRE><CODE> search ABC earliest=-2h@h latest=[most recent 5 minute increment] | ..... </CODE></PRE> <P>So if this search were run at 13:57:33 the actual time range would be from 11:00:00 to 13:55:00</P> <P>I have tried all sorts of permutations like <STRONG>latest=h@5m</STRONG> (not valid syntax) but they are not producing the desired results of ending on an even (12:55:00) time boundary.</P> <P>I would appreciate thoughts on how best to accomplish this.</P> Wed, 14 Aug 2013 23:28:54 GMT charleswheelus 2013-08-14T23:28:54Z https://community.splunk.com/t5/Dashboards-Visualizations/snap-to-5-minute-increments-in-timerange/m-p/35419#M1556 <P>I have data that needs to evaluated over periods that end on 5 minute boundaries</P> <P>I would like to be able to snap to a search end time that ends on an even 5 minute increment like this:</P> <PRE><CODE> search ABC earliest=-2h@h latest=[most recent 5 minute increment] | ..... </CODE></PRE> <P>So if this search were run at 13:57:33 the actual time range would be from 11:00:00 to 13:55:00</P> <P>I have tried all sorts of permutations like <STRONG>latest=h@5m</STRONG> (not valid syntax) but they are not producing the desired results of ending on an even (12:55:00) time boundary.</P> <P>I would appreciate thoughts on how best to accomplish this.</P> Wed, 14 Aug 2013 23:28:54 GMT https://community.splunk.com/t5/Dashboards-Visualizations/snap-to-5-minute-increments-in-timerange/m-p/35419#M1556 charleswheelus 2013-08-14T23:28:54Z https://community.splunk.com/t5/Dashboards-Visualizations/snap-to-5-minute-increments-in-timerange/m-p/35420#M1557 <P>After a bit of poking around, This syntax works:</P> <PRE><CODE> search ABC earliest=-2h@h [ stats count | eval latest=(floor(now()/300))*300 | fields latest ] | ... </CODE></PRE> Wed, 14 Aug 2013 23:33:23 GMT https://community.splunk.com/t5/Dashboards-Visualizations/snap-to-5-minute-increments-in-timerange/m-p/35420#M1557 charleswheelus 2013-08-14T23:33:23Z https://community.splunk.com/t5/Dashboards-Visualizations/snap-to-5-minute-increments-in-timerange/m-p/35421#M1558 <P>Is there any other way to achieve this in the latest versions of splunk ?</P> <P>Thanks</P> Thu, 22 Feb 2018 12:50:09 GMT https://community.splunk.com/t5/Dashboards-Visualizations/snap-to-5-minute-increments-in-timerange/m-p/35421#M1558 immortalraghava 2018-02-22T12:50:09Z https://community.splunk.com/t5/Dashboards-Visualizations/snap-to-5-minute-increments-in-timerange/m-p/579058#M47418 <P>The extra parenthesis around the floor function causes it to no longer work. So it should now be ...</P><PRE>search ABC earliest=-2h@h [ stats count | eval latest=floor(now()/300)*300 | fields latest ] | ...</PRE><P>However, I think for newer Splunk this is better and looks easier to read ...</P><PRE>search ABC earliest=-2h@h latest=[makeresults | eval snap=floor(now()/300)*300 | return $snap]&nbsp;| ...</PRE> Tue, 21 Dec 2021 19:46:23 GMT https://community.splunk.com/t5/Dashboards-Visualizations/snap-to-5-minute-increments-in-timerange/m-p/579058#M47418 dstuder 2021-12-21T19:46:23Z