https://community.splunk.com/t5/Splunk-Search/bucket-from-relative-time/m-p/358238#M105916 <P>I think <CODE>relative_time</CODE> will solve your problem</P> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/DateandTimeFunctions#relative_time.28X.2CY.29">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/DateandTimeFunctions#relative_time.28X.2CY.29</A></P> <P><CODE>... | eval n=relative_time(now(), "-1d@d")</CODE></P> Thu, 28 Dec 2017 14:41:39 GMT skoelpin 2017-12-28T14:41:39Z https://community.splunk.com/t5/Splunk-Search/bucket-from-relative-time/m-p/358237#M105915 <P>good day!<BR /> when solving the problem of obtaining statistics, they encountered a problem. It is necessary to calculate the average number of events for a specific query. When using the bucket, the information is collected from the beginning of the hour. It is necessary to receive information from the current moment. If it's now 10.15, then you need to collect data from 08.15 to 09.15, then from 09.15 to 10.15 and so on.</P> <PRE><CODE>query | bucket _time span=1h | stats count as tCount by _time | eventstats avg(tCount) as aCount </CODE></PRE> Thu, 28 Dec 2017 11:19:44 GMT https://community.splunk.com/t5/Splunk-Search/bucket-from-relative-time/m-p/358237#M105915 yav2810 2017-12-28T11:19:44Z https://community.splunk.com/t5/Splunk-Search/bucket-from-relative-time/m-p/358238#M105916 <P>I think <CODE>relative_time</CODE> will solve your problem</P> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/DateandTimeFunctions#relative_time.28X.2CY.29">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/DateandTimeFunctions#relative_time.28X.2CY.29</A></P> <P><CODE>... | eval n=relative_time(now(), "-1d@d")</CODE></P> Thu, 28 Dec 2017 14:41:39 GMT https://community.splunk.com/t5/Splunk-Search/bucket-from-relative-time/m-p/358238#M105916 skoelpin 2017-12-28T14:41:39Z https://community.splunk.com/t5/Splunk-Search/bucket-from-relative-time/m-p/358239#M105917 <P>You can use <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Streamstats">streamstats</A> for that:</P> <PRE><CODE>query | streamstats time_window=1h count time_window Syntax: time_window=&lt;span-length&gt; Description: Specifies the window size for the streamstats calculations, based on time. The time_window argument is limited by range of values in the _time field in the events. To use the time_window argument, the events must be sorted in either ascending or descending time order. You can use the window argument with the time_window argument to specify the maximum number of events in a window. For the &lt;span-length&gt;, to specify five minutes, use time_window=5m. To specify 2 days, use time_window=2d. Default: None. However, the value of the max_stream_window attribute in the limits.conf file applies. The default value is 10000 events. </CODE></PRE> <P>Note: this may not be a very efficient search, depending on how much data you have. You should probably consider using <CODE>stats</CODE> on a smaller time period bucket (perhaps 1min) before piping the results into <CODE>streamstats</CODE>, so that you don't run into performance or limits issues. <CODE>streamstats</CODE> also retains the raw event and existing extracted fields, so including <CODE>stats</CODE> before it would limit that to only fields you actually care about.</P> <PRE><CODE>query | bin span=1min _time | stats count BY _time | streamstats time_window=1h sum(count) AS count </CODE></PRE> Thu, 28 Dec 2017 15:50:45 GMT https://community.splunk.com/t5/Splunk-Search/bucket-from-relative-time/m-p/358239#M105917 micahkemp 2017-12-28T15:50:45Z https://community.splunk.com/t5/Splunk-Search/bucket-from-relative-time/m-p/358240#M105918 <P>See this answer </P> <P><A href="https://answers.splunk.com/answers/581635/can-i-use-relative-time-for-bin-span.html">https://answers.splunk.com/answers/581635/can-i-use-relative-time-for-bin-span.html</A></P> Thu, 28 Dec 2017 15:52:38 GMT https://community.splunk.com/t5/Splunk-Search/bucket-from-relative-time/m-p/358240#M105918 naidusadanala 2017-12-28T15:52:38Z