https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489298#M136689 <P>Try with this:</P> <PRE><CODE>| timechart span=5m values(src_ip) as src_ip </CODE></PRE> <P>This will literally paste the value of the src_ip after every 5th minute.</P> Tue, 05 May 2020 20:38:02 GMT shivanshu1593 2020-05-05T20:38:02Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489290#M136681 <P>Hi. <BR /> When I search a '_time' field, there are two result values like <STRONG>'2020/04/30 18:00'</STRONG> and <STRONG>'2020/04/30 18:03'</STRONG><BR /> I just want to delete the result values within 5 minutes.<BR /> for example,<BR /> <STRONG>_time<BR /> 2020/04/30 18:00<BR /> 2020/04/30 18:06</STRONG></P> <P>Above is ok but, following result search I do not want.</P> <P><STRONG>_time<BR /> 2020/04/30 18:00<BR /> 2020/04/30 18:03</STRONG></P> <P>Is it possible to delete data value in '_time' field within 5 minutes?<BR /> My goal is</P> <P><STRONG>_time<BR /> 2020/04/30 18:00<BR /> 2020/04/30 18:03 **(delete automatically in search)</STRONG>**</P> <P>I would appreciate it if you give me some tips. <BR /> Thanks.</P> Wed, 30 Sep 2020 05:15:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489290#M136681 tkdguq0110 2020-09-30T05:15:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489291#M136682 <P>what do you mean by "delete"?<BR /> have you tried using the <CODE>|bin</CODE> command?<BR /> examples:<BR /> <CODE>... | bin _time span=5s</CODE> <BR /> <CODE>... | bin _time span=5m</CODE> </P> Thu, 30 Apr 2020 00:55:01 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489291#M136682 adonio 2020-04-30T00:55:01Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489292#M136683 <P>I mean, if there is a '_time' field data incomming within 5 minutes, I do not want to see that result(I thought this was delete).<BR /> I used 'bin' command before but that was just to combine time using '_time' field..</P> Wed, 30 Sep 2020 05:15:46 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489292#M136683 tkdguq0110 2020-09-30T05:15:46Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489293#M136684 <P>so ... so you want only a round time results? meaning seconds 0,5,10, ... 55 ?<BR /> or minutes as described?<BR /> what if you have let say, 4 events: <BR /> 10:00<BR /> 10:06<BR /> 10:09<BR /> 10:11</P> <P>what will be the desired result there?</P> Thu, 30 Apr 2020 13:13:21 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489293#M136684 adonio 2020-04-30T13:13:21Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489294#M136685 <P>I do not want to see time results incoming within 5 minutes.<BR /> for example, if search result is below<BR /> _time<BR /> 10:00<BR /> 10:01<BR /> 10:02<BR /> 10:03<BR /> 10:04<BR /> 10:05</P> <P>I do not want to see the result 10:01 to 10:04<BR /> I only want to see search result below<BR /> _time<BR /> 10:00<BR /> 10:05</P> <P>Is it possible?<BR /> Thanks</P> Sun, 03 May 2020 19:00:23 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489294#M136685 tkdguq0110 2020-05-03T19:00:23Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489295#M136686 <P>If I understand your requirement correctly, you would like to filter out some of the events in the result, so that events only show up every five minutes in the result set.</P> <P>This is easy to do as only a filter is needed to look at the minute component of the event time stamps. </P> <PRE><CODE>index = _internal | eval curMin = strftime(_time,"%M") | eval eventtext = "my event " + curMin | table _time, eventtext, curMin | search curMin=*0 OR curMin=*5 </CODE></PRE> <P>The second line in the search parse the minute of the timestamp in the event, and the last line has a filter to only return the events that occurred during the time when the <CODE>minute</CODE> is divisible by 5. Of course you can tailor the filter (e.g., adding more restrictions on the <CODE>second</CODE> portion of the time stamp as well) to however you see fit. </P> <P>OR, do you want the neighboring events in the result to be at least 5 minutes apart? </P> Sun, 03 May 2020 20:34:41 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489295#M136686 tauliang 2020-05-03T20:34:41Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489296#M136687 <P>Thanks for your helping.<BR /> My goal is not to see search result set incoming within 5 minutes comparing previous _time.</P> <P>for instance, there are two fields and values in search result set.<BR /> src_ip _time<BR /> 2.2.2.2 10:00</P> <P>and new search result set data added, like<BR /> src_ip _time<BR /> 2.2.2.2 10:00<BR /> 2.2.2.2 10:03</P> <P>comparing previous _time(10:00) and new added _time(10:03)<BR /> and new added _time(10:03) is just incoming within 5 minutes just comparing previous _time(10:00)<BR /> so, I do not want to see new added _time(10:03) in search result set.</P> <P>but, if search result set is below<BR /> src_ip _time<BR /> 2.2.2.2 10:00<BR /> 2.2.2.2 10:06</P> <P>new added _time(10:06) is just incoming after 5 minutes comparing previous _time(10:00)<BR /> I want to see this search result set.</P> <P>Thanks</P> Mon, 04 May 2020 08:11:58 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489296#M136687 tkdguq0110 2020-05-04T08:11:58Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489297#M136688 <P>what is the anticipated result in this scenario:<BR /> 2.2.2.2 10:00<BR /> 2.2.2.2 10:06<BR /> 2.2.2.2 10:09<BR /> 2.2.2.2 10:10<BR /> 2.2.2.2 10:11<BR /> 2.2.2.2 10:15<BR /> 2.2.2.2 10:16<BR /> 2.2.2.2 10:22</P> Tue, 05 May 2020 19:40:05 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489297#M136688 adonio 2020-05-05T19:40:05Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489298#M136689 <P>Try with this:</P> <PRE><CODE>| timechart span=5m values(src_ip) as src_ip </CODE></PRE> <P>This will literally paste the value of the src_ip after every 5th minute.</P> Tue, 05 May 2020 20:38:02 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-search-data-result-incoming-within-5-minutes/m-p/489298#M136689 shivanshu1593 2020-05-05T20:38:02Z