https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327453#M160835 <P>Hello, I'm joining two tables in splunk and their only common attribute is time. This works well 99% of the time. Both data sets have time stamps every 5 minutes. Occasionally one side of the data has a timestamp that is 1 minute off. Is there a way in splunk to detect the "off" timestamp and round it to the nearest 5 minute mark? </P> <P>The timestamps are pieces of the data I am dealing with. They are not Splunk timestamps.</P> <P>Thank you for your time.</P> Mon, 05 Jun 2017 15:15:46 GMT jcouture 2017-06-05T15:15:46Z https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327453#M160835 <P>Hello, I'm joining two tables in splunk and their only common attribute is time. This works well 99% of the time. Both data sets have time stamps every 5 minutes. Occasionally one side of the data has a timestamp that is 1 minute off. Is there a way in splunk to detect the "off" timestamp and round it to the nearest 5 minute mark? </P> <P>The timestamps are pieces of the data I am dealing with. They are not Splunk timestamps.</P> <P>Thank you for your time.</P> Mon, 05 Jun 2017 15:15:46 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327453#M160835 jcouture 2017-06-05T15:15:46Z https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327454#M160836 <PRE><CODE>&lt;your search&gt; | bin span=5min _time | &lt;your stats/join/whatever&gt; </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin">bin</A> command docs</P> Mon, 05 Jun 2017 15:24:36 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327454#M160836 micahkemp 2017-06-05T15:24:36Z https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327455#M160837 <P>How does this know to look at the timestamp I'm examining? I should also mention this is not a Splunk timestamp it is an attribute of the table that I have pulled into Splunk from a Db</P> Mon, 05 Jun 2017 15:30:15 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327455#M160837 jcouture 2017-06-05T15:30:15Z https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327456#M160838 <P>You can specify a different timestamp:</P> <PRE><CODE>| bin span=5min &lt;timestamp field&gt; </CODE></PRE> <P>You may need to look into how that field needs to be formatted to work with the <CODE>bin</CODE> command.</P> Mon, 05 Jun 2017 15:41:13 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327456#M160838 micahkemp 2017-06-05T15:41:13Z https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327457#M160839 <P>Ok, thank you for your help. I'll test it the next time I have an anomaly. </P> Mon, 05 Jun 2017 16:27:07 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327457#M160839 jcouture 2017-06-05T16:27:07Z https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327458#M160840 <P>1) The <CODE>span=5m</CODE> assumes your data is formatted as epoch-time ... as a number (integer or float) where +1 = +1 second. </P> <P>2) <CODE>bin</CODE> truncates the <CODE>timestamp</CODE> to the preceding 5m interval.</P> <P>3) If your timestamp is occasionally off by 1 minute, I'd recommend doing a histogram on each source with a span to see where the breaks are. For example, If source 1 item timestamps are at 4:20-7:45 and 9:15-2:27 minutes, then I'd recommend adding 50 seconds before the bin command, so that the former bin to 5:00 and the latter to 0:00. </P> <PRE><CODE>(your search for one source ) | bin mytime as mytime600 span=10m | bin mytime as mytime10 span=10s | eval mytime0=mytime10-mytime600 | chart count by mytime0 </CODE></PRE> <P>Either way, you're going to have to play around a bit to make sure you are cutting the events on each side at the right spot so that they match up. </P> Mon, 05 Jun 2017 17:56:13 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327458#M160840 DalJeanis 2017-06-05T17:56:13Z https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327459#M160841 <P>Very helpful explanation, thank you. I think this should work. I'll update the post when I have found my solution. </P> Mon, 05 Jun 2017 19:38:45 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-manipulate-time-stamps-to-quot-snap-quot-to-5-minute/m-p/327459#M160841 jcouture 2017-06-05T19:38:45Z