https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357231#M170077 <P>Like this:</P> <PRE><CODE>YOUR SEARCH HERE | streamstats current=f window=10 sum(*count) AS sum_last_10_*count </CODE></PRE> Thu, 10 May 2018 05:10:46 GMT woodcock 2018-05-10T05:10:46Z https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357228#M170074 <P>If I search, I can see the count value of each field for one minute, and also want to know the sum count value 10 minutes before that.</P> <P>For example<BR /> At FFM_count 2 on 20170101 00:15:00<BR /> Please see the FFM_count sum from 201701 00:04 to 201701 00:14.</P> <P>Is it possible for a splunk to express this way?<BR /> If possible, I'd like to know how.<IMG src="https://community.splunk.com/storage/temp/240659-splunk1.jpg" alt="alt text" /><IMG src="https://community.splunk.com/storage/temp/240660-splunk2.jpg" alt="alt text" /></P> Tue, 29 Sep 2020 19:12:27 GMT https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357228#M170074 mkoh 2020-09-29T19:12:27Z https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357229#M170075 <P>host=* source=* earliest=-10m latest=now (Try this in your query and let me know whether it helps) . For more reference . Go through the below link.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/SearchTimeModifiers">https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/SearchTimeModifiers</A></P> Tue, 24 Apr 2018 04:43:01 GMT https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357229#M170075 Shan 2018-04-24T04:43:01Z https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357230#M170076 <P>@mkoh - Do the above command helps you .. </P> Fri, 27 Apr 2018 05:52:24 GMT https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357230#M170076 Shan 2018-04-27T05:52:24Z https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357231#M170077 <P>Like this:</P> <PRE><CODE>YOUR SEARCH HERE | streamstats current=f window=10 sum(*count) AS sum_last_10_*count </CODE></PRE> Thu, 10 May 2018 05:10:46 GMT https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357231#M170077 woodcock 2018-05-10T05:10:46Z https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357232#M170078 <P>Actually, I think that you need a <CODE>| reverse</CODE> in there above the <CODE>| streamstats</CODE> or you will be getting the 10 <EM>after</EM>, not <EM>before</EM>.</P> Thu, 10 May 2018 05:25:00 GMT https://community.splunk.com/t5/Splunk-Search/Get-10-minutes-before-1-minute/m-p/357232#M170078 woodcock 2018-05-10T05:25:00Z