topic Re: snap to 10 minutes in Splunk Search

snap to 10 minutes

dadi — Mon, 28 Sep 2020 12:20:11 GMT

Hi ,
I want to snap to 10 minutes.
I know how to snap to an hour for example:
... | eval _time=relative_time(_time,"@h")

However, this doesn't work for 10 minutes time. Is there any other way to do it?

Thanks

Re: snap to 10 minutes

jonuwz — Sun, 26 Aug 2012 13:02:48 GMT

You're probably looking for the bin/bucket command :

It "bins" values into discrete sets (or buckets)

This should do it.

... | bin _time span=10m  | ...

John

Re: snap to 10 minutes

charleswheelus — Wed, 14 Aug 2013 23:38:25 GMT

This might be what you are looking for:

http://answers.splunk.com/answers/99161/snap-to-5-minute-increments-in-timerange

Re: snap to 10 minutes

morethanyell — Wed, 22 Jan 2020 07:21:45 GMT

Making time snap to the next 10th minute

| makeresults 
| eval now = now() 
| eval now_snapped_to_next_10th_min = relative_time(now(), 
    [| makeresults 
    | eval now = now() 
    | convert ctime(now) 
    | rex field=now "\d(?<min>\d)\:(?:\d{2})$" 
    | eval min = 10 - min 
    | eval min = if(min == 10, 0, min) 
    | eval adder = "\"+" . tostring(min) . "m@m\"" 
    | return $adder])
| convert ctime(now*) timeformat="%F %X"