https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42693#M9991 <P>Your best bet is to use the "head" command which can take a predicate instead of an absolute count.</P> <P>For example, the following search only takes (all of) the events from the most recent second from index=_internal:</P> <PRE><CODE>index=_internal | streamstats dc(_time) as dc_time | head dc_time==1 </CODE></PRE> Thu, 14 Jul 2011 12:50:40 GMT Stephen_Sorkin 2011-07-14T12:50:40Z https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42692#M9990 <P>Say that you have a huge volume of events, and they come in big batches. Each batch is a discrete unit, and mixing information from the most recent batch with the previous batch is unacceptable. </P> <P>more givens: </P> <OL> <LI>the events within a particular batch are spread out over a few minutes. </LI> <LI>we do have control over the data so we could write a particular event at the start and at the end of the batch if necessary. We could even create a start/end event that had a different source or sourcetype. </LI> </OL> <P>Given all this, Is there a good clean way to construct a custom search or a custom view that will be sure to operate only on the events of the most recent batch? </P> Thu, 14 Jul 2011 04:32:48 GMT https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42692#M9990 sideview 2011-07-14T04:32:48Z https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42693#M9991 <P>Your best bet is to use the "head" command which can take a predicate instead of an absolute count.</P> <P>For example, the following search only takes (all of) the events from the most recent second from index=_internal:</P> <PRE><CODE>index=_internal | streamstats dc(_time) as dc_time | head dc_time==1 </CODE></PRE> Thu, 14 Jul 2011 12:50:40 GMT https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42693#M9991 Stephen_Sorkin 2011-07-14T12:50:40Z https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42694#M9992 <P>The events here are not in a single second, but this offers a tool that seems to open up a number of other ideas. Is that ability of the head command new in 4.2? It seems like I could use eval and streamstats to keep track of when I see the 'start' event and 'end' event, and then use head to terminate once I get back to the correct head event. Is that what you would do?</P> Thu, 14 Jul 2011 17:19:58 GMT https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42694#M9992 sideview 2011-07-14T17:19:58Z https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42695#M9993 <P>Wouldn't this be a good use of a transaction command? especially if you've got a well defined start and stop?</P> Thu, 14 Jul 2011 17:27:09 GMT https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42695#M9993 Brian_Osburn 2011-07-14T17:27:09Z https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42696#M9994 <P>transaction wont work here because the set of events needs to be sliced and diced up a number of ways by a lot of different 'stats foo(bar) by baz, bat' searches, and transaction is going to put me in multivalue hell.</P> Thu, 14 Jul 2011 19:15:12 GMT https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42696#M9994 sideview 2011-07-14T19:15:12Z https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42697#M9995 <P>This ability of head has been around since 4.1, I believe.</P> Sat, 16 Jul 2011 01:45:49 GMT https://community.splunk.com/t5/Splunk-Search/ideas-for-reliably-bracketing-timerange-around-discrete/m-p/42697#M9995 Stephen_Sorkin 2011-07-16T01:45:49Z