Splunk Search

Display the Results of Search Query at regular intervals of time with fixed start DateTime

boppana
New Member

Hi,
Currently I am running the below Splunk search query, where I am using earliest=-0d@d latest=-2m.

earliest=-0d@d latest=-2m | spath message | rex field=message "TradeID = (?<id>\w+)" | dedup 1 id sortby -_time | timechart count

But my requirement is to run the above search query every 10 minutes, where earliest=-0d@d is always fixed and latest is the time at which the search query runs, i.e. every 10 minutes, and to display the result of that query at each 10-minute run as a chart.


woodcock
Esteemed Legend

Upon further reflection, you should skip using earliest and latest entirely and just use the Today value from the Timepicker!


woodcock
Esteemed Legend

Use this cron:

*/10 * * * *

And this search time specifier:

earliest=@d latest=@min

niketn
Legend

@boppana, if your earliest time is always static at the beginning of the day, do you just need to bucket the count every 10 minutes?

<yourCurrentSearch>
|timechart span=10m count
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

boppana
New Member

I am not sure what bucket means, but let me explain my requirement in simple text with examples.

I have a search query, and I want to run it every 10 minutes.

Example:

Step 1: At 00:10 my search query should run (here it should search logs from 00:00 to 00:10). Suppose we have a count of 10.
Step 2: Again at 00:20 my search query should run (here it should search logs for the given search pattern from 00:00 to 00:20).

Like this, the query should run every 10 minutes, and I want to form a chart with the count results from 00:00 to the current time.

Note: In Step 2 the count can increase or decrease from 10, because by 00:10 we have a count of 10, but after 00:10 there might be a chance that some of those 10 do not continue the same pattern.

Example: At 00:10 we have 10 active threads. If I run that query again at 00:20, some of the active threads (let's suppose 4) out of the 10 might be killed, so we have 6 active threads, and from 00:10 to 00:20 we have 2 more active threads added. So when I run the search from 00:00 to 00:20 the search pattern should return a count of 8.
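To make the difference between the two readings of the thread concrete, here is an added example (not code from any poster): it emulates a scheduled run with a fixed start of day and a sliding end time (the `*/10 * * * *` cron with `earliest=@d latest=@min` suggested above), counts ids whose latest event is still "active", and contrasts that with the plain per-bucket count that `timechart span=10m count` would report. The events, ids and states are constructed to reproduce the numbers in boppana's example (10 active at 00:10, 4 killed and 2 added by 00:20).

```python
"""Running 'active count' per scheduled run vs. per-bucket event count.
All data below is constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta

DAY = datetime(2024, 1, 1)  # constructed start of day, stands in for earliest=@d

def _t(minute):
    return DAY + timedelta(minutes=minute)

# Constructed log: (time, trade id, state), mirroring "TradeID = <id>" lines.
EVENTS = (
    [(_t(m), f"T{m:02d}", "active") for m in range(0, 10)]        # 10 started before 00:10
    + [(_t(12 + i), f"T{i + 1:02d}", "killed") for i in range(4)]  # 4 of them killed by 00:16
    + [(_t(17), "T17", "active"), (_t(18), "T18", "active")]       # 2 new ones before 00:20
)

def active_count(events, start, end):
    """Count ids whose latest event in [start, end) is 'active'.
    Equivalent to keeping the latest event per id (dedup 1 id sortby -_time)
    over the whole window and counting the ones still matching the pattern."""
    latest = {}
    for ts, tid, state in sorted(events):
        if start <= ts < end:
            latest[tid] = state   # a later event for the same id overwrites the earlier one
    return sum(1 for state in latest.values() if state == "active")

def scheduled_runs(events, start, step_minutes=10, runs=2):
    """Emulate the cron schedule: fixed start (@d), end moves forward each run (@min)."""
    return [
        active_count(events, start, start + timedelta(minutes=step_minutes * (i + 1)))
        for i in range(runs)
    ]

def bucket_counts(events, start, step_minutes=10, runs=2):
    """Plain count of events per 10-minute span, which is what a bucketed
    timechart reports; it is not the running number of active threads."""
    counts = Counter()
    for ts, _, _ in events:
        bucket = int((ts - start).total_seconds() // (60 * step_minutes))
        if 0 <= bucket < runs:
            counts[bucket] += 1
    return [counts[i] for i in range(runs)]

if __name__ == "__main__":
    print("active per run:  ", scheduled_runs(EVENTS, DAY))   # [10, 8]
    print("events per bucket:", bucket_counts(EVENTS, DAY))    # [10, 6]
```

The second run reports 8 active threads (10 minus 4 killed plus 2 new), while the second bucket only holds the 6 events that arrived in that span, so the scheduled search with a fixed start time is the one that matches the requirement.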
