
How to get a 'now()' function to return the current time rounded to the nearest minute/hour?

Communicator

My search is a scheduled report and calls the now() function to only get entries from a specific time away, using the relative_time method. However, the search is usually executed 2-5 seconds late (I don't know why, but that's what the Splunk job report says), so I think it'll miss entries which were done 1 second past the clock. So how do I get the now() function to round down so the missing records are taken in as well?

SplunkTrust

Hi sjanwity,

You can use not only -1min with relative_time(), but also things like -1min@min or -2d@d, which will snap to the minute or hour.
See the docs for more information on this topic: http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Specifytimemodifiersinyoursearch

cheers, MuS

Communicator

Hi MuS, can I do things like now()@min? That's really what I wanted.

0 Karma

SplunkTrust

More like:

relative_time(now(), "@min")
0 Karma
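
The effect of snapping, as an added example that is not part of the original thread: a Python simulation of a once-a-minute scheduled search that starts 2-5 seconds late, comparing a window built from the raw now() with one whose edges are rounded down to the minute, as relative_time(now(), "@min") does. The timestamps, lags and function names are constructed for illustration.

```python
# Added example: constructed timestamps and lags; function names are hypothetical.
MINUTE = 60
BASE = 1_400_000_400                 # constructed epoch on an exact minute boundary
RUN_TIMES = [BASE + 62, BASE + 125, BASE + 183]   # runs due at :00, started 2/5/3 s late
EVENTS = [BASE + s for s in range(30, 150)]       # one constructed event per second

def snap_to_minute(epoch):
    """Round down to the start of the minute, like relative_time(t, "@min")."""
    return epoch - (epoch % MINUTE)

def raw_window(now):
    """[now - 1min, now): both edges drift with the scheduler lag."""
    return now - MINUTE, now

def snapped_window(now):
    """[-1min@min, @min): both edges sit on minute boundaries."""
    end = snap_to_minute(now)
    return end - MINUTE, end

def missed_and_duplicated(window_fn):
    """Offsets (seconds from BASE) of events matched by no run / by more than one run."""
    hits = {e: 0 for e in EVENTS}
    for now in RUN_TIMES:
        start, end = window_fn(now)
        for e in EVENTS:
            if start <= e < end:
                hits[e] += 1
    missed = [e - BASE for e in EVENTS if hits[e] == 0]
    duplicated = [e - BASE for e in EVENTS if hits[e] > 1]
    return missed, duplicated

if __name__ == "__main__":
    print("raw now():   ", missed_and_duplicated(raw_window))
    print("snapped @min:", missed_and_duplicated(snapped_window))
```

With the raw window, the varying lag leaves a gap between consecutive runs and an overlap elsewhere; the snapped windows tile the timeline, so each event is matched exactly once.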