Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using bucket span of 1 minute, the logs will be displayed starting from 0 to 59 seconds. Is there a way to specify the minute from x sec to y sec instead of 0 to 59?

lavanya413
New Member
‎10-11-2017 07:21 AM

Hi Team,
I am using Splunk for my analysis after running the script in Load runner. In Splunk query, I am using bucket span=1m_time which will give the results with 1 m interval starting from 0 to 59 seconds. Let say in a given minute, system should process only 60 requests. If I start my exection around x seconds other than 0, my 1 minutes time span will start from the x sec+59 seconds.

using bucket span, I always gets the results considering the start of the minute as 0 and end of the minute as 59. Please let me know is there a way to specify the start time of the minute with x seconds instead of standard 0 seconds.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-11-2017 12:12 PM

Basically, if you want your minute spans to start at x=25 seconds after the minute, use something like this... 

 | eval _time = _time -25 
 | bucket _time span=1m
 | eval _time = _time +25

Now that you understand, here's the efficient way, since it's streaming distributable. 

| eval _time = 25+60*floor( (_time-25)/60)

... and if you want the low end to start exactly at the low end of your search time, then use addinfo and calculate it this way

| addinfo
| eval mysecond = floor(info_min_time) - 60*floor(info_min_time/60)
| eval _time = mysecond+60*floor( (_time-mysecond)/60)

...or possibly...

| addinfo
| eval _time = floor(info_min_time) + 60*floor((_time - info_min_time)/60)

Those two will give fractionally different results, but the second one should be slightly quicker, I would think.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-11-2017 12:12 PM

Basically, if you want your minute spans to start at x=25 seconds after the minute, use something like this... 

 | eval _time = _time -25 
 | bucket _time span=1m
 | eval _time = _time +25

Now that you understand, here's the efficient way, since it's streaming distributable. 

| eval _time = 25+60*floor( (_time-25)/60)

... and if you want the low end to start exactly at the low end of your search time, then use addinfo and calculate it this way

| addinfo
| eval mysecond = floor(info_min_time) - 60*floor(info_min_time/60)
| eval _time = mysecond+60*floor( (_time-mysecond)/60)

...or possibly...

| addinfo
| eval _time = floor(info_min_time) + 60*floor((_time - info_min_time)/60)

Those two will give fractionally different results, but the second one should be slightly quicker, I would think.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...