Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to do `latest=-10m@5m`

HattrickNZ
Motivator
‎07-24-2019 02:31 PM

I want to do latest=-10m@5m

But I am discovering I cannot do the @5m, I can only do
@m @h @d @mon @y

the reason for wanting the @5m is because the complete data does not come in until the full 5minutes is complete.
And if I can only use @m the if I look at the graph at X:58 (for example) the graph will show a drop as the full 5 minutes of data will not be available to be shown. So I want to show the full previous 5minutes(up to X:55).

Any ideas of ways around this? tks

Tags (3)
0 Karma
Reply

maheshsn
Explorer
‎07-29-2019 02:28 PM

I would try this : |timechart partial=false span=5min

Reply

nvanderwalt_spl
Splunk Employee
Splunk Employee
‎07-28-2019 04:33 PM

Sounds like you don't want partial results at the end.

If you are visualising with timechart, try

|timechart partial=false count by whatever
Reply

HattrickNZ
Motivator
‎07-30-2019 01:48 PM

tks, as already mentioned by @MuS partial=false seems to b what I want
- How does it make its decisions?
- Is it tied to the span=5m and the current time?
my understanding is that it won't display the X.25 - X.30 data, in that time, until the time has passed the X.30+ e.g. X.31 or X.30.01

0 Karma
Reply

adonio
Ultra Champion
‎07-24-2019 06:14 PM

try this:

earliest=-10m@m latest=-5m@m

hope it helps

0 Karma
Reply

HattrickNZ
Motivator
‎07-24-2019 06:34 PM

tks
the @m of latest=-5m@m will bring it to the close minute. e.g. if i run the query/graph @ X:58 then the query/graph will run up X:53.

What i want is to Run the query/graph up to X:50.

Or What is want is to Run the query/graph up to X:00, X:05, X:10...X:50, X:5 (5 minute intervals only). Not other times outside of this and independent of when the query/graph is run.

0 Karma
Reply

MuS
Legend
‎07-24-2019 06:46 PM

I would try | bin _time span=5m | stats values(*) AS * by _time and see if this helps to solve your problem.

cheers, MuS

Reply

HattrickNZ
Motivator
‎07-28-2019 03:59 PM

i can't get that to work and don't think it can as that does not allow me to control the latest time to be @ a 5minute end time e.g. X.05, X.10, .... x.55

0 Karma
Reply

MuS
Legend
‎07-28-2019 06:44 PM

try this:

what ever search here earliest=-0h@h | timechart span=5min partial=f count

This will search the current hour and only returns events for chunks of 5 minutes, where the 5 minutes already have passed and the chunk is complete.

cheers, MuS

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...