
I want to do `latest=-10m@5m`

HattrickNZ
Motivator

I want to do latest=-10m@5m

But I am discovering I cannot do the @5m, I can only do
@m @h @d @mon @y

The reason for wanting the @5m is that the complete data does not come in until the full 5 minutes is complete.
And if I can only use @m, then if I look at the graph at X:58 (for example) the graph will show a drop, as the full 5 minutes of data will not be available to be shown. So I want to show the full previous 5 minutes (up to X:55).

Any ideas of ways around this? tks

0 Karma

maheshsn
Explorer

I would try this: `|timechart partial=false span=5min`

nvanderwalt_spl
Splunk Employee

Sounds like you don't want partial results at the end.

If you are visualising with timechart, try

`|timechart partial=false count by whatever`

HattrickNZ
Motivator

tks, as already mentioned by @MuS, `partial=false` seems to be what I want
- How does it make its decisions?
- Is it tied to the span=5m and the current time?
my understanding is that it won't display the X.25 - X.30 data, in that time, until the time has passed the X.30+ e.g. X.31 or X.30.01

0 Karma

adonio
Ultra Champion

try this:

`earliest=-10m@m latest=-5m@m`

hope it helps

0 Karma

HattrickNZ
Motivator

tks
the @m of `latest=-5m@m` will bring it to the close minute. e.g. if I run the query/graph @ X:58 then the query/graph will run up to X:53.

What I want is to run the query/graph up to X:50.

Or what I want is to run the query/graph up to X:00, X:05, X:10...X:50, X:5 (5 minute intervals only). Not other times outside of this and independent of when the query/graph is run.

0 Karma

MuS
SplunkTrust

I would try `| bin _time span=5m | stats values(*) AS * by _time` and see if this helps to solve your problem.

cheers, MuS

HattrickNZ
Motivator

I can't get that to work and don't think it can, as that does not allow me to control the latest time to be @ a 5-minute end time e.g. X.05, X.10, .... x.55

0 Karma

MuS
SplunkTrust

try this:

`what ever search here earliest=-0h@h | timechart span=5min partial=f count`

This will search the current hour and only return events for chunks of 5 minutes, where the 5 minutes have already passed and the chunk is complete.

cheers, MuS
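
An added example (not written by anyone in this thread and not Splunk's code): a small Python model of how `span=5m` bucketing and `partial=false` decide which buckets are shown, and of the `@5m` snap the question asks for. It assumes bins aligned to 5-minute boundaries and a search window of [earliest, latest); the function names and sample events are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

SPAN = 300  # 5-minute span in seconds, as in span=5m


def snap(ts, span=SPAN):
    """Floor an epoch timestamp to the start of its span-aligned bucket."""
    return ts - ts % span


def timechart_count(events, earliest, latest, span=SPAN, partial=True):
    """Count events per bucket over the window [earliest, latest).

    With partial=False, the first and last buckets are dropped when the
    search window does not cover them completely (assumed model).
    """
    counts = Counter(snap(t, span) for t in events if earliest <= t < latest)
    first = snap(earliest, span)
    last = snap(latest - 1, span)
    buckets = list(range(first, last + span, span))
    if not partial:
        if buckets and earliest > first:      # window starts mid-bucket
            buckets = buckets[1:]
        if buckets and latest < last + span:  # window ends mid-bucket
            buckets = buckets[:-1]
    return [(b, counts.get(b, 0)) for b in buckets]


def hhmm(ts):
    """Render an epoch timestamp as HH:MM in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%H:%M")


# Constructed sample: one event every 30 seconds from 10:00, search run at 10:58.
T0 = int(datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc).timestamp())
NOW = T0 + 58 * 60
EVENTS = list(range(T0, NOW, 30))

if __name__ == "__main__":
    for partial in (True, False):
        rows = timechart_count(EVENTS, T0, NOW, partial=partial)
        print(f"partial={partial}:", [(hhmm(b), n) for b, n in rows][-3:])
    print("latest snapped to 5m boundary:", hhmm(snap(NOW)))
```

In this model the 10:55 bucket holds only 6 of its expected 10 events when the search runs at 10:58, which is the false drop described in the question; with `partial=False` the chart ends at the 10:50 bucket instead.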
