Dashboards & Visualizations

I want to do `latest=-10m@5m`

HattrickNZ
Motivator

I want to do latest=-10m@5m

But I am discovering I cannot do the @5m, I can only do
@m @h @d @mon @y

the reason for wanting the @5m is because the complete data does not come in until the full 5minutes is complete.
And if I can only use @m the if I look at the graph at X:58 (for example) the graph will show a drop as the full 5 minutes of data will not be available to be shown. So I want to show the full previous 5minutes(up to X:55).

Any ideas of ways around this? tks

Tags (3)
0 Karma

maheshsn
Explorer

I would try this : |timechart partial=false span=5min

nvanderwalt_spl
Splunk Employee
Splunk Employee

Sounds like you don't want partial results at the end.

If you are visualising with timechart, try

|timechart partial=false count by whatever

HattrickNZ
Motivator

tks, as already mentioned by @MuS partial=false seems to b what I want
- How does it make its decisions?
- Is it tied to the span=5m and the current time?
my understanding is that it won't display the X.25 - X.30 data, in that time, until the time has passed the X.30+ e.g. X.31 or X.30.01

0 Karma

adonio
Ultra Champion

try this:

earliest=-10m@m latest=-5m@m

hope it helps

0 Karma

HattrickNZ
Motivator

tks
the @m of latest=-5m@m will bring it to the close minute. e.g. if i run the query/graph @ X:58 then the query/graph will run up X:53.

What i want is to Run the query/graph up to X:50.

Or What is want is to Run the query/graph up to X:00, X:05, X:10...X:50, X:5 (5 minute intervals only). Not other times outside of this and independent of when the query/graph is run.

0 Karma

MuS
Legend

I would try | bin _time span=5m | stats values(*) AS * by _time and see if this helps to solve your problem.

cheers, MuS

HattrickNZ
Motivator

i can't get that to work and don't think it can as that does not allow me to control the latest time to be @ a 5minute end time e.g. X.05, X.10, .... x.55

0 Karma

MuS
Legend

try this:

what ever search here earliest=-0h@h | timechart span=5min partial=f count

This will search the current hour and only returns events for chunks of 5 minutes, where the 5 minutes already have passed and the chunk is complete.

cheers, MuS

Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...